John Shaw, VP of product management, Sophos
John Shaw, VP of product management, Sophos

Once upon a time it was more or less enough to just keep on top of software updates and patches and run some anti-virus software to fend off cyber-criminals. However, as breaches have become more sophisticated in nature, organisations need to take a more joined-up approach to security to defend against increasingly coordinated and stealthy attacks.  

As the information security industry matures, we are accepting that there is no such thing as 100 percent protection. Traditionally, IT teams have assembled best-of-breed network and endpoint components to provide some reasonable measure of defence in depth, but something has always been missing.

In many IT organisations, endpoint security sits with the desktop/workplace IT team, and firewall, web and email security with the network team. Although, IT and security professionals know they must collate events from both sides to get complete visibility of attacks, this has never even been within the reach of any but the biggest organisations. As a result, every day businesses miss cues that could prevent or detect an attack.

A different approach

A radically different approach is to link together network and endpoint products in a way that allows them to share meaningful and contextual information. Described as synchronised security, connecting the endpoint and the network creates a constant security ‘heartbeat' in every area of the business – from the iPhone you use to check your emails while travelling to the wireless printer you use from your tablet.

In short, synchronised security:

  • Improves protection by automating and coordinating the response to detected threats across assets
  • Increases operational efficiency by shedding light on the five “Ws” of a threat (what happened, why did it happen, where, when, and by whom?), streamlining investigation

Without synchronised security, information system controls don't talk to each other, so can't work together to react to threats. For example, if a firewall sees an outbound connection or a DNS lookup to a suspected command and control IP or domain, the best it can do is block the connection and alert the admin. The alert might contain an IP address or perhaps even the logged-in user, but it will not contain information about the offending process. Meanwhile, the endpoint remains infected, posing a risk to the business until manual intervention.

Likewise, firewalls are typically blind to what's happening on endpoint devices. Runtime behaviour analytics on an endpoint might identify and block a malicious process, leading to investigation and clean-up. However, until that clean-up has been completed, the firewall is unaware of the threat. The affected system can freely communicate out to the internet or to other sensitive systems.

Using a synchronised approach, when the firewall detects malicious traffic, it notifies the endpoint. The endpoint agent responds dynamically, identifying and aggressively scrutinising the suspect process. Often, it can automatically terminate the process and remove the remnants of the infection.

One of the biggest challenges faced by IT departments is how to join the dots between individual events and alerts. When a firewall detects malicious traffic from an endpoint, it's typically reported in connection with an IP address. As the investigator, you must then connect the IP address to a particular user and computer. This might, for example, include reviewing DHCP or dynamic DNS records and querying an inventory or IP address management database.

Synchronised security automatically joins the dots. When the firewall shares what it has detected in real time with the endpoint, the endpoint agent immediately traces the traffic to the suspect process. That information, along with the computer name and username of the logged-in user, is then communicated to IT and to the firewall. What might have previously taken hours or days of analysis is reduced to seconds, allowing those responding to an incident to focus on resolving the threat instead of finding it.

It's just the start

Soon we'll be able to use encryption and endpoint protection together to isolate sensitive data based on the security health of the device, or even a specific process. And mobile devices, cloud-based gateways and sandboxes will all join the endpoint and the firewall in an interconnected, synchronised security system.

The vast majority of businesses struggle today to keep up with security. Money, well-trained staff, and time are all scarce. Done right, synchronised security can be the solution, creating better protection with less cost and complexity than an uncoordinated collection of point products.

Contributed by John Shaw, VP of product management, Sophos