Building a Cybersecurity Strategy: Endpoint & Server Hardening

Introduction to Endpoints & Servers

The next stop on the journey of Building a Cybersecurity Strategy is to understand how to secure endpoints and servers. For clarification of terminology, the following will be used throughout this post:

Endpoint: An endpoint refers to any technology employees might leverage - generally phones, laptops, and tablets. We will be excluding internet-of-things (IoT) devices from this post.

Server: Servers are computer systems leveraged to run an organization and include domain controllers, application servers, and file servers. These systems are always on and provide information or services to endpoints.

In this post, we will break down Baseline Configurations, Security Tooling and Logging & Monitoring.

It should be noted that every organization is different. With a myriad of different types and purposes of endpoints and servers alike - this guide should be leveraged as a high-level methodology. For a more tactical approach in securing a specific environment, please do not hesitate to contact Thoreson Consulting.

Baseline Configurations

When developing a strategy to secure endpoints and servers, management should develop baseline configurations for all assets in use by the organization. Sometimes referred to as a ‘Golden Image’, the baseline configuration ensures that all assets being deployed follow the same configuration steps upon deployment.

Imaging

An ‘image’ is exactly what it sounds like - a snapshot of a system at a given point in time. It is a strong security practice to maintain a clean image of the endpoints and servers in an organization. The golden image is the image of a system taken after all hardening configurations have been made, default software installed, and security tools deployed. It should be the baseline from which all systems start.

Group Policy

Devices running a Windows operating system can leverage Group Policy in order to deploy the same configurations across all devices. Careful consideration should be applied to the ‘Default Domain Policy’ as this will be applied to all devices on the domain.

Group Policy can be used for many different security configurations including but not limited to:

  • Password length requirements

  • Command prompt & PowerShell usage

  • Restriction of removable media (USB Drives)

  • Restriction of the installation of software

Another one of the benefits of Group Policy is that devices and users can be organized by groups to apply different settings. This allows granularity and the separation of different departments or levels of privileged users.

While Group Policy can allow for a majority of settings to be configured, some devices may require a deployment guide:

Deployment Guides

Should an organization be operating without domain joined devices or have devices that cannot be configured via Group Policy, deployment guides should be leveraged.

Individuals tasked with the deployment of assets should follow a documented set of steps for the proper configuration of new devices.

Note: Deployment guides should include any steps required from the time the organization purchased the asset through an employee receiving it.

Configuration Standards

Understanding how to configure endpoints or servers is only a fraction of the challenge. Understanding what the configurations should entail is the most important part. While experienced IT professionals can often provide support, there are several publicly available frameworks that can provide assistance in hardening devices. The ‘Center for Internet Security’ as well as the ‘National Institute of Standards and Technology’ both have extensive guides on how to securely configure devices.

It should be noted that the trade-off between security and functionality applies here. While the most secure device in the world might be one buried underground in concrete - it is not usable. Care should be taken when following configuration standards to ensure they do not restrict required business activity.

Another crucial area to consider is whether the asset will be publicly facing - findable on the internet. Publicly facing assets should be locked down to include only the networking access and software needed for business function. Anything extraneous on the server becomes another door or window for an attacker to leverage as an entry point to the organization.
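The Group Policy settings listed above and the configuration standards described in this section are only useful if deployed hosts actually match them. The following script is an added example, not code from the original post or from Thoreson Consulting: it audits a single Windows host against a handful of baseline expectations that correspond to the settings discussed (minimum password length, PowerShell execution policy, removable media restriction, AppLocker software restriction, system drive encryption, and the listening ports of a publicly facing server). The values in `$Baseline` are assumed placeholders to be replaced with the organization's chosen benchmark values; everything else uses standard Windows cmdlets and the policy registry key written by the "All Removable Storage classes: Deny all access" Group Policy setting.

```powershell
# Added example, not code from the original post: audit a Windows host against
# a handful of baseline expectations matching the settings discussed above.
# Run from an elevated PowerShell session. The expected values in $Baseline are
# assumed placeholders; replace them with the values from the organization's
# chosen benchmark (for example a CIS Benchmark profile).

$Baseline = @{
    MinPasswordLength      = 14              # assumed organizational minimum
    ExecutionPolicy        = 'RemoteSigned'  # assumed machine-wide policy
    DenyRemovableStorage   = $true
    RequireAppLocker       = $true
    RequireDriveEncryption = $true
    AllowedListeningPorts  = @(443, 3389)    # assumed allow-list for a publicly facing server
}

$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Control, $Expected, $Actual, [bool]$Pass)
    $Findings.Add([pscustomobject]@{
        Control  = $Control
        Expected = "$Expected"
        Actual   = "$Actual"
        Status   = if ($Pass) { 'PASS' } else { 'FAIL' }
    })
}

# 1. Minimum password length, as reported by the local policy ('net accounts').
$lengthLine = net accounts 2>$null | Where-Object { $_ -match 'Minimum password length' }
$minLength  = if ("$lengthLine" -match '(\d+)\s*$') { [int]$Matches[1] } else { 0 }  # 'None' -> 0
Add-Finding 'Minimum password length' ">= $($Baseline.MinPasswordLength)" $minLength ($minLength -ge $Baseline.MinPasswordLength)

# 2. PowerShell execution policy at machine scope (set via Group Policy or Set-ExecutionPolicy).
$execPolicy = (Get-ExecutionPolicy -Scope LocalMachine).ToString()
Add-Finding 'PowerShell execution policy' $Baseline.ExecutionPolicy $execPolicy ($execPolicy -eq $Baseline.ExecutionPolicy)

# 3. Removable storage: the "All Removable Storage classes: Deny all access" policy
#    writes Deny_All = 1 under this key.
$rsKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$denyAll = (Get-ItemProperty -Path $rsKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All -eq 1
Add-Finding 'Removable storage denied' $Baseline.DenyRemovableStorage $denyAll ($denyAll -eq $Baseline.DenyRemovableStorage)

# 4. Software installation restriction: an effective AppLocker policy with at least one rule collection.
$appLocker = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
$hasRules  = ($null -ne $appLocker) -and (@($appLocker.RuleCollections).Count -gt 0)
Add-Finding 'AppLocker policy present' $Baseline.RequireAppLocker $hasRules ($hasRules -eq $Baseline.RequireAppLocker)

# 5. System drive encryption (BitLocker), for laptops that may be lost or stolen.
$sysDrive  = $env:SystemDrive
$blVolume  = Get-BitLockerVolume -MountPoint $sysDrive -ErrorAction SilentlyContinue
$encrypted = ($null -ne $blVolume) -and ($blVolume.ProtectionStatus -eq 'On')
Add-Finding "BitLocker protection on $sysDrive" $Baseline.RequireDriveEncryption $encrypted ($encrypted -eq $Baseline.RequireDriveEncryption)

# 6. Listening TCP ports versus the allow-list; relevant when the host is publicly facing.
$listening  = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort -Unique
$unexpected = @($listening | Where-Object { $_ -notin $Baseline.AllowedListeningPorts } | Sort-Object)
Add-Finding 'Unexpected listening ports' 'none' ($unexpected -join ', ') ($unexpected.Count -eq 0)

# Report, and return a non-zero exit code when anything failed so that, run as a
# script, the audit can gate whether a freshly imaged host is released to a user.
$Findings | Format-Table -AutoSize
$failed = @($Findings | Where-Object Status -eq 'FAIL').Count
if ($failed -gt 0) { Write-Warning "$failed baseline control(s) failed"; exit 1 }
```

Run the script as the last step of a deployment guide, or schedule it so that drift from the golden image is reported rather than discovered during an incident. Each check deliberately returns a FAIL rather than an error when a module is missing (for example BitLocker on a host where it is not installed), so a host that cannot prove compliance is treated as non-compliant.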

Security Tooling

Strong baseline settings can greatly reduce the attack surface a hacker can leverage to target an organization. However, tooling should still be deployed in order to detect and respond to threats encountered by users. This includes Antivirus / Endpoint Detection and Response and Data Loss Prevention tools.

Antivirus vs Endpoint Detection and Response

While many times AV and EDR get used interchangeably - this is incorrect terminology. For clarification, AV and EDR both function to detect and stop an attack, however EDR has additional capabilities to remediate threats that have penetrated an organization’s defenses. Simply put, EDR is a more advanced AV with response capabilities.

At a minimum, organizations should have some form of endpoint protection installed on employee devices. It is imperative to detect malicious activity that may occur after a download from a sketchy site or opening of a potentially malicious email attachment.

There are numerous solutions on the market that vary in cost and capabilities. It is difficult to recommend any specific solution as a blanket choice for all organizations. When considering a solution, cost, integration with current security tools, resource usage, and deployment difficulty should all be addressed.

Additional considerations apply to servers. In the past, Linux has had fewer solutions available for endpoint and server protection; however, that has changed in recent years. It is important to find a solution that works for your organization to ensure coverage across all assets without consuming excessive system resources.

Data Loss Prevention & Encryption

Data Loss Prevention (DLP) tools assist in preventing sensitive data from being leaked. They can range from solutions that plug into email to detect sensitive information to tools that assist in alerting on removable media being introduced to an environment.

Much like AV / EDR, there is a vast number of DLP solutions available on the market. When considering these tools, take note of what the organization needs to detect. Oftentimes the tools support the detection of Social Security Numbers (SSN), financial information such as Payment Card Information (PCI), and Personal Health Information (PHI). In some cases, organizations may be required to have a DLP solution under HIPAA or PCI DSS compliance requirements.

In organizations that handle sensitive information, encryption can be leveraged to ensure data is safe. Leveraging encryption to secure both removable media and system drives is paramount in data security - especially on employee devices holding sensitive information.

Should an employee's laptop be misplaced or stolen, the organization can be confident that unauthorized access to its data does not occur. Some DLP solutions even allow for the remote wiping of devices.

Note: The caveat is that a solution must be in place to validate that all devices are actually encrypted. Generally, larger platforms such as Intune or ServiceNow offer such capabilities for a price.

Logging & Monitoring

It is important when configuring and deploying assets that proper logging and monitoring settings are configured. This allows visibility into devices and offers a trail of evidence should a security event occur. Without logging and monitoring, it becomes extremely difficult to determine what happened to a device and how.

As mentioned above, configuration standards often detail the settings required for adequate logging on a device. Where possible, alerting should be configured around changes to baseline activity. As an organization matures in its security posture, threat hunting and incident response capabilities can improve as log monitoring and alerting take place.

With logging configured on all deployed devices, the next goal is to forward those logs to a centralized location and ingest them into a Security Information and Event Management (SIEM) tool. This allows logs to be accessed and reviewed in a single place. Oftentimes these tools provide advanced capabilities such as dashboards, alerting, and ticketing to support operations.
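"Alerting around changes to baseline activity" is the concrete detection goal of this section. The function below is an added example, not code from the original post or from Thoreson Consulting: it filters Windows Security log records down to the standard audit event IDs that indicate a hardened baseline has been altered (audit policy changed, accounts or services added, privileged group membership changed, audit log cleared) and escalates the ones a responder would want paged on. The sample event records and the list of privileged group names are constructed for the example; on a live host the same function accepts records straight from `Get-WinEvent`, and the same logic can be expressed as a SIEM correlation rule once logs are centralized.

```powershell
# Added example, not code from the original post: a small triage filter for
# Windows Security log events that signal a change to a hardened baseline.
# The event IDs are the standard Windows Security audit IDs; the sample events
# at the bottom are constructed so the function can be exercised offline.

$BaselineChangeEvents = @{
    4719 = 'System audit policy was changed'
    4720 = 'A user account was created'
    4728 = 'Member added to a security-enabled global group'
    4732 = 'Member added to a security-enabled local group'
    4697 = 'A service was installed in the system'
    1102 = 'The audit log was cleared'
}

function Get-BaselineChangeAlert {
    <#
      Takes event records (live EventLogRecord objects or constructed objects with
      TimeCreated, MachineName, Id and Message) and emits one alert per event that
      matches the baseline-change list. Group changes that touch privileged groups
      and log clearing are escalated to High.
    #>
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $PrivilegedGroups = @('Administrators', 'Domain Admins')  # assumed list
    )
    $privPattern = ($PrivilegedGroups | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($e in $Events) {
        $id = [int]$e.Id
        if (-not $BaselineChangeEvents.ContainsKey($id)) { continue }

        $severity = 'Medium'
        if (($id -in @(4728, 4732)) -and ($e.Message -match $privPattern)) { $severity = 'High' }
        if ($id -eq 1102) { $severity = 'High' }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            EventId     = $id
            Severity    = $severity
            Summary     = $BaselineChangeEvents[$id]
        }
    }
}

# Constructed sample events (not real log data) covering a routine logon, a
# privileged group change, an audit policy change and a cleared log.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2023-01-10 09:12:00'; MachineName = 'WS-014';      Id = 4624; Message = 'An account was successfully logged on.' }
    [pscustomobject]@{ TimeCreated = [datetime]'2023-01-10 09:15:21'; MachineName = 'WS-014';      Id = 4732; Message = 'A member was added to a security-enabled local group. Group Name: Administrators' }
    [pscustomobject]@{ TimeCreated = [datetime]'2023-01-10 09:16:02'; MachineName = 'SRV-FILE01';  Id = 4719; Message = 'System audit policy was changed.' }
    [pscustomobject]@{ TimeCreated = [datetime]'2023-01-10 09:20:45'; MachineName = 'SRV-FILE01';  Id = 1102; Message = 'The audit log was cleared.' }
)

Get-BaselineChangeAlert -Events $SampleEvents | Format-Table -AutoSize

# Against a live host, feed Security log records straight from Get-WinEvent:
# Get-BaselineChangeAlert -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @(4719, 4720, 4728, 4732, 4697, 1102) } -MaxEvents 500)
```

With the constructed input, the routine 4624 logon is dropped and three alerts come out: the 4732 addition to Administrators and the 1102 log clearing as High, and the 4719 audit policy change as Medium. The 1102 escalation is deliberate: clearing the audit log is itself a loss of the evidence trail this section is about, so it should never sit at the same priority as ordinary baseline drift.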

Conclusion

Protecting assets can be challenging. With a strategy in place to harden and monitor endpoints and servers, the tide shifts in favor of the organization. Configuration goes hand in hand with security tooling and with logging and monitoring. Leveraging all three parts can reduce the likelihood of a security incident and increase the effectiveness of detection and response capabilities.

As mentioned before, this post can seem a bit more challenging than the others. Thoreson Consulting is here to help organizations not only understand the terminology and importance of cybersecurity, but also build a strategy of their own.

Reach out today for a free consultation!
