May 19, 2020 Opinions & insights
Brian Beyer Chris Rothe Keith McCammon Katie Nickels

Endpoint security: what’s changed and what hasn’t?

In this recap of our CB Connect keynote, we discuss topics that are top of mind for security teams right now, including the impact of COVID-19, macro trends in endpoint security, and advice for team leaders.

As one of Carbon Black’s oldest technology partners, Red Canary was thrilled to deliver the keynote presentation at last week’s annual CB Connect event. When we first started planning our talk, we looked forward to giving an optimistic view of infosec. After all, we have more tools, data, resources, and talent than ever before, and all of that helps security teams build great security programs.

Then things changed. We live in a different world today. Most of us are working remotely, defending a distributed workforce, and the future of many businesses is uncertain. Don’t get us wrong: there is still plenty to be optimistic about, and all the positive trends surrounding tools and data still apply. However, given how much had changed, we thought the best way to help everyone was to instead gather some of the Red Canary team to talk about topics that are especially relevant to security teams right now.

Moderated by Chris Rothe, Red Canary CTO, the discussion included Brian Beyer, CEO; Keith McCammon, CSO; and Katie Nickels, Principal Security Analyst. Below are the highlights for your viewing convenience. If you prefer to watch the full 19-minute video, we’ve also included it in its entirety.

Watch the full video

Viewing tip: our live audience told us the discussion pairs well with coffee. But then again, what doesn’t?

Q: Brian, thinking in macro terms about COVID-19, what are some of the key concerns you have as a CEO about security during this time?

Brian Beyer: Like the leader of any organization, my biggest goal is that everyone on our team can continue achieving our mission. At Red Canary, we’re committed to ensuring that every organization around the world can continue achieving its own mission without being distracted by a cyber attack. So that’s what I’m focused on. We closed our headquarters in Denver several weeks ago and have teams working remotely that hadn’t in the past. We need them to be productive and enable them to do what they do for our customers while working in a new environment. The big balances we have to take into account are making sure we’re protecting our customers, their data and privacy, and Red Canary’s own intellectual property.

In any time of recession or downturn, we have to figure out how to balance the greatest productivity to serve our customers while doing so with less budget, focus, and attention than we’d have in normal times.

Q: Having a remote workforce obviously creates major differences in security architecture and engineering. Keith, what key things stand out to you as considerations?

Keith McCammon, CSO: It’s been interesting having these conversations with people over the last few weeks and trying to distill it down to a handful of things that are common to most organizations. The first one comes down to understanding endpoints, which means a very different thing in the context of what’s happening now. We typically think of traditional endpoints as your workstation or a server; now we have a lot of customers and organizations everywhere standing up infrastructure they need in short order but didn’t expect, such as VPNs and cloud services.

The next big item is doubling down on security training and not having the benefit of all your controls, particularly for organizations that are typically behind a firewall or in an office and in a tightly controlled environment. Lastly, everyone has to revisit and think about incident response plans. Even if you have them, don’t make the assumption your communications and tools will work the same given various constraints.

Q: Katie, you spend a lot of time researching adversaries and techniques. What key changes do you think about from an adversary’s perspective? What new opportunities are presented to them because of the changes people are forced to make?

Katie Nickels: I’ve talked to a lot of folks in the community and have been struck by how some things are different, but a lot is the same. Anytime you have a huge event like this that we’re all concerned about, it’s tempting to have knee-jerk reactions of panic and feel like there is so much unknown and unexpected. We have a lot of people working remotely, many for the first time, and we might think we need to do everything differently. Keith mentioned a couple things that are important to re-evaluate, such as looking at incident response plans.

Adversaries know about these changes as well. They know that a lot of us are working remotely for the first time and that things have changed quickly. We’ve seen an increase in things like scanning for Citrix vulnerabilities or other remote software, and increased attempts to exploit in a public-facing remote desktop protocol. Adversaries are definitely preying on the uncertainty we all feel right now, so we’ve seen coronavirus themes for phishing to obtain initial access and credential harvesting.

Looking at this from Red Canary’s perspective is interesting because we take a really deep view into endpoint telemetry and analyzing adversary behaviors. And from that perspective, we’ve seen a lot of the phishing themes change, and the social engineering aspect might be a little more successful because people are feeling really vulnerable, but a lot of the adversary behaviors are really the same. We’re still seeing the same kind of payloads, the same living-off-the-land binaries, the PowerShell execution.

If you had detection approaches that worked before, like the behavior-based detection approach we take at Red Canary, that stuff is still working. Adversaries are still relying on the same techniques and behaviors they did before. Some things have changed, but not everything.

Q: Thinking about macro trends in endpoint security, we’ve seen product shifts from all-in-one EPP suites to standalone “best of breed” products and back again. Many endpoint vendors have also gone public or gotten acquired. Where is all this headed and what are some of the pros and cons?

Brian Beyer: One of the big trends we’re seeing is security becoming more embedded inside all the platforms we use every day. From my perspective, it looks like that continues to happen in two ways. The first phase is that we’re able to get really good telemetry and monitoring out of those platforms—whether it’s a cloud platform like AWS, Azure, or DCP, or the endpoint platforms running an operating system, or even something in between like VMware’s hypervisors. Second, we see the ability to do detection and prevention coming from those platforms. So we are now seeing the operating systems, cloud providers, vSphere, and all of these systems giving us more data than we ever had before.

That’s what we as a security team—and for many security teams, and for all of you—view with so much optimism and why I love the world we’re in right now. We have more data than we’ve ever had before and that’s great.

What’s been an interesting change over time is this yo-yo back and forth between very low quality, single EPP products that are supposed to be a single agent and do a mediocre job across the board of everything it tries to do, and then the creation of EDR gives us really best-of-breed sensors. Sensors like Carbon Black Response and now Threat Hunter and CB Cloud are still setting the gold standards for the amount of telemetry they collect off systems, but the reason we love this current evolution of Carbon Black products is that they’re now paired with great prevention capabilities in what used to be called CB Defense and in Endpoint Standard and in other parts of LiveOps being brought together. My hope is that we don’t go down the path we went down in the past, where the quality suffered as they were consolidated, and that we’ll continue to see really good, best-of-breed features, all as a part of this total suite.

Finally, endpoints continue to change. At Red Canary, we use a mix of Windows, Mac, and Linux systems, but a lot of those Linux systems are also Chromebooks being run by different parts of our company. And those really look more like thin clients which makes the “endpoint” that we’re talking about both that thin client, but also effectively the SaaS applications behind the scenes.

The question we ask ourselves and what we’re doing a lot of work to figure out right now is: how can we monitor those SaaS endpoints for our teams that we work with and for our customers just as well as we monitor their more physical or virtual operating systems?

Q: Keith, you’ve certainly been through the wars of on-premise security infrastructure. Now with increases in cloud and SaaS for those backends, is there anything that excites you in terms of what that shift enables security teams to do?

Keith McCammon: Irrespective of cloud or traditional endpoints, I think the nice thing we’re in a position to do now is to really focus. On the cloud side, that means letting providers do what they’re really good at and providing a strong, focused service and do a really good job at securing that service. Ceding things like identity management over to the customer enables agility and mobility, which we now know is increasingly important.

On the traditional endpoint side, the same thing is true. We’re seeing a lot of really good controls like application whitelisting or application control—which Bit9, then Carbon Black, and now VMware really pioneered over the course of years and years—and now we’re seeing platform and endpoint vendors adopt that as a core selling feature of their platform. That entire attack surface is being addressed by Apple, Linux, and Microsoft. That also levels the playing field in a lot of ways for endpoint security vendors.

Removal of things like kernel extensions and a lot of low-level access to operating systems makes them safer and requires that security vendors be more thoughtful. It allows them to focus a lot less on data acquisition and a lot more on providing innovative security solutions. Again, I think “focus” is the thing that everyone’s in a really good and unique position to do for the first time in a long time.

Q: Some of these changes seem to remove a lot of the potential for low-level vulnerability that attackers prey on today. How does that change the way adversaries have to think or the techniques they use?

Katie Nickels: It’s been really interesting to watch when vendors, users, or those who create operating systems are locking down the kernel so much, the adversary has to go somewhere else. We’re already seeing glimpses of this. A huge one is business email compromise. People are so concerned—as we should be—about how adversaries are operating on hosts, they often ignore the idea that an adversary could just email me and say, “Oh, it’s Brian Beyer, I need you to wire me some money.” With business email compromise, there’s tons of money going out the door just by exploiting the human and using social engineering.

We talked about SaaS earlier, and we’ve already seen adversaries realizing, “Okay, if I don’t really need access to the host, what else can I do?” They go back to things like password spraying attacks and harvesting credentials—and if you’re not using multi-factor authentication, that’s an easy way an adversary doesn’t have to get on the host at all. There are also interesting things like token access and OAuth, and users are just going to allow that app. Adversaries are again using social engineering and things that don’t really touch the host.

I’m always concerned with BYOD (bring your own device) or personal devices, especially now. You have some apps and software for your company on a personal device, and how are you securing that? Do you have visibility into that if something goes wrong? There’s an overall shift and adversaries know where they’re getting stopped. So if they’re getting stopped at the kernel or at the host level, they’re going elsewhere. Cloud is another huge one that we’ve talked about. We’re trying to figure out how to monitor adversaries in the cloud, but adversaries know about this disconnect between the owners of the cloud infrastructure and the users. Am I supposed to secure it or are you supposed to secure it? There’s some of that confusion and adversaries are going to go wherever they know where we’re weak.

Q: Everyone’s to-do-list has gotten a lot longer with all of this happening, and different projects have changed. What are the one or two things that those listening to this should do immediately?

Keith McCammon: You mentioned everyone’s to-do list getting longer and different. I just sent an email to one of the teams at Red Canary the other day and said: Let’s just take a step back and think about how we’re spending every minute of our time and whether the things we’re doing are things we have to do. Particularly if you’re a security leader, there is no better time than now to evaluate this. The tools you’re considering: how much value do they provide? Can you maybe do a little more to figure out from others in the industry if they’re going to deliver on that value? Because the lift to deploy and operationalize those things now is going to be higher and harder than it was just a month ago.

Whether you have Carbon Black, Microsoft, or any other suite of products, thinking on the operations side about whether you have the right vendors and partners in place to help you operationalize and get good outcomes from those tools is every bit as important as the technology itself. It’s important to consider whether the things you’re setting out to do are really the things you absolutely have to do right now. Everything now takes a little bit longer, and is costing a little bit more, and time and attention are harder to come by right now than they’ve ever been.

Katie Nickels: I always go back to this idea of threat modeling. To me, this is simply knowing your adversaries and knowing yourself, and then matching those things up. This is a great time to stop, pause, take a deep breath. There’s a lot going on, but it can be a good time to reassess. It’s not panic mode. Everything is different, and maybe there are some tweaks you need to make. You know your own organization; if a lot of people are newly remote, are there some things you need to do to lock things down there? On the adversary side, maybe they’re trying to exploit your users feeling unsafe and uncertain. Maybe you need to ramp up your user awareness. So it’s not like everything has changed.

If you had things that were a priority before—for example, if you were trying to ramp up endpoint visibility, that’s still a really good thing to do—but it’s nice to have a chance to pause, think more about your threats and yourselves, and whether you should reprioritize.

 

The Attribution Game: When Knowing Your Adversary Matters

 

Red Canary in 2020: looking ahead

 

Endpoint Security vs Network Security: Where to Invest Your Budget

 

Building security from the ground up as a team of one

Subscribe to our blog