If criminals are constantly trying new tactics to break into your current security defenses, is your business doing enough to thwart their efforts? Endpoint security is a huge industry today, but it’s not all that it seems. Vendors may make promising claims, with the truth hidden in the heavy jargon of the fine print: most endpoint security can’t defend against the vast sea of threats.
One of the best ways to improve your testing is taking the first step into a hacker’s shoes. It may not take a criminal very long to find and learn the ‘new’ way to exploit vulnerabilities, which is why your endpoint security testing almost certainly needs a boost.
More Than Portable Executables
A motivated criminal knows how most standard endpoint security solutions work because they have studied them and may well have practised against them. They know the majority of products look for portable executables as the main security threat, so they simply find ways to skirt traditional endpoint security (e.g., by attacking the security software itself or by going through email phishing).
Businesses that focus on one specific kind of threat will fail to see the many workarounds criminals invent to infiltrate their systems. They need security that not only blocks malicious files but also defends the system against email threats and compromised web browsers.
Doing the Research
Every product advertises its major capabilities, so it’s important for businesses to cut through the technical language and confirm that the product actually provides a multi-layer defense. The right security program keeps employees’ personal devices off the network. It prevents people from accessing infected websites or programs and defends against exploitation of both known and unknown vulnerabilities in the system. Endpoint security software should detect malicious code and files and prevent the manipulation of legitimate systems.
The program’s flexibility and adaptability directly determine how well your systems will stand up to a seemingly infinite number of threats.
Testing Your Endpoint Security
Much like endpoint security programs, there is no one-size-fits-all solution for endpoint testing. To step up your security, you’ll likely need to employ some trial and error. Running a variety of malware and ransomware on a dedicated test machine is essential to your success. You need to determine how quickly your system can identify and eliminate each threat. While it may take some time, experts recommend testing each file one at a time (both online and offline) rather than dropping in common types of malware all at once. Configure your firewall to block all outbound connections from the test machine, then check the logs to see whether any connection attempts were recorded.
If testing packed files (or malicious files posing as legitimate ones), you’ll want to test with both legitimate packing modules (e.g., 7-Zip SFX) and illegitimate packers (e.g., UPX). If your system throws up a red flag for harmless files, it indicates your security defenses aren’t sophisticated enough to tell a genuine threat from a harmless file.
For weaponized documents, you should also test a variety of malicious document types, not just common formats such as Word or PDF. (Open-source software can help you create these documents for testing purposes.) You need a security tool that can do more than just disable macros and Visual Basic.
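The log-checking step above (block all outbound connections from the test machine, run one sample at a time, then read the firewall log) is easy to describe but tedious to do by hand across dozens of samples. The script below is an added example, not code from the original post or from Sophos: it parses constructed iptables-style LOG lines carrying an assumed "OUTBOUND-DROP" prefix and attributes each blocked outbound attempt to whichever sample was running at that moment. The host name, sample names, run windows and every log line are constructed for this example.

```python
import re
from datetime import datetime

# Constructed log lines in the style of an iptables LOG target with an
# assumed "OUTBOUND-DROP" prefix (sample data, not a real capture).
SAMPLE_LOG = """\
2024-05-01T10:00:03 testbox kernel: OUTBOUND-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=49152 DPT=443
2024-05-01T10:00:04 testbox kernel: OUTBOUND-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=49153 DPT=443
2024-05-01T10:00:09 testbox kernel: OUTBOUND-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=UDP SPT=51000 DPT=53
2024-05-01T10:02:30 testbox kernel: OUTBOUND-DROP IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.44 PROTO=TCP SPT=49160 DPT=8080
2024-05-01T10:05:12 testbox sshd[812]: Accepted publickey for tester from 10.0.0.2 port 50022
"""

# Constructed run windows: one sample at a time, as the text recommends.
SAMPLE_WINDOWS = [
    ("sample-01.exe", "2024-05-01T10:00:00", "2024-05-01T10:01:00"),
    ("sample-02.exe", "2024-05-01T10:02:00", "2024-05-01T10:03:00"),
    ("sample-03.exe", "2024-05-01T10:04:00", "2024-05-01T10:05:00"),
]

# Only lines carrying the drop prefix are of interest; everything else is noise.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+kernel:\s+OUTBOUND-DROP\s.*?"
    r"DST=(?P<dst>\S+)\s.*?PROTO=(?P<proto>\S+)\s.*?DPT=(?P<dport>\d+)"
)


def parse_drops(log_text):
    """Yield (timestamp, dst, proto, dport) for each blocked outbound attempt."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a firewall drop line (e.g. the sshd entry)
        yield (datetime.fromisoformat(m["ts"]), m["dst"], m["proto"], int(m["dport"]))


def attribute_attempts(log_text, windows):
    """Map each sample name to the distinct (dst, proto, dport) it tried to reach.

    A drop belongs to a sample when its timestamp falls inside that sample's
    run window. Every sample appears in the result, even with no attempts,
    so samples that stayed silent are visible too.
    """
    parsed = [(n, datetime.fromisoformat(s), datetime.fromisoformat(e)) for n, s, e in windows]
    result = {n: [] for n, _, _ in parsed}
    for ts, dst, proto, dport in parse_drops(log_text):
        for name, start, end in parsed:
            if start <= ts < end:
                key = (dst, proto, dport)
                if key not in result[name]:
                    result[name].append(key)
                break
    return result


def samples_with_callbacks(log_text, windows):
    """Names of samples that attempted at least one outbound connection."""
    return [n for n, attempts in attribute_attempts(log_text, windows).items() if attempts]


if __name__ == "__main__":
    for name, attempts in attribute_attempts(SAMPLE_LOG, SAMPLE_WINDOWS).items():
        print(f"{name}: {len(attempts)} blocked destination(s)")
        for dst, proto, dport in attempts:
            print(f"    {proto} {dst}:{dport}")
```

Because each sample gets its own window, a blocked attempt is unambiguous evidence that this particular file tried to call out, which is exactly what running samples one at a time buys you over dropping them in all at once. On a real test machine, point the script at the log file your firewall writes to and adjust LINE_RE to the prefix you configured.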
Learning the Mechanisms
Endpoint security isn’t just about verifying that your protocols can keep out threats; it’s also about understanding the methodology behind your security. The right program can block out multiple threats, whether it’s the first day it’s implemented or the 50th day. A test machine should be hit from a number of different angles to determine where its vulnerabilities lie.
To test exploits and active attacks, run multiple portable executables and test URLs from vulnerable browsers. Try injecting code into your systems to simulate an active attack (Shellter is one program that can help with this).
Finally, testers should learn more about their false positives and false negatives, as they waste time at best and expose the system to criminals at worst. If you run 50 portable executables with a variety of malware and 50 clean files, you’ll get a better idea of your rates. If the product is detecting the majority of safe files as threats, you need to change your strategy so that more programs can be whitelisted. (When it comes to resetting your machines, make sure any virtual testing equipment can be rolled back to its original state.)
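The 50-malicious-plus-50-clean run above only tells you something if you tally the verdicts properly and keep track of which files fell into each error class. The script below is an added example, not code from the original post or from Sophos: it scores a constructed results sheet, reports the detection rate and false positive rate, lists the missed samples and the clean files that were blocked (your whitelisting candidates), and applies an assumed 10% false positive threshold to decide whether the whitelisting strategy needs to change. All file names and verdicts are constructed for this example.

```python
import csv
import io
from collections import Counter

# Constructed results sheet: one row per file run on the test machine.
# "expected" is what the tester knows the file to be; "verdict" is what the
# endpoint product reported. Sample data, not real product output.
RESULTS_CSV = """\
file,expected,verdict
malware-001.exe,malicious,blocked
malware-002.exe,malicious,blocked
malware-003.exe,malicious,allowed
malware-004.exe,malicious,blocked
clean-7zsfx-installer.exe,clean,allowed
clean-upx-packed-tool.exe,clean,blocked
clean-report.pdf,clean,allowed
clean-macro-template.docm,clean,blocked
"""


def load_results(csv_text):
    """Parse the results sheet into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def score(rows):
    """Return confusion counts, both rates, and the files behind each error class."""
    counts = Counter()
    false_positives, false_negatives = [], []
    for row in rows:
        malicious = row["expected"] == "malicious"
        blocked = row["verdict"] == "blocked"
        if malicious and blocked:
            counts["tp"] += 1          # true positive: malware caught
        elif malicious:
            counts["fn"] += 1          # false negative: malware let through
            false_negatives.append(row["file"])
        elif blocked:
            counts["fp"] += 1          # false positive: clean file blocked
            false_positives.append(row["file"])
        else:
            counts["tn"] += 1          # true negative: clean file allowed
    malicious_total = counts["tp"] + counts["fn"]
    clean_total = counts["tn"] + counts["fp"]
    return {
        "tp": counts["tp"], "fn": counts["fn"], "fp": counts["fp"], "tn": counts["tn"],
        "detection_rate": counts["tp"] / malicious_total if malicious_total else 0.0,
        "false_positive_rate": counts["fp"] / clean_total if clean_total else 0.0,
        "missed": false_negatives,
        "whitelist_candidates": false_positives,
    }


def needs_whitelisting(report, max_fp_rate=0.10):
    """True when clean files are blocked more often than the tester tolerates.

    The 10% default is an assumption for this example; choose your own limit.
    """
    return report["false_positive_rate"] > max_fp_rate


if __name__ == "__main__":
    report = score(load_results(RESULTS_CSV))
    print(f"detected {report['tp']}/{report['tp'] + report['fn']} malicious "
          f"(detection rate {report['detection_rate']:.0%})")
    print(f"blocked {report['fp']}/{report['fp'] + report['tn']} clean "
          f"(false positive rate {report['false_positive_rate']:.0%})")
    print("missed:", ", ".join(report["missed"]) or "none")
    print("whitelist candidates:", ", ".join(report["whitelist_candidates"]) or "none")
    print("whitelisting strategy needs work:", needs_whitelisting(report))
```

Keeping the two error lists, not just the rates, is the useful part: the missed samples tell you which threat types the product is blind to, and the blocked clean files (here a UPX-packed tool and a macro template, tying back to the packed-file and document tests above) tell you where the product is reacting to the wrapper rather than the content.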
The Bottom Line
Extra security testing takes time, but it’s time well spent for companies that care about their future. Even the most inefficient practices can be smoothed out with enough practice and time. You can also look for better programs that feature more advanced tactics for blocking threats before they ever reach your attention. Sophos has worked on perfecting its end-to-end security so you can rest easier about the strength of your systems.
To view more tips from Sophos, view the whitepaper on endpoint security testing. You can also contact us to see how we can help your organization test, or determine the appropriate endpoint security solution for you.