Cybersecurity Awareness Series: How Are My Endpoints Being Used?

Welcome to Cybersecurity Awareness Month! Throughout this month, we will explore a series of topics that revolve around essential questions to ask when reviewing your cybersecurity posture. Given the dynamic and complex nature of this field, we aim to initiate meaningful discussions within your organization. As the month continues, we hope these topics will spark valuable conversations and empower you to navigate this ever-expanding landscape effectively.

Question:
How are my endpoints being used?

The question of what truly occurs on your endpoints has been a topic of discussion for as long as computers have been integrated into the workplace. Over the years, various solutions have emerged, offering ways to inventory, conduct health checks, geo-track, and update endpoints within an organization. However, these solutions often overlook the day-to-day activities of users, such as machine usage patterns, specific applications accessed, modifications made, and the amount of time spent on the endpoints.

In essence, while existing software provides valuable data on the technical aspects of endpoints, it falls short in capturing the nuanced behaviors and daily actions of users that could have a tremendous impact on security and productivity. Understanding these user-centric activities is crucial for gaining comprehensive insights into endpoint usage, understanding and addressing potential risks, and allowing organizations to make informed decisions that align with both technical requirements and user behavior.

Let’s discuss several crucial areas of awareness that are frequently overlooked, and how gaining awareness of end-user activity can impact the organization:

Understand what is running on your machines and when those applications change

Going beyond the surface-level 'application inventory,' it is vital to comprehend what is both installed and actively running on your endpoints. Truly understanding applications and processes in use involves vigilant tracking of restricted or unknown applications that could pose serious security threats. Unauthorized software can become entry points for cyberattacks, compromising data integrity and network security. Real-time monitoring and swift action to address unauthorized or suspicious applications are critical in safeguarding your organization.

Similarly, keeping an eye on newly installed applications is vital. Endpoint users may install software for legitimate purposes, but without proper oversight, it can lead to compatibility issues, system slowdowns, and potential security risks. By closely monitoring newly installed applications, organizations ensure compliance with security policies, license agreements, and performance standards.

To achieve this, deploying robust endpoint management solutions is essential. These solutions continuously track applications, issue alerts for unusual activities, and empower IT administrators to take rapid action.
Understand how and when applications are used and how this impacts your organization

It's imperative to have robust analysis capabilities that provide in-depth insights into application usage statistics, file activity within these applications, and even instances of off-hours application access. These behavioral insights gathered from endpoints can serve as early indicators of a wide spectrum of potential issues, ranging from workflow inefficiencies to potentially malicious process usage.

One key aspect of endpoint awareness involves tracking the usage patterns of applications and their associated files by employees. Understanding when and for how long these applications are in use provides a critical dimension to endpoint monitoring. High levels of application activity, depending on the specific application or user, can be a significant cause for concern, just as a lack of activity can raise its own set of questions.

Another key aspect is the capability to be alerted any time new, unapproved, or high-risk applications are added to your endpoints or are in use. For example, upon inspecting application usage patterns and newly installed processes, organizations often find underlying issues such as:

- Employees utilizing unapproved or private cloud repositories via FTP
- Employees installing productivity-killers such as mouse-movers, gaming, or macros
- Unknown open-source applications that have an unknown security profile
- Shortcuts or applications that put data at risk by moving it outside secured channels
- Development or technical tools downloaded to a non-development machine by a tech-savvy user
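The checks described in the two sections above (inventory changes, unapproved or high-risk applications, and off-hours use) can be expressed as a small review pass over endpoint process-start events. The following is an added illustration, not innerActiv's code; the event records, the per-host baseline, the approved list and the executable names in the high-risk table are all constructed for the example.

```python
from datetime import datetime, time

# Constructed sample of endpoint process-start events (not real telemetry).
EVENTS = [
    {"host": "ws-101", "user": "alice", "app": "excel.exe", "ts": "2023-10-09T09:15:00"},
    {"host": "ws-101", "user": "alice", "app": "filezilla.exe", "ts": "2023-10-09T23:40:00"},
    {"host": "ws-102", "user": "bob", "app": "mousemover.exe", "ts": "2023-10-09T10:05:00"},
    {"host": "ws-103", "user": "carol", "app": "excel.exe", "ts": "2023-10-10T02:10:00"},
    {"host": "ws-102", "user": "bob", "app": "unknown-tool.exe", "ts": "2023-10-10T11:30:00"},
]

# Per-host baseline of applications already inventoried (constructed).
BASELINE = {"ws-101": {"excel.exe"}, "ws-102": {"excel.exe"}, "ws-103": {"excel.exe"}}
APPROVED = {"excel.exe", "outlook.exe"}
# Categories the article calls out (FTP clients, mouse-movers); hypothetical executable names.
HIGH_RISK = {"filezilla.exe": "FTP client", "mousemover.exe": "activity spoofer"}
WORK_START, WORK_END = time(7, 0), time(19, 0)


def is_off_hours(ts: str) -> bool:
    """True for weekend use or use outside the WORK_START..WORK_END window."""
    dt = datetime.fromisoformat(ts)
    return dt.weekday() >= 5 or not (WORK_START <= dt.time() < WORK_END)


def review_events(events, baseline):
    """Return one finding per event that needs attention, with its reasons."""
    seen = {host: set(apps) for host, apps in baseline.items()}
    findings = []
    for ev in events:
        reasons = []
        host_apps = seen.setdefault(ev["host"], set())
        if ev["app"] not in host_apps:
            reasons.append("new on host")      # change to the application inventory
            host_apps.add(ev["app"])           # report the change only once per host
        if ev["app"] in HIGH_RISK:
            reasons.append(f"high-risk: {HIGH_RISK[ev['app']]}")
        elif ev["app"] not in APPROVED:
            reasons.append("unapproved")
        if is_off_hours(ev["ts"]):
            reasons.append("off-hours")
        if reasons:
            findings.append((ev["host"], ev["user"], ev["app"], reasons))
    return findings


if __name__ == "__main__":
    for host, user, app, reasons in review_events(EVENTS, BASELINE):
        print(f"{host} {user:<6} {app:<18} {', '.join(reasons)}")
```

An approved application used at an unusual hour (carol's spreadsheet at 02:10) is still reported, which is the "lack of activity versus unexpected activity" dimension the text describes rather than a block decision.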

Understand where data is stored and how it is used across various machines

As each year passes, data mobility across various endpoints, including the cloud and external devices, continues to increase. While network-based security systems can detect some data movements, many instances go unnoticed, especially when dealing with privileged users or data transfers that occur while computers are offline. Users often duplicate frequently accessed data, store backups of projects or contact lists on personal drives, or use unauthorized cloud storage to ensure constant access to essential information. Although these actions are typically done with good intentions to expedite daily tasks, they can pose a significant threat to data security, often resulting in data leakage. Conversely, malicious actors who hoard data or surreptitiously move it to locations they control are the reason data access and storage must be carefully inventoried across multiple devices.

In a relevant case study, innerActiv was introduced to an organization specializing in the manufacturing and sale of building materials. Despite having multiple layers of data security measures in place, the organization sought to enhance their data monitoring capabilities with a focus on user-centric monitoring. Within this industry, two primary forms of valuable data emerged as critical assets: proprietary material formulas and specifications, as well as a set of "sales calculator" documents used by sales representatives to generate quotes and price materials for customers. Any compromise of these assets would result in substantial sales losses to competitors.

Upon implementing monitoring, it quickly became evident that even though these assets were assumed to be heavily monitored and secured, various components and data fragments were scattered across different devices and servers. Over time, these data elements had been duplicated, stored in download folders and backup locations, partially converted to different formats, and distributed to users who did not require daily access. Once the extent of the issue was fully comprehended, new policies were crafted, monitoring efforts were refined, and storage challenges were systematically resolved.

Understand how machines are being used off-network and off-site

One of the most significant challenges companies have encountered in recent years is the management and security of off-network or remote employees. Handling these employees' workflows and schedules is already a complex task, and the widespread adoption of remote work has led to a substantial increase in data security incidents and productivity-related setbacks.

From a data perspective, it is crucial to collect data points on the access patterns of sensitive files and data sources. These access patterns, whether occurring on or off the network, can serve as indicators of unusual data usage or usage by unauthorized internal users. Additionally, concerning trends, such as irregular application usage, access during unconventional hours, repeated access to large volumes of data, and significant deviations in workflow patterns between office and remote work schedules, can signal potential issues that may harm the organization.

Regarding productivity, the advent of remote work and flexible employment arrangements has given rise to new trends like "gig-working," where employees may hold multiple positions concurrently. This presents not only concerns about time theft but also raises confidentiality and data cross-contamination issues between different roles. In industries where time sensitivity is critical, such as customer service and business process outsourcing (BPO), employees who divide their attention, employ mouse-movers to feign activity, or do not adequately address data security can cause not just time losses but financial losses.

Having the ability to track and analyze both usage and security patterns and gaps regardless of the endpoint’s location is critical.

By achieving a comprehensive understanding of the activities on endpoints, the impact on data, and how employees utilize these endpoints and their resources, it is possible to safeguard both security and productivity. While tracking every action of an endpoint is a challenging endeavor, the deployment of robust endpoint monitoring and protection software, in conjunction with existing network-based endpoint tools, can swiftly elevate awareness and reveal previously unnoticed issues within the environment.

As we reach the middle of Cybersecurity Awareness Month, we’ll continue to discuss cybersecurity training, what should be covered, and how to tell if it’s actually working.
