Thursday, March 16, 2017

Endpoint protection

Endpoint protection is a core concept of any company’s digital security. It helps a company defend against Internet-based breaches and data loss, and it provides barriers against malware, data theft and network intrusion. A company generally offers many services through its endpoints. The type and number of endpoints, how they are hosted (on site, in a virtualized environment or in the cloud), the management tools required for on-site, remote or mobile devices, and the performance and support expectations all determine the choice of endpoint protection vendor. Reviewers of endpoint protection technologies indicate that the size of the company does not matter to the endpoints being protected, and endpoint protection typically scales to hundreds or thousands of endpoints.
Let us take a look at the architecture behind this offering. An endpoint device is an Internet-capable hardware device on a TCP/IP network with an address and a port to which clients can connect. Typically the endpoint is a web service or application of any size that can be reached over, say, HTTP or HTTPS. The devices hosting the applications can be cloud-based servers, on-site web farms, desktop computers, laptops, smartphones, tablets, thin clients, printers or other specialized hardware such as POS terminals and smart meters.
Policies are associated with endpoints and are managed as network rules and firewalls within an organization. A system administrator may segment the network, secure access via firewalls, disable ports and establish static rules to prevent undesirable access to the devices hosting endpoints. Software tools can manage these centrally for a fleet of computers, whether on premise or in the cloud. Such tools are usually associated with system center management platforms.
Another technique is to use an HTTP proxy. As a man in the middle, it does not require any change to the server offering the services and is capable of performing the same mitigations that could have been taken on that server. An HTTP proxy like Mashery can also monitor and measure incoming traffic, providing detailed statistics on a variety of metrics. Proxies can not only relay traffic but also filter it, and they support promiscuous-mode listening. In our case we have a transparent proxy that does not modify the requests or responses. Proxies can also be forward or reverse. A forward proxy helps with anonymity in that it retrieves resources from the web on behalf of the users behind the proxy. A reverse proxy is one that secures the corporate resources from outside access. This comes in handy for maintaining quarantine lists to stage access to the protected resources. Network address translation is a useful concept in this regard; it is also referred to as fencing when used with virtual machines. A reverse proxy can do several things such as load balancing, authentication, decryption or caching. Because clients treat the proxy as just another server, they don't know which server processed the request. The reverse proxy can distribute the load across several servers, so the configuration is not just a failover but a load-balancing one. SSL acceleration is another option, where the proxy provides hardware acceleration and a central place for SSL connectivity for clients.
The proxy can also choose to serve or cache static content, facilitate compression, or communicate with the firewall server, since the rules on the firewall server can now be simplified. Firewalls can also use proxies, and these can be transparent or opaque. Thus the proxy is a very useful technique for protecting endpoints.
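The routing decisions such a reverse proxy makes, as an added example in Python that is not part of the original post and not the code of any product mentioned here (Mashery included): a quarantine list is checked before any backend is touched, requests are spread round-robin across a pool of servers that clients never see directly, and static responses are cached so repeated requests never reach a backend. The backends, client addresses and quarantine range are constructed for the demonstration.

```python
"""Request-routing core of a reverse proxy (added example; constructed data).

Models three jobs the post assigns to a reverse proxy:
  * a quarantine list that turns clients away before any backend is touched,
  * round-robin load balancing across a pool of backend servers, and
  * caching of static content so repeated requests never reach a backend.
Backends are plain Python callables so the whole thing runs offline.
"""
from collections import OrderedDict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import cycle
from typing import Callable, Dict, List, Optional, Tuple

Backend = Callable[[str], Tuple[int, str]]  # path -> (status, body)


@dataclass
class Decision:
    action: str              # "denied", "cache_hit" or "forwarded"
    backend: Optional[str]   # backend that answered, if one was used
    status: int
    body: str


class ReverseProxy:
    STATIC_SUFFIXES = (".css", ".js", ".png", ".ico")

    def __init__(self, backends: Dict[str, Backend], quarantine: List[str],
                 cache_size: int = 64) -> None:
        if not backends:
            raise ValueError("at least one backend is required")
        self._backends = backends
        self._rr = cycle(sorted(backends))  # deterministic round robin
        # strict=False lets an operator write a host address such as 203.0.113.9/24
        self._quarantine = [ip_network(q, strict=False) for q in quarantine]
        self._cache: "OrderedDict[str, Tuple[int, str]]" = OrderedDict()
        self._cache_size = cache_size

    def is_quarantined(self, client_ip: str) -> bool:
        addr = ip_address(client_ip)
        return any(addr in net for net in self._quarantine)

    @classmethod
    def is_static(cls, path: str) -> bool:
        return path.lower().endswith(cls.STATIC_SUFFIXES)

    def handle(self, client_ip: str, path: str) -> Decision:
        # 1. Quarantined clients never reach a backend.
        if self.is_quarantined(client_ip):
            return Decision("denied", None, 403, "forbidden")
        # 2. Static content already seen is served from the proxy's cache.
        if self.is_static(path) and path in self._cache:
            self._cache.move_to_end(path)  # keep LRU order
            status, body = self._cache[path]
            return Decision("cache_hit", None, status, body)
        # 3. Everything else is relayed unchanged to the next backend in the pool.
        name = next(self._rr)
        status, body = self._backends[name](path)
        if self.is_static(path) and status == 200:
            self._cache[path] = (status, body)
            if len(self._cache) > self._cache_size:
                self._cache.popitem(last=False)  # evict least recently used
        return Decision("forwarded", name, status, body)


def make_backend(name: str) -> Backend:
    """Constructed stand-in for a real web server in the pool."""
    def serve(path: str) -> Tuple[int, str]:
        if path.startswith("/admin"):
            return 404, "not found"
        return 200, f"{name} served {path}"
    return serve


def demo() -> List[Decision]:
    """Runs four constructed requests through a two-server pool."""
    proxy = ReverseProxy(
        backends={"web1": make_backend("web1"), "web2": make_backend("web2")},
        quarantine=["203.0.113.0/24"],   # constructed quarantine range (TEST-NET-3)
    )
    requests = [
        ("198.51.100.7", "/index.html"),  # dynamic: forwarded to web1
        ("198.51.100.7", "/app.js"),      # static, first time: forwarded to web2, cached
        ("198.51.100.8", "/app.js"),      # static, second time: served from cache
        ("203.0.113.9", "/index.html"),   # quarantined client: denied
    ]
    return [proxy.handle(ip, path) for ip, path in requests]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The quarantine check runs before any backend or cache lookup, which is the ordering that matters: a quarantined client must not be able to learn what is cached or which server is behind the proxy. The cache is keyed on the path only, which is acceptable for anonymous static assets but would be wrong for any response that depends on the requesting user.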
Another technique is to use a variety of intelligent, lightweight sensors that capture and record all relevant endpoint activity, ensuring true visibility across the environment. They may come with a small footprint, no reboot, no daily AV definitions, no user alerts and no impact on the endpoints, and they protect both offline and online access. CrowdStrike is well known for using this kind of technique. The use of distributed sensors also implies a centralized analysis service that can be hosted in the cloud so that it can scale arbitrarily. Together, the sensors and services let this kind of platform crunch large amounts of data and form the so-called ThreatGraph. By correlating billions of events in real time and applying graph-based techniques, a ThreatGraph can quickly draw links between events and adversary activity. It’s a powerful and massively scalable graph database that can be used with machine learning techniques to detect patterns. More on some of the machine learning techniques can be read in my blog post here.
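A miniature version of that correlation, as an added example in Python that is neither the original post's code nor CrowdStrike's implementation: constructed sensor events from three workstations are loaded into one graph whose nodes are hosts, processes, remote addresses and files, and the questions an analyst would ask (which hosts are tied to an address, what spawned a given process, where an Office application launched a shell) become short walks over that graph rather than searches through raw logs. Host names, addresses and the file hash are constructed, and the two-hop radius of the host query is an assumption chosen for the example.

```python
"""A toy 'threat graph' built from endpoint sensor events (added example; not
CrowdStrike's implementation). Sensor events are ingested into one graph whose
nodes are hosts, processes, remote addresses and files, so that a question such
as "which hosts are tied to this address?" or "what spawned this shell?" becomes
a short graph walk instead of a search through raw logs."""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Set, Tuple

Node = Tuple  # ("host", name) | ("proc", host, pid) | ("ip", addr) | ("file", sha256)

# Constructed sensor telemetry: three workstations, one of which shows an Office
# document spawning PowerShell that writes a file and calls out to an address
# another workstation also contacts. Addresses are from the documentation ranges
# and the hash is a placeholder, not a real indicator.
EVENTS = [
    {"type": "process", "host": "ws-01", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "process", "host": "ws-01", "pid": 200, "ppid": 100, "image": "winword.exe"},
    {"type": "process", "host": "ws-01", "pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"type": "network", "host": "ws-01", "pid": 300, "dst": "203.0.113.5"},
    {"type": "file", "host": "ws-01", "pid": 300, "sha256": "<constructed-hash-1>"},
    {"type": "process", "host": "ws-02", "pid": 500, "ppid": 1, "image": "svchost.exe"},
    {"type": "network", "host": "ws-02", "pid": 500, "dst": "203.0.113.5"},
    {"type": "process", "host": "ws-03", "pid": 700, "ppid": 1, "image": "chrome.exe"},
    {"type": "network", "host": "ws-03", "pid": 700, "dst": "198.51.100.20"},
]


class ThreatGraph:
    def __init__(self) -> None:
        self.adj: Dict[Node, Set[Node]] = defaultdict(set)
        self.attrs: Dict[Node, dict] = {}   # per-process attributes (image, parent)

    def add_edge(self, a: Node, b: Node) -> None:
        self.adj[a].add(b)
        self.adj[b].add(a)   # stored undirected so a query can walk either way

    def ingest(self, events: Iterable[dict]) -> None:
        for ev in events:
            proc = ("proc", ev["host"], ev["pid"])
            self.attrs.setdefault(proc, {})
            self.add_edge(("host", ev["host"]), proc)
            if ev["type"] == "process":
                parent = ("proc", ev["host"], ev["ppid"])
                self.attrs[proc].update(image=ev["image"], parent=parent)
                self.add_edge(proc, parent)
            elif ev["type"] == "network":
                self.add_edge(proc, ("ip", ev["dst"]))
            elif ev["type"] == "file":
                self.add_edge(proc, ("file", ev["sha256"]))

    def within(self, start: Node, hops: int) -> Set[Node]:
        """Breadth-first walk: every node reachable from start in <= hops edges."""
        seen = {start}
        frontier = deque([(start, 0)])
        while frontier:
            node, dist = frontier.popleft()
            if dist == hops:
                continue
            for nxt in self.adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append((nxt, dist + 1))
        return seen

    def hosts_linked_to(self, node: Node, hops: int = 2) -> Set[str]:
        """Hosts within a few hops of an indicator (ip, file or process node)."""
        return {n[1] for n in self.within(node, hops) if n[0] == "host"}

    def lineage(self, proc: Node) -> List[str]:
        """Process ancestry from the oldest recorded ancestor down to proc."""
        chain: List[str] = []
        while "image" in self.attrs.get(proc, {}):
            chain.append(self.attrs[proc]["image"])
            proc = self.attrs[proc]["parent"]
        return chain[::-1]

    def office_spawned_shell(self) -> List[Node]:
        """Pattern query: a scripting shell whose parent is an Office application."""
        office = {"winword.exe", "excel.exe", "outlook.exe"}
        shells = {"powershell.exe", "cmd.exe", "wscript.exe"}
        hits = []
        for proc, a in self.attrs.items():
            if a.get("image") in shells:
                parent_image = self.attrs.get(a["parent"], {}).get("image")
                if parent_image in office:
                    hits.append(proc)
        return hits


def build_demo_graph() -> ThreatGraph:
    g = ThreatGraph()
    g.ingest(EVENTS)
    return g


if __name__ == "__main__":
    g = build_demo_graph()
    print("hosts tied to 203.0.113.5:", g.hosts_linked_to(("ip", "203.0.113.5")))
    print("lineage of ws-01 pid 300:", g.lineage(("proc", "ws-01", 300)))
    print("office -> shell:", g.office_spawned_shell())
```

The point of the graph shape is that one indicator (the shared address, the dropped file, the suspicious parent-child relationship) becomes a starting node, and everything connected to it across hosts is reachable in a bounded walk; a real platform adds time, billions of edges and a scoring layer on top, but the query pattern is the same.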
Survey research in network and intrusion analysis shows that many assessment techniques are reactionary and often too late, because attacks quickly escalate into a deluge. Sensors are also not able to discern the good from the bad. Therefore predictive algorithms, and precautionary load balancing and throttling between regions, have become an active area of study.

Conclusion: Endpoint protection is no longer a set of static rules but a field of work in itself.

#codingexercise
Find the number of palindromic paths in a matrix of letters.

// Counts the palindromic paths from the top-left cell (0,0) to the bottom-right
// cell (R-1,C-1) of A, moving only right or down (the usual reading of the exercise).
// Two cursors walk towards each other: (rs,cs) from the start and (re,ce) from the
// end. A path is palindromic when the letters under the two cursors agree at every
// step until the cursors land on the same cell or on adjacent cells.
// Initial call: GetPalinPathCount(A, R, C, 0, R-1, 0, C-1).
int GetPalinPathCount(char[,] A, int R, int C, int rs, int re, int cs, int ce)
{
    // Either cursor has left the grid.
    if (rs < 0 || rs >= R || re < 0 || re >= R || cs < 0 || cs >= C || ce < 0 || ce >= C) return 0;
    // The cursors have crossed, so the two halves no longer describe one path.
    if (rs > re || cs > ce) return 0;
    if (A[rs, cs] != A[re, ce]) return 0;
    // Same cell or adjacent cells: the path is complete and palindromic.
    if ((re - rs) + (ce - cs) <= 1) return 1;
    int ret = 0;
    ret += GetPalinPathCount(A, R, C, rs + 1, re - 1, cs, ce);   // start down, end up
    ret += GetPalinPathCount(A, R, C, rs + 1, re, cs, ce - 1);   // start down, end left
    ret += GetPalinPathCount(A, R, C, rs, re, cs + 1, ce - 1);   // start right, end left
    ret += GetPalinPathCount(A, R, C, rs, re - 1, cs + 1, ce);   // start right, end up
    return ret;
}
