Workstation security is a perennial topic. In an economy that is ever more digital and mobile, the smallest vulnerability can have catastrophic consequences.
1. Discover the initial infection as soon as possible
The attackers' main goal is to seize sensitive personal, industrial or commercial data: to encrypt it and hold it to ransom, to publish it, or even to disrupt the company's production. To do so they need an entry point, and that is often a user's workstation. Once compromised, and even without elevated privileges, it lets them move deeper into the information system.
To get there, attackers exploit two kinds of weakness: human ones, through increasingly targeted phishing (spear phishing), and poorly protected technical ones: RDP servers exposed to the Internet, unpatched applications, and so on. The aim is to identify these attacks as soon as they occur, before the attackers can go any further into the system, to stop the malicious process and to immediately block its spread from the compromised machine or application.
2. Adapt the level of security to the context
Securing the workstation was already hard enough inside the company's perimeter. With the proliferation of laptops, and the mobility situations specific to each organization, the task has become more complex.
Workstation protection can therefore no longer be a single static level; it must be dynamic, adapting to the context within the organization and to the different mobility situations. Examples include controlling which Wi-Fi networks are authorized, disabling Wi-Fi when a wired LAN connection is available, or blocking any connection other than the VPN while it is active (so the machine cannot be used as a pivot between two networks).
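The three rules above, encoded as a small context-to-policy evaluator, as an added example (not code from the article or from any product it describes). It takes a constructed snapshot of the host's interfaces and returns the actions an endpoint agent would enforce; when a VPN is up it also renders an nftables kill-switch that lets traffic leave only through the tunnel, the tunnel's own endpoint, DHCP and loopback. It goes one step beyond the text with a third rule: on an unauthorized Wi-Fi network with no VPN, the same fence is applied so that nothing but the VPN client's connection attempt can leave. Interface names, the SSID list and the VPN endpoint (an IP literal so that no DNS lookup is needed before the tunnel exists) are assumptions.

```python
"""Context-dependent workstation network policy (added example, not from the article)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

AUTHORIZED_SSIDS = frozenset({"corp-wlan"})  # assumed corporate SSID list


@dataclass(frozen=True)
class Iface:
    name: str
    kind: str                 # "ethernet" | "wifi" | "vpn"
    up: bool
    ssid: Optional[str] = None


@dataclass(frozen=True)
class VpnEndpoint:
    addr: str                 # IP literal: reachable before the tunnel (and DNS) is up
    proto: str                # "udp" | "tcp"
    port: int


def killswitch(tun: Optional[str], ep: VpnEndpoint) -> str:
    """nftables output policy: nothing leaves the host except via the tunnel,
    to the tunnel endpoint itself, DHCP (keeps the uplink lease alive) and loopback.
    With tun=None the same rules act as a pre-connect fence for the VPN client."""
    lines = [
        "table inet vpn_killswitch {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        '    oifname "lo" accept',
    ]
    if tun:
        lines.append(f'    oifname "{tun}" accept')
    lines += [
        f"    ip daddr {ep.addr} {ep.proto} dport {ep.port} accept",
        "    udp dport { 67, 68 } accept",
        "  }",
        "}",
    ]
    return "\n".join(lines)


def evaluate_policy(ifaces: List[Iface], ep: VpnEndpoint) -> Tuple[List[str], Optional[str]]:
    """Map the current network context to enforcement actions and an optional ruleset."""
    lan_up = any(i.kind == "ethernet" and i.up for i in ifaces)
    vpn = next((i for i in ifaces if i.kind == "vpn" and i.up), None)
    wifi = [i for i in ifaces if i.kind == "wifi" and i.up]
    actions: List[str] = []
    ruleset: Optional[str] = None

    if lan_up:
        # Rule 1: a wired link wins; shut Wi-Fi so the host cannot bridge two networks.
        for w in wifi:
            actions.append(f"disable {w.name}: wired link present")
    if vpn is not None:
        # Rule 2: VPN active -> no connection may bypass it (blocks pivoting through the host).
        ruleset = killswitch(vpn.name, ep)
        actions.append(f"apply kill-switch: egress only via {vpn.name}")
    elif not lan_up and any(w.ssid not in AUTHORIZED_SSIDS for w in wifi):
        # Rule 3 (extension of the article's rules): untrusted Wi-Fi without a VPN
        # gets a fence that only lets the VPN client reach its endpoint.
        ruleset = killswitch(None, ep)
        actions.append("untrusted SSID without VPN: block egress except VPN endpoint")
    return actions, ruleset


# Constructed snapshots (assumed names; not real hosts).
ENDPOINT = VpnEndpoint("203.0.113.10", "udp", 1194)   # assumed VPN gateway


def office() -> List[Iface]:
    return [Iface("eth0", "ethernet", True), Iface("wlan0", "wifi", True, ssid="corp-wlan")]


def cafe(vpn_up: bool) -> List[Iface]:
    ifs = [Iface("eth0", "ethernet", False), Iface("wlan0", "wifi", True, ssid="cafe-free")]
    if vpn_up:
        ifs.append(Iface("tun0", "vpn", True))
    return ifs


if __name__ == "__main__":
    for label, ifs in (("office", office()), ("cafe+vpn", cafe(True)), ("cafe", cafe(False))):
        acts, rules = evaluate_policy(ifs, ENDPOINT)
        print(label, acts)
        if rules:
            print(rules)
```

The point a practitioner tends to get wrong is the kill-switch itself: a rule set that drops everything except the tunnel interface also drops the encrypted packets the VPN client sends to its gateway over the physical uplink, so the tunnel can never come up. Hence the explicit accept for the endpoint address and port, and for DHCP so the lease survives.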
3. Protect with agents that analyze behaviour
It is always easier and less risky to detect a malicious element the moment it enters a host (workstation or server) and to block it immediately, before it spreads. That is the whole point of workstation protection. Traditional antivirus, which relies on signatures, is not enough against ransomware that keeps growing more sophisticated: an unknown, zero-day attack has no signature yet and so cannot be detected immediately that way.
To fill this gap, a behavioral HIPS (host intrusion prevention system) relies on an analysis of the normal behaviour of the host and its applications. When a legitimate application starts acting suspiciously, the system immediately raises an alert (or blocks the activity outright) to limit the risk of propagation. It is somewhat more complex to deploy, but it fits any type of organization and can cope with unknown, zero-day attacks.
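What "analysis of normal behaviour" looks like in code, as an added example (not code from the article or from any HIPS product it alludes to): a per-process heuristic fed by a stream of file-system events. It flags a process that, inside a sliding window, renames many files to a new extension or writes high-entropy (encrypted-looking) content into many distinct directories; a process on an allow-list of expected bulk writers (archivers, backup tools) only produces a warning, anything else is blocked. The event stream, process names, thresholds and the allow-list are constructed for the example; a real agent would get the events from a kernel file-system filter, ETW, eBPF or auditd.

```python
"""Behavioral ransomware heuristic over file-system events (added example, not from the article)."""
import math
from collections import defaultdict, deque
from typing import Dict, List, Optional

WINDOW_SECONDS = 10       # sliding window for per-process counters (assumed)
RENAME_THRESHOLD = 20     # extension-changing renames inside the window (assumed)
DIR_THRESHOLD = 5         # distinct directories receiving high-entropy writes (assumed)
ENTROPY_THRESHOLD = 7.0   # bits/byte; encrypted or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def _ext(path: str) -> str:
    base = path.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def _dirname(path: str) -> str:
    return path.rsplit("/", 1)[0]


class BehavioralMonitor:
    def __init__(self, expected_bulk_writers=frozenset()):
        self.expected = frozenset(expected_bulk_writers)   # tools allowed to mass-write
        self._renames = defaultdict(deque)                  # pid -> rename timestamps
        self._hot_dirs = defaultdict(dict)                  # pid -> {dir: last write ts}

    def observe(self, ev: dict) -> Optional[str]:
        """Feed one event; return "block", "warn" or None (nothing suspicious yet)."""
        pid, ts, op = ev["pid"], ev["ts"], ev["op"]
        tripped = False
        if op == "rename" and _ext(ev["path"]) != _ext(ev["new_path"]):
            dq = self._renames[pid]
            dq.append(ts)
            while dq and ts - dq[0] > WINDOW_SECONDS:   # drop events outside the window
                dq.popleft()
            tripped = len(dq) >= RENAME_THRESHOLD
        elif op == "write" and shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD:
            hot = self._hot_dirs[pid]
            hot[_dirname(ev["path"])] = ts
            for d in [d for d, t in hot.items() if ts - t > WINDOW_SECONDS]:
                del hot[d]
            tripped = len(hot) >= DIR_THRESHOLD
        if not tripped:
            return None
        # A legitimate, signed binary can still be the one doing the encrypting;
        # only tools expected to rewrite data in bulk get the softer verdict.
        return "warn" if ev["exe"] in self.expected else "block"


def sample_events() -> List[dict]:
    """Constructed event stream (not real telemetry)."""
    events = []
    # 1. winword.exe, a legitimate binary, renaming user documents to .locked
    for i in range(25):
        events.append({"ts": 100.0 + i * 0.1, "pid": 4242, "exe": "winword.exe", "op": "rename",
                       "path": f"/home/alice/docs/report{i}.docx",
                       "new_path": f"/home/alice/docs/report{i}.docx.locked"})
    # 2. 7z.exe, allow-listed, writing compressed output (entropy 8.0) into six directories
    blob = bytes(range(256)) * 16
    for i in range(6):
        events.append({"ts": 200.0 + i, "pid": 5151, "exe": "7z.exe", "op": "write",
                       "path": f"/home/alice/backup/dir{i}/archive.7z", "data": blob})
    # 3. an editor saving plain text: low entropy, benign
    events.append({"ts": 300.0, "pid": 6161, "exe": "vim", "op": "write",
                   "path": "/home/alice/notes/todo.txt", "data": b"buy milk\n" * 50})
    return events


def run(events: List[dict], monitor: Optional[BehavioralMonitor] = None) -> Dict[int, str]:
    """Return {pid: first verdict} for every process that tripped the heuristic."""
    monitor = monitor or BehavioralMonitor(expected_bulk_writers={"7z.exe", "restic"})
    verdicts: Dict[int, str] = {}
    for ev in events:
        v = monitor.observe(ev)
        if v and ev["pid"] not in verdicts:
            verdicts[ev["pid"]] = v
    return verdicts


if __name__ == "__main__":
    print(run(sample_events()))   # {4242: 'block', 5151: 'warn'}
```

Nothing here depends on a signature: the Word process is blocked on its twentieth rename because of what it is doing, not because of what its binary is. The trade-off is the one the text mentions: thresholds and the allow-list have to be tuned per organization, otherwise backup jobs and archivers generate noise.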
4. Actively block attacks and predict future attacks
Knowing how to stop an attack, known or unknown, is of course essential. But it is just as important to learn from those attacks in order to be better prepared next time. That is a role for endpoint detection and response (EDR) solutions: beyond the immediate response, their logs make it possible, after in-depth analysis, to assess how effective the detection was and to tune it.
Two approaches are possible. The cloud-centric one relies on a lightweight agent deployed on each workstation and brings all the promise of artificial intelligence, at the cost of requiring the workstations to be connected. The other relies on an autonomous agent that provides real-time active protection of each workstation while also supplying the data needed for post-attack analysis; third-party systems can then correlate these events, with the help of artificial intelligence where appropriate.
5. Secure the security tools themselves
Company information is the primary target of attackers. But the security of the protection tools themselves is also a major concern: if attackers manage to disable the protections, or worse, to obtain the privileged rights under which these solutions run, the door to the information system is wide open.
As with any hardware or software deployment, the aim is to minimize bugs and vulnerabilities, to apply a strict and appropriate configuration by default, and to take into account the attack surface these tools themselves represent: running with privileged rights, protection measures are a broad target. A security-by-design approach to their development should therefore be encouraged.