I’ve always tried to raise awareness about the importance of workstation security logs. Workstation endpoints are a crucial component of security and the first target of today’s bad guys. Look at news reports and you’ll find that APT attacks and outsider data thefts always begin with the workstation endpoint. So unless you want to ignore your first opportunity to detect and disrupt such attacks you need to be monitoring them.
For example, if you aren’t monitoring workstation endpoints you don’t know:
1) When the user is really physically present using the endpoint vs when an attacker is posing as the user while they are absent
2) When new executables start for the first time – a key indicator of an APT-agent
3) When new software is installed or existing code modified
4) Removable media and other devices are connected
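As an added example (not code from the original post), the Python below derives points 1, 2 and 4 from Windows Security-log records: console logon, lock and unlock events establish whether someone is physically at the keyboard; process-creation events (4688, which requires process-creation auditing to be enabled) reveal executables starting on a host for the first time; and device-recognition events (6416, Windows 10 and later) show removable media arriving. The event IDs are the standard Windows ones; the record layout, the baseline and the sample records are constructed for the example.

```python
"""Triage of Windows Security-log records from one workstation (added example)."""
from collections import defaultdict

# Windows Security event IDs used below.
LOGON = 4624            # An account was successfully logged on; LogonType 2 = console, 10 = RDP, 3 = network
LOGOFF = 4647           # User-initiated logoff
LOCKED = 4800           # The workstation was locked
UNLOCKED = 4801         # The workstation was unlocked
PROCESS_CREATE = 4688   # A new process has been created (needs "Audit Process Creation")
NEW_DEVICE = 6416       # A new external device was recognized by the system

# Constructed sample records, in the order they were written to the log.
SAMPLE_EVENTS = [
    {"time": "08:01", "host": "WS01", "id": LOGON, "user": "alice", "logon_type": 2},
    {"time": "08:02", "host": "WS01", "id": PROCESS_CREATE, "user": "alice",
     "image": r"C:\Windows\explorer.exe"},
    {"time": "08:05", "host": "WS01", "id": PROCESS_CREATE, "user": "alice",
     "image": r"C:\Program Files\Outlook\outlook.exe"},
    {"time": "12:00", "host": "WS01", "id": LOCKED, "user": "alice"},
    {"time": "12:20", "host": "WS01", "id": PROCESS_CREATE, "user": "alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"time": "12:21", "host": "WS01", "id": NEW_DEVICE, "user": "alice",
     "device": "USB Mass Storage Device"},
    {"time": "13:00", "host": "WS01", "id": UNLOCKED, "user": "alice"},
]

# Constructed baseline: images already known on each host (compared case-insensitively).
BASELINE = {"WS01": {r"C:\Windows\explorer.exe"}}


def first_seen_executables(events, baseline):
    """Return (host, image) pairs for process starts whose image path is not yet
    known on that host. The per-host set is extended as we go, so each new
    image is reported only once even if it starts many times."""
    seen = {h: {img.lower() for img in imgs} for h, imgs in baseline.items()}
    new = []
    for e in events:
        if e["id"] != PROCESS_CREATE:
            continue
        host_seen = seen.setdefault(e["host"], set())
        key = e["image"].lower()
        if key not in host_seen:
            host_seen.add(key)
            new.append((e["host"], e["image"]))
    return new


def activity_while_absent(events):
    """Flag process starts and device connections while nobody is at the console.
    Presence is set by a console logon (type 2) or an unlock; a lock or logoff
    clears it. Remote (type 10) and network (type 3) logons deliberately do not
    count as presence: the account is active, but the user need not be there."""
    present = defaultdict(bool)   # host -> someone physically at the keyboard?
    findings = []
    for e in events:
        host = e["host"]
        if (e["id"] == LOGON and e.get("logon_type") == 2) or e["id"] == UNLOCKED:
            present[host] = True
        elif e["id"] in (LOCKED, LOGOFF):
            present[host] = False
        elif e["id"] in (PROCESS_CREATE, NEW_DEVICE) and not present[host]:
            findings.append((e["time"], host, e["id"], e.get("image") or e.get("device")))
    return findings


if __name__ == "__main__":
    for host, image in first_seen_executables(SAMPLE_EVENTS, BASELINE):
        print(f"first run on {host}: {image}")
    for time, host, event_id, detail in activity_while_absent(SAMPLE_EVENTS):
        print(f"{time} {host} event {event_id} while console locked: {detail}")
```

On the sample data the Temp-folder `svchost.exe` is reported twice, once as a never-before-seen image and once as a process start while the console was locked; the USB device is reported once, for arriving while the console was locked. Either finding on its own is worth a look; both together on a workstation that also shows a network or remote logon for the same account is exactly the "attacker posing as the absent user" case the list above describes.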
That’s certainly true of endpoints connected to your internal network. But what about the occasionally connected (if ever) workstations of mobile and remote employees, outside sales and field forces, telecommuters, etc?
Beyond the points above, with mobile/remote endpoints you don’t have the luxury of analyzing their network traffic patterns because they aren’t visible to net-flow analyzers on your internal network. So you don’t have any opportunity to detect network signatures indicative of a compromised endpoint “phoning home” to its command and control center.
If you agree internal endpoints are important to monitor then you have to admit that mobile and remote ones are too. Some may counter that “internal endpoints” are a threat because they are on the internal network – mobile/remote systems are not. Well, if you don’t use a VPN, the first part of that statement may be true but the threat is far from eliminated.
True, attackers who gain access to a VPN-less mobile/remote endpoint can’t immediately start a network scan and begin directly attacking other systems on the internal network in order to extend the horizontal kill chain.
But advanced persistent threat actors commonly use other techniques that work just as well against mobile/remote endpoint users. Having gained control of that endpoint they can “become” the user and access any resource that user can. For instance attackers are known to drop infected files in file sharing locations accessible to that remote user and patiently wait for someone else on the inside to open that file.
At the end of the day, this is just another example of how there is no real solid boundary between our networks and the outside world. Perhaps there is one as far as packet routing goes, but not in terms of content. Getting hit by APT type attacks is nearly a foregone conclusion. So early detection is critical in order to stop real losses – like the information breaches that plaster the front page today. And the place to start is the endpoint – whether it’s technically on your internal network or not.
But how can you monitor remote systems that may be anywhere? About the only thing you can count on is for those systems to have web access via http or https. Today, such endpoints use VPNs less and less with the rise of web-based applications, the cloud, reverse proxies and other remote access technologies. So even if pulling entire event logs over the VPN were practical, it’s decreasing as an option.
The good news is that there are great ways to monitor mobile and remote systems in near real-time without a VPN, using just the restricted web-based access you can expect mobile and remote employees to have most of the time.
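The post does not name a particular mechanism, so the following is an added example of one design that fits the constraint just described, not the author's own product or code: a store-and-forward shipper on the endpoint that batches event records, POSTs them as JSON to a collector over HTTPS (outbound web access is all it needs), and keeps a bookmark of the last record the collector acknowledged so that an endpoint that is offline for hours or days neither loses records nor re-sends the ones already delivered. The collector URL, the JSON batch layout and the `flaky` transport used in the demonstration are assumptions made for this example; `https_post` is the real transport and is not exercised offline.

```python
"""Store-and-forward shipping of event records over HTTPS (added example)."""
import json
import ssl
import urllib.request


class EventSpool:
    """Local queue of (record_number, event) pairs plus the bookmark of the
    last record the collector has acknowledged. On a laptop this would be
    persisted to disk between runs; it is kept in memory here for brevity."""

    def __init__(self, bookmark=0):
        self.pending = []          # ordered list of (record_number, event_dict)
        self.bookmark = bookmark   # highest record number the collector has acknowledged

    def append(self, record_number, event):
        # Records at or below the bookmark were already delivered, e.g. when the
        # log is re-read after a reboot; drop them rather than ship duplicates.
        if record_number > self.bookmark:
            self.pending.append((record_number, event))


def https_post(url, payload, cafile=None):
    """Transport: POST one JSON batch. Certificate verification stays on;
    `cafile` optionally restricts trust to the collector's own CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return 200 <= resp.status < 300


def flush(spool, send, host, batch_size=2):
    """Ship pending records in log order and return how many were acknowledged.
    `send(payload) -> bool` is the transport. The loop stops at the first
    failed batch, so the collector always sees records in order and every
    record is delivered at least once; the bookmark advances only on success."""
    acked = 0
    while spool.pending:
        batch = spool.pending[:batch_size]
        payload = {
            "host": host,
            "since": spool.bookmark,   # lets the collector detect gaps
            "records": [{"n": n, "event": ev} for n, ev in batch],
        }
        try:
            ok = send(payload)
        except OSError:               # no network, TLS failure, timeout, ...
            ok = False
        if not ok:
            break
        spool.bookmark = batch[-1][0]
        del spool.pending[:len(batch)]
        acked += len(batch)
    return acked


if __name__ == "__main__":
    # Constructed demonstration: five records, the network is down on the first attempt.
    spool = EventSpool()
    for n in range(1, 6):
        spool.append(n, {"id": 4688, "record": n})
    attempts = []

    def flaky(payload):
        attempts.append(payload)
        if len(attempts) == 1:
            raise OSError("no network")
        return True

    print("first flush acked", flush(spool, flaky, "WS01"), "bookmark", spool.bookmark)
    print("second flush acked", flush(spool, flaky, "WS01"), "bookmark", spool.bookmark)
    # With real web access: flush(spool, lambda p: https_post("https://collector.example/ingest", p), "WS01")
```

Two points carry over to any real shipper of this kind. The bookmark must be written to disk only after the collector's acknowledgement, otherwise a crash between send and write silently drops records. And the collector should verify a per-endpoint credential and watch the `since` value for gaps or regressions, since a tampered endpoint can just as easily stop sending as send garbage.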