Endpoint Monitoring

Endpoints are the devices connected to a computer network: computers, servers, printers, and so on. Organizations must monitor endpoints to determine whether malicious activity is happening. Today, organizations monitor endpoints by installing software that watches all activity on the device and reports it to a central location. In essence, yes, the information technology department is spying on your company laptop. Policies and procedures must be put in place to ensure that this sensitive data is safeguarded. Cybersecurity professionals monitor multiple endpoints in a security operations center (SOC).

Figure: People monitoring alerts in a Security Operations Center (SOC)

Why Does this Matter?

This lesson is less applicable to home networks. But, if you ever have a job where the company issues you a computer, you can pretty much guarantee that the computer will have endpoint management software installed. You should be aware that every website you visit (even in private browsing windows), every application you launch, and every email you send will be tracked. If you are going into the cybersecurity career field, expect endpoint management to be something that every organization should adopt.

Learning Objectives

By the end of this exercise, you will be able to:

  • recognize different names for endpoint monitoring tools,
  • describe how endpoint monitoring software works, and
  • describe what can go wrong with endpoint monitoring.

Endpoint Monitoring Tools

The following tools are used to monitor endpoints. Their feature sets are converging over time.

  • Endpoint Detection and Response (EDR): These tools look for malware and suspicious activity on devices and can take action to quarantine threats. Experts use the data from these tools for forensic investigations.
    Figure: Central Logging. Endpoints send data to a server in the organization's data center.
  • Extended Detection and Response (XDR): These tools analyze data not just from endpoints, but the network, email, and other computing services in an organization.
  • Managed Detection and Response (MDR): With MDR, an organization installs EDR tools on its systems, but the monitoring and response are coordinated by a third party. This approach is commonly adopted by municipal governments, small businesses, and other organizations that lack dedicated cybersecurity teams. All MDR is EDR, but EDR is only MDR if it's managed by a third party. An MDR provider might monitor systems for hundreds of organizations in a SOC.
    Figure: Cloud EDR. Endpoint data is sent over the internet to a third party.
  • Antivirus/Antimalware: Tools like Microsoft Defender can be classified as "antivirus," but they often now include EDR features like centralized reporting and response. If home users say they use Microsoft Defender, they probably mean the standalone Microsoft Defender Antivirus that lives on their computers and does not centrally collect data. If a Chief Information Security Officer says that her organization uses Microsoft Defender, she probably means Microsoft Defender for Endpoint which includes centralized monitoring and reporting.

How Endpoint Monitoring Tools Work

This section describes how EDR tools live on your computer and what they do.

Operating System Modes

There are two modes in which software can run on your computer.

  • Kernel Mode. Software running in kernel mode is unrestricted. It can access any hardware, read memory, write memory, launch applications, etc. If something is running in the kernel, it can do whatever it wants; therefore, only the most trusted system tools should run in kernel mode. When kernel mode software crashes, the entire operating system can crash.
  • User Mode. Regular applications like web browsers, document editors, and games run in user mode. These applications cannot access hardware directly but have to ask the kernel for permission to access the hardware. Applications in user mode are typically isolated, meaning that Candy Crush cannot access the memory in your web browser's password manager. When a user mode program crashes, the operating system typically does not crash with it.

Hardware drivers (for things like graphics cards or network cards) are installed in kernel mode. You can see a list of drivers installed on Windows by pressing Windows Key+R, typing msinfo32, and expanding Software Environment > System Drivers. Apart from physical hardware, you might see drivers for virtual private network (VPN) software or EDR/antivirus.

Because EDR tools need to monitor all activity on the computer, they need to be installed in kernel mode.

What They Do

Client-side EDR software works with centralized EDR servers to perform the following actions.

  • Data collection. EDR tools gather data in real time and often send that data to a central server for analysis. The data includes files opened, applications run, websites visited, and more.
  • Behavioral analysis. Some EDR tools establish a normal baseline of activity and then look for deviations from that activity. For example, if a computer has never sent data to a foreign country, the first time that computer sends data to a foreign country a warning alarm could be raised.
  • Threat detection. EDR tools look for things like modifications to system files, unusual network activity, unsuccessful login attempts, etc.
  • Alerting. EDR tools alert administrators to suspicious activity. These alerts are typically presented in a centralized dashboard with relevant log data.
  • Investigation. If an alert warrants further investigation, EDR tools let administrators reconstruct a timeline of computer activity around an event.
  • Response. EDR tools can quarantine computers, delete files, or make other changes to mitigate threats.

Modern EDR tools use machine learning (often marketed as "AI") to detect and classify threats. But there are always risks of false positives and false negatives. A false positive is a benign action that gets flagged as malicious. For example, an employee might upload a document with social security numbers to the Internal Revenue Service (IRS), and that upload might be flagged as a potential leak of private information. But, in this case, it might not be a breach of security if the IRS requires social security numbers. A false negative is malicious activity that the EDR misses. For example, a criminal organization might develop a new ransomware tool. If an employee downloads this malware, the EDR might not flag the ransomware as malware until its signature is added to the EDR database.
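An added example (not code from the lesson) that runs the three detection styles just described over constructed telemetry: a per-host baseline of destination countries (behavioral analysis), an allowlist that suppresses the IRS-style false positive, and a signature lookup that misses a hash not yet in the database (a false negative). The host name, domains, hashes and the approved-destination list are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: the host, domains and hashes below are made up.
KNOWN_BAD = "sha256:constructed-known-malware-0001"
UNKNOWN_NEW = "sha256:constructed-new-ransomware-0002"  # not yet in the signature DB
SIGNATURES = {KNOWN_BAD}
APPROVED_UPLOADS = {"irs.gov"}  # business-approved upload destinations (assumed)

HISTORY = [  # earlier window, used only to learn what is "normal" for each host
    {"host": "laptop-17", "type": "net", "country": "US", "domain": "mail.example.com"},
    {"host": "laptop-17", "type": "net", "country": "US", "domain": "docs.example.com"},
]
NEW_EVENTS = [  # window being evaluated
    {"host": "laptop-17", "type": "net", "country": "US", "domain": "docs.example.com"},
    {"host": "laptop-17", "type": "net", "country": "RU", "domain": "cdn.example.net"},
    {"host": "laptop-17", "type": "upload", "domain": "irs.gov", "sensitive": True},
    {"host": "laptop-17", "type": "upload", "domain": "paste.example.org", "sensitive": True},
    {"host": "laptop-17", "type": "file", "sha256": KNOWN_BAD},
    {"host": "laptop-17", "type": "file", "sha256": UNKNOWN_NEW},
]

def build_baseline(events):
    """Behavioral analysis, step 1: which destination countries each host has used."""
    baseline = defaultdict(set)
    for e in events:
        if e["type"] == "net":
            baseline[e["host"]].add(e["country"])
    return dict(baseline)

def analyze(events, baseline, signatures, approved):
    """Return (host, rule, detail) alerts for the evaluated window."""
    alerts = []
    for e in events:
        host, kind = e["host"], e["type"]
        if kind == "net" and e["country"] not in baseline.get(host, set()):
            # Behavioral analysis: first contact with a country this host has never used.
            alerts.append((host, "new-destination-country", e["country"]))
        elif kind == "upload" and e["sensitive"] and e["domain"] not in approved:
            # Sensitive upload to an unapproved destination. The IRS upload is
            # suppressed by the allowlist, avoiding the false positive from the text.
            alerts.append((host, "sensitive-upload", e["domain"]))
        elif kind == "file" and e["sha256"] in signatures:
            # Signature match. UNKNOWN_NEW is never flagged: a false negative until
            # its signature is added to the database.
            alerts.append((host, "known-malware", e["sha256"]))
    return alerts

if __name__ == "__main__":
    for alert in analyze(NEW_EVENTS, build_baseline(HISTORY), SIGNATURES, APPROVED_UPLOADS):
        print(alert)
```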

CrowdStrike Debacle

CrowdStrike is a cybersecurity company that sells endpoint protection. CrowdStrike customers deploy the Falcon sensor to all endpoints. The Falcon sensor installs an operating system kernel driver that gives the sensor full visibility into all computer activity. The Falcon sensor sends data to CrowdStrike's servers for analysis. Like traditional antivirus, the sensor requires frequent updates so that it can detect emerging threats.

Figure: CrowdStrike (Source: Timon - stock.adobe.com)

On July 19, 2024, millions of Windows computer users were met with the dreaded "Blue Screen of Death" (BSOD). A bad EDR update pushed out by CrowdStrike was to blame.

Figure: Blue Screen of Death (BSOD)

All security tools require regular updates to address emerging threats. CrowdStrike researchers discovered new command and control (C2) malware infecting computers. So, CrowdStrike developed and deployed a "Channel File" that could detect the new C2 malware. Unfortunately, a bug in the Channel File or the sensor (or both) caused the Falcon sensor to crash. Because the Falcon sensor operated at the kernel level, the bug crashed the operating system. The Falcon sensor downloads updates automatically. Millions of people downloaded the Channel File update between midnight and the morning of July 19. When the code ran, the computers crashed. Only Windows computers were affected. In theory, a similar type of bug could have happened on Linux or macOS, but this particular bug only affected Windows.

CrowdStrike removed the bad Channel File from its update repository soon after the problem was discovered, but the damage had already been done. Because affected computers crashed, users could not simply log in to their computers and run an update. You can't run an update if you can't log in to your computer.

There were several fixes for the problem.

  • Boot into safe mode and delete the offending Channel File.
  • Boot normally and hope that the sensor downloads the fixed Channel File before it loads the existing (bad) one. Some suggested rebooting your computer 15 times in hopes of getting a fixed set of Channel Files.

Fortunately, the bug did not corrupt any data or cause any data leaks. However, flights were grounded, hospitals lost access to patient records, 911 systems went down, and Aunt Phyllis was unable to post on Facebook.

Dave Plummer gives an excellent overview of the CrowdStrike fiasco on his channel. Dave wrote a lot of code for the Windows operating system and knows what he's talking about. Consider subscribing to his channel.

CrowdStrike is not unique in deploying software with bugs. But organizations pay CrowdStrike to protect their systems, and CrowdStrike's software took their systems down. It could have been worse, but it was a wake-up call for every information technology department.
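The lesson does not state the root cause of the bad Channel File, so the following is an added, hypothetical example (not CrowdStrike's code or file format) of the general principle the incident illustrates: a component that runs at kernel level should treat its content updates as untrusted input, validate them first, and fall back to the last known good file rather than crash the machine. The JSON layout, field names and rule values are assumptions.

```python
import json

# Hypothetical update format (NOT the Falcon Channel File format, which the lesson
# does not describe): a version, a declared rule count, and the rules themselves.
def _doc(version, count, rules):
    return json.dumps({"version": version, "rule_count": count, "rules": rules})

# Constructed sample content. The "bad" update declares two rules but carries only one.
LAST_KNOWN_GOOD = _doc(290, 1, [{"id": 1, "pattern": "constructed-c2-indicator-a"}])
BAD_UPDATE = _doc(291, 2, [{"id": 2, "pattern": "constructed-c2-indicator-b"}])
GOOD_UPDATE = _doc(291, 2, [{"id": 2, "pattern": "constructed-c2-indicator-b"},
                            {"id": 3, "pattern": "constructed-c2-indicator-c"}])

class InvalidUpdate(ValueError):
    """Raised when an update fails structural validation."""

def validate(raw):
    """Parse and check an update before any privileged component consumes it."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise InvalidUpdate(f"not valid JSON: {exc}") from None
    rules = doc.get("rules") if isinstance(doc, dict) else None
    # The declared count must match what is actually present: a consumer that trusts
    # the count without checking could read past the data it was really given.
    if not isinstance(rules, list) or doc.get("rule_count") != len(rules):
        raise InvalidUpdate("declared rule_count does not match the rules present")
    for rule in rules:
        if not (isinstance(rule, dict) and isinstance(rule.get("id"), int)
                and isinstance(rule.get("pattern"), str)):
            raise InvalidUpdate(f"malformed rule: {rule!r}")
    return doc

def load_update(candidate, last_known_good):
    """Return (active_content, accepted). A rejected update leaves the previous,
    already-validated content active: detections are briefly stale, but the
    machine keeps running instead of crashing at boot."""
    try:
        return validate(candidate), True
    except InvalidUpdate as exc:
        print(f"update rejected, keeping last known good: {exc}")
        return validate(last_known_good), False

if __name__ == "__main__":
    for raw in (BAD_UPDATE, GOOD_UPDATE):
        active, accepted = load_update(raw, LAST_KNOWN_GOOD)
        print(accepted, "->", "version", active["version"], len(active["rules"]), "rule(s)")
```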

Challenge

  • Search the internet for EDR platform options. How would you choose the best fit for your organization?

Reflection

  • How should CrowdStrike update its Channel File update process?
  • How do you feel knowing that your company-owned laptop tracks everything that you do?

Key Terms

  • Endpoint: Any device that connects to a network and communicates with other devices or systems. Examples include computers, smartphones, tablets, servers, and IoT devices.
  • Endpoint Detection and Response (EDR): A cybersecurity solution that continuously monitors and collects data from endpoints to detect, investigate, and respond to security threats and incidents. EDR tools provide real-time visibility and advanced threat detection capabilities.
  • Extended Detection and Response (XDR): An integrated cybersecurity approach that extends beyond endpoints to include data from multiple security layers such as network, server, and email. XDR solutions provide a holistic view of threats across an organization's entire IT environment, enabling more effective detection and response.
  • Managed Detection and Response (MDR): A managed security service that combines technology and human expertise to detect, analyze, and respond to threats on behalf of an organization. MDR providers offer 24/7 monitoring, threat intelligence, and incident response services to enhance an organization's security posture.
  • Antivirus/Antimalware: Software designed to detect, prevent, and remove malicious software (malware) such as viruses, worms, trojans, ransomware, and spyware. Antivirus/antimalware solutions use signature-based detection, heuristic analysis, and behavioral monitoring to protect systems from known and emerging threats.
  • Kernel Mode: A privileged mode of operation for the CPU that allows unrestricted access to all system resources, including hardware and memory. In this mode, the operating system kernel and core system services run, enabling them to execute critical tasks and manage hardware directly.
  • User Mode: A restricted mode of operation for the CPU where applications and user-level processes run. In this mode, access to system resources is limited, and operations that require higher privileges must be requested through system calls to the kernel. This separation helps ensure system stability and security by preventing user applications from directly interacting with hardware or critical system components.