You're reading from A CISO Guide to Cyber Resilience

Product type: Book
Published in: Apr 2024
Publisher: Packt
ISBN-13: 9781835466926
Edition: 1st Edition

Author: Debra Baker

Debra Baker has 30 years of experience in Information Security. As CEO of TrustedCISO, Debra provides strategic cybersecurity CISO Advisory Services. She has an AI-first startup aiming to power through the pain of Third Party Vendor Assessment and Compliance. Previously, Debra was CISO at RedSeal, where she led the security program, successfully getting SOC 2 Type 2. Before that, she served as Regulatory Compliance Manager at Cisco. While at Cisco, she founded the cryptographic knowledge base CryptoDoneRight in collaboration with Johns Hopkins University. Debra was named one of the top 100 Women in Cybersecurity, "Women Know Cyber: 100 Fascinating Females Fighting Cybercrime."

Securing Your Endpoints

This chapter is about endpoint detection and response (EDR). Here, we will be discussing the importance of securing your endpoints. Securing your endpoints is critical; this includes laptops and servers. With the move to remote work, people working from their homes, and mobile working, endpoints are more exposed than ever. Do your employees have a home firewall? When I worked at Cisco, they sent us configured firewalls with steps to complete the setup. Most companies can’t afford to send out firewalls to everyone. There are solutions where you can test your home firewall setup to make sure it is configured properly.

In this chapter, we’re going to cover the following main topics:

  • Antivirus/anti-malware
  • Virtual private network (VPN)
  • Moving to remote work
  • Testing your home firewall
  • Network access control (NAC) and Zero Trust
  • Application firewall
  • Securing your browser
  • Turning on your application firewall
  • ...

Antivirus/anti-malware

I’m sure you are familiar with antivirus and anti-malware. Every laptop, computer, and server should have a good antivirus installed, including every Apple MacBook. An antivirus is essentially a program that is installed on your laptop or server and periodically scans your computer for any virus or malicious software. Today, the latest antivirus and anti-malware software goes by a new name: EDR, or endpoint protection platform (EPP) software. Essentially, EDR software provides antivirus, anti-malware, and response capabilities. Let me explain; the best EDRs have levels of service that you can purchase along with the software. If you purchase the full capabilities with 24/7 customer support, then you will have access to an incident response (IR) help desk that will respond in case of an infection or attack. For example, with CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Bitdefender, Carbon Black, and Malwarebytes, if you purchase...

Virtual private network (VPN)

When securing your endpoints, a VPN is necessary when you are away from the office or traveling, unless your company has a software-defined perimeter (SDP). I cover SDPs and Zero Trust in Chapter 11. Your company may have a VPN set up if they have an on-premise data center. Typically, you will connect to the company VPN in order to get access to the on-premise servers and applications. As more and more companies move to cloud-first postures, your company may not have one set up. If your company is cloud-first, then every service it uses is a SaaS. Your employees log in to M365 or Google Workspace, for example. The remote session is already being encrypted with TLS 1.2 or above. As more companies move to this posture, they may not have a VPN that you connect to. A VPN is not obsolete. When you are out and about away from your home Wi-Fi or company network, connecting to guest Wi-Fi, then you need to use a VPN. Be suspicious of any free VPN except for Proton...

Moving to remote work

When COVID hit, there was a massive move from workers being in the office to working from home. Suddenly, your home network security became a higher priority. Now, we are in more of a hybrid work situation, but many companies are allowing their employees to continue to work from home. I think this is great. I have been working from home since 2001. I found it to be the best option for me. Prior to COVID, there was a move in tech to work in the office. I was super disappointed when I interviewed with IBM, which was one of the pioneers in working from home in the 90s and had completely abolished the ability to work from home. One bright spot of COVID is that it forced people to work from home, and companies saw it works. Everyone is different, so for some, being in an office works better for them. I think it should be a personal choice. Of course, for new college graduates, I think working from the office is paramount if able for the first 2 years. At the same time...

Testing your home firewall

You are probably thinking, is my home firewall properly configured? Cisco sent preconfigured firewalls to each employee. Most companies can’t afford to send every employee a firewall. One way to ensure your employees’ home networks are secure is to have them run a test on them. Steve Gibson’s ShieldsUP web page provides a home firewall test that can be run: https://www.grc.com/x/ne.dll?bh0bkyd2. You could send this out to your employees to test their home firewalls. HackerTarget also offers a way to test your external firewall: https://hackertarget.com/firewall-test/. In addition, you can update your information security policy or acceptable use policy (AUP) to state that an employee can only connect to the company network with their company-assigned computer, and that phones or home computers can only be used for checking email.

Network access control (NAC) and Zero Trust

Another option is to scan all devices that attempt to connect to your work network. Typically, this is part of Zero Trust offerings, but it’s actually NAC, which has been around since the late 2000s. NAC provides scanning, ensuring that the operating system (OS) is patched. In addition, NAC will ensure that your antivirus and anti-malware are up to date on all devices before they are allowed to access your network. If your machine is company-issued, but the OS isn’t patched or the antivirus needs to be updated, then NAC would place you on a separate network to upgrade the software. This was set up at Cisco years before Zero Trust became a big topic. NAC is considered a building block of Zero Trust. At Cisco, if I brought in my personal laptop, it would not automatically connect to the Cisco internal Wi-Fi network. There was a website where you registered your device. NAC would scan your device to ensure the OS and antivirus...

Application firewall

To secure your endpoint, ensure the application firewall is turned on. The application firewall protects your computer from being attacked by another device on the same network. Whether you are running Microsoft Windows or macOS, the application firewall needs to be enabled. By default, Windows has the application firewall turned on; leave it that way. On macOS, the application firewall is off by default. You should ensure your baseline configuration for Macs is to enable the application firewall. Go to Settings | Network | Firewall to enable it. Some may say, “Well, I mainly connect to my work network, so it is secure.” This is not always the case. Zero Trust means anyone could be an attacker. The reason is that a user’s machine could have been hacked, and the user is unknowingly part of a botnet. What is a botnet? Essentially, hackers take over Internet of Things (IoT) devices such as cameras and lights that are directly connected to the...

Securing your browser

Everyone has a favorite browser, but I currently prefer Firefox. Brave is also a good browser that is based on Chrome; it has a lot of security functionality built in. Brave has built-in privacy. Brave provides safe browsing and search with a VPN (for an added fee). My only complaint is that it’s so safe, sometimes even after whitelisting a site, it may not work properly. Firefox also has some good blockers built in to protect you. You can also add Ghostery to your browser to add further blocking protections. Essentially, when you go to a website, you may have to allow an action on the site. This will prevent your computer from being harmed by a malicious website. Also, make sure you configure auto-update so that your browser stays updated on software patches and upgrades. Based on Chromium, Enterprise Browser is a web browser designed specifically for enterprise use. It features core security controls embedded within the browser itself, such as anti-phishing...

Turning on your application firewall

Traditional firewalls are devices, but there are also software firewalls. A network firewall is typically a device that sits between your internal network and the external network (the internet) and filters the network traffic. Software firewalls are applications you install, whether in the cloud, in VLANs, or on your OS, that filter the traffic going into and out of the device, which may itself be virtual. By default, you want a deny-by-default policy for both inbound and outbound traffic rather than allow-by-default.

Ensure the application firewall on your OS is enabled. macOS does not enable the application firewall by default. Go into your Mac’s System Settings | Network | Firewall and enable the firewall. By default, on Windows OS, the firewall is enabled. Open the Control Panel, then select Windows Security | Firewall and Network Protection | Firewall on.
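To turn the macOS baseline above into something you can check and enforce from a script, here is an added example (not from the book) that reads the application firewall and stealth-mode state with Apple's socketfilterfw tool and turns them on when run with --enforce; the sample messages the parser is checked against are constructed from that tool's output format, so the parsing part runs on any system.

```shell
#!/bin/sh
# Added example: audit (and optionally enforce) the macOS application firewall.
# Assumes the socketfilterfw tool that ships with macOS; needs sudo to enforce.
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Turn the text that socketfilterfw prints for --getglobalstate
# ("Firewall is enabled. (State = 1)") or --getstealthmode
# ("Stealth mode disabled") into "on", "off" or "unknown".
# State = 2 is the "block all incoming connections" mode, so it counts as on.
fw_state_from_output() {
    case "$1" in
        *"State = 0"*|*disabled*)             echo off ;;
        *"State = 1"*|*"State = 2"*|*enabled*) echo on ;;
        *)                                     echo unknown ;;
    esac
}

# Print the current state; with --enforce, switch the firewall and stealth
# mode on. Returns 0 when the firewall is on, 1 when off, 2 when not macOS.
audit_mac_firewall() {
    if [ ! -x "$SFW" ]; then
        echo "socketfilterfw not found; this is not a macOS host" >&2
        return 2
    fi
    state=$(fw_state_from_output "$("$SFW" --getglobalstate 2>/dev/null)")
    stealth=$(fw_state_from_output "$("$SFW" --getstealthmode 2>/dev/null)")
    echo "application firewall: $state, stealth mode: $stealth"
    if [ "$1" = "--enforce" ] && [ "$state" != on ]; then
        # Both calls need root; run the script with sudo for enforcement.
        "$SFW" --setglobalstate on && "$SFW" --setstealthmode on
        state=$(fw_state_from_output "$("$SFW" --getglobalstate 2>/dev/null)")
        echo "after enforcement: application firewall is $state"
    fi
    [ "$state" = on ]
}

# Run the audit when executed on a Mac; on other systems only the parser is usable.
if [ -x "$SFW" ]; then
    audit_mac_firewall "$@"
fi
```

Run it as `sudo sh mac-firewall-baseline.sh --enforce` from your MDM or login script; a non-zero exit means the host is out of baseline.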

Okta hack

The Okta hack was one of the biggest hacks of 2022. The LAPSUS$ hacker group bragged in a tweet on Twitter that they had hacked Okta. The tweets included screenshots of a customer support engineer’s computer:

Figure 5.1 ‒ LAPSUS$ announcing they had hacked Okta

Within the screenshots was a picture of the hacker logged in as a Cloudflare employee.

I was a CISO at this point, and someone at my company forwarded the tweets to me. Twitter (or X, as it is now called) is a good place to stay up on all of the latest hacks since hackers will brag on X. Also, there is a great number of cybersecurity researchers who post information on the site. If your company has an incident, then you need to do a write-up of the incident, detailing how you found out about it and the steps you took to address it. When there is an active incident at your company, you need to create a Tiger team or IR interim working group to focus on...

Summary

In summary, securing your endpoints is imperative to lower your company’s risk. Whether an employee takes their work laptop and connects it to a public Wi-Fi or clicks on a suspicious email, there are risks with your endpoints. Ideally, you want an advanced antivirus and anti-malware solution such as an EDR. Having a good EDR will both secure the endpoint and alert you and your security team if an event occurs.

In the next chapter, we will be covering backups. When building a security program, ensuring you have good offline backups is critical. Whether an employee makes a mistake or your company gets attacked by ransomware, you need good offline backups and a business continuity plan (BCP).
