Endpoints, The Law of Entropy and Evading Chaos

It is widely agreed that the universe naturally gravitates toward chaos, and the same principle that governs space applies to security environments. Endpoint devices are not immune. They, too, are subject to the natural law of entropy: they go from order to disorder without anyone intending it. The security posture of a device will “drift” or “decay” over time, and it does so in a reliable and predictable way.

Why it Happens

Well-functioning controls fail. The reasons vary: users disable controls, the underlying services those controls depend on are stopped or broken, or communication channels inside the operating system (OS) break or are disrupted in some way. Device encryption in particular carries a mathematical expectation that encryption working perfectly on a given device today will have failed on that device within three months. None of this requires an attacker; when controls fail, natural entropy, the movement from order to disorder, is a contributing cause.

Complicating Factors

Endpoints are like snowflakes: composed of the same material as one another, but arranged in unique ways. The average endpoint, for instance, runs multiple security tools at multiple different versions, which adds complexity and accelerates entropic decay. That set of attributes will change, inevitably, and when it does you need the visibility to be informed quickly, because the change may mean your security and risk posture is drifting toward more exposure or vulnerability.

Complexity is itself an exposure, and it comes with the constant demand to keep every one of those apps and controls working.

What to Do About It

Redefine the term “asset.” First, we need to evolve the definition of “asset” to align with how real-world security teams define it within the endpoint domain: an asset encompasses devices, data, users and apps. We need to be aware of the interplay between all four, because there are situations in which controls are in place and apps are consistent across devices, yet one user is using those tools and technologies differently than another. You have to monitor the entire environment on the endpoint to reduce the complexity and risk that come with all of those variables.

Trust, but verify, your security controls. It’s not enough to set and forget them. Installing encryption, for example, is not the whole job; you also need to confirm that it is actually active, and if something does change on that device, you need to be able to bring it back to health. Think about how to make sure your devices’ security controls remain on the devices and stay healthy.
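A minimal version of the drift-and-verify check described in the two points above, written as an added example for this article (it is not the article’s own code and not Absolute’s product code). It compares a known-good baseline snapshot of each endpoint against the latest snapshot, confirms the required controls (disk encryption, firewall, expected agent build) are in the state you believe they are in right now, flags devices that stopped reporting or were never baselined, and turns the findings into a per-device remediation queue. The snapshot field names, device names, users, app lists and the “required controls” policy are constructed sample data and assumptions for the example.

```python
from dataclasses import dataclass

# Constructed sample snapshots (not real telemetry). The field names are
# assumed names an inventory/agent feed might report; device names are made up.
BASELINE = {
    "LAPTOP-0231": {"disk_encryption": "on", "firewall": "on", "edr_agent": "7.2.1",
                    "user": "beth", "apps": {"excel", "outlook", "erp-client"}},
    "LAPTOP-0418": {"disk_encryption": "on", "firewall": "on", "edr_agent": "7.2.1",
                    "user": "raj", "apps": {"vscode", "git", "outlook"}},
    "LAPTOP-0555": {"disk_encryption": "on", "firewall": "on", "edr_agent": "7.2.1",
                    "user": "lee", "apps": {"outlook"}},
}
CURRENT = {
    # Beth's encryption quietly turned off and a remote-access tool appeared.
    "LAPTOP-0231": {"disk_encryption": "off", "firewall": "on", "edr_agent": "7.2.1",
                    "user": "beth", "apps": {"excel", "outlook", "erp-client", "anydesk"}},
    # Raj's agent reports an older build (failed or rolled-back update).
    "LAPTOP-0418": {"disk_encryption": "on", "firewall": "on", "edr_agent": "7.1.0",
                    "user": "raj", "apps": {"vscode", "git", "outlook"}},
    # LAPTOP-0555 stopped reporting; a device nobody baselined showed up instead.
    "LAPTOP-0902": {"disk_encryption": "off", "firewall": "off", "edr_agent": "7.2.1",
                    "user": "contractor", "apps": {"chrome"}},
}

REQUIRED_CONTROLS = {"disk_encryption": "on", "firewall": "on"}  # assumed policy
EXPECTED_AGENT = "7.2.1"                                          # assumed build
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    device: str
    issue: str
    detail: str
    severity: str
    action: str


def check_controls(device, snap):
    """Verify required controls are in the expected state now, not just installed."""
    findings = []
    for control, expected in REQUIRED_CONTROLS.items():
        observed = snap.get(control, "missing")
        if observed != expected:
            findings.append(Finding(device, f"{control}_not_{expected}",
                                    f"expected {expected}, observed {observed}",
                                    "high", f"re-enable {control} and re-verify"))
    observed_agent = snap.get("edr_agent", "missing")
    if observed_agent != EXPECTED_AGENT:
        findings.append(Finding(device, "agent_version_drift",
                                f"expected {EXPECTED_AGENT}, observed {observed_agent}",
                                "medium", "repair or reinstall the endpoint agent"))
    return findings


def detect_drift(baseline, current):
    """Walk every device seen in either snapshot and report how it drifted."""
    findings = []
    for device in sorted(baseline.keys() | current.keys()):
        before, now = baseline.get(device), current.get(device)
        if now is None:
            # Loss of visibility is itself high severity: nothing on this
            # device can be verified until it reports again.
            findings.append(Finding(device, "stopped_reporting", "no current snapshot",
                                    "high", "locate device; treat as unmanaged until it checks in"))
            continue
        if before is None:
            findings.append(Finding(device, "unbaselined_device", f"user={now.get('user')}",
                                    "medium", "enroll and baseline before granting data access"))
        else:
            new_apps = now["apps"] - before["apps"]
            if new_apps:
                findings.append(Finding(device, "new_software", ", ".join(sorted(new_apps)),
                                        "low", "review new software against the user's role"))
            if now["user"] != before["user"]:
                findings.append(Finding(device, "user_changed",
                                        f"{before['user']} -> {now['user']}",
                                        "medium", "re-check data access for the new user"))
        findings.extend(check_controls(device, now))
    return findings


def remediation_queue(findings):
    """Group actions per device, ordered so the worst devices come first."""
    queue = {}
    for f in sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.device)):
        queue.setdefault(f.device, []).append(f.action)
    return queue


if __name__ == "__main__":
    results = detect_drift(BASELINE, CURRENT)
    for f in results:
        print(f"{f.severity:<6} {f.device:<12} {f.issue:<24} {f.detail}")
    for device, actions in remediation_queue(results).items():
        print(device, "->", actions)
```

Two design points matter more than the details: a device that stops reporting is treated as a high-severity finding in its own right, because an endpoint you cannot see is one whose controls you cannot verify, and the controls check runs against the current snapshot rather than the baseline, so a control that was installed and healthy at enrollment still has to prove it is active today.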

See everything. Understand your environment: know what hardware you have, then go beyond the devices themselves to include intelligence about the applications and software on them, down to which applications an individual is actually using. All of this insight helps you assess risk.

Take an intent-based approach. Understanding user intent should not be overlooked. Take, for example, Beth in accounting. It’s not a matter of handing her a standard image or standard device configuration; rather, look at her role and the applications she uses, and support her with a purpose-configured machine. And let’s not forget the data on the device. Organizations rely on access to that data, it is often sensitive, and you need to protect it while still giving users the data access they need to do their jobs. Organizations benefit from this intent-based approach: not only is it less wasteful, because you are not overbuying hardware and software, but you also eliminate many security risks by factoring in the user persona and business purpose.

Disorganization threatens to seep into everyday life if we don’t focus on keeping things in order. The same can be said about endpoint environments. Unless you’re making deliberate moves to evade the chaos, you’re in for trouble.

Josh Mayfield


Josh Mayfield

Josh is Absolute’s Director of Security Strategy and works with Absolute customers to leverage technology for stronger cybersecurity, continuous compliance, and reduced risk on the attack surface. He has spent years in cybersecurity with a special focus on network security, threat hunting, identity management, and endpoint security. His research has been featured in leading security publications, and he is often cited by business and tech journalists for his analysis of cryptocurrencies, security operations, and attacker psychology.
