3.2 Host or Application Security Solutions

Endpoint Protection

Anti-virus and Anti-malware

Endpoint detection and response (EDR) = detects threats by more than signature matching - uses behavioral analysis and machine learning - can respond by isolating the system, quarantining the threat, or rolling back to a previous configuration

Data loss prevention (DLP) = tools and processes used to ensure that sensitive or critical information is not lost, misused, or accessed by unauthorized users - identifies sensitive or critical data across an organization, often classifying it by sensitivity - endpoint DLP (focuses on data at rest on end-user devices) - network DLP (focuses on data in transit) - cloud-based DLP (for data in cloud services)
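The "identify and classify" step above is easiest to see in code. The following is an added example, not from the original notes or from any DLP product: it scans constructed sample records for payment card numbers, uses the Luhn checksum to separate real card numbers from other 16-digit values, classifies each record, and masks the number so the finding can be logged without re-leaking the data. The records, the two-level classification scheme, and the function names are all assumptions made for this example.

```python
import re

# Constructed sample records (not from the page) of the kind an endpoint,
# network or cloud DLP engine inspects. Two contain real-format card numbers,
# one contains a 16-digit number that is not a card number.
SAMPLE_RECORDS = [
    "Invoice 2024-17: card 4111 1111 1111 1111 charged 42.00 EUR",
    "Tracking id 1234567812345678 shipped via courier",
    "Quarterly report attached, no payment details",
    "Refund to card 5500-0000-0000-0004 approved",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the cheap second check that turns a digit-run regex into a card detector."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_record(text: str) -> tuple:
    """Return (classification, redacted_text).

    A record is 'restricted' when it contains at least one Luhn-valid card
    number; such numbers are masked to their last four digits so the record
    can be logged or forwarded without re-leaking the data.
    """
    hits = 0

    def mask(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)        # digit run that is not a card number: leave it
        hits += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    redacted = CARD_RE.sub(mask, text)
    return ("restricted" if hits else "internal"), redacted


def scan_records(records):
    """Run the classifier over a batch; returns (index, classification, redacted) per record."""
    return [(i, *classify_record(r)) for i, r in enumerate(records)]


if __name__ == "__main__":
    for idx, cls, red in scan_records(SAMPLE_RECORDS):
        print(f"[{idx}] {cls:<10} {red}")
```

The regex alone would flag the tracking id in the second record; the Luhn check is what keeps false positives down, which matters because a DLP rule that blocks too much gets disabled by users.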

Next-generation firewall (NGFW) = also known as application layer gateway, stateful multilayer inspection, or deep packet inspection - can allow or block individual application features, identify attacks and malware, inspect encrypted traffic, and block access to URLs


Boot Integrity

TPM (trusted platform module) = computer chip (microcontroller) that securely stores artifacts used to authenticate the platform, such as passwords, certificates, or encryption keys - includes a cryptographic processor implementing the specification's cryptographic functions, a random number generator, and a key generator - TPMs are usually built with brute-force protection

UEFI BIOS Secure Boot = feature of the PC's UEFI firmware that only allows approved operating systems to boot; it prevents malware from taking over the PC at boot time - verifies the bootloader's digital signature, which must be signed with a trusted certificate - checks key operating system files and the ROM for any tampering

Trusted boot = the bootloader verifies the digital signature of the OS kernel, boot drivers, and startup files - before the drivers are loaded, ELAM (early launch anti-malware) checks every driver; a driver that is not trusted is not loaded

Measured boot = checks (measures) each startup component, from the firmware all the way to the boot drivers, and stores these measurements in the Trusted Platform Module (TPM) so they can be compared against known-good values later
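What "storing the measurements in the TPM" means in practice is the PCR extend operation: each component is hashed, and the hash is folded into a register that can only be extended, never set. The following is an added example written for these notes, not TPM firmware or any vendor's code; it simulates one SHA-256 PCR over a constructed four-stage boot chain and shows the two checks a remote verifier performs: the event log must reproduce the PCR, and the PCR must equal the known-good ("golden") value. The component images, the golden chain, and the function names are assumptions for the example.

```python
import hashlib

PCR_SIZE = 32  # one SHA-256 PCR; real TPMs hold several PCRs per hash bank

# Constructed boot chain (stand-in bytes, not real images): the order is the
# order in which measured boot hashes the components.
GOLDEN_BOOT_CHAIN = [
    ("firmware",    b"uefi-firmware-image-v1"),
    ("bootloader",  b"bootmgr-image-v1"),
    ("kernel",      b"kernel-image-v1"),
    ("boot-driver", b"storage-driver-v1"),
]


def measure(image: bytes) -> bytes:
    """Measurement of a component = hash of its bytes."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || digest).

    The register cannot be written directly, only extended, so the final
    value depends on every measurement and on their order.
    """
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(chain):
    """Simulate the boot: returns the final PCR value and the event log."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeros at power-on
    event_log = []
    for name, image in chain:
        digest = measure(image)
        event_log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, event_log


def replay_log(event_log) -> bytes:
    """Recompute the PCR a verifier would expect from the event log alone."""
    pcr = bytes(PCR_SIZE)
    for _, hexdigest in event_log:
        pcr = extend(pcr, bytes.fromhex(hexdigest))
    return pcr


def attest(pcr: bytes, event_log, golden_pcr: bytes) -> str:
    """Verifier logic: the log must reproduce the PCR, and the PCR must match the golden value."""
    if replay_log(event_log) != pcr:
        return "event log does not reproduce the PCR value"
    if pcr != golden_pcr:
        return "PCR differs from golden value: a boot component changed"
    return "ok"


if __name__ == "__main__":
    golden_pcr, golden_log = measured_boot(GOLDEN_BOOT_CHAIN)
    print("golden PCR:", golden_pcr.hex())
    tampered = [(n, b"bootkit-image" if n == "bootloader" else img) for n, img in GOLDEN_BOOT_CHAIN]
    pcr, log = measured_boot(tampered)
    print("tampered bootloader ->", attest(pcr, log, golden_pcr))
```

Note that measured boot by itself does not stop a modified component from running; it records the change so that attestation (or a TPM-sealed key such as a disk encryption key) can refuse to proceed. That is the difference from secure boot, which blocks the component up front.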


Application Security

Dynamic analysis (fuzzing) = sends random or malformed input to a running application and looks for anything out of the ordinary - tests for application crashes, server errors, and other unhandled exceptions
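A minimal mutation fuzzer makes the idea concrete. The following is an added example, not code from the original notes or from any fuzzing tool: it takes one known-good input, applies random bit flips, truncations, insertions and deletions, feeds each case to a constructed length-prefixed record parser, and records which exception types escape. A naive parser and a hardened parser are both included so the difference in results is visible: the naive one leaks a low-level `struct.error` on a truncated header, while the hardened one rejects every malformed case with a single controlled `ValueError`. The record format, the parsers, and the mutation operators are assumptions for the example.

```python
import random
import struct

# Toy target (constructed for this example): a record is a sequence of fields,
# each a 2-byte big-endian length followed by that many payload bytes.
SEED_INPUT = struct.pack(">H", 3) + b"abc" + struct.pack(">H", 1) + b"x"


def parse_record(data: bytes) -> list:
    """Naive parser: trusts that a full 2-byte header is always available."""
    fields, i = [], 0
    while i < len(data):
        (n,) = struct.unpack_from(">H", data, i)   # raises struct.error on a truncated header
        i += 2
        fields.append(data[i:i + n])
        i += n
    return fields


def parse_record_checked(data: bytes) -> list:
    """Hardened parser: malformed input is rejected with one controlled exception."""
    fields, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated field header at offset %d" % i)
        (n,) = struct.unpack_from(">H", data, i)
        i += 2
        if len(data) - i < n:
            raise ValueError("field length %d exceeds remaining %d bytes" % (n, len(data) - i))
        fields.append(data[i:i + n])
        i += n
    return fields


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation of a known-good input: bit flip, truncate, insert or delete a byte."""
    buf = bytearray(data)
    op = rng.choice(("flip", "truncate", "insert", "delete"))
    if op == "flip" and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "truncate" and buf:
        del buf[rng.randrange(len(buf)):]
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed_inputs, iterations=2000, seed=1) -> dict:
    """Mutation fuzzer: returns {exception name: first input that raised it}.

    Seeded so runs are reproducible; a real campaign would also save each
    crashing input to disk for triage.
    """
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng, rng.choice(seed_inputs))
        try:
            target(case)
        except Exception as exc:
            name = type(exc).__name__
            if type(exc).__module__ != "builtins":
                name = type(exc).__module__ + "." + name
            crashes.setdefault(name, case)
    return crashes


if __name__ == "__main__":
    for label, parser in (("naive", parse_record), ("checked", parse_record_checked)):
        found = fuzz(parser, [SEED_INPUT])
        print(label, {k: v.hex() for k, v in found.items()})
```

The point of the comparison is what a fuzzer actually reports: an unexpected exception type is a finding, a deliberate validation error is not. Triage is about classifying which of the two each crash belongs to.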


Application Hardening

Minimizing the attack surface by removing potential vulnerabilities and possible entry points.

Close all ports except the ones that are actually being used.

Some Registry changes indicate important security settings. Some applications change the Registry, but we usually don't know what is being changed.

Disk encryption - Full Disk Encryption (FDE) - prevents access to a drive; adversaries need to decrypt the disk to access the data inside - this is usually very challenging and often infeasible

Operating system hardening - each OS has its own hardening guidance - harden the OS with updates - harden the users with the principle of least privilege - limit each computer's access to other computers it does not need to connect to
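"Close all ports except the ones being used" is only enforceable if the baseline of expected listeners is written down and compared against the live host. The following is an added example for these notes, not a tool from any distribution: it parses a constructed listener table laid out like `ss -lntp` output, compares every network-reachable socket against an assumed allowlist of port-to-process pairs, and reports unexpected ports, ports owned by an unexpected process, and loopback-only services as informational. The sample output, the allowlist and the severity labels are assumptions for the example.

```python
import re

# Constructed listener table in the layout of `ss -lntp` output (not captured
# from a real host). One line per listening TCP socket.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=990,fd=7))
LISTEN  0       128      [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       511      *:80                 *:*                users:(("nginx",pid=1200,fd=6),("nginx",pid=1201,fd=6))
LISTEN  0       128      0.0.0.0:5900         0.0.0.0:*          users:(("x11vnc",pid=2300,fd=5))
"""

# Hardening baseline for this host (assumed for the example): port -> process allowed to own it.
ALLOWED_LISTENERS = {22: "sshd", 80: "nginx"}

LOOPBACK = {"127.0.0.1", "[::1]"}
PROCESS_RE = re.compile(r'\("([^"]+)"')


def parse_listeners(ss_output: str):
    """Parse listening sockets into (bind_address, port, process_name) tuples."""
    listeners = []
    for line in ss_output.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles "[::]:22" and "*:80" too
        proc = PROCESS_RE.search(line)
        listeners.append((addr, int(port), proc.group(1) if proc else "?"))
    return listeners


def audit_listeners(listeners, allowed):
    """Return findings for every socket that breaks the baseline.

    Loopback-only services are reported as informational; anything reachable
    from the network must be on the allowlist and owned by the expected process.
    """
    findings = []
    for addr, port, proc in listeners:
        if addr in LOOPBACK:
            findings.append(("info", port, proc, "bound to loopback only"))
        elif port not in allowed:
            findings.append(("high", port, proc, "unexpected open port; close it or add it to the baseline"))
        elif allowed[port] != proc:
            findings.append(("high", port, proc, "port owned by unexpected process (expected %s)" % allowed[port]))
    return findings


if __name__ == "__main__":
    for sev, port, proc, why in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT), ALLOWED_LISTENERS):
        print(f"{sev:<5} port {port:<5} {proc:<8} {why}")
```

Checking the owning process, not just the port number, is what catches a service that has been replaced or a second program squatting on an allowed port; a port-only check would pass it.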

Sandboxing - security mechanism used to isolate running programs, usually in a tightly controlled environment (security through isolation) - sandboxed applications can't access other resources in the host OS - you can run malicious software in a sandbox without affecting the host OS - virtual machine-based sandboxes - operating system-level sandboxes - application sandboxing - some sophisticated malware can detect the sandbox environment and change its behavior to evade analysis
