Endpoint Quarantine – Just-in-Time Security

Just-in-time Security (JITSec) is the application of remediation or mitigation techniques based on need at the time an endpoint requests access to a trusted network.

I am working on a taxonomy of the techniques used in JITSec. The process begins with identification of an endpoint on the wire, followed by an evaluation (the "frisk") of that endpoint, quarantining of any endpoint deemed unclean, and finally decontamination – the remediation process.

Here is the taxonomy:

Identification Techniques (the trigger to begin analysis)

  • Pre-identified ("always-on")
  • On ARP request
  • On IP address request to the DHCP server
  • On Authentication request
  • On HTTP GET for a URL

Analysis/Evaluation (how an endpoint is "frisked")

  • Check security software
  • Verify current antivirus/firewall settings
  • Check native system settings
    • patch levels
    • processes
    • registry settings
    • other config
  • Monitor network connection (IDS techniques, etc.)

Containment – this is the stage where JITSec differs from a standard NIPS, which simply blocks or drops traffic. Under JITSec the endpoint is assumed to be trusted yet contaminated, so it is confined to a special area for decontamination.

  • Self-containment (local software blocks access)
  • Assign public VLAN
  • Assign IP/Port/Protocol ACLs
  • Hide network

Remediation

  • Patch system
  • Modify configuration (remediate)
  • Update antivirus/IDS signatures
  • Update firewall policy

Recovery (return to good state)
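As an added example (not code from the original post), here is a small Python model of the stages above: a policy "frisk", a containment decision that restricts rather than drops, simulated remediation drawn from the Remediation list, and a re-frisk as the recovery gate. The thresholds, finding names and sample endpoint are constructed for illustration.

```python
from dataclasses import dataclass, replace
MIN_PATCH_LEVEL = 42    # constructed policy thresholds, not from the original post
MAX_SIG_AGE_DAYS = 7

@dataclass
class Endpoint:
    patch_level: int
    av_sig_age_days: int
    fw_enabled: bool

# Finding -> (remediation step from the post, posture fix applied when it succeeds)
REMEDIATION = {
    "missing_patches": ("patch system", {"patch_level": MIN_PATCH_LEVEL}),
    "av_signatures_stale": ("update antivirus signatures", {"av_sig_age_days": 0}),
    "firewall_disabled": ("update firewall policy", {"fw_enabled": True}),
}

def frisk(ep: Endpoint) -> list[str]:
    """Analysis/Evaluation: compare patch level and security software to policy."""
    findings = []
    if ep.patch_level < MIN_PATCH_LEVEL:
        findings.append("missing_patches")
    if ep.av_sig_age_days > MAX_SIG_AGE_DAYS:
        findings.append("av_signatures_stale")
    if not ep.fw_enabled:
        findings.append("firewall_disabled")
    return findings

def contain(findings: list[str]) -> str:
    """Containment: the host is trusted but contaminated, so restrict rather than drop."""
    if not findings:
        return "none"
    if "missing_patches" in findings:
        return "quarantine_vlan"   # only the remediation servers are reachable
    return "acl"                   # IP/port ACLs suffice for configuration drift

def remediate(ep: Endpoint, findings: list[str]) -> Endpoint:
    """Decontamination (simulated): apply each step's fix to the posture record."""
    for f in findings:
        ep = replace(ep, **REMEDIATION[f][1])
    return ep

def admit(ep: Endpoint) -> dict:
    """Frisk -> contain -> remediate -> re-frisk; recovery only when the re-frisk is clean."""
    findings = frisk(ep)
    return {"containment": contain(findings),
            "steps": [REMEDIATION[f][0] for f in findings],
            "recovered": frisk(remediate(ep, findings)) == []}

# Constructed sample: a laptop back from travel with stale AV signatures and old patches.
SAMPLE = Endpoint(patch_level=40, av_sig_age_days=30, fw_enabled=True)
```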