Esc

Endpoint Health Beacon

D3-EHB
D3-EHB (Endpoint Health Beacon)

Definition

Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised.

Synonyms: Endpoint Health Telemetry .

How it works

Endpoints are configured to periodically generate and transmit a secure heartbeat that is delivered on a configured schedule and provides endpoint status information. Status information can include software details (version, configuration, etc), endpoint identification (MAC, IP address, machine ID) or other hardware/software configuration information. Interruption of the heartbeat can signal that the endpoint has been compromised.

Considerations

  • Security of heartbeat messages to ensure message integrity
  • Disappearance of the heartbeat could simply mean that the endpoint is powered off or intentionally disconnected from the network. Therefore other criteria may need to be used to accurately detect endpoint compromise.
  • Attacker presence on the machine may leave the heartbeat intact.
  • An attacker may determine the format of the heartbeat and continue to send it even after the machine is compromised.
loading...
json
loading...

References

All
Patent

The following references were used to develop the Endpoint Health Beacon knowledge-base article.

(Note: the consideration of references does not imply specific functionality exists in an offering.)

Intrusion detection using a heartbeat

MITRE Comments

This patent describes a health monitor deployed on an endpoint that uses a heartbeat to periodically communicate status to a gateway's remote health monitor. The endpoint health monitor issues a heartbeat for satisfactory status of the endpoint using factors such as:

  • checking the status of individual software items executing on the endpoint
  • checking that antivirus and other security software is up to date (e. g., with current virus definition files) and running correctly
  • checking the integrity of cryptographic key stores
  • checking other hardware or software components of the endpoint as necessary or helpful for health monitoring

A disappearance of the heartbeat from the endpoint may indicate that the endpoint has been compromised.

Reference Type: Patent Organization: Sophos Ltd Author: Kenneth D. Ray
Source: https://patents.google.com/patent/US20180191752A1

A knowledge graph of cybersecurity countermeasures