We have covered the reasons endpoint security is getting more challenging, and offered some perspective on what is important when buying anti-malware and endpoint hygiene products – or both in an integrated package. Then we addressed the issues BYOD and mobility present for protecting endpoints. To wrap up we just need to discuss the buying considerations driving you toward one solution over another, and develop a procurement process that can work for your organization. Platform Features As in most technology categories (at least in security), the management console (or ‘platform’, as we like to call it) connects the sensors, agents, appliances, and any other security controls. You need several platform capabilities for endpoint security: Dashboard: You should have user-selectable elements and defaults for technical and non-technical users. You should be able to only show certain elements, policies, and alerts to different authorized users or groups, with entitlements typically stored in the enterprise directory. Nowadays, given the state of widget-based interface design, you can expect a highly customizable environment, letting each user configure what they need and how they prefer to see it. Discovery: You cannot protect an endpoint (or any other device) if you don’t know it exists. So the next key platform feature is discovery. Surprise is the enemy of the security professional, so make sure you know about new devices as quickly as possible – including mobile devices. Asset repository integration: Closely related to discovery is the ability to integrate with an enterprise asset management system or CMDB for a heads-up whenever a new device is provisioned. This is essential for monitoring and enforcing policies. You can learn about new devices proactively via integration or reactively via discovery, but either way you need to know what’s out there. Policy creation and management: Alerts are driven by the policies you implement, and of course policy creation and management are also critical. Agent management: Anti-malware defense requires a presence on the endpoint device so you need to distribute, update, and manage agents in a scalable and effective fashion. You need alerts when a device hasn’t updated for a certain period of time, along with the ability to report on the security posture of these endpoints. Alert management: A security team is only as good as its last incident response, so alert management is key. It enables administrators to monitor for potential malware attacks and policy violations which might represent an attack. Time is of the essence during any response, so the ability to provide deeper detail via drill-down, and to send relevant information into a root cause analysis / incident response process, are critical. The interface should be concise, customizable, and easy to read at a glance – responsiveness key. When an administrator drills down into an alert the display should cleanly and concisely summarize the reason for the alert, the policy violated, the user(s) involved, and any other information helpful for assessing criticality and severity. System administration: You can expect the standard system status and administration capabilities within the platform, including user and group administration. For larger distributed environments you will want some kind of role-based access control (RBAC) and hierarchical management to manage access and entitlements for a variety of administrators with varied responsibilities. Reporting: As we mentioned under specific controls, compliance tends to fund and drive these investments, so substantiating their efficacy is necessary. Look for a mixture of customizable pre-built reports and tools to facilitate ad hoc reporting – both at the specific control level and across the entire platform. Cloud vs. Non-cloud The advent of cloud-based offerings for endpoint security has forced many organizations to evaluate the value of running a management server on premise. The cloud fashionistas focus on the benefit of not having to provision and manage a server or set of servers to support the endpoint security offering – which is especially painful in distributed, multi-site environments. They talk about continuous and transparent updates to the interface and feature set of the platform without disruptive software upgrades. They may even mention the ability to have the environment monitored 24/7, with contractually specified uptime. And they are right about all these advantages. But for an endpoint security vendor to manage their offering from the cloud requires more than just loading a bunch of AWS instances with their existing software. The infrastructure now needs to provide data segregation and protection for multi-tenancy, and the user experience needs to be rebuilt for remote management, because there are no longer ‘local’ endpoints on the same network as the management console. Make sure you understand the vendor’s technology architecture, and that they protect your data in their cloud – not just in transit. You also want a feel for service levels, downtime, and support for the cloud offering. It’s great to not have another server on your premise, but if the service goes down and your endpoints are either bricked or unprotected, that on-premise server will look pretty good. Buying Considerations After doing your research to figure out which platforms can meet your requirements, you need to define a short list and ultimately choose something. One of the inevitable decision points involves large vs. small vendors. Given the pace of mergers and acquisitions in the security space, even small vendors may not remain independent and small forever. As a rule, every small vendor is working every day to not be small. Working with a larger vendor is all about leverage. One type is pricing leverage, achieved by buying multiple products and services from the vendor and negotiating a nice discount on all their products. But smaller vendors can get aggressive on pricing as well, and sometimes have even more flexibility to sell cheaper. Another type is platform leverage from using multiple products managed via a single platform. The larger endpoint security vendors offer comprehensive product lines with a bunch of products you might need, and an integrated console can make your life easier. Given the importance of intelligence for tracking malware and keeping current on patches, configurations, and file integrity, it is important to consider the size and breadth of the vendor’s research