The Endpoint Security Buyer’s Guide [New Series]By Mike Rothman
Last year we documented our thoughts on buying Endpoint Security Management offerings, which basically include patch, configuration, device control, and file integrity monitoring – increasingly bundled in suites to simplify management. We planned to dig into the evolution of endpoint security suites earlier this year but the fates intervened and we got pulled into other research initiatives. Which is just as well because these endpoint security and management offerings have consolidated more quickly than we anticipated, so it makes sense to treat all these functions within a consistent model.
We are pleased to kick off a new series called the “Endpoint Security Buyer’s Guide,” where we will discuss all these functions, update some of our research from last year, and provide clear buying criteria for those of you looking at these solutions in the near future. As always we will tackle the topic from the perspective of an organization looking to buy and implement these solutions, and build the series using our Totally Transparent Research methodology.
Before we get going we would like to thank our friends at Lumension for potentially licensing the content when the project is done. They have long supported of our research, which we certainly appreciate.
The Ongoing Challenge of Securing Endpoints
We have seen this movie before – in both the online and offline worlds. You have something and someone else wants to steal it. Or maybe your competitors want to beat you in the marketplace through less than savory tactics. Or you have devices that would be useful as part of a bot network. You are a target, regardless of how large or small your organization is, whether you like it or not. Many companies make the serious mistake of thinking it won’t happen to them. With search engines and other automated tools looking for common vulnerabilities everyone is a target.
Humans, alas, remain gullible and flawed. Regardless of the training you provide, employees continue to click stuff, share information, and fall for simple social engineering attacks. So your endpoints remain some of the weakest links in your security defenses. Even worse for you, unsophisticated attacks on the endpoints remain viable, so your adversaries do not need serious security kung fu to beat your defenses.
The industry has responded, but not quickly enough. There is an emerging movement to take endpoints out of play. Whether using isolation technologies at the operating system or application layer, draconian whitelisting approaches, or even virtualizing desktops, organizations no longer trust endpoints and have started building complimentary defenses in acknowledgement of that reality. But those technologies remain immature, so the problem of securing endpoints isn’t going away any time soon.
Emerging Attack Vectors
You cannot pick up a technology trade publication without seeing terms like “Advanced Malware” and “Targeted Attacks.” We generally just laugh at all the attacker hyperbole thrown around by the media. You need to know one simple thing: these so-called “advanced attackers” are only as advanced as they need to be. If you leave the front door open they don’t need to sneak in through the ventilation ducts.
Many successful attacks today are caused by simple operational failures. Whether it’s an inability to patch in a timely fashion, or to maintain secure configurations, far too many people leave the proverbial doors open on their devices. Or attackers target users via sleight-of-hand and social engineering. Employees unknowingly open the doors for attackers – and enable data compromise.
There is no use sugar-coating anything. Attacker capabilities improve much faster than defensive technologies, processes, and personnel. We were recently ruminating in the Securosis chat room that offensive security (attacking things) continues to be far sexier than defense. As long as that’s the case, defenders will be on the wrong side of the battle.
Remember the good old days, when devices consisted of DOS PCs and a few dumb terminals? The attack surface consisted of the floppy drive. Yeah, those days are gone. Now we have a variety of PC variants running numerous operating systems. Those PCs may be virtualized and they may connect in from anywhere in the world – including networks you do not control. Even better, many employees carry smartphones in their pockets, but ‘smartphones’ are really computers. Don’t forget tablet computers either – each with as much computing power as a 20-year-old mainframe.
So any set of controls and processes you implement must be consistently enforced across the sprawl of all your devices. You need to make sure your malware defenses can support this diversity. Every attack starts with one compromised device. More devices means more complexity, a far greater attack surface, and a higher likelihood of something going wrong. Again, you need to execute on your endpoint security strategy flawlessly. But you already knew that.
As uplifting as dealing with emerging attack vectors and device sprawl is, we are not done complicating things. It is not just endpoints you have to defend any more. Many organizations support employee-owned devices. Don’t forget about contractors and other business partners who may have authorized access to your networks and critical data stores, connecting with devices you don’t control.
Most folks assume that BYOD (bring your own device) just means dealing with those pesky Android phones and iPads, but we know many finance folks itching to get all those PCs off the corporate books. That means you need to eventually support any variety of PC or Mac any employee wants to use.
Of course the security controls you put in place need to be consistent, whether your organization or an employee owns a device. The big difference is granularity of management. If a corporate device is compromised you just nuke it from orbit, as they say. Well not literally, but you need to wipe the machine down to bare metal ensuring no vestiges of the malware remain. But what about those pictures of Grandma on an employee’s device? What about their personal email and address book? Blow those away and the uproar is likely to be much worse than just idling someone for a few hours while they wait to get their work desktop back.
So providing secure BYOD requires flawless execution, with an additional layer of granularity you haven’t had to worry about before. Good times.
Defining Endpoint Security
Before we jump into the specifics, let’s map out the rest of this series, so you have some context on what we will be writing about. The simple picture below shows how we think about endpoint security.
Anti-Malware: The ability to detect today’s attacks and malware is a topic that folks write books about. We won’t go deeply into the topic in this series because we have already researched Evolving Endpoint Malware Detection and Malware Analysis Quant. Here we will cover the highlights of how anti-malware is packaged and what to look for, and we will mention some of the advanced detection techniques emerging to stop the relentless tide of malware attacks.
Endpoint Hygiene: As part of an endpoint security strategy you need to pay close attention to the operational aspects of reducing device attack surface. You do that by ensuring you have sufficient capabilities to manage patches and enforce security configuration policies. You also need to lock down the ports on devices as needed (device control). We covered these topics in granular detail in the Endpoint Security Management Buyer’s Guide, as well as Implementing and Managing Patch and Configuration Management.
BYOD and Mobility: Finally, you need to think about both employee-owned devices and those that don’t fit the definition of a traditional PC. So we will briefly discuss how tools such as Mobile Device Management (MDM), Mobile Application Management (MAM), and other security controls (like device containers) have emerged to provide simple management of these devices.
- The Endpoint Security Platform: The centerpiece of the endpoint security platform is an asset management capability and console to define policies, analyze data, and report. Platforms should have advanced capabilities for asset management & discovery, policies, analytics, and reporting.
Finally we will wrap up this series by talking about the integration of all these components within the platform, and how all these pieces eventually need to become part of an integrated capability to secure endpoint devices with access to critical data. Next week we will get going with a look at the current state of (buying) anti-malware technologies.
Mike, this is very good and I look forward to the series. I know you guys mostly focus on larger enterprise but I would ask you also consider the multi-tenant enterprise such as from a managed provider perspective.
In addition, although a separate topic it would be interesting to see how end user education fits in, particularly around containerization that you allude to.
By Raffi Jamgotchian
Where is ENDPOINT INVESTIGATIONS?
E.g. see http://blogs.gartner.com/anton-chuvakin/2013/07/03/on-endpoint-sensing/ for a list of functions
By Anton Chuvakin