Endpoint Security Buyer’s Guide: Buying ConsiderationsBy Mike Rothman
We have covered the reasons endpoint security is getting more challenging, and offered some perspective on what is important when buying anti-malware and endpoint hygiene products – or both in an integrated package. Then we addressed the issues BYOD and mobility present for protecting endpoints. To wrap up we just need to discuss the buying considerations driving you toward one solution over another, and develop a procurement process that can work for your organization.
As in most technology categories (at least in security), the management console (or ‘platform’, as we like to call it) connects the sensors, agents, appliances, and any other security controls. You need several platform capabilities for endpoint security:
- Dashboard: You should have user-selectable elements and defaults for technical and non-technical users. You should be able to only show certain elements, policies, and alerts to different authorized users or groups, with entitlements typically stored in the enterprise directory. Nowadays, given the state of widget-based interface design, you can expect a highly customizable environment, letting each user configure what they need and how they prefer to see it.
- Discovery: You cannot protect an endpoint (or any other device) if you don’t know it exists. So the next key platform feature is discovery. Surprise is the enemy of the security professional, so make sure you know about new devices as quickly as possible – including mobile devices.
- Asset repository integration: Closely related to discovery is the ability to integrate with an enterprise asset management system or CMDB for a heads-up whenever a new device is provisioned. This is essential for monitoring and enforcing policies. You can learn about new devices proactively via integration or reactively via discovery, but either way you need to know what’s out there.
- Policy creation and management: Alerts are driven by the policies you implement, and of course policy creation and management are also critical.
- Agent management: Anti-malware defense requires a presence on the endpoint device so you need to distribute, update, and manage agents in a scalable and effective fashion. You need alerts when a device hasn’t updated for a certain period of time, along with the ability to report on the security posture of these endpoints.
- Alert management: A security team is only as good as its last incident response, so alert management is key. It enables administrators to monitor for potential malware attacks and policy violations which might represent an attack. Time is of the essence during any response, so the ability to provide deeper detail via drill-down, and to send relevant information into a root cause analysis / incident response process, are critical. The interface should be concise, customizable, and easy to read at a glance – responsiveness key. When an administrator drills down into an alert the display should cleanly and concisely summarize the reason for the alert, the policy violated, the user(s) involved, and any other information helpful for assessing criticality and severity.
- System administration: You can expect the standard system status and administration capabilities within the platform, including user and group administration. For larger distributed environments you will want some kind of role-based access control (RBAC) and hierarchical management to manage access and entitlements for a variety of administrators with varied responsibilities.
- Reporting: As we mentioned under specific controls, compliance tends to fund and drive these investments, so substantiating their efficacy is necessary. Look for a mixture of customizable pre-built reports and tools to facilitate ad hoc reporting – both at the specific control level and across the entire platform.
Cloud vs. Non-cloud
The advent of cloud-based offerings for endpoint security has forced many organizations to evaluate the value of running a management server on premise. The cloud fashionistas focus on the benefit of not having to provision and manage a server or set of servers to support the endpoint security offering – which is especially painful in distributed, multi-site environments. They talk about continuous and transparent updates to the interface and feature set of the platform without disruptive software upgrades. They may even mention the ability to have the environment monitored 24/7, with contractually specified uptime. And they are right about all these advantages.
But for an endpoint security vendor to manage their offering from the cloud requires more than just loading a bunch of AWS instances with their existing software. The infrastructure now needs to provide data segregation and protection for multi-tenancy, and the user experience needs to be rebuilt for remote management, because there are no longer ‘local’ endpoints on the same network as the management console. Make sure you understand the vendor’s technology architecture, and that they protect your data in their cloud – not just in transit.
You also want a feel for service levels, downtime, and support for the cloud offering. It’s great to not have another server on your premise, but if the service goes down and your endpoints are either bricked or unprotected, that on-premise server will look pretty good.
After doing your research to figure out which platforms can meet your requirements, you need to define a short list and ultimately choose something. One of the inevitable decision points involves large vs. small vendors. Given the pace of mergers and acquisitions in the security space, even small vendors may not remain independent and small forever. As a rule, every small vendor is working every day to not be small.
Working with a larger vendor is all about leverage. One type is pricing leverage, achieved by buying multiple products and services from the vendor and negotiating a nice discount on all their products. But smaller vendors can get aggressive on pricing as well, and sometimes have even more flexibility to sell cheaper. Another type is platform leverage from using multiple products managed via a single platform. The larger endpoint security vendors offer comprehensive product lines with a bunch of products you might need, and an integrated console can make your life easier.
Given the importance of intelligence for tracking malware and keeping current on patches, configurations, and file integrity, it is important to consider the size and breadth of the vendor’s research team and customer base. Keeping policies current and issuing effective updates requires a huge dataset and a serious analysis capability to figure out what needs to be done. You will probably hear a lot about big data, the buzzword du jour. More interesting is vendor investment to keep their platform current.
You will want to ensure the vendor has the ability to support your environment, wherever it is geographically. Local support is best for dealing with endpoints, because you may not have capable staff on-site to troubleshoot the issue. But as time goes on we will see improved collaboration, with better remote management and troubleshooting tools, making centralized support increasingly viable for serving a global customer base with a cloud-based deployment.
For the purchasing cycle there is no need to reinvent the wheel. Some organizations are formal and issue RFI/RFP (requests for information/proposals). Others work with resellers or rely on personal contacts to learn about alternatives and negotiate deals. However you buy products and services, you are likely to go through the same basic process:
- Define requirements: Don’t minimize the need to do internal fact finding and requirements gathering before engaging with vendors. Know what you’re buying and why. Understand what works in your environment and what doesn’t. Get a feel for the importance of each function of the offering. For example, is anti-malware your most important requirement, or are you more concerned managing the patch cycle across a highly distributed user community? Once you answer those questions you will know what you need an endpoint security platform to do.
- Establish short list: This may be a formal or informal process. You need a handful of vendors who can meet your requirements. Talk to them and dig deeper into their products and services to figure out which vendors can really solve your problems.
- Test products: Set up a testbed and let the tools do their thing. Depending on which controls you are looking to implement, you can run all sorts of tests during proof of concept. Figuring out the device overhead of agents is key; as is the user experience of setting policies, managing alerts, and remediating issues. Keep in mind that you won’t really be able to compare effectiveness of anti-malware protection unless you have a library of 0-day attacks, so you will need to rely on third-party tests and reviews.
- Talk to your buddies: Given the challenges of comparative testing for anti-malware, you should probably reach out to security peers in other companies to hear which endpoint security offerings they use, and what works and doesn’t work.
- Try support: Make sure you put a number of calls into the vendor’s support group. Both during typical business hours and off-hours, to understand how they’ll support you when it counts.
- Negotiate: We could write a book about vendor negotiation, but for now suffice it to say leverage is good. Try to negotiate with at least two vendors to get them competing for your business. And don’t believe them when they say end of quarter discounts don’t happen. Unless the sales rep is way ahead of their quota, they deal at the end of the quarter.
We could go much deeper into purchasing – it’s a discipline like any other aspect of a security professional’s job. But the high-level process outlined above should serve you well at you procure an endpoint security offering.
And with that we wrap up the Endpoint Security Buyer’s Guide. When we assemble the paper from these blog posts, we will add “10 Questions to Ask Your Endpoint Security Vendor” so you have an incentive to read the paper too.