As we described in The Business Impact of Managing Endpoint Security, the world is complex and only getting more so. You need to deal with more devices, mobility, emerging attack vectors, and virtualization, among other things. So you need to graduate from the tactical view of endpoint security.
Thinking about how disparate operations teams manage endpoint security today, you probably have tools to manage change – functions such as patch and configuration management. You also have technology to control use of the endpoints, such as device control and file integrity monitoring. So you might have 4 or more different consoles to manage one endpoint device. We call that problem swivel chair management – you switch between consoles enough to wear out your chair. It’s probably worth keeping a can of WD-40 handy to ensure your chair is in tip-top shape.
Using all these disparate tools also creates challenges in discovery and reporting. Unless the tools cleanly integrate, if your configuration management system (for instance) detects a new set of instances in your virtualized data center, your patch management offering might not even know to scan those devices for missing patches. Likewise, if you don’t control the use of I/O ports (USB) on the endpoints, you might not know that malware has replaced system files unless you are specifically monitoring those files. Obviously, given ongoing constraints in funding, resources, and expertise, finding operational leverage anywhere is a corporate imperative.
So it’s time to embrace a broader view of Endpoint Security Management and improve integration among the various tools in use to fill these gaps. Let’s take a little time to describe what we mean by endpoint security management, the foundation of an endpoint security management suite, its component parts, and ultimately how these technologies fit into your enterprise management stack.
The Endpoint Security Management Lifecycle
As analyst types, the only thing we like better than quadrant diagrams is lifecycles. So of course we have an endpoint security management lifecycle. None of these functions are mutually exclusive, and you may not perform all of them. Keep in mind that you can start anywhere, and most organizations already have at least some technologies in place to address these problems. It has become rare for organizations to manage endpoint security manually.
We push the lifecycle mindset to highlight the importance of looking at endpoint security management strategically. A patch management product can solve part of the problem, tactically. And the same with each of the other functions. But handling endpoint security management as a platform can provide more value than dealing with each function in isolation.
So we drew a picture to illustrate our lifecycle. It shows the periodic functions (patch and configuration management), which typically run every day or two, and the ongoing activities (device control and file integrity monitoring), which need to run all the time – typically using device agents.
Let’s describe each part of the lifecycle at a high level, before we dig down in subsequent posts.
Configuration Management
Configuration management provides the ability for an organization to define an authorized set of configurations for devices in use within the environment. These configurations govern the applications installed, device settings, services running, and security controls in place. This capability is important because a changing configuration might indicate malware manipulation, an operational error, or an innocent and unsuspecting end user deciding it’s a good idea to bring up an open SMTP relay on their laptop. Configuration management enables your organization to define what should be running on each device based on entitlements, and to identify non-compliant devices.
Patch Management
Patch management installs fixes from software vendors to address vulnerabilities in software. The best known patching process comes from Microsoft every month. On Patch Tuesday, Microsoft issues a variety of software fixes to address defects that could result in exploitation of their systems. Once a patch is issued your organization needs to assess it, figure out which devices need to be patched, and ultimately install the patch within the window specified by policy – typically a few days. The patch management product scans devices, installs patches, and reports on the success and/or failure of the process. Patch Management Quant provides a very detailed view of the patching process, so check it out if you want more information.
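As an added illustration of the two periodic functions above (not code from the original post or from any vendor product), the script below checks a constructed device inventory against an authorized configuration baseline and a patch-window policy: it flags settings that differ from the baseline, prohibited services such as an SMTP relay, and patches that are still missing after the policy window has elapsed. Device names, patch identifiers (KB-EXAMPLE-…), dates and policy values are all made up for the example.

```python
"""Constructed example: evaluate endpoint compliance against an authorized
configuration baseline and a patch-window policy. Device names, patch IDs,
dates and policy values are invented for illustration."""
from datetime import date, timedelta

# Authorized configuration for the "laptop" device role (constructed).
BASELINE = {
    "laptop": {
        "required_settings": {"firewall": "on", "screen_lock_minutes": 10},
        "prohibited_services": {"smtp-relay", "telnetd"},
    }
}

# Patch catalogue: release date and the policy window in days (constructed).
PATCH_POLICY = {
    "KB-EXAMPLE-001": {"released": date(2024, 1, 9), "window_days": 7},
    "KB-EXAMPLE-002": {"released": date(2024, 1, 9), "window_days": 30},
}

# What the endpoint agents reported (constructed sample inventory).
DEVICES = [
    {"name": "lt-001", "role": "laptop",
     "settings": {"firewall": "on", "screen_lock_minutes": 10},
     "services": {"sshd"},
     "patches": {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}},
    {"name": "lt-002", "role": "laptop",
     "settings": {"firewall": "off", "screen_lock_minutes": 10},
     "services": {"sshd", "smtp-relay"},   # the "open SMTP relay" case
     "patches": {"KB-EXAMPLE-002"}},
]


def configuration_findings(device, baseline=BASELINE):
    """Return a list of non-compliance findings for one device."""
    policy = baseline[device["role"]]
    findings = []
    for key, expected in policy["required_settings"].items():
        actual = device["settings"].get(key)
        if actual != expected:
            findings.append(f"setting {key}={actual!r}, expected {expected!r}")
    for svc in sorted(device["services"] & policy["prohibited_services"]):
        findings.append(f"prohibited service running: {svc}")
    return findings


def overdue_patches(device, today, patch_policy=PATCH_POLICY):
    """Return patch IDs that are missing and past their policy deadline."""
    overdue = []
    for patch_id, meta in patch_policy.items():
        deadline = meta["released"] + timedelta(days=meta["window_days"])
        if patch_id not in device["patches"] and today > deadline:
            overdue.append(patch_id)
    return sorted(overdue)


def compliance_report(devices=DEVICES, today=date(2024, 1, 20)):
    """Map each device name to its configuration and patch findings."""
    report = {}
    for dev in devices:
        report[dev["name"]] = {
            "config": configuration_findings(dev),
            "overdue_patches": overdue_patches(dev, today),
        }
    return report


if __name__ == "__main__":
    for name, result in compliance_report().items():
        ok = not (result["config"] or result["overdue_patches"])
        print(name, "compliant" if ok else "NON-COMPLIANT", result)
```

The deadline is computed from the release date plus the policy window, so a device that is merely missing a patch inside its window is not reported; only devices past the deadline show up, which is the list an operations team actually needs to act on.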
Device Control
End users just love the flexibility their USB ports provide for their ‘productivity’. You know – sharing music with buddies and downloading your entire customer database onto their phones all got much easier once the industry standardized on USB a decade ago. All kidding aside, the ability to easily share data has facilitated better collaboration between employees, while simultaneously greatly increasing the risk of data leakage and malware proliferation. Device control technology enables you both to enforce policy for who can use USB ports, and for what, and to capture what is copied to and from USB devices. As a more active control, monitoring and enforcing device usage policy eliminates a major risk on endpoint devices.
File Integrity Monitoring
The last control we will mention explicitly is file integrity monitoring, which watches for changes in critical system files. Obviously these files do legitimately change over time – particularly during patch cycles. But those files are generally static, and changes to core functions (such as the IP stack and email client) generally indicate some type of problem. This active control allows you to define a set of files (including both system and other files), gather a baseline for what they should look like, and then watch for changes. Depending on the type of change, you might even roll back those changes before more bad stuff happens.
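To make the baseline-then-watch idea concrete, here is a minimal file integrity monitor added as an example (it is not code from the original post or from any product). It records a SHA-256 digest for each monitored path, then re-hashes the same paths and classifies every deviation as modified, missing or newly appeared. The file names and contents in the demo are constructed in a temporary directory so the script runs anywhere.

```python
"""Constructed example: a minimal file integrity monitor. It records a SHA-256
baseline for a set of files, then reports which files changed, disappeared or
appeared. The 'system files' used by demo() are created in a temp directory."""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """Map each monitored path to its digest; a missing file is recorded as None."""
    return {str(p): (file_digest(p) if os.path.exists(p) else None) for p in paths}


def compare_to_baseline(baseline):
    """Re-hash every path in the baseline and classify each deviation."""
    changes = {"modified": [], "missing": [], "appeared": []}
    for path, old in baseline.items():
        new = file_digest(path) if os.path.exists(path) else None
        if old == new:
            continue
        if new is None:
            changes["missing"].append(path)
        elif old is None:
            changes["appeared"].append(path)
        else:
            changes["modified"].append(path)
    return changes


def demo():
    """Create constructed 'system files', baseline them, tamper, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "resolv.conf").write_text("nameserver 192.0.2.1\n")
        watched = [root / "hosts", root / "resolv.conf", root / "not-yet-present"]
        baseline = take_baseline(watched)
        # Simulated changes after the baseline was taken (constructed):
        (root / "hosts").write_text("127.0.0.1 localhost\n198.51.100.7 update.example\n")
        (root / "resolv.conf").unlink()
        (root / "not-yet-present").write_text("new file\n")
        changes = compare_to_baseline(baseline)
        # Report base names only so the result does not depend on the temp path.
        return {k: sorted(Path(p).name for p in v) for k, v in changes.items()}


if __name__ == "__main__":
    print(demo())
```

A production FIM also stores the baseline somewhere the endpoint cannot silently rewrite it and schedules the comparison during and after patch windows, so that legitimate patch-time changes can be re-baselined deliberately rather than alerted on.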
The Foundation
The centerpiece of the ESM platform is an asset management capability and console to define policies, analyze data, and report. A platform should have the following capabilities:
- Asset Management/Discovery: Of course you can’t manage what you can’t see, so the first critical capability of an ESM platform is sophisticated discovery. When a new device appears on the network the ESM should know about it. That may happen via scanning the organization’s IP address ranges, passively monitoring traffic, or integrating with other asset management repositories (CMDB, vulnerability management, etc). Regardless of how the platform is populated, without a current list of assets you cannot manage endpoint security.
- Policy Interface: The next key capability of the ESM platform is the ability to set policies – a very broad requirement. You must be able to set standard configurations, patch windows, device entitlements, etc., for groups of devices and users. Obviously it is necessary to balance policy granularity against ease of use, but without an integrated policy encompassing all the platform’s capabilities, you are still stuck in your swivel chair.
- Analytics: Once policies are defined you need to analyze and alert on them. The key here is the ability to set rules and triggers across all functions of the ESM platform. For instance, if a configuration change occurs shortly after a patch fails, followed by a system file being changed, that might indicate a malware infection. We aren’t talking about the sophisticated multivariate analysis available in enterprise-class SIEMs – just the ability to set alerts based on common attacks you are likely to see.
- Reporting: You just cannot get around compliance. Many security projects receive funding and resources from the compliance budget, which means your ESM platform needs to report on what is happening. This isn’t novel but it is important. The sooner you can provide the information to make your auditor happy, the sooner you can get back to the rest of your job.
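The Analytics bullet above gives one cross-function rule: a patch failure followed shortly by a configuration change and then a system-file change. The script below, added as an example rather than code from the original post, implements that rule as a per-device state machine over a constructed event feed from the patch, configuration and file-integrity functions, raising one alert when all three steps occur in order within a configurable window. Event timestamps, device names and patch identifiers are invented.

```python
"""Constructed example: a cross-function alert rule for an ESM console. It
correlates patch, configuration and file-integrity events per device and
alerts when a patch failure is followed, within a window, by a configuration
change and then a system-file change. All event data below is constructed."""
from datetime import datetime, timedelta

# Constructed event feed, as the platform's functions might report it.
EVENTS = [
    {"ts": "2024-01-20T09:00:00", "device": "lt-002", "source": "patch",
     "type": "patch_failed", "detail": "KB-EXAMPLE-001"},
    {"ts": "2024-01-20T09:04:00", "device": "lt-002", "source": "config",
     "type": "config_change", "detail": "firewall=off"},
    {"ts": "2024-01-20T09:10:00", "device": "lt-002", "source": "fim",
     "type": "file_changed", "detail": "/etc/hosts"},
    {"ts": "2024-01-20T09:00:00", "device": "lt-001", "source": "patch",
     "type": "patch_failed", "detail": "KB-EXAMPLE-001"},
    {"ts": "2024-01-20T14:00:00", "device": "lt-001", "source": "config",
     "type": "config_change", "detail": "screen_lock_minutes=10"},
    {"ts": "2024-01-20T14:05:00", "device": "lt-001", "source": "fim",
     "type": "file_changed", "detail": "/etc/hosts"},
]

# The ordered steps of the rule described in the Analytics bullet.
SEQUENCE = ("patch_failed", "config_change", "file_changed")


def _by_device(events):
    """Parse timestamps and group events per device in time order."""
    parsed = [{**e, "ts": datetime.fromisoformat(e["ts"])} for e in events]
    parsed.sort(key=lambda e: (e["device"], e["ts"]))
    groups = {}
    for e in parsed:
        groups.setdefault(e["device"], []).append(e)
    return groups


def detect_sequences(events=EVENTS, window_minutes=30):
    """Return one alert per device on which the three steps occur in order,
    each within window_minutes of the previous matched step."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for device, evs in _by_device(events).items():
        step, chain = 0, []
        for e in evs:
            if step > 0 and e["ts"] - chain[-1]["ts"] > window:
                step, chain = 0, []          # the partial sequence went stale
            if e["type"] == SEQUENCE[step]:
                chain.append(e)
                step += 1
                if step == len(SEQUENCE):
                    alerts.append({
                        "device": device,
                        "rule": "possible malware infection (patch fail -> config change -> file change)",
                        "chain": [(c["ts"].isoformat(), c["type"], c["detail"]) for c in chain],
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect_sequences():
        print(alert["device"], alert["rule"])
        for ts, kind, detail in alert["chain"]:
            print("   ", ts, kind, detail)
```

With the default 30-minute window only lt-002 alerts; lt-001 shows the same three event types but five hours apart, which is what the staleness reset is for. Widening the window to several hours makes lt-001 alert too, which is the tuning knob that separates this kind of rule from the broader correlation a SIEM does.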
Obviously we could write an entire series just about buying the ESM platform, but that’s enough for now. The key is to look for integration across asset management, policies, analytics, and reporting, to provide the operational leverage you need.
Enterprise Integration Points
Before we move on to specific functions of the platform, keep in mind that no platform really stands alone in an organization. You already have plenty of technology in place, and anything you buy to manage endpoint security needs to play nice with your other stuff. So keep these other enterprise management systems in mind as you look at ESM. Make sure your vendor can provide sufficient integration, or at a minimum an SDK/API to pull data from or send it to these other systems.
- Operations Management – including device building/provisioning, software distribution/licensing, and other asset repositories
- Vulnerability Management – for discovery, vulnerabilities, and patch levels
- Endpoint Protection – including anti-malware and full disk encryption, potentially leveraging agents to simplify management and minimize performance impact
- SIEM/Log Management – for robust data aggregation, correlation, alerting and reporting
- Backup/Recovery – many endpoints house valuable data, so make sure device failure doesn’t put intellectual property at risk
Obviously this view of the platform and capabilities is high level. Next we will dig into the periodic functions of patch and configuration management.
One Reply to “Endpoint Security Management Buyer’s Guide: the ESM Lifecycle”
These are all excellent points, but I would add to this one very commonly ignored aspect of endpoint security which, now more than ever, needs to be revisited… physical asset security. Yes, physical security may not be that interesting, and conjures images of cable lock, but this is not what I am referring to. My point is that an active computer is a vulnerable computer, which if stolen or accessed by an unauthorized party can result in the unintentional exposure of confidential information; a situation which, under current privacy regulations, can impose financial penalties, mandatory disclosure, or in the worst case, criminal charges against directors.
The vulnerabilities are great. Although many believe disk encryption is the solution to securing mobile computing assets, the fact is, this could not be further from the truth. If the device hosting the encrypted device is active, chances are the encryption is passive, and will provide no protection against exposing its stored data to the thief at the time the active device is stolen. This is one of many reasons for the need for an intelligent security solution to actively monitor for the risk of physical threat on an active workstation.
Cicada Security Technology, a Montreal-based company, recognized this vulnerability and has produced a device, called the Cicada, which addresses this vulnerability. No larger than a common USB flash storage device, the Cicada actively monitors the host station for evidence of physical threat from multiple trigger sources to protect the host from attempted theft or tamper. Once triggered, the Cicada will invoke deterrent and protective actions to instantly protect the host. Optionally, devices can be monitored, and once security has been violated, an alert can be issued to a user or admin via SMS or email, or to a service desk by SNMP.
As each device has an indelible Electronic Serial Number, compliance can be assured by using the ESN as a secondary hardware-based authentication factor. Additionally, environments offering remote access to their users can include in the authentication policy that remote devices must have a physical security device present, and configured to meet specific policy requirements. Again, the hardware ID can be used as a factor in the gateway authentication policy. This feature alone is of great value in adding security to federated identity and Single Sign On authentication platforms.
As an enabling technology, the platform can be used to extend the visibility of endpoint security platforms to become ‘physical threat aware’.
Physical security has long been ignored since the invention of the cable lock in 1992, and it is surprising that, with more attention than ever to the development of policy to protect confidential data, there has not been greater effort to address these vulnerabilities sooner.