RSA Conference Guide 2012: Endpoint Security
By Mike Rothman
Ah, the endpoint. Do you remember the good old days when endpoint devices were laptops? That made things pretty simple, but alas, times have changed and the endpoint devices you are tasked to protect have changed as well. That means it’s not just PC-type devices you have to worry about – it’s all varieties of smartphones and in some industries other devices including point of sale terminals, kiosks, control systems, etc. Basically anything with an operating system can be hacked, so you need to worry about it. Good times.
You’ll hear a lot about “consumerization” at RSAC 2012. Most of the vendors will focus on smartphones, as they are the clear and present danger. These devices aren’t going away, so everybody will be talking about mobile device management. But as in other early markets, there is plenty of talk but little reality to back it up. You should use the venue to figure out what you really need to worry about, and for this technology that’s really the deployment model.
It comes down to a few questions:
- Can you use the enterprise console from your smartphone vendor? Amazingly enough, the smartphone vendors have decent controls to manage their devices. And if you live in a homogeneous world this is a logical choice. But if you live in a heterogeneous world (or can’t kill all those BlackBerries in one fell swoop), a vendor console won’t cut it.
- Does your IT management vendor have an offering? Some of the big stack IT security/management folks have figured out that MDM is kind of important, so they offer solutions that plug into the stuff you already use. Then you can tackle the best of breed vs. big stack discussion, but this is increasingly a reasonable alternative.
- What about those other tools? If you struck out with the first two questions you should look at one of the start-up vendors who specialize in heterogeneous environments. But don’t just look for MDM – focus on what else those folks are working on. Maybe it’s better malware checking. Perhaps it’s integration with network controls (to restrict devices to certain network segments). If you find a standalone product, it is likely to be acquired during your depreciation cycle, so be sure there is enough added value to warrant the tool standing alone for a while.
Another topic to grill vendors on is how they work with the “walled garden” of iOS (Apple mobile devices). Vendors have limited access into iOS, so look for innovation above and beyond what you can get with Apple’s console.
Finally, check out our research on Bridging the Mobile Security Gap (Staring Down Network Anarchy, The Need for Context, and Operational Consistency), as that research deals with many of these consumerization & BYOD issues, especially around integrating with the network.
The Biggest AV Loser
Last year’s annual drops of the latest and greatest in endpoint protection suites were all about sucking less, and about taking up less real estate and compute power on the endpoint devices. Given the compliance regimes many of you live under, getting rid of endpoint protection isn’t an option, so less suckage means less heartburn for you. At least you can look at the bright side, right?
In terms of technology evolution there won’t be much new to hear at the RSA Conference. You’ll see vendors still worshipping the Cloud Messiah, as they try to leverage their libraries of a billion AV signatures in the cloud. That isn’t very interesting, but check into how they leverage file ‘reputation’ to track which files look like malware, and your options to block them. The AV vendors actually have been hard at work bolstering this file analysis capability, so have them run you through their cloud architectures to learn more. It’s still early in terms of effectiveness, but the technology is promising.
You will also see adjunct endpoint malware detection technologies positioned to address the shortcomings of current endpoint protection. You know, basically everything. This technology (such as Sourcefire’s FireAMP) is positioned similarly to the cloud file analysis technology discussed above, so the big vendors will say they do this too, but be wary of them selling futures. There are differences, though – particularly in terms of tracking proliferation and getting better visibility into what the malware is doing.
You can learn a lot more about this malware analysis process by checking out our Quant research, which goes into gory detail on the process and provides some context for how the tools fit into the process.