Research

Let’s wrap up our use case discussions for Continuous Security Monitoring by digging into how CSM can contribute to your compliance efforts. We know the way we staged these use cases (first attack, then change control) is bass-ackwards from how most folks implement monitoring. Compliance is typically the first use cases implemented, mostly because PCI-DSS mandates it. Regardless of how you adopt the technology, what you want to do is make sure whatever monitoring infrastructure you put in place will be extensible and relevant to all your use cases. We described the compliance use case as: Compliance is the check-the-box use case, where a mandate or guidance requires monitoring and/or scanning technology; less sophisticated organizations have no choice but to do something. But keep in mind the mandated product of this initiative is documentation that you are doing something – not necessarily an improved security posture, identification of security issues, or confirmation of activity. Dissecting the language above, you see that the goal of compliance is to document and substantiate the controls you have in place to pacify an auditor. It is not to solve actual security problems. Yes, that is a nuance, and if you adequately protect information assets you are likely be able to prove compliance. But the converse is clearly not true. Just being compliant does not mean you are secure. In terms of frequency of monitoring, you have a lot more leeway in this less-stringent use case. In the attack and change control use cases, you need to constantly monitor critical assets to identify dangerous situations. But to be compliant you basically need to assess devices quarterly or so. As long as you are collecting and parsing event logs on protected devices in a secure fashion (PCI Requirement 10), you’re good. Well, in terms of compliance, but not necessarily actual security. To be clear, logging is good. It helps when you have this information during incident response or investigation, so we are happy that PCI and other compliance hierarchies mandate it. PCI also specifically requires assessment after ‘significant’ change (Requirement 11.2.3), but what does that mean? That kind of nebulous verbiage both gives you the leeway to assess and monitor the devices when you want to, and it also gives the PCI council (and card brands) the leeway to string you up during a breach. Compliance mandates like PCI may also specify a more ‘continuous’ monitoring approach such as an IDS (Requirement 11.4), which is also a good practice. But remember – this use case isn’t about being secure – just meeting the base requirements expressly mandated by regulation and/or guidance. So putting up an IDS to monitor your perimeter and fire one alert meets the requirement. Compliance is great, right? We will get down off the soapbox now. Smart security professionals realize that compliance is a means to an end. They can use the compliance mandate to free up budget for equipment and processes that also assist with the attack and change control use cases. Data Sources The data sources you use for compliance tend to be pretty consistent with the attack use case, though without the more sophisticated telemetry and forensic data to really figure out what happened: Assets: Your asset base is the fundamental data source for all use cases. At least that’s consistent – you need an ongoing discovery capability to detect new devices on your network, and then a mechanism for profiling and classifying them. Events & Logs: Pretty much everything can and should be logged as part of the compliance use case – including security gear, network infrastructure, identity sources, data center servers, and applications, among others. This is helpful to demonstrate that the controls in place work, which is the goal of this use case. Patches: Keeping a device up to date is typically mandated by compliance regulations, so you need to generate reports showing which devices were updated when. Configurations: Another aspect of compliance is implementing and maintaining secure configurations. You will need to document the posture of protected devices periodically. Differentials and history are less important because compliance is based on a point-in-time view at your infrastructure. Vulnerabilities: Mandates also require periodic vulnerability scans of protected devices. So you need to document what was scanned, what was found, and eventually what was fixed, if the scan showed clear deficiencies. Other Documentation: Some mandates also require periodic penetration tests and other less automated functions. So you need the ability to store this unstructured data in the CSM repository as well, if it will be used as a compliance automation platform. Preparing for the Audit As opposed to a more action-oriented decision flow, as you saw with the attack and change control use cases, compliance is all about using data to prepare for assessment. You know when you need to be ready – it’s not like auditors show up as mystery shoppers to surprise you. You also know the nature of the documentation you need to provide. Shame on you if you aren’t prepared for an audit, when you know exactly what’s expected and when you need to be ready to deliver it. To help you prepare for an audit and make it as painless as possible, here is a streamlined process adapted from Mike’s Pragmatic CSO methodology. Describe Your Security Program: Wait, what? What about blasting the auditor with all sorts of reports to convince them you know what you’re doing? There is plenty of time for that, but only after you provide context for your security program – specifically how your CSM capabilities provide an accurate and timely view of information needed to understand your compliance posture. Address Past Deficiencies: This is probably not your first audit, so you need to update the auditor on how you addressed previous findings. Here you can leverage your CSM platform to search for specifics and substantiate fixes for issues pointed out in the last assessment. One of the best ways to build your credibility with the assessor is to own your past mistakes and prove that you have fixed things. Substantiate Your Controls: Now you can work through the data, showing the assessor that you have implemented the necessary controls effectively. This documentation should be

We see continuing confusion regarding the CISO duties in many organizations. When I saw this opinion piece in SC Mag by an experienced CISO (David Nathans) with both commercial and defense sector experience, I figured we might finally get some clarification. Yeah, I should have known better. I have been involved in a lot of debate on whether a CISO should be a technical leader or more of a policy writer. Technical leadership and policy writing are not among the first CISO duties that come to my mind – not even close. David then explains that the CISO’s duties vary by company. Uh, no. Let me try to be clear here. The duty of the CISO is to be responsible and accountable for the organization’s security program. Period. But the definition, objectives, expectations, and funding models for the security program all depend on the organization. Clearly how the security program is implemented varies from company to company. That’s why we see so many experienced business folks taking on the CISO job. Typically after the technical guys fell on their swords, multiple times. I call these folks, “Mr/Ms. Fix It.” They don’t know a lot about security per se. But they know how to get things done in the organization. When you are asking folks to do things they don’t want to do – which is basically always in security – you need someone who either has compromising photos of key execs, or is a credible businessperson with a long track record of accomplishment within the organization. That credibility provides enough runway to get the security program moving. Without CISO credibility any security initiative will be stillborn. He also mentions the need to partner with the business to enable secure innovation; and not putting the organization at risk by pointing out potential issues with emerging business plans, technical services, and partner communications. The security team’s function could be implementation or just be a validation that chosen technology complies with security policy. A CISO and his or her organizational leaders need to be able to direct technical staff to ensure business objectives and risk tolerances are met. That is a critical duty for the CISO, which absolutely requires credibility with the business leaders of the organization. David’s point about the criticality of communications is spot on. Whether it is trying to coerce peers into getting with the security program or providing information about a breach or other attack, the ability to communicate at a high level, in business terms, is absolutely a critical success factor for the CISO. This is no easy task, as the person filling the CISO role needs to be able to articulate complex technical issues and risks effectively and in a way that is clear, quick to the point, can be well understood, and does not cause any unnecessary panic. But let’s not forget that without credibility, the CISO (any executive, for that matter) has very little chance of success. Photo credit: “There goes your credibility” originally uploaded by Hrag Vartanian Share:

Silent Circle is shutting down their email service: However, we have reconsidered this position. We’ve been thinking about this for some time, whether it was a good idea at all. Today, another secure email provider, Lavabit, shut down their system lest they “be complicit in crimes against the American people.” We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now. Two things: Mail hosting is a bitch. Parsing their words, it appears they were not pressured like Lavabit. We smell a little publicity hunting in this announcement. However: Based on what we are seeing, any data stored on any service anywhere on the Internet is subject to government scrutiny. If you store it they will come. Silent Circle or any provider that stores or processes data is subject to subpoena, National Security Letters, and other local equivalents. This isn’t a US-specific issue, and I think globally we are in for some very interesting conversations as societies attempt to determine what privacy really means in the information age. Share:

We now resume our series on Continuous Security Monitoring. We have dug into the Attack Use Case so it’s time to cover the next most popular use case for security monitoring: Change Control. We will keep the same format as before; digging into what you are trying to do, what data is required to do it, and then how this information can and should guide your prioritization of operational activities. The Change Control Use Case We briefly described the change control use case as follows: An operations-centric use case is to monitor for changes, both to detect unplanned (possibly malicious) changes, and to verify that planned changes complete successfully. There are two aspects, first to determine whether unplanned change indicates an attack – covered in the attack use case. The other aspect is to isolate unplanned any non-malicious changes to figure out why they took occurred outside normal change processes. Finally you need to verify planned and authorized changes to close the operational process loop. Before we discuss the data sources you need we should mention monitoring frequency. As with the attack use case, the NIST definition – monitor as frequently as you need to – fits here as well. For highly critical devices you want to look for changes continuously, because if the device is attacked or suffers a bad change, the result could be or enable data loss. As we mentioned under the attack use case, automation is critical to maintaining a consistent and accurate monitoring process. Ensure you minimize human effort, increase efficiency, and minimize human error. Data Sources To evaluate a specific change you will want to collect the following data sources: Assets: As we discussed in the classification post you cannot monitor what you don’t know about; without knowing how critical an asset is, you cannot choose the most appropriate way to monitor it. This requires an ongoing – dare we say, ‘continuous’ – discovery capability to detect new devices appearing on your network, as well as a mechanism for profiling and classifying them. Work Orders: A key aspect of change control is handling unauthorized and authorized changes differently. To do that you need an idea of which changes are part of a patch, update, or maintenance request. That requires a link to your work management system to learn whether a device was scheduled for work. Patching Process: Sometimes installing security patches is outside the purview of the operations group, and instead something the security function takes care of. Not that we think that’s the right way to run things, but the fact is that not all operational processes are managed in the same system. If different systems are used to manage the work involved in changes and patches, you need visibility into both. Configurations: This use case is all about determining differentials in configurations and software loaded on devices. You need the ability to assess the configuration of devices, and to store a change history so you can review deltas to pinpoint exactly what any specific change did and when. This is critical to determining attack intent. We have always been fans of more data rather than less, so if you can collect device forensics, more detailed events/logs, and/or network full packet captures, as described in the attack use case – do that. But for the change control use case proper, you don’t generally need that data. It is more useful when trying to determine whether the change is part of an attack. Decision Flow Unlike the attack use case, which is less predictable in how you evaluate alerts from the monitoring process, the decision flow for change control is straightforward: Detect change: Through your security monitoring initiative you will be notified that a change happened on a device you are watching. Is this change authorized? Next you will want to cross-reference the change against the work management system(s) which manages all the operational changes in your environment. It is important that you be able to link your operational tracking systems with the CSM environment – otherwise you will spend a lot of time tracking down authorized changes. We understand these systems tend to be run by different operational groups, but in order to have a fully functional process those walls need to be broken down. If authorized, was the change completed successfully? If the change was completed then move on. Nothing else to see here. The hope is that this verification can be done in an automated fashion to ensure you aren’t spending time validating stuff that already happened correctly, so your valuable (and expensive) humans can spend their time dealing with exceptions. If the change wasn’t completed successfully you need to send that information back into the work management system (perhaps some fancy DevOps thing, or your trouble ticket system) to have the work done again. If not authorized, is it an attack? At this point you need to do a quick triage to figure out whether this is an attack warranting further investigation or escalation, or merely an operational failure. The context is important for determining whether it’s an ongoing attack. We will get into that later. If it’s an attack investigate: If you determine it’s an attack you need to investigate. We dealt with this process in both the Incident Response Fundamentals and also React Faster and Better. If it’s not an attack, figure out who screwed up: If you made it to this point the good news is that your unauthorized change is an operational mishap rather than an attack. So you need to figure out why the mistake happened and take corrective measures within the change process to ensure it doesn’t happen again. Let’s make a further clarification on the distinction between the attack and change control use cases. If you have only implemented the change use case and collected the data appropriate for it, then your visibility into what the malware is doing and how broadly it has spread up to this point will be limited. But that doesn’t mean starting with change control doesn’t provide value for detecting attacks. An alert of an

After reading this inane blog post, “Cisco – Buying into the security game,” from an EMEA product manager for HP TippingPoint, the Security Twittersphere rose up together to call out this nonsense. I figured I would just let it lie, but I couldn’t. This is the worst type of competitive positioning – basically calling out a competitor for doing exactly what you have done. I think psychologists call this projection. Let’s just excerpt a few statements from the post, so you can get a good feel for how ridiculous it was. By purchasing Sourcefire, Cisco has all but admitted that they had no relevance in today’s security solutions market. They’re stuck on enhancing the products they have in the market, and making acquisitions to get a foothold in IPS. Huh? You either enhance your existing products or you make an acquisition. Or sometimes both. Is there a third option I’m missing? And for a company with no relevance in today’s security market, Cisco sells a bunch of gear. In fact, substantially more than TippingPoint. And it’s not like HP has been in the network security space for years. They inherited TippingPoint along with the 3Com deal, which they did to enhance their position in network switching, not in security. But those are pesky details, eh? Now I’m not Cisco apologist here. As I wrote in the CSCO/FIRE deal analysis, Cisco isn’t as competitive as they need to be to have a place in the Perimeter Security Gateway market. That’s why they had to write the multi-billion-dollar check. HP TippingPoint is positioned worse then Cisco because they don’t have a FW platform at all, and you need both capabilities (FW, IPS, and other stuff) to be competitive moving forward. As we look at Snort–and know that Cisco has a limited OpenSource track record–one would tend to believe that they’ll eventually just scrap it. Another WTF. This guy has no basis for this statement. Especially after Cisco and Sourcefire publicly committed to future support for Snorty. This is just FUD-mongering nonsense. So, the question remains: Is Cisco serious? Are they REALLY in the security game for the long run? Looking back, surely the time for Cisco to get into the IPS business was 8 years ago, when Check Point failed to acquire Sourcefire–why the game change now? Wow. Cisco has been in the IPS business. But that’s the problem with folks who don’t get out much. They drink their own bathwater and don’t realize the rest of the industry is feeding on their installed base. They poke fun at companies making decisive moves to better their market position, while their city is burning to the ground. Share:

By the time most of you read this I will be on my way back down the east coast, shuttling all the kid’s stuff home after a summer of camp in the family truckster. 12+ hours in pleasant solitude as the Boss flies the kids home. They start school next Monday so we didn’t want them to sit in the car all day. So I’m taking one for the team, but it’s okay. I will spend the solitary time working over my world domination plans. Like I do on every long trip. I’d be lying if I said I’m excited that summer is over. And I know my kids feel the same way. Not that they don’t like school, but they like vacation and camp a lot better. As they should. For the Boss and me, there is something about living carefree for a couple weeks without real parental responsibilities while the kids are away. If the Boss and I wanted to go out to dinner, we did. If we wanted to go to a Braves game, we did. If I wanted to play hooky so we could take a long weekend, we did. But in the 10 months the kids are home we need to be a little more planned. The kids are old enough now to stay by themselves for short amounts of time, so we can be a little spontaneous, and we need to do that. Though it’s incredible how quickly you get back into the daily crap of washing dishes, doing laundry, and shuttling the kids around. It won’t be long before we area again mired in the daily battle to get homework done and get ahead of major projects. It goes with the territory. To be clear, I am excited the kids are coming home. I missed them every day and the house was very calm and quiet. That was nice, but it will also be good to get back to the craziness of our lives. But the end of summer also marks the passage of time. Another season in the books. The start of another school year is one year closer to the kids moving out of the nest and making their way in the world. It’s a reminder that we need to cherish the time they are home. Both the fun stuff and the not-so-fun stuff. I guess that’s the point. For 6+ weeks each summer I see the future. And it’s a good future. But those other 10 months are the present. And it’s a great present. Wrapped up in a bow and everything. –Mike Photo credit: “Summer’s End” originally uploaded by Jeremy Piehler Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. The Endpoint Security Buyer’s Guide Buying Considerations The Impact of BYOD and Mobility Endpoint Hygiene: Reducing Attack Surface Anti-Malware, Protecting Endpoints from Attacks Introduction Continuous Security Monitoring The Attack Use Case Classification Defining CSM Why. Continuous. Security. Monitoring? Database Denial of Service Countermeasures Attacks Introduction API Gateways Implementation Key Management Developer Tools Newly Published Papers Defending Cloud Data with Infrastructure Encryption Network-based Malware Detection 2.0: Assessing Scale, Accuracy, and Deployment Quick Wins with Website Protection Services Email-based Threat Intelligence: To Catch a Phish Network-based Threat Intelligence: Searching for the Smoking Gun Incite 4 U Don’t blame the cloud: I often remind people that the cloud is no more or less secure than your traditional infrastructure – it’s just different. That said, for many organizations the cloud is far more secure because if you properly leverage public it you can outsource security to a provider with better security staffing and controls than you can afford. But, as NASA demonstrates in this piece from The Verge, you can outsource stupid. It seems NASA completely failed to comply with their own security and cloud policies by putting data in a public cloud that shouldn’t be there, failing to include security requirements in contracts, and not bothering to test security controls. Details, details. The cloud can make you more secure but it doesn’t make you smarter. And all this from the guys who built a big chunk of OpenStack. I suppose that explains a few things. – RM ETDR just rolls off the tongue – NOT! I guess you should take comfort in the fact that most analysts are very bad at marketing type stuff. I mean just look at some of the category names they come up with. The latest to draw my ire is Endpoint Threat Detection and Response (ETDR), although you can also put NGFW and NGIPS in the bucket of names I hate. It’s not that ETDR is wrong, but it’s ponderous. And a lot of these technologies aren’t limited to endpoints. I come down on the side of simplicity – only three letters in an acronym. So Endpoint Activity Monitoring and Advanced Endpoint Protection. And throw Perimeter Security Gateway into that mix as well. But in the end those with the biggest megaphones get to name the category, and that ain’t me… – MR Now go to work: Tim Wilson’s post Black Hat: Moving Security Outside The Lines captures the essence of why you should attend Black Hat. If you want to to understand how attackers approach hacking your stuff, the technical conferences are invaluable for learning the attacker mindset. If you’re an IT practitioner who wants to make stuff secure, you are in the wrong place – there really aren’t any step-by-step guides. Defense tactics and research are elsewhere. You go to BH, B-Sides, and DEFCON to learn what the really skilled people have done to break stuff, so you don’t have to. But to find practical applications of that research within your environment you need to do the work. That is what most folks forget. It’s not the hack, but what you do with the information that’s important. – AL New problems? Or

I may be done with having children, but that doesn’t mean I’ve forgotten how quickly 8 months can stream by. Windows XP is certainly, definitely, going out of support in April of 2014, but all too many people are still using it: If you’re a fan of numbers, head over to Netmarketshare.com, NetApplication’s site for usage share statistics. They measure web browser usage share, search engine usage share, and operating system usage share, and it is of course that latter measurement that I’m focused on this week. According to the firm, Windows XP still accounted for over 37 percent of all desktop OS usage share in July 2013, behind Windows 7 (44.5 percent) but well ahead of Windows 8 (5.4 percent), Vista (4.24 percent), or the most recent Mac OS X version (3.3 percent). That means no more security patches, unless you pony up insane amounts of money for custom extended support. If Windows 8 scares you, Windows 7 is a far less jarring transition. But seriously, don’t wait. XP is effectively impossible to secure today, and once support disappears you will really have no way to keep bad guys out. All it takes is one XP box in the wrong place on your network. Share:

It doesn’t happen very often so it’s highly scrutinized. No, it’s not me being nice to someone. It’s a security company IPO. Last week the folks at FireEye filed their Form S-1, which is the first step toward becoming a public company. The echo chamber blew up, mostly because of FireEye’s P&L. Basically, FireEye spent more on sales and marketing in the first half of 2013 than they took in revenue. Their top line revenue was $61.6MM; they spent $66.1MM on sales and marketing. Their total loss was $63.4MM. Yes, you read that correctly. On the surface that’s pretty ugly. Sure, revenue growth has been significant ($11.3MM, $33.6MM, and $83.3MM; in 2010, 2011, and 2012, respectively). But to lose that much money seems a bit troubling, no? Well, those folks squawking about the losses don’t really understand financial filings too well. In 2012, as I mentioned, they had $83.3MM in revenues. They showed a loss of $35.7MM. But they had positive net cash of $21.5MM in 2012. WTF? Those numbers don’t add up, do they? Keep in mind that bookings does not equal revenue. So FireEye figured out a way to get companies to pay them $75MM more than they could recognize in revenue due to accounting nuances. That’s listed on the balance sheet as Deferred Revenue. They had $43.7MM in current-year deferred revenue (which will be recognized over the coming 12 months), and $32.6MM in revenue deferred for longer than 12 months. And in the first half of 2013 they added another $12MM to their current deferred revenue and over $14MM to non-current deferred. To be clear, they booked a lot more than $83MM in 2012 and a lot more than $61.6MM in the first 6 months. Those revenue numbers are only the stuff they could recognize. The difference between bookings and recognized revenue is services they sold and got paid for now, which they will recognize over the life of the subscription. These multi-year agreements are great for cash flow, but not so great for the income statement. The good news is that companies don’t pay their employees with income statements. The sell-side analysts can do the math to figure out roughly what bookings were, but my point is not to get confused by nuances of the income statement, versus what they actually sell. To be clear, there are a number of issues with that kind of growth in sales and marketing spend. FireEye sees this as a land grab, and the best way to get land is to hire like drunken sailors, put scads of folks in the field, and try to sell product now. It is very expensive to build a global direct sales force, and it is usually done over a long period of time. Clearly FireEye sees their opportunity right now, so they are taking the express train to a huge go-to-market engine. FireEye is making a bet, which you can see in their spending on equipment including demo units (which presumably become production appliances when customers buy). They are betting that once they get a demo box installed on a customer site they will close the deal. They spent $18MM on “property and equipment and demonstration units” last year. That’s a lot of hardware, folks. So they are putting reps everywhere and giving them demo units to get into customer sites before the competition. At some point they will need to dial back the spending and show profits. Ultimately that’s what public company investors demand. But they get a pass on that for the time being because of the huge revenue growth, as well as the need to invest internationally to gain market share now. Which they had better do, because the competition is coming. Pretty much every network security vendor has a network-based malware detection device. They are all gunning for FireEye, which is why FireEye is grabbing as much real estate as they can, right now. Clearly the market for malware detection is red hot and very high profile for enterprises of all sizes. But we don’t expect a stand-alone technology to ultimately prevail for this capability. We expect malware detection to be part of a much bigger security strategy that spans not just the perimeter network, but also endpoints. So FireEye needs a much broader story in the works, or they’ll hit the wall hard. Perhaps they will use public market currency to acquire their way to a broader product line. They have also announced an ecosystem, while remaining focused on the malware detection space. Will that be enough? Time will tell. Listen, I’m not a stock analyst. Personally I cannot invest in the companies I cover, so I don’t have any skin in the game. But I can read a balance sheet, and FireEye is in land grab mode, spending like crazy to build global momentum. Maybe it will pay off and maybe it won’t. Maybe this S-1 is the catalyst they need for a bigger company to acquire them. Maybe they will IPO, broaden their story, and become a sustainable public company. Maybe they don’t. But it will be fun to watch in any case. Photo credit: “DKHouse 082” originally uploaded by May Monthong Share:

Pretty much the entire team is out at the Black Hat conference. Yes, we really are working. Heck, by the time you read this, Rich and James will have taught 2 separate cloud security classes. Although we think Mike may be enjoying a Vegas cabana as this post goes live, based on his calendar. We will resume regular posting next week. Share:

We have covered the reasons endpoint security is getting more challenging, and offered some perspective on what is important when buying anti-malware and endpoint hygiene products – or both in an integrated package. Then we addressed the issues BYOD and mobility present for protecting endpoints. To wrap up we just need to discuss the buying considerations driving you toward one solution over another, and develop a procurement process that can work for your organization. Platform Features As in most technology categories (at least in security), the management console (or ‘platform’, as we like to call it) connects the sensors, agents, appliances, and any other security controls. You need several platform capabilities for endpoint security: Dashboard: You should have user-selectable elements and defaults for technical and non-technical users. You should be able to only show certain elements, policies, and alerts to different authorized users or groups, with entitlements typically stored in the enterprise directory. Nowadays, given the state of widget-based interface design, you can expect a highly customizable environment, letting each user configure what they need and how they prefer to see it. Discovery: You cannot protect an endpoint (or any other device) if you don’t know it exists. So the next key platform feature is discovery. Surprise is the enemy of the security professional, so make sure you know about new devices as quickly as possible – including mobile devices. Asset repository integration: Closely related to discovery is the ability to integrate with an enterprise asset management system or CMDB for a heads-up whenever a new device is provisioned. This is essential for monitoring and enforcing policies. You can learn about new devices proactively via integration or reactively via discovery, but either way you need to know what’s out there. Policy creation and management: Alerts are driven by the policies you implement, and of course policy creation and management are also critical. Agent management: Anti-malware defense requires a presence on the endpoint device so you need to distribute, update, and manage agents in a scalable and effective fashion. You need alerts when a device hasn’t updated for a certain period of time, along with the ability to report on the security posture of these endpoints. Alert management: A security team is only as good as its last incident response, so alert management is key. It enables administrators to monitor for potential malware attacks and policy violations which might represent an attack. Time is of the essence during any response, so the ability to provide deeper detail via drill-down, and to send relevant information into a root cause analysis / incident response process, are critical. The interface should be concise, customizable, and easy to read at a glance – responsiveness key. When an administrator drills down into an alert the display should cleanly and concisely summarize the reason for the alert, the policy violated, the user(s) involved, and any other information helpful for assessing criticality and severity. System administration: You can expect the standard system status and administration capabilities within the platform, including user and group administration. For larger distributed environments you will want some kind of role-based access control (RBAC) and hierarchical management to manage access and entitlements for a variety of administrators with varied responsibilities. Reporting: As we mentioned under specific controls, compliance tends to fund and drive these investments, so substantiating their efficacy is necessary. Look for a mixture of customizable pre-built reports and tools to facilitate ad hoc reporting – both at the specific control level and across the entire platform. Cloud vs. Non-cloud The advent of cloud-based offerings for endpoint security has forced many organizations to evaluate the value of running a management server on premise. The cloud fashionistas focus on the benefit of not having to provision and manage a server or set of servers to support the endpoint security offering – which is especially painful in distributed, multi-site environments. They talk about continuous and transparent updates to the interface and feature set of the platform without disruptive software upgrades. They may even mention the ability to have the environment monitored 24/7, with contractually specified uptime. And they are right about all these advantages. But for an endpoint security vendor to manage their offering from the cloud requires more than just loading a bunch of AWS instances with their existing software. The infrastructure now needs to provide data segregation and protection for multi-tenancy, and the user experience needs to be rebuilt for remote management, because there are no longer ‘local’ endpoints on the same network as the management console. Make sure you understand the vendor’s technology architecture, and that they protect your data in their cloud – not just in transit. You also want a feel for service levels, downtime, and support for the cloud offering. It’s great to not have another server on your premise, but if the service goes down and your endpoints are either bricked or unprotected, that on-premise server will look pretty good. Buying Considerations After doing your research to figure out which platforms can meet your requirements, you need to define a short list and ultimately choose something. One of the inevitable decision points involves large vs. small vendors. Given the pace of mergers and acquisitions in the security space, even small vendors may not remain independent and small forever. As a rule, every small vendor is working every day to not be small. Working with a larger vendor is all about leverage. One type is pricing leverage, achieved by buying multiple products and services from the vendor and negotiating a nice discount on all their products. But smaller vendors can get aggressive on pricing as well, and sometimes have even more flexibility to sell cheaper. Another type is platform leverage from using multiple products managed via a single platform. The larger endpoint security vendors offer comprehensive product lines with a bunch of products you might need, and an integrated console can make your life easier. Given the importance of intelligence for tracking malware and keeping current on patches, configurations, and file integrity, it is important to consider the size and breadth of the vendor’s research