Endpoint Security Takes Center Stage Real-Time Prevention Is A Must-Have Capability




A Forrester Consulting Thought Leadership Paper Commissioned By Palo Alto Networks, August 2015

Table Of Contents

Executive Summary
IT Security Decision-Makers Are Most Concerned About Exploitation Of Unpatched Vulnerabilities
Today's Prevention Endpoint Security Solutions Offer A Balance Of Security And Usability
Endpoint Protection Must Include Prevention Of Zero-Day And Targeted Unique Exploits
Key Recommendations
Appendix A: Methodology
Appendix B: Demographics/Data
Appendix C: Endnotes

ABOUT FORRESTER CONSULTING

Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester's Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit forrester.com/consulting.

2015, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to www.forrester.com. [1-TI1473]

Executive Summary

The fight today between security professionals and attackers is an uphill battle, as endpoints multiply and attackers get better at exploiting vulnerabilities before they can be patched. Antivirus, the longtime staple of endpoint protection, can no longer be relied upon to protect against these never-before-seen threats. To protect against these zero-day threats, security pros need to adopt new solutions that can protect against never-before-seen malware and exploits of unpatched vulnerabilities in the OS, browser, and third-party applications. Today's endpoint protection solutions offer varying levels of protection against these advanced threats, and decision-makers need to weigh the protection offered against end user disruption when choosing the best technologies to defend their organizations.

In April 2015, Palo Alto Networks commissioned Forrester Consulting to evaluate endpoint security solutions. To further explore this trend, Forrester developed a hypothesis that tested the assertion that endpoint security solutions whose focus is primarily on detection and remediation are not effectively serving customers. In order to protect against advanced and previously unseen threats, a combined strategy of both detection and prevention is needed.

Forrester conducted in-depth surveys with 125 North American IT security professionals responsible for endpoint security protection and found they are most concerned with the exploitation of unpatched or unknown endpoint vulnerabilities. Security pros told us they believe their current antivirus solutions can no longer effectively detect or prevent attacks against these vulnerabilities. In order to protect against these attacks, respondents are looking for solutions that deliver strong integration between network and endpoint solutions; stop malicious processes without prior knowledge of the threat; and provide proactive exploit prevention capabilities.

KEY FINDINGS

Forrester's study yielded three key findings:

Security pros today are most concerned with zero-day browser and OS threats, which antivirus solutions struggle to address. Our survey shows respondents are most concerned about exploits of unpatched or unknown/zero-day vulnerabilities in the endpoint operating system and browser. This threat is compounded by the large number of endpoints that are either unpatchable or patched very infrequently. Traditional antivirus solutions based on blacklist technology are insufficient to deal with these threats.

Today's prevention solutions vary in their ability to protect against zero-day threats. Endpoint security solutions today must go beyond detecting known threats; they must be able to prevent threats that have never been seen before. However, some prevention technologies are better at this than others. When deciding which solutions to use, security pros must weigh the balance of security and usability.

Today's top desired endpoint security solutions reflect security pros' top threats. The most desired capabilities that security pros are looking for in their endpoint protection solutions today are the ability to integrate into network security solutions and to protect against never-before-seen malware and exploits of unpatched vulnerabilities in the browser, OS, and third-party applications.

IT Security Decision-Makers Are Most Concerned About Exploitation Of Unpatched Vulnerabilities

Security professionals today recognize that they are in an escalating arms race with malware creators. Two factors make this challenge particularly difficult: first, the attack surface continues to grow as the number of applications and services required by the business increases; second, the bad actors can move much faster to find and exploit vulnerabilities before they can be patched. These threats are even more acute in environments where some endpoints are virtually unpatchable, such as systems that are no longer supported by vendors or ones that require 100% uptime. These concerns are top of mind for security professionals today, especially because one of the most-adopted endpoint security protection solutions, antivirus, is ill equipped to deal with such threats. Our survey of 125 IT decision-makers responsible for endpoint security shows:

Phishing attacks are targeting weaknesses in the OS, browser, and third-party apps. The most common attacks that organizations have faced in the past year were phishing and waterhole attacks (see Figure 1). These attacks target weaknesses in the endpoint OS, browsers, and third-party applications.

"Our biggest problem today is phishing attacks. Even with all the training we have done, there is still someone who will click on something and expose us to attack." (Director of information security at an enterprise retailer)

Security professionals are most concerned about zero-day threats for the browser and OS. The most common endpoint attacks our respondents are facing today come in the form of phishing or waterhole attacks (37%) and insider misuse (29%). However, these are not the attacks that keep security professionals awake at night. Our survey shows respondents are most concerned about exploits of unpatched or unknown/zero-day vulnerabilities in the endpoint operating system and browser (see Figure 2).
FIGURE 1: Most Common Attacks In The Past Year Have Come From Phishing/Waterhole Attacks

"Where have you experienced attacks or breaches in the past year?" (Select all that apply)

- Phishing or waterhole attacks: 37%
- Inadvertent misuse by insider (e.g., authorized users inappropriately disclosing sensitive information by accident): 29%
- Direct attacks against Internet-facing assets (e.g., SQL injection): 25%
- External attack originating from compromised business partner/third-party supplier's servers or users: 22%
- Loss/theft of physical corporate asset (e.g., backup data, server, laptop, smartphone): 22%
- Inadvertent misuse by business partner/third-party supplier: 20%
- Loss/theft of business partner physical asset (e.g., backup data, server, laptop, smartphone): (value not legible in source)
- Cross-site scripting (XSS) or cross-site request forgery (CSRF): 15%
- Abuse by malicious insider (authorized or terminated users exploiting their access rights or gaining unauthorized access): 15%
- Abuse by malicious business partner: 8%
- Don't know: 1%
- Other (please specify): 1%
- We have experienced no attacks or breaches in the past year: 22%

Base: 125 North American IT security decision-makers responsible for endpoint security

FIGURE 2: Respondents Are Most Worried About Zero-Day Vulnerabilities In The OS And Browser As Well As Phishing/Spyware

"What types of attacks are you most worried about regarding endpoint security today?" (Rank your top three)

Share of respondents ranking each attack type in their top three (the per-rank breakdown is not legible in the source):

- Exploit of operating system vulnerability for known/unpatched and unknown/zero-day vulnerabilities: 51%
- Exploit of browser vulnerability for known/unpatched and unknown/zero-day vulnerabilities: 37%
- Phishing: 35%
- Spyware: 35%
- Exploit of productivity software vulnerability for known/unpatched and unknown/zero-day vulnerabilities: 32%
- Drive-by malware downloads from websites (over HTTP): 30%
- APTs/targeted attacks: 28%
- Drive-by malware downloads from social networking: 20%
- Botnet attacks: 19%
- Rootkits: 13%

Base: 125 North American IT security decision-makers responsible for endpoint security

Unpatchable systems are most vulnerable to advanced threats. The reason these exploits are so concerning is that 44% of respondents said over 10% of their endpoint systems are either unpatchable or patched very infrequently (see Figure 3).

Antivirus solutions do not address these important vulnerabilities. Antivirus/antimalware software has long been a staple of endpoint protection; however, our survey reveals some key weaknesses in the protection this software provides. While 87% of our respondents are using a paid antivirus solution today, nearly three-fourths of our respondents have experienced challenges with it (see Figure 4). One of the top challenges, reported by 29% of respondents, was a low detection rate for advanced threats, the same threats that most worry security pros.
FIGURE 3: Forty-Four Percent Of Respondents Said That Over 10% Of Their Environment Is Unpatchable

"Approximately what percentage of the endpoints in your environment cannot be patched (due to end-of-life systems no longer supported by vendors or systems that require 100% uptime) or are patched very infrequently?"

Response bands: 51%+, 41% to 50%, 30% to 40%, 21% to 30%, 11% to 20%, 1% to 10%, 0%. (The per-band percentages are not legible in the source.)

"We need zero-day protection today. You can't call antivirus zero day when you look at how long it takes to update." (VP of IT, US financial services firm)

Base: 125 North American IT security decision-makers responsible for endpoint security
Source: A commissioned study conducted by Forrester Consulting on behalf of Palo Alto Networks, May 2015

FIGURE 4: Nearly Three-Quarters Of Respondents Have Challenges With Paid Antivirus; Top Challenges Are High Licensing Cost, Low Detection Of Advanced Threats

"What challenges have you experienced from using a paid antivirus solution?" (Select all that apply)

- Licensing costs are too high: 34%
- Low detection rate for advanced threats: 29%
- Lack of integration into network security technology: 27%
- Signature updates are often slow following the public announcement of new malware: (value not legible in source)
- Lack of integration into remediation/patching workflow: 25%
- Large number of false positives detected: 24%
- Network or endpoint performance impacts (CPU, RAM, I/O, network bandwidth utilization): 23%
- Other: 1%
- We have experienced no challenges: (value not legible in source)

Base: 125 North American IT security decision-makers responsible for endpoint security

Today's Prevention Endpoint Security Solutions Offer A Balance Of Security And Usability

Endpoint security solutions today must go beyond detecting known threats; they must be able to prevent threats that have never been seen before. This means not just blocking a known exploit from causing further damage, but recognizing a new exploit based on a pattern of behavior and preventing the process from ever occurring. Endpoint security via detection must become endpoint security via prevention. However, not all prevention solutions and capabilities are created equal, and some are better equipped to prevent zero-day attacks than others. Here are five specific technology approaches to endpoint security prevention. Each has its own strengths and weaknesses when we look at operational overhead, user experience impact, speed of response to new threats, and ability to prevent spread. Our study found that:

1. Rapid patch deployment capabilities are an important way to reduce exploit vulnerability. Attackers target the most vulnerable applications with exploits, and closing those potential vulnerabilities as quickly as possible is essential to protecting your endpoints.
One of the most important endpoint defenses today is to deploy patches in a timely manner. Our survey shows that patch deployment is both the most used prevention solution available today (58% adopted) and also the most desired (25% interested in adopting) (see Figure 5). In addition, respondents believe patch deployment delivers the most critical value of all the protection solutions, though patches cannot protect against zero-day exploits for which patches do not exist (see Figure 6). However, patch deployment can cause end user disruptions, as some of the most vulnerable applications are also some of the most critical, meaning any downtime is going to disrupt the business. Also, some applications release dozens of patches a year, making it difficult to keep up. For these reasons, 58% of respondents said that patch deployment causes at least some noticeable end user impact.[1]

2. Whitelisting is the philosophical opposite of antivirus software. Whitelisting focuses on the "known good": only trusted applications or processes are allowed to run, while all other executables, including potentially malicious code, are blocked by default. This gives security pros the power to remove unknown apps as potential conduits of attack, ultimately leading to a smaller footprint of running applications while decreasing the endpoint's attack surface. However, no exploit protection for whitelisted software is offered unless additional memory exploit protection measures are leveraged, so whitelisted applications can still be exploited, leading to a compromised endpoint. Additionally, setting up the initial whitelist is not a trivial matter; every time a user installs a new app or receives an update/security patch for an existing app, the whitelist must be updated accordingly if a default-deny policy is enforced. The more heterogeneous your endpoint environment is, the more challenging whitelisting becomes. As a result, whitelisting is one of the lesser-used endpoint security solutions. Our survey shows that only 39% of survey respondents have adopted whitelisting solutions at their organizations.

Another approach to whitelisting controls execution through a more generalized policy: broadly whitelisting folder locations, code signers, and certain behaviors, and then dynamically whitelisting individual applications or processes via a threat intelligence feed. This type of execution control reduces the challenges involved with managing application whitelists, but it still does not prevent exploitation of whitelisted applications.

FIGURE 5: App Integrity Protection, Privilege Management, And Virtual Patching Are The Top Desired Prevention Capabilities

"Which of the following prevention (no prior knowledge of threat required) capabilities are you using today for endpoint protection? Of the technologies/capabilities you are not currently using, which do you have interest in adopting?" (Select all that apply)

Adopted today:
- Patch deployment capabilities: 58%
- Privilege management: 55%
- Application exploit prevention: 47%
- Data/app isolation: 42%
- Whitelisting: 39%

Interested in adopting: patch deployment capabilities 25% (the interest values for the other capabilities are not legible in the source).

Base: 125 North American IT security decision-makers responsible for endpoint security
Source: A commissioned study conducted by Forrester Consulting on behalf of Palo Alto Networks, May 2015

FIGURE 6: Respondents Feel They Get The Most Value From App Exploit Prevention And Patch Deployment For Prevention Solutions

"How much security value do you feel you get from each of your current endpoint security solutions?" (Prevention [no prior knowledge of threat required])

                                          Critical value   High value
Patch deployment capabilities (N = 72)        44%             40%
Privilege management (N = 69)                 33%             45%
Application exploit prevention (N = 59)       32%             53%
Data/app isolation (N = 53)                   25%             53%
Whitelisting (N = 49)                         20%             49%

Base: Variable North American IT security decision-makers responsible for endpoint security
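The two whitelisting styles discussed under approach 2, as an added example that is not from the Forrester paper or from any product: a small default-deny execution-control simulation that contrasts a per-file hash whitelist with signer/folder-based rules across one vendor patch cycle. The executable paths, publisher name and file bytes are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Executable:
    """Constructed stand-in for a file on disk: its path, its bytes, and the
    publisher named in its code-signing certificate (None if unsigned)."""
    path: str
    content: bytes
    signer: Optional[str] = None

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class HashWhitelist:
    """Classic application whitelist: default-deny, where each approved build
    is identified by the exact hash of its file."""
    allowed: set = field(default_factory=set)

    def approve(self, exe: Executable) -> None:
        self.allowed.add(exe.sha256)

    def allows(self, exe: Executable) -> bool:
        return exe.sha256 in self.allowed


@dataclass
class RuleWhitelist:
    """Generalized execution control: trust code signers and folder locations,
    so a vendor patch to an already-trusted program needs no policy change."""
    trusted_signers: set = field(default_factory=set)
    trusted_dirs: tuple = ()

    def allows(self, exe: Executable) -> bool:
        if exe.signer is not None and exe.signer in self.trusted_signers:
            return True
        path = exe.path.lower()
        return any(path.startswith(d.lower()) for d in self.trusted_dirs)


def decide(policy, exe: Executable) -> str:
    """Default-deny verdict: anything the policy does not explicitly allow is blocked."""
    return "allow" if policy.allows(exe) else "block"


def run_scenario() -> dict:
    """Walk one patch cycle under both policies and return every verdict.
    Neither policy says anything about what an allowed program does once it
    runs, which is the exploit-protection gap the text notes for both."""
    viewer_v1 = Executable("C:\\Program Files\\Viewer\\viewer.exe",
                           b"viewer build 1.0", "Example Software Inc")
    # The same program after a vendor security patch: new bytes, same path and signer.
    viewer_v2 = Executable("C:\\Program Files\\Viewer\\viewer.exe",
                           b"viewer build 1.1 (security patch)", "Example Software Inc")
    # An unknown, unsigned binary in a user-writable folder.
    unknown = Executable("C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
                         b"unknown unsigned binary")

    by_hash = HashWhitelist()
    by_hash.approve(viewer_v1)  # the administrator approved the baseline build only
    by_rule = RuleWhitelist(trusted_signers={"Example Software Inc"},
                            trusted_dirs=("C:\\Program Files\\",))

    results = {
        "hash/viewer_v1": decide(by_hash, viewer_v1),
        "hash/viewer_v2": decide(by_hash, viewer_v2),  # patched build blocked until re-approved
        "hash/unknown": decide(by_hash, unknown),
        "rule/viewer_v1": decide(by_rule, viewer_v1),
        "rule/viewer_v2": decide(by_rule, viewer_v2),  # same signer, so still allowed
        "rule/unknown": decide(by_rule, unknown),
    }
    # The hash whitelist must be updated after every patch before users can work again.
    by_hash.approve(viewer_v2)
    results["hash/viewer_v2 after re-approval"] = decide(by_hash, viewer_v2)
    return results


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:32} {verdict}")
```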

3. App privilege management enforces least privilege on the endpoint. Application privilege management software gives administrators the power to remove admin rights on their end user endpoints while elevating application-specific privilege levels as needed. This is achieved by modifying the security token assigned to each running process in order to control its privilege level. Since most malware requires admin rights in order to run, this form of application control offers a reasonably high level of malware protection. Our survey shows that 33% of respondents feel the solution provides critical value, and 45% feel it provides high value. Privilege management solutions are currently adopted by 55% of respondents.

However, IT administrators face similar challenges with app privilege management as those presented by whitelisting; the list of software requiring admin rights takes time to build and must be monitored closely. Additionally, no exploit protection for the allowed software is offered. Once allowed software has been exploited, an attacker can escalate privileges regardless of whether the end user had local admin privileges.

4. Application exploit prevention guards running code. Application exploit prevention ensures that applications act in a known good way while blocking all other actions taken by those supported applications. Since application exploit prevention, if set up in such a way, will prevent unknown code from modifying existing applications stored on the hard drive or taking abnormal actions within running memory, this form of protection offers better protection against software exploits when compared with AV, whitelisting, or app privilege management. Our survey shows app exploit prevention is one of the more valuable prevention solutions, with 32% saying the solution delivers critical value, and another 53% saying it delivers high value.
Some application exploit prevention solutions involve a much more extensive data set for each application (compared with a simple hash used within application control products), and most tools only support a limited number of applications. Code verification and blocking processes must also be aligned in a way that doesn't interfere with software patch deployment. With a few exceptions, post-infection remediation functions (quarantine and code removal) are generally nonexistent in these solutions because they focus on preventing the attack before any damage can be done.

Another mode of application exploit prevention inserts itself as an enforcer in memory, monitoring a defined set of processes that have been profiled to be misused by most exploits. By modeling the bad behavior of exploits, the set of malicious activity to be watched for is reduced to a manageable level, which allows for prevention of new attacks with relatively low processor overhead. This mode of application exploit prevention requires an intimate knowledge of each operating system's weaknesses, and therefore is typically limited to covering the most widely used operating systems.

5. Data and application isolation contains running apps/tasks. Endpoint execution isolation solutions execute commonly used applications and/or user tasks within those applications in isolation as a means of protecting against known and unknown exploits. Supported applications (and their associated tasks) execute within logical containers, with all behaviors and interactions between the application/task and the outside environment monitored closely (including networking and disk input/output). One of the major benefits of this technology is the fact that even if a piece of malicious code is allowed to run, its ability to interact with the system as a whole is severely limited by the logical separation put into place between the exploited application and the rest of the system.
On the other hand, endpoint execution isolation generally places a greater demand on system resources when compared with other forms of endpoint protection. Fifty-seven percent of our survey respondents said that these solutions cause at least occasional noticeable end user performance impact.[2] Also, endpoint process isolation products generally only support a limited number of commonly used applications. As a result, only 25% of our survey respondents felt the solutions delivered critical value.

Each of these five prevention-oriented endpoint security approaches provides a different balance of security versus usability. Furthermore, most of them address unknown malware or unknown exploits, but not both. Our survey shows that finding solutions that maximize both requirements is what S&R pros are looking for:

Today's endpoint security requires a shift from detection to prevention and must increase protection against zero-day threats. Not all current prevention capabilities are able to effectively prevent unknown or unpatchable threats (see Figure 7). Our survey found that some of the top-desired prevention techniques today, patch deployment and some types of app exploit prevention, can take days to update, meaning zero-day threats must be handled with other endpoint protection capabilities. Other prevention techniques like whitelisting often require a workflow process with approvals, and 55% of the time require multiple days to respond to a new threat. When using one of these techniques, you want to look for those that provide protection against zero days without having to wait for a product update.

FIGURE 7: Today's Endpoint Security Solutions Must Provide Zero-Day Coverage

"How long does it take for each endpoint security solution to respond to new threats?" (Prevention [no prior knowledge of threat required])

Response categories:
- Requires manual effort to load new threats/signatures
- Protection is in place for new threats less than 72 hours from public announcement
- Some new threats are covered by existing heuristic/model-based protection, others are covered within 24 hours of announcement
- New threats/signatures are updated automatically; however, it can take > 1 week for newly announced threats/vulnerabilities to be covered
- Protection is available the same day as public announcement
- Don't know/NA

Solutions rated: data/app isolation, application exploit prevention, patch deployment capabilities, privilege management, whitelisting. (The per-solution percentages are not legible in the source.)

Base: 125 North American IT security decision-makers responsible for endpoint security

Endpoint Protection Must Include Prevention Of Zero-Day And Targeted Unique Exploits

Our survey shows that security pros are looking for these capabilities in their endpoint security solutions:

Set-and-forget prevention solutions. We asked respondents what functionality they would like to see in an endpoint protection solution.
Not surprisingly, the most desired capabilities protect against never-before-seen malware and exploits of unpatched vulnerabilities in the browser, OS, and third-party apps, which are the top endpoint threats for security pros (see Figure 8). Figure 9 maps the options available to provide strong prevention capabilities against the top-three-ranking requirements from our survey.

Strong integration of endpoint and network protection to stop malware before it even reaches the endpoint. Respondents in our survey said that endpoint integration with network security was the most valuable detection capability. It is also a highly desired feature of endpoint security.

Solutions that stop malicious processes at the lowest level (also known as "instant patching"). If an exploit does manage to evade detection by network protection for email or web traffic, the expectation is growing that the endpoint will be able to monitor itself at the process memory level, detect abnormal behavior, and prevent exploits from executing. This functionality is sought as a form of instant patching and acknowledges that attackers will always be able to create new exploits faster than security pros can spot and patch vulnerabilities.

FIGURE 8: Prevention Of Zero-Day Exploits And Protection For Unpatched OS/Browsers Top The Want List

"What functionality would you like to see from your endpoint protection solution?" (Rank your top five)

Capabilities, in the order shown (the per-rank percentages are not legible in the source):
- Ability to prevent never-before-seen malware (zero-day malware)
- Ability to protect against exploitation of unpatched vulnerabilities in browsers
- Ability to protect against exploitation of unpatched vulnerabilities in operating systems
- Integration into network security (i.e., web/email security gateways)
- Ability to protect against exploitation of unpatched vulnerabilities in productivity software
- Lower operational costs for incident response
- More automation in remediation/response
- Logging and forensic collection of network traffic to/from endpoint
- Logging and forensic collection of memory activity (inspection into active processes)
- Logging and forensic collection of disk read/write activity
- Integration into correlation/analytics tools
- Less pressure to deploy patches before fully tested
- Integration into cloud security gateways

Base: 125 North American IT security decision-makers responsible for endpoint security

FIGURE 9: Endpoint Prevention Solutions Capabilities Checklist

Key Recommendations

Forrester recommends that security pros choose carefully when replacing or augmenting standard antivirus solutions for endpoint protection. The best solutions will be those that offer strong integration between endpoint and network security components in addition to some form of zero-day exploit prevention for OS, browser, and third-party applications. To protect their endpoints, security pros should:

Focus on prevention. Prevention requires some combination of sophisticated baseline process behavior modeling and careful control over applications. Products that require an update before they can block a new zero-day exploit, or products that detect indicators of compromise (IOCs) and then attempt to mitigate the damage, are not providing a real prevention capability. The ultimate prevention capability would prevent patient zero. Look for a match between the level of effort required to support a given solution and the capabilities of your support staff.

Reduce the attack surface through a balance of prevention, detection, and remediation proficiency. The most mature organizations make sure that they have the basics of vulnerability and patch management down cold, but realize that patching does not address the zero-day threat. They should use a risk-based approach to determine where to deploy advanced solutions in their network.

Integrate endpoint security with network security to create a virtuous cycle of detection and prevention. Some attacks are launched across the Internet via email or watering-hole vectors, while others arrive directly at the endpoint via portable storage devices or a laptop that is outside the corporate network. This means that both the endpoint and the network must be prepared to prevent never-before-seen threats. The best solutions share information on what these threats look like across both the endpoint and the network in order to increase the speed and coverage of response to rapidly evolving threats.

Focus on decreasing attack surface while creating as little friction as possible for employees. Security pros are tasked with balancing the need to protect sensitive data stored on employee devices against the need to enable employee productivity and innovation. When choosing any security technology to be used on an employee device, do not underestimate the importance of preserving endpoint performance and user experience. Employees are continually installing new software and have little tolerance for security products that stand in the way of their own innovation or productivity.

Appendix A: Methodology

In this study, Forrester conducted an online survey of 125 organizations in North America with over 500 employees to evaluate endpoint security solutions. Survey participants included decision-makers in IT security responsible for endpoint security. The questionnaire asked respondents about their current endpoint security technologies across three domains: detection, remediation, and prevention. We also asked about the value, impact on end users, and deployment issues with each technology. In addition, we conducted three interviews with endpoint security decision-makers, one of whom was a contact from Palo Alto Networks. Respondents were offered financial compensation as a thank you for time spent on the interviews. The study began in April 2015 and was completed in May 2015.

Appendix B: Demographics/Data

FIGURE 10: Survey Demographics

In which country do you work? United States, 98%; Canada, 2%.

Using your best estimate, how many employees work for your firm/organization worldwide? Categories: 20,000 or more employees; 5,000 to 19,999 employees; 1,000 to 4,999 employees; 500 to 999 employees. The reported shares are 18%, 18%, 22%, and 42%, but their pairing to the categories did not survive extraction.

Which of the following roles in IT are you significantly involved in? Roles listed: IT security; IT operations; IT infrastructure; Cloud infrastructure/operations/architect; Networking/telecommunications; Information and knowledge management; Sourcing and vendor management; Solution/application architecture; Application development and delivery; Software testing and QA; Business analyst; Other (please specify). (Per-role percentages did not survive extraction.)

Which of the following best describes the industry to which your company belongs? Industries listed: Healthcare; Financial services and insurance; Retail; Manufacturing and materials; Business or consumer services; Government; Energy, utilities, waste mgmt.; Other (please specify); Education and nonprofits; Telecommunications services; Transportation and logistics; Electronics; Construction; Chemicals and metals; Consumer product manufacturing. (Per-industry percentages did not survive extraction.)

Which title best describes your position at your organization? Manager 2 (value truncated in source); Director 39%; C-level executive 22%; Vice president 14%.

Base: 125 North American IT security decision-makers responsible for endpoint security (percentages may not total 100 because of rounding)

FIGURE 11: Survey Demographics: Endpoint Responsibilities

Which of the following categories of technology decision-making are you significantly involved in? (Select all that apply)
- Infrastructure or data security: 94%
- Security event/incident management: 92%
- IT compliance: 8 (value truncated in source)
- Threat and vulnerability management: 82%
- Identity and access management: 80%
- Managing third-party security services: 60%

What is your level of responsibility around your organization's endpoint security?
- I am often the final decision-maker for endpoint security: 59%
- I provide significant input to the final decision-maker around endpoint security: 41%

Base: 125 North American IT security decision-makers responsible for endpoint security