Endpoint Security Technology A 360 View of the Buying Process


It's vital to secure all the various endpoints in your organization against a constant bombardment of daily threats. Learn how endpoint protection software can help block malicious network traffic while providing secure access to your sensitive business data.

From Business Problem to Technical Solution

By Karen Scarfone

Most organizations today are facing a rapid increase in the number of client devices: endpoints like desktops, laptops, smartphones and tablets. An employee may have three or four endpoints that have been issued by the organization, as well as one or more of their own personal devices. Multiply these by the number of users in your organization and the sheer volume of endpoints IT must manage becomes overwhelming.

Each endpoint in your organization represents multiple attack vectors against the organization's systems, networks, and most importantly, sensitive data. Organizations are increasingly focused on safeguarding their sensitive data, such as customer databases, patient health records, financial information, etc. At the same time, users are demanding increased access to this sensitive data from their organization-issued and personally owned endpoints. It's become even more important for organizations to protect endpoints that access their network against numerous daily threats.

A single data breach on an endpoint, anything from a malware infection on a laptop to a lost smartphone holding a sensitive database, can cost an organization millions of dollars and seriously damage its reputation. According to a recent Ponemon study, the average cost of a U.S. data breach in 2012 was $5.4 million.

To prevent such incidents from occurring, composite software suites known as endpoint protection software have been developed. These suites use a combination of prevention and detection techniques to identify malicious activity and treat it accordingly by blocking malicious network traffic or preventing malicious software from being executed. Endpoint protection software is also used to identify known vulnerabilities in endpoints, such as incorrect security configuration settings and missing patches for operating systems and applications.

Page 1 of 20

Many of the technologies bundled within endpoint protection software have been available as standalone products or in loosely bundled product suites for many years. Examples include antivirus software, host-based firewalls (also known as personal firewalls), and host-based intrusion detection/intrusion prevention software. What makes endpoint protection software different from standalone products or loose bundles is that the endpoint protection software's components are fully integrated into a single product, with a single interface and management capability. Ideally, all the parts of endpoint protection software work together seamlessly. This creates a superior solution to using separate standalone products or loosely bundled product suites and attempting to integrate the individual components in an after-the-fact way.

The capabilities most often provided by endpoint protection software include:

o Antivirus software
o Application whitelisting
o Device control
o Endpoint data loss prevention (DLP)
o Enterprise mobile device management (MDM)
o Host-based firewall
o Host-based intrusion detection/prevention system
o Storage encryption
o Vulnerability assessment

Most endpoint protection software offers several, but not all, of these capabilities. However, products are rapidly evolving to cover all of these capabilities, as well as to prepare to add the next generation of security capabilities to these products in the future. Even products that only offer some of the possible endpoint protection software capabilities can still be very effective at stopping threats, which ultimately means fewer successful attacks.

Endpoint security has reached a point where it's basically become a necessity to use an integrated endpoint protection software suite instead of stovepiped standalone technologies. Small businesses that have minimal security threats may do well with more lightweight solutions, such as those that focus on malware prevention and email-based threats. Yet larger enterprises are almost certain to need the gamut of capabilities that endpoint protection software provides today, and will provide in the foreseeable future.

The business benefits of endpoint protection software can be organized into the following categories: decreasing data breaches and other incidents, easing deployment of new security technologies, reducing costs and blocking unwanted activity.

Decrease Data Breaches and Other Incidents: Having a single integrated product means endpoint protection software should provide more effective and efficient prevention and detection capabilities than its standalone counterparts would. This would lead to reduced opportunities for exploitation and ultimately fewer data breaches and other incidents within an organization.

Prevention and detection is more efficient because the content of interest (the Web request, email message, file write) is analyzed in many ways in one session, not separately several times in succession. There is a great deal of overhead involved in analysis: in parsing protocols, file formats, and other ways that data is stored or transmitted. Using a fully integrated product eliminates most of this overhead, allowing it to be incurred once instead of several times for each piece of content.

Effectiveness is another important aspect of having a single integrated product. Ideally, the various capabilities within a product can collaborate with each other, particularly to identify unknown threats.
Imagine that a new form of malware, previously unseen, attempts to enter an endpoint. The antivirus software may not be able to detect it on its own because it is primarily signature-based, but the endpoint protection software may notice suspicious attempts to transfer sensitive data to a known malicious website. This activity might be detected by a combination of the host-based firewall, endpoint DLP software, and application whitelisting (in monitoring mode). By correlating security events seen by the various individual detection capabilities, the endpoint protection software can identify malicious events that no single capability can properly recognize on its own.

Another important facet of endpoint protection software is that it provides so many varied security capabilities. It provides a layered defense-in-depth solution all on its own. Each capability that it provides is effective against different types of threats, so when an organization combines all of those capabilities, it is addressing a much wider range of threats than any single-capability product could address on its own.

Ease Deployment of New Security Technologies: Having many capabilities integrated into a single product can significantly ease deployment of new security technologies. Over time, endpoint protection software typically adds new capabilities; some of the most recent include endpoint data loss prevention (DLP), application whitelisting and enterprise mobile device management (MDM). Taking advantage of these emerging security technologies does not require acquisition and deployment of a completely new product, but rather simply configuring and enabling a new feature in the existing endpoint protection software deployment. With this, organizations can take advantage of new security capabilities much more quickly and easily than was previously possible. This accelerates the adoption of new security capabilities, allowing an organization to potentially gain a competitive advantage against other organizations that are slower adopters of endpoint security technologies.

Reduce Costs: Generally speaking, it's going to be less expensive to buy one product (endpoint protection software) than to buy all of its equivalent components separately. This does not just include the software cost itself, but also the infrastructure supporting the software.
Assuming that the endpoint protection software is fully integrated, in a smaller organization it could run on a single server (more likely on two servers for redundancy). Imagine how many separate servers might be needed if the software was purchased as standalone components. In larger organizations, the solutions will need to be scalable anyway, so an organization can simply deploy another instance of the endpoint protection software server if it needs more processing power. This is much simpler than having to monitor the performance of several different server products and manage the scalability of each one separately.

The reduction in labor from using an integrated solution may also be significant. Security administrators have a single management interface for all of these disparate endpoint security capabilities instead of a separate interface for each of them. Typical maintenance processes such as applying patches to the endpoint protection software should be significantly simpler and faster with an integrated solution. Incident investigation will also be streamlined because there is a single interface for all of the events monitored by the software.

Block Unwanted Activity: Most data breaches occur because of inadvertent actions, not intentional behavior. Users, for example, may be in the habit of copying important files onto a USB flash drive as backups, but they do not realize that these USB flash drives are inherently insecure (not encrypted, not requiring authentication before use, etc.). Copying sensitive data to a flash drive may not be a direct data breach in and of itself, but it is a policy violation (and quite possibly a regulatory violation, depending on the type of data) and could eventually lead to a data breach, especially if the flash drive is lost or stolen. Endpoint protection software, primarily through its device control and DLP capabilities, can detect and stop such data leaks before they occur, long before a breach is possible. This reduces the sprawl of sensitive data, giving the organization fewer instances to protect and to audit. Endpoint protection software can even educate the user on what the nature of the policy violation is, helping the user to understand what's wrong and how it should be addressed.
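The cross-capability correlation described under "Decrease Data Breaches and Other Incidents" (antivirus says "clean", but application whitelisting in monitoring mode, endpoint DLP and the host-based firewall each flag the same process within seconds) can be shown as a small piece of detection logic. The following is an added example, not code from the guide or from any vendor's product; the event records, the process name updater.exe, the timestamps and the verdict strings are all constructed here, and the address 203.0.113.7 is from the documentation range.

```python
"""Correlating signals from several endpoint capabilities (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, in the shape an integrated suite might collect
# from its components. Process names, times and verdict strings are invented.
SAMPLE_EVENTS = [
    {"capability": "antivirus", "time": "2013-06-10T09:14:02",
     "process": "updater.exe", "verdict": "clean"},
    {"capability": "app_whitelist", "time": "2013-06-10T09:14:03",
     "process": "updater.exe", "verdict": "not_on_list"},  # monitoring mode: logged only
    {"capability": "endpoint_dlp", "time": "2013-06-10T09:14:10",
     "process": "updater.exe", "verdict": "sensitive_read", "detail": "customers.csv"},
    {"capability": "host_firewall", "time": "2013-06-10T09:14:12",
     "process": "updater.exe", "verdict": "outbound_to_blocklisted_host",
     "detail": "203.0.113.7:443"},
    {"capability": "host_firewall", "time": "2013-06-10T09:20:00",
     "process": "outlook.exe", "verdict": "outbound_allowed"},
    {"capability": "endpoint_dlp", "time": "2013-06-10T10:05:00",
     "process": "excel.exe", "verdict": "sensitive_read", "detail": "payroll.xlsx"},
]

# Which verdicts from each capability count as a suspicious signal on their own.
# Antivirus is deliberately absent: a "clean" verdict is not evidence either way.
SUSPICIOUS = {
    "app_whitelist": {"not_on_list"},
    "endpoint_dlp": {"sensitive_read", "sensitive_transfer"},
    "host_firewall": {"outbound_to_blocklisted_host"},
    "host_idps": {"anomalous_behavior"},
}


def correlate(events, window_seconds=60, min_capabilities=2):
    """Return composite alerts for processes flagged by at least
    `min_capabilities` distinct capabilities within `window_seconds`.

    One weak signal (Excel reading a sensitive file) produces no alert;
    several weak signals about the same process in a short window do,
    even when antivirus reported that process as clean."""
    by_process = defaultdict(list)
    for ev in events:
        if ev["verdict"] in SUSPICIOUS.get(ev["capability"], set()):
            by_process[ev["process"]].append((datetime.fromisoformat(ev["time"]), ev))

    alerts = []
    for process, signals in by_process.items():
        signals.sort(key=lambda s: s[0])
        # Slide a window starting at each signal; alert on the first window
        # that contains enough distinct capabilities.
        for i, (start, _) in enumerate(signals):
            window = [ev for t, ev in signals[i:]
                      if t - start <= timedelta(seconds=window_seconds)]
            caps = {ev["capability"] for ev in window}
            if len(caps) >= min_capabilities:
                av = [ev["verdict"] for ev in events
                      if ev["capability"] == "antivirus" and ev["process"] == process]
                alerts.append({
                    "process": process,
                    "capabilities": sorted(caps),
                    "antivirus_verdict": av[-1] if av else "none",
                    "first_seen": window[0]["time"],
                    "last_seen": window[-1]["time"],
                })
                break  # one composite alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The thresholds (`window_seconds`, `min_capabilities`) are the tuning knobs the "Decision Time" chapter warns about: too loose and every spreadsheet user trips an alert, too tight and a slow-moving infection slips between windows. Running with `min_capabilities=1` reproduces what the standalone products would report on their own (one alert per isolated signal), which is what the integrated correlation is meant to improve on.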

To properly evaluate endpoint protection software, you must understand the diverse capabilities that are available and how they will integrate into your environment. Learn the different options of endpoint protection software and how each feature helps to detect and stop malicious behavior.

RFP Technology Decisions

By Karen Scarfone

Endpoint protection software uses a combination of techniques to detect and stop malicious behavior, but the types of techniques and capabilities vary. The capabilities most often provided by endpoint protection software include:

o Antivirus software
o Application whitelisting
o Device control
o Endpoint data loss prevention (DLP)
o Enterprise mobile device management (MDM)
o Host-based firewall
o Host-based intrusion detection/prevention system
o Storage encryption
o Vulnerability assessment

However, few endpoint protection software solutions provide all the capabilities in this list. Endpoint protection software may also provide application-specific security services, such as Web site filtering and antispam protection.

Security Capabilities

Let's look at the security capabilities that are most commonly provided by endpoint protection software in more detail. Note that the extent to which each of these capabilities is implemented may vary from product to product (for example, endpoint DLP may be more rigorously implemented in one product and storage encryption in another).

Antivirus: This is the standard antivirus software that's been available for endpoints for many years. It is best suited to detect known instances of malware. Unfortunately, antivirus software, while still an important component of endpoint security, is not nearly as effective as it used to be because of the highly customized and targeted nature of many of today's malware threats. Symantec recently reported that less than 50% of malware was detected by antivirus software in 2012. Antivirus software is primarily signature-based, and you generally can't use signatures for identifying the novel and unknown.

Application whitelisting: Application whitelisting is a feature that limits which applications may be installed and/or executed on an endpoint. It is only useful for environments that are able to tightly restrict what applications are to be used while still providing the necessary services to their users. However, if application whitelisting can be used in an environment on its user endpoints, it can prevent the execution of known and unknown malware, as well as attack tools and other malicious software. It can also prevent use of applications with known vulnerabilities that could be exploited to access sensitive data or otherwise gain unauthorized access to the endpoint.

Device control: Device control, sometimes referred to as port control, is software that prevents unauthorized endpoint use of connected mobile devices and removable media, most notably USB drives and CDs/DVDs. Device control can prohibit all use of certain classes of mobile devices and/or removable media. It can also more granularly limit what types of data may be stored on mobile devices and removable media, often working in conjunction with endpoint DLP technology (described below).
Device control can help prevent the spread of malware, as well as blocking the sprawl of sensitive data to locations other than its origin.

Endpoint DLP: One of the newest components of endpoint protection software, endpoint DLP, is intended to stop inadvertent and intentional breaches of sensitive data, ranging from Social Security and credit card numbers to proprietary intellectual property (e.g., blueprints and other sensitive documents). Endpoint DLP monitors an endpoint's storage to identify sensitive data and monitors an endpoint's use to identify actions involving sensitive data, such as copying and pasting from a customer database to an email message. Endpoint DLP can run in a monitoring-only mode that observes and logs policy violations, or in an enforcement mode that stops attempted policy violations from succeeding.

Enterprise MDM: Enterprise MDM software is geared toward controlling and protecting mobile devices, primarily smartphones and tablets but also laptops in some cases. Enterprise mobile device management software traditionally provides some of the other security capabilities that endpoint protection software does, including endpoint DLP, device control and storage encryption. Think of enterprise MDM as a suite of security controls that protects sensitive data on an endpoint. One of the most notable emerging features of enterprise MDM software is establishing a secure sandbox for an organization's applications and data to be housed in. This helps to isolate it from other threats and vulnerabilities on the endpoint.

Host-based firewall: Host-based firewalls, also known as personal firewalls, have been around almost as long as antivirus software. And like antivirus software, they have lost effectiveness over the years as the nature of threats has changed. Most of today's threats are at the application layer, not the network layer. While a host-based firewall still provides valuable protection to endpoints by blocking unwanted connection attempts, it doesn't stop the vast majority of threats against endpoints. Note that some host-based firewalls have application firewall capabilities built in that may provide some additional protection for application-generated network traffic.

Host-based intrusion detection/prevention system: The functionality provided by a host-based intrusion detection/prevention system (IDPS) can vary greatly among implementations.
Some analyze attempts to execute code on the endpoint, some analyze the endpoint's incoming and outgoing network traffic, some monitor the endpoint's file system and some analyze the endpoint's logs. Most IDPS perform a combination of two or more of these techniques. The primary benefit of using host-based IDPS is to detect unknown threats based on their suspicious or unusual behavior.
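The device control and endpoint DLP descriptions above (identifying Social Security and credit card numbers in content, a monitoring-only mode that logs versus an enforcement mode that blocks, and device control supplying the "removable media" classification that the DLP policy acts on) can be illustrated with a small policy evaluator. This is an added example, not the guide's or any vendor's code; the SSN and card patterns, the Luhn check, the policy table, the destination names and the sample export line are all constructed for the illustration, and the card number is a well-known test number rather than a real account.

```python
"""Endpoint DLP content inspection with monitoring and enforcement modes (added example)."""
import re

# Social Security number AAA-GG-SSSS, excluding area 000, 666 and 9xx,
# group 00 and serial 0000 (the published never-issued ranges).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# 13 to 19 digits with optional single spaces or dashes between them.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn check-digit validation, used to cut false positives on long
    numbers (order references, serials) that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, matched_text) pairs for each sensitive value found."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(("card", m.group()))
    return findings


# Constructed policy: action per data kind and destination. Device control
# classifies the destination; endpoint DLP classifies the data.
POLICY = {
    "removable_media": {"ssn": "block", "card": "block"},
    "email":           {"ssn": "block", "card": "alert"},
    "local_disk":      {"ssn": "allow", "card": "allow"},
}


def evaluate_transfer(text, destination, mode="enforce"):
    """Decide what the agent does with a transfer of `text` to `destination`.

    mode="monitor" observes and logs only (the tuning phase);
    mode="enforce" actually blocks. Returns the decision and its evidence."""
    findings = find_sensitive(text)
    actions = {POLICY.get(destination, {}).get(kind, "allow") for kind, _ in findings}
    if "block" in actions:
        decision = "block" if mode == "enforce" else "log_only"
    elif "alert" in actions:
        decision = "log_only"
    else:
        decision = "allow"
    return {"decision": decision, "mode": mode, "destination": destination,
            "findings": findings}


# Constructed sample: one SSN-shaped value, one Luhn-valid test card number,
# and a 16-digit order reference that fails Luhn and must not be flagged.
CUSTOMER_EXPORT = (
    "name=Jane Doe; ssn=123-45-6789; card=4111 1111 1111 1111; "
    "order_ref=1234 5678 9012 3456"
)

if __name__ == "__main__":
    print(evaluate_transfer(CUSTOMER_EXPORT, "removable_media", mode="monitor"))
    print(evaluate_transfer(CUSTOMER_EXPORT, "removable_media"))
```

The same export line evaluated against `local_disk` is allowed, against `removable_media` is logged in monitor mode and blocked in enforce mode, and the Luhn-failing order reference never appears in the findings. Reviewing a week of `log_only` records before flipping a destination to enforcement is the phased rollout the guide recommends for capabilities that need fine-tuning.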

Storage encryption: The most commonly implemented form of storage encryption for endpoint protection software is full disk encryption. Full disk encryption completely encrypts the endpoint's storage media (other than perhaps the boot sector) so that the data stored on the media cannot be recovered when the endpoint has been powered off or is otherwise in an unauthenticated state. This protects against a data breach should the endpoint be lost or stolen. Some endpoint protection software also provides forms of storage encryption other than full disk encryption, such as file or disk encryption. These forms of encryption are active even when a host is fully booted, and they only allow access to the sensitive data after proper authentication has been provided.

Vulnerability assessment: The exact nature of vulnerability assessment software varies among endpoint protection software, but the fundamental idea is that it detects known vulnerabilities in the endpoint, primarily its operating system and common applications (Web browser, email client, etc.). The types of vulnerabilities it can detect may include missing patches, outdated software and misconfigured security settings. Vulnerability assessment software generally has no capability to stop threats; rather, it can notify users and system administrators of security problems so that they can be addressed before exploitation occurs. Some vulnerability assessment software can even make recommendations on how to address known vulnerabilities.

Technical Architecture

The main technical architecture of an endpoint protection software solution comprises one or more centralized management servers and agent software installed onto each endpoint. Typically, this agent software is embedded into the operating system so that it intercepts endpoint activity as it occurs, permitting it to be blocked as needed.
An example is integrating a host-based firewall into the endpoint's network stack so that all network activity has to go through the host-based firewall. Achieving this level of integration necessitates installing the agent software with administrative privileges.

The centralized management servers used for endpoint protection software are typical of many security technologies. They are used for full lifecycle management of the endpoint agent software, including agent deployment, agent configuration (e.g., enterprise policy management), agent monitoring (e.g., incident response, vulnerability response) and agent updating. Usually, the data collected by each endpoint is transmitted to the centralized servers for processing, reporting and archival purposes.

Because the centralized management servers are such a key component of an endpoint protection software deployment, even the most basic implementation generally necessitates the installation of at least two servers. This provides redundancy: should one server fail, the other server can keep operating in its place. Sizable enterprises are likely to deploy more than two servers, for example, servers to support different geographic locations, or several additional servers to support increased workloads.

Your Vendor

You should ask these important questions in an endpoint protection software evaluation:

1. Which of the following features are built into your product? If any features are provided by a third party (for example, an antivirus vendor), indicate the vendor's identity and the typical delay from the release of a third-party update to its availability in your product.
   o Antivirus
   o Application whitelisting
   o Data loss prevention (DLP)
   o Device control
   o Host-based firewall
   o Host-based intrusion detection/prevention system
   o Storage encryption
   o Vulnerability assessment

2. What other features does your product provide that are not listed in question 1 (for example, website filtering)?

3. Which of the following features provided by separate products can be managed from your product?
   o Antivirus
   o Application whitelisting
   o Data loss prevention (DLP)
   o Device control
   o Host-based firewall
   o Host-based intrusion detection/prevention system
   o Storage encryption
   o Vulnerability assessment

4. For all the features from questions 1, 2, and 3 that you support, do you have a single management console? If not, how many consoles are there and which features does each console support?

5. Does your product support mobile devices (smartphones, tablets, etc.)? Does the mobile device support include built-in enterprise mobile device management (MDM) functionality and/or integration with third-party enterprise MDM solutions?

6. For endpoints (including mobile devices, if supported), which operating systems and major operating system versions are supported? For each of these, what are the performance requirements (CPU, memory, storage)?

7. Describe in terms of technical methods (signature-based, anomaly-based, behavior-based, policy-based, etc.) how your solution detects malware threats, both known and unknown (e.g., zero-day).

8. Which of the features from questions 1 and 2 need to be updated frequently to retain their effectiveness? An example is updating antivirus signatures to detect the latest malware threats. For each feature that needs updates, how frequently are updates made available? Are updates pushed or pulled to the endpoint? How often are updates acquired (weekly, daily, hourly, etc.)?

9. Does your product work in a virtualized environment? If not, what functionality is lost or what operational problems exist as compared to non-virtualized environments?

10. How scalable is your solution? For example, if your product requires the use of management servers, how many clients can be supported by each management server?

This is a representative list of endpoint protection software vendors.

o Arkoon Network Security
o AVG
o BeyondTrust
o Check Point Software
o ESET
o F-Secure
o GFI Software
o IBM
o Kaspersky Lab
o LANDesk
o Lumension Security
o McAfee
o Panda Security
o Sophos
o Symantec
o Trend Micro

In order to protect your endpoints from threats, it is essential to evaluate your potential endpoint security software solution and its ability to integrate into your environment.

Decision Time

By Karen Scarfone

Although it's critical to secure endpoints against today's threats, an endpoint protection software solution may not be the optimal choice for a particular environment. Many organizations already have a significant investment, both in terms of software and expertise, in their existing point solutions. This could be antivirus software from one vendor and endpoint data loss prevention (DLP) software from another vendor. And there are some distinct advantages to using point solutions, such as being able to acquire the best-in-breed solution for each security capability.

Another reason why endpoint protection software solutions may not be appropriate for an organization is that it may not be in a position to take full advantage of what an endpoint protection software solution has to offer. For example, an organization's security posture and limited resources might preclude it from using endpoint DLP, enterprise mobile device management (MDM), and some of the other newer capabilities that endpoint protection software solutions support. So such an organization might be wasting significant money paying for endpoint protection software that it won't be able to take full advantage of; purchasing and supporting just the needed point solutions might be a better, much less expensive option.

What makes endpoint protection software solutions generally more attractive than point solutions is the integrated capabilities that they can provide. Note that "can" is the operative word here: some endpoint protection software solutions comprise several point solutions loosely integrated with each other, bundled under a single name but really functioning as separate products. This is not much of an improvement over just acquiring each of the point solutions separately. Part of the evaluation of any prospective endpoint protection software should be a careful examination of how well its respective components are integrated. Ideally there should be a single interface for managing all of them, and technical integration between related components (for example, endpoint DLP and device control working together to prevent the spread of sensitive data to removable media).
If this integration is lacking, such as a vendor purchasing or licensing other vendors' products without taking a holistic approach to implementing and integrating those products with each other, it may be wise to investigate other endpoint protection software solutions that are more highly integrated.

Whether an organization selects an endpoint protection software solution or a set of point solutions, it is inevitable that incidents will occur. No security solution is 100% effective, not even an endpoint protection software solution with all the varied security capabilities it provides. Also, there are capabilities that endpoint protection software lacks that are essential for endpoint security, such as patch management. However, an endpoint protection software solution is the single most effective endpoint security control of those that are currently available. In combination with patch management capabilities and application-specific security controls (e.g., antispam for email, Web content filtering for Web browsing), endpoint protection software can stop most of today's threats against endpoints.

What remains for organizations to deal with is twofold. Some incidents will occur because of user error, such as being tricked by a malicious email message (e.g., spam, phishing). This is best dealt with by conducting training and awareness activities for users to help them better understand security, to know their roles and responsibilities, and to learn how they should act under various circumstances. Other incidents will happen not because of users, but because of shortcomings in the endpoint protection software itself. For example, there may be a zero-day vulnerability in an endpoint, and an attacker may be able to exploit it using methods not readily detectable by the endpoint protection software. This is more likely to be true if not all components of the endpoint protection software are deployed, perhaps if application whitelisting is not being used.

As a result, organizations need to give serious consideration to using all of the available security capabilities that endpoint protection software can provide. Implementing all of these capabilities at one time is generally not reasonable, especially because some of the capabilities can require significant fine-tuning to reduce false positives and negatives (endpoint DLP, host-based IDPS, host-based firewalls, etc.). Deploying all the capabilities at once and automatically stopping anything that's identified as suspicious is a recipe for disaster. Instead, endpoint protection software should be deployed using a phased approach, slowly increasing the spread and functionality over time to more gently identify operational problems.
Scalability is also a concern: the more components of the endpoint protection software solution that are active, the more resources are necessary on both the endpoints and the management servers (and the networks between them). Before selecting a solution, it is prudent to do stress testing on real endpoints to see how much performance may be impacted.

It's not so much a question of whether your organization is ready for endpoint protection software; virtually every endpoint needs to be running antivirus software, a host-based firewall, and other capabilities available in endpoint protection software. It's more a question of whether a set of point solutions or an integrated endpoint protection software solution is the way to go.

One final consideration is the operating systems on which an organization's endpoints run. It may not be possible to find a single endpoint protection software solution that supports all of your organization's operating system variants and versions. This may necessitate acquiring multiple endpoint protection software solutions or updating/replacing endpoints to use supported operating system versions. Neither of these is a choice to be taken lightly; both have serious repercussions.

Factors to Consider

1. Do you already have point solutions from different vendors deployed?

Switching from point solutions to an integrated endpoint protection software solution can be a major ordeal if your existing point solutions are from multiple vendors. Switching solutions generally isn't too problematic if you are switching from vendor A's standalone antivirus software to the same vendor's endpoint protection software that includes the same antivirus product. However, when multiple vendors are involved, odds are that the organization will have to replace one or more of the point solutions with completely different products. Again, this isn't the end of the world, but it's going to require more testing, training, and overall effort than simply switching from the standalone version of an application to the integrated version of the same application. Alternately, an organization may decide to keep one or two of its point solutions (e.g., full disk encryption software) and not use the corresponding features offered by the endpoint protection software.

2. Which security capabilities are built into your endpoint operating systems?
Endpoint operating systems, such as Windows and Mac OS X, are increasingly providing native support for a variety of endpoint security capabilities. Examples include application whitelisting, device control, host-based firewalls and storage encryption. These capabilities can be particularly effective if the endpoints are part of a domain (e.g., Active Directory), which allows them to be centrally managed. If several of the security capabilities are already being provided through these means, acquiring an endpoint protection software solution may largely be unnecessary; instead, buying point solutions for the missing capabilities may be the way to go.

3. Which security capabilities will you deploy first?

As previously mentioned, it's recommended that an organization deploy endpoint protection software in a phased approach, limiting both the number of endpoints running the software and the number of security capabilities being used initially. For the latter, the organization will need to choose which capabilities will be deployed first. It might be the most fundamental capabilities, such as antivirus software and host-based firewalls, or it might be the new features that don't already exist in the environment, such as endpoint DLP or application whitelisting. Regardless of the reason for selecting certain capabilities, the organization should pay particular attention to these capabilities when evaluating possible solutions to help support the success of the initial deployment.

4. How will you secure your major applications?

Most endpoint protection software doesn't provide application-specific protections, such as anti-spam and Web content filtering. Because so many attacks come through email or Web traffic, it is critical to ensure that these security capabilities are present, either on the endpoint itself or on the organization's networks, such as anti-spam running on organization email servers and Web security gateways running on internal networks. However, if an organization's endpoints are mobile (and odds are that some or most are), then controls such as Web security gateways won't help unless external traffic from the endpoints is tunneled onto the organization's network so it can be examined there.
In short, make sure that you're looking at the whole solution and not focusing on just a single piece of software when considering application security.

5. Will you be deploying it to your mobile devices?

Endpoint protection software is increasingly supporting smartphones and tablets. At the same time, smartphones and tablets keep becoming more like laptops; for example, some of the Microsoft mobile devices run the same version of the operating system as laptops do. It is becoming increasingly important, especially for these devices with laptop-like operating systems, to protect them from the same threats that desktops and laptops face. Unfortunately, at this time, the security controls available for mobile devices are still fairly immature. Before purchasing any endpoint protection software, if you're planning on using it to support mobile devices, be sure to test its mobile device support thoroughly. Additionally, consider whether a full-fledged enterprise MDM solution would be more effective than an endpoint protection software solution. Both classes of products have somewhat similar capabilities, but enterprise MDM solutions are more likely to provide robust support for mobile platforms.

6. What resources are required?

Estimating how much effort will be needed to design, deploy, maintain and monitor endpoint protection software is very challenging because it has so many different components, each of which involves its own level of effort. There are several reasons for this, including the amount of tuning needed for each component and the relationship each one has to the organization's policies. For example, deploying a host-based firewall may be relatively straightforward when an organization's policies permit all internally-initiated communications and prohibit all externally-initiated communications destined for internal endpoints. On the other hand, implementing endpoint DLP may be extremely resource intensive because of the complexity of the DLP policies needed to implement the organization's policies regarding the handling of its sensitive data. DLP policies necessitate significant resources not only to implement the policies, but also to monitor them over time and continue to tune them to improve detection and prevention performance.
An important part of evaluating endpoint protection software is estimating the level of effort that will be needed to support it, and ensuring that the necessary qualified personnel are dedicated to the task.
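Question 2 asks which of these capabilities your endpoint operating systems already provide, and question 6 uses a default-deny-inbound host-based firewall policy as its example of an easy deployment. The following PowerShell script is an added example, not part of this guide: it inventories the native Windows capabilities the guide names (host-based firewall, storage encryption, application whitelisting, device control) plus domain membership on one endpoint, so the answer can be collected fleet-wide before deciding whether a full suite is needed. It assumes Windows 8 / Server 2012 or later with the built-in NetSecurity, BitLocker, AppLocker and Defender modules, an elevated session, and the function name Get-NativeEndpointCapabilities is my own.

```powershell
# Added example (not from the guide): inventory native Windows endpoint
# security capabilities so you can see what the OS already covers.
# Assumes Windows 8 / Server 2012+, elevated session, built-in modules.
function Get-NativeEndpointCapabilities {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Host-based firewall, per profile: enabled, and does inbound default to
    # Block (the "prohibit externally-initiated traffic" policy of question 6)?
    $profiles = Get-NetFirewallProfile
    $fwEnabledAll  = @($profiles | Where-Object { "$($_.Enabled)" -ne 'True' }).Count -eq 0
    $fwInboundDeny = @($profiles | Where-Object { "$($_.DefaultInboundAction)" -ne 'Block' }).Count -eq 0

    # Storage encryption: BitLocker status of the OS volume.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    # Application whitelisting: count rules in the effective AppLocker policy.
    $alXml = [xml](Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue)
    $alRuleCount = 0
    foreach ($rc in @($alXml.AppLockerPolicy.RuleCollection)) {
        if ($rc) { $alRuleCount += $rc.ChildNodes.Count }
    }

    # Device control: the Group Policy "All Removable Storage classes: Deny all
    # access" writes Deny_All under this key; third-party device control won't show.
    $rsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $denyAll = (Get-ItemProperty -Path $rsKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All

    # Antimalware: built-in Defender (shows disabled when a third-party AV owns the host).
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName                = $cs.Name
        DomainJoined                = [bool]$cs.PartOfDomain   # prerequisite for central GPO management
        FirewallEnabledAllProfiles  = $fwEnabledAll
        FirewallInboundDefaultBlock = $fwInboundDeny
        OsVolumeEncrypted           = ("$($osVol.VolumeStatus)" -eq 'FullyEncrypted')
        AppLockerRuleCount          = $alRuleCount
        RemovableStorageDenied      = ($denyAll -eq 1)
        DefenderRealTime            = [bool]$mp.RealTimeProtectionEnabled
        DefenderSignatureAgeDays    = $mp.AntivirusSignatureAge
    }
}

# Run on one endpoint; pipe to Export-Csv across the fleet to aggregate the answers.
Get-NativeEndpointCapabilities | Format-List
```

Mac OS X endpoints, which the guide also mentions, are not covered by this script; a capability that reads as missing here may still be provided by a third-party point solution already installed.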

About the Author

Karen Scarfone, Principal Consultant, Scarfone Cybersecurity

Karen Scarfone is the Principal Consultant for Scarfone Cybersecurity in Clifton, Virginia. She provides cybersecurity publication consulting services, specializing in network and system security guidelines. Scarfone was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST), where she oversaw the development of system and network security publications for Federal civilian agencies and the public. She has co-authored over 50 NIST Special Publications and Interagency Reports during the past ten years.

Free resources for technology professionals

TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web's largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more, drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor-neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real-world information in real time with peers and experts.

What makes TechTarget unique?

TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers, all to create compelling and actionable information for enterprise IT professionals across all industries and markets.

Related TechTarget Websites