Eternal vigilance is the price of liberty. This famous and enduring statement should be heeded by every corporate information security professional as there is simply no room for complacency in today's ever-changing threat landscape. Security programs need to be robust and agile enough to be able to survive this dynamic environment without having to readjust to every new threat. In order to be successful in protecting the company's data assets and ensuring that workers are able to be productive in a safe and secure manner, security teams cannot rest on their laurels (it's been a while since I've sat on a laurel). In order to realize maximum effectiveness, everything (the people, processes, and technologies) that compose the security program needs to be re-evaluated on a constant basis. For the purpose of this write-up, I will focus on evaluating a mainstay of any security program: endpoint protection
By no means am I advocating change for the sake of change by switching your endpoint protection vendor whenever you are displeased with its performance or capabilities. Such endeavours are not practical or cost effective. This process should not be taken lightly, as you are not just choosing a security vendor; you are selecting a strategic partner that will play an instrumental role in your overall security roadmap. Before selecting any solution, you need to determine what qualities you are seeking in an endpoint protection solution. I've identified the key areas to keep in mind when comparing potential endpoint security partners and evaluating the necessity of making any changes.
Movement beyond signature-based detection
The current malware growth rate makes it impossible for vendors to be able to uniquely identify and protect against these threats using only signatures. This explosive growth rate coupled with enhanced malware mutation capabilities has drastically reduced the effectiveness and sustainability of signature detection. It was due to the industry's unwillingness to ditch signature-based detection that led to the unmitigated rise and success of cybercrime. It would be wise to work with a vendor that advocates innovative approaches for handling malware and protecting corporate endpoints and data.
Documentation and support
Documentation and support are areas that are often dismissed as trivial and unimportant. However, products with excellent documentation are generally easier to deploy and make it easier to troubleshoot configuration issues (at least in my personal experience). Additionally, having top-notch support cannot be underestimated as overworked security administrators cannot spare the time needed to peruse Google every time a problem arises. One cannot discount the importance of having a knowledgeable support team to contact in order to quickly resolve trouble areas. Security companies that take the time to develop a supportive ecosystem for their products (thorough and easy to follow documentation partnered with excellent customer support) make great strategic partners for any corporate security department.
More and more security companies are consolidating their endpoint product offerings into a single suite. This benefits corporate security teams as it reduces the total cost of ownership, reduces the number of clients that need to be installed on endpoints, and centralizes management, monitoring and deployment. Centralized monitoring is valuable to security administrators and analysts as they can quickly gauge and assess the current security posture of corporate endpoints without having to piece together information from disparate systems (lowering the likelihood that possible security incidents go unnoticed). By broadening the endpoint protection scope to include tools such as application control (white-listing), device control, host intrusion protection systems (focus on behavioural monitoring), expanded functionality antivirus, antispyware, firewall, data loss prevention, and full disk encryption we dramatically lower the collective risk that endpoints pose to an organization.
Understanding the limitations of any product is the most important point to consider when evaluating new or replacement endpoint solutions. We need to be realistic and realize that no solution is going to provide 100% immunity from malware or the latest threats. Generally speaking, we want to the solution to keep employee productivity from being disrupted by malware, to lower the amount of time and resources needed to clean infected computers, and to ensure that any critical business data is encrypted and well protected. We cannot possibly expect these solutions to effectively protect against covert persistent threats by themselves. They form but a part of a much larger security puzzle.
Personally, I would like to see more context in endpoint protection suites so that the entire threat lifecycle can be better explored and understood (what was the entry point of the malware, what exploits were targeted) and allow for better integration with vulnerability management tools for quicker remediation. If we can gain a better understanding of where the defenses failed and gain broader insight (is it a serious problem or one-time incident) this information can provide practical threat intelligence.
What are your thoughts on endpoint protection suites? What suggestions do you have for evaluating and comparing potential solutions? I'd love to hear your thoughts.
Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.