Endpoint security solutions: What you should consider when comparing vendors

Dominic Vogel identifies several key areas to evaluate when your organization is comparing solutions for an endpoint protection suite.

Eternal vigilance is the price of liberty. This famous and enduring statement should be heeded by every corporate information security professional: there is simply no room for complacency in today's ever-changing threat landscape. Security programs need to be robust and agile enough to survive this dynamic environment without having to be rebuilt for every new threat. To protect the company's data assets and keep workers productive in a safe and secure manner, security teams cannot rest on their laurels (it's been a while since I've sat on a laurel). To realize maximum effectiveness, everything that composes the security program (the people, processes, and technologies) needs to be re-evaluated on a constant basis. For the purpose of this write-up, I will focus on evaluating a mainstay of any security program: endpoint protection.

By no means am I advocating change for the sake of change by switching your endpoint protection vendor whenever you are displeased with its performance or capabilities. Such endeavours are neither practical nor cost-effective. This process should not be taken lightly, as you are not just choosing a security vendor; you are selecting a strategic partner that will play an instrumental role in your overall security roadmap. Before selecting any solution, you need to determine what qualities you are seeking in an endpoint protection solution. I've identified the key areas to keep in mind when comparing potential endpoint security partners and evaluating whether any change is necessary at all.

Movement beyond signature-based detection

The current malware growth rate makes it impossible for vendors to uniquely identify and protect against every threat using signatures alone. This explosive growth, coupled with cheap malware mutation (packing, re-encoding, polymorphic variants), has drastically reduced the effectiveness and sustainability of signature detection: a trivial change to a file produces a different hash, and a hash-based signature keyed on the original simply misses it. The industry's reluctance to move beyond signature-based detection gave cybercrime room to grow as fast as it did. It would be wise to work with a vendor that advocates complementary approaches for handling malware and protecting corporate endpoints and data, such as behavioural monitoring, heuristics, and application control, and to ask that vendor to show how each layer performs against a sample its signature engine has never seen.
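As an added illustration (not from the original article), the script below shows why a hash signature is brittle and what a behavioural rule sees instead. The sample bytes, the "mutation" and the event trace are all constructed for the example; the event format (pid, action, detail) is an assumption for this demo, not any vendor's telemetry.

```python
import hashlib
from collections import defaultdict

# Constructed "sample": arbitrary bytes standing in for a malicious file (not real malware).
ORIGINAL_SAMPLE = b"MZ\x90\x00payload-v1" + b"\x00" * 16

# Signature database keyed on SHA-256 of known-bad files, as a classic AV engine would hold.
SIGNATURE_DB = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Signature detection: exact hash lookup. Anything not already catalogued is 'clean'."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


def mutate(sample: bytes, variant: int) -> bytes:
    """The cheapest form of polymorphism: append a variant-specific tail.
    The code that would run is untouched, but every variant hashes differently."""
    return sample + b"\x90" * (variant % 5 + 1) + variant.to_bytes(4, "big")


def behavioural_match(events):
    """Behavioural rule over (pid, action, detail) tuples (assumed format).
    Flag a process that is launched from a temp directory, installs Run-key
    persistence and then reaches the network, regardless of the file's hash."""
    flags = defaultdict(set)
    for pid, action, detail in events:
        d = detail.lower()
        if action == "exec" and "\\temp\\" in d:
            flags[pid].add("temp_exec")
        elif action == "regwrite" and d.endswith("\\currentversion\\run"):
            flags[pid].add("persistence")
        elif action == "connect":
            flags[pid].add("network")
    needed = {"temp_exec", "persistence", "network"}
    return {pid for pid, seen in flags.items() if needed <= seen}


# Constructed event trace: pid 100 is the dropped variant; pid 200 is a legitimate
# updater that also persists and phones home but runs from Program Files.
TRACE = [
    (100, "exec", "C:\\Users\\a\\AppData\\Local\\Temp\\inv0ice.exe"),
    (100, "regwrite", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    (100, "connect", "203.0.113.7:443"),
    (200, "exec", "C:\\Program Files\\Vendor\\updater.exe"),
    (200, "regwrite", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    (200, "connect", "198.51.100.2:443"),
]


def run_demo():
    """Compare both approaches on the original sample, three trivial variants, and the trace."""
    variants = [mutate(ORIGINAL_SAMPLE, i) for i in range(1, 4)]
    return {
        "original_signature_hit": signature_match(ORIGINAL_SAMPLE),
        "variant_signature_hits": [signature_match(v) for v in variants],
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "behavioural_hits": behavioural_match(TRACE),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The signature engine catches exactly the one file it has seen; three variants that differ only in a few trailing bytes all sail past it. The behavioural rule never looks at the file at all and flags the process by what it does, while leaving the legitimate updater alone because of where it ran from. Real behavioural engines are far richer than this, but the question to put to a vendor is the same: what does the product do when the hash is new?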

Documentation and support

Documentation and support are areas that are often dismissed as trivial and unimportant. However, products with excellent documentation are generally easier to deploy and make it easier to troubleshoot configuration issues (at least in my personal experience). Additionally, the value of top-notch support cannot be overstated, as overworked security administrators cannot spare the time to search the web every time a problem arises. One cannot discount the importance of having a knowledgeable support team to contact in order to quickly resolve trouble areas. Security companies that take the time to develop a supportive ecosystem for their products (thorough and easy-to-follow documentation partnered with excellent customer support) make great strategic partners for any corporate security department.

Extra functionality

More and more security companies are consolidating their endpoint product offerings into a single suite. This benefits corporate security teams as it reduces the total cost of ownership, reduces the number of agents that need to be installed on endpoints, and centralizes management, monitoring and deployment. Centralized monitoring is valuable to security administrators and analysts as they can quickly gauge and assess the current security posture of corporate endpoints without having to piece together information from disparate systems (lowering the likelihood that possible security incidents go unnoticed). By broadening the endpoint protection scope to include tools such as application control (whitelisting), device control, host intrusion prevention systems (with a focus on behavioural monitoring), expanded-functionality antivirus, antispyware, firewall, data loss prevention, and full disk encryption, we dramatically lower the collective risk that endpoints pose to an organization. Consolidation is only a win if each module is actually good, though: a suite that bundles a weak encryption or DLP component with a strong antivirus engine just trades one problem for another, so evaluate each component on its own merits and measure the single agent's resource footprint on your standard build.

Realize limitations

Understanding the limitations of any product is the most important point to consider when evaluating new or replacement endpoint solutions. We need to be realistic and accept that no solution is going to provide 100% immunity from malware or the latest threats. Generally speaking, we want the solution to keep employee productivity from being disrupted by malware, to lower the amount of time and resources needed to clean infected computers, and to ensure that any critical business data is encrypted and well protected. We cannot possibly expect these solutions to protect effectively against covert, persistent threats by themselves. They form but a part of a much larger security puzzle.

Personally, I would like to see more context in endpoint protection suites so that the entire threat lifecycle can be better explored and understood (what was the entry point of the malware, which exploits were attempted), along with better integration with vulnerability management tools for quicker remediation. If we can gain a better understanding of where the defenses failed and broader insight into scope (is it a serious problem or a one-time incident), this information can provide practical threat intelligence.
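As an added example (mine, not the article's or any vendor's), here is the kind of correlation the paragraph asks for, written against constructed data: detection records carrying the entry point and the weakness an exploit targeted, joined against a vulnerability-scanner inventory. Host names and weakness identifiers are placeholders, not real assets or CVEs, and the record layout is an assumption.

```python
from collections import defaultdict

# Constructed detections: what the endpoint suite saw, the entry point it attributes the
# activity to, the weakness the exploit targeted, and whether the endpoint layer held.
DETECTIONS = [
    {"host": "ws-017", "entry": "browser", "exploited": "vuln-A", "blocked": True},
    {"host": "ws-042", "entry": "browser", "exploited": "vuln-A", "blocked": False},
    {"host": "ws-109", "entry": "email-attachment", "exploited": "vuln-B", "blocked": True},
]

# Constructed vulnerability-management inventory: which hosts still expose each weakness.
EXPOSED = {
    "vuln-A": {"ws-017", "ws-042", "ws-055", "ws-078"},
    "vuln-B": {"ws-109"},
}


def triage(detections, exposed):
    """For each weakness seen under attack, widen the view beyond the alerting host:
    where did the attempts come in, did the endpoint layer fail anywhere, and which
    hosts have not been hit yet but are still exposed (the patch-first list).
    Returns one row per weakness, most urgent first."""
    by_vuln = defaultdict(list)
    for d in detections:
        by_vuln[d["exploited"]].append(d)

    rows = []
    for vuln, hits in by_vuln.items():
        hit_hosts = {d["host"] for d in hits}
        compromised = {d["host"] for d in hits if not d["blocked"]}
        at_risk = exposed.get(vuln, set()) - hit_hosts
        rows.append({
            "vuln": vuln,
            "attempts": len(hits),
            "entry_points": sorted({d["entry"] for d in hits}),
            "compromised": sorted(compromised),
            "patch_first": sorted(at_risk),
            # one-time incident vs serious problem: repeated across hosts, or a failed block
            "assessment": "serious" if compromised or len(hit_hosts) > 1 else "one-off",
        })
    # failed blocks first, then the widest remaining exposure
    rows.sort(key=lambda r: (-len(r["compromised"]), -len(r["patch_first"]), r["vuln"]))
    return rows


if __name__ == "__main__":
    for row in triage(DETECTIONS, EXPOSED):
        print(row)
```

The join is trivial; the hard part is getting the endpoint product to emit the two fields it depends on (entry point and targeted weakness) in a form the vulnerability scanner's identifiers can be matched against. That is a concrete question to put to a vendor during evaluation, and the answer tells you whether the "context" discussed above is available or still has to be reconstructed by hand after every incident.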

What are your thoughts on endpoint protection suites? What suggestions do you have for evaluating and comparing potential solutions? I'd love to hear your thoughts.


Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.


Think of most of these as the bullet-proof vest, the last line of defense when a pointy lead thing comes your way. The other defenses required are much more robust and include:
- UTM (unified threat management) appliances, which can enforce policy, identify when users are doing bad things, and do the heuristic things that we all wish anti-malware could do.
- Content filtering: most malware comes from untrusted sites, and an aggressive proxy solution like WebSense keeps the people away from the bad stuff.
- NAC (Network Access Control): being able to enforce policy and compliance with patching and malware updates, as well as keeping untrusted hosts off the physical network, is most useful.
- Workstation controls: restricting user admin rights, using something other than IE, installing a safe-search browser add-on. Restrictions that prevent the use of USB flash drives are required, unless these are controlled by something like Pointsec Protector.
- User education: hopefully your employees or students have been trained not to click on links in email messages unless they know what the link is, not to respond to the emails about found money in Iraq, and not to fall for phishing attacks.


I have some points I'd like to share on what you should consider when choosing a vendor contract:
- First, you need to have the whole process documented: implementation, migration, backups...
- You should consider a health check schedule, and don't forget the report.
- The service level agreement (SLA) should contain a clear statement of how issues and problems are categorized, based on severity and business impact.
- When a vendor offers you a solution that has multiple components, make sure you are not paying for something that you don't need.
- You could ask for a list of previous implementations and how big they were, at least for the last two years.
- A small chapter within the proposal document that has CVs of the team that is going to work in your production environment would be a great thing.
I hope I added something helpful.
