Endpoint
2/18/2016
10:30 AM
Doug Cahill
Doug Cahill
Commentary
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

Navigating Next-Gen Endpoint Security: A Buyers Journey

Organizations will face a market in a state of transition as they evaluate information security solutions from both new and established vendors.

After Operation Aurora in 2009, “we’ll catch it on the wire” was an oft-heard phrase reflecting a network-centric orientation to security and the concession that signature-based antivirus was ineffective against never-seen-before components of an advanced persistent threat, the behavior of which the industry now frames in the context of the cybersecurity kill chain.

The incessant rate of attacks against the increasingly mobile and multi-device operator of endpoints (whose human gullibility is the vulnerability that makes spear phishing and drive-by downloads serially successful) is such that many organizations are now revisiting their endpoint security strategies -- both products and processes.

But executing upon this imperative in a market rife with confusion and ripe for consolidation is not a small thing. Enterprise Strategy Group (ESG) has conducted interviews with dozens of enterprises that have navigated this market in transition en route to improving their endpoint security postures. What can we learn from those that have made the journey? Have they, in fact, reached their destination? Here’s a summary of our findings, which will be presented at this year’s RSA conference in March.

It starts with operational efficiency

In a holistic security methodology, prevention, detection, and response are not mutually exclusive concepts; they work in concert with prevention controls employed to reduce the attack surface area and with detection and response controls to deal with the inevitable introduction of the new and unknown. But some organizations simply do not have the resources nor the expertise to utilize detection and response solutions, and often opt for greater prevention efficacy, as measured not only in a reduction in malware detected by network-based sandboxes but also in fewer calls to the help desk. Operational efficiency is a critical success factor for all companies refreshing their endpoint security solution sets, especially those with fewer resources.

Add layers of prevention

Advanced prevention controls include containerization, binary runtime inspection, and application control. Some organizations that seek improved prevention effectiveness layer such controls by keeping signature-based antivirus in place for the more pedestrian viruses while also deploying an advanced control for advanced malware. Customers with an Enterprise License Agreement (ELA) with Microsoft may utilize Security Essentials as their antivirus engine and reallocate budget to an advanced anti-malware product.

Another layered prevention model is to employ antivirus to address the “known bad,” and application control for a default-deny approach of only allowing known good, an approach well suited for systems with little to no drift, but one that does require some care and feeding to create group-specific whitelists.

For large organizations, proactive monitoring

The second approach is one typically put in play by larger organizations that do have the resources, as well as the skill sets, to view prevention as simply reducing the attack surface and employing an endpoint detection and response solution (EDR) to proactively monitor system activity. Since the detection method of EDR products is fundamentally rooted in determining anomalous and potentially malicious deviations from a norm, the first step for users of these products is to determine what is normal. Establishing a baseline requires a contextual understanding of one’s own environment (i.e., what is normal) and then a period of suppressing alarms and cultivating rules to essentially train the EDR solution to alert at a higher level of fidelity, thus optimizing the signal:noise ratio so security analysts are not triaging an onslaught of false positives.

A prevent, detect and respond spectrum of starting points

These approaches are not mutually exclusive, and as ESG research has discovered, each one is typically a starting point at one end of the spectrum. Nearly all enterprises have plans to further secure their endpoints by applying additional controls to complete the prevent-detect-respond continuum. But while ESG research highlights the fact that customers prefer an endpoint security suite that aggregates prevention, detection, and response functionality from a single vendor, enterprises will also purchase and deploy point tools to protect their highest-value targets.

Another option for adding detection and response to the endpoint mix is for organizations without the resources to operate such a solution to engage with a managed security services provider (MSSP). Also on the radar screen of next steps is integration with analytics platforms for correlation and with network security controls to expedite detection, reduce dwell time, and terminate communication with a command-and-control server.

The new focus on protecting end users, and their multitude of endpoints, is indicative of an evolution from the old network-centric security model to one that is also host-centric across endpoints, server workloads, and IoT devices. Where customers start is largely a function of resources and skills, based on a balance between detection efficacy and operational efficiency. As the endpoint security industry goes through its transition, we can learn much from those who are at least part of the way along on their journey. 

More on this topic:

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Doug Cahill is a senior analyst covering cybersecurity at Enterprise Strategy Group drawing upon more than 25 years of industry experience across a broad range of cloud, host, and network-based products and markets. Prior to joining ESG, Doug held executive leadership ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas and her guest, David Shearer, (ISC)2 Chief Executive Officer, as they discuss issues that keep IT security professionals up at night, including results from the recent 2016 Black Hat Attendee Survey.