Endpoint
2/18/2016
10:30 AM
Doug Cahill
Doug Cahill
Commentary
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

Navigating Next-Gen Endpoint Security: A Buyer’s Journey

Organizations will face a market in a state of transition as they evaluate information security solutions from both new and established vendors.

After Operation Aurora in 2009, “we’ll catch it on the wire” was an oft-heard phrase reflecting a network-centric orientation to security and the concession that signature-based antivirus was ineffective against never-seen-before components of an advanced persistent threat, the behavior of which the industry now frames in the context of the cybersecurity kill chain.

The incessant rate of attacks against the increasingly mobile and multi-device operator of endpoints (whose human gullibility is the vulnerability that makes spear phishing and drive-by downloads serially successful) is such that many organizations are now revisiting their endpoint security strategies -- both products and processes.

But executing upon this imperative in a market rife with confusion and ripe for consolidation is not a small thing. Enterprise Strategy Group (ESG) has conducted interviews with dozens of enterprises that have navigated this market in transition en route to improving their endpoint security postures. What can we learn from those that have made the journey? Have they, in fact, reached their destination? Here’s a summary of our findings, which will be presented at this year’s RSA conference in March.

It starts with operational efficiency

In a holistic security methodology, prevention, detection, and response are not mutually exclusive concepts; they work in concert with prevention controls employed to reduce the attack surface area and with detection and response controls to deal with the inevitable introduction of the new and unknown. But some organizations simply do not have the resources nor the expertise to utilize detection and response solutions, and often opt for greater prevention efficacy, as measured not only in a reduction in malware detected by network-based sandboxes but also in fewer calls to the help desk. Operational efficiency is a critical success factor for all companies refreshing their endpoint security solution sets, especially those with fewer resources.

Add layers of prevention

Advanced prevention controls include containerization, binary runtime inspection, and application control. Some organizations that seek improved prevention effectiveness layer such controls by keeping signature-based antivirus in place for the more pedestrian viruses while also deploying an advanced control for advanced malware. Customers with an Enterprise License Agreement (ELA) with Microsoft may utilize Security Essentials as their antivirus engine and reallocate budget to an advanced anti-malware product.

Another layered prevention model is to employ antivirus to address the “known bad,” and application control for a default-deny approach of only allowing known good, an approach well suited for systems with little to no drift, but one that does require some care and feeding to create group-specific whitelists.

For large organizations, proactive monitoring

The second approach is one typically put in play by larger organizations that do have the resources, as well as the skill sets, to view prevention as simply reducing the attack surface and employing an endpoint detection and response solution (EDR) to proactively monitor system activity. Since the detection method of EDR products is fundamentally rooted in determining anomalous and potentially malicious deviations from a norm, the first step for users of these products is to determine what is normal. Establishing a baseline requires a contextual understanding of one’s own environment (i.e., what is normal) and then a period of suppressing alarms and cultivating rules to essentially train the EDR solution to alert at a higher level of fidelity, thus optimizing the signal:noise ratio so security analysts are not triaging an onslaught of false positives.

A prevent, detect and respond spectrum of starting points

These approaches are not mutually exclusive, and as ESG research has discovered, each one is typically a starting point at one end of the spectrum. Nearly all enterprises have plans to further secure their endpoints by applying additional controls to complete the prevent-detect-respond continuum. But while ESG research highlights the fact that customers prefer an endpoint security suite that aggregates prevention, detection, and response functionality from a single vendor, enterprises will also purchase and deploy point tools to protect their highest-value targets.

Another option for adding detection and response to the endpoint mix is for organizations without the resources to operate such a solution to engage with a managed security services provider (MSSP). Also on the radar screen of next steps is integration with analytics platforms for correlation and with network security controls to expedite detection, reduce dwell time, and terminate communication with a command-and-control server.

The new focus on protecting end users, and their multitude of endpoints, is indicative of an evolution from the old network-centric security model to one that is also host-centric across endpoints, server workloads, and IoT devices. Where customers start is largely a function of resources and skills, based on a balance between detection efficacy and operational efficiency. As the endpoint security industry goes through its transition, we can learn much from those who are at least part of the way along on their journey. 

More on this topic:

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Doug Cahill is a senior analyst covering cybersecurity at Enterprise Strategy Group drawing upon more than 25 years of industry experience across a broad range of cloud, host, and network-based products and markets. Prior to joining ESG, Doug held executive leadership ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
DNS Threats: What Every Enterprise Should Know
Domain Name System exploits could put your data at risk. Here's some advice on how to avoid them.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.