Sharpening Endpoint Security

Antivirus The unfortunate truth about antivirus software is that it isn't very effective. It can stop most common forms of malware, but it fails when facing a targeted a...

The unfortunate truth about antivirus software is that it isn't very effective. It can stop most common forms of malware, but it fails when facing a targeted attack that doesn't use off-the-shelf malware.

Treat antivirus software as just one layer in the endpoint protection model, not the cornerstone of host security. Find a product that has strong reviews, works well when tested in-house and has management features that fit your organization. Look for easy-to-push virus definition updates, the ability to perform in-place upgrades as new versions of the software are released, and reporting features such as the ability to identify outdated endpoints and those that repeatedly have malware problems.

Application Whitelisting

Some consider application whitelisting to be the next phase of endpoint security. Instead of trying to block known malware, whitelist the known good applications. The list of legitimate apps is much shorter than the malware list.

Critics of application whitelisting say that identifying known good applications isn't all that easy. Ultimately, the effectiveness of whitelisting and ease of initial configuration will depend upon the environment. Environments where the desktop configurations are tightly controlled and users aren't allowed to install software will be better suited for whitelisting than those where practically every desktop has a custom configuration.

Data Leak Prevention

DLP tools are designed to prevent sensitive data from leaving the company network. They may be host-based, network-based or a hybrid.

A hybrid approach usually works best. Network-based DLP is easier to deploy, but it's less effective because it can't see into encrypted network traffic. Host-based DLP requires a software agent running on the endpoint, which many organizations are reluctant to deploy, but it offers better control and visibility by directly monitoring activity on the endpoint host. At the host level, DLP can monitor files and content being viewed by a user, block the use of removable media and ensure that sensitive files are blocked or encrypted before being sent through email.

Removable Media Control

The two most common methods of importing or exporting data from an endpoint are through the network, using email or Dropbox, for instance, or through removable media, such as USB flash drives and iPods. Security professionals pay more attention to the former approach, while the latter is an afterthought. While many products can manage removable media, some companies continue to disable USB, sometimes going so far as physically damaging or removing ports and optical drives from end users' machines.

Many companies write policies on how to use USB devices but fail to enforce them. To monitor and control removable media, use host-based DLP or endpoint security tools from antivirus vendors that offer basic USB management. At the policy level, you can block all USB storage devices, allow only preapproved devices or force devices to be read-only.

Employee Awareness

5 steps to promoting security awareness

Humans are the most vulnerable endpoint, but they can also be a security organization's most effective resource. With the right training, users are likely to identify and stop a sophisticated phishing attack.

The problem with employee awareness programs is that they fail to engage users, teach them practical lessons and empower them. Give users information they can relate to, such as lessons they can use at home to protect themselves and their kids. (For more, see box)

Network Protection

Endpoint security doesn't stop at the host. For years, security experts have been recommending a defense-in-depth, or layered, approach. You can also layer protection at the network level. Here we're talking about intrusion-detection and -prevention systems, content security gateways, DLP, firewalls and network segmentation.

Your best defense will come from combining layers of host and network security tools. The key is to design the layers in a way that even if several fail, at least one will be effective.

Once you've created these layers, consider running penetration tests, mock attack simulations and table-top exercises to see how your layered defense holds up. Apply the lessons learned from those tests to correct and enhance defenses. While a layered defense can appear complicated, it's the best way to keep your company and its data safe.

chart: most effective security practices

John Sawyer is a senior security analyst with InGuardians. Read more by him at