In the wake of recent malware exploits, enterprises are now looking for new endpoint security tools. Security professionals want tools that can detect and block known and unknown exploits and malware. At the same time, they prefer endpoint protection technologies that are easy to deploy, configure and operate on a day-to-day basis.
What makes endpoint protection platforms different from traditional anti-virus software, which relies on signatures of known threats, is their ability to analyse processes, changes and connections to spot foul play and catch zero-day exploits.
The value of endpoint protection platforms is that they can identify specific attacks and speed the response to them once they are detected. They do this by gathering information about communications that go on among endpoints and other devices on the network, as well as changes made to the endpoint itself that may indicate compromise. The database of this endpoint telemetry then becomes a forensic tool for investigating attacks, mapping how they unfolded, discovering what devices need remediation and perhaps predicting what threat might arise next.
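As an added illustration of the telemetry-as-forensic-tool idea described above (example code, not from the article or from any vendor it quotes), the following Python builds a per-host timeline from constructed telemetry records and walks outbound connections forward in time from the first compromised host to list the devices that need remediation. The event format, timestamps and host names are assumptions made for the example.

```python
import heapq
from collections import defaultdict

# Constructed endpoint telemetry: (timestamp, host, event_type, detail).
# "connect": detail is the destination host; "change": a local modification.
TELEMETRY = [
    (95,  "ws-01", "connect", "ws-06"),            # before compromise: out of scope
    (100, "ws-01", "change", "new scheduled task: updater"),
    (105, "ws-01", "connect", "ws-02"),
    (110, "ws-02", "change", "new service installed"),
    (120, "ws-02", "connect", "srv-files"),
    (90,  "ws-03", "connect", "ws-01"),            # inbound, earlier: not affected
    (130, "srv-files", "connect", "ws-04"),
    (140, "ws-05", "connect", "srv-files"),        # inbound to srv-files: not affected
]

def build_timeline(events):
    """Group events per host in time order so an analyst can replay what each endpoint did."""
    timeline = defaultdict(list)
    for ts, host, kind, detail in sorted(events):
        timeline[host].append((ts, kind, detail))
    return dict(timeline)

def trace_propagation(events, patient_zero, t0):
    """Earliest-arrival search over the connection graph: a host is only
    considered reached via a connection made at or after the time its source
    was itself reached. Returns {host: time_reached} and {host: (source, time)}."""
    conns = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind == "connect":
            conns[host].append((ts, detail))
    reached = {patient_zero: t0}
    via = {}
    heap = [(t0, patient_zero)]
    while heap:
        t_src, src = heapq.heappop(heap)
        if t_src > reached[src]:
            continue  # stale heap entry; an earlier arrival was already processed
        for ts, dst in conns[src]:
            if ts >= t_src and ts < reached.get(dst, float("inf")):
                reached[dst] = ts
                via[dst] = (src, ts)
                heapq.heappush(heap, (ts, dst))
    return reached, via

if __name__ == "__main__":
    hosts, path = trace_propagation(TELEMETRY, "ws-01", 100)
    for host in sorted(hosts, key=hosts.get):
        print(host, "reached at", hosts[host], "via", path.get(host, "initial compromise"))
```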
“The endpoint remains the most attractive and soft target for cyber criminals and cyber espionage actors to get inside the door of their targets. Trends such as the Internet of Things (IoT), BYOD, mobility, social media and cloud computing have redefined enterprise security with the industry experiencing more data breaches, cyberattacks, hacking and other malicious activities,” says Scott Manson, Cybersecurity Lead – Middle East and Africa, Cisco.
Harish Chib, VP of MEA at Sophos says the best defence against the threat of APTs is a strong next-gen endpoint that makes use of a range of different prevention techniques to ensure that nothing slips through the net. “Increasingly this is being supplemented by a coordinated security setup, where multiple solutions communicate to share contextual information meaning faster detection and an automated response.”
Does the push towards comprehensive endpoint security suites mean the end of traditional AV solutions? Ahmed Ali, senior systems engineer at Fidelis Cybersecurity, says next-gen endpoint security was not originally designed to replace anti-virus solutions. “The core functionality of next-gen endpoint security is to provide advanced prevention and detection mechanisms which act as a second layer of defence. Nevertheless, adding the capability of performing known bad file hashes and signature-based checks to the next-gen endpoint protection platforms is not that big of a challenge, in which case next-gen endpoint security solutions would have the ability to replace traditional anti-virus solutions.”
Morey Harbour, VP of technology at BeyondTrust, offers a different spin and says next generation endpoint security is merely a compensating control for poor security design, hygiene, and an inability for vendors and end users to adopt security best practices from the start or retrofit them into existing installations.
“If you consider security best practices for vulnerability, patch, privilege, logging, auditing, application control, and identity, the need for a next generation endpoint solution is muted. That is, if vulnerabilities are patched timely, privileges controlled and monitored, only trusted applications are executed, and network communications restricted (lateral movement), then the need for a machine learning or artificial intelligence solution is mitigated. I would encourage all end users not to rely on the next best endpoint solution but rather clean up the security basics first. The ability to stop a threat is higher if the basics are done well versus buying another layer branded as next generation anti-virus,” he adds.
Manson from Cisco believes endpoint security will consolidate in the near future. Endpoint security software is going through massive changes in order to best address new threats and new requirements. What’s needed is a truly transformational change in how we approach detecting advanced threats and breach activity. We need continuous protection and visibility from the point of entry through propagation and post infection remediation, he adds.
While there is no single endpoint product that can suit all situations, there are a few key things to consider in your purchase:
Going agent or agentless.
The upside of the agentless approach is that the product can track endpoints that might be used to compromise your network, such as IP cameras and other embedded devices that aren’t running traditional endpoint operating systems.
Another upside is that, because no code is installed on the endpoint, nothing is exposed to a potential attacker.
A third advantage to going agentless is that some products with agents only have them for particular Windows versions and are still working on their Mac and Linux agents. Other products have begun to recognise the mobile universe and either integrate with mobile device management tools or have specific iOS and Android agents.
What does the endpoint user see on their desktop?
Products that install endpoint agents vary widely in terms of what an end user can observe and how stealthily they operate: some hide any listing in the Windows Control Panel Programmes list or taskbar icons, others operate more like ordinary applications. And those that operate without agents are completely invisible, of course.
How is the product configured and managed?
Each product has a combination of web and native management consoles, and some (even the SaaS-based tools) have fairly complex installation routines. Many of them will require consulting contracts to get set up properly.
“Organisations expect next-generation endpoint security to protect against known and unknown threats in an automated fashion that can seamlessly integrate with other elements in the security architecture as part of a cohesive security strategy. This allows organizations to reduce management complexity yet respond to sophisticated threats effectively with a leaner security team,” sums up Tony Zabaneh, Senior Systems Engineer – Channel, at Fortinet.