"Humans, alas, remain gullible and flawed. Regardless of any training you provide employees continue to click stuff, share information, and fall for simple social engineering attacks. So endpoints remain some of the weakest links in your security defenses."
The Endpoint Security Buyer’s Guide
I couldn’t say it better myself. Endpoints are often the entry point in a breach or an advanced persistent attack. And they are certainly the entry point for most ransomware and social engineering attacks. The use of endpoint protection products has long been considered a best practice for securing endpoints. Unfortunately, those tools aren’t keeping up with today’s threat environment. Advanced threats, and truth be told, even less advanced threats, are often more than adequate for fooling the average employee into clicking something they shouldn’t. So organizations are looking at and evaluating a plethora of next-gen endpoint security (NGES) solutions.
With that in mind, here are 10 tips to consider if you’re looking at NGES solutions.
Tip 1: Begin with the end in mind
Don’t let the tail wag the dog. A risk reduction strategy should always always start by assessing problems and then looking for potential solutions to those problems. But all too often we get enamored with a “shiny” new technology (e.g., the latest silver bullet) and we end up trying to shoehorn that technology into our environments without fully assessing if it solves an understood and identified problem. So what problems are you trying to solve?
- Is your existing endpoint protection tool failing to stop threats?
- Do you need better visibility into activity on the endpoint?
- Are compliance requirements mandating continuous endpoint monitoring?
- Are you trying to decrease the time and costs of incident response?
Define the problems to address, and then you’ll have a measuring stick for success.
Tip 2: Know your audience. Who will be using the tool?
Understanding the problem that needs to be solved is a key first step in understanding who owns the problem and who would (operationally) own the solution. Every functional team has its strengths, weaknesses, preferences and prejudices. Define who will need to use the solution, and others that could benefit from its use. Is it:
- Security operations,
- IT operations,
- The governance, risk & compliance (GRC) team,
- Helpdesk or end user support team,
- Or even the server team, or a cloud operations team?
Tip 3: Know what you mean by endpoint
Another often overlooked early step in defining the problem is defining the endpoint. Yes, we all used to know what we meant when we said endpoint but today endpoints come in a lot more varieties than in the past.
Sure we want to protect desktops and laptops but how about mobile devices (e.g. phones and tablets), virtual endpoints, cloud based endpoints, or Internet of Things (IoT) devices? And how about your servers? All of these devices, of course, come in multiple flavors so platform support needs to be addressed as well (e.g. Windows only, Mac OSX, Linux, etc?). Also, consider support for endpoints even when they are working remote, or are working offline. What are your requirements and what are “nice to haves?”
Tip 4: Start with a foundation of all the time visibility
Continuous visibility is a foundational capability for addressing a host of security and operational management issues on the endpoint. The old adage is true - that you can’t manage what you can’t see or measure. Further, you can’t secure what you can’t properly manage. So it must start with continuous or all-the-time visibility.
Visibility is foundational to Management and Security
And think about what visibility means. Enterprises need a single source of truth that at a minimum monitors, stores, and analyzes the following:
- System data - events, logs, hardware state, and file system details
- User data - activity logs and behavior patterns
- Application data - attributes of installed apps and usage patterns
- Binary data - attributes of installed binaries
- Processes data – tracking information and statistics
- Network connectivity data - statistics and internal behavior of network activity on the host
Tip 5: Keep track of your visibility data
Endpoint visibility data can be stored and analyzed on premise, in the cloud, or some combination of both. There are benefits to each. The appropriate approach varies, but is usually driven by regulatory requirements, internal privacy policies, the endpoints being monitored, and the overall cost considerations.
Know if your organization requires on-premise data retention
Know whether your organization allows for cloud based data retention and analysis or if you are constrained to on-premise solutions only. Within Ziften, 20-30% of our customers store data on-premise simply for regulatory reasons. However, if legally an option, the cloud can offer cost advantages (among others).
Tip 6: Know what is on your network
Understanding the problem you are trying to solve requires understanding the assets on the network. We find that as many as 30% of the endpoints we initially discover on customers’ networks are unmanaged or unknown devices. This obviously creates a huge blind spot. Reducing this blind spot is a critical best practice. In fact, SANS Critical Security Controls 1 and 2 are to perform an inventory of authorized and unauthorized devices and software attached to your network. So look for NGES solutions that can fingerprint all connected devices, track software inventory and utilization, and perform on-going continuous discovery.
Tip 7: Know where you are exposed
After figuring out what devices you need to watch, you need to make sure they are running in up to date configurations. SANS Critical Security Controls 3 recommends ensuring secure configurations monitoring for laptops, workstations, and servers. SANS Critical Security Controls 4 recommends enabling continuous vulnerability assessment and remediation of these devices. So, look for NGES solutions that provide all the time monitoring of the state or posture of each device, and it’s even better if it can help enforce that posture. Also look for solutions that deliver continuous vulnerability assessment and remediation.
Keeping your overall endpoint environment hardened and free of critical vulnerabilities prevents a huge amount of security issues and eliminates a lot of backend work on the IT and security operations teams.
Tip 8: Cultivate continuous detection and response
An important end goal for many NGES solutions is supporting continuous device state monitoring, to enable effective threat or incident response. SANS Critical Security Control 19 recommends robust incident response and management as a best practice.
Look for NGES solutions that provide all-the-time or continuous threat detection, which leverages a network of global threat intelligence, and multiple detection techniques (e.g., signature, behavioral, machine learning, etc). And look for incident response solutions that help prioritize identified threats and/or issues and provide workflow with contextual system, application, user, and network data. This can can help automate the appropriate response or next steps. Finally, understand all the response actions that each solution supports – and look for a solution that provides remote access that is as close as possible to “sitting at the endpoint keyboard”.
Tip 9: Consider forensics data collection
In addition to incident response, organizations should be prepared to address the need for forensic or historical data analysis. The SANS Critical Security Control 6 recommends the maintenance, monitoring and analysis of all audit logs. Forensic analysis can take many forms, but a foundation of historical endpoint monitoring data will be key to any investigation. So look for solutions that maintain historical data that permits:
- Forensic tasks include tracing lateral threat movement through the network over time,
- Pinpointing data exfiltration attempts,
- Determining root cause of breaches, and
- Determining appropriate remediation actions.
Tip 10: Tear down the walls
IBM’s security group, which supports an impressive ecosystem of security partners, estimates that the average enterprise has 135 security tools in place and is working with 40 security vendors. IBM customers certainly skew to large enterprise but it’s a common refrain (complaint) from organizations of all sizes that security products don’t integrate well enough.
And the complaint is not just that security products don’t play well with other security products, but also that they don’t always integrate well with system management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations need to consider these (and other) integration points as well as the vendor’s willingness to share raw data, not just metadata, through an API.
Bonus Tip 11: Plan for customizations
Here’s a bonus tip. Assume that you’ll want to customize that shiny new NGES solution shortly after you get it. No solution will meet all of your needs right out of the box, in default configurations. Find out how the solution supports:
- Custom data collection,
- Alerting and reporting with custom data,
- Custom scripting, or
- IFTTT (if this then that) functionality.
You know you’ll want new paint or new wheels on that NGES solution soon – so make sure it will support your future customization projects easy enough.
Look for support for simple customizations in your NGES solution
Follow the bulk of these tips and you’ll undoubtedly avoid many of the common pitfalls that plague others in their evaluations of NGES solutions.
For more information watch the Dark Reading webinar with EMA Research Director David Monahan.