Charles Leaver – Easily Assess A Next Gen Endpoint Security Service Using These 10 Pointers

Written by Roark Pollock and presented by Charles Leaver, CEO, Ziften


The Endpoint Security Buyer’s Guide

The endpoint is the most common entry point for an advanced persistent attack or a breach, and it is certainly the entry point for most ransomware and social engineering attacks. Endpoint protection products have long been considered a best practice for protecting endpoints. Unfortunately, those tools are not keeping up with today’s threat environment. Advanced threats, and truthfully even less advanced threats, are often more than enough to fool the typical employee into clicking something they shouldn’t. So organizations are looking at and evaluating a variety of next generation endpoint security (NGES) solutions.

With this in mind, here are 10 tips to consider if you’re evaluating NGES solutions.

Tip 1: Start with the end in mind

Don’t let the tail wag the dog. A risk reduction strategy should always begin by identifying the problems and then looking for possible fixes for those problems. But all too often we become enamored with a “shiny” new technology (i.e., the latest silver bullet) and end up trying to shoehorn it into our environment without fully evaluating whether it solves a known and defined problem. So what problems are you trying to solve?

– Is your existing endpoint protection tool failing to stop threats?
– Do you need better visibility into activity on the endpoint?
– Are compliance requirements mandating continuous endpoint monitoring?
– Are you trying to reduce the time and cost of incident response?

Define the problems to address, and then you’ll have a yardstick for success.

Tip 2: Know your audience. Who will be using the tool?

Understanding the problem to be solved is a crucial first step in understanding who owns the problem and who would (operationally) own the solution. Every functional team has its strengths, weaknesses, preferences and biases. Define who will need to use the solution, and who else could benefit from its use. Is it:

– The security team,
– IT operations,
– The governance, risk and compliance (GRC) team,
– The helpdesk or end user support team,
– Or even the server team or a cloud operations team?

Tip 3: Know what you mean by endpoint

Another often overlooked early step in defining the problem is defining the endpoint. Yes, we all used to know what we meant when we said endpoint, but today endpoints come in many more varieties than before.

Sure, we want to protect desktops and laptops, but what about mobile devices (e.g., phones and tablets), virtual endpoints, cloud based endpoints, or Internet of Things (IoT) devices? And what about your servers? All of these devices, of course, come in many flavors, so platform support has to be addressed as well (e.g., Windows only, Mac OS X, Linux, etc.). Also consider support for endpoints when they are working remotely or offline. What are your requirements, and what are the “nice to haves”?

Tip 4: Start with a foundation of continuous visibility

Continuous visibility is a foundational capability for addressing a host of security and operational management concerns on the endpoint. The old saying holds: you can’t manage what you can’t see or measure. Further, you can’t secure what you can’t properly manage. So it has to begin with continuous, all-the-time visibility.

Visibility is foundational to Security and Management

And think about what visibility means. Enterprises need a single source of truth that, at a minimum, monitors, stores, and analyzes the following:

– System data – events, logs, hardware state, and file system information
– User data – activity logs and behavior patterns
– Application data – attributes of installed applications and usage patterns
– Binary data – characteristics of installed binaries
– Process data – tracking details and statistics
– Network connection data – statistics and internal behavior of network activity on the host

Suggestion 5: Track your visibility data

Endpoint visibility data can be stored and analyzed on premise, in the cloud, or in some combination of both. There are advantages to each. The right approach varies, but is usually dictated by regulatory requirements, internal privacy policies, the endpoints being monitored, and overall cost considerations.

Know whether your organization requires on premise data retention

Know whether your organization allows cloud based data retention and analysis, or whether you are constrained to on-premise services only. At Ziften, 20-30% of our customers store data on premise purely for regulatory reasons. However, if it is legally an option, the cloud can offer cost benefits (among others).

Tip 6: Know what is on your network

Understanding the problem you are trying to solve requires understanding the assets on the network. We have found that as many as 30% of the endpoints we initially discover on customers’ networks are unmanaged or unknown devices. This obviously creates a huge blind spot. Reducing this blind spot is an important best practice. In fact, SANS Critical Security Controls 1 and 2 are to perform an inventory of authorized and unauthorized devices and software connected to your network. So look for NGES solutions that can fingerprint all connected devices, track software inventory and usage, and perform ongoing continuous discovery.
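To make the blind spot concrete, here is an added example (not Ziften’s code or any product’s API) of the reconciliation a practitioner runs to size it: a discovery sweep is compared against the list of devices the management console actually has an agent on, and two sweeps are compared to find what newly appeared. The device records, hostnames and MAC addresses are constructed; the only assumption about the tooling is that a sweep yields a MAC, a hostname (possibly none) and an OS fingerprint per device, and that the console can export the MACs it manages.

```python
"""Reconcile discovered devices against the managed inventory (added example).

Assumes a discovery sweep yields (MAC, hostname, OS fingerprint) per device and
that the endpoint management console exports the MACs it manages. All data below
is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC so '00-1A-2B-3C-4D-5E', '001a.2b3c.4d5e' and
    '00:1a:2b:3c:4d:5e' all compare equal (lower case, colon separated)."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Device:
    mac: str                 # normalised MAC address
    hostname: Optional[str]  # None when nothing answered a name lookup
    fingerprint: str         # OS guess from fingerprinting, e.g. "Windows 10"


def load_devices(rows: Iterable[tuple]) -> list:
    """Build Device objects from raw sweep rows, normalising the MAC on the way in."""
    return [Device(normalize_mac(m), h, f) for m, h, f in rows]


# Constructed discovery sweep, with MACs in the mixed notations real tools emit.
SWEEP_1 = load_devices([
    ("00-1A-2B-3C-4D-5E", "fin-lt-017", "Windows 10"),
    ("001a.2b3c.4d5f", "eng-ws-204", "Ubuntu 20.04"),
    ("00:1a:2b:3c:4d:60", None, "Linux 2.6 (embedded)"),  # no name: likely IoT
    ("00:1a:2b:3c:4d:61", "mkt-mac-09", "macOS"),
])
# A later sweep: the same devices plus one that appeared in between.
SWEEP_2 = SWEEP_1 + load_devices([
    ("00:1a:2b:3c:4d:62", None, "Android"),
])

# Constructed export from the management console: MACs that run an agent.
MANAGED_MACS = {normalize_mac(m) for m in ["00:1A:2B:3C:4D:5E", "00:1a:2b:3c:4d:5f"]}


def classify(devices, managed_macs):
    """Split a sweep into managed, unmanaged (named but no agent) and unknown
    (no agent and no name), and size the resulting blind spot in percent."""
    managed, unmanaged, unknown = [], [], []
    for d in devices:
        if d.mac in managed_macs:
            managed.append(d)
        elif d.hostname:
            unmanaged.append(d)
        else:
            unknown.append(d)
    total = len(devices)
    blind = len(unmanaged) + len(unknown)
    return {
        "managed": managed,
        "unmanaged": unmanaged,
        "unknown": unknown,
        "blind_spot_pct": round(100.0 * blind / total, 1) if total else 0.0,
    }


def sweep_delta(previous, current):
    """Continuous discovery: which devices appeared and which vanished between sweeps."""
    prev = {d.mac: d for d in previous}
    cur = {d.mac: d for d in current}
    new = [cur[m] for m in sorted(cur.keys() - prev.keys())]
    gone = [prev[m] for m in sorted(prev.keys() - cur.keys())]
    return new, gone


if __name__ == "__main__":
    report = classify(SWEEP_2, MANAGED_MACS)
    print(f"blind spot: {report['blind_spot_pct']}% of {len(SWEEP_2)} devices")
    for d in report["unmanaged"] + report["unknown"]:
        print(f"  needs an agent or an owner: {d.mac} {d.hostname or '<no name>'} ({d.fingerprint})")
    new, gone = sweep_delta(SWEEP_1, SWEEP_2)
    print("newly seen:", [d.mac for d in new], "vanished:", [d.mac for d in gone])
```

The distinction between “unmanaged” and “unknown” matters operationally: a named device without an agent usually has an owner who can be asked to enroll it, while a nameless device first needs identification, which is where the fingerprint field earns its keep.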

Tip 7: Know where you are exposed

After determining which devices you need to monitor, you have to ensure they are running up to date configurations. SANS Critical Security Control 3 recommends monitoring for secure configurations on laptops, workstations, and servers. SANS Critical Security Control 4 recommends continuous vulnerability assessment and remediation of these devices. So look for NGES solutions that provide all-the-time monitoring of the state or posture of each device, and better still if the solution can help enforce that posture.

Also look for solutions that provide continuous vulnerability assessment and remediation.

Keeping your overall endpoint environment hardened and free of critical vulnerabilities prevents a significant number of security issues and removes a great deal of back end pressure on the IT and security operations teams.

Tip 8: Cultivate continuous detection and response

A crucial objective for many NGES solutions is supporting continuous device state monitoring, to enable effective threat or incident response. SANS Critical Security Control 19 recommends robust incident response and management as a best practice.

Look for NGES solutions that offer all-the-time or continuous threat detection that leverages a network of global threat intelligence and multiple detection techniques (e.g., signature, behavioral, artificial intelligence, etc.). And look for incident response capabilities that help prioritize identified threats and/or issues and provide workflow with contextual system, application, user, and network data. This can help automate the appropriate response or next steps. Finally, understand all of the response actions that each solution supports, and look for a solution that provides remote access that is as close as possible to “sitting at the endpoint keyboard”.

Tip 9: Think about forensic data gathering

In addition to incident response, organizations must be prepared to address the need for forensic or historical data analysis. SANS Critical Security Control 6 recommends the maintenance, monitoring and analysis of all audit logs. Forensic analysis can take many forms, but a foundation of historical endpoint monitoring data will be crucial to any investigation. So look for solutions that retain historical data that enables forensic tasks such as:

– Tracing lateral threat movement through the network over time,
– Identifying data exfiltration attempts,
– Determining the root cause of breaches, and
– Identifying appropriate remediation actions.
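The first of those tasks, tracing lateral movement over time, is only possible if the per-host connection history was retained in the first place. The following added example (not Ziften’s code or any product’s query language) shows the walk an analyst performs over such retained data: starting from the host believed to be compromised, follow outbound connections on remote administration ports to other hosts, and from each of those follow only connections made after the attacker could have arrived there. The connection records, host names and times are constructed; the assumption is that the NGES store can return, per host, each outbound connection with its timestamp, user, process and destination port.

```python
"""Trace lateral movement through retained endpoint connection history (added example).

Assumes the visibility store can export, per host, every outbound connection with
timestamp, user, process, destination host and port. Records below are constructed.
"""
from collections import deque
from datetime import datetime, timedelta

# Ports used for remote administration; a hop over any other port is not counted.
LATERAL_PORTS = {22, 135, 445, 3389, 5985, 5986}  # SSH, RPC, SMB, RDP, WinRM


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed connection records as exported from endpoint agents:
# (time, source host, user, process, destination host, destination port)
CONNECTIONS = [
    ("2020-03-02T09:12:00", "fin-lt-017", "jdoe", "outlook.exe", "mail-01", 443),
    ("2020-03-02T09:40:10", "fin-lt-017", "jdoe", "powershell.exe", "eng-ws-204", 5985),
    ("2020-03-02T09:41:30", "eng-ws-204", "jdoe", "wsmprovhost.exe", "file-srv-02", 445),
    ("2020-03-02T08:55:00", "eng-ws-204", "svc-backup", "backup.exe", "file-srv-02", 445),  # before arrival
    ("2020-03-02T10:05:00", "file-srv-02", "jdoe", "cmd.exe", "dc-01", 3389),
    ("2020-03-02T10:30:00", "file-srv-02", "jdoe", "chrome.exe", "updates-cdn", 443),      # not an admin port
    ("2020-03-03T11:00:00", "dc-01", "admin", "mmc.exe", "fin-lt-017", 445),               # outside the window
]


def trace_lateral_movement(records, patient_zero, start,
                           window=timedelta(hours=12), ports=LATERAL_PORTS):
    """Time-respecting breadth-first walk from patient_zero.

    A hop from B to C counts only if it used an admin port, happened after the
    walk first reached B, and lies within `window` of `start`. Each host is
    recorded at its first arrival, which keeps the resulting chain acyclic.
    Returns the hops in the order they were taken.
    """
    edges = sorted((parse_ts(t), s, u, p, d, port) for t, s, u, p, d, port in records)
    deadline = start + window
    arrived = {patient_zero: start}   # host -> earliest time the walk reached it
    hops = []
    queue = deque([patient_zero])
    while queue:
        host = queue.popleft()
        since = arrived[host]
        for t, src, user, proc, dst, port in edges:
            if src != host or port not in ports:
                continue
            if t < since or t > deadline:
                continue
            if dst in arrived:
                continue
            arrived[dst] = t
            hops.append({"time": t.isoformat(), "src": src, "dst": dst,
                         "user": user, "process": proc, "port": port})
            queue.append(dst)
    return hops


def describe(hops):
    """Render the hops as a readable chain for the investigation notes."""
    return [f"{h['time']}  {h['src']} -> {h['dst']}  port {h['port']} "
            f"by {h['user']} via {h['process']}" for h in hops]


if __name__ == "__main__":
    chain = trace_lateral_movement(CONNECTIONS, "fin-lt-017", parse_ts("2020-03-02T09:30:00"))
    for line in describe(chain):
        print(line)
```

Two points the code makes explicit: the backup job from eng-ws-204 is dropped because it ran before the walk reached that host, and the connection the next day is dropped because it falls outside the window. Both are exactly the kinds of false leads that disappear only when the retained data carries timestamps, not just host pairs.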

Tip 10: Tear down the walls

IBM’s security team, which supports an excellent ecosystem of security partners, estimates that the typical enterprise has 135 security tools in place and is dealing with 40 security vendors. IBM customers certainly tend to be large enterprises, but it’s a common refrain (complaint) from organizations of all sizes that security solutions do not integrate well.

And the problem is not just that security solutions don’t play well with other security solutions, but also that they don’t always integrate well with system management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations need to consider these (and other) integration points, along with the vendor’s willingness to share raw data, not just metadata, through an API.

Bonus Tip 11: Prepare for customizations

Here’s a bonus tip. Assume that you’ll want to customize that shiny new NGES solution soon after you get it. No solution will meet all of your requirements right out of the box, in default configurations. Find out how the solution supports:

– Custom data collection,
– Alerting and reporting on custom data,
– Custom scripting, or
– IFTTT (if this then that) functionality.

You know you’ll want new paint or new wheels on that NGES solution soon, so make sure it will support your future customization tasks easily enough.

Look for support for easy customization in your NGES solution
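What “custom data collection” and “IFTTT functionality” look like when they are wired together is easier to judge with a concrete sketch. The added example below (not Ziften’s code and not any product’s extension API) layers a small if-this-then-that rule set over endpoint records of the kinds listed under Tip 4: a custom collector derives a new record from facts the agent already gathers, rules express the “if this” as a predicate on a record, and actions express the “then that”. The record fields, host names, collector and actions are all constructed stand-ins for the hooks a real solution would expose.

```python
"""IFTTT-style rules over endpoint visibility records (added example).

Assumes the NGES solution exposes endpoint records as dictionaries and lets you
register a callable as a custom collector and another as an action. Records,
field names, collector and actions below are constructed.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    name: str
    when: Callable[[dict], bool]   # the "if this": predicate on one record
    then: str                      # the "then that": key into the action table


def disk_encryption_collector(host_facts: dict) -> dict:
    """Custom data collection: turn facts the agent already gathers into a
    'custom' record the rule engine can evaluate. Field names are constructed."""
    return {
        "kind": "custom",
        "host": host_facts["host"],
        "data": {
            "field": "disk_encryption",
            "value": host_facts.get("disk_encryption", "unknown"),
            "form_factor": host_facts.get("form_factor", "unknown"),
        },
    }


def user_writable(path: str) -> bool:
    """True for locations an ordinary user can write to on Windows or Linux."""
    p = path.lower().replace("\\", "/")
    return p.startswith(("c:/users/", "/tmp/", "/home/"))


RULES = [
    Rule("unsigned binary in a user-writable path opened a network connection",
         lambda r: r["kind"] == "process"
         and not r["data"]["signed"]
         and user_writable(r["data"]["path"])
         and r["data"]["connections"] > 0,
         "isolate_and_ticket"),
    Rule("laptop reporting disk encryption off",
         lambda r: r["kind"] == "custom"
         and r["data"]["field"] == "disk_encryption"
         and r["data"]["form_factor"] == "laptop"
         and r["data"]["value"] == "off",
         "open_ticket"),
]


def evaluate(records, rules):
    """Return (action key, rule name, host) for every rule that fires on a record."""
    return [(rule.then, rule.name, rec["host"])
            for rec in records for rule in rules if rule.when(rec)]


def dispatch(fired, actions):
    """Run each fired action and collect what was done for the audit trail."""
    return [actions[action](host, why) for action, why, host in fired]


# Constructed actions; real ones would call the ticketing or orchestration API.
ACTIONS = {
    "open_ticket": lambda host, why: f"ticket opened for {host}: {why}",
    "isolate_and_ticket": lambda host, why: f"{host} isolated; ticket opened: {why}",
}

# Constructed sample records of the Tip 4 kinds (process data plus a custom field).
SAMPLE_RECORDS = [
    {"kind": "process", "host": "fin-lt-017",
     "data": {"path": r"C:\Users\jdoe\AppData\Local\Temp\inv0ice.exe",
              "signed": False, "connections": 3}},
    {"kind": "process", "host": "eng-ws-204",
     "data": {"path": "/usr/bin/curl", "signed": True, "connections": 1}},
    disk_encryption_collector({"host": "mkt-mac-09", "form_factor": "laptop",
                               "disk_encryption": "off"}),
    disk_encryption_collector({"host": "file-srv-02", "form_factor": "server",
                               "disk_encryption": "off"}),
]

if __name__ == "__main__":
    for line in dispatch(evaluate(SAMPLE_RECORDS, RULES), ACTIONS):
        print(line)
```

Keeping the rule predicate, the record schema and the action table separate is the property to look for in a product: a new data source should only require a collector, and a new response should only require an action, without touching the rules already in place.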

Follow most of these tips and you’ll undoubtedly avoid many of the common mistakes that plague others in their evaluations of NGES solutions.