Written by Roark Pollock and presented by Chuck Leaver, CEO, Ziften
The Endpoint Security Buyer’s Guide
The endpoint is the most common entry point for an advanced persistent threat or a breach, and it is certainly the entry point for many ransomware and social engineering attacks. Deploying endpoint protection products has long been considered a best practice for securing endpoints. Unfortunately, those tools are not keeping up with today’s threat environment. Advanced threats, and frankly even unsophisticated ones, are usually more than adequate to trick the typical employee into clicking something they shouldn’t. So organizations are looking at and evaluating a wide range of next-generation endpoint security (NGES) solutions.
With that in mind, here are ten tips to consider if you are evaluating NGES solutions.
Tip 1: Start with the end in mind
Don’t let the tail wag the dog. A threat reduction strategy should always start by identifying the problems and then looking for potential solutions to those problems. But all too often we get enamored with a “shiny” new technology (e.g., the latest silver bullet) and end up trying to shoehorn that technology into our environment without fully evaluating whether it solves an understood and defined problem. So what problems are you trying to solve?
– Is your current endpoint security tool failing to stop threats?
– Do you need better visibility into activity on the endpoint?
– Are compliance requirements mandating continuous endpoint monitoring?
– Are you trying to reduce the time and cost of incident response?
Define the problems to solve, and you will have a yardstick for measuring success.
Tip 2: Know your audience. Who will be using the tool?
Understanding the problem to be solved is a key first step toward understanding who owns the problem and who would (operationally) own the solution. Every functional team has its strengths, weaknesses, preferences and biases. Define who will need to use the solution, and who else might benefit from its use. Perhaps it is:
– The security team,
– IT operations,
– The governance, risk & compliance (GRC) team,
– The helpdesk or end user support team,
– Or even the server team or a cloud operations team?
Tip 3: Know what you mean by endpoint
Another often overlooked early step in defining the problem is defining the endpoint. Yes, we all used to know what we meant when we said endpoint, but today endpoints come in far more varieties than before.
Sure, we want to protect desktops and laptops, but what about mobile devices (e.g., phones and tablets), virtual endpoints, cloud-based endpoints, or Internet of Things (IoT) devices? And what about your servers? All of these devices, of course, come in multiple flavors, so platform support must be addressed as well (e.g., Windows only, Mac OS X, Linux, etc.). Also consider support for endpoints when they are working remotely or offline. What are your requirements, and what are the “nice to haves”?
Tip 4: Start with a foundation of continuous visibility
Continuous visibility is a foundational capability for addressing a host of security and operational management problems on the endpoint. The old adage holds: you cannot manage what you cannot see or measure. Furthermore, you cannot secure what you cannot effectively manage. So it has to start with continuous, all-the-time visibility.
Visibility is foundational to management and security
And think about what visibility means. Enterprises need a single source of truth that at a minimum tracks, stores, and analyzes the following:
– System data: events, logs, hardware state, and file system details
– User data: activity logs and behavior patterns
– Application data: attributes of installed applications and usage patterns
– Binary data: attributes of installed binaries
– Process data: tracking information and data
– Network connection data: data and internal behavior of network activity on the host
Tip 5: Know where to keep your visibility data
Endpoint visibility data can be stored and analyzed on premises, in the cloud, or in some combination of both. There are benefits to each. The right approach varies, but it is generally dictated by regulatory requirements, internal privacy policies, the endpoints being monitored, and overall cost considerations.
Know whether your organization requires on-premises data retention
Know whether your organization allows cloud-based data retention and analysis, or whether you are constrained to on-premises solutions only. At Ziften, 20-30% of our customers keep data on premises purely for regulatory reasons. However, if it is legally an option, the cloud can offer cost benefits (among others).
Tip 6: Know what is on your network
Understanding the problem you are trying to solve requires understanding the assets on the network. We find that as many as 30% of the endpoints we initially discover on customers’ networks are unmanaged or unknown devices. That obviously creates a significant blind spot. Reducing this blind spot is a critical best practice. In fact, SANS Critical Security Controls 1 and 2 are to perform an inventory of authorized and unauthorized devices and software connected to your network. So look for NGES solutions that can fingerprint all connected devices, track software inventory and utilization, and perform ongoing, continuous discovery.
Tip 7: Know where you are exposed
After determining which devices you need to watch, you need to make sure they are running in up-to-date configurations. SANS Critical Security Control 3 recommends monitoring secure configurations for laptops, workstations, and servers. SANS Critical Security Control 4 recommends continuous vulnerability assessment and remediation for these devices. So look for NGES solutions that provide continuous monitoring of the state or posture of each device, and it is even better if they can help enforce that posture.
Also look for solutions that provide continuous vulnerability assessment and remediation.
Keeping your overall endpoint environment hardened and free of critical vulnerabilities prevents a large number of security problems and eliminates a great deal of back-end work for the IT and security operations teams.
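To make Tips 6 and 7 concrete, here is an added example (not Ziften’s code or product output) that reconciles what network discovery saw against what the endpoint agent reports, normalizing the differing MAC notations the two sources emit, fingerprints the leftovers by OUI prefix, and then scores the managed hosts against a configuration baseline. Every host, address, MAC, OUI entry and baseline value is constructed for the example.

```python
"""Reconcile discovered devices against the managed inventory, then score posture.

Added example, not Ziften's code. Hosts, addresses, MACs, the OUI table and the
baseline are constructed; a real deployment would pull them from discovery,
the agent, the IEEE OUI registry and the organization's hardening standard.
"""
import re

# Constructed: what network discovery (ARP/DHCP/switch tables) saw, in the
# mixed MAC notations different sources produce.
DISCOVERED = [
    {"ip": "10.0.0.17", "mac": "00-1A-2B-3C-4D-5E"},
    {"ip": "10.0.0.50", "mac": "001a.2b3c.4d60"},
    {"ip": "10.0.0.9",  "mac": "00:1a:2b:3c:4d:61"},
    {"ip": "10.0.0.77", "mac": "3C:5A:B4:10:20:30"},   # no agent reports this one
    {"ip": "10.0.0.78", "mac": "dc-a6-32-00-11-22"},   # nor this one
]
# Constructed: what the endpoint agent reports for managed hosts.
MANAGED = {
    "WS-17": {"mac": "00:1A:2B:3C:4D:5E", "os_build": 19045, "disk_encrypted": True,  "firewall": True,  "agent": "3.2.1"},
    "FS-01": {"mac": "00:1A:2B:3C:4D:60", "os_build": 17763, "disk_encrypted": False, "firewall": True,  "agent": "3.2.1"},
    "DC-01": {"mac": "00:1A:2B:3C:4D:61", "os_build": 20348, "disk_encrypted": True,  "firewall": False, "agent": "3.1.0"},
}
# Constructed OUI prefix -> vendor class, used to fingerprint unmanaged devices.
OUI = {"3C5AB4": "IoT vendor A (constructed)", "DCA632": "single-board computer vendor B (constructed)"}

def norm_mac(mac):
    """Canonicalise any common MAC notation to 12 uppercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def reconcile(discovered, managed):
    """Split discovered devices into managed / unmanaged by MAC.

    Returns (matched {host: ip}, unmanaged [{ip, mac, vendor}], blind-spot ratio).
    """
    managed_macs = {norm_mac(v["mac"]): name for name, v in managed.items()}
    matched, unmanaged = {}, []
    for d in discovered:
        mac = norm_mac(d["mac"])
        if mac in managed_macs:
            matched[managed_macs[mac]] = d["ip"]
        else:
            unmanaged.append({"ip": d["ip"], "mac": mac, "vendor": OUI.get(mac[:6], "unknown")})
    blind_spot = len(unmanaged) / len(discovered) if discovered else 0.0
    return matched, unmanaged, blind_spot

# Constructed posture baseline (Tip 7): minimum OS build, required controls, minimum agent version.
BASELINE = {"min_os_build": 19041, "disk_encrypted": True, "firewall": True, "min_agent": (3, 2, 0)}

def posture_findings(managed, baseline=BASELINE):
    """Return {host: [failed checks]} for managed hosts that drift from the baseline."""
    findings = {}
    for host, p in managed.items():
        failed = []
        if p["os_build"] < baseline["min_os_build"]:
            failed.append("os_build_below_minimum")
        if baseline["disk_encrypted"] and not p["disk_encrypted"]:
            failed.append("disk_not_encrypted")
        if baseline["firewall"] and not p["firewall"]:
            failed.append("firewall_disabled")
        if tuple(int(x) for x in p["agent"].split(".")) < baseline["min_agent"]:
            failed.append("agent_outdated")
        if failed:
            findings[host] = failed
    return findings

if __name__ == "__main__":
    matched, unmanaged, blind_spot = reconcile(DISCOVERED, MANAGED)
    print(f"managed: {matched}")
    print(f"unmanaged ({blind_spot:.0%} blind spot): {unmanaged}")
    print(f"posture drift: {posture_findings(MANAGED)}")
```

The blind-spot ratio is the same figure quoted above (30% of initially discovered endpoints); on the constructed sample it comes out at 40%. The MAC normalisation is the step most home-grown reconciliations get wrong, since switches, DHCP servers and agents rarely agree on a notation.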
Tip 8: Cultivate continuous detection and response
A key end goal of many NGES solutions is supporting continuous device state monitoring to enable effective threat or incident response. SANS Critical Security Control 19 recommends robust incident response and management as a best practice.
Look for NGES solutions that provide all-the-time, continuous threat detection that leverages a network of global threat intelligence and multiple detection techniques (e.g., signature, behavioral, machine learning, etc.). And look for incident response solutions that help prioritize identified threats and/or issues and provide workflow with contextual system, application, user, and network data. This can help automate the appropriate response or next steps. Finally, understand all the response actions each solution supports, and look for a solution that provides remote access that is as close as possible to “sitting at the endpoint keyboard”.
Tip 9: Consider forensics data collection
In addition to incident response, organizations should be prepared to address the need for forensic or historical data analysis. SANS Critical Security Control 6 recommends the maintenance, monitoring and analysis of all audit logs. Forensic analysis can take many forms, but a foundation of historical endpoint monitoring data will be key to any investigation. So look for solutions that retain historical data that supports forensic tasks such as:
– Tracing lateral threat movement through the network over time,
– Identifying data exfiltration attempts,
– Identifying the source of breaches, and
– Identifying the appropriate remediation actions.
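As an added example of what retained network connection data buys an investigator (not Ziften’s code; the hosts, users, timestamps and addresses are constructed, and 203.0.113.0/24 is a documentation range standing in for the internet), the script below walks time-ordered admin-protocol hops outward from a suspected patient zero and flags unusually large transfers to external addresses, covering the first two forensic tasks in the list.

```python
"""Trace lateral movement and flag exfiltration from retained endpoint telemetry.

Added example, not Ziften's code. Records, host names, users and addresses are
constructed; the network ranges and port list are assumptions a real
investigation would take from the organization's own inventory.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed per-host connection records of the "network connection data"
# kind: (timestamp, source host, user, destination ip, destination port, bytes sent)
EVENTS = [
    ("2024-05-01T09:02:00", "WS-17", "jdoe", "10.0.0.50", 445, 4096),                 # WS-17 -> FS-01 (SMB)
    ("2024-05-01T09:10:00", "FS-01", "svc_backup", "10.0.0.9", 3389, 20480),          # FS-01 -> DC-01 (RDP)
    ("2024-05-01T09:40:00", "DC-01", "svc_backup", "203.0.113.7", 443, 850_000_000),  # large outbound transfer
    ("2024-05-01T08:00:00", "DC-01", "svc_backup", "10.0.0.50", 445, 1024),           # earlier than the chain reached DC-01
    ("2024-05-01T09:15:00", "WS-03", "asmith", "10.0.0.50", 445, 2048),               # unrelated user
]
HOST_BY_IP = {"10.0.0.17": "WS-17", "10.0.0.50": "FS-01", "10.0.0.9": "DC-01"}  # constructed asset map
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
LATERAL_PORTS = {22, 135, 445, 3389, 5985, 5986}   # SSH, RPC, SMB, RDP, WinRM

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def lateral_edges(events):
    """Index internal admin-protocol connections: src host -> [(time, dst host, user, port)], time-sorted."""
    edges = defaultdict(list)
    for ts, src, user, dst_ip, port, _ in events:
        if port in LATERAL_PORTS and is_internal(dst_ip):
            edges[src].append((datetime.fromisoformat(ts), HOST_BY_IP.get(dst_ip, dst_ip), user, port))
    for hops in edges.values():
        hops.sort()
    return edges

def trace(events, patient_zero, window=timedelta(hours=24)):
    """Return every maximal time-ordered hop chain starting at patient_zero.

    A hop B->C is followed only if it happened after the hop that reached B
    (and within `window` of it), so DC-01's 08:00 connection is not attached
    to a chain that only reached DC-01 at 09:10. Each chain element is
    (host, time reached, user on the hop, port on the hop).
    """
    edges = lateral_edges(events)
    chains = []

    def walk(host, reached_at, path):
        extended = False
        for t, dst, user, port in edges.get(host, []):
            in_order = reached_at is None or reached_at < t <= reached_at + window
            if in_order and dst not in {h for h, *_ in path}:
                extended = True
                walk(dst, t, path + [(dst, t.isoformat(), user, port)])
        if not extended and len(path) > 1:
            chains.append(path)

    walk(patient_zero, None, [(patient_zero, None, None, None)])
    return chains

def exfil_candidates(events, threshold_bytes=100_000_000):
    """Flag single connections that pushed at least threshold_bytes to an external address."""
    return [(src, dst_ip, sent) for _, src, _, dst_ip, _, sent in events
            if not is_internal(dst_ip) and sent >= threshold_bytes]

if __name__ == "__main__":
    for chain in trace(EVENTS, "WS-17"):
        print(" -> ".join(f"{h} ({u}:{p})" if u else h for h, _, u, p in chain))
    print(exfil_candidates(EVENTS))
```

The ordering constraint is the whole point of retaining history: without timestamps from every hop, a host-to-host graph shows that DC-01 and FS-01 have talked, but not which direction the attacker travelled or that the big outbound transfer came after the chain reached the domain controller.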
Tip 10: Tear down the walls
IBM’s security group, which supports an excellent ecosystem of security partners, estimates that the average enterprise has 135 security tools in place and is working with 40 security vendors. IBM’s customers certainly skew toward large enterprises, but it is a common refrain (complaint) from organizations of all sizes that security solutions do not integrate well enough.
And the complaint is not just that security products do not play well with other security products, but also that they do not always integrate well with systems management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations need to consider these (and other) integration points, as well as the vendor’s willingness to share raw data, not just metadata, through an API.
Bonus Tip 11: Plan for customization
Here is a bonus tip. Assume that you will want to customize that shiny new NGES solution soon after you get it. No solution will meet all of your requirements right out of the box, in its default configuration. Find out how the solution supports:
– Custom data collection,
– Alerting and reporting on custom data,
– Custom scripting, or
– IFTTT (if this then that) functionality.
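The following added example (not Ziften’s product or code; the events, hashes, rules and actions are all constructed) shows the shape of the if-this-then-that layer that Tips 8 and 11 describe: a signature rule, a behavioral rule and an operator-written custom rule evaluated over the same process and network events, with alerts ranked by severity and collapsed into one response action per host.

```python
"""Minimal if-this-then-that rule engine over endpoint telemetry.

Added example, not Ziften's product. Event fields, hashes, rules, severities
and action names are constructed to show how signature, behavioural and
site-specific custom rules can share one evaluation path and drive a response.
"""
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample of what continuous collection would hand the engine.
EVENTS = [
    {"type": "process", "host": "WS-17", "user": "jdoe", "parent": "WINWORD.EXE",
     "image": "powershell.exe", "sha256": "a" * 64, "cmdline": "powershell -enc SQBFAFgA..."},
    {"type": "process", "host": "WS-03", "user": "asmith", "parent": "explorer.exe",
     "image": "notepad.exe", "sha256": "b" * 64, "cmdline": "notepad.exe"},
    {"type": "process", "host": "SRV-02", "user": "svc_backup", "parent": "cmd.exe",
     "image": "updater.exe", "sha256": "c" * 64, "cmdline": "updater.exe /silent"},
    {"type": "network", "host": "WS-17", "user": "jdoe", "process": "powershell.exe",
     "dst": "203.0.113.7", "dport": 443},
]

KNOWN_BAD_SHA256 = {"c" * 64}   # constructed stand-in for a threat-intelligence feed entry
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

@dataclass
class Rule:
    name: str
    technique: str                  # "signature", "behavioral" or "custom"
    severity: int                   # 1 (low) .. 10 (critical)
    when: Callable[[dict], bool]    # the "if this"
    then: str                       # the "then that": an action name

@dataclass
class Alert:
    rule: str
    technique: str
    severity: int
    action: str
    context: dict = field(default_factory=dict)

RULES = [
    Rule("known-bad-hash", "signature", 9,
         lambda e: e["type"] == "process" and e["sha256"] in KNOWN_BAD_SHA256,
         "isolate_host"),
    Rule("office-spawns-shell", "behavioral", 7,
         lambda e: e["type"] == "process" and e["parent"].upper() in OFFICE_APPS
                   and e["image"].lower() in SHELLS,
         "open_ticket"),
    # A site-specific rule an operator added after deployment: encoded PowerShell.
    Rule("encoded-powershell", "custom", 6,
         lambda e: e["type"] == "process" and e["image"].lower() == "powershell.exe"
                   and " -enc" in e["cmdline"].lower(),
         "open_ticket"),
]

def evaluate(events, rules=RULES):
    """Run every rule over every event; return alerts with host/user context, highest severity first."""
    alerts = []
    for e in events:
        for r in rules:
            if r.when(e):
                ctx = {k: e[k] for k in ("host", "user") if k in e}
                ctx["event"] = e
                alerts.append(Alert(r.name, r.technique, r.severity, r.then, ctx))
    return sorted(alerts, key=lambda a: -a.severity)

def actions_by_host(alerts):
    """Collapse alerts into the single strongest action per host (the 'then that' to dispatch)."""
    rank = {"isolate_host": 2, "open_ticket": 1}
    out = {}
    for a in alerts:
        host = a.context["host"]
        if host not in out or rank[a.action] > rank[out[host]]:
            out[host] = a.action
    return out

if __name__ == "__main__":
    found = evaluate(EVENTS)
    for a in found:
        print(f"[{a.severity}] {a.rule} ({a.technique}) on {a.context['host']} as {a.context['user']} -> {a.action}")
    print(actions_by_host(found))
```

The custom rule is the one to look at when evaluating a product: it needs a field (the command line) that has to be collected in the first place, a place to express the condition, and a hook to attach an action, which are exactly the four items in the list above.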
You know you will want new paint or new wheels on that NGES solution soon, so make sure it will support your future customization projects easily enough.
Look for support for simple customizations in your NGES solution
Follow most of these tips and you will undoubtedly avoid many of the common pitfalls that plague others in their evaluations of NGES solutions.