Written by Roark Pollock and presented by Chuck Leaver, CEO, Ziften
The End Point Security Buyer’s Guide
The most common point for a sophisticated persistent attack or a breach is the endpoint. Endpoints are also definitely the entry point for many ransomware and social engineering attacks. Using endpoint security products has long been considered a best practice for securing endpoints. Unfortunately, those tools aren’t keeping up with today’s threat environment. Advanced threats, and truth be told, even less advanced threats, are often more than adequate for tricking the average employee into clicking something they shouldn’t. So organizations are looking at and evaluating a wide range of next-generation endpoint security (NGES) solutions.
With that in mind, here are ten tips to consider if you’re looking at NGES solutions.
Tip 1: Start with the end in mind
Do not let the tail wag the dog. A risk reduction strategy should always start by assessing problems and then looking for potential fixes for those problems. But all too often we get enamored with a “shiny” new technology (e.g., the latest silver bullet) and end up trying to shoehorn that technology into our environments without fully evaluating whether it solves an understood and identified problem. So what problems are you trying to solve?
– Is your existing endpoint protection tool failing to stop threats?
– Do you need better visibility into activities at the endpoint?
– Are compliance requirements mandating continuous endpoint monitoring?
– Are you trying to reduce the time and cost of incident response?
Define the problems to solve, and then you’ll have a yardstick for success.
Tip 2: Understand your audience. Who will be using the tool?
Understanding the problem that needs to be solved is a key first step in understanding who owns the problem and who would (operationally) own the solution. Every operational team has its strengths, weaknesses, preferences and biases. Define who will need to use the solution, and others who might benefit from its use. Maybe it’s:
– Security team,
– IT team,
– The governance, risk and compliance (GRC) team,
– Helpdesk or end user support team,
– Or even the server team, or a cloud operations team?
Tip 3: Know exactly what you mean by endpoint
Another often overlooked early step in defining the problem is defining the endpoint. Yes, we all used to know what we meant when we said endpoint, but today endpoints come in many more varieties than before.
Sure, we want to secure desktops and laptops, but how about mobile devices (e.g. smartphones and tablets), virtual endpoints, cloud-based endpoints, or Internet of Things (IoT) devices? And how about your servers? All of these devices, of course, come in multiple flavors, so platform support has to be addressed as well (e.g. Windows only, Mac OSX, Linux, etc.). Also, consider support for endpoints even when they are working remotely or offline. What are your requirements and what are “nice to haves”?
Tip 4: Start with a foundation of always-on visibility
Continuous visibility is a foundational capability for addressing a host of security and operational management problems on the endpoint. The old saying is true: you can’t manage what you can’t see or measure. Further, you can’t secure what you can’t properly manage. So it has to start with continuous or always-on visibility.
Visibility is foundational to Security and Management
And think about what visibility means. Enterprises need a single source of truth that at a minimum tracks, stores, and analyzes the following:
– System data – events, logs, hardware state, and file system details
– User data – activity logs and behavior patterns
– Application data – characteristics of installed apps and usage patterns
– Binary data – attributes of installed binaries
– Process data – tracking information and statistics
– Network connection data – statistics and internal behavior of network activity on the host
Tip 5: Keep an eye on your visibility data
Endpoint visibility data can be stored and analyzed on premises, in the cloud, or in some combination of both. There are benefits to each. The appropriate approach varies, but is usually driven by regulatory requirements, internal privacy policies, the endpoints being monitored, and overall cost considerations.
Know if your organization requires on-premises data retention
Know whether your organization allows cloud-based data retention and analysis or if you are constrained to on-premises solutions only. Within Ziften, 20-30% of our customers keep data on premises solely for regulatory reasons. However, if legally an option, the cloud can offer cost advantages (among others).
Tip 6: Know exactly what is on your network
Understanding the problem you are trying to solve requires understanding the assets on the network. We find that as many as 30% of the endpoints we initially discover on customers’ networks are unmanaged or unknown devices. This obviously creates a huge blind spot. Minimizing this blind spot is a critical best practice. In fact, SANS Critical Security Controls 1 and 2 are to perform an inventory of authorized and unauthorized devices and software connected to your network. So look for NGES solutions that can fingerprint all connected devices, track software inventory and utilization, and perform ongoing continuous discovery.
Tip 7: Know where you are exposed
After determining what devices you need to monitor, you need to make sure they are running in up-to-date configurations. SANS Critical Security Control 3 recommends ensuring secure configuration monitoring for laptops, workstations, and servers. SANS Critical Security Control 4 recommends enabling continuous vulnerability assessment and remediation of these devices. So, look for NGES solutions that provide always-on monitoring of the state or posture of each device; it’s even better if the solution can help enforce that posture.
Also look for solutions that deliver continuous vulnerability assessment and remediation.
Keeping your overall endpoint environment hardened and free of critical vulnerabilities prevents a huge number of security issues and removes a lot of back-end work for the IT and security operations teams.
Tip 8: Cultivate continuous detection and response
An important end goal for many NGES solutions is supporting continuous device state monitoring, to enable effective threat or incident response. SANS Critical Security Control 19 recommends robust incident response and management as a best practice.
Look for NGES solutions that provide always-on or continuous threat detection that leverages a network of global threat intelligence and multiple detection techniques (e.g., signature, behavioral, machine learning, etc.). And look for incident response solutions that help prioritize identified threats and/or issues and provide workflow with contextual system, application, user, and network data. This can help automate the appropriate response or next steps. Finally, understand all the response actions that each solution supports, and look for a solution that provides remote access that is as close as possible to “sitting at the endpoint keyboard”.
Tip 9: Consider forensics data collection
In addition to incident response, organizations need to be prepared to address the need for forensic or historical data analysis. SANS Critical Security Control 6 recommends the maintenance, monitoring and analysis of all audit logs. Forensic analysis can take many forms, but a foundation of historical endpoint monitoring data will be key to any investigation. So look for solutions that maintain historical data that allows:
– Forensic tasks such as tracing lateral threat movement through the network over time,
– Pinpointing data exfiltration attempts,
– Determining root cause of breaches, and
– Determining appropriate remediation actions.
Tip 10: Tear down the walls
IBM’s security team, which supports an impressive ecosystem of security partners, estimates that the average enterprise has 135 security tools in place and is working with 40 security vendors. IBM customers certainly skew toward large enterprises, but it’s a common refrain (complaint) from organizations of all sizes that security products don’t integrate well.
And the complaint is not just that security solutions don’t play well with other security products, but also that they don’t always integrate well with system management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations need to consider these (and other) integration points, as well as the vendor’s willingness to share raw data, not just metadata, through an API.
Bonus Tip 11: Plan for customizations
Here’s a bonus tip. Assume that you’ll want to customize that shiny new NGES solution shortly after you get it. No solution will meet all of your needs right out of the box, in default configurations. Find out how the solution supports:
– Custom data collection,
– Alerting and reporting with custom data,
– Custom scripting, or
– IFTTT (if this then that) functionality.
You know you’ll want new paint or new wheels on that NGES solution soon, so make sure it will support your future customization projects easily enough.
Look for support for easy customizations in your NGES solution
Follow the bulk of these tips and you’ll undoubtedly avoid many of the common pitfalls that plague others in their evaluations of NGES solutions.