Endpoint security

Endpoint security as a category may sound the same as it always has but it definitely is not. First, there is the concept of next-generation endpoint security versus traditional approaches. Second, there is the use of the cloud. Additionally, there is the increased emphasis on malware to the extent that some very competent products address nothing else. 

Finally, we saw a most interesting approach to endpoint security. This approach is heavily forensic in nature. In fact, one might think of it as DFIR [digital forensics, incident response] for the endpoint. That makes sense since a breach at an endpoint might be significantly obfuscated so that traditional techniques won't be able to find the necessary evidence.

We can start with the traditional approach to endpoint security. In this approach each endpoint has an agent that reports various activities depending on what the administrator configures it for. Typical functions include DLP, anti-malware and, perhaps, a firewall and IDS/IPS at the endpoint. In years past, these were a bit cumbersome. The agents were rather large and affected the endpoint's performance. Not so today. Agents are slim and they gather a huge amount of data. There are real advantages to this "old school" approach to securing the endpoint. There is a breadth and depth possible that may not be available in other approaches. Additionally, these products have greater DLP coverage of physical devices. For example, thumb drives and CDs or DVDs are easy for this type of endpoint security product.

The cloud products, or "next-generation" endpoint security products, focus heavily on malware. Even so, they do a very good job of DLP, which is a major objective for endpoint security. These are extremely effective for what they are. Would we use one exclusively as our endpoint protection? That depends on how we want to deploy our enterprise. If, for example, a large part of our workforce is mobile, this is an excellent application of the next-generation approach.

We may still have the issue of such things as thumb drives and CDs/DVDs, of course, and even that is covered, to some extent, by next-generation tools. If our users are on laptops, the approach works well given the threat of loss or theft of the computer itself. If we extend the cloud tools to mobile devices - tablets, smartphones, etc. - we have even more protection because we can add such functions as remote wipe.

Now to the odd tool in the lot. Odd only because it's the only one of its type in this group and probably anywhere. This is the endpoint security tool that takes a forensic approach to endpoint security. We liked this because it takes the position that once you have an exfiltration problem, the best way to meet the emergency is forensically. That's a very interesting approach and it has a lot to recommend it.

So, here's the point: You have a lot of choices. This is better than in years past when all you could do was put a big agent on every machine and look at every action of the user or intruder. Today, you really can create a custom endpoint security environment by mixing more than one of these products to get customized coverage depending on your particular enterprise and users. Remember that at the end of the day the objective is to avoid data exfiltration. So, really, endpoint security comes down to two things: anti-malware and DLP. Of the two, it's hard to pick out the more important challenge. A lot depends on your particular architecture and the way your users employ their devices - not forgetting that there may be multiple devices per person, especially if you allow BYOD.

We were impressed by the next-generation tools. But the traditional tools are excellent for a lot of applications. And the forensic approach is intriguing. In the hands of an experienced engineer it would be very tough to beat. The bottom line is that there are a lot of devices and, along with that, a lot of types of devices. Any or all could have sensitive information on them. You need a strategy for preventing data loss. So, unlike a few years ago, you can match the technique to your environment.

Will the enterprise ever be borderless? We think that it's likely. And that will place a heavy burden on the endpoints. So, for most organizations, a mix of two or more types of endpoint tools is the right way to go.

Specifications for endpoint security tools

Products reviewed: Cylance, DeviceLock, ESET, Guidance Software, Invincea, Pulse Secure, Raytheon, SentinelOne, ThreatTrack, Trend Micro.

Criteria compared (yes/no unless noted): SaaS (S), on-prem (O) or both (B); DLP; physical devices (one entry noted as "works with a gateway"); anti-malware (one entry noted as "partial"); protects against social engineering; reputation checking; encryption; supports Active Directory; mobile device support (Android=A, iOS=I, None=N; one entry noted as "partial"); endpoint devices supported (codes M, W, L, O; one entry also lists "virtual"); self-provision (one entry noted as "partial").

[Table: the per-product yes/no marks and the column-to-product alignment are not recoverable from the extracted page.]
