GroupTest: Endpoint security

Recently a colleague told me of an organization that was abandoning its tape back-up system and was distributing USB drives instead. My initial thought was of the first lost USB drive with Social Security numbers, credit card numbers or other personal information. My mind immediately jumped to encrypting the USB drives. Encryption alone was not the answer. The data held on these drives was at risk, even when attached to an endpoint device. This data would need to be protected by improved virus and spyware protection, new variant detection, anti-rootkit security, malware and remnant removal, plus firewall security. But on further reflection, I began to think about all the places where data is stored today and how few security measures were taken to protect this data where it resides most frequently: the end-user's machine and devices.

In this group review, we focused on endpoint security -- the security for the machines and devices that are all too often lost, stolen or hacked into. There were three major categories of endpoint device protection: the network protection type, which includes firewall, anti-virus, encryption and VPN technologies or some combination thereof; the device protection type, which prevents sensitive data from being transferred to external devices, such as drives and iPods; and the data leakage type, which protects the endpoint by verifying which applications running on the endpoint are legitimate.

These solutions help to eliminate the legal liability, customer service costs and other ramifications of data breach disclosures through extensive monitoring and reporting of data, not just at rest, but in transit as well. Endpoint security solutions should help enterprises meet regulatory compliance requirements for data security and, in some cases, should provide assurance that data leakage did not actually occur.

Recent statistics say 70 percent of IT security breaches originate from within the enterprise. Thus, enterprises today are making internal security, especially internal access to network resources, their highest priority, even above gateway solutions, like AV and firewalls.

Today's greatest enterprise security challenge is providing access to key information without exposing it to risk, and trusting internal users while retaining enough control over their actions to verify their reliability. It's simply too easy to connect a smart phone, MP3 player, digital camera or memory stick, and walk away with sensitive or confidential material. While it is difficult enough to control which devices are walking into or out of your organization, there still remains the risk of a port being used to gather information as well. Ports aren't just USB and FireWire, but also PCMCIA, Bluetooth, IrDA and WiFi. And these are just the laptop devices. Today's printers often have internal hard drives measuring in the gigabytes, and often these printers have wireless connections and USB ports.

Security professionals are often asked whether they can answer the following questions: Do you know what is connected to your end-users' laptops? Can you identify these devices as legitimate or rogue? Are the users at the endpoint permitted, or are they trespassing? Are you equipped to locate the security breach and identify the intruder?

Of course, any new security protection needs to be compatible with the existing infrastructure. It needs to be easy enough for the overburdened IT staff to manage, and able to generate reports for management, auditors and perhaps the police. It must also be easy to install across the entire enterprise, easy to keep up-to-date, and must securely log all access. Plus, it has to alert the security staff when a breach occurs and be effective against evolving threats.

How we tested
In almost every case, the software package only supported Windows-based platforms, Windows 2000 and newer. BigFix was a notable exception in that it supported clients besides the standard Microsoft clients. We chose Windows XP as the client on which to test the configuration. Almost every offering was tiered, with a control server required. To meet the needs of the management end, we used a Windows 2003 server. In most cases only one server was needed, but some products required a second. We did all testing inside a virtual environment. Testing was done a number of different ways depending on the class of security offering under test. We tested using everything from a small USB drive up to our libraries of rootkits, botnets and other malicious software.
