Over the years, threats have evolved from simple attacks to very advanced threats that can cripple an organization and hide their tracks. As the attacks have evolved, so have our protection needs. We have gone from a single point of protection on mainframes and Unix servers to a large number of endpoints across many networks. We went from Layer 3 security appliances protecting the entire network from the outside to placing more importance on the endpoints themselves. We’ve seen this grow from antivirus solutions to tools that use machine learning and provide in-depth threat hunting capabilities.
In this year’s look at endpoint security tools, the SC Labs team saw these tools continue to evolve. We are noticing more and more solutions moving to cloud management systems and deprecating the once-standard on-prem server. While this transition seems to be the direction most vendors are going, we do lose out on supporting legacy systems that are off network or on air-gapped segments. While this may not be a big deal for all organizations, it does present some obstacles for those looking to update to the newer technologies.
One main benefit of the cloud solutions is that they can share information quickly across all end users, as the cloud dashboards are all connected to a threat intelligence engine inside the vendor’s private cloud environment. This allows users of the system to be aware of attacks that are found by other users of these toolsets.
Protecting the endpoint is only one side of the coin here; what happens when something gets through? Almost all the solutions we looked at have some sort of endpoint detection and response (EDR) capability to help understand how the attack got in, what it did once it was in and where it spread. These tools are becoming more and more necessary as the advanced malware variants continue to multiply.
Another standout feature we are starting to see is remediation; it is one thing for a solution to tell you something got through your defenses, but organizations need to know how to get rid of it. We’ve seen this included in a few toolsets, and it is a differentiator in this space. It may not be a big deal to remove a few files or kill a few processes when you have a hundred endpoints, but what about a thousand or more? The implementation of real-time response makes threat mitigation straightforward, since you can connect to a command-line interface on the endpoint to kill processes and remove files. This is a huge help in remediating machines that are not at your physical location.
The typical endpoint rollout is something that needs to be planned and staged, and these next-gen tools are no different. While they do provide a “monitor-only” mode, you will still need to roll them out gradually and build policies to protect your organization. This is no small feat, and as the process differs for every vendor, SC Labs recommends looking into deployment services from the provider.
So where do we go next? Are we looking for self-healing technologies in this space or are we looking for the next generation of these tools to bring in DLP and other endpoint staples to their offering to give us complete control in one central tool? While I don’t have those answers, what I can say is these tools have come leaps and bounds from where we were in the mid-90s when I started doing desk-side support.
PICK OF THE LITTER
This month we looked at some leading Endpoint Protection solutions and saw some technologies moving in new directions that will continue to change and evolve this space. CrowdStrike Falcon continues to amaze us here at SC Labs. This tool looks polished and very well put together. With the updates to Falcon X and Falcon Insight, this tool has it all. The addition of the real-time response makes it the SC Labs Best Buy product. Cybereason’s Deep Hunting Platform is another powerful tool with a lot of promise. Their EDR component is very detailed and one of the best we’ve seen, making it SC Labs Recommended.