Written by Roark Pollock and presented by Chuck Leaver, CEO of Ziften
The Endpoint Security Purchaser’s Guide
The endpoint is the most common entry point for an advanced persistent attack or a breach, and it is certainly the entry point for most ransomware and social engineering attacks. Using endpoint security products has long been considered a best practice for protecting endpoints. Unfortunately, those tools are not keeping up with today’s threat environment. Advanced threats, and truthfully even less advanced threats, are usually more than enough to fool the average employee into clicking something they should not. So organizations are looking at and evaluating a wide range of next generation endpoint security (NGES) solutions.
With that in mind, here are 10 tips to consider if you’re looking at NGES solutions.
Tip 1: Start with the end in mind
Do not let the tail wag the dog. A threat reduction strategy should always start by assessing problems and then looking for possible solutions to those problems. But all too often we become enamored with a “shiny” new technology (i.e., the latest silver bullet) and end up trying to shoehorn that technology into our environments without fully examining whether it solves a known and defined problem. So what problems are you trying to solve?
– Is your current endpoint protection tool failing to stop threats?
– Do you need better visibility into activity at the endpoint?
– Are compliance requirements dictating continuous endpoint monitoring?
– Are you trying to reduce the time and cost of incident response?
Define the problems to address, and then you will have a yardstick for success.
Tip 2: Understand your audience. Who will be using the tool?
Understanding the problem that has to be solved is an essential first step in understanding who owns the problem and who would (operationally) own the solution. Every functional group has its strengths, weaknesses, preferences and biases. Define who will need to use the solution, and who else could benefit from its use. It could be:
– The security team,
– The IT group,
– The governance, risk and compliance (GRC) group,
– The help desk or end user support group,
– Or even the server group or a cloud operations team.
Tip 3: Know what you mean by endpoint
Another often neglected early step in defining the problem is defining the endpoint. Yes, we all used to know what we meant when we said endpoint, but today endpoints come in many more varieties than before.
Sure, we want to protect desktops and laptops, but what about mobile devices (e.g. smartphones and tablets), virtual endpoints, cloud based endpoints, or Internet of Things (IoT) devices? And what about your servers? All of these devices, of course, come in numerous flavors, so platform support needs to be addressed too (e.g. Windows only, Mac OS X, Linux, etc.). Also, consider support for endpoints even when they are working remotely or offline. What are your requirements and what are “nice to haves”?
Tip 4: Start with a foundation of always-on visibility
Continuous visibility is a fundamental capability for addressing a host of security and operational management problems on the endpoint. The old saying is true: you cannot manage what you cannot see or measure. Further, you cannot secure what you cannot properly manage. So it must start with continuous or always-on visibility.
Visibility is foundational to management and security
And think about what visibility means. Enterprises need one source of truth that at a minimum monitors, stores, and analyzes the following:
– System data: events, logs, hardware state, and file system details
– User data: activity logs and behavior patterns
– Application data: attributes of installed apps and usage patterns
– Binary data: attributes of installed binaries
– Process data: tracking information and statistics
– Network connection data: statistics and internal behavior of network activity on the host
Tip 5: Store your visibility data
Endpoint visibility data can be stored and analyzed on premises, in the cloud, or in some combination of both. There are benefits to each. The right approach varies, but is usually dictated by regulatory requirements, internal privacy policies, the endpoints being monitored, and overall cost considerations.
Know whether your organization requires on-premises data retention
Know whether your company allows cloud based data retention and analysis or whether you are constrained to on-premises solutions only. Within Ziften, 20-30% of our clients keep data on premises just for regulatory reasons. However, if legally an option, the cloud can offer cost advantages (among others).
Tip 6: Know what is on your network
Understanding the problem you are trying to solve requires understanding the assets on the network. We have found that as much as 30% of the endpoints we first find on customers’ networks are unmanaged or unidentified devices. This obviously creates a big blind spot. Reducing this blind spot is a critical best practice. In fact, SANS Critical Security Controls 1 and 2 are to perform an inventory of authorized and unauthorized devices and software connected to your network. So look for NGES solutions that can fingerprint all connected devices, track software inventory and utilization, and perform ongoing continuous discovery.
Tip 7: Know where you are vulnerable
After determining which devices you need to monitor, you need to make sure they are running up to date configurations. SANS Critical Security Control 3 recommends ensuring secure configuration monitoring for laptops, workstations, and servers. SANS Critical Security Control 4 recommends enabling continuous vulnerability assessment and remediation of these devices. So, look for NGES solutions that provide continuous monitoring of the state or posture of each device, and it is even better if the solution can help enforce that posture.
Also look for solutions that provide continuous vulnerability assessment and remediation.
Keeping your overall endpoint environment hardened and free of critical vulnerabilities prevents a huge number of security problems and removes a great deal of back end pressure on the IT and security operations teams.
Tip 8: Cultivate continuous detection and response
A key end goal for many NGES solutions is supporting continuous device state monitoring, to enable effective threat or incident response. SANS Critical Security Control 19 recommends robust incident response and management as a best practice.
Look for NGES solutions that provide always-on or continuous threat detection, which leverages a network of global threat intelligence and multiple detection methods (e.g., signature, behavioral, machine learning, etc.). And look for incident response solutions that help prioritize detected threats and/or issues and provide workflow with contextual system, application, user, and network data. This can help automate the appropriate response or next steps. Finally, understand all of the response actions that each solution supports, and look for a solution that offers remote access that is as close as possible to “sitting at the endpoint keyboard”.
Tip 9: Consider forensics data gathering
In addition to incident response, organizations must be prepared to address the need for forensic or historical data analysis. SANS Critical Security Control 6 recommends the maintenance, monitoring and analysis of all audit logs. Forensic analysis can take many forms, but a foundation of historical endpoint monitoring data will be essential to any investigation. So look for solutions that preserve historical data that enables:
– Forensic tasks such as tracing lateral threat movement through the network over time,
– Pinpointing data exfiltration attempts,
– Determining the origin of breaches, and
– Identifying appropriate remediation actions.
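As an added example (not Ziften’s code or anything from the original post) of what “tracing lateral threat movement through the network over time” needs from retained endpoint data, the Python below replays constructed host-to-host connection records forward in time from one known-compromised host; the record format, hostnames, users, process names and times are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Conn:
    """One host-to-host network connection record from endpoint telemetry (assumed format)."""
    ts: datetime
    src: str
    dst: str
    user: str
    proc: str

def _t(hhmm: str) -> datetime:
    return datetime(2024, 3, 5, int(hhmm[:2]), int(hhmm[3:]))

# Constructed sample records (hostnames, users, processes and times are invented).
RECORDS = [
    Conn(_t("08:30"), "WS-042", "FILESRV-01", "bob", "explorer.exe"),         # unrelated host
    Conn(_t("08:50"), "WS-017", "DC-01", "alice", "outlook.exe"),             # before compromise
    Conn(_t("09:12"), "WS-017", "WS-023", "alice", "powershell.exe"),         # hop 1
    Conn(_t("09:15"), "WS-023", "WS-017", "alice", "svchost.exe"),            # back to known host
    Conn(_t("09:40"), "WS-023", "FILESRV-01", "alice", "cmd.exe"),            # hop 2
    Conn(_t("10:05"), "FILESRV-01", "DC-01", "svc_backup", "wmiprvse.exe"),   # hop 3
    Conn(_t("11:00"), "WS-099", "WS-100", "carol", "chrome.exe"),             # unrelated host
]

def trace_lateral_movement(records, start_host, start_time, window=timedelta(hours=24)):
    """Replay retained connection records in time order from a known-compromised host.
    A host counts as reached the first time a connection arrives from an already-reached
    host, at or after that host's own reach time and within `window` of it."""
    reached = {start_host: start_time}
    hops = []
    for r in sorted(records, key=lambda c: c.ts):
        if r.src not in reached or r.dst in reached:
            continue
        if r.ts < reached[r.src] or r.ts - reached[r.src] > window:
            continue
        reached[r.dst] = r.ts
        hops.append(r)
    return hops

def reached_hosts(hops):
    """Ordered list of hosts reached, for a quick summary of the chain."""
    return [h.dst for h in hops]

if __name__ == "__main__":
    for h in trace_lateral_movement(RECORDS, "WS-017", _t("09:00")):
        print(f"{h.ts:%H:%M} {h.src} -> {h.dst} ({h.user}, {h.proc})")
```

Connections that predate a host's compromise time, or that return to a host already in the chain, are ignored, which is why retention must cover the full timeline rather than only the latest state.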
Tip 10: Tear down the walls
IBM’s security team, which supports a remarkable ecosystem of security partners, estimates that the average business has 135 security tools in place and is working with 40 security vendors. IBM customers certainly skew to large enterprises, but it is a common refrain (complaint) from organizations of all sizes that security solutions do not integrate well enough.
And the complaint is not just that security solutions do not play well with other security products, but also that they do not always integrate well with system management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations need to consider these (and other) integration points along with the vendor’s willingness to share raw data, not just metadata, through an API.
Bonus Tip 11: Prepare for customizations
Here is a bonus tip. Assume that you will want to customize that shiny new NGES solution shortly after you get it. No solution will meet all of your needs right out of the box, in default configurations. Find out how the solution supports:
– Custom data collection,
– Alerting and reporting with custom data,
– Custom scripting, or
– IFTTT (if this then that) functionality.
You know you will want new paint or new wheels on that NGES solution soon, so make sure it will support your future customization projects easily enough.
Look for support for easy customization in your NGES solution
Follow most of these tips and you will certainly avoid many of the common mistakes that plague others in their evaluations of NGES solutions.