Written By Roark Pollock And Presented By Charles Leaver CEO Ziften
The Endpoint Security Buyer’s Guide
The most typical point for a sophisticated relentless attack or a breach is the endpoint. And they are definitely the entry point for many ransomware and social engineering attacks. Making use of endpoint security products has actually long been considered a best practice for securing end points. Unfortunately, those tools aren’t staying up to date with today’s danger environment. Advanced risks, and truth be told, even less advanced risks, are typically more than appropriate for fooling the average employee into clicking something they should not. So organizations are looking at and assessing a huge selection of next-gen endpoint security (NGES) solutions.
With that in mind, here are ten tips to think about if you’re looking at NGES solutions.
Idea 1: Begin with the end first
Do not let the tail wag the dog. A danger decrease technique should always start by evaluating issues and then looking for possible solutions for those problems. However all too often we get captivated with a “glossy” brand-new technology (e.g., the most recent silver bullet) and we wind up trying to shoehorn that innovation into our environments without totally evaluating if it solves an understood and identified problem. So exactly what issues are you aiming to resolve?
– Is your current end point security tool failing to stop dangers?
– Do you require much better visibility into activities at the end point?
– Are compliance requirements dictating constant end point tracking?
– Are you trying to reduce the time and expense of incident response?
Specify the problems to resolve, and then you’ll have a measuring stick for success.
Suggestion 2: Understand your audience. Exactly who will be using the tool?
Comprehending the issue that has to be fixed is an essential first step in understanding who owns the problem and who would (operationally) own the solution. Every functional group has its strengths, weak points, choices and prejudices. Define who will need to utilize the solution, and others that could gain from its usage. Is it:
– Security group,
– IT group,
– The governance, risk and compliance (GRC) group,
– Helpdesk or end user assistance group,
– Or perhaps the server group, or a cloud operations team?
Idea 3: Know what you suggest by endpoint
Another typically overlooked early step in defining the problem is defining the endpoint. Yes, all of us used to know what we implied when we stated endpoint however today end points come in a lot more varieties than before.
Sure we want to secure desktops and laptop computers but how about mobile devices (e.g. smartphones and tablets), virtual endpoints, cloud based endpoints, or Internet of Things (IoT) devices? And how about your servers? All of these devices, obviously, can be found in several tastes so platform assistance needs to be attended to also (e.g. Windows only, Mac OSX, Linux, etc?). Likewise, consider assistance for end points even when they are working remote, or are working offline. What are your needs and exactly what are “nice to haves?”
Tip 4: Start with a structure of continuous visibility
Continuous visibility is a fundamental ability for resolving a host of security and functional management problems on the end point. The old adage is true – that you can’t manage what you cannot see or determine. Even more, you can’t secure exactly what you cannot effectively manage. So it must start with constant or all the time visibility.
Visibility is foundational to Management and Security
And think of what visibility implies. Enterprises need one source of truth that at a minimum monitors, saves, and analyzes the following:
– System data – events, logs, hardware state, and file system details
– User data – activity logs and habit patterns
– Application data – attributes of installed apps and usage patterns
– Binary data – attributes of set up binaries
– Procedures data – tracking info and stats
– Network connection data – stats and internal behavior of network activity on the host
Suggestion 5: Monitor your visibility data
End point visibility data can be kept and analyzed on the premises, in the cloud, or some mix of both. There are advantages to each. The suitable technique differs, but is typically driven by regulative requirements, internal privacy policies, the end points being monitored, and the total cost considerations.
Know if your company needs on-premise data retention
Know whether your company enables cloud based data retention and analysis or if you are constrained to on premise services only. Within Ziften, 20-30% of our clients keep data on-premise simply for regulative factors. Nevertheless, if legally an alternative, the cloud can offer cost advantages (to name a few).
Pointer 6: Know what is on your network
Understanding the problem you are attempting to solve requires comprehending the assets on the network. We have found that as many as 30% of the endpoints we at first find on customers’ networks are un-managed or unknown devices. This obviously produces a huge blind spot. Minimizing this blind spot is a vital best practice. In fact, SANS Critical Security Controls 1 and 2 are to perform an inventory of authorized and unauthorized devices and software applications attached to your network. So search for NGES solutions that can finger print all connected devices, track software stock and usage, and perform ongoing constant discovery.
Suggestion 7: Know where you are exposed
After finding out exactly what devices you need to monitor, you need to make certain they are operating in up to date setups. SANS Critical Security Controls 3 advises ensuring safe and secure configurations tracking for laptops, workstations, and servers. SANS Critical Security Controls 4 advises making it possible for continuous vulnerability evaluation and remediation of these devices. So, look for NGES services that supply constant tracking of the state or posture of each device, and it’s even of more benefit if it can help enforce that posture.
Also look for solutions that provide constant vulnerability evaluation and remediation.
Keeping your general endpoint environment solidified and free of important vulnerabilities prevents a huge quantity of security concerns and removes a great deal of backend pressure on the IT and security operations teams.
Tip 8: Cultivate constant detection and response
An essential objective for numerous NGES solutions is supporting constant device state monitoring, to allow reliable risk or incident response. SANS Critical Security Control 19 recommends robust incident response and management as a best practice.
Search for NGES solutions that provide all-the-time or continuous danger detection, which leverages a network of global risk intelligence, and multiple detection methods (e.g., signature, behavioral, machine learning, etc). And try to find incident response solutions that help prioritize determined dangers and/or issues and provide workflow with contextual system, application, user, and network data. This can help automate the proper response or next steps. Finally, understand all the response actions that each solution supports – and look for a service that supplies remote access that is as close as possible to “sitting at the endpoint keyboard”.
Pointer 9: Consider forensics data collection
In addition to event response, organizations need to be prepared to attend to the need for forensic or historical data analysis. The SANS Critical Security Control 6 suggests the upkeep, monitoring and analysis of all audit logs. Forensic analysis can take numerous types, but a structure of historic end point monitoring data will be key to any examination. So try to find solutions that maintain historical data that permits:
– Forensic tasks include tracing lateral threat movement through the network gradually,
– Determining data exfiltration efforts,
– Determining source of breaches, and
– Figuring out proper remediation actions.
Suggestion 10: Tear down the walls
IBM’s security team, which supports an outstanding ecosystem of security partners, estimates that the typical business has 135 security tools in place and is dealing with 40 security suppliers. IBM customers definitely tend to be large businesses however it’s a common refrain (complaint) from companies of all sizes that security services don’t integrate well enough.
And the complaint is not just that security services don’t play well with other security solutions, however likewise that they do not always integrate well with system management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations need to think about these (and other) integration points as well as the supplier’s willingness to share raw data, not just metadata, through an API.
Additional Pointer 11: Prepare for customizations
Here’s a bonus idea. Assume that you’ll want to customize that glossy brand-new NGES solution quickly after you get it. No solution will satisfy all of your needs right out of the box, in default setups. Find out how the solution supports:
– Custom data collection,
– Signaling and reporting with custom data,
– Custom-made scripting, or
– IFTTT (if this then that) performance.
You know you’ll want new paint or brand-new wheels on that NGES solution quickly – so ensure it will support your future customization jobs easy enough.
Look for support for easy personalizations in your NGES solution
Follow the bulk of these tips and you’ll undoubtedly prevent many of the common pitfalls that plague others in their assessments of NGES services.