Written by Roark Pollock and presented by Charles Leaver, CEO, Ziften
The Endpoint Security Purchaser’s Guide
The most common entry point for an advanced persistent attack or a breach is the endpoint, and endpoints are certainly the entry point for most ransomware and social engineering attacks. Using endpoint security products has long been considered a best practice for securing endpoints. Unfortunately, those tools are not keeping pace with today's threat environment. Advanced threats, and frankly even less sophisticated ones, are often more than adequate for tricking the average employee into clicking something they should not. So organizations are looking at and evaluating a myriad of next generation endpoint security (NGES) solutions.
With this in mind, here are ten tips to consider if you are evaluating NGES solutions.
Tip 1: Start with the end in mind
Don't let the tail wag the dog. A threat reduction strategy should always begin by assessing the problems and then looking for potential solutions to those problems. All too often, however, we get enamored with a "shiny" new technology (the latest silver bullet) and end up trying to squeeze it into our environment without fully assessing whether it solves an understood and recognized problem. So what problems are you trying to solve?
– Is your current endpoint security tool failing to stop threats?
– Do you need better visibility into activity on the endpoint?
– Are compliance requirements mandating continuous endpoint monitoring?
– Are you trying to reduce the time and cost of incident response?
Define the problems to address, and you will have a yardstick for success.
Tip 2: Know your audience. Who will be using the tool?
Understanding the problem that needs to be solved is a key first step in understanding who owns the problem and who would (operationally) own the solution. Every functional group has its strengths, weaknesses, preferences and biases. Define who will need to use the solution, and who else might benefit from its use. It could be:
– Security team,
– IT team,
– The governance, risk & compliance (GRC) group,
– Helpdesk or end user support team,
– Or even the server team or a cloud operations group.
Tip 3: Know what you mean by endpoint
Another often overlooked early step in defining the problem is defining the endpoint. Yes, we all used to know what we meant when we said endpoint, but today endpoints come in many more varieties than before.
Sure, we want to protect desktops and laptops, but what about mobile devices (smartphones and tablets), virtual endpoints, cloud based endpoints, or Internet of Things (IoT) devices? And what about your servers? All these devices, of course, come in many flavors, so platform support has to be addressed as well (Windows only, Mac OS X, Linux, etc.?). Also consider support for endpoints when they are working remotely or offline. What are your requirements, and what are the "nice to haves"?
Tip 4: Start with a foundation of continuous visibility
Continuous visibility is a foundational capability for addressing a host of security and operational management problems on the endpoint. The old adage is true: you cannot manage what you can't see or measure. Further, you cannot secure what you can't properly manage. So it has to start with continuous, all-the-time visibility.
Visibility is foundational to security and management
And think about what visibility means. Enterprises need one source of truth that, at a minimum, monitors, stores, and analyzes the following:
– System data: events, logs, hardware state, and file system information
– User data: activity logs and behavior patterns
– Application data: attributes of installed applications and usage patterns
– Binary data: attributes of installed binaries
– Process data: tracking details and data
– Network connectivity data: statistics and internal behavior of network activity on the host
Tip 5: Decide where to store your visibility data
Endpoint visibility data can be stored and analyzed on premises, in the cloud, or in some combination of both. There are advantages to each. The appropriate approach varies, but is usually dictated by regulatory requirements, internal privacy policies, the endpoints being monitored, and overall cost considerations.
Know whether your organization requires on-premise data retention
Know whether your organization allows cloud based data retention and analysis, or whether you are constrained to on-premise options only. At Ziften, 20-30% of our customers store data on premises only, for regulatory reasons. If legally an option, however, the cloud can offer cost advantages (among others).
Tip 6: Know what is on your network
Understanding the problem you are trying to solve requires understanding the assets on the network. We have found that as many as 30% of the endpoints we initially discover on customers' networks are unmanaged or unknown devices. This obviously creates a big blind spot. Reducing this blind spot is an important best practice. In fact, SANS Critical Security Controls 1 and 2 are to perform an inventory of authorized and unauthorized devices and software attached to your network. So look for NGES solutions that can fingerprint all connected devices, track software inventory and utilization, and perform ongoing, continuous discovery.
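What that reconciliation looks like in practice, as an added example (not Ziften's code or product logic): successive discovery sweeps are folded into one asset view keyed by MAC address and compared against the set of devices that have a management agent checked in. The sweeps, the managed inventory, the field names and the MAC/IP/fingerprint values are all constructed sample data.

```python
"""Reconcile continuously discovered devices against the managed-asset inventory.

Added example, not Ziften code. The discovery records and inventory below are
constructed sample data; the record layout is an assumption for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed: MAC addresses of devices with a management agent checked in
# (the "authorized" inventory, in SANS CSC 1 terms).
MANAGED_INVENTORY: Set[str] = {
    "aa:bb:cc:00:00:01",  # ws-finance-01
    "aa:bb:cc:00:00:02",  # ws-hr-07
    "aa:bb:cc:00:00:10",  # srv-file-01
}

# Constructed: three chronological discovery sweeps (ARP/DHCP/switch-table style
# observations). Each record is (sweep_time, mac, ip, os_fingerprint).
DISCOVERY_SWEEPS: List[List[Tuple[str, str, str, str]]] = [
    [("2017-03-01T09:00", "aa:bb:cc:00:00:01", "10.1.1.11", "Windows 10"),
     ("2017-03-01T09:00", "aa:bb:cc:00:00:02", "10.1.1.12", "Windows 7"),
     ("2017-03-01T09:00", "aa:bb:cc:00:00:10", "10.1.1.50", "Windows Server 2012")],
    [("2017-03-01T10:00", "aa:bb:cc:00:00:01", "10.1.1.11", "Windows 10"),
     ("2017-03-01T10:00", "aa:bb:cc:00:00:10", "10.1.1.50", "Windows Server 2012"),
     ("2017-03-01T10:00", "de:ad:be:ef:00:01", "10.1.1.77", "Linux 3.x"),      # no agent
     ("2017-03-01T10:00", "00:11:22:33:44:55", "10.1.1.99", "embedded/IoT")],  # no agent
    [("2017-03-01T11:00", "aa:bb:cc:00:00:01", "10.1.1.11", "Windows 10"),
     ("2017-03-01T11:00", "de:ad:be:ef:00:01", "10.1.1.78", "Linux 3.x"),      # new IP
     ("2017-03-01T11:00", "aa:bb:cc:00:00:02", "10.1.1.12", "Windows 7")],
]


@dataclass
class Device:
    mac: str
    first_seen: str
    last_seen: str
    fingerprint: str = ""
    managed: bool = False
    ips: Set[str] = field(default_factory=set)


def build_asset_view(sweeps, inventory) -> Dict[str, Device]:
    """Fold all sweeps into one view keyed by MAC, tagging each device as managed or not."""
    devices: Dict[str, Device] = {}
    for sweep in sweeps:
        for ts, mac, ip, fp in sweep:
            d = devices.get(mac)
            if d is None:
                d = Device(mac=mac, first_seen=ts, last_seen=ts, fingerprint=fp,
                           managed=(mac in inventory))
                devices[mac] = d
            d.last_seen = ts          # sweeps are processed in chronological order
            d.fingerprint = fp        # keep the most recent fingerprint
            d.ips.add(ip)             # DHCP churn: one device, several addresses over time
    return devices


def unmanaged_devices(devices: Dict[str, Device]) -> List[Device]:
    """The blind spot: devices seen on the wire that have no management agent."""
    return sorted((d for d in devices.values() if not d.managed),
                  key=lambda d: d.first_seen)


def blind_spot_ratio(devices: Dict[str, Device]) -> float:
    """Fraction of discovered devices that are unmanaged (0.0 to 1.0)."""
    if not devices:
        return 0.0
    return sum(1 for d in devices.values() if not d.managed) / len(devices)


if __name__ == "__main__":
    view = build_asset_view(DISCOVERY_SWEEPS, MANAGED_INVENTORY)
    for d in unmanaged_devices(view):
        print(f"UNMANAGED {d.mac} ips={sorted(d.ips)} fp={d.fingerprint!r} "
              f"first_seen={d.first_seen} last_seen={d.last_seen}")
    print(f"blind spot: {blind_spot_ratio(view):.0%} of discovered devices")
```

Keying on MAC rather than IP matters: the Linux host above changes address between sweeps and would otherwise be counted twice. In a real deployment the managed inventory comes from agent check-ins or the CMDB, and the sweeps from whatever discovery source the NGES solution provides.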
Tip 7: Know where you are vulnerable
After determining which devices you need to watch, you need to make sure they are running in up to date configurations. SANS Critical Security Control 3 recommends secure configurations for laptops, workstations, and servers. SANS Critical Security Control 4 recommends continuous vulnerability assessment and remediation of these devices. So look for NGES solutions that provide all-the-time monitoring of the state or posture of each device, and it is even more beneficial if the solution can help enforce that posture.
Also look for solutions that provide continuous vulnerability assessment and remediation.
Keeping your entire endpoint environment hardened and free of critical vulnerabilities prevents a significant number of security problems and removes a great deal of back end pressure on the IT and security operations teams.
Tip 8: Cultivate continuous detection and response
A key end goal for many NGES solutions is supporting continuous device state monitoring to enable effective threat or incident response. SANS Critical Security Control 19 recommends robust incident response and management as a best practice.
Look for NGES solutions that provide all-the-time or continuous threat detection that leverages a network of global threat intelligence and multiple detection techniques (signature, behavioral, machine learning, etc.). And look for incident response solutions that help prioritize identified threats and/or issues and provide workflow with contextual system, application, user, and network data. This can help automate the appropriate response or next steps. Finally, understand all the response actions each solution supports, and look for a solution that provides remote access that is as close as possible to "sitting at the endpoint keyboard".
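To make "multiple detection techniques" and "prioritize with context" concrete, here is an added example (not Ziften's code or detection logic): a signature check and two behavioral checks run over process-creation events, and the resulting alerts are ranked using asset criticality. The events, hashes, rules and criticality scores are constructed sample data, and the event field names are assumptions.

```python
"""Signature plus behavioral detection over endpoint process telemetry, with
context-based prioritization of the resulting alerts.

Added example, not Ziften code. Events, hashes, rules and host criticality
below are constructed sample data; the field names are assumptions.
"""
import hashlib
from typing import Dict, List

# Constructed: SHA-256 values of known-bad binaries (a stand-in for a threat feed).
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed-malicious-sample-1").hexdigest(): "Trojan.Constructed.A",
}

# Constructed: process-creation events as an endpoint agent might record them.
EVENTS: List[Dict] = [
    {"ts": "2017-03-01T09:01:00", "host": "ws-finance-01", "user": "alice",
     "parent": "explorer.exe", "image": "winword.exe", "sha256": "11" * 32,
     "cmdline": "winword.exe invoice.docm", "pid": 1200},
    {"ts": "2017-03-01T09:01:05", "host": "ws-finance-01", "user": "alice",
     "parent": "winword.exe", "image": "powershell.exe", "sha256": "22" * 32,
     "cmdline": "powershell.exe -nop -w hidden -enc aGVsbG8=", "pid": 1300},
    {"ts": "2017-03-01T09:02:00", "host": "srv-file-01", "user": "SYSTEM",
     "parent": "services.exe", "image": "svc.exe",
     "sha256": hashlib.sha256(b"constructed-malicious-sample-1").hexdigest(),
     "cmdline": "svc.exe", "pid": 2100},
    {"ts": "2017-03-01T09:03:00", "host": "ws-hr-07", "user": "bob",
     "parent": "explorer.exe", "image": "notepad.exe", "sha256": "33" * 32,
     "cmdline": "notepad.exe notes.txt", "pid": 1500},
]

# Constructed asset context used for prioritization: criticality per host.
HOST_CRITICALITY = {"srv-file-01": 3, "ws-finance-01": 2, "ws-hr-07": 1}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def signature_detect(ev: Dict) -> List[str]:
    """Signature strategy: exact hash match against the known-bad set."""
    name = KNOWN_BAD_SHA256.get(ev["sha256"])
    return [f"signature: {name}"] if name else []


def behavioral_detect(ev: Dict) -> List[str]:
    """Behavioral strategy: suspicious parent/child pairs and command-line patterns."""
    findings = []
    if ev["parent"] in OFFICE_APPS and ev["image"] in SCRIPT_HOSTS:
        findings.append("behavior: office application spawned a scripting host")
    cl = ev["cmdline"].lower()
    if ev["image"] == "powershell.exe" and ("-enc" in cl or "-w hidden" in cl):
        findings.append("behavior: encoded or hidden-window PowerShell")
    return findings


def detect(events: List[Dict]) -> List[Dict]:
    """Apply every strategy to every event; one alert per event that has findings."""
    alerts = []
    for ev in events:
        findings = signature_detect(ev) + behavioral_detect(ev)
        if findings:
            alerts.append({"event": ev, "findings": findings})
    return alerts


def prioritize(alerts: List[Dict]) -> List[Dict]:
    """Score = number of independent findings * host criticality; highest first."""
    for a in alerts:
        a["score"] = len(a["findings"]) * HOST_CRITICALITY.get(a["event"]["host"], 1)
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in prioritize(detect(EVENTS)):
        ev = a["event"]
        print(f"[{a['score']}] {ev['ts']} {ev['host']} user={ev['user']} "
              f"{ev['parent']} -> {ev['image']} pid={ev['pid']}: {'; '.join(a['findings'])}")
```

The point of carrying the host, user, parent process and PID through to the alert is that the responder's next step (kill the PID, isolate the host, pull the parent document) can be scripted from the alert itself rather than looked up afterwards.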
Tip 9: Consider forensic data gathering
In addition to incident response, organizations need to be prepared to address the need for forensic or historical data analysis. SANS Critical Security Control 6 recommends the maintenance, monitoring and analysis of all audit logs. Forensic analysis can take many forms, but a foundation of historical endpoint monitoring data will be critical to any investigation. So look for solutions that retain historical data that enables forensic tasks such as:
– Tracing lateral threat movement through the network over time,
– Pinpointing data exfiltration attempts,
– Identifying the origin of breaches, and
– Identifying appropriate remediation actions.
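The first of those tasks, tracing lateral movement over time, is only possible if per-host network and logon history was retained. As an added example (not Ziften's code or query language), the script below pairs each outbound connection to an administrative port with a remote logon on the destination host from the same source within a short window, then follows those hops forward from the first compromised host. The records, field names, the port list and the pairing window are constructed assumptions for illustration.

```python
"""Trace lateral movement across hosts from retained endpoint history.

Added example, not Ziften code. The records below are constructed sample data;
the field names, admin-port list and pairing window are assumptions.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed history: outbound connections per host (with the owning process)
# and remote logons on destination hosts, as an agent would retain them.
NET: List[Dict] = [
    {"ts": "2017-03-01T09:05:00", "host": "ws-finance-01", "pid": 1300,
     "image": "powershell.exe", "dst": "ws-hr-07", "dport": 445},
    {"ts": "2017-03-01T09:05:02", "host": "ws-finance-01", "pid": 1300,
     "image": "powershell.exe", "dst": "10.1.1.200", "dport": 443},
    {"ts": "2017-03-01T09:20:00", "host": "ws-hr-07", "pid": 2200,
     "image": "wmic.exe", "dst": "srv-file-01", "dport": 5985},
    {"ts": "2017-03-01T09:30:00", "host": "ws-hr-07", "pid": 900,
     "image": "chrome.exe", "dst": "10.1.1.200", "dport": 443},
]
LOGONS: List[Dict] = [
    {"ts": "2017-03-01T09:05:01", "host": "ws-hr-07", "user": "alice",
     "src": "ws-finance-01", "type": "network"},
    {"ts": "2017-03-01T09:20:01", "host": "srv-file-01", "user": "alice",
     "src": "ws-hr-07", "type": "network"},
    {"ts": "2017-03-01T12:00:00", "host": "srv-file-01", "user": "backup",
     "src": "srv-backup-01", "type": "service"},   # unrelated, must not pair
]

ADMIN_PORTS = {445, 3389, 5985, 5986}   # SMB, RDP, WinRM (assumption)
WINDOW = timedelta(seconds=10)          # max connection-to-logon gap (assumption)


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def hops(net: List[Dict], logons: List[Dict]) -> List[Dict]:
    """Pair each admin-port connection with a logon on its destination that came
    from the same source host within WINDOW; each pair is one lateral hop."""
    out = []
    for c in net:
        if c["dport"] not in ADMIN_PORTS:
            continue
        for lg in logons:
            gap = _t(lg["ts"]) - _t(c["ts"])
            if lg["host"] == c["dst"] and lg["src"] == c["host"] and timedelta(0) <= gap <= WINDOW:
                out.append({"ts": c["ts"], "src": c["host"], "src_pid": c["pid"],
                            "src_image": c["image"], "dst": c["dst"],
                            "dport": c["dport"], "user": lg["user"]})
    return sorted(out, key=lambda h: h["ts"])


def trace(start_host: str, net: List[Dict], logons: List[Dict]) -> List[Dict]:
    """Follow hops forward in time from the first compromised host, adding each
    newly reached host to the frontier so multi-hop chains are recovered."""
    path, frontier = [], {start_host}
    for h in hops(net, logons):
        if h["src"] in frontier and h["dst"] not in frontier:
            path.append(h)
            frontier.add(h["dst"])
    return path


if __name__ == "__main__":
    for h in trace("ws-finance-01", NET, LOGONS):
        print(f"{h['ts']} {h['src']} ({h['src_image']} pid {h['src_pid']}) -> "
              f"{h['dst']}:{h['dport']} as {h['user']}")
```

Because the hop carries the source process, the trace also answers the "origin" question on each host: the same PID 1300 that was flagged at detection time is the one that reached out to the next machine. Without retained history from both sides of each connection, the 443 traffic to 10.1.1.200 (a candidate exfiltration channel) and the admin-port hops cannot be told apart after the fact.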
Tip 10: Tear down the walls
IBM's security team, which supports an impressive ecosystem of security partners, estimates that the average enterprise has 135 security tools in place and is working with 40 security vendors. IBM customers certainly skew toward large enterprises, but it is a common refrain (complaint) from organizations of all sizes that security products don't integrate well.
And the problem is not just that security products don't play well with other security solutions, but also that they don't always integrate well with system management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations need to consider these (and other) integration points, as well as the vendor's willingness to share raw data, not just metadata, through an API.
Bonus Tip 11: Plan for customization
Here's a bonus tip. Assume you will want to customize that shiny new NGES solution soon after you get it. No solution will meet all of your needs right out of the box, in its default configuration. Find out how the solution supports:
– Custom data collection,
– Alerting and reporting on custom data,
– Custom scripting, or
– IFTTT (if this then that) functionality.
You know you will want new paint or new wheels on that NGES solution soon, so make sure it will support your future customization projects easily enough.
Look for support for easy customization in your NGES solution
Follow the majority of these tips and you will undoubtedly avoid many of the common pitfalls that plague others in their evaluations of NGES solutions.