Written by Roark Pollock and presented by Chuck Leaver, CEO of Ziften
The Endpoint Security Purchaser’s Guide
The most common entry point for an advanced persistent attack or a breach is the endpoint. Endpoints are also the entry point for the majority of ransomware and social engineering attacks. Using endpoint protection products has long been considered a best practice for securing endpoints. Unfortunately, those tools aren't keeping up with today's threat environment. Advanced threats, and truthfully even less advanced threats, are often more than enough to trick the typical employee into clicking something they shouldn't. So companies are looking at and evaluating a variety of next generation endpoint security (NGES) solutions.
With that in mind, here are ten tips to consider if you're evaluating NGES solutions.
Tip 1: Begin with the end in mind
Don't let the tail wag the dog. A threat reduction strategy should always begin by assessing problems and then looking for possible fixes for those problems. But all too often we get enamored with a "shiny" new technology (e.g., the latest silver bullet) and end up trying to shoehorn that technology into our environments without fully assessing whether it solves a known and identified problem. So exactly what problems are you trying to solve?
– Is your existing endpoint protection tool failing to stop threats?
– Do you need better visibility into activity on the endpoint?
– Are compliance requirements dictating continuous endpoint monitoring?
– Are you trying to reduce the time and cost of incident response?
Define the problems to address, and you'll have a yardstick for success.
Tip 2: Know your audience. Exactly who will be using the tool?
Understanding the problem that needs to be solved is a key first step in understanding who owns the problem and who would (operationally) own the solution. Every functional team has its strengths, weaknesses, preferences and biases. Define who will need to use the solution, and who else might benefit from its use. Maybe it's:
– Security operations,
– IT operations,
– The governance, risk & compliance (GRC) group,
– The helpdesk or end user support group,
– Or even the server group or a cloud operations group?
Tip 3: Know exactly what you mean by endpoint
Another often neglected early step in defining the problem is defining the endpoint. Yes, we all used to know exactly what we meant when we said endpoint, but today endpoints come in many more varieties than before.
Sure, we want to protect desktops and laptops, but what about mobile devices (e.g. phones and tablets), virtual endpoints, cloud based endpoints, or Internet of Things (IoT) devices? And what about your servers? All these devices, of course, come in numerous flavors, so platform support has to be addressed too (e.g. Windows only, Mac OS X, Linux, etc.?). Likewise, consider support for endpoints even when they are working remotely or offline. What are your requirements and what are "nice to haves"?
Tip 4: Start with a foundation of continuous visibility
Continuous visibility is a foundational capability for addressing a host of security and operational management problems on the endpoint. The old adage holds true: you can't manage what you can't see or measure. Further, you can't secure what you can't properly manage. So it must begin with continuous, or all the time, visibility.
Visibility is foundational to Management and Security
And think about what visibility means. Enterprises need a single source of truth that at a minimum monitors, stores, and analyzes the following:
– System data: events, logs, hardware state, and file system details
– User data: activity logs and behavior patterns
– Application data: attributes of installed apps and usage patterns
– Binary data: attributes of installed binaries
– Process data: tracking details and statistics
– Network connectivity data: statistics and internal behavior of network activity on the host
Tip 5: Store your visibility data
Endpoint visibility data can be stored and analyzed on premises, in the cloud, or some mix of both. There are benefits to each. The right approach varies, but is generally dictated by regulatory requirements, internal privacy policies, the endpoints being monitored, and total cost considerations.
Know if your company requires on premise data retention
Know whether your organization allows cloud based data retention and analysis or whether you are constrained to on premise solutions only. Within Ziften, 20-30% of our clients keep data on premise solely for regulatory reasons. However, if legally an option, the cloud can provide cost advantages (among others).
Tip 6: Know what is on your network
Understanding the problem you are trying to solve requires understanding the assets on the network. We find that as many as 30% of the endpoints we initially discover on customers' networks are unmanaged or unknown devices. This obviously creates a big blind spot. Minimizing this blind spot is a vital best practice. In fact, SANS Critical Security Controls 1 and 2 are to perform an inventory of authorized and unauthorized devices and software attached to your network. So look for NGES solutions that can fingerprint all connected devices, track software inventory and utilization, and perform ongoing continuous discovery.
Tip 7: Know where you are vulnerable
After determining which devices you need to track, you need to make sure they are running in up to date configurations. SANS Critical Security Control 3 recommends ensuring secure configuration monitoring for laptops, workstations, and servers. SANS Critical Security Control 4 recommends enabling continuous vulnerability assessment and remediation for these devices. So look for NGES solutions that provide all the time monitoring of the state or posture of each device, and it's even better if the solution can help enforce that posture.
Also look for solutions that provide continuous vulnerability assessment and remediation.
Keeping your entire endpoint environment hardened and free of critical vulnerabilities prevents a huge number of security issues and removes a lot of back end pressure on the IT and security operations teams.
Tip 8: Cultivate continuous detection and response
An important objective for many NGES solutions is supporting continuous device state monitoring to enable effective threat or incident response. SANS Critical Security Control 19 recommends robust incident response and management as a best practice.
Look for NGES solutions that provide all the time or continuous threat detection, which leverages a network of global threat intelligence and multiple detection techniques (e.g., signature, behavioral, artificial intelligence, etc.). And look for incident response solutions that help prioritize identified threats and/or issues and offer workflow with contextual system, application, user, and network data. This can help automate the appropriate response or next actions. Finally, understand all the response actions that each solution supports, and look for a solution that offers remote access that is as close as possible to "sitting at the endpoint keyboard".
Tip 9: Consider forensic data collection
In addition to incident response, organizations need to be prepared to handle the need for forensic or historical data analysis. SANS Critical Security Control 6 recommends the maintenance, monitoring and analysis of all audit logs. Forensic analysis can take many forms, but a foundation of historical endpoint monitoring data will be crucial to any investigation. So look for solutions that preserve historical data that permits:
– Forensic tasks such as tracing lateral threat movement through the network over time,
– Pinpointing data exfiltration attempts,
– Identifying the source of breaches, and
– Determining appropriate remediation actions.
Tip 10: Tear down the walls
IBM's security group, which supports an impressive ecosystem of security partners, estimates that the average enterprise has 135 security tools in place and is working with 40 security vendors. IBM customers certainly tend to be large enterprises, but it's a common refrain (complaint) from organizations of all sizes that security solutions don't integrate properly.
And the problem is not just that security solutions don't play well with other security solutions, but also that they don't always integrate well with system management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations need to consider these (and other) integration points as well as the vendor's willingness to share raw data, not just metadata, through an API.
Bonus Tip 11: Plan for customization
Here's a bonus tip. Assume that you'll want to customize that shiny new NGES solution soon after you get it. No solution will meet all your needs right out of the box, in default configurations. Find out how the solution supports:
– Custom data collection,
– Alerting and reporting with custom data,
– Custom scripting, or
– IFTTT (if this then that) functionality.
You know you'll want new paint or new wheels on that NGES solution soon, so make sure it will support your future customization projects easily enough.
Look for support for simple customizations in your NGES solution
Follow the bulk of these suggestions and you'll certainly avoid many of the common mistakes that plague others in their evaluations of NGES solutions.