2014 Ultimate Buyers Guide to Endpoint Security Solutions

Post on 20-Aug-2015


Presents

2014 Ultimate Endpoint Security Buyer’s Guide

Mike Rothman, President

mrothman@securosis.com

Twitter: @securityincite

About Securosis

• Independent analysts with backgrounds on both the user and vendor side.

• Focused on deep technical and industry expertise.

• We like pragmatic.

• We are security guys - that’s all we do.

Advanced Malware is Advanced

• Attacks > Defenses

• Advanced Attackers > You

• Yet you can track the indicators and follow their trail.

• But first you need to understand the kill chain.

http://flic.kr/p/4UPRJ7

The Kill Chain

http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain#

Defining Endpoint Security

Anti-Malware: Protecting Endpoints from Attack

The Negative Security Model

http://www.despair.com/tradition.html

How customers view Endpoint Protection

• Compliance is the main driver for endpoint protection.

• Whether it works or not is not the issue.

• And to be clear, traditional anti-malware technology doesn’t work anymore.

http://flic.kr/p/9kC2Q1

Adversaries: Better and Better

• Advanced Malware

• Polymorphism

• Sophisticated targeting

• Professional Processes

http://www.flickr.com/photos/dzingeek/4587871752/

You don’t know what malware is going to look like... But you DO know what software should and should not do.

Advanced Protection Techniques

• Better Heuristics
  • Profile the “Big 7” (browsers, Java, Adobe, Word, Excel, PPT, Outlook)
  • “Application HIPS”

• Better Isolation (Sandboxes)
  • Browser Isolation
  • O/S Isolation (virtualization)

• White Listing (user experience impact on endpoints; good for servers)

• Endpoint Activity Monitoring
  • Device Forensics
  • Retrospective Alerting
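As an added illustration (not from the Securosis deck) of the positive model above: the "Big 7" applications are profiled by what they should do, and any child process outside that profile raises an alert, which is the essence of an "application HIPS" rule. The allowed-child lists and the sample events are assumed and constructed for this example.

```python
# Added example: a toy "application HIPS" rule set. It encodes what profiled
# applications SHOULD do (positive model) and flags everything else.
# The allowed-child lists and the event records are constructed, not real.
from dataclasses import dataclass

# Per parent application, the child processes it legitimately launches
# (simplified, assumed lists). Anything else is a policy violation.
ALLOWED_CHILDREN = {
    "winword.exe": {"splwow64.exe", "werfault.exe"},
    "excel.exe": {"splwow64.exe", "werfault.exe"},
    "powerpnt.exe": {"splwow64.exe", "werfault.exe"},
    "outlook.exe": {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"},
    "acrord32.exe": {"acrocef.exe", "werfault.exe"},
    "java.exe": set(),
    "chrome.exe": {"chrome.exe"},
}

@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str   # image name of the spawning process
    child: str    # image name of the spawned process
    cmdline: str  # command line of the child, kept for alert context

def evaluate(event):
    """Return None if the spawn fits the parent's profile, else an alert string."""
    parent = event.parent.lower()
    child = event.child.lower()
    if parent not in ALLOWED_CHILDREN:
        return None  # not a profiled application; this rule does not cover it
    if child in ALLOWED_CHILDREN[parent]:
        return None
    return f"{event.host}: {parent} spawned {child} ({event.cmdline!r})"

def evaluate_all(events):
    return [a for a in map(evaluate, events) if a is not None]

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent("ws-042", "WINWORD.EXE", "splwow64.exe", "splwow64.exe"),
    ProcessEvent("ws-042", "WINWORD.EXE", "powershell.exe", "powershell.exe -File update.ps1"),
    ProcessEvent("ws-017", "OUTLOOK.EXE", "winword.exe", "winword.exe /n invoice.docx"),
    ProcessEvent("ws-017", "EXCEL.EXE", "cmd.exe", "cmd.exe /c dir"),
    ProcessEvent("ws-099", "explorer.exe", "cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for alert in evaluate_all(SAMPLE_EVENTS):
        print("ALERT", alert)
```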

Endpoint Hygiene: Reducing Attack Surface

Endpoint Hygiene

Patch Management Process

http://www.flickr.com/photos/smallritual/6964911694/

Patch Management Technology Considerations

• Coverage (OS and apps)

• Library of patches

• Intelligence/Research

• Discovery

• Patch deployment and software removal

• Agent vs. agentless

• Handling remote devices

• Deployment/scalability architecture

• Scheduling flexibility

Configuration Management Process

http://www.flickr.com/photos/smallritual/6964911694/

Configuration Management Technology Considerations

• Coverage (OS and apps)

• Discovery

• Supported standards and benchmarks

• Agent vs. agentless

• Handling remote devices

• Integration with operational processes

• Policy exceptions

• Who has the “special machines?”

Device Control Use Cases

• Data Leakage

• Data Privacy (Encryption)

• Malware Proliferation (Sneakernet)

http://www.flickr.com/photos/rave2npg/2667464740/

Device Control Process

Device Control Technology Considerations

• Device support

• Policy granularity

• Encryption algorithm support

• Agent (small footprint)

• Hardware key logger protection

• Offline support

• Forensics

• Grace periods/User override

Blurring lines between technologies

• Periodic Controls (Patch/Config) with Vulnerability Management & IT Ops

• Device Control with Endpoint DLP

• Who wants the hot potato?

• Accountability and organizational complexities

http://www.flickr.com/photos/zen/253267347/

The Impact of BYOD and Mobility

BYOD

• Not just mobile devices

• Selective enforcement/granularity of policies

• Require Anti-malware?

• Manage Hygiene?

http://www.flickr.com/photos/jennip/8465930151/

Mobility/Smart Devices

• Management a bigger problem than security (for now)

• Mobile malware?

• MDM/MAM and other management technologies

• Containers

http://www.flickr.com/photos/becw/2404120929/

BYOD/Mobile stand alone?

No...

http://www.flickr.com/photos/rabanito/3191183434/

Endpoint Security Platform

Brings it all together into a well oiled machine...

http://www.flickr.com/photos/andrewl04/3163980834/

Buying Considerations

Endpoint Security Platform Buying Considerations

• Dashboard

• Discovery

• Asset Repository Integration

• Alert Management
  • Alert queue
  • Navigation/workflow

• Agent Management

• Policy Creation and Management
  • Baselines/Templates for customization
  • Alert only policies

• System Administration

• Reporting

To Cloud or Not to Cloud

• No server management

• Uptime

• Multi-tenancy: Data segregation and protection

• User experience

http://www.flickr.com/photos/52859023@N00/644335254

Buying Process/Vendor Selection

• Buying Process: Define Requirements, Short list, Test/PoC, Test support, Negotiate

• Confirm with peer group

• Big vs. small vendor

• Platform vs. pricing leverage

• Research & Intelligence

http://www.flickr.com/photos/jeffanddayna/4081090389/

Summary

• Don’t forget about the security of endpoint security
  • Exploitable agents
  • Weak platform security
  • Cloud app vulnerabilities

• Malware protection remains a cat/mouse game

• BYOD/Mobility just another consideration

http://www.flickr.com/photos/74571262@N08/6710953053/

Read our stuff

• Blog
  • http://securosis.com/blog

• Research
  • http://nexus.securosis.com/
  • http://securosis.com/research

• We publish (almost) everything for free

• Contribute. Make it better.

Mike Rothman, Securosis LLC

mrothman@securosis.com

http://securosis.com/blog

Twitter: @securityincite