2014 Ultimate Buyers Guide to Endpoint Security Solutions


Transcript of 2014 Ultimate Buyers Guide to Endpoint Security Solutions

Page 1: 2014 Ultimate Endpoint Security Buyer’s Guide

Presents

2014 Ultimate Endpoint Security Buyer’s Guide

Mike Rothman, President
[email protected]
Twitter: @securityincite

Page 2: About Securosis

• Independent analysts with backgrounds on both the user and vendor side.
• Focused on deep technical and industry expertise.
• We like pragmatic.
• We are security guys - that’s all we do.

Page 3: (no text on slide)

Page 4: Advanced Malware is Advanced

• Attacks > Defenses
• Advanced Attackers > You
• Yet you can track the indicators and follow their trail.
• But first you need to understand the kill chain.

http://flic.kr/p/4UPRJ7

Page 5: The Kill Chain

http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain#

Page 6: Defining Endpoint Security

Page 7: Anti-Malware: Protecting Endpoints from Attack

Page 8: The Negative Security Model

http://www.despair.com/tradition.html

Page 9: How customers view Endpoint Protection

• Compliance is the main driver for endpoint protection.
• Whether it works or not is not the issue.
• And to be clear, traditional anti-malware technology doesn’t work anymore.

http://flic.kr/p/9kC2Q1

Page 10: Adversaries: Better and Better

• Advanced Malware
• Polymorphism
• Sophisticated targeting
• Professional Processes

http://www.flickr.com/photos/dzingeek/4587871752/

Page 11:

You don’t know what malware is going to look like...

But you DO know what software should and should not do.

Page 12: Advanced Protection Techniques

• Better Heuristics
  • Profile the “Big 7” (browsers, Java, Adobe, Word, Excel, PPT, Outlook)
  • “Application HIPS”
• Better Isolation (Sandboxes)
  • Browser Isolation
  • O/S Isolation (virtualization)
• White Listing (endpoint user experience impact, good for servers)
• Endpoint Activity Monitoring
  • Device Forensics
  • Retrospective Alerting
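The positive security model on the previous two slides (you do not know what malware looks like, but you do know what software should run) is what application whitelisting implements. The following is an added example, not code from the deck or from Securosis: a small allowlist evaluator over constructed process-launch events. It also shows the "alert only" policy mode that the buying-considerations slide lists, and rates an unlisted child of one of the "Big 7" applications higher, since that is the pattern the heuristics slide says to profile. All hashes, publisher names, host names and event data are constructed placeholders; `LaunchEvent`, `Verdict` and `evaluate` are names chosen for this example.

```python
"""Application allowlisting with an alert-only mode (added example, constructed data).

Rather than enumerating malware (the negative model), enumerate the software that
may run and treat everything else as suspect. Everything below is a placeholder.
"""
from dataclasses import dataclass
from typing import List, Optional
import hashlib

# The "Big 7" user-facing applications named on the slides. An unlisted binary
# spawned by one of these is the classic exploit-then-drop pattern, so it is
# rated higher than an unlisted binary launched from elsewhere.
BIG_SEVEN = {"chrome.exe", "firefox.exe", "iexplore.exe", "java.exe", "acrord32.exe",
             "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known good" binaries. A real allowlist holds hashes of the actual
# files on disk; here placeholder bytes are hashed so the example runs offline.
KNOWN_GOOD = {
    "winword.exe": b"constructed-bytes-for-winword",
    "outlook.exe": b"constructed-bytes-for-outlook",
}
ALLOWED_HASHES = {sha256_hex(data): name for name, data in KNOWN_GOOD.items()}
TRUSTED_PUBLISHERS = {"Example Corp (constructed)"}  # verified code-signing publishers


@dataclass
class LaunchEvent:
    host: str
    image_name: str
    image_bytes: bytes                 # contents of the executable being launched
    parent_name: str                   # process that spawned it
    publisher: Optional[str] = None    # publisher from signature validation, if any


@dataclass
class Verdict:
    action: str     # "allow", "block" or "alert"
    severity: str   # "none", "medium" or "high"
    reason: str


def evaluate(event: LaunchEvent, mode: str = "enforce") -> Verdict:
    """Apply the allowlist. In "alert" mode nothing is blocked; the miss is only reported."""
    if mode not in ("enforce", "alert"):
        raise ValueError(f"unknown mode {mode!r}")
    digest = sha256_hex(event.image_bytes)
    if digest in ALLOWED_HASHES:
        return Verdict("allow", "none", f"hash matches allowlisted {ALLOWED_HASHES[digest]}")
    if event.publisher in TRUSTED_PUBLISHERS:
        return Verdict("allow", "none", f"signed by trusted publisher {event.publisher}")
    # Not on the list: decide how loudly to complain, then whether to stop it.
    severity = "high" if event.parent_name.lower() in BIG_SEVEN else "medium"
    reason = (f"{event.image_name} on {event.host} is not allowlisted "
              f"(spawned by {event.parent_name})")
    action = "alert" if mode == "alert" else "block"
    return Verdict(action, severity, reason)


def evaluate_batch(events: List[LaunchEvent], mode: str = "enforce") -> List[Verdict]:
    return [evaluate(e, mode) for e in events]


# Constructed sample launch events.
SAMPLE_EVENTS = [
    LaunchEvent("ws-042", "winword.exe", KNOWN_GOOD["winword.exe"], "explorer.exe"),
    LaunchEvent("ws-042", "update.exe", b"unknown-dropped-binary", "winword.exe"),
    LaunchEvent("ws-017", "helper.exe", b"vendor-tool-bytes", "explorer.exe",
                publisher="Example Corp (constructed)"),
    LaunchEvent("ws-017", "tool.exe", b"some-other-binary", "cmd.exe"),
]

if __name__ == "__main__":
    for mode in ("enforce", "alert"):
        print(f"== mode: {mode}")
        for v in evaluate_batch(SAMPLE_EVENTS, mode):
            print(f"{v.action:5s} {v.severity:6s} {v.reason}")
```

Running an allowlist in alert mode first is how the "user experience impact" the slide warns about gets measured: the alert queue shows what a blocking policy would have stopped before anyone is locked out of a legitimate tool.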

Page 13: Endpoint Hygiene: Reducing Attack Surface

Page 14: Endpoint Hygiene

Page 15: Patch Management Process

http://www.flickr.com/photos/smallritual/6964911694/

Page 16: Patch Management Technology Considerations

• Coverage (OS and apps)
• Library of patches
• Intelligence/Research
• Discovery
• Patch deployment and software removal
• Agent vs. agentless
• Handling remote devices
• Deployment/scalability architecture
• Scheduling flexibility

Page 17: Configuration Management Process

http://www.flickr.com/photos/smallritual/6964911694/

Page 18: Configuration Management Technology Considerations

• Coverage (OS and apps)
• Discovery
• Supported standards and benchmarks
• Agent vs. agentless
• Handling remote devices
• Integration with operational processes
• Policy exceptions
• Who has the “special machines”?

Page 19: Device Control Use Cases

• Data Leakage
• Data Privacy (Encryption)
• Malware Proliferation (Sneakernet)

http://www.flickr.com/photos/rave2npg/2667464740/

Page 20: Device Control Process

Page 21: Device Control Technology Considerations

• Device support
• Policy granularity
• Encryption algorithm support
• Agent (small footprint)
• Hardware key logger protection
• Offline support
• Forensics
• Grace periods/User override

Page 22: Blurring lines between technologies

• Periodic Controls (Patch/Config) with Vulnerability Management & IT Ops
• Device Control with Endpoint DLP
• Who wants the hot potato?
• Accountability and organizational complexities

http://www.flickr.com/photos/zen/253267347/

Page 23: The Impact of BYOD and Mobility

Page 24: BYOD

• Not just mobile devices
• Selective enforcement/granularity of policies
• Require Anti-malware?
• Manage Hygiene?

http://www.flickr.com/photos/jennip/8465930151/

Page 25: Mobility/Smart Devices

• Management a bigger problem than security (for now)
• Mobile malware?
• MDM/MAM and other management technologies
• Containers

http://www.flickr.com/photos/becw/2404120929/

Page 26: BYOD/Mobile stand alone?

No...

http://www.flickr.com/photos/rabanito/3191183434/

Page 27: Endpoint Security Platform

Brings it all together into a well-oiled machine...

http://www.flickr.com/photos/andrewl04/3163980834/

Page 28: Buying Considerations

Page 29: Endpoint Security Platform Buying Considerations

• Dashboard
• Discovery
  • Asset Repository Integration
• Alert Management
  • Alert queue
  • Navigation/workflow
• Agent Management
• Policy Creation and Management
  • Baselines/Templates for customization
  • Alert only policies
• System Administration
• Reporting

Page 30: To Cloud or Not to Cloud

• No server management
• Uptime
• Multi-tenancy: Data segregation and protection
• User experience

http://www.flickr.com/photos/52859023@N00/644335254

Page 31: Buying Process/Vendor Selection

• Buying Process: Define Requirements, Short list, Test/PoC, Test support, Negotiate
• Confirm with peer group
• Big vs. small vendor
• Platform vs. pricing leverage
• Research & Intelligence

http://www.flickr.com/photos/jeffanddayna/4081090389/

Page 32: Summary

• Don’t forget about the security of endpoint security
  • Exploitable agents
  • Weak platform security
  • Cloud app vulnerabilities
• Malware protection remains a cat/mouse game
• BYOD/Mobility just another consideration

http://www.flickr.com/photos/74571262@N08/6710953053/

Page 33: Read our stuff

• Blog
  • http://securosis.com/blog
• Research
  • http://nexus.securosis.com/
  • http://securosis.com/research
• We publish (almost) everything for free
• Contribute. Make it better.

Page 34: Contact

Mike Rothman, Securosis LLC
[email protected]
http://securosis.com/blog
Twitter: @securityincite