Charles Leaver – 10 Ways To Assess Next Gen Endpoint Security Services
Written By Roark Pollock And Presented By Charles Leaver CEO Ziften
The Endpoint Security Purchaser’s Guide
The most typical point for an innovative relentless attack or a breach is the end point. And they are definitely the entry point for most ransomware and social engineering attacks. The use of endpoint protection services has long been thought about a best practice for securing endpoints. Sadly, those tools aren’t staying up to date with today’s danger environment. Advanced risks, and truth be told, even less advanced threats, are frequently more than adequate for tricking the average employee into clicking something they should not. So organizations are looking at and examining a wide variety of next generation end point security (NGES) solutions.
With this in mind, here are ten pointers to consider if you’re taking a look at NGES solutions.
Idea 1: Start with the end first
Don’t let the tail wag the dog. A threat reduction method ought to constantly start by evaluating problems then trying to find prospective solutions for those problems. But all frequently we get captivated with a “shiny” brand-new technology (e.g., the current silver bullet) and we wind up aiming to shoehorn that innovation into our environments without fully examining if it solves a comprehended and determined issue. So what problems are you trying to solve?
– Is your current endpoint security tool failing to stop risks?
– Do you need better visibility into activities at the endpoint?
– Are compliance requirements mandating constant endpoint monitoring?
– Are you trying to reduce the time and costs of incident response?
Specify the issues to address, and then you’ll have a measuring stick for success.
Pointer 2: Know your audience. Who will be utilizing the tool?
Understanding the issue that has to be fixed is a crucial first step in understanding who owns the issue and who would (operationally) own the service. Every functional team has its strengths, weaknesses, choices and biases. Define who will need to utilize the service, and others that could gain from its usage. It could be:
– Security team,
– IT operations,
– The governance, risk & compliance (GRC) group,
– Helpdesk or end user support team,
– Or perhaps the server team, or a cloud operations team?
Suggestion 3: Know exactly what you imply by end point
Another typically neglected early step in specifying the issue is specifying the endpoint. Yes, all of us used to know exactly what we implied when we stated end point but today endpoints are available in a lot more varieties than before.
Sure we want to safeguard desktops and laptops however how about mobile phones (e.g. smartphones and tablets), virtual endpoints, cloud based end points, or Internet of Things (IoT) devices? And how about your servers? All these devices, naturally, come in numerous flavors so platform support has to be attended to too (e.g. Windows only, Mac OSX, Linux, etc?). Likewise, consider assistance for endpoints even when they are working remote, or are working offline. Exactly what are your needs and exactly what are “great to haves?”
Tip 4: Start with a foundation of all the time visibility
Constant visibility is a foundational ability for addressing a host of security and functional management issues on the endpoint. The old expression holds true – that you can’t manage exactly what you cannot see or measure. Even more, you cannot secure exactly what you cannot appropriately manage. So it should start with continuous or all-the-time visibility.
Visibility is foundational to Security and Management
And think about what visibility suggests. Enterprises need a single source of fact that at a minimum monitors, saves, and examines the following:
– System data – events, logs, hardware state, and file system details
– User data – activity logs and habit patterns
– Application data – attributes of installed apps and use patterns
– Binary data – characteristics of set up binaries
– Processes data – tracking details and statistics
– Network connectivity data – statistics and internal habits of network activity on the host
Idea 5: Track your visibility data
Endpoint visibility data can be kept and examined on the premises, in the cloud, or some combination of both. There are advantages to each. The appropriate method differs, but is generally enforced by regulative requirements, internal privacy policies, the endpoints being monitored, and the total expense considerations.
Know if your organization needs on-premise data retention
Know whether your company enables cloud based data retention and analysis or if you are constrained to on-premise options only. Within Ziften, 20-30% of our clients keep data on-premise merely for regulatory factors. However, if lawfully an alternative, the cloud can offer expense benefits (among others).
Tip 6: Know what is on your network
Comprehending the issue you are trying to solve requires understanding the assets on the network. We have found that as many as 30% of the end points we initially discover on clients’ networks are unmanaged or unidentified devices. This obviously develops a big blind spot. Minimizing this blind spot is a critical best practice. In fact, SANS Critical Security Controls 1 and 2 are to perform a stock of licensed and unauthorized devices and software applications connected to your network. So search for NGES solutions that can fingerprint all linked devices, track software applications stock and utilization, and carry out ongoing continuous discovery.
Pointer 7: Know where you are exposed
After finding out what devices you need to watch, you need to make certain they are running in up to date configurations. SANS Critical Security Controls 3 recommends ensuring safe and secure setups monitoring for laptops, workstations, and servers. SANS Critical Security Controls 4 suggests making it possible for constant vulnerability assessment and removal of these devices. So, try to find NGES solutions that provide constant tracking of the state or posture of each device, and it’s even of more benefit if it can assist impose that posture.
Likewise search for solutions that deliver constant vulnerability evaluation and remediation.
Keeping your general endpoint environment hardened and devoid of crucial vulnerabilities prevents a substantial amount of security concerns and removes a lot of back end pressure on the IT and security operations groups.
Idea 8: Cultivate continuous detection and response
A crucial end goal for numerous NGES solutions is supporting continuous device state monitoring, to enable efficient threat or event response. SANS Critical Security Control 19 advises robust incident response and management as a best practice.
Look for NGES services that offer all the time or constant danger detection, which leverages a network of worldwide risk intelligence, and several detection methods (e.g., signature, behavioral, artificial intelligence, etc). And search for incident response solutions that help prioritize identified hazards and/or problems and provide workflow with contextual system, application, user, and network data. This can assist automate the appropriate response or next actions. Lastly, understand all the response actions that each service supports – and search for a service that provides remote access that is as close as possible to “sitting at the endpoint keyboard”.
Idea 9: Think about forensics data collection
In addition to incident response, organizations need to be prepared to attend to the need for forensic or historical data analysis. The SANS Critical Security Control 6 suggests the upkeep, tracking and analysis of all audit logs. Forensic analysis can take lots of kinds, however a foundation of historic end point tracking data will be essential to any examination. So try to find services that maintain historic data that permits:
– Forensic jobs include tracing lateral danger movement through the network gradually,
– Pinpointing data exfiltration efforts,
– Identifying source of breaches, and
– Figuring out suitable remediation actions.
Tip 10: Take down the walls
IBM’s security team, which supports an excellent ecosystem of security partners, estimates that the average business has 135 security tools in situ and is working with 40 security vendors. IBM customers certainly skew to large businesses but it’s a typical refrain (problem) from organizations of all sizes that security products don’t integrate well enough.
And the grievance is not simply that security services don’t play well with other security services, however also that they don’t constantly integrate well with system management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations have to think about these (and other) integration points along with the vendor’s desire to share raw data, not simply metadata, through an API.
Additional Suggestion 11: Plan for customizations
Here’s a bonus suggestion. Assume that you’ll want to tailor that glossy new NGES service quickly after you get it. No solution will fulfill all of your requirements right out of the box, in default configurations. Find out how the service supports:
– Custom data collection,
– Signaling and reporting with custom data,
– Customized scripting, or
– IFTTT (if this then that) performance.
You know you’ll want new paint or new wheels on that NGES solution quickly – so ensure it will support your future modification projects simply enough.
Look for support for simple personalizations in your NGES solution
Follow the bulk of these pointers and you’ll unquestionably prevent much of the common mistakes that plague others in their evaluations of NGES services.