Advanced Endpoint Security Analysis

Abstract

This report presents the most current and relevant next generation endpoint security data from agnostic third party consultants along with industry surveys*. The purpose is to help organizations understand their specific endpoint security needs and prioritize budget and resources for next generation endpoint security investments.

What you will learn:

  • How to differentiate between the varying marketing messages from endpoint vendors.
  • The most important criteria when choosing an endpoint security product.
  • Why traditional antivirus alone does not protect endpoints.


Traditional Anti-virus is No Longer Enough

As the threat landscape has changed, next generation endpoint security products have emerged to address advanced threats. CISOs' and security professionals' interest in these new products is fueled by a move away from traditional anti-virus solutions that are ineffective and disruptive to the enterprise.

In today’s landscape, traditional anti-virus is no longer enough to protect endpoints. Threats have moved from disruptive viruses to sophisticated stealth malware, APTs, ransomware, and exploits. These new threats are not only dynamic, but they are harder to detect and created for the purpose of extracting valuable company data. Traditional antivirus also relies on writing signatures to determine whether a sample is malicious, often after it is already running.

90% of organizations are planning to spend money in 2016 on an advanced endpoint security solution to address the gap that traditional AV is leaving behind.*
Only 5% of organizations believe their current traditional AV is doing an adequate job protecting against advanced malware.*
Organizations believe their current traditional AV solution is only 30-50% effective against advanced malware.*


Noise and Clutter in the Next Gen Endpoint Markets

There are more than 55 vendors laying claim to endpoint security and more than 20 are “next-gen” products. It is a complex, but important and highly-visible decision.

The market still lacks clear definitions for basic terminology such as “prevent”, “detain”, “contain”, and “visibility”, which misleads the public’s perception of each solution’s capabilities. It is necessary to clarify these terms with each vendor to ensure an accurate review.

Challenges for organizations:

  • Ensuring a solution does not impact worker productivity, performance, or credibility
  • Understanding the varied approaches
  • Differentiating between products
  • Understanding how a solution will fit within their enterprise

Most organizations had the preconceived notion that the vendors analyzed would have the capacity for advanced prevention, while in reality only 25% of the vendors actually have those capabilities.*


How to Choose a Next Gen Endpoint Security Product?

Why these criteria are important:

  • Efficacy: A solution must have high security efficacy.
  • Productivity: A solution cannot impact the end user.
  • Credibility: There must be no negative impact on security leadership.

EFFICACY

Organizations should choose endpoint security products that deliver meaningful security value, as measured by the product’s effectiveness at meeting their technical and business requirements.

PRODUCTIVITY

Drags on productivity negatively impact revenue and make it difficult for security teams to gain the buy-in and respect of executives and the organization. The product must not interfere with, or have the potential to impact, mission critical business applications while providing protection to the endpoint. Once configured to operate in your environment, the product must have no impact on end user productivity. The platform should provide immediate value and should be able to be quickly deployed within your environment without disrupting business operations.

CREDIBILITY

CISOs must ensure their endpoint security product is effective and does not impact productivity, otherwise it may damage their reputation and credibility within their organization.

The majority of CISOs cite productivity, efficacy and credibility as three of the most important criteria when selecting a Next Gen Endpoint security product.*


What are the Different Approaches to Endpoint Security?

The market is still emerging, and therefore difficult to navigate. Solutions fall into one of four approaches to endpoint security. Those include:

Data Detection/Visibility and Incident Response – These solutions silently collect and observe a wide range of critical operating system activity such as process creation, registry changes, file writes, network connections, etc. Once collected, this information is forwarded to a central analysis platform where deep analytics are performed. Differences exist between products as to how data is analyzed and presented to administrators; some solutions provide additional context to data by incorporating threat intelligence while others compare individual host data against other machines within the enterprise to spot anomalies. Products may block some traditional forms of malware, yet as a core competency they typically will not provide direct prevention or blocking capabilities against advanced malware; instead, they are intended to be used as powerful visibility stop-gap tools that reduce the time administrators spend evaluating indicators of compromise across the organization.

Advanced Protection – Solutions falling in this category provide protection through detection and prevention by leveraging unique, vendor-specific malware detection techniques such as machine learning and artificial intelligence. These solutions are typically paired with capabilities for memory and exploit protection. Products differ in the level of protection they offer; some solutions are better suited as a direct replacement for existing signature-based antivirus and are extremely effective at blocking malware, while others offer complementary protection against advanced exploits.

Isolation/Sandboxing – This approach provides protection by “roping off” certain high risk applications from the underlying operating system. Individual applications, such as web browsers, office suites, email clients, or other high-risk programs can be shunted to a separate, self-contained processing area (container) within the computing environment so that if a threat is present, it will not have access to other critical system processes. These secure areas typically self-destruct when an infection is detected to return the container to a known good state.

Whitelisting – Whitelisting allows administrators to “lock down” endpoints so that they will only run approved applications and their supporting dependencies. This type of protection is accomplished by creating an initial system baseline consisting of hashes and application-specific fingerprints and comparing all files and programs attempting to run against it. Known and approved applications matching the system baseline will run, while unknown ones will be denied the ability to execute. Whitelisting is a strategy to reduce the available attack surface on endpoints.
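To make the whitelisting approach concrete, the following is an added example (not code from the report or from any vendor it surveys) of the core mechanism: build a baseline of SHA-256 fingerprints from an approved install, then allow or deny each execution attempt by looking its hash up in that baseline. The directory layout, file names and file contents are constructed stand-ins created in a temporary directory; the function names are my own.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def sha256_of_file(path: Path) -> str:
    """Fingerprint a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(approved_dir: Path) -> Dict[str, str]:
    """Walk an approved install and record a fingerprint for every file.

    The map is keyed by digest, not by path or name, so a copied or renamed
    approved binary is still recognised while a tampered one is not.
    """
    baseline: Dict[str, str] = {}
    for p in sorted(approved_dir.rglob("*")):
        if p.is_file():
            baseline[sha256_of_file(p)] = p.name
    return baseline


def check_execution(path: Path, baseline: Dict[str, str]) -> Tuple[str, str]:
    """Decide whether a program may run.

    Returns ("allow", approved_name) or ("deny", reason). Default is deny:
    anything not in the baseline, including a modified approved file, is blocked.
    """
    if not path.is_file():
        return ("deny", "not a regular file")
    digest = sha256_of_file(path)
    name = baseline.get(digest)
    if name is None:
        return ("deny", "fingerprint %s... not in baseline" % digest[:12])
    return ("allow", name)


def run_demo() -> Dict[str, str]:
    """Constructed scenario: baseline three approved files, then judge three attempts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        approved = root / "approved"
        approved.mkdir()
        # Constructed stand-ins for installed binaries; the bytes are arbitrary.
        (approved / "editor.exe").write_bytes(b"MZ\x90\x00 editor build 1")
        (approved / "browser.exe").write_bytes(b"MZ\x90\x00 browser build 7")
        (approved / "helper.dll").write_bytes(b"MZ\x90\x00 helper dependency")
        baseline = build_baseline(approved)

        staging = root / "downloads"
        staging.mkdir()
        # 1. Byte-identical copy of an approved binary under another name: allowed.
        (staging / "renamed.exe").write_bytes((approved / "editor.exe").read_bytes())
        # 2. Approved file name but altered content (simulated tampering): denied.
        (staging / "browser.exe").write_bytes(b"MZ\x90\x00 browser build 7 + patch")
        # 3. A file that was never baselined: denied.
        (staging / "dropper.exe").write_bytes(b"MZ\x90\x00 unknown")

        return {f.name: check_execution(f, baseline)[0] for f in sorted(staging.iterdir())}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print("%-5s %s" % (decision, name))
```

The decision hinges on content, not on name or location: the renamed copy is allowed because its digest matches, while the file that keeps an approved name but carries one extra byte is denied. In production the baseline must be refreshed with every legitimate update, and an allowlist at this level only governs which executables start; a permitted interpreter or office suite still runs whatever input it is given, which is why the report pairs whitelisting with the other three approaches rather than presenting it alone.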

75% of organizations admitted to being confused by vendor presentations in terms of capabilities, value and overall vendor messaging.*


Conclusion

  • Endpoint security is a top concern due to an influx of complex and dynamic malware.
  • Organizations are bombarded with similar messages in the vendor marketspace.
  • When selecting vendors, organizations must understand their most important business and technical requirements. Is it impact on worker productivity, protection regardless of network connectivity, malware protection capabilities, or other factors?
  • When evaluating vendors, clarify the terms vendors use to market (“prevent”, “detain”, “contain”, and “visibility”) to ensure an accurate review.
  • Review the four approaches to next gen endpoint security.
  • If your security team does not have the time, expertise, or resources, utilize an agnostic third party organization to help identify the best endpoint security solution for your environment.


* K logix interviewed 100+ information security professionals in a year-long study.
