Chuck Leaver – How To Evaluate Next Gen Endpoint Security Services

Written By Roark Pollock And Presented By Chuck Leaver CEO Ziften


The Endpoint Security Buyer’s Guide

The endpoint is the most common entry point for a sophisticated persistent attack or a breach, and it is certainly the entry point for many ransomware and social engineering attacks. Using endpoint protection products has long been considered a best practice for protecting endpoints. Unfortunately, those tools are not keeping up with today’s threat environment. Advanced threats, and truth be told, even less advanced threats, are often more than enough to trick the average employee into clicking something they should not. So organizations are looking at and evaluating a wide variety of next-gen endpoint security (NGES) solutions.

With this in mind, here are ten tips to consider if you’re evaluating NGES solutions.

Tip 1: Begin with the end in mind

Do not let the tail wag the dog. A risk reduction strategy should always begin by assessing problems and then looking for possible solutions to those problems. But all too often we become fascinated with a “shiny” new technology (e.g., the latest silver bullet) and end up trying to shoehorn that technology into our environments without fully evaluating whether it solves an understood and identified problem. So what problems are you trying to solve?

– Is your existing endpoint security tool failing to stop threats?
– Do you need better visibility into activity on the endpoint?
– Are compliance requirements mandating continuous endpoint monitoring?
– Are you trying to reduce the time and cost of incident response?

Define the problems to address, and then you’ll have a yardstick for success.

Tip 2: Know your audience. Who exactly will be using the tool?

Understanding the problem that needs to be solved is a critical first step in understanding who owns the problem and who would (operationally) own the solution. Every functional team has its strengths, weaknesses, preferences and biases. Define who will need to use the solution, and who else might benefit from its use. Perhaps it’s:

– The security team,
– IT operations,
– The governance, risk and compliance (GRC) team,
– The help desk or end-user support team,
– Or perhaps the server team, or a cloud operations team?

Tip 3: Know what you mean by endpoint

Another often overlooked early step in defining the problem is defining the endpoint. Yes, we all used to know what we meant when we said endpoint, but today endpoints come in many more varieties than before.

Sure, we want to protect desktops and laptops, but what about mobile devices (e.g. phones and tablets), virtual endpoints, cloud-based endpoints, or Internet of Things (IoT) devices? And what about your servers? All these devices, of course, come in multiple flavors, so platform support needs to be addressed as well (e.g. Windows only, Mac OS X, Linux, etc.?). Also, consider support for endpoints even when they are working remotely or offline. What are your needs and what are your “nice to haves”?

Tip 4: Start with a foundation of continuous visibility

Continuous visibility is a foundational capability for addressing a host of security and operational management problems on the endpoint. The old saying holds true: you cannot manage what you cannot see or measure. Further, you cannot secure what you cannot properly manage. So it needs to begin with continuous, all-the-time visibility.

Visibility is fundamental to Management and Security

And think about what visibility means. Enterprises need one source of truth that, at a minimum, monitors, stores, and analyzes the following:

– System data – events, logs, hardware state, and file system information
– User data – activity logs and behavior patterns
– Application data – attributes of installed apps and usage patterns
– Binary data – attributes of installed binaries
– Process data – process tracking details and data
– Network connection data – statistics and internal behavior of network activity on the host

Tip 5: Keep track of your visibility data

Endpoint visibility data can be stored and analyzed on premise, in the cloud, or some combination of both. There are advantages to each. The right approach varies, but is usually driven by regulatory requirements, internal privacy policies, the endpoints being monitored, and total cost considerations.

Know if your organization needs on-premise data retention

Know whether your company allows cloud-based data retention and analysis or whether you are constrained to on-premise solutions only. Within Ziften, 20-30% of our customers keep data on premise purely for regulatory reasons. However, if legally an option, the cloud can offer cost advantages (among others).

Tip 6: Know what is on your network

Understanding the problem you are trying to solve requires understanding the assets on the network. We find that as many as 30% of the endpoints we initially discover on customers’ networks are unmanaged or unknown devices. This clearly creates a huge blind spot. Reducing this blind spot is an important best practice. In fact, SANS Critical Security Controls 1 and 2 are to perform an inventory of authorized and unauthorized devices and software attached to your network. So look for NGES solutions that can fingerprint all connected devices, track software inventory and usage, and perform ongoing continuous discovery.

Tip 7: Know where you are exposed

After determining which devices you need to monitor, you need to make sure they are running up-to-date configurations. SANS Critical Security Control 3 recommends ensuring secure configuration monitoring for laptops, workstations, and servers. SANS Critical Security Control 4 recommends enabling continuous vulnerability assessment and remediation of these devices. So look for NGES solutions that provide all-the-time monitoring of the state or posture of each device, and it is even more beneficial if they can help enforce that posture.

Also look for solutions that provide continuous vulnerability assessment and remediation.

Keeping your overall endpoint environment hardened and free of critical vulnerabilities prevents a substantial number of security problems and removes a great deal of backend pressure on the IT and security operations teams.

Tip 8: Cultivate continuous detection and response

An important end goal for many NGES solutions is supporting continuous device state monitoring to enable effective threat or incident response. SANS Critical Security Control 19 recommends robust incident response and management as a best practice.

Look for NGES solutions that provide all-the-time or continuous threat detection, leveraging a network of global threat intelligence and multiple detection methods (e.g., signature, behavioral, machine learning, etc.). And look for incident response solutions that help prioritize detected threats and/or issues and provide workflow with contextual system, application, user, and network data. This can help automate the appropriate response or next steps. Finally, understand all the response actions each solution supports, and look for a solution that provides remote access that is as close as possible to “sitting at the endpoint keyboard”.

Tip 9: Consider forensics data collection

In addition to incident response, organizations should be prepared to address the need for forensic or historical data analysis. SANS Critical Security Control 6 recommends the maintenance, monitoring and analysis of all audit logs. Forensic analysis can take many forms, but a foundation of historical endpoint monitoring data will be essential to any investigation. So look for solutions that retain historical data that allows:

– Forensic tasks such as tracing lateral threat movement through the network over time,
– Pinpointing data exfiltration attempts,
– Determining the origin of breaches, and
– Determining appropriate remediation actions.
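To make the value of retained historical data concrete, here is a small added example (not code from this post or from Ziften) that combines the host, user, process and network-connection data categories from Tip 4 into one record type and uses it for the first two forensic tasks above: walking host-to-host connections forward in time from a suspected origin, and flagging large transfers to non-internal destinations. The telemetry records, host names, the 100 MB threshold and the record layout are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample of retained endpoint telemetry (not real data). Each
# record is one outbound connection observed on a monitored host, joined
# with the user and process that made it.
TELEMETRY = [
    {"ts": "2017-03-01T09:00:00", "host": "ws-101", "user": "alice",
     "process": "outlook.exe", "dst": "mail.example.net", "bytes_out": 20_000},
    {"ts": "2017-03-01T09:05:00", "host": "ws-101", "user": "alice",
     "process": "powershell.exe", "dst": "ws-117", "bytes_out": 4_096},
    {"ts": "2017-03-01T09:20:00", "host": "ws-117", "user": "svc_backup",
     "process": "wmic.exe", "dst": "srv-file01", "bytes_out": 2_048},
    {"ts": "2017-03-01T09:45:00", "host": "srv-file01", "user": "svc_backup",
     "process": "rclone.exe", "dst": "203.0.113.7", "bytes_out": 850_000_000},
    {"ts": "2017-03-01T10:00:00", "host": "ws-205", "user": "bob",
     "process": "chrome.exe", "dst": "srv-file01", "bytes_out": 30_000},
]
# Constructed asset inventory (Tip 6): hosts we consider internal/monitored.
INTERNAL_HOSTS = {"ws-101", "ws-117", "ws-205", "srv-file01"}


def _t(rec):
    return datetime.fromisoformat(rec["ts"])


def trace_lateral_movement(records, origin):
    """Follow internal host-to-host connections forward in time from `origin`.

    A hop is accepted only if its source host was already reached and the
    connection happened after the one that reached it, so unrelated traffic
    (e.g. ws-205 here) does not get pulled into the chain.
    Returns ordered hops as (src, dst, user, process, ts).
    """
    reached = {origin: None}  # host -> time it was first reached
    hops = []
    for rec in sorted(records, key=_t):
        src, dst = rec["host"], rec["dst"]
        if src not in reached or dst not in INTERNAL_HOSTS or dst in reached:
            continue
        if reached[src] is not None and _t(rec) <= reached[src]:
            continue
        reached[dst] = _t(rec)
        hops.append((src, dst, rec["user"], rec["process"], rec["ts"]))
    return hops


def exfiltration_candidates(records, threshold_bytes=100_000_000):
    """Connections to non-internal destinations moving unusually large volume."""
    return [r for r in records
            if r["dst"] not in INTERNAL_HOSTS and r["bytes_out"] >= threshold_bytes]
```

Run against the constructed records, the chain from ws-101 is ws-101 to ws-117 to srv-file01, and the only exfiltration candidate is the 850 MB transfer from srv-file01; the same two queries are only possible because the per-host history was retained rather than just the current state.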

Tip 10: Tear down the walls

IBM’s security group, which supports an impressive ecosystem of security partners, estimates that the average enterprise has 135 security tools in place and is dealing with 40 security vendors. IBM customers certainly skew to large enterprise, but it’s a common refrain (complaint) from organizations of all sizes that security solutions do not integrate properly.

And the complaint is not just that security solutions don’t play well with other security solutions, but also that they do not always integrate well with system management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations need to consider these (and other) integration points along with the vendor’s willingness to share raw data, not just metadata, through an API.

Bonus Tip 11: Plan for customizations

Here’s a bonus tip. Assume that you’ll want to customize that shiny new NGES solution soon after you get it. No solution will meet all of your requirements right out of the box, in default configurations. Find out how the solution supports:

– Custom data collection,
– Alerting and reporting with custom data,
– Custom scripting, or
– IFTTT (if this then that) functionality.

You know you’ll want new paint or new wheels on that NGES solution soon, so make sure it will support your future customization projects easily enough.

Look for support for easy customization in your NGES solution

Follow most of these tips and you’ll certainly avoid many of the common mistakes that plague others in their evaluations of NGES solutions.
