Although it is critical to secure endpoints against today's threats, an endpoint protection software product is not always the optimal choice for a particular environment. Many organizations already have significant investments -- both in software and in expertise -- in their existing point technologies, such as antimalware software from one vendor and endpoint data loss prevention (DLP) software from another. Point products also have distinct advantages, such as letting an organization acquire the "best of breed" technology for each security capability.
Another reason endpoint protection software may not be appropriate is that the organization may not be able to take full advantage of what it offers. For example, an organization's security posture and limited resources might preclude it from using endpoint DLP, enterprise mobile device management (MDM) and other newer capabilities that endpoint protection software products support. Such an organization could waste significant money paying for endpoint protection software it cannot fully use; purchasing and supporting only the needed point products may be a better and much less expensive option.
What makes endpoint protection software technologies generally more attractive than point products is the integrated capabilities that they can provide. Note that "can" is the operative word here -- some endpoint protection software suites comprise several point products loosely integrated with each other, bundled under a single name but really functioning as separate products. This is not much of an improvement over acquiring each point product separately. Part of the evaluation of any prospective endpoint protection software should be a careful examination of how well its components are integrated. Ideally there should be a single interface for managing all of them, and technical integration between related components (e.g., endpoint DLP and device control working together to prevent sensitive data from being copied to removable media). If this integration is lacking -- for example, when a vendor has purchased or licensed other vendors' products without taking a holistic approach to integrating them with each other -- it may be wise to investigate other, more highly integrated endpoint protection software products.
Whether an organization selects an endpoint protection software technology or a set of point products, it is inevitable that incidents will occur. No security product is 100% effective, not even endpoint protection software with all the varied security capabilities it provides. Also, some capabilities essential for endpoint security, such as patch management, lie outside what endpoint protection software offers. However, an endpoint protection software product is the single most effective endpoint security control of those currently available. In combination with patch management and application-specific security controls (e.g., antispam for email, Web content filtering for Web browsing), endpoint protection software can stop most of today's threats against endpoints.
What remains for organizations to deal with is twofold. Some incidents occur because of user error, such as being tricked by a malicious email message (e.g., spam, phishing). This is best dealt with by conducting training and awareness activities for users to help them better understand security, know their roles and responsibilities, and learn how they should act under various circumstances. Other incidents happen not because of users, but because of shortcomings in the endpoint protection software itself. For example, there may be a zero-day vulnerability in software on an endpoint, and an attacker may be able to exploit it using methods the endpoint protection software does not readily detect. This is more likely when not all components of the endpoint protection software are deployed -- for example, if application whitelisting is not being used. As a result, organizations need to give serious consideration to using all of the security capabilities that endpoint protection software can provide. Implementing all of these capabilities at one time is generally not reasonable, especially because some of them (endpoint DLP, host-based intrusion detection/prevention systems, host-based firewalls, etc.) can require significant fine-tuning to reduce false positives and false negatives. Deploying all the capabilities at once and automatically blocking anything identified as suspicious is a recipe for disaster.
Instead, endpoint protection software should be deployed in phases, gradually increasing both its coverage and the capabilities enabled so that operational problems surface on a small scale, where they are easier to identify and correct. Scalability is also a concern -- the more components of the endpoint protection software product that are active, the more resources are needed on the endpoints, on the management servers and on the networks between them. Before selecting a product, it is prudent to stress test it on real endpoints to see how much performance may be affected.
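The phased approach above usually means running a new capability in audit (log-only) mode on a pilot group first, having analysts triage what it fires on, and promoting a rule to block mode only once its benign-hit rate is acceptable. The script below is an added example illustrating that gate; it is not code from any endpoint protection product. The rule names, the pilot events, the triage verdicts and the thresholds are all constructed for illustration.

```python
"""Gate for promoting endpoint protection rules from audit mode to block mode.

Added example. The rule names, pilot telemetry, triage verdicts and thresholds
below are constructed for illustration and do not come from any real product.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    rule: str      # hypothetical rule that fired, e.g. "hips_shell_spawn"
    benign: bool   # analyst triage verdict: True = legitimate activity


# Constructed pilot telemetry: every rule ran in audit mode on a small host
# group, so nothing was blocked and each hit could be reviewed by an analyst.
PILOT_EVENTS = [
    Event("ws01", "av_signature", False),
    Event("ws02", "av_signature", False),
    Event("ws03", "av_signature", False),
    Event("ws01", "hips_shell_spawn", True),    # admin logon script, legitimate
    Event("ws03", "hips_shell_spawn", True),
    Event("ws04", "hips_shell_spawn", False),
    Event("ws02", "dlp_usb_copy", True),        # backup to company-issued USB
    Event("ws03", "dlp_usb_copy", True),
    Event("ws05", "dlp_usb_copy", True),
    Event("ws06", "dlp_usb_copy", False),
    Event("ws01", "fw_inbound_rdp", True),      # help desk remote session
    Event("ws07", "fw_inbound_rdp", False),
    Event("ws08", "fw_inbound_rdp", False),
    Event("ws09", "fw_inbound_rdp", False),
    Event("ws02", "hips_lsass_access", False),  # fired only once in the pilot
]


def false_positive_rates(events):
    """Per-rule share of audit-mode hits that triage marked benign."""
    hits = defaultdict(lambda: [0, 0])   # rule -> [benign hits, total hits]
    for e in events:
        hits[e.rule][1] += 1
        if e.benign:
            hits[e.rule][0] += 1
    return {rule: benign / total for rule, (benign, total) in hits.items()}


def promotion_plan(events, max_fp_rate=0.25, min_hits=3):
    """Decide which rules may move from audit to block in the next rollout ring.

    A rule is promoted only if it fired often enough in the pilot to be judged
    (min_hits) and its benign share is at or below max_fp_rate. Everything else
    stays in audit mode for further tuning, so a noisy rule never starts
    blocking legitimate work across the whole fleet at once.
    """
    counts = defaultdict(int)
    for e in events:
        counts[e.rule] += 1
    plan = {}
    for rule, rate in false_positive_rates(events).items():
        if counts[rule] < min_hits:
            plan[rule] = "audit (insufficient data)"
        elif rate <= max_fp_rate:
            plan[rule] = "block"
        else:
            plan[rule] = "audit (tune: %.0f%% benign)" % (rate * 100)
    return plan


if __name__ == "__main__":
    for rule, decision in sorted(promotion_plan(PILOT_EVENTS).items()):
        print(f"{rule:18s} {decision}")
```

With the constructed data, only the signature rule and the inbound RDP rule clear the gate; the HIPS shell-spawn and USB-copy rules are mostly hitting legitimate admin and backup activity and stay in audit mode until they are tuned, and the rule that fired once is held back for lack of evidence either way. The thresholds are deliberately conservative; in practice they would be set per capability and per rollout ring.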
It's not so much a question of whether your organization is ready for endpoint protection software -- virtually every endpoint needs to be running antimalware software, a host-based firewall and other capabilities available in endpoint protection software.
It's more a question of whether a set of point products or an integrated endpoint protection software is the way to go.
One final consideration is the operating systems on which an organization's endpoints run. It may not be possible to find a single endpoint protection software product that supports all of your organization's operating system variants and versions. This may necessitate acquiring multiple endpoint protection software technologies or updating or replacing endpoints so that they run supported operating system versions. Neither of these choices should be taken lightly; both have serious repercussions.
About the author:
Karen Scarfone is senior cybersecurity engineer at Tapestry Technologies Inc. and the principal consultant for Scarfone Cybersecurity in Clifton, Virginia. She provides cybersecurity publication consulting services, specializing in network and system security guidelines. Scarfone was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST), where she oversaw the development of system and network security publications for federal civilian agencies and the public.