This content is part of the Essential Guide: Understanding endpoint security products, features and vendors

Essential Guide

Browse Sections
Manage Learn to apply best practices and optimize your operations.

Investing in endpoint security software: Final considerations

Before investing in an endpoint security software product, be sure your enterprise asks itself these six critical questions.

Before taking the plunge and making an endpoint security software investment, it is critical your enterprise ask itself a number of questions to ensure it gets the most bang for its buck.

Below are a few considerations to keep in mind.

Do you already have point products from different vendors deployed?

Switching from point products to an integrated endpoint security software technology can be a major ordeal if your existing point products are from multiple vendors. Switching products generally isn't too problematic if you are switching from vendor A's standalone antimalware software to the same vendor's endpoint protection software that includes the same antimalware product. However, when multiple vendors are involved, odds are the organization will have to replace one or more of the point products with a completely different technology. Again, this isn't the end of the world, but it's going to require more testing, training and overall effort than simply switching from the standalone version of an application to the integrated version of the same application. Alternately, an organization may decide to keep one or two of its point products (e.g., full disk encryption software) and not use those corresponding features offered by the endpoint protection software.

Which security capabilities are built into your endpoint operating systems?

Endpoint operating systems, such as Windows and Mac OS X, are increasingly providing native support for a variety of endpoint security capabilities. Examples include application whitelisting, device control, host-based firewalls and storage encryption. These capabilities can be particularly effective if the endpoints are part of a domain (e.g., Active Directory) that allows them to be centrally managed. If several of the security capabilities are already being provided through these means, acquiring an endpoint protection software product may largely be unnecessary; instead, buying point products for the missing capabilities may be the way to go.

Which security capabilities will you deploy first?

As previously mentioned, it's recommended that an organization deploy endpoint protection software in a phased approach, limiting both the number of endpoints running the software and the number of security capabilities being used initially. For the latter, the organization needs to choose which capabilities will be deployed first. It might be the most fundamental capabilities, such as antimalware software and host-based firewalls, or it might be the new features that don't already exist in the environment, such as endpoint data loss prevention (DLP)  or application whitelisting. Regardless of the reason for selecting certain capabilities, the organization should pay particular attention to these capabilities when evaluating possible products to help support the success of the initial deployment.

How will you secure your major applications?

Most endpoint protection software doesn't provide application-specific protections, such as antispam and Web content filtering. Because so many attacks come through email or Web traffic, it is critical to ensure these security capabilities are present, either in the endpoint itself or on the organization's networks, such as antispam running on organization email servers and Web security gateways running on internal networks. However, if an organization's endpoints are mobile -- and odds are some or most are -- then controls such as Web security gateways won't help unless external traffic from the endpoints is tunneled onto the organization's network so it can be examined there. In short, make sure you're looking at the whole product and not focusing on just a single piece of software when considering application security.

Will you be deploying it to your mobile devices?

Endpoint protection software is increasingly supporting smartphones and tablets. At the same time, smartphones and tablets keep becoming more like laptops; for example, some of the Microsoft mobile devices run the same version of the operating system as laptops do. It is becoming increasingly important -- especially for these devices with laptop-like operating systems -- to protect them from the same threats that desktops and laptops face. Unfortunately, at this time, the security controls available for mobile devices are still fairly immature. Before purchasing any endpoint protection software, if you're planning on using it to support mobile devices, be sure to test its mobile device support thoroughly. Additionally, consider whether a full-fledged enterprise mobile device management technology would be more effective than endpoint protection software. Both classes of products have somewhat similar capabilities, but enterprise MDM is more likely to provide robust support for mobile platforms.

What resources are required?

Estimating how much effort will be needed to design, deploy, maintain and monitor endpoint security software is challenging because it has so many different components, each of which involves its own level of effort. There are several reasons for this, including the amount of tuning needed for each component and the relationship each one has to the organization's policies. For example, deploying a host-based firewall may be relatively straightforward because an organization's policies permit all internally initiated communications and prohibit all externally initiated communications destined for internal endpoints. However, implementing endpoint DLP may be extremely resource-intensive because of the complexity of DLP policies needed to implement the organization's policies regarding the handling of its sensitive data. DLP policies necessitate significant resources, not only to implement the policies, but also to monitor them over time and continue to tune them to improve detection and prevention performance. An important part of evaluating endpoint protection software is estimating the level of effort that will be needed to support it, and ensuring the necessary qualified personnel are dedicated to the task.

About the author:
Karen Scarfone is senior cybersecurity engineer at tapestry technologies Inc. and the principal consultant for Scarfone Cybersecurity in Clifton, Virginia. She provides cybersecurity publication consulting services, specializing in network and system security guidelines. Scarfone was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST), where she oversaw the development of system and network security publications for federal civilian agencies and the public.

Next Steps

Uncover considerations for cloud endpoint security services

Get help creating a network endpoint security policy for hostile endpoints

This was last published in January 2015

Dig Deeper on Endpoint protection and client security