Even products that only offer some of the possible endpoint protection software capabilities can still be very effective at stopping threats, which ultimately means fewer successful attacks. Endpoint security has reached a point where it has become a necessity to use an integrated endpoint protection software suite instead of stove-piped standalone technologies. Small businesses with a limited threat profile may do well with more lightweight products, such as those that focus on malware prevention and email-based threats. Larger enterprises, however, are almost certain to need the full range of capabilities that endpoint protection software provides today and will provide in the foreseeable future.
The business benefits of endpoint protection software can be organized into the following categories: decreasing the number of data breaches and other incidents, easing the deployment of new security technologies, reducing costs and blocking unwanted activity.
Decrease data breaches and other incidents
Having a single integrated endpoint security suite means endpoint protection software should provide more effective and efficient prevention and detection capabilities than its standalone counterparts would. This leads to reduced opportunities for exploitation and ultimately fewer data breaches and other incidents within an organization. Prevention and detection are more efficient because the content of interest -- the Web request, email message, file write -- is analyzed in many ways in one session, not separately several times in succession. There is a great deal of overhead involved in analysis -- in parsing protocols, file formats and other ways that data is stored or transmitted. Using a fully integrated product eliminates most of this overhead, allowing it to be incurred once instead of several times for each piece of content.
Effectiveness is another important aspect of having a single integrated product. Ideally, the various capabilities within a product can collaborate with each other, particularly to identify unknown threats. Imagine that a new form of malware, previously unseen, attempts to enter an endpoint. The antimalware software may not be able to detect it on its own because it is primarily signature-based, but the endpoint protection software may notice suspicious attempts to transfer sensitive data to a known malicious website. This activity might be detected by a combination of the host-based firewall, endpoint DLP software and application whitelisting (in monitoring mode). By correlating security events seen by the various individual detection capabilities, the endpoint protection software can identify malicious events that no single capability can properly recognize on its own.
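The correlation described above, as an added example that is not code from the original article or from any particular product: a small rule that groups events from three sensors (application whitelisting in monitoring mode, endpoint DLP and the host firewall) by host and process, and raises a single high-severity alert only when all three signals appear for the same process within a short window. The sensor names, event fields, time window and the sample events are all constructed for illustration.

```python
"""Cross-capability event correlation on a single endpoint.

Added example (not from the original article). Each of the three events for
pid 4242 below is something an individual sensor would at most log: an
unknown binary ran (whitelisting is in monitoring mode, so it is not blocked),
a process read a confidential file (users do this all day), and a process made
an outbound connection. Only the combination identifies likely exfiltration.
Event shapes, sensor names and sample events are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sensors on the same host. In a real
# suite these would arrive on the product's own event bus.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:01", "sensor": "whitelist", "host": "ws01",
     "pid": 4242, "image": "C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe",
     "action": "unknown_binary_executed"},
    {"ts": "2024-05-01T10:00:03", "sensor": "dlp", "host": "ws01",
     "pid": 4242, "action": "sensitive_file_read",
     "file": "C:\\Finance\\payroll.xlsx", "classification": "confidential"},
    {"ts": "2024-05-01T10:00:05", "sensor": "firewall", "host": "ws01",
     "pid": 4242, "action": "outbound_connection",
     "dst": "203.0.113.10", "dst_reputation": "malicious"},
    # Benign noise: a whitelisted browser talking to a clean destination.
    {"ts": "2024-05-01T10:00:07", "sensor": "firewall", "host": "ws01",
     "pid": 1000, "action": "outbound_connection",
     "dst": "198.51.100.5", "dst_reputation": "clean"},
]

WINDOW = timedelta(minutes=5)  # assumed correlation window


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate(events, window=WINDOW):
    """Group events by (host, pid) and flag a process that, within `window`
    of its first event, (1) was not on the whitelist, (2) read sensitive data
    and (3) connected to a destination with a bad reputation."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["host"], e["pid"])].append(e)

    alerts = []
    for (host, pid), evs in by_proc.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        first = _parse(evs[0]["ts"])
        in_window = [e for e in evs if _parse(e["ts"]) - first <= window]

        unknown = any(e["sensor"] == "whitelist"
                      and e["action"] == "unknown_binary_executed"
                      for e in in_window)
        read_sensitive = any(e["sensor"] == "dlp"
                             and e["action"] == "sensitive_file_read"
                             for e in in_window)
        bad_dst = any(e["sensor"] == "firewall"
                      and e["action"] == "outbound_connection"
                      and e.get("dst_reputation") == "malicious"
                      for e in in_window)

        if unknown and read_sensitive and bad_dst:
            alerts.append({"host": host, "pid": pid, "severity": "high",
                           "rule": "unknown-binary-exfil",
                           "evidence": [e["sensor"] for e in in_window]})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

The window matters: the same three events spread over twenty minutes would not fire this rule, which is the usual trade-off between missing slow exfiltration and alerting on coincidences. A product with a shared event store can tune that window per rule rather than per standalone tool.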
Another important facet of endpoint protection software is that it provides so many varied security capabilities. It provides a layered defense-in-depth solution all on its own. Each capability that it provides is effective against different types of threats, so when an organization combines all of those capabilities, it is addressing a much wider range of threats than any single capability product could address on its own.
Ease deployment of new security technologies
Having many capabilities integrated into a single product can significantly ease deployment of new security technologies. Over time, endpoint protection software typically adds new capabilities; some of the most recent include endpoint DLP, application whitelisting and enterprise mobile device management. Taking advantage of these emerging security technologies does not require acquisition and deployment of a completely new product, but rather simply configuring and enabling a new feature in the existing endpoint protection software deployment.
Organizations can therefore adopt new security capabilities much more quickly and easily than was previously possible, and can do so ahead of organizations that are slower to adopt integrated endpoint security suites.
Reduce costs
Generally speaking, it's going to be less expensive to buy one product (endpoint protection software) than to buy all of its equivalent components separately. This does not just include the software cost itself, but also the infrastructure supporting the software. Assuming that the endpoint protection software is fully integrated, in a smaller organization it could run on a single server (more likely on two servers for redundancy). Imagine how many separate servers might be needed if the software were purchased as standalone components. In larger organizations, the products will need to be scalable anyway, so an organization can simply deploy another instance of the endpoint protection software server if it needs more processing power. This is much simpler than having to monitor the performance of several different server products and manage the scalability of each one separately.
The reduction in labor from using an integrated product may also be significant. Security administrators have a single management interface for all of these disparate endpoint security capabilities instead of a separate interface for each of them. Typical maintenance processes such as applying patches to the endpoint protection software should be significantly simpler and faster with an integrated technology. Incident investigation will also be streamlined because there is a single interface for all of the events monitored by the software.
Block unwanted activity
Many data breaches stem from inadvertent actions rather than intentional behavior. Users, for example, may be in the habit of copying important files onto a USB flash drive as backups, without realizing that consumer flash drives are inherently insecure (not encrypted, not requiring authentication before use, etc.). Copying sensitive data to a flash drive may not be a direct data breach in and of itself, but it is a policy violation (and quite possibly a regulatory violation, depending on the type of data) and could eventually lead to a data breach, especially if the flash drive is lost or stolen.
Endpoint protection software, primarily through its device control and DLP capabilities, can detect and stop such "data leaks" before they occur, long before a breach is possible. This reduces the sprawl of sensitive data, giving the organization fewer instances to protect and to audit. Endpoint protection software can even educate the user on what the nature of the policy violation is, helping the user to understand what's wrong and how it should be addressed.
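The device control and DLP decision described in the two paragraphs above, as an added example that is not code from the original article or from any product: a content classifier combined with a device inventory that allows, blocks, or allows with a user notice depending on what the file contains and where it is going. The device records, the regular-expression classifiers, the policy rules and the sample content are all constructed for illustration; real agents obtain device attributes from the operating system and use far richer classifiers.

```python
"""Device control plus content-aware DLP for removable media.

Added example (not from the original article). evaluate_copy() decides what
happens when a user copies `content` to `dest_path`: plain files go anywhere,
sensitive files may go to internal disks or to approved encrypted removable
media (with a notice that educates the user), and are blocked from anything
else with a message explaining the policy. Devices, patterns and rules are
constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    path: str
    removable: bool
    encrypted: bool   # e.g. hardware-encrypted or a managed encrypted volume
    approved: bool    # on the organization's managed-device allowlist


# Constructed device inventory; an agent would obtain this from the OS.
DEVICES = {
    "C:\\": Device("C:\\", removable=False, encrypted=True, approved=True),
    "E:\\": Device("E:\\", removable=True, encrypted=False, approved=False),
    "F:\\": Device("F:\\", removable=True, encrypted=True, approved=True),
}

# Illustrative content classifiers, not production-grade detectors.
CLASSIFIERS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "confidential_marker": re.compile(r"CONFIDENTIAL", re.IGNORECASE),
}


def classify(content: str) -> set:
    """Return the set of sensitive-data labels found in `content`."""
    return {label for label, rx in CLASSIFIERS.items() if rx.search(content)}


def device_for(dest_path: str) -> Device:
    """Look up the device a Windows-style destination path lands on
    (assumes drive-letter roots such as 'E:\\')."""
    return DEVICES[dest_path[:3]]


def evaluate_copy(content: str, dest_path: str) -> dict:
    """Return {'action': 'allow' | 'allow_with_notice' | 'block', ...}."""
    labels = classify(content)
    dev = device_for(dest_path)
    found = ", ".join(sorted(labels))

    if not labels:
        return {"action": "allow", "labels": set(),
                "reason": "no sensitive content"}
    if not dev.removable:
        return {"action": "allow", "labels": labels,
                "reason": "internal fixed disk"}
    if dev.encrypted and dev.approved:
        return {"action": "allow_with_notice", "labels": labels,
                "reason": "approved encrypted removable media",
                "notice": f"Note: this file contains {found}; keep the "
                          "device in your possession and return it when done."}
    return {"action": "block", "labels": labels,
            "reason": "sensitive content to unencrypted or unapproved "
                      "removable media",
            "notice": f"Blocked: this file contains {found}. Policy requires "
                      "an approved encrypted device; use a managed drive or "
                      "the file share instead."}


if __name__ == "__main__":
    print(evaluate_copy("Employee SSN 123-45-6789", "E:\\backup\\hr.txt"))
    print(evaluate_copy("Employee SSN 123-45-6789", "F:\\backup\\hr.txt"))
```

The block decision and the notice come from the same policy evaluation, which is what lets the product tell the user why the copy failed and what to do instead, rather than silently failing the write.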
About the author:
Karen Scarfone is senior cybersecurity engineer at tapestry technologies Inc. and the principal consultant for Scarfone Cybersecurity in Clifton, Virginia. She provides cybersecurity publication consulting services, specializing in network and system security guidelines. Scarfone was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST), where she oversaw the development of system and network security publications for federal civilian agencies and the public.