If you’ve been to a security conference in the last year you’ve probably seen more than 20 different vendors all talking about endpoint security. Some might be talking about next generation anti-virus, endpoint detection and response, and even the much lauded machine learning. How do you cut through the clutter and noise to find what you are looking for?
Next generation endpoint security (NGES) is the convergence of multiple technologies. When I talk to customers about what’s missing in their AV, they say it doesn’t do a good job of showing anything after the fact, so they picked up an endpoint detection and response (EDR) tool. Now they have the insight they need, but have an additional technology they need to learn to use, another console to use that doesn’t tie in with their existing infrastructure, and another vendor to manage. NGES is designed to provide protection, detection, and response capabilities in an integrated solution. We leverage the cloud to perform all the heavy analytics so it doesn’t affect system performance.
Can we agree on why anti-virus is no longer effective?
- Detection: or more aptly, our belief in the lack thereof. However, we don’t know what we don’t know and that means if your endpoint security is missing something, you have no idea. This is why you need something that not only inspects files at point-of-entry onto the endpoint, but also looks at file activity in a sandbox, and continuously analyzes file behavior once they’re on the endpoint to rapidly detect malicious behavior when it happens. One detection mechanism alone isn’t going to cut it.
- Bloat: Unless you’ve already adopted a cloud based solution, much of the analysis from legacy antivirus is being done on the endpoint. And rescans are process intensive. Additionally, many organization have multiple endpoint tools running alongside each other. That’s bad. You and all the employees in your company have a job to do. Slowing endpoints to a crawl while something is being analyzed in the background by multiple tools just causes frustration, and the belief that it’s the system’s fault. Cue the “My computer is running really slow” IT ticket!
- Visibility: The lack of visibility is probably the biggest problem with most legacy endpoint security technologies out there. They don’t provide security teams with a comprehensive view of file or user activity over time, across all of their endpoints. You can’t stop what you can’t see. The defense in depth models persists today because attackers are always finding new and innovative ways to get their hands on your data.
- Alert Fatigue and False Positives: How many alerts do you have to deal with each day? Are the alerts prioritized or correlated to tell the whole story? If the answers to those questions are “way too much; and no…” then alerts have become more of a hindrance than what they should be—a first responder to help you contain and eliminate threats, and inform your security decision-making.
There is a reason the defense in depth model still exists today. Attackers are always finding new and innovative ways to get their hands on your data.
So what’s really an effective strategy?
Cut the fat
Agent bloat doesn’t have to be an issue anymore. First of all, get a solution that does the analysis in the cloud – either public or private. Your users will thank you. Second, consolidate the bulk of endpoint security tools into one. When smartphones came along, they could still do everything your old flip phone could – make calls, text, tell time. They also gave you capabilities you never had before – web browsing, email, applications, video calls. Next generation endpoint security brings together a lot of what you know with new protection, detection, and response techniques.
The integrated approach
This has long been accepted as a best practice in many industries. For example, cars have anti-lock brakes, seat belts, air bags, tire-pressure monitoring, lane-departure warning systems, blind-spot detection, the list goes on. If you relied solely on one of these, you create a single point of failure. Don’t rely on a single detection engine or method. It creates a single point of failure in your endpoint security. It’s not worth it. Having multiple detection engines all working together in one solution, is critical.
…One last thing
Machine Learning has been a hot topic this year. Between random forest and super forest techniques (read: Using Decision Forests to Detect Advanced Threats), these are detection techniques, not a silver bullet. Cisco uses machine learning in many different ways. We recently launched Encrypted Traffic Analytics where we apply machine learning to detect malware in encrypted network traffic. We use it inside AMP for Endpoints to analyze web traffic and to pinpoint malware operating inside a network. It’s one of the techniques we use, but it’s not a silver bullet.
Want to see NGES in action? Check out this video:
https://www.youtube.com/watch?v=mzw_x35o03w
Test your security for free and get ahead of ransomware with a free trail of Next Generation Endpoint Security here.
The visibility and simplicity of implementing AMP for Endpoints makes it a winning product with most partners. Great article!