Say “Small Footprint” Again. I Dare You, I Double Dare You.

During the past 18 months or so, we have seen the emergence of innovative endpoint security solutions. The list is long; it is hard to keep track of all the solutions in the space. In no particular order, here is a sampling:  Bromium, Invincea, IBM Trusteer, Cylance, Palo Alto Networks Next-Gen Endpoint Protection (Cyvera), Microsoft Enhanced Mitigation Experience Toolkit (EMET), Bit9 + Carbon Black, Confer, CounterTack Sentinel, Cybereason, CrowdStrike Falcon Host, Guidance Software Cybersecurity, Hexis HawkEye G, FireEye HX, Triumfant, Tanium, and Verdasys Digital Guardian. 

I take many briefings from these types of vendors (primarily the ones I cover in Forrester’s Endpoint Visibility and Control category) and within the first 5 minutes of the conversation, the vendor mentions that their solution has a “small footprint.”  The use of this phrase is the equivalent of nails scratching their way across a chalkboard for me. When was the last time you heard anyone say that they have a “large footprint?” Please provide more information: Do you run in user or kernel land? What are the impacts to utilization? Even if a vendor truly has a “small footprint,” when that new agent is deployed to a host that already has four or five agents running, the collective footprint is far from small.
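One way to replace “small footprint” with a number is to measure the agents already on the host. The script below is an added example and is not part of the original post or any vendor's tooling: it parses a Windows `tasklist /FO CSV` snapshot (a constructed sample is embedded), attributes processes to the security agents installed on the machine, and reports the memory each agent uses and the collective total against a budget. The process names (`agent_a_svc.exe` and so on) and agent labels are hypothetical placeholders; on a real host you would replace the mapping with the image names your own agents run under.

```python
"""Collective endpoint-agent footprint check.

Added example, not code from the original post. Parses a Windows
`tasklist /FO CSV` snapshot, maps processes to the agents installed on
the host, and reports per-agent and collective working-set memory.
"""
import csv
import io
from collections import defaultdict

# Constructed sample of `tasklist /FO CSV` output. The agent process
# names below are hypothetical placeholders, not real products.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","8 K"
"explorer.exe","4120","Console","1","98,304 K"
"agent_a_svc.exe","1304","Services","0","112,640 K"
"agent_a_ui.exe","5560","Console","1","45,056 K"
"agent_b_scan.exe","2208","Services","0","256,000 K"
"agent_c_sensor.exe","3012","Services","0","32,768 K"
"agent_c_helper.exe","3020","Services","0","18,432 K"
"chrome.exe","6100","Console","1","310,272 K"
'''

# Hypothetical mapping from process image name (lower-case) to the
# agent it belongs to. One product usually runs several processes.
AGENT_PROCESSES = {
    "agent_a_svc.exe": "Agent A (AV)",
    "agent_a_ui.exe": "Agent A (AV)",
    "agent_b_scan.exe": "Agent B (DLP)",
    "agent_c_sensor.exe": "Agent C (EVC sensor)",
    "agent_c_helper.exe": "Agent C (EVC sensor)",
}


def parse_mem_kb(field: str) -> int:
    """Turn a tasklist memory field such as '112,640 K' into an integer KB."""
    digits = field.strip().rstrip("K").strip().replace(",", "")
    return int(digits)


def parse_tasklist_csv(text: str) -> list:
    """Parse tasklist CSV text into dicts with 'image', 'pid' and 'mem_kb'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "image": row["Image Name"],
            "pid": int(row["PID"]),
            "mem_kb": parse_mem_kb(row["Mem Usage"]),
        })
    return rows


def agent_footprint(rows, agent_map):
    """Aggregate working-set memory per agent and across all agents.

    Returns (per_agent_kb, collective_kb). Processes not in agent_map are
    the user's own workload and are ignored.
    """
    per_agent = defaultdict(int)
    for r in rows:
        agent = agent_map.get(r["image"].lower())
        if agent:
            per_agent[agent] += r["mem_kb"]
    return dict(per_agent), sum(per_agent.values())


def over_budget(collective_kb: int, budget_kb: int) -> bool:
    """True when the stacked agents exceed the memory budget set for them."""
    return collective_kb > budget_kb


if __name__ == "__main__":
    rows = parse_tasklist_csv(SAMPLE_TASKLIST)
    per_agent, total = agent_footprint(rows, AGENT_PROCESSES)
    for name, kb in sorted(per_agent.items(), key=lambda kv: -kv[1]):
        print(f"{name:25s} {kb / 1024:8.1f} MB")
    print(f"{'collective':25s} {total / 1024:8.1f} MB")
    # Example budget: 256 MB of working set across all security agents.
    if over_budget(total, 256 * 1024):
        print("collective footprint exceeds budget")
```

Memory is the easy part; `tasklist` does not report CPU, and a kernel-mode component shows up as a driver rather than a process, so a full answer to “user or kernel land, and what does it cost?” also needs performance-counter data and a look at the loaded drivers. Even so, summing the agents already present before a new one lands is the check that turns the vendor's adjective into a figure you can compare against a budget.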

I am a recovering endpoint security administrator; I am very familiar with the challenges and nuances of operationalizing endpoint security. At various points in my practitioner career I managed: McAfee VirusScan, McAfee Host DLP, SafeBoot encryption (now McAfee), Guidance Software EnCase servlets, Configuresoft (now EMC) agents, as well as Identity Finder DLP agents. My experiences managing these types of solutions are the reason the comment "small footprint" causes me so much angst. It casually minimizes the struggles of endpoint security. 

Digging a bit deeper:

  • A “small footprint” that beats the user into submission isn’t the right answer either. These endpoint solutions must not negatively affect the user experience. You can have the most effective security control, but if it is so intrusive that employees can’t work, it won’t be in production for very long. Remember Host Intrusion Prevention Systems (HIPS)? These new endpoint solutions must demonstrate that they can be effective AND transparent to users.
  • The user experience isn’t the only perspective that you need to consider; the administrator’s experience operationalizing the solution is also important. Dashboards and an intuitive user interface enhance operational effectiveness. Scalability is another important consideration: deploying a solution to 100 endpoints is one thing; deploying a solution to 100,000 endpoints is an entirely different matter. Once again, you can have the most effective security control, but if you cannot actually deploy and manage it, you have invested in the equivalent of vaporware.
  • Some of the solutions above focus on prevention (e.g. Bromium, Cylance, Invincea, Palo Alto Networks Next-Gen Endpoint Protection). The logic is that if you can prevent, why waste time with visibility and response? Remember, to be effective within your organization, prevention must meet the two requirements I just mentioned. I want prevention to work, I really do. It is particularly important for organizations that simply don't have the resources for detection and response. Prevention is ideal, but working under the assumption that determined adversaries will find a way to circumvent your controls, visibility is also important. This is where the EVC solutions come into play.
  • Just because one of the new endpoint solutions markets itself as being able to stop zero-day exploitation, it doesn't mean that you are safe. The adversary might target the prevention solution itself. The attacks against Microsoft EMET are a perfect example. EMET uses techniques to prevent exploits related to memory corruption, making it harder for attackers to find and exploit vulnerabilities. It is a popular target; most recently, Offensive Security researchers were able to disable all of its protections. Remember, if something runs code, it can be exploited.

Chris Sherman and I have written several pieces of research designed to help Forrester clients navigate the new endpoint security landscape. There is more to come in the future. 

Forrester's definition of EVC: Endpoint visibility and control (EVC) seeks to provide detailed visibility into activity occurring on the endpoint. EVC solutions can provide details on endpoint process executions, application/file/registry modifications, network activity, active memory, as well as kernel-driver activity. Some EVC solutions provide visibility only, while others also provide the ability to contain malicious endpoint behavior.


Walk quietly and carry a big stick

Good post, Rick. Hopefully the industry can start to engage in more meaningful discussions, but it will take collaboration to define these criteria. Bromium CTO Simon Crosby has blogged about it a bit more here:

Thanks for the comment

Thanks for the comment Clinton.

Staying out of the kernel helps.

Hi Rick,
I think you are very much on point.
For any product to truly be "low footprint" it has to be imperceptible to the user, easy to deploy and easy to maintain at any scale.
And for that to happen you have to design it with all those things in mind.

"First, do no harm" - before you can protect your users you have to make sure you yourself do not interfere with their activity.

This is why we stayed out of the kernel when we implemented our silent sensor. The worst thing you can do is start randomly crashing users' machines. Even Microsoft sometimes causes crashes (like in last week's updates) when they are deep in the OS.

If you actively bind the operations of a process you put your users at risk - I think every vendor should strive to reduce that risk.

It may be harder to provide full visibility and keep away from that tempting deep dive - so we must do what is hard(er) and find ways to get the same data without writing yet another driver.

If you know your Windows internals and take the time to dive into all that the OS has to offer, it turns out you can keep your users safe and keep to that very important rule - do no harm.