Posted by Rick Holland on July 24, 2014
During the past 18 months or so, we have seen the emergence of innovative endpoint security solutions. The list is long; it is hard to keep track of all the solutions in the space. In no particular order, here is a sampling: Bromium, Invincea, IBM Trusteer, Cylance, Palo Alto Networks Next-Gen Endpoint Protection (Cyvera), Microsoft Enhanced Mitigation Experience Toolkit (EMET), Bit9 + Carbon Black, Confer, CounterTack Sentinel, Cybereason, CrowdStrike Falcon Host, Guidance Software Cybersecurity, Hexis HawkEye G, FireEye HX, Triumfant, Tanium, and Verdasys Digital Guardian.
I take many briefings from these types of vendors (primarily the ones I cover in Forrester’s Endpoint Visibility and Control category) and within the first 5 minutes of the conversation, the vendor mentions that their solution has a “small footprint.” The use of this phrase is the equivalent of nails scratching their way across a chalkboard for me. When was the last time you heard anyone say that they have a “large footprint?” Please provide more information: Do you run in user or kernel land? What are the impacts to utilization? Even if a vendor truly has a “small footprint,” when that new agent is deployed to a host that already has four or five agents running, the collective footprint is far from small.
I am a recovering endpoint security administrator; I am very familiar with the challenges and nuances of operationalizing endpoint security. At various points in my practitioner career I managed: McAfee VirusScan, McAfee Host DLP, SafeBoot encryption (now McAfee), Guidance Software EnCase servlets, Configuresoft (now EMC) agents, as well as Identity Finder DLP agents. My experiences managing these types of solutions are the reason the comment "small footprint" causes me so much angst. It casually minimizes the struggles of endpoint security.
Digging a bit deeper:
- A “small footprint” that beats the user into submission isn’t the right answer either. These endpoint solutions must not negatively affect the user experience. You can have the most effective security control, but if it is so intrusive that employees can’t work, it won’t be in production for very long. Remember Host Intrusion Prevention system (HIPS?) These new endpoint solutions must demonstrate that they can be effective AND transparent to users.
- The user experience isn’t the only perspective that you need to consider; the administrator’s experience operationalizing the solution is also important. Dashboards and an intuitive user interface enhance operational effectiveness. Scalability is another important consideration: Deploying a solution to 100 endpoints is one thing, deploying a solution to 100,000 endpoints is an entirely different matter. Once again you can have the most effective security control, but if you cannot actually deploy and manage it you have invested the equivalent of vaporware.
- Some of the solutions above focus on prevention (e.g. Bromium, Cylance, Invincea, Palo Alto Networks Next-Gen Endpoint Protection). The logic is that if you can prevent then why waste time with visibility and response? Remember, to be effective within your organization, prevention must meet the two requirements I just mentioned. I want prevention to work, I really do. It is particularly important for organizations that simply don't have the resources for detection and response. Prevention is ideal, but working under the assumption that determined adversaries will find a way to circumvent your controls, visibility is also important. This is where the EVC solutions come into play.
- Just because one of the new endpoint solutions markets itself as being able to stop zero day exploitation, it doesn't mean that you are safe. The adversary might target the prevention solution itself. The attacks against Microsoft EMET are a perfect example. EMET uses techniques to prevent exploits related to memory corruption, making it harder for attackers to find and exploit vulnerabilities. It is a popular target; most recently Offensive Security researchers were able to disable all of its protections. Remember, if something runs code, it can be exploited.
Chris Sherman and I have written several pieces of research designed to help Forrester clients navigate the new endpoint security landscape. There is more to come in the future.
- Prepare For The Post-AV Era Part 1: Five Alternatives To Endpoint Antivirus
- Prepare For The Post-AV Era Part 2: Layer Your Endpoint Security Tools For Max Protection
- Targeted-Attack Hierarchy Of Needs, Part 1
- Targeted-Attack Hierarchy Of Needs, Part 2
Forrester's definition of EVC: Endpoint visibility and control (EVC) seeks to provide detailed visibility into activity occurring on the endpoint. EVC solutions can provide details on endpoint process executions, application/file/registry modifications, network activity, active memory, as well as kernel-driver activity. Some EVC solutions provide visibility only, while others also provide the ability to contain malicious endpoint behavior.