Endpoint Security – Cutting Through the Complexity With Clear-Cut Requirements

Alex Haynes
CISO   IBS Software

Endpoint security has evolved drastically over the past 10 years. While previously it only referred to
‘anti-virus’ and typically only on workstations, endpoint security has been replaced by a bewildering array of options that can do dozens of things. With the increase in options, we naturally get an increase in complexity, and combine this with new solutions being labelled with new acronyms (a lot of these vendor driven) and it is completely normal to feel a bit lost in the acronyms and what they actually represent.

Let’s start at the basics. Endpoints now refers to any end user device, such as mobile devices, workstations or laptops, and can also refer to servers connected to company infrastructure. While previously, the only endpoint security product available was the humble ‘anti-virus’ – this was a mainstay of most devices and was signature based with everything that entails – it required regular connectivity for regular signature updates and performed regular scanning. These are still in use today and are more and more referred to as a ‘legacy’ anti-virus due to their signature-based dependencies, which have many weaknesses. The primary weakness is they are trivial to bypass. 

These anti-virus solutions also included peripheral modules that did ‘other’ things, but still have use cases present today: DLP Technology was the first, used to alert or block the usage of certain data sets to stop them from leaving the network. Encryption was also onboarded onto these agents and could be applied to help encrypt user laptops and removable devices. Application control was another, where a whitelist of applications could be fed into the endpoint as policy to prevent unwanted applications being used.  Finally, ‘network’ based policy management, such as web filtering and/or network segregation, existed to prevent users connecting to rogue Wi-Fi networks or only visiting certain sites while on work machines.

That was then, and this is now; technology has evolved quite a bit. Today, there is NGAV (Next-Generation Anti-Virus), an erroneous moniker simply because it has now existed for the better part of five years.  It is current generation technology; however, it sounds fancy used in vendor presentations. They differ from legacy anti-virus in that they are typically ‘signatureless’ so they do not rely on signature updates, and do not even require network connectivity. They also typically have a very light footprint on the device, so they do not use many resources and do not perform any regular scanning (which was a common user gripe with legacy solutions).  

Vendors have now also lumped EDR (Endpoint Detection and Response) into this area, which effectively gives a detailed breakdown on the forensic activity on the device which can be leveraged to monitor identity threats proactively. While legacy anti-virus did have rudimentary forensic functionality, it required additional manual intervention on behalf of an analyst to determine if a process was friendly or not. 

EDR takes this to the next level, running analysis on every process and what it is doing, and linking this to the device itself to assist the analyst on deciding what to do. The ‘response’ portion is usually the automated rulesets within the solution that can quarantine a device and/or process should it meet certain criteria, and these can be automatically or manually set at a policy level. To be fair, legacy anti-virus also had this functionality; however, the responses were ‘script-based’, meaning you had to instruct a specific script to run, and that script would either quarantine the machine or just terminate the process. 

XDR is a recent terminology addition which refers to ‘eXtended’ detection and response.  While the idea is not new, XDR simply refers to looking at responses across ‘all’ assets and devices, as opposed to a single device. If you find yourself now thinking of SIEM technology that is okay, it resembles this too. This is where things can be confusing, where vendors have simply created a new label for a product that effectively does what another technology was intended for, but now does it better. While SIEM and UBA fall into this alphabet soup, we will not dive into them. 

Now that we have covered this, next up is how do you distinguish what you should be looking for? Well, you can essentially ignore vendors and concentrate instead on requirements. A fancy ‘next-gen’ anti-virus is of no use to you if you have no budget for it, even though it will theoretically give you more protection. Likewise, EDR may not be much use if you have no use for forensic information on devices, or do not have security analysts to draw upon to triage things like this. Likewise, DLP and web filtering can, and are often offloaded to other centralized tools to process company-wide and may do this better. There are even dedicated endpoint agents for ‘vulnerability scanning’ which we have not even touched on, but they can be (and are) bundled with other ‘endpoint security’ products.  

To navigate through the terminology swamp, the best thing is to always work backwards. Identify what you need on your endpoints (web filtering, DLP, vulnerability management, anti-virus, forensics, or application control) and then work backwards through various feature sets until you find one that matches it. Don’t forget budget as a criterion, of course – new and fancy is often pricier, which makes it more important that you end up with what you need, not just what a vendor wants you to buy.

Alex Haynes

Tags: , , , , , ,