Over the years, we have evolved from the single point of protection on mainframes and Unix servers to networks. With that evolution, we developed the notion of defense-in-depth (yes, we have that on mainframes after a fashion, but with networks it became a completely different story). Now we were looking at gateways and such things as firewalls, UTMs and, ultimately, intrusion prevention systems. Then someone started thinking about the endpoints. Of course, there already was anti-virus on the endpoints, but thinking about the vulnerability of the endpoints took a bit of a leap and we started to see such things as access control and DLP. Before we knew it, an entire genre of endpoint security was born.
The next step was to begin the process of getting the endpoints to talk to and play nice with gateways and such. Once that was accomplished, we sort of sank into the doldrums of security and saw a lot of old wine in new bottles. The emergence of sophisticated attacks was a wake-up call. Now we realized that everything in the security stack needed to work together. Still, the idea of loading up the endpoint with a lot of computing overhead posed challenges. The signature files for anti-malware products were starting to get pretty large, and there were pundits in the industry who opined that we were reaching the end of the useful life of endpoint anti-malware.
That would have been true if we had retained the same architecture, but we didn't. With the advent of the cloud as a computing platform and a place to aggregate the collective data from all of a vendor's customers we had the beginnings of a completely new endpoint paradigm. All that was left was a way to take advantage of those massive amounts of data and do the heavy compute tasks in the cloud instead of on the endpoint exclusively. The folks with big data management tools and techniques, as well as machine learning and artificial intelligence, moved in and brought some significant answers. We had added the data scientist to our development staff and companies started talking about data science in the same breath as they talked about security technology.
In this year's look at endpoint security tools, this evolution was glaringly obvious to us. The tools that caught our attention most strongly fit the mold of big data, cloud computing and machine learning. Another thing we noticed was that some of the tools we looked at explicitly acknowledged that organizations probably have already made an investment in some aspect of the endpoint tool set, and went out of their way to be accommodating. Those that didn't made the transition as easy as possible by finding the competing products they were about to replace and uninstalling them as cleanly as possible, without leaving the endpoints unprotected in the process.
We saw both physical appliances and virtual ones as well as software that could be installed - with lots of patience and help from the vendor. These are not simple devices. However, installing is just the first part of the process. Setting up configurations and policies and pushing them out to the endpoints can be a real challenge. When you deploy one of these, plan your deployment carefully. You need to make sure that you've covered all of your policy bases. At the same time, don't leave your enterprise unprotected during your deployment.
Another challenge, if you are building a new endpoint system into an existing security stack (especially if you are ripping and replacing), is avoiding conflicting policies. Our advice in that case is to trim back everything you can to bare bones, except those critical areas such as malware - which you tighten up as much as you can - and start adding in the most important policies, checking carefully for conflicts. At this stage it is useful to put policies on notify-only to avoid bringing the enterprise to its knees due to a conflict.
It's also a good idea to deploy in segments rather than hitting the entire enterprise at once. We've heard of marathon cutovers on entire enterprises, and the usual result is a lot of very tired engineers. With tired engineers come errors, so be prudent as you plan your deployment. This has become more important in recent years due to the strong interaction between systems in the typical enterprise security stack. If you keep these things in mind - plus the three magic words for success: plan, Plan, PLAN - you'll manage fine. Just don't forget to have the rudiments of your plan in mind as you shop for products. After spending a couple of hundred thousand dollars, it is a pretty bad time to identify incompatibilities or potential deployment nightmares.
Specifications for endpoint security tools (● = yes, ○ = no)
Product | Carbon Black | Comodo | CrowdStrike | Cylance | ESET | Kaspersky Lab | McAfee | Nyotron | Symantec |
Access control to removable media | ○ | ● | ● | ● | ● | ● | ● | ○ | ● |
Access control to files and folders | ● | ● | ● | ● | ● | ○ | ● | ○ | ● |
Endpoint firewall | ○ | ● | ● | ○ | ● | ● | ● | ○ | ● |
Endpoint malware protection | ● | ● | ● | ● | ● | ● | ● | ● | ● |
Offers DLP | ○ | ● | ○ | ○ | ● | ● | ● | ○ | ○ |
Mobile device management | ○ | ● | ○ | ○ | ● | ● | ○ | ○ | ○ |
Compatible with Windows | ● | ● | ● | ● | ● | ● | ● | ● | ● |
Compatible with Mac endpoints | ● | ● | ● | ● | ● | ● | ● | ○ | ● |
Compatible with Linux endpoints | ○ | ● | ● | ● | ● | ● | ● | ○ | ● |
Compatible with Android | ○ | ● | ○ | ○ | ● | ● | ○ | ○ | ○ |
Compatible with iOS endpoints | ○ | ● | ○ | ○ | ● | ● | ○ | ○ | ○ |
Includes regulatory compliance templates | ○ | ● | ● | ○ | ● | ● | ● | ○ | ○ |
Available as a physical appliance | ○ | ● | ○ | ○ | ○ | ○ | ○ | ● | ○ |
Available as a virtual appliance | ○ | ● | ○ | ○ | ● | ● | ○ | ● | ○ |
Available as a cloud service | ● | ● | ● | ● | ● | ○ | ● | ● | ○ |
Available as software for | ○ | ● | ● | ● | ● | ● | ● | ● | ● |
Prevents exfiltration of classified file attachments | ○ | ● | ● | ○ | ● | ○ | ● | ● | ○ |
Performs network inspection | ○ | ● | ● | ○ | ● | ● | ● | ○ | ● |
Performs network | ○ | ● | ● | ○ | ● | ● | ● | ○ | ● |
Next-generation analysis | ● | ● | ● | ● | ● | ● | ● | ● | ● |