
Care to wager what’s causing your CIO’s insomnia these days? Perhaps it’s the putting “yips” on the golf course. Maybe it’s that diehard crabgrass in the yard, or could be a zoned-out child feigning interest in the dinner conversation while texting friends under the table. But odds are it’s a recurring nightmare of critical business data lost, stolen or maliciously exposed in a major breach of security systems or policy.
Let’s face it. Securing your company’s IT endpoints is growing more complex and more costly. Whether it’s sensitive financial data, a new product design, customer account information or patient medical records, the frequency of security failures, the scale of data loss, and the total cost of remediation and recovery are all skyrocketing.
LANDesk’s approach to endpoint security begins with a comprehensive hardware and software management system and provides you an incremental path to add integrated layers of security, creating an ironclad endpoint protection platform that costs less than point solutions and is easier to manage.
The Endpoint is the Starting Point
Endpoint security is a war that must be fought day and night, without rest, on thousands of desktop and laptop battlefields, connecting inside the local network and traveling far beyond. Consider the most commonly compromised class of data – personal identity information. According to the Privacy Rights Clearinghouse (http://www.privacyrights.org/), the incidence of data loss and theft has increased by 1700% since 2004. More than 217 million records of US residents were exposed due to security breaches between January 2005 and December 2007.
The vector of loss might be a stolen laptop, a misplaced disk or backup tape, a prohibited file-sharing application, a concealed thumb drive, or a rogue wireless access point. The agent of loss might be an otherwise diligent manager with legitimate rights to the missing data, a disgruntled employee bent on revenge, or a criminal orchestrating a targeted attack.
A Combination of Security Measures is Necessary but Inadequate
Most businesses rely on a combination of firewalls, intrusion detection systems (IDS) and antivirus software to defend their internal resources against a tsunami of threats. But while all these measures are necessary, today’s threat environment is simply too dynamic for any point solution to afford effective protection. The only practical and survivable defensive strategy is to deploy multiple layers of protective technology, carefully chosen for tight integration, central management, and convenient automation.
Protective Layers Lessen Your Risk of Exposure
In the dead of winter, layers of clothing trump a single puffy parka in keeping out the cold. By the same token, the only way to defend your critical IT assets against relentless and inventive assault is to envelop every asset in multiple defensive layers that present independent and qualitatively distinct barriers on every approach. Eight key components of a multi-layered endpoint security strategy would certainly include:
As mentioned earlier, a combination of firewall, IDS, and antivirus point products is inadequate. Moreover, trying to address all your organization’s endpoint security needs with separate point solutions would be prohibitively expensive and an administrative nightmare.
The other key consideration is that significant overlap exists between the requirements of endpoint security administration and core PC lifecycle management. Not surprisingly, providers of both systems management and security products are moving to expand and consolidate their offerings into integrated solutions, something LANDesk has been doing for years. According to recent research from Gartner Inc., traditional point products have been eclipsed by broader suites of related security technologies, including antivirus, anti-spyware, HIPS, a personal firewall, network access control (NAC) and data loss prevention (DLP), comprising what Gartner terms the endpoint protection platform.[1]
Build a Proven Endpoint Protection Platform with LANDesk
LANDesk’s approach to endpoint security begins with a comprehensive systems management solution that enables you to add tightly woven security layers that leverage the same client-side software agent, server infrastructure and administrative console to reduce complexity and save money. Let’s consider the eight key components of a multi-layered endpoint security strategy individually, and how LANDesk provides solutions to help you build a proven endpoint protection platform.
1. Asset Discovery and Inventory
You can’t secure a network without knowing what devices are connected and what software is running on those devices. Basic capabilities should include discovery and inventory of all connected hardware and software, regardless of whether a particular device is under management or a local firewall is operating.
Users of LANDesk’s flagship solution, LANDesk® Management Suite, are accustomed to the convenience of technologies that easily identify, locate and inventory computer assets, assess their configuration and management status, and determine whether a local firewall is enabled. Users can even access systems at remote, distributed sites over the Internet, without a VPN. A sister solution – LANDesk® Security Suite – extends these capabilities with wireless access point discovery technology that uses notebook PC wireless NICs to locate and classify all access points within and adjacent to the enterprise environment, allowing administrators to block access to those that are unauthorized.
2. Patch and Vulnerability Management and Deployment
Staying current with operating system and application security patches is one of your IT department’s most complex and labor-intensive undertakings. A robust patch solution that includes scanning, vulnerability assessment, download and staging, distribution and maintenance capabilities is essential. Maintenance must extend beyond Windows and Office applications because non-Microsoft browsers, media players, and backup and security software are increasingly frequent targets.
LANDesk patch management and high-frequency vulnerability scanning capabilities pinpoint configuration, patching and software update requirements quickly and easily, based on your company’s needs and chosen level of detail. Custom scans let you define and search for specific condition sets. Defining and maintaining secure configurations is simplified with role-based administration and policy-based management tools.
3. Malware Protection and Blacklisting
Innovations in malicious software continue to accelerate. By some accounts, the total number of malicious software signatures associated with viruses, Trojans, keyloggers, spyware, adware and rootkits doubled in 2007, and zero-day attacks continue to be a particular problem. Malicious code defense should include several components: conventional signature-based antivirus and anti-spyware protection that is aggressively updated and centrally managed, combined with a host intrusion prevention solution capable of blacklisting or blocking unauthorized code execution and detecting irregular application behavior, even in the absence of a recognized malware signature.
With LANDesk® Host Intrusion Prevention System (HIPS), a new plug-in for LANDesk Security Suite, you gain added assurance that your organization is equipped to prevent zero-day threats and rootkits, even before a fix is available. It features application control or blacklisting capabilities to block known bad programs, plus application whitelisting technology to allow known good programs.
4. Whitelisting
As just mentioned, application whitelisting offers precise control over the code that can run on enterprise systems. Today the number of malicious applications being written and released is surpassing the number of legitimate ones. If you continue to blacklist the applications you want barred from your IT environment, that list will eventually become enormous and unmanageable. By contrast, the list of known or “whitelisted” applications you want to allow in your environment is more manageable, and proven technologies, such as LANDesk HIPS, are now available to help you do that extremely well.
For example, system startup control in LANDesk HIPS lets your IT staff specify which programs a given system can run at startup, automatically preventing unspecified programs from running. Administered from the same console used to run LANDesk Security Suite and LANDesk Management Suite, LANDesk HIPS extends the breadth and depth of the LANDesk endpoint protection platform to offer the most complete, layered security solution available from a single console.
5. Data Loss Prevention
The most common vectors of business data loss all radiate from the desktop or laptop PC. They include the machines themselves – laptops that travel far beyond the enterprise perimeter, connect to many different networks, and get lost or stolen – plus all of their peripheral storage devices, unsecured network interfaces, unauthorized software and ill-considered user behavior. Under-managed endpoints constitute a chronically porous perimeter where data can leak away undetected via USB devices, CD/DVD drives, and ad hoc bridges to Bluetooth personal area networks, 802.11 wireless LANs and P2P file sharing networks.
The most problematic of these are USB devices – flash drives (sometimes called thumb drives), portable disk drives, iPods and other portable media players. More than a billion of these compact, portable devices have been sold, and they are now used in every environment, by conscientious employees, for entirely legitimate and productive applications. Yet they have also become a favorite tool of the data thief, adding thumb-sucking and pod slurping to the threat lexicon. A well-publicized demonstration of the latter stripped all the document files from a PC in just 65 seconds.
6. Proactive Mobile Management
Scanning and remediation capabilities available via a managed security gateway can be extended beyond the corporate firewall, enabling your IT team to manage any mobile machine using any existing Internet connection, certificate-based authentication and SSL encryption. The LANDesk® Management Gateway Appliance is such a technology – a plug-in appliance to manage machines centrally and proactively according to IT’s schedule.
7. Network Access Control
Managing the configuration of machines already on the network is futile unless the same discipline is applied to those requesting new connections. Access control functionality is required that provides remote configuration assessment, with quarantine and remediation capabilities for non-compliant machines.
LANDesk® Network Access Control lets you prevent compromised or non-compliant systems from connecting to your network until they have been fully remediated. The solution supports four of the most popular industry standards for network access control: Cisco NAC, IPSec, 802.1x, and DHCP. NAC is an essential tool for managing the inevitable security threats posed by mobile users and systems that operate outside the enterprise environment for long periods of time, often connecting with many unknown networks and environments in the interim.
8. Security Executive Dashboard
Finally, organizations need the ability to document the implementation of security policies, compliance with those policies, and the ROI on security investment. Capabilities should include historical reporting, trending and performance analytics. LANDesk makes it easy to track and document the progress and ROI of security initiatives with a variety of reporting options. Detailed historical reports on policy enforcement and patch deployment are displayed in an easily understood executive dashboard that clearly documents policies, performance, problem areas and trends over time.
Conclusion
When all is said and done, the security of your company’s data depends on a complete but flexible toolset capable of managing, maintaining and securing a diverse and mobile client population, in any location, at any time, without impairing the efficiency and productivity of its users. Rest assured, LANDesk delivers multiple layers of protection, administered from a single console that helps you discover and inventory assets, ease patch and vulnerability management and deployment, block malicious applications and allow known good ones, control and encrypt USB devices to prevent data leakage, enforce endpoint security policies for mobile users, grant network access control, and much more.
Reference:
[1] Peter Firstbrook, Arabella Hallawell, John Girard, Neil MacDonald, Magic Quadrant for Endpoint Protection Platforms, 2007, Gartner, Inc., December 21, 2007.