Where our team of editors discuss what they think about the current BM issues.

There are four primary reasons why endpoint security is becoming such a critical part of an enterprise’s overall security strategy. First, we’ve done a pretty good job in network security, and in most cases, the firewalls and intrusion prevention systems are doing a good job at stopping things at the gateway.
The second is that we’re more mobile, so your endpoint now lives outside of your enterprise gateway in many cases. People work in hotels or from home, and laptops have surpassed desktops in the corporate environment. A lot of people say the perimeter is gone. I think it has moved, or become perforated, because the network perimeter of a corporation is generally pretty good; it’s just that more things come and go through the perimeter.
The third reason is that endpoints are targeted more by attackers. They’ve realized that a lot of good data is on the endpoint, and because it’s mobile and on the web, there are ways of getting to that endpoint that are of much greater concern.
The fourth reason is that through Web 2.0 and other interactive items, the endpoint is interacting with websites a lot more, so it becomes a nice avenue to get into the enterprise and to get the data that resides on that endpoint.
Emerging threats in the enterprise
The usage of spam to deliver malicious content continues to be a huge problem.
Malicious code and programs are still being included in spam messages that try to entice you to open them and then they plant some type of malicious data on your machine or try to create a hole.
The second threat issue relates to Web 2.0 and increased usage of the web. There are many bad websites out there, or worse, there are appropriate websites that have been hijacked, so to speak, where malware is planted on a legitimate website. In those instances, somebody clicks on something or there’s a vulnerability in the browser, and it plants spyware or some other malware.
Those two issues are our greatest concern as we begin looking at the endpoint directory. The third issue is just the tried and true method of stealing laptops. That’s a concern because you’re not really sure who stole it or whether someone stole it for content or just because they wanted to pawn the machine.
One common inaccurate assumption about today’s vulnerabilities is the notion that you just need anti-virus. Today much of the malware and attacker activity goes well beyond what anti-virus alone can handle. That’s why we’re seeing continuous growth in what we call endpoint security suites, which bundle all of your important security functions to help stop malware. We’re also seeing growth in whitelisting, or positive security, which allows only certain applications to run and nothing else.
Implementing an endpoint security strategy
Your endpoint security has to be tied to your overall security posture, so you still need to have good overall network security to keep from having it wide open. You can still use some type of URL filtering at the gateway to prevent employees from getting to sites that are specifically malicious. Anti-spam is important as I mentioned because spam is still a large avenue for malware.
When you get past that, you have to consider what you need to do for your endpoint. In my opinion one of the first things to do is ensure that you have a strong patching process. Make sure that your endpoints are patched to remove any of the known vulnerabilities in the operating systems and applications.
The next thing is choosing a security suite, which includes anti-virus, anti-spyware, and some type of intrusion prevention, which is normally used to stop an application from executing when it shouldn’t be executed.
Those are hard for end users to manage in many cases, so a corporation will want to lock them down as much as it can to limit the impact on the user, and part of that is what we’re calling whitelisting or positive security. This refers to a corporate asset allowing only specific applications to run – many of these programs now have signature databases that will tell you which programs are the authorized versions, while blocking other applications, like Skype and so forth, that might not be appropriate on an employee’s machine.
In terms of the new browser security activities, they’re still fairly new, but there are programs that warn you about the type of website you’re visiting or that use virtualization to sandbox browsing. One new product in this area is ZoneAlarm ForceField, which creates a virtual browser to help prevent malware from being installed through web applications. So there are definitely technologies out there designed to reduce the vulnerabilities associated with web browsing.
The last item of course is some type of endpoint encryption because you should have critical data encrypted, so that if your machine is stolen, important data doesn’t get accessed.
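The patching point above is easy to state and hard to verify across a fleet. The following is an added example, not code from the article or from IDC: it compares a constructed endpoint inventory against a baseline of minimum patched versions and reports every endpoint/application pair that is still below baseline. All hostnames, application names and version strings are made-up sample data, and an application that is absent from the inventory is reported rather than silently passed, because an unknown state is not a patched state.

```python
"""Added example (not from the article): a minimal patch-compliance check."""
from typing import Dict, List, Tuple

# Constructed baseline: lowest version considered fully patched (hypothetical values).
BASELINE: Dict[str, str] = {
    "os": "6.1.7601.3",
    "browser": "72.0.3626.121",
    "pdf_reader": "9.1.0",
}

# Constructed endpoint inventory (hypothetical hostnames and versions).
INVENTORY: Dict[str, Dict[str, str]] = {
    "laptop-01": {"os": "6.1.7601.3", "browser": "72.0.3626.121", "pdf_reader": "9.1.0"},
    "laptop-02": {"os": "6.1.7600.0", "browser": "72.0.3626.121", "pdf_reader": "9.1.0"},
    "laptop-03": {"os": "6.1.7601.3", "browser": "71.0.3578.98"},  # pdf_reader not present
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.1.7601.3' into (6, 1, 7601, 3); non-numeric pieces count as 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(installed: str, minimum: str) -> bool:
    """True when installed >= minimum; shorter versions are padded with zeros so 9.1 == 9.1.0."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def find_unpatched(inventory: Dict[str, Dict[str, str]],
                   baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, app, installed-or-'missing') for every pair below baseline.

    A baseline application absent from a host is reported as 'missing' rather
    than skipped: the check cannot vouch for software it has no record of.
    """
    findings = []
    for host, apps in sorted(inventory.items()):
        for app, minimum in baseline.items():
            installed = apps.get(app)
            if installed is None:
                findings.append((host, app, "missing"))
            elif not is_patched(installed, minimum):
                findings.append((host, app, installed))
    return findings


if __name__ == "__main__":
    for host, app, state in find_unpatched(INVENTORY, BASELINE):
        print(f"{host}: {app} below baseline ({state})")
```

In practice the inventory would come from an agent or a patch-management console rather than a literal, but the comparison logic and the treatment of missing records are what make the report trustworthy.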
Strengthening your security
There are a number of vendors who are offering innovations in endpoint security, especially trying to make it better for the enterprise with improved manageability and control. We’re seeing companies who weren’t previously considered as endpoint security providers, such as patch management vendors, offering endpoint security by expanding their product portfolios to add additional features, especially in the area of positive security capabilities.
In many ways, the vendors have been responsive to the concerns of enterprises about having too many agents. Enterprises don’t want to have five to ten different security products; they want to be able to manage applications in a centralized manner. So the vendors have been working to tie various agents or applications together into an easy-to-deploy and manage package.
In addition, Unified Threat Management is a way of making your enterprise perimeter defenses much better through central management, a single console, and protection from blended threats, so that something that evades your anti-virus may be caught by your IPS. The consolidation of features and management keeps costs down by having a single platform. At the device level, an endpoint security suite is the endpoint equivalent of network UTM.
Defense-in-depth security is so pervasive and complex that you can’t do everything on the endpoint and ignore the network or access control. UTM and endpoint security complement each other in that respect, especially if you have a VPN client or SSL VPN, so there’s a way to tie your endpoint and your UTM together in a comprehensive way.
Emerging security trends
There is an emerging trend towards virtualized endpoint security, a way of running an application in a virtual environment so that it does not infect the overarching hardware or operating system of your machine.
If you use this virtualized environment to run company applications on an untrusted machine, your company application won’t be infected because it’s running in a trusted virtual environment, which is insulated from the security issues on the host machine. That’s a trend that I think will continue to grow as hardware gets more robust at running virtualized applications.
There’s also a strong future for positive security (i.e. only allowing what is supposed to run to run). It used to be that anything could run except what was forbidden, such as malware that your AV detects.
If you turn that around and designate only certain items as acceptable to run, it causes a few challenges in the enterprise, but many enterprises have come to view that as one of the better ways of controlling an environment because it reduces the number of variables that you need to deal with. When anything that doesn’t fit the template is automatically dropped, you don’t have to worry about what vulnerabilities or applications will be encountered – it makes it much easier to identify what’s good and what’s bad.
Another development is that many products now include the ability to manage or protect the transfer of data via your USB port to a Flash drive or some other device. Many products either disallow it or have an automatic encryption capability, so that information passed to a USB port can be encrypted. That’s becoming a feature of many security products, so if you have concerns about information on your machines that employees are downloading and putting on USB tokens, which are very easy to lose, then you can get it encrypted.
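The positive-security model described in the two paragraphs above (and in the earlier discussion of whitelisting with signature databases of authorized versions) is easiest to see next to the blocklist model it replaces. The following is an added example, not code from the article or from any vendor: it keys an allowlist on the SHA-256 of a program’s contents, denies everything that does not match, and evaluates the same files under a conventional blocklist so the difference shows side by side. Every file path, file content and hash below is constructed sample data, not real software.

```python
"""Added example (not from the article): default-deny application allowlisting
compared with a conventional blocklist."""
import hashlib
from typing import Dict, Set

# Constructed "file contents" standing in for executables found on an endpoint.
SAMPLE_FILES: Dict[str, bytes] = {
    "C:/Program Files/Office/winword.exe": b"authorized word processor build 14.0",
    "C:/Program Files/Skype/skype.exe": b"consumer messaging client",
    "C:/Users/alice/Downloads/unknown_download.exe": b"brand new sample nobody has seen",
    "C:/Windows/System32/notepad.exe": b"authorized editor build 6.1",
}


def sha256_of(contents: bytes) -> str:
    """Content hash used as the program's identity; any byte change yields a new hash."""
    return hashlib.sha256(contents).hexdigest()


# Signature database of authorized versions: the allowlist (constructed).
AUTHORIZED: Set[str] = {
    sha256_of(b"authorized word processor build 14.0"),
    sha256_of(b"authorized editor build 6.1"),
}

# A traditional blocklist, in the style of an AV signature set (constructed).
# It only knows about what has already been identified as unwanted.
KNOWN_BAD: Set[str] = {
    sha256_of(b"consumer messaging client"),
}


def allowlist_decision(contents: bytes, authorized: Set[str] = AUTHORIZED) -> str:
    """Positive security: run only what matches the template; everything else is dropped."""
    return "allow" if sha256_of(contents) in authorized else "deny"


def blocklist_decision(contents: bytes, known_bad: Set[str] = KNOWN_BAD) -> str:
    """Negative security: run everything except what is already known to be bad."""
    return "deny" if sha256_of(contents) in known_bad else "allow"


def evaluate_all(files: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Decide every file under both models so the two policies can be compared."""
    return {
        path: {"allowlist": allowlist_decision(data), "blocklist": blocklist_decision(data)}
        for path, data in files.items()
    }


if __name__ == "__main__":
    for path, verdicts in evaluate_all(SAMPLE_FILES).items():
        print(f"{path}: allowlist={verdicts['allowlist']} blocklist={verdicts['blocklist']}")
```

Two things stand out when the block runs: the never-before-seen download is allowed by the blocklist and denied by the allowlist without any signature update, and a modified copy of an authorized program is also denied, because the hash no longer matches the authorized version. The operational cost the article mentions is visible too: every legitimate update changes the hash and therefore needs a corresponding allowlist entry.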
In closing, threats continue to be a problem, but there are many security solutions that are designed to vastly improve endpoint security.
Charles Kolodgy is a Research Director for IDC’s Security Products service. In this role, he executes primary research projects and analyzes markets for both vendors and user customers. Kolodgy’s responsibilities within the Security Products service include both hardware and software security products.