Endpoints – laptops, desktops and servers – are vulnerable to attack. And with blended threats on the increase, administrators are looking to secure not only their internal networks but their perimeters too. However, not all endpoint security solutions are sufficiently integrated to deliver the functionality and manageability needed.
Fred Mitchell, security business unit manager at distributor Drive Control Corporation (DCC), explains: "Administrators are keenly aware of the importance of securing endpoints. However, this often translates into installing antivirus, antispyware, desktop firewall, intrusion prevention and device control technology individually on each endpoint. This is not only time-consuming, but also increases IT complexity and costs.
"Organisations then need to provide management, training and support for a variety of different endpoint security solutions. Also, differing technologies can often work against one another or impede system performance due to high resource consumption. As endpoint security solutions mature – and there are plenty available – organisations need to ensure they invest in a product that will assist them to resolve these issues.
"Ideally, they need a solution that combines antivirus, antispyware and firewalls with advanced proactive protection technologies in a single deployable agent that can be administered from a central management console. Comprehensive endpoint visibility, which includes graphical reporting, centralised logging and threshold alerting, is a must.
"In addition, such a solution needs to be customisable and should be able to leverage existing IT investments – i.e., work with leading software deployment tools, patch management tools, SIM tools, databases and operating systems."
A multilayered approach significantly lowers risk. Delivering those layers as one integrated solution also reduces administrative overhead, cutting the head count and hours spent managing multiple point solutions, notes Mitchell.
It enables operational efficiencies such as a single communication method and content delivery system across all of its security technologies. It also enables service configuration and exclusions to be performed globally at a single point on the client or at the management server.
Furthermore, automated security updates to the agent provide hassle-free protection from the latest threats.
"In effect, an integrated solution lowers costs by minimising the effort associated with managing endpoint security, user and network downtime, and remediation efforts," says Mitchell. "However, a single, unified console is essential to enable centralised management. Such a console will allow administrators to create and manage policies, assign them to agents, view logs and run reports for endpoint security activities."
Administrators should also be aware of the benefits of a customisable interface, which will allow them to decide which technologies can run at the client and which configuration options will not be available to the end user. "This will give the administrator the necessary flexibility and control to protect endpoint devices in a manner that meets their organisation's unique requirements," says Mitchell.
There are some typical shortcomings in endpoint security solutions that administrators should look out for, Mitchell advises. Among these are antivirus and antispyware solutions that only function on a single operating system and do not provide full protection due to a lack of interoperability with other endpoint security technologies, such as personal firewall, device control and intrusion prevention.
Network threat protection, which is critical to protect from blended threats and to inhibit outbreaks, also has to encompass more than a firewall. Solutions need to include a blend of state-of-the-art protection technologies, including intrusion prevention and sophisticated capabilities to control network communications.
Says Mitchell: "A threat often first infects a single laptop while outside the network perimeter, and then when the laptop connects to the internal network, the threat spreads to other endpoints. Endpoint firewalls can be leveraged not only to block internal network attacks from breaching any endpoint connected to the network, but also to prevent these threats from ever leaving the initially infected endpoint.
"To do so, the firewall must incorporate a number of features. These include: a rule-based firewall engine; predefined antivirus, antispyware, and personal firewall checks; firewall rule triggers on applications, host, services and time; full TCP/IP support; the option to allow or block support of network protocols and protocol drivers; and packet and stream intrusion prevention system (IPS) blocking, custom IPS signatures blocking and generic exploit blocking for proactive threat protection."
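The containment Mitchell describes rests on two rule sets working together: outbound rules that stop an infected laptop from reaching its peers, and inbound rules that stop an infected peer from reaching this host. The following is an added example, not code from DCC or any vendor's product: a small host-firewall rule engine that models the triggers listed above (application, remote host, service, direction and time of day) and evaluates a constructed policy against constructed connection events. The subnets, executable names and addresses are assumptions chosen for illustration.

```python
"""Host-firewall rule engine modelling the triggers the text lists.

Added example, not any vendor's product code. Rules fire on direction,
protocol/port (service), executable name (application), remote host and
time of day. Rules are evaluated in order, first match wins, and anything
unmatched is blocked. Subnets, executable names and events are constructed.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "block"
    direction: str                       # "in" or "out"
    proto: Optional[str] = None          # "tcp" / "udp"; None matches any
    ports: frozenset = frozenset()       # empty matches any port
    apps: frozenset = frozenset()        # executable names; empty matches any
    hosts: tuple = ()                    # ip_network objects; empty matches any
    window: Optional[Tuple[time, time]] = None  # (start, end) local time; None = always

    def matches(self, ev: dict) -> bool:
        if self.direction != ev["direction"]:
            return False
        if self.proto is not None and self.proto != ev["proto"]:
            return False
        if self.ports and ev["port"] not in self.ports:
            return False
        if self.apps and ev["app"] not in self.apps:
            return False
        if self.hosts and not any(ip_address(ev["remote"]) in net for net in self.hosts):
            return False
        if self.window is not None:
            start, end = self.window
            if not (start <= ev["time"] <= end):
                return False
        return True


def evaluate(rules, ev: dict, default: str = "block"):
    """Return (action, rule_name) for the first matching rule, or the default."""
    for rule in rules:
        if rule.matches(ev):
            return rule.action, rule.name
    return default, "default-deny"


FILE_SERVERS = (ip_network("10.0.50.0/24"),)    # constructed subnet
MGMT_NET = (ip_network("10.0.10.0/24"),)        # constructed subnet
SMB_RPC = frozenset({135, 139, 445})
OFFICE_HOURS = (time(8, 0), time(18, 0))

POLICY = [
    # Outbound file sharing only from the OS redirector and only to file servers,
    # so a worm on this laptop cannot use SMB to reach other endpoints.
    Rule("smb-to-file-servers", "allow", "out", "tcp", frozenset({445}), frozenset({"System"}), FILE_SERVERS),
    Rule("block-lateral-smb-rpc", "block", "out", "tcp", SMB_RPC),
    # Remote administration only from the management subnet during office hours.
    Rule("rdp-from-mgmt", "allow", "in", "tcp", frozenset({3389}), frozenset(), MGMT_NET, OFFICE_HOURS),
    # Inbound SMB/RPC from peers is refused, so an infected peer cannot reach this host.
    Rule("block-inbound-smb-rpc", "block", "in", "tcp", SMB_RPC),
    Rule("browser-web", "allow", "out", "tcp", frozenset({80, 443}), frozenset({"chrome.exe", "firefox.exe"})),
]

# Constructed connection events as the endpoint driver would report them.
EVENTS = {
    "worm_spreads_out": {"direction": "out", "proto": "tcp", "port": 445, "app": "svch0st.exe", "remote": "10.0.20.15", "time": time(14, 0)},
    "peer_attacks_in":  {"direction": "in",  "proto": "tcp", "port": 445, "app": "System", "remote": "10.0.20.15", "time": time(14, 0)},
    "legit_file_share": {"direction": "out", "proto": "tcp", "port": 445, "app": "System", "remote": "10.0.50.3", "time": time(14, 0)},
    "rdp_after_hours":  {"direction": "in",  "proto": "tcp", "port": 3389, "app": "svchost.exe", "remote": "10.0.10.5", "time": time(21, 0)},
    "rdp_office_hours": {"direction": "in",  "proto": "tcp", "port": 3389, "app": "svchost.exe", "remote": "10.0.10.5", "time": time(14, 0)},
    "browsing":         {"direction": "out", "proto": "tcp", "port": 443, "app": "chrome.exe", "remote": "93.184.216.34", "time": time(14, 0)},
}


def run_samples(policy=POLICY, events=EVENTS) -> dict:
    """Evaluate every constructed event against the policy."""
    return {name: evaluate(policy, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (action, rule) in run_samples().items():
        print(f"{name:17s} -> {action:5s} ({rule})")
```

The two events that matter for Mitchell's scenario are `worm_spreads_out`, which the outbound rule blocks before the traffic leaves the infected laptop, and `peer_attacks_in`, which the inbound rule blocks on every other endpoint; the remaining events show that the same policy still lets the OS redirector reach file servers and lets administrators in during office hours but not at night.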
The level of proactive threat protection an endpoint security solution provides is key, emphasises Mitchell. "While signature-based file scanning and network scanning technologies cover key areas of necessary protection, non-signature-based technologies are needed to address the growing number of unknown threats used in stealth attacks. These are referred to as proactive threat protection technologies.
"Solutions that include sophisticated heuristics technology that analyses the behaviour of processes running in a system to detect potential threats are most effective. Most host-based IPSs only examine what they consider to be 'bad behaviour'. As a result, they often falsely identify acceptable applications as threats and shut them down, causing productivity problems for users and help desk nightmares for administrators. More advanced solutions, however, will score both good and bad behaviour of applications, providing more accurate threat detection and significantly reducing the number of false positives."
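To make the difference between the two approaches concrete, here is an added example (not DCC's or any vendor's engine) that runs a bad-behaviour-only detector and a net-scoring detector over the same constructed set of processes. The trait names, weights, threshold and sample processes are all assumptions chosen for illustration; a real engine derives them from observed process behaviour and reputation data.

```python
"""Behaviour scoring for a host IPS: bad-only matching versus net scoring.

Added example, not any vendor's engine. Trait names, weights, the threshold
and the sample processes are constructed for illustration.
"""

# Suspicious behaviours raise the score ...
BAD = {
    "writes_autorun_key": 3,          # persistence through a Run registry key
    "injects_into_other_process": 4,
    "disables_security_service": 5,
    "opens_many_smb_sessions": 3,     # fan-out typical of a network worm
    "copies_self_to_system_dir": 3,
    "hides_window": 1,
}
# ... and benign indicators lower it.
GOOD = {
    "signed_by_trusted_publisher": -4,
    "installed_by_msi": -2,
    "has_visible_ui": -1,
    "prevalent_on_many_hosts": -3,    # seen for months across the fleet
}
THRESHOLD = 5


def bad_only_verdict(traits) -> str:
    """Block on any single bad behaviour, the approach the text criticises."""
    return "block" if any(t in BAD for t in traits) else "allow"


def score(traits) -> int:
    """Net score: positive weights for bad traits, negative for good ones."""
    return sum(BAD.get(t, 0) + GOOD.get(t, 0) for t in traits)


def scored_verdict(traits, threshold: int = THRESHOLD) -> str:
    """Block only when bad behaviour outweighs good by at least the threshold."""
    return "block" if score(traits) >= threshold else "allow"


# Constructed processes: the first two are legitimate tools that each exhibit
# one "bad" behaviour, the others are malicious samples and a clean control.
SAMPLES = {
    "backup_agent":  {"writes_autorun_key", "signed_by_trusted_publisher", "installed_by_msi", "prevalent_on_many_hosts"},
    "remote_admin":  {"injects_into_other_process", "signed_by_trusted_publisher", "installed_by_msi", "prevalent_on_many_hosts"},
    "worm_dropper":  {"copies_self_to_system_dir", "writes_autorun_key", "opens_many_smb_sessions", "hides_window"},
    "signed_loader": {"signed_by_trusted_publisher", "disables_security_service", "injects_into_other_process", "hides_window"},
    "text_editor":   {"has_visible_ui", "installed_by_msi"},
}
BENIGN = {"backup_agent", "remote_admin", "text_editor"}


def compare(samples=SAMPLES) -> dict:
    """Map process name -> (bad_only_verdict, scored_verdict, score)."""
    return {name: (bad_only_verdict(t), scored_verdict(t), score(t)) for name, t in samples.items()}


def false_positives(detector, samples=SAMPLES, benign=BENIGN) -> set:
    """Benign processes a detector would block."""
    return {name for name in benign if detector(samples[name]) == "block"}


if __name__ == "__main__":
    for name, (bad_only, scored, s) in compare().items():
        print(f"{name:14s} bad-only={bad_only:5s} scored={scored:5s} (score {s:+d})")
    print("bad-only false positives:", sorted(false_positives(bad_only_verdict)))
    print("scored false positives:  ", sorted(false_positives(scored_verdict)))
```

The bad-only detector shuts down the signed, widely deployed backup agent and remote administration tool because each shows one suspicious trait; the scored detector lets both run while still blocking the worm dropper and the signed loader, whose bad behaviours outweigh its valid signature. The weights are illustrative, and in practice the threshold is what an administrator tunes against the false-positive rate Mitchell describes.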
A final point to consider is whether the solution purchased is network access control ready. Explains Mitchell: "It is critical to be able to control access to corporate networks and enforce endpoint security policy – regardless of how endpoints are connected to the network. The network access control feature discovers and evaluates endpoint compliance status, provisions the appropriate network access, provides automated remediation capabilities and continually monitors endpoints for changes in compliance status. For administrators it is important to ensure that network access control technology is integrated into the agent and can be easily enabled with no additional agent software needing to be deployed on the endpoint device."
Concludes Mitchell: "Organisations can no longer rely solely on traditional antivirus and antispyware solutions. They need to take a holistic approach to endpoint security that effectively protects their organisation from threats at all levels, while providing seamless interoperability that simplifies management and lowers total cost of ownership. The solutions that will enable this are now available – it's just a matter of selecting the right one."