End Point Security Overview

By Ken Phelan
Posted in Security
On September 28, 2015

There are a lot of new products emerging to secure the end point. This makes sense given the nature of the attacks we’re seeing, but it’s also leading to some confusion. I thought I would try to help out with some categorization.

Category 1: Signature-based defenses. These are traditional anti-virus and malware products. The signature-based solutions have a serious problem – or rather a deadly combination of two problems. There are so many new signatures that it becomes more and more expensive to manage them all. At the same time, signatures are less effective as attackers learn to work around this entire technology, and we end up paying more for less as time goes on. A lot of people are hoping to skip this layer, but unfortunately, I don’t think we’re ready for this. I’m encouraging clients to keep category 1 products in the budget for 2016.

Category 2: Network Defenses. Category 2 comprises firewall and IDS at each end point. Similar to signatures, this is technology that many advanced attackers are leapfrogging. However, it’s still a good idea; in fact, for notebooks or other computers that leave your perimeter, it’s a requirement.

Category 3: Encryption. If it walks out the door, it needs to be encrypted. Period.

Category 4: Configuration Control and Patching. As previously mentioned, 99.9% of successful attacks exploit known and patchable vulnerabilities. Managing patches, both for the OS and for applications, is a priority.

Category 5: End Point Analytics. This is a new product area for most of my clients. Once an end point has been identified as infected, you need tools to determine the exact nature of the breach and stop its spread within your organization. Lacking these tools, many organizations simply rebuild infected machines, restore backups, and hope for the best. This gives the persistent attacker more chances to simply stay below your radar.

Category 6: Containers. This is an emerging technology area that runs high-risk activities, like browsing, inside a secure container. This technology has a lot of promise, but the devil is in the details with regard to implementation.

Category 7: Advanced Malware Defense. These programs use advanced analytics or behavior analysis to catch and stop malware. I would also place solutions that manage application execution (i.e., white listing) in this category. This is probably the future of Category 1, and although they provide a great extra layer of protection, they’re probably not ready to replace A/V today.

I know seven categories sounds like a lot. Here are some suggestions for managing this:

  • Get a suite solution. I know this sounds obvious, but I’m often surprised that people won’t make good use of available suite solutions.
  • Try not to buy more than one thing in each category. I know that this also sounds obvious, but again, you’d be surprised.
  • Get Category 5 (analytics) under control. This is the new “must have” from my perspective. Data is power in a breach scenario.
  • If you’re a high-value target, you should be well down the road on categories 6 and 7. If you’re not, put these technologies on your evaluation list for next year.

I know that specific manufacturer names are conspicuously missing from this discussion. Sorry. Gotham is partnered with many of the manufacturers in these categories, and I just don’t need hate mail about specific vendor commentary. If you have a question about a specific manufacturer, feel free to private message me and I’ll respond.

Ken Phelan

Ken is one of Gotham’s founders and its Chief Technology Officer, responsible for all internal and external technology and consulting operations for the firm. A recognized authority on technology and operations, Ken has been widely quoted in the technical press, and is a frequent presenter at various technology conferences. Ken is the Chairman of the Wall Street Thin Client Advisory Council.