Archive for December, 2008
Windows XML Exploit Tests Endpoint Packages
by admin on Dec.29, 2008, under Endpoint Software Packages, data security
SearchSecurity.com reports on recent Windows vulnerabilities that left certain Endpoint software packages struggling to handle a new exploit. A zero-day exploit targeting Microsoft Windows through an XML flaw produced mixed results across Endpoint software packages, with some failing to contain the attack at all.
“Only Kaspersky Lab’s Total Space Security 6.0 stopped the exploits cold by blocking URL access. Sophos Endpoint Security and control detected the URL, but only issued a warning without blocking it. However, it did detect and block the exploit.
Symantec’s Endpoint Protection 11.0.2 failed to detect the URL or the exploit, but detected and quarantined the malware payload. Trend Micro’s Officescan 8.0 SP1 R3 performed similarly, but failed to quarantine one of the malware’s two components, apparently because the attack thwarted its ability to gain the necessary permissions.
Both McAfee’s Total Protection for Endpoint and AVG’s Internet Security Network Edition 8.0 failed to detect and stop the attack at any of the three stages.”
UK Government Loses 28 Records Per Minute in 2008
by admin on Dec.29, 2008, under data security, data security trends
The Herald reports on remarks made by the Scottish National Party (SNP), who are pointing out the government's poor data security performance in 2008: it lost 13 million files, the equivalent of 28 per minute.
It is also noted that the figure includes only known high-profile cases of data loss and not smaller or unreported cases; the true figure is therefore thought to be higher. Pete Wishart, SNP Home Affairs spokesman, said: “These diabolical figures reveal a shockingly cavalier approach to data security by the Labour government”.
Many high-risk projects, such as the ID cards scheme and a single central communications database, are under pressure from groups concerned about the government's track record on data security.
Kaspersky Is Game On For Endpoint Security
by admin on Dec.22, 2008, under data security
Kaspersky, founded in 1997 and headquartered in Russia, is the latest large security player to throw its weight and experience into the Endpoint Security market.
Endpoint is an emerging market in the security field, built around the need to identify and protect sensitive data in our ever more mobile world. Symantec have already firmly established themselves in the Endpoint arena with their Endpoint Protection product.
Vnunet reports on Kaspersky’s prediction that they expect to enter the top 5 Endpoint Security vendors in 4th place behind Trend Micro by the end of the year.
Kaspersky believe that their technological investment and expertise will provide the extra value needed to become a market leader.
What Should an Endpoint Solution Include?
by admin on Dec.18, 2008, under data security, security policies
The market for endpoint protection has been rapidly evolving over the years, and out of traditional virus protection have come two new areas, namely Data Loss Prevention (DLP) and Content Monitoring and Filtering (CMF). Both of these areas have been adopted by Gartner to support their 2008 Magic Quadrant. It is clear that anti-virus and its associated companions of spam protection, phishing prevention, etc. are not enough to protect an endpoint. Large vendors try to spice up their ‘endpoint’ offerings with PC tune-ups and backups in order to maintain their price points, or as a way to expand the footprint of their software within the customer: a practice suitably described as ‘bloating out’ the customer.
It seems that the fragmentation of offerings into nebulous components is required in order for software vendors to maximise their revenue opportunity and expand their footprint within the customer to ward off competition. But how many of the multitude of products actually do what the customer needs, which is a combination of many things: to protect, manage, control, monitor and capture the vital information resident on or passing through the endpoint? I would argue that none of the current vendors, who have based their current offerings on out-dated network security models, provide what the customer really needs.
In reality, protecting data from entering or leaving an organisation begins and ends with the endpoint. It is here that thorough protection is required and where the battle is won or lost. Even if that endpoint is a laptop or a virtual desktop, the same logic applies. However, protecting only at that point won’t sell network scanning, database security and all the add-ons so frequently mentioned. In addition, if the protection is managed at the endpoint, then the need for heavy backend infrastructure is nullified.
Here is a list of functionality that true, customer-oriented endpoint protection and control should have as standard. It should include the monitoring, control and prevention of any method of moving data off the corporate network via an endpoint, such as USB sticks, CD/DVD writing, HTTP uploads, IM, email, etc. There should be targeted and configurable encryption. There should be sophisticated search facilities able to look for any text or credit card numbers, including content embedded in files nested to multiple levels and inside compressed archives. It should have inventory collection and audit capability. It should have executable protection against malicious code. It needs to have ICA filters and prevention of copying forbidden files onto the endpoint. I think you get the picture: endpoint protection is all of these in one package, not broken out separately. A customer does not know which of these he may or may not need, but all of the above attributes are required for a complete endpoint protection capability.
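The content-search requirement above, finding credit card numbers inside files nested in compressed archives, is illustrated by this added example; it is not code from the post or from any vendor mentioned. It pairs a regex with a Luhn check to cut false positives, recurses into zips inside zips with a depth limit, and refuses to inflate oversized archive members; the nested sample archive and the public test card numbers it contains are constructed here.

```python
import io, re, zipfile

# Candidates: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(data: bytes) -> list:
    """Return Luhn-valid card numbers found in a blob, separators stripped."""
    hits = []
    for m in CARD_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def scan(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Scan a blob, descending into zip archives (zips inside zips too) up to max_depth."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [(name, card) for card in find_card_numbers(data)]
    if depth >= max_depth:
        return [(name, "ARCHIVE_DEPTH_EXCEEDED")]  # flag it rather than silently skipping
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{name}/{info.filename}"
            if info.file_size > 10_000_000:  # do not inflate oversized members (bomb guard)
                findings.append((member, "MEMBER_TOO_LARGE"))
                continue
            findings.extend(scan(member, zf.read(info), depth + 1, max_depth))
    return findings

def build_sample() -> bytes:
    """Constructed input: outer.zip -> inner.zip -> cards.txt with public test card numbers."""
    text = b"Visa test 4111 1111 1111 1111, MC test 5500-0000-0000-0004, bogus 4111 1111 1111 1112."
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("cards.txt", text)
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()
```

Running `scan("outer.zip", build_sample())` reports the two Luhn-valid numbers at `outer.zip/inner.zip/cards.txt` and ignores the third, which fails the check.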
Security Policy or Security Product?
by admin on Dec.18, 2008, under data security, security policies
It is clear from meeting customers that the technology fix mentality persists in security: the belief that a product will solve all the security problems in an organisation. This misguided expectation is exploited by vendors who sell every flavour and permutation of product for each identified security flaw. The result is customers wasting a lot of money on shelfware (software that is never installed and sits on the shelf), or struggling to deploy the product effectively with no clear idea of its configuration or of the threat it addresses.
However, a simple step before buying a product fix would be to consider what security policies an organisation should reasonably implement; this would save time and money. When protecting information, it is vital to define policies that are reasonable and actionable enough to do the job. Once the policies have been set, agreed and communicated, the tool can then be matched to the policy.
So many clients buy a product that they cannot effectively use as there are no existing policies defining what the product should do. It takes time to get the product reflecting the policies. From experience, one should start with strategic policies that, at a high level, define the overarching rules of the organisation. These can then be broken down into tactical policies. From the tactical policies, the standard operating procedures can be defined and written.
In summary, a product purchase is used as an excuse for ‘doing something’ about security, but with no organisational framework defining its use.