Endpoint Protection

Tag: data protection

Economic cuts threaten information security

by Rupert Beeby on Jul.30, 2010, under Endpoint Software Packages, Industry News, data security, security policies

First it was the cuts in private sector firms and now it is the public sector. The easiest and quickest cuts that make a difference to the bottom line are to remove people, who are usually the largest cost item. Sadly, redundancy is now a major occurrence in a working life. I know of many capable, intelligent and hard-working people who have been made redundant two or three times in their lives, sometimes more. It is increasingly a tool of organisations to quickly get rid of people. In general, redundancy is never executed against the legal guidelines, which results in court cases and compromise agreements.

So what has all this to do with Information Security? The removal of staff from an organisation is currently the biggest threat to an organisation’s information. Redundancy, or whatever method is used, can result in animosity, resentment, and malicious intent on the part of the former employee. Of course most organisations are understanding and sensitive to employees and most follow the rules. However, sales of DLP software have been rising and the most cited reason for purchase is protection of contact databases, intellectual property and sales information from disgruntled employees.

The threat is real and active, and who knows how much critical information has been taken by upset and revengeful employees without anyone knowing. Please add any comments to this post on your experiences of cost cutting and data loss.

Protect Data or Get Fined

by Rupert Beeby on Nov.17, 2009, under Government, Industry News, data security, data security trends

The Information Commissioner’s Office (ICO), or the privacy watchdog, has published figures on data breaches that make disturbing reading. What’s more is that the ICO is getting so concerned that it will be introducing fines on companies and public bodies that recklessly or deliberately break the rules. Fines up to half a million may be imposed on losses of information. In total, 434 organisations reported data security breaches in the past 12 months, up from 277 the year before. This is what Deputy information commissioner David Smith said: “The majority of organisations get data protection right, but regrettably a significant minority of management teams are failing to take data protection seriously enough. Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Far too much personal data is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks, and other portable media.”

Well what a surprise! But what is really interesting and scary is that there are fines coming! But I thought that if you breached the Data Protection Act then you would be fined or sued anyway. However, what is clear is that this affects all businesses; large or small; SMB or large multinationals. So Data Loss Prevention is for all organisations that have personal data stored but it is not sufficient to just use device control, the ICO is saying any data loss from any channel! So does that mean that first generation products that really only do encryption and device control will be replaced by the second generation products that provide device, IM, and all the goodies? I think this is a call to action for vendors to smarten up their act and work with others to gain functionality rather than buy and try to integrate. You can read some more here http://news.bbc.co.uk/1/hi/uk_politics/8354655.stm

Conficker needs application control

by Rupert Beeby on Oct.13, 2009, under Endpoint Software Packages, Industry News, data security, data security trends

Latest reports on Conficker infections include not only Ealing Council (see previous post) but also Oxford Brookes University, Manchester City Council and Whipps Cross University Hospital NHS Trust. Prior to this, the Houses of Parliament and Ministry of Defence were infected.

So AV has been proved to be powerless with this worm and even the DLP vendors do not have any defence as they tend to focus on information passing out of the organisation. Application control should be a part of a DLP solution to stop worms from running and spreading to the rest of the organisation. In most cases it is not, as AV and most DLP is focused internally, not at the endpoint, which is the highest risk. Maybe Windows 7 will save us, but how many will implement the application control features and AV and DLP? Not many, I fear. Take a look at our sponsor’s product, which if implemented will protect against zero day attacks and Conficker worms as well as the normal DLP features.

ESET Named To Magic Quadrant For Endpoint Protection Platforms

by Sion Camilleri on May.13, 2009, under Endpoint Software Packages

7th Space reports ESET, the leader in proactive threat protection, has been included in leading analyst firm Gartner’s “Magic Quadrant for Endpoint Protection Platforms,” published May 4, 2009.

 

| Comprehensive Protection | ESET | Symantec | McAfee | Trend | Kaspersky |
|---|---|---|---|---|---|
| VB100 Awards for Detection of All In-the-Wild Viruses in the VB Test Sets Without Any False-Alarms (virusbulletin.com, May 1998 - April 2009) | 55 | 49 | 38 | 16 | 45 |
| Advanced+ Awards, Tests of Proactive and On-Demand Detection (AV-Comparatives.org, May 2005 - November 2008), Advanced+/Advanced/Standard | 13/2/0 | 6/4/5 | 2/10/3 | 0/0/3 | 9/3/3 |
| Missed In-the-Wild Viruses in Virus Bulletin Tests between May 1998 and April 2009 (virusbulletin.com), On-Access / On-Demand | 0 / 0 | 29 / 2 | 64 / 71 | 70 / 68 | 34 / 16 |
| Proactive Detection | | | | | |
| Proactive Protection by AV-Comparatives (May 2008) | 57% | 14%* | 32% | No Data | 21% |
| Proactive Test by AV-Test.org on 1-Month Old Signatures (January 2008) | 68% | 26%* | 30% | 27% | 24% |
| Performance Advantages | | | | | |
| Boot Time Overhead Percentage by AV-Comparatives (November 2008) | 12% | 26% | 70% | No Data | 108% |
| File Access Lag Time (virusbulletin.com; August 2008) | 0.02 MB/s | 0.04 MB/s | 0.08 MB/s | No Data | 0.04 MB/s |
| Commit Charge (Clean Systems, West Coast Labs; September 2008) | 100.63 MB | 186.3 MB | 157.93 MB | No Data | 156.12 MB |
| Application Startup Time (Internet Explorer, West Coast Labs; September 2008) | 1.94 seconds | 3.1 seconds | 3.74 seconds | No Data | 2.17 seconds |
| Boot Times (West Coast Labs; September 2008) | 157 seconds | 229 seconds | 187 seconds | No Data | 168 seconds |

* Norton AV

ESET is the only company with over 50 VB100 awards and continues to lead the industry with the highest detection rates and zero false positives - the winning formula in malware protection.

Built-in encryption is the future of storage

by Sion Camilleri on May.11, 2009, under data security, data security trends

SC Magazine reports: Information security professionals need to develop a plan. Many have no idea that TCG even exists, he says, but this is no longer acceptable. “Since laptops and desktop PCs will come with encryption ‘baked in’, it is incumbent upon IT and endpoint management and security teams to create a plan for phasing in systems with self-encrypting drives and to phase out encryption software over time.”

Safend Safeguards At The Endpoint

by Sion Camilleri on May.11, 2009, under Endpoint Software Packages, data security

Information Week reports: We start our Rolling Review of data loss prevention products with Safend Protector Endpoint, the lone entry in our DLP mix whose primary emphasis is endpoint security. The other players have strong DLP capabilities at both the network level and the endpoint, but we wanted to include a company that operates exclusively in the endpoint market because not all IT shops want, or can afford, a soup-to-nuts system from the likes of RSA, Websense, or Symantec (NSDQ: SYMC).

Regardless of how large or complex your organization is, battling data loss threats must start with an emphasis on the endpoint. Safend estimates that 60% of corporate data resides on endpoints, and that’s where Safend Protector Endpoint aims its DLP resources.

Data Encryption By UK Businesses Shows Slow Growth

by admin on Mar.20, 2009, under data security trends

SC magazine reports on a survey by Checkpoint regarding the growth and implementation of encryption technologies among UK businesses.

The results showed a small growth of just one percent since November 2007. Just under half of the survey participants said that they had implemented encryption and the rest were without any level of data encryption.

Given the high-profile data losses of public organisations over this period, the importance of data security seems to be of a lower priority, perhaps when compared with the current financial and market issues facing many businesses.

Equally, the implications of poor data security practices and the potential threat this poses to business are not well understood. As business moves into further reliance on data-centric services, vendors may see more reactionary responses to crisis rather than a proactive understanding from businesses.

Symantec Releases Endpoint Encryption 7.0

by admin on Jan.27, 2009, under Endpoint Software Packages

Symantec have released Endpoint Encryption 7. eChannelLine reports that the product is aimed at providing advanced encryption for desktops, laptops and portable storage devices.

Symantec have designed the product to fit in with a wide variety of configurations among its larger enterprise customers. Support is provided for non-domain customers such as Novell eDirectory clients. These users should be able to have a single sign-on experience in a similar way to that of Windows clients.

Group policies are implemented so that, for example, CDs burned for use in a closed group of users will only be accessible to members of that group.

Administrators can administer encryption to hard drives for protection of sensitive data when lost or stolen. Symantec is releasing three versions of the software with the full version costing around $110 per seat.

What Should an Endpoint Solution Include?

by admin on Dec.18, 2008, under data security, security policies

The market for endpoint protection has been rapidly evolving over the years, and emerging from the traditional virus protection have come two new areas, namely Data Loss Prevention (DLP) and Content Monitoring and Filtering (CMF). Both these areas have been adopted by Gartner to support their 2008 Magic Quadrant. It is clear that anti-virus and its associated companions of spam protection, phishing prevention, etc. is not enough to protect an endpoint. Large vendors try to spice up their ‘endpoint’ offerings with PC tune ups and backups in order to maintain their price points or as a way to expand the footprint of software into the customer. A term suitably named as ‘bloating’ out the customer.

It seems that the fragmentation into nebulous components of offerings is required in order for software vendors to maximise their revenue opportunity and to expand their footprint within the customer to ward off competition. But how many of the multitude of products actually do what the customer needs, which is a combination of many things in order to protect, manage, control, monitor, capture the vital information resident on or passing through the endpoint? I would argue that none of the current vendors who have based their current offerings on out-dated network security models provide what the customer really needs.

In reality, protecting data from entering or leaving an organisation begins and ends with the endpoint. It is here that thorough protection is required and where the battle is won or lost. Even if that endpoint is a laptop or a virtual desktop then the same logic applies. However, just protecting at the point won’t sell network scanning, database security and all the add-ons so frequently mentioned. In addition if the protection is managed at the endpoint then the need for heavy backend infrastructure is nullified.

Here is a list of functionality that true, customer-oriented endpoint protection and control should have as standard. Included should be the monitoring, control and prevention of any method of moving data off the corporate network via an endpoint such as USB sticks, CD/DVD writing, HTTP uploads, IM, email, etc. There should be targeted and configurable encryption. There should be sophisticated search facilities to look for any text, credit card numbers, whether embedded in files to multiple and compressed levels. It should have inventory collection, audit capability and collection. It should have executable protection for malicious code. It needs to have ICA filters, prevention of copying forbidden files onto the endpoint. I think you get the picture that endpoint protection is all of these in one package, not broken out separately. A customer does not know which of these he may need or not need but all of the above attributes are required for a complete endpoint protection capability.

Security Policy or Security Product?

by admin on Dec.18, 2008, under data security, security policies

It is clear from meeting customers that the technology fix continues with security - the belief that a product will solve all the security problems in an organisation. This misguided expectation is exploited by vendors who sell every flavour and permutation for each identified security flaw. This results in customers wasting a lot of money on shelfware (software that is never installed and sits on the shelf) or problems trying to effectively deploy the product with no clear idea of configuration or threat.

However, a simple consideration before buying a product fix could be to consider what security policies an organisation should reasonably implement, which would then save time and money. With protection of information, it is vital to define the policies that are reasonable and actionable to do the job. Once the policies have been set, agreed and communicated then the tool can be matched to the policy.

So many clients buy a product that they cannot effectively use as there are no existing policies defining what the product should do. It takes time to get the product reflecting the policies. From experience, one should start with strategic policies that, at a high level, define the overarching rules of the organisation. These can then be broken down into tactical policies. From the tactical policies, the standard operating procedures can be defined and written.

In summary, product purchase is used as an excuse for ‘doing something’ with security but with no organisational framework defining its use.
