Endpoint Security Technology Nirvana

For years, endpoint security was defined by antivirus software and a few leading vendors like Kaspersky Lab, McAfee (Intel Security), Sophos, Symantec, and Trend Micro, and Webroot.  This perception has changed over the past few years.  CISOs are now demanding endpoint profiling, advanced threat detection, and forensic capabilities opening the door for other vendors like Bit9/Carbon Black, Cisco, Confer, Digital Guardian, FireEye, ForeScout, Hexis Cyber Solutions, Great Bay Software, Guidance Software, Invincea, Palo Alto, RSA, SentinelOne, Tanium, etc.

Yup, endpoint security is in-play again, but software implementation is leading to yet another IT and security issue as organizations install multiple agents on endpoints and add a plethora of management systems for centralized control of each endpoint security function.  In this scenario, organizations are addressing IT risk while adding operational complexity at the same time – far from an ideal situation.

Is there any way to improve security without creating endpoint security chaos?  Yes, with an integrated endpoint security suite that covers the whole cybersecurity enchilada.  Now I would contend that no one vendor can offer this today but security professionals would certainly buy it if it were available.  According to ESG research, 58% of enterprise security professionals would prefer a comprehensive endpoint security suite from a single vendor rather than purchase, install, and operate an assortment of best-of-breed point tools (note: I am an ESG employee).

So there is a multi-billion dollar opportunity out there for a comprehensive endpoint security suite and yet no vendor can offer this today.  Hmm, just what would this type of suite look like?  In my humble opinion, a full-featured endpoint security suite would need the following:

• A wide assortment of prevention capabilities.  Endpoint security must include preventative functionality such as standard AV, browser sandboxing, application controls, firewall/HIPS, reputation services, and dynamic rule generation based upon the latest threat intelligence.  These capabilities combine device-based agents with cloud intelligence. 
• Device protection.  I’m thinking of things like port blocking and full-disk encryption.  Basic stuff to safeguard the device and enforce acceptable use policies.
• Functionality for detection and response.  Prevention controls must be supplemented with things like static/dynamic file analysis, behavioral heuristics, and endpoint forensic capture/analysis.  Aside from real-time detection, endpoint security should also include retrospective capabilities to flag files that were originally classified as benign but later discovered to be malicious.  Finally, endpoint security must offer granular remediation, allowing security and IT operations team to clean up systems with confidence rather than re-image every infected machine.
• Data security controls.  It would be really nice if endpoint security included some DRM or rights management functionality.  Things like sensitive data discovery, classification, usage enforcement, file-level encryption, etc.
• Endpoint profiling.  This is a risk management requirement that provides wide-ranging endpoint visibility for the security team – things like detailed real-time data on asset management, configuration management, and vulnerability management for all endpoints on the network.  Think continuous monitoring and real-time query capabilities in order to identify and respond to changes in IT risks.
• Password vaulting.  A secure password vault would certainly make life easier for users and would also reduce password resets easing the burden of help desk personnel.
• Some type of PC backup.  As long as we are creating a super product here, including backup makes sense to me.

Now product functionality is important, but this type of super endpoint security suite would also have to accommodate the nuances of IT organizations and industry trends.  This would require:

• Role-based access control and customized GUIs.  My theoretical endpoint security suite would be accessed and managed by a bunch of different IT and security roles including compliance managers, line-of-business managers, security analysts, and IT operations staff.  Each of these groups will need secure and secure role-based access controls and customized management portals/GUIs to use the endpoint security suite for their particular needs.  In other words, one product but many profiles for various administrators and tasks.
• An open and standards-based design.  Even fully-functional endpoint security will need to interface with other IT and security systems, so product suites should include open APIs, message buses, and support for common scripting.  It would also be nice if security telemetry was presented in a standard format like STIX/TAXII.
• A modular design.  Since it’s almost impossible to simply “rip-and-replace” everything at once, comprehensive endpoint security suites must be designed so they can be consumed in digestible chunks while providing an upgrade path for additional modules over time.  This will allow enterprise organizations to start by addressing their biggest pain-points and progress from there. 
• Strong ties with identity management.  To enforce security policies, individual devices must be equated with individuals AND offer strong authentication credentials of their own.  To make this happen, endpoint security suites would likely interoperate with Active Directory and/or cloud-based IAM services and include device identity capabilities using TPM chips, X.509 certificates, or support for the FIDO specification.
• On-board intelligence.  I know I’m reaching for the moon here but it would be nice if endpoint security suites could learn about device functionality and behavior and then apply the right security controls automatically.  For example, endpoint security would understand that an endpoint acting as a POS device would benefit from application controls and specific firewall settings and then apply these controls without human intervention. 

Even in the best of circumstances, my endpoint security suite nirvana would be a strategic initiative that would likely take a few years to roll out.  Given this, endpoint security suite vendors would need an enterprise-class sales force that can sell strategic solutions to “C-level” executives, and professional services to help organizations deploy these super endpoint security suites in phases over time.