10 essential enterprise security tools (and 11 nice-to-haves)

Oct 04, 2018 | 23 mins
Cloud Security | Network Security | Security

Do you have the right tools to handle a changing threat landscape, tougher regulatory climate, and increasing IT infrastructure complexity? Here are the must-have security tools for meeting today's challenges.


If organizations are struggling to keep up with security challenges, it certainly isn’t because of a lack of available tools. Over the past two decades or so, security vendors have brought to market a bewildering array of products designed to address the challenges enterprises face from constantly evolving threat and infrastructure landscapes.

These tools perform a broad range of functions from endpoint and network protection to cloud security to identity and access control. Some are absolutely fundamental to enterprise security. Others are less so but provide important point solutions for certain organizations or infrastructures.

The following is a listing of product categories separated into two groups. The first includes the types of tools that are essential to enterprise security. The second are product types that are great to have, but in most organizations are not must-have.

Note: The products listed under each category are representative of tools in that particular class. Their inclusion in this list does not indicate the products are market leaders or are the most popular products in that particular category.

10 essential security tools

1. Network access control (NAC)

NAC products allow enterprises to enforce security policies on devices and users attempting to access their network. NAC products can help identify who is attempting to log in and from where. They also help ensure that the device being used has the needed security patches, antivirus software and other controls before granting the user role-based access to enterprise assets.

Why NACs are essential

With the growing complexity of enterprise IT infrastructures and ever-changing regulations, you need a way to know what is connecting to your network and that you are handling access rules and controls consistently. Most of the NAC vendors have had to adapt their products to better address the increased use of mobile devices, including employee-owned smartphones and tablets, and the growing number of internet of things (IoT) devices connecting to a network.

NAC products

Aruba ClearPass Policy Manager provides role and device-based network access control. Organizations can use the product to enforce security policies on corporate and personally owned devices that employees, trusted outsiders, and guests use to access their network.

ForeScout CounterACT provides enterprises a way to discover, classify and assess all devices on their network without requiring an endpoint agent on them. The technology is designed to enable instant visibility into any device that connects to an enterprise network and to enforce policy-based access control on them. It uses a combination of active scanning techniques and passive discovery and profiling to discover devices—including rogue devices—on the network.

2. Data loss protection (DLP)

DLP tools protect against sensitive data being accidentally or maliciously transmitted outside an organization. They work by monitoring network traffic for data elements that match specific characteristics or patterns—such as those associated with credit card or Social Security numbers. Administrators can use the products to alert them about sensitive data potentially egressing the network or they can use them to actively block transmission of such data. Increasingly many DLP products are designed to protect against data leaks in the cloud.
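The pattern-matching step described above, as an added example that is not from the article or any vendor's product: it scans a constructed outbound message for credit card and Social Security numbers, uses a Luhn checksum so that a digit run that merely looks like a card number does not trigger a false positive, masks what it finds, and returns either an alert or a block decision depending on the policy mode. The regexes and the policy function are assumptions made for this example.

```python
import re
from typing import List, Tuple

# Constructed outbound message used as sample input (not a real email).
SAMPLE_EMAIL = (
    "Hi, please charge card 4111 1111 1111 1111 for the invoice. "
    "Applicant SSN is 123-45-6789. "
    "Tracking ref 4111 1111 1111 1112 (not a card number)."
)

# Detection patterns for the two data types the article names. These regexes
# are assumptions made for this example, not any vendor's policy definitions.
# Card: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSN in dashed form; rejects area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Real card numbers pass it; most random digit runs that
    merely look like a card number do not, which cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_value) for each sensitive element found in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("credit_card", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group().replace("-", ""))))
    return findings


def egress_decision(text: str, mode: str = "alert") -> Tuple[str, List[Tuple[str, str]]]:
    """Policy outcome for one outbound message: 'allow' when clean, otherwise
    'alert' (log it and let it through) or 'block', depending on the mode set."""
    findings = scan(text)
    if not findings:
        return "allow", findings
    return ("block" if mode == "block" else "alert"), findings


if __name__ == "__main__":
    for mode in ("alert", "block"):
        print(mode, egress_decision(SAMPLE_EMAIL, mode))
```

Note that the SSN pattern alone is weak: any nine digits in 3-2-4 form will match, so production policies usually also require nearby keywords or a document classification before blocking.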

Why DLP tools are essential

Hackers can and will get past an organization’s defenses and gain access to data and systems. DLP tools are a key weapon to detect hacker activity once they are in. They are also critical for identifying possible insider threats by red-flagging unusual employee behavior. Recent privacy regulations that can levy significant fines if a data loss occurs only increase the value of having a good DLP solution in place.

DLP products

Symantec Data Loss Prevention is designed to protect against data leaks via endpoints, cloud apps, email and web communications. The technology ships with out-of-the-box policies that organizations can use to ensure compliance with regulations such as the EU’s General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).

McAfee DLP is part of a broader suite of data protection and encryption technologies. It protects against data leaks on the network, at the endpoint, on storage systems and in the cloud. McAfee DLP can be deployed through the company’s ePolicy Orchestrator security management platform. It supports features that allow enterprises to create an inventory of assets, categorize large volumes of unclassified data and to scan the data for policy violations.

3. Firewalls

Firewalls are purpose-built systems for filtering network traffic using rules that administrators set. Firewalls protect against malware, unauthorized logins and a variety of other security threats. Administrators can use a firewall to block traffic based on originating IP or IP range, URLs, the ports to which traffic may be headed and other criteria. The latest firewalls also do deep packet inspection, application level traffic filtering and intrusion detection and prevention.

Why firewalls are essential

While the move to the cloud is eliminating the kinds of boundaries that traditional firewalls were designed to defend, most firewall products today have evolved beyond pure perimeter defense to providing more client-side protections against some of the biggest risks including URL and attachment filtering, patch discovery, and inline patching.  

Firewall products

Fortinet FortiGate is a next-generation firewall technology that can be deployed at the network edge, in data centers, internal network segments and in the cloud. FortiGate is powered by a special-purpose security processor and can, among other things, inspect SSL for malware hiding in encrypted traffic.

Cisco Firepower NGFW Series is a family of fully integrated firewall products with capabilities for threat prevention, threat detection, application firewalling, and advanced malware protection.

4. Intrusion prevention systems (IPS)

An IPS is an inline technology that usually is deployed right behind the enterprise firewall for inspecting traffic flows and automatically dropping malicious data packets and taking other proactive action to mitigate threats. It incorporates the functions of intrusion detection systems (IDSs), which only scan networks and report on potential threats, and adds capabilities to automatically respond to anomalies based on preset rules.

Why an IPS is essential

An IPS complements a firewall or other network defense by doing deeper analysis on network traffic to identify patterns that match known threats. Having an IPS in place can significantly cut down on response time and prevent additional damage from the threat source by blocking traffic from the source address and resetting the connection.

IPS products

Cisco Next Generation IPS (NGIPS) is available in both hardware and software form factors. The products include features like Cisco’s Application Visibility and Control (AVC) technology for monitoring against application-level threats, the company’s Advanced Malware Protection (AMP) sandboxing and malware blocking capability and URL filtering.

Trend Micro TippingPoint Threat Protection System is a next-generation IPS that touts real-time detection, enforcement and remediation of threats. Key features include on-box SSL inspection, advanced threat analysis and a real-time machine learning capability for detecting evolving and short-lived threats.

5. Endpoint protection

Endpoint protection tools protect desktops, laptops and other endpoint devices against viruses, worms and a wide range of other malware and malicious activity. Tools in this category often combine traditional antivirus capabilities with antimalware protection, firewall and intrusion detection functions.

Why endpoint protection is essential

Endpoint protection tools offer both malware detection and remediation capabilities against known and unknown threats that make it past detection and prevention defenses at the network level. Many endpoint protection tools enable continuous monitoring of endpoint devices and typically can be managed centrally. In this age of ransomware, cryptomining and phishing, protection at the client layer is vitally important.

Endpoint protection products

ESET Endpoint Security combines antivirus and antimalware capabilities with web filtering, firewall and botnet protection features. The product is positioned as capable of protecting against ransomware, targeted attacks, fileless attacks and advanced persistent threats.

Symantec Endpoint Security is agent-based and integrates endpoint detection and remediation (EDR), deception and hardening against known and new threats. The technology allows organizations to deploy baits and decoys to trick attackers into revealing their presence and can limit or quarantine suspicious apps.

6. Identity and access management (IAM)

IAM products help organizations control user access to enterprise systems and data. Such products help ensure that authorized individuals are able to gain access to the right enterprise resources at the right time. Many IAM products allow organizations to control access to enterprise assets based on a user’s role in the organization.

Why IAM is essential

As companies migrate more applications and data to the cloud, traditional boundaries dissolve and perimeter protection becomes less meaningful. Identity becomes the new perimeter. That makes the ability to accurately authenticate and authorize people and devices connecting to your network a requirement.

IAM products

SailPoint Technologies IdentityIQ is an on-premise identity governance platform designed to give organizations complete visibility over users and the applications, systems and data they access. The technology integrates features that allow organizations to put controls in place to ensure that access to enterprise systems and data is always in compliance with corporate policies.

Centrify Next Gen Access is designed to help organizations control access to endpoints, applications and infrastructure. The products allow organizations to enable SSO and MFA. The technology can also be used to manage privileged user access to critical enterprise resources.

For information on more IAM products, see The best IAM software: Rating the top 10 products.

7. Cloud access security brokers (CASB)

CASBs allow organizations to enforce security policies on users accessing cloud services. CASBs can be deployed on premises or in the cloud and are placed between the cloud service provider and the cloud service user. They can be used to enforce a slew of security policies including authentication, authorization, SSO and malware detection and prevention.

Why CASBs are essential

The latest iterations of CASBs have more features and integrate better with other enterprise security tools. That’s good, because it allows CASBs to pinpoint where an organization is most vulnerable to security threats or compliance issues. They can also help organizations manage identity and authentication across multiple cloud applications.

CASB products

Netskope Security Cloud can be deployed entirely in the cloud, as an on-premise appliance, or both. Organizations can use Security Cloud to enforce policies on enterprise users accessing sanctioned or unsanctioned cloud services via a browser, desktop app or a mobile app.

McAfee Skyhigh Security Cloud gives enterprises a way to gain complete visibility over user behavior in the cloud including what apps and data they access and the context of that access. It supports features that enable real-time policy enforcement across cloud services.

8. Antimalware tools

Antimalware tools are often confused with antivirus software, though their capabilities are somewhat different. Antimalware products can protect organizations not just against viruses and worms but also against spyware, ransomware, Trojans and a range of other threats. In fact, enterprise-class antimalware tools have largely replaced standalone antivirus solutions.

Why antimalware is essential

Classic computer viruses are no longer the top threat. Ransomware and cryptomining now account for the vast majority of attacks initiated at the client level. Organizations need both antivirus and antimalware capabilities to defend against these modern threats.

Antimalware products

Kaspersky Anti-Virus works by scanning PCs for viruses, ransomware, spyware and other malicious code. Recent editions of the software can scan for drive-by cryptomining tools as well.

Webroot SecureAnywhere Business Endpoint Protection is an endpoint protection tool that can help enterprises protect against malware threats across multiple vectors including email, browsers, apps, files and URLs. The company touts an advanced behavioral heuristics capability for identifying previously unknown threats.

For information on more enterprise antimalware products, see The best antivirus software? Kaspersky, Bitdefender and Trend Micro lead in latest tests.

9. Endpoint detection and response (EDR)

EDR tools detect and remediate threats on endpoint devices. The products work by monitoring user and endpoint system activity and constantly comparing that behavior against behaviors associated with known threats.

Why EDR tools are essential

EDR is an emerging category of security products designed to augment the capabilities of traditional antivirus, antimalware and other endpoint protection products. The goal is to help organizations more quickly detect endpoint threats and to provide information that can help them more quickly mitigate those threats.

EDR products

SentinelOne EDR integrates functions for endpoint threat protection, detection, response and remediation. SentinelOne’s endpoint agent uses a static AI engine that is designed to block malware threats before they execute on the endpoint.

CrowdStrike Falcon Insight continuously monitors and records activities on the endpoint and is designed to spot indicators of attack that other security controls might have missed. When an attack is detected, the tool can take actions like automatically stopping malicious processes, deleting corrupted files and containing traffic.

10. Mobile threat defense

Mobile threat defense products assist organizations in protecting mobile devices from the same kinds of threats that have plagued desktop systems for years, such as viruses, worms, ransomware, phishing, spyware and data loss. Gartner has described products in this class as needing to protect mobile devices at the application level, the network level and the device level.

Why mobile threat defense is essential

Nearly all organizations struggle with managing the mobile devices that connect to their networks—both those they own and those their employees own. An enterprise mobility management (EMM) or mobile device management (MDM) solution will not have the same security detection and prevention capabilities as a mobile threat defense tool. Without those capabilities, mobile devices are a soft vector through which hackers can gain access to a network.

Mobile threat defense products

Wandera continuously scans apps installed on a mobile device for signs of malware or other malicious activity. It compares the data from such scans with data collected from billions of other endpoints to identify threats. Wandera's product also protects against attempted malware downloads, phishing attempts and other threats at the network level.

Zimperium zIPS Mobile Intrusion Prevention System is an intrusion prevention system designed to protect Android and iOS devices against mobile attacks at the device, network and application layers. zIPS monitors the entire mobile device for malicious activity and uses machine learning to analyze any deviations from the device's normal behavior.

The nice-to-haves

1. Security information and event management (SIEM)

SIEM tools help organizations aggregate, correlate and analyze logs and security event data from security systems, computer and network devices, applications, databases and other sources across the enterprise network. The tools can enable early threat detection and help organizations investigate and respond to incidents and ensure compliance with regulatory requirements for log retention and management.

Why you might need a SIEM product

SIEM is used mostly in larger organizations or public companies where its centralized management and reporting capabilities help with regulatory compliance. The price point for SIEM products tends to be high, so many smaller companies can’t afford it.

SIEM products

Splunk Enterprise Security is an analytics-driven SIEM product that enables real-time visibility into the security status of an organization's network. The technology supports a 'correlation searches' feature that administrators can configure so they are alerted on any events that meet specific static and dynamic thresholds.

LogRhythm NextGen SIEM collects and correlates a broader set of forensic data than SIEM products that focus on collecting mostly exception-based data. The technology uses behavioral- and scenario-based analytics to help organizations reduce the mean time to detect security incidents and to respond to them. Security organizations can use the platform to track their mean time to detect incidents and mean time to respond to them so they can monitor how well they are doing.
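The aggregation and correlation described in this section, as an added example that is not from the article or from any SIEM vendor: it parses constructed SSH authentication events, applies a static threshold rule (many failures from one source in a sliding window), correlates two event types (an accepted login right after a burst of failures from the same source), and applies a dynamic threshold built from a per-user baseline (mean plus k standard deviations of past daily failure counts). The log format, the history table and the thresholds are assumptions made for this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed SSH authentication events in a syslog-like format (not real logs).
SAMPLE_LOGS = """\
2018-10-04T09:00:01 sshd[101]: Failed password for alice from 203.0.113.7
2018-10-04T09:00:09 sshd[101]: Failed password for bob from 203.0.113.7
2018-10-04T09:00:20 sshd[102]: Failed password for carol from 203.0.113.7
2018-10-04T09:00:31 sshd[102]: Failed password for dave from 203.0.113.7
2018-10-04T09:00:45 sshd[103]: Failed password for erin from 203.0.113.7
2018-10-04T09:01:02 sshd[103]: Failed password for bob from 203.0.113.7
2018-10-04T09:01:30 sshd[104]: Accepted password for bob from 203.0.113.7
2018-10-04T09:03:11 sshd[105]: Failed password for alice from 198.51.100.5
2018-10-04T09:03:40 sshd[106]: Accepted password for alice from 198.51.100.5
"""

# Constructed per-user history of daily failed-login counts (the baseline)
# and today's counts, as a SIEM would have aggregated them over time.
HISTORY = {"alice": [0, 1, 0, 1, 0], "bob": [2, 1, 3, 2, 2]}
TODAY = {"alice": 1, "bob": 12}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\w+) from (?P<src>[\d.]+)$"
)


def parse(text: str) -> List[dict]:
    """Normalize raw lines into event dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def static_rule(events: List[dict], threshold: int = 5,
                window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Static threshold: at least `threshold` failed logins from one source
    inside a sliding window. Returns source -> peak count seen in a window."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_src[e["src"]].append(e["ts"])
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


def success_after_failures(events: List[dict], threshold: int = 5,
                           window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, int]]:
    """Correlation across event types: an accepted login from a source that just
    produced `threshold` failures is more significant than either event alone."""
    alerts = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        prior = [f for f in events
                 if f["result"] == "Failed" and f["src"] == e["src"]
                 and e["ts"] - window <= f["ts"] <= e["ts"]]
        if len(prior) >= threshold:
            alerts.append((e["src"], e["user"], len(prior)))
    return alerts


def dynamic_rule(history: Dict[str, List[int]], today: Dict[str, int],
                 k: float = 3.0, floor: int = 5) -> Dict[str, float]:
    """Dynamic threshold: per-user baseline from past daily counts; alert when
    today's count exceeds mean + k * stdev. The floor stops a very quiet
    baseline from alerting on one or two failures. Returns user -> limit used."""
    alerts = {}
    for user, count in today.items():
        base = history.get(user, [])
        if len(base) < 2:
            continue                # not enough history to build a baseline
        limit = statistics.mean(base) + k * statistics.stdev(base)
        if count > max(limit, floor):
            alerts[user] = round(limit, 2)
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print("static:", static_rule(evs))
    print("correlated:", success_after_failures(evs))
    print("dynamic:", dynamic_rule(HISTORY, TODAY))
```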

2. Web content filtering

Content filtering appliances and software enable organizations to enforce policies restricting access to websites and content deemed inappropriate, offensive or illegal. The tools can also be used to control access to bandwidth-hogging sites and services.

Why you might need a web content filtering tool

Many organizations use such tools to block access to content and sites that might be considered as impacting productivity such as social media sites or sports sites. Organizations often deploy web content filtering to comply with an industry or regulatory requirement.

Web content filtering products

Forcepoint URL Filtering allows organizations to block or control access to web content using over 120 security and content categories. The technology supports the creation of custom filters for permitting or denying access to users on a timed or a permanent basis.

Barracuda Web Security Gateway can be used to restrict access to sites and content, based on organizational policies. The content filtering function is part of a broader suite of web security and management capabilities that include anti-spyware, malware and virus protection.

3. Authorization software

Authorization software products are used to grant individuals rights and permission to enterprise systems based on their identities. While an authentication system confirms the identity of an individual, an authorization tool uses that identity to determine and grant the user the appropriate rights and permissions.

Why you might need authorization software

Such tools help organizations establish fine-grained and context-aware access control and among other things enforce policies for separation of duties.

Authorization software products

Axiomatics Dynamic Authorization Suite can be used to implement dynamic authorization for business applications, APIs and microservices to big data repositories and in the cloud. A set of reporting and governing tools allow organizations to ensure that policies in place for meeting compliance requirements are in fact delivering the desired results.

Oracle Entitlements Server (OES) is designed to enable policy-driven, real-time authorization in application, database and service oriented architecture environments. Organizations can use it to centrally define application entitlements and then enforce the access policies either centrally or in a distributed fashion.

4. Endpoint encryption

Endpoint encryption tools can be used to encrypt sensitive data on desktop computers, laptops and other endpoint devices. Some products also support encryption of sensitive data on removable media, USB drives and SD cards. Endpoint encryption products typically support both full disk encryption and file-level encryption capabilities.

Why you might need endpoint encryption

If you have valuable data or intellectual property stored on endpoint devices, then you need to do more than trust your network or cloud security measures to keep bad actors from taking them. Encrypting important files at the device level means that they are useless to hackers if they gain access to them.

Endpoint encryption products

Check Point Full Disk Encryption Software Blade encrypts user data, operating system files, temporary files and even erased files on a disk. The encryption is certified to Federal Information Processing Standards (FIPS), which means it is approved for use within the US federal government.

Sophos SafeGuard Encryption offers full-disk encryption using Microsoft BitLocker and Mac FileVault. It also can be used to encrypt files individually. The technology encrypts data as soon as it is created and supports an always-on Synchronized Encryption capability that continuously validates the user, application and device integrity before enabling access to encrypted data.

5. Virtualization security

Virtualization security products can help organizations monitor and secure virtualized environments and software-defined infrastructure against malware and other threats. The products can help organizations get better visibility into and control over virtual and software-defined environments.

Why you might need virtualization security

Obviously, if you run virtualized environments, you need a security infrastructure to match. Traditional approaches and tools won’t adequately protect you. Virtualization security tools provide controls and processes at each virtual machine. They also allow for setting consistent security policies across the virtual environment.

Virtualization security products

Bitdefender GravityZone is engineered for deployment in virtualized environments. Companies can use it to manage security on on-premises and cloud-based virtual machines via a single console and without the need for multiple agents on the VMs.

Hytrust Cloud Control is an access control, forensic logging and policy enforcement product for VMware environments. It ensures that hypervisor administrators are only allowed to take approved actions and to block actions that are not approved. The technology can be used to enforce policies where secondary approval might be needed for certain particularly impactful actions.

6. User activity monitoring

User activity monitoring tools enable administrators to monitor user behavior on enterprise systems and networks. Products in this category enable user activity monitoring through log collection and analysis, keystroke logging, video recording and other means.

Why you might need user activity monitoring

Any organization at high risk for insider threats or compromised privileged user accounts needs to be on the lookout for the appropriate red flags. Such tools can be used to monitor for any kind of malicious behavior on corporate endpoints and networks. Enterprises typically use such tools to detect insider threats, both accidental and malicious.

User activity monitoring products

Veriato Employee Monitoring Software supports a variety of options for tracking and monitoring user activity including via screen recording, web activity-monitoring, file and document tracking and keystroke logging.

ObserveIT Insider Threat Detection and Prevention helps enterprises identify risky insider behavior by monitoring and auditing all user actions on enterprise systems. Organizations can detect anomalous behavior using hundreds of out-of-the-box insider threat indicators and enable alerts based on risky activity.

7. Enterprise password managers

Password managers help ensure that users have strong, unique passwords controlling access to enterprise accounts. Password managers typically store the passwords securely in encrypted fashion and help enforce policies for strong passwords, shared accounts and for provisioning and de-provisioning users. Many enterprise password managers integrate with Active Directory and other user directories and offer centralized administration capabilities.

Why you might need an enterprise password manager

Many companies look to SSO to help their employees and admins escape password hell. However, SSO typically leaves gaps. For example, not all cloud applications can easily be brought into an SSO solution. An enterprise password manager can help employees maintain good password practices while reducing the stress level of admins tasked with enforcing those practices.

Enterprise password management products

CyberArk Enterprise Password Vault is a specialized enterprise password manager designed specifically for managing and monitoring access to privileged accounts such as those used by database and network administrators. The Enterprise Password Vault assists enterprises in securing, rotating and controlling access to privileged account passwords and SSH keys based on enterprise policy and compliance requirements.

LastPass Enterprise integrates with Active Directory and other directories such as Okta and Microsoft Azure AD to assist organizations in areas such as account creation, group management and user account termination. Administrators can use it to centralize password management functions, control shared access and implement multifactor authentication.

8. Endpoint compliance

Organizations can use endpoint compliance tools to ensure that the desktops, laptops and other endpoint devices used by their employees are compliant with requirements for patching, antivirus updates, operating system versions, group policies, USB settings and a wide range of other security controls.

Several tools in this category allow administrators to gain and maintain real-time visibility over their endpoint environment and, in some cases, enable automated remediation of non-compliant devices.

Why you might need endpoint compliance

Heavily regulated industries such as finance, government or healthcare must ensure compliance at all levels of their infrastructure. Endpoint compliance tools can help make sure all the connected user devices—often the most difficult to manage—comply.

Endpoint compliance products

Trustwave Endpoint Protection Suite is part of a broader cloud-hosted endpoint protection service that integrates anti-malware, policy enforcement and compliance management services. The compliance function is designed to assist organizations covered under the PCI Data Security Standard to meet requirements for endpoint security.

Accelerite Sentient assists enterprises in discovering both managed and unmanaged endpoint devices on their network and to run vulnerability scans on them to assess their compliance with relevant requirements. Organizations can use Accelerite Sentient to perform a risk assessment of their endpoint environment so they can identify issues that need mitigation.

9. Security incident response

Incident response (IR) tools assist organizations in understanding the events that might have resulted in a security incident so they can formulate an effective response to it. Incident response tools can be quite varied in capabilities. Typically, such tools automate key tasks associated with incident response such as searching for indicators of compromise (IoCs) and other artifacts of an attack, imaging infected systems for forensics analysis, and blocking or taking offline compromised systems to mitigate attack damage.

Why you might need a security IR tool

Any company at high risk of a targeted attack can benefit from implementing an IR tool, but those in highly regulated industries have more incentive. A good IR tool will help meet requirements for responding to and reporting on breaches and other incidents.

Security IR products

Swimlane Security Orchestration and Response (SOAR) aggregates security information and event data from heterogeneous security systems and automatically acts upon any alerts it receives using an automated workflow. The system centralizes data in a single screen that allows analysts to more easily analyze and interact with all data related to an incident.

Carbon Black CB Response assists enterprises in capturing a wide range of information on endpoint security events so incident responders have a clear understanding of what might have happened. The information includes a complete data record of both online and offline systems making it possible for responders to visualize how an event might have played out and to uncover the root cause for it.

10. Container security

The growing adoption of microservices and cloud-native applications is driving the need for products capable of detecting and mitigating security threats and vulnerabilities in these environments. Container security products are designed to assist organizations in exerting more control over the security of container images and to ensure the images are in compliance with organizational requirements. Such tools are optimized to deal with the short-lived nature of containers.

Why you might need container security tools

Securing containers and microservices with traditional security tools simply will not work. Traditional tools are not designed for the level of granularity at which containers work, their speed of deployment, or the data traffic volume they generate. If you use containers and microservices, you must use security tools designed for them.

Container security products

Twistlock Container Cybersecurity Platform is positioned as suitable for securing containers in Docker, Kubernetes and other cloud-native environments. It provides a range of vulnerability management, run-time defense, firewall, and compliance management capabilities for use through the entire software development lifecycle.

Container Security supports DevOps by enabling end-to-end visibility into Docker container images. DevOps teams can integrate the technology into the build process and use it to detect malware, vulnerabilities and policy violations in Docker images.

11. Cloud workload security

Cloud workload security products are more broadly focused than container security tools in that they assist enterprises in protecting workloads not just in containers but on any cloud instance. Products in this class are geared toward helping organizations detect vulnerabilities, protect against malware and intrusion attempts and ensure that cloud workloads are being protected in compliance with required standards.

Why you might need a cloud workload security tool

If a significant amount of your IT infrastructure is run in the cloud, you should consider a cloud workload security solution even if it’s hosted by a leading provider. The more varied the workloads you run—for example, a combination of web servers, containers or Hadoop nodes—the more you need a workload tool to manage and secure your cloud instance.

Cloud workload security products

CloudPassage Halo Cloud Secure is part of CloudPassage's broader Halo security portfolio. Organizations can use the workload protection service to assess the attack surface of their cloud workloads, identify vulnerabilities and manage local access controls on the servers hosting their data. The service helps detect policy violations, configuration changes and other issues that might weaken workload security.

Dome9 Compliance Engine is designed to help organizations continuously monitor cloud workloads running on AWS, Microsoft Azure, Google Cloud and multi-cloud settings. The hosted service helps organizations assess their compliance status, identify issues that may be putting that status at risk and fix those issues in place.