The Endpoint Consensus
By: Darin Barton CISSP, CISA
Long Live Endpoint Security
In 2011, global leaders in IT security were quite vocal in their belief that endpoint security was dead, and in the years to follow we saw a definite shift in focus from ‘endpoints’ to ‘network’ based solutions.
I don’t believe those “global leaders” ever intended to suggest that we would no longer need security on the endpoint. Rather, they were referring to an end of strictly relying on endpoints with signature-based security and moving to beefier network-based solutions, solutions which could employ better anomaly and behavioral detection methods on a grander scale.
Within two years, it became very apparent that this strategy was not enough to protect our business networks. With the onslaught of mobile devices, virtual systems and wireless – combined with an increase in social engineering and phishing attacks – the global security market needed to quickly adapt to a new standard which combined the benefits of both network and endpoint protection models.
Now, in 2018, the death of endpoint security could not be further from the truth; not only is it alive and well, it may be a key factor in how you secure your environments going forward.
Endpoint Leading Security Models
Between 2015 and 2017 we saw significant strides toward integrated security platforms by manufacturers, including:
- Fortinet – Security Fabric
- Checkpoint – NextGen Threat Protection
- Trend Micro – Network Defense
Their goal was to create holistic and centrally managed solutions allowing all pieces to communicate with each other when malicious traffic (or an attack) was identified and then enact some type of mitigation process. While not perfect, the ability to automatically quarantine and/or control endpoints and deny their traffic from traversing VLANs was always a key piece of the solution.
These security models often incorporated (but were not limited to):
- UTM or Enterprise Firewalls
- IPS (Intrusion Prevention Systems)
- Mail Gateways and SMTP Servers
- WAF (Web Application Firewalls)
- Virtual Security
- Sandboxing (both Cloud and appliances); and,
- Endpoint Security
While not all attacks originate on the endpoint (i.e. an infected inbound email), the goal of most attacks is to compromise an endpoint to gain a foothold in the business network. While many attacks can be thwarted through network and cloud-based solutions, the most effective attacks are zero-day exploits or phishing-type attacks that trick users into visiting infected sites or clicking on malicious links. My inference is that the ability to quarantine or control an endpoint is more important now than ever.
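The integrated model described above, in which alerts from several platforms are correlated to a single endpoint and the endpoint is then quarantined and its traffic blocked from traversing other VLANs, can be sketched as a small policy engine. The following Python is an added example and is not code from the article or from any of the vendors named; the VLAN map, source weights, threshold, sample alerts and the deny-rule syntax are all constructed for illustration and do not correspond to any real product’s API.

```python
"""Added example: a minimal event-driven endpoint quarantine orchestrator.

Alerts from several hypothetical platforms (IPS, sandbox, mail gateway) are
scored per endpoint; once the score crosses a threshold the endpoint is
quarantined and deny rules are generated so its traffic cannot reach any
other VLAN. Every name, weight and sample alert here is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed VLAN map (assumption): which subnet each VLAN uses.
VLANS = {
    "users": ip_network("10.10.0.0/24"),
    "servers": ip_network("10.20.0.0/24"),
    "mgmt": ip_network("10.30.0.0/24"),
}

# Constructed weights: a sandbox verdict outweighs a single IPS signature hit.
SOURCE_WEIGHT = {"ips": 40, "sandbox": 70, "mail_gateway": 30}
QUARANTINE_THRESHOLD = 60


@dataclass
class Alert:
    source: str        # which platform raised the alert
    endpoint_ip: str   # the endpoint the alert concerns
    detail: str


@dataclass
class EndpointState:
    score: int = 0
    quarantined: bool = False
    alerts: List[Alert] = field(default_factory=list)


def vlan_of(ip: str) -> str:
    """Return the name of the VLAN whose subnet contains the address."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not in a known VLAN")


def deny_rules_for(ip: str) -> List[str]:
    """Build deny rules blocking the endpoint's traffic into every other VLAN.

    The rule text is a hypothetical, vendor-neutral ACL form."""
    home = vlan_of(ip)
    return [f"deny ip host {ip} {net.with_prefixlen}"
            for name, net in VLANS.items() if name != home]


class QuarantineOrchestrator:
    """Central policy engine: correlates alerts and enacts quarantine."""

    def __init__(self) -> None:
        self.endpoints: Dict[str, EndpointState] = {}
        self.applied_rules: List[str] = []

    def ingest(self, alert: Alert) -> EndpointState:
        state = self.endpoints.setdefault(alert.endpoint_ip, EndpointState())
        state.alerts.append(alert)
        state.score += SOURCE_WEIGHT.get(alert.source, 10)
        if state.score >= QUARANTINE_THRESHOLD and not state.quarantined:
            self.quarantine(alert.endpoint_ip)
        return state

    def quarantine(self, ip: str) -> None:
        self.endpoints[ip].quarantined = True
        self.applied_rules.extend(deny_rules_for(ip))

    def release(self, ip: str) -> None:
        """Lift quarantine after remediation, removing only this host's rules."""
        self.endpoints[ip].quarantined = False
        self.endpoints[ip].score = 0
        self.applied_rules = [r for r in self.applied_rules
                              if f"host {ip} " not in r]


def run_demo() -> QuarantineOrchestrator:
    """Feed constructed alerts through the orchestrator and return its state."""
    orch = QuarantineOrchestrator()
    # One IPS hit alone stays below threshold; the sandbox verdict tips it over.
    orch.ingest(Alert("ips", "10.10.0.25", "suspicious outbound beacon"))
    orch.ingest(Alert("sandbox", "10.10.0.25", "attachment verdict: malicious"))
    # A single mail-gateway alert on another host does not trigger quarantine.
    orch.ingest(Alert("mail_gateway", "10.10.0.40", "phishing URL in message"))
    return orch


if __name__ == "__main__":
    demo = run_demo()
    for ip, st in demo.endpoints.items():
        print(ip, "score", st.score, "quarantined", st.quarantined)
    print("\n".join(demo.applied_rules))
```

The point of the scoring step is that no single platform decides on its own: the sandbox, IPS and mail gateway each contribute evidence, and only the central engine enacts the VLAN deny rules, which is what distinguishes the holistic model from a collection of standalone products.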
Which Solutions are Best?
Selecting the right solution is heavily dependent on your business environment, your existing infrastructure, your ability to execute, staffing and experience. I always try to leverage a company’s existing security, if possible, especially if their purchases are not fully depreciated.
For example, if you already have Trend Micro Smart Protection Complete deployed on endpoints, and you can’t bear the thought of a lengthy redeployment, then take full advantage of what you have.
The Smart Protection Complete Suite is stacked with licensing for mail, web and mobile security that are industry leading and work sufficiently well. When combined with Trend Micro’s Deep Security (for virtual server/client security), Deep Discovery (for network sandboxing) and Tipping Point (for IPS) you now have a holistic solution that is difficult to beat and you’ve fully leveraged your capital expenditures. (Be aware, you must have an independent SSL inspection appliance to decrypt traffic before it is sent to your security appliances for inspection. I recommend that you look at Symantec/Bluecoat SSL Visibility or F5 Orchestrator as possible options.)
On the other hand, if you are looking to refresh your endpoints and firewalls at the same time and you want tightly integrated communications in a single platform, then a Fortinet, Checkpoint or Palo Alto solution is a solid bet.
All these solutions have UTM firewalls, sandboxing and endpoint security (at a minimum) and include an SSL inspection capability, so a third-party SSL inspection appliance is not required. Just make sure you scope your appliances properly to ensure they can handle the increased utilization required by the SSL inspection process.
When planning your cyber security strategy, it’s important to maintain a focus on your endpoints and clearly understand how they integrate with your other security platforms. Your ability to seamlessly and dynamically quarantine and control these devices is an important and necessary criterion in designing an effective solution.
- Think holistically
- Look for tight integration between endpoints and other security platforms
- Endpoint quarantine, control and management is essential
- Leverage your existing implementations as much as possible
- Ensure SSL inspection is a key part of the overall solution
Darin Barton CISSP, CISA is a senior security professional in Toronto, Canada, with 20+ years’ experience in cybersecurity and is currently employed with Access 2 Networks Inc. (A2N).