Wednesday, June 27, 2007

End Point Security, how far should you go?

Every time a new security concern emerges within the IT industry, security vendors present products that claim to address the problem.

Once the main commodity security products had established themselves, along came VPNs, then SSL VPNs, and following some major scandals, regulatory compliance. Most recently, vendors have begun offering products to address customers’ needs for a Network Access Control (NAC) solution - but does this satisfy the need for comprehensive endpoint security?

Endpoint security should cover all aspects of activity at the endpoint and address both hidden potential threats and actual weaknesses that could result in a security breach. Many vendors offer products that resolve specific security issues related to the endpoint, and describe these as ‘endpoint security’ solutions. However, this is misleading for customers: for example, vendors offering products that control the use of memory sticks, digital cameras or any other type of USB memory device are not offering endpoint security, they are offering device control.

If this is claimed to prevent classified information leaving the organisation, customers are further misled, because copying to a removable device is only one of several exit routes: the same data can leave by e-mail, web upload or print just as easily. The same applies to vendors offering application control products: applications are just one category of security threat that may occur on an endpoint; even in networks that lock down installations so that only approved applications may be installed, the endpoint remains open to other security breaches.

Combining commodity security products such as personal firewalls, anti-virus and behavioural IDS/IPS does not constitute an endpoint security solution. These products should be obligatory for any security-savvy organisation wanting to keep its network safe, but they are the baseline, not the whole. The endpoint security layer needs to cover the less-monitored activity on the machine: running processes, services and their configurations, and the start-up entries that launch with the OS, as well as the more obvious application and device control.

Add to the mix some form of change control that can identify a bypassed proxy or a disabled group policy, plus the ability to detect multiple simultaneous network connections from a single PC (for example a wireless link active while the machine is plugged into the LAN, which bridges the LAN to an outside network), and one is closer to a full view of an endpoint’s activity throughout its connection to the network. A comprehensive solution must also have remediation capabilities to minimise the impact on administrators managing the company endpoints. A product that identifies problems but does not offer remediation cannot be considered a complete solution.

An endpoint security solution must address all aspects of misuse, misconfiguration and malicious activity. Most NAC products describe quarantining endpoints that do not conform to company policy (without necessarily offering any immediate remediation). They also require that each endpoint meets a specific set of security requirements and shows a clean bill of health, free of malware infections, before being allowed to join the network.

The problem is that, quite apart from the fact that the checks offered are not sufficient to provide a complete picture of the endpoint’s security status, they are almost always performed only when the endpoint joins the network. Anything that changes afterwards (a service stopped, a start-up entry added, a proxy setting altered) goes unnoticed until the next admission check. So, while NAC has its benefits and provides a valuable barrier that keeps infected endpoints from joining an otherwise clean network, it is only a small part of endpoint security, especially for endpoints fixed inside the network that may not log off at the end of a day. Unless a NAC solution offers complete endpoint security functionality on a continuous basis, it must be seen as a separate product that merely complements endpoint security.
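The checks listed above (start-up entries and services under change control, a bypassed proxy, a disabled group policy, a wireless link active alongside the wired LAN) only earn their keep if they run continuously rather than once at admission time. The following is an added example, not code from the original post or from any vendor product: a posture checker that diffs a fresh snapshot of the endpoint against an approved baseline and returns a list of findings. The `Snapshot` layout, the service and host names, and the sample data are all constructed for illustration; a real agent would populate the snapshot from the OS (Run keys, the service manager, proxy settings, gpresult, the interface table) and run `check_posture` every polling interval.

```python
from dataclasses import dataclass


# Snapshot of the state an endpoint agent collects each polling interval.
# The field layout is an assumption for this example, not a vendor schema.
@dataclass
class Snapshot:
    autostart: dict    # entry name -> command line launched at boot/logon
    services: dict     # service name -> (start_type, is_running)
    proxy: dict        # {"enabled": bool, "server": str, "bypass": set of hosts}
    gp_applied: bool   # last group-policy refresh succeeded
    interfaces: list   # dicts with keys: name, kind (wired/wireless/vpn), up, ipv4


# Services the policy says must stay enabled and running (assumed names).
REQUIRED_SERVICES = {"EndpointFirewall", "AntiVirus"}


def check_posture(baseline: Snapshot, current: Snapshot) -> list:
    """Compare a fresh snapshot against the approved baseline and return
    human-readable findings. An empty list means the endpoint is still compliant."""
    findings = []

    # 1. Change control on start-up entries: new, deleted or altered entries.
    for name in sorted(current.autostart.keys() - baseline.autostart.keys()):
        findings.append(f"autostart added: {name} -> {current.autostart[name]}")
    for name in sorted(baseline.autostart.keys() - current.autostart.keys()):
        findings.append(f"autostart removed: {name}")
    for name in sorted(current.autostart.keys() & baseline.autostart.keys()):
        if current.autostart[name] != baseline.autostart[name]:
            findings.append(f"autostart changed: {name}")

    # 2. Required services disabled, stopped or missing (e.g. the AV agent killed).
    for name in sorted(REQUIRED_SERVICES):
        start_type, running = current.services.get(name, ("missing", False))
        if start_type != "auto" or not running:
            findings.append(f"service {name}: start={start_type} running={running}")

    # 3. Proxy bypassed: switched off, repointed, or bypass list widened.
    b, c = baseline.proxy, current.proxy
    if not c["enabled"]:
        findings.append("proxy disabled")
    elif c["server"] != b["server"]:
        findings.append(f"proxy repointed to {c['server']}")
    widened = c["bypass"] - b["bypass"]
    if widened:
        findings.append("proxy bypass widened: " + ", ".join(sorted(widened)))

    # 4. Group policy no longer applying.
    if baseline.gp_applied and not current.gp_applied:
        findings.append("group policy not applied")

    # 5. More than one active network path. A wireless (or VPN) link up while
    #    the wired LAN port is up bridges the LAN to an outside network.
    active = [i for i in current.interfaces if i["up"] and i["ipv4"]]
    kinds = {i["kind"] for i in active}
    if "wired" in kinds and kinds & {"wireless", "vpn"}:
        findings.append("dual-homed: " + ", ".join(sorted(i["name"] for i in active)))
    elif len(active) > 1:
        findings.append(f"multiple active connections: {len(active)}")

    return findings


# Constructed baseline: the state recorded when the machine passed admission.
BASELINE = Snapshot(
    autostart={"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    services={"EndpointFirewall": ("auto", True), "AntiVirus": ("auto", True)},
    proxy={"enabled": True, "server": "proxy.corp.example:8080",
           "bypass": {"localhost", "*.corp.example"}},
    gp_applied=True,
    interfaces=[{"name": "Ethernet0", "kind": "wired", "up": True, "ipv4": "10.0.5.23"},
                {"name": "Wi-Fi", "kind": "wireless", "up": False, "ipv4": None}],
)

# Constructed drifted state, hours after the NAC check that admitted the machine.
DRIFTED = Snapshot(
    autostart={"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
               "Updater": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    services={"EndpointFirewall": ("auto", True), "AntiVirus": ("disabled", False)},
    proxy={"enabled": True, "server": "proxy.corp.example:8080",
           "bypass": {"localhost", "*.corp.example", "*"}},   # "*" bypasses everything
    gp_applied=False,
    interfaces=[{"name": "Ethernet0", "kind": "wired", "up": True, "ipv4": "10.0.5.23"},
                {"name": "Wi-Fi", "kind": "wireless", "up": True, "ipv4": "192.168.1.17"}],
)

if __name__ == "__main__":
    for finding in check_posture(BASELINE, DRIFTED):
        print(finding)
```

Each finding maps to one of the checks the article asks for, and each is actionable by an administrator (re-enable the service, reset the proxy, pull the wireless link), which is the remediation hook a NAC admission check alone never provides. The identical-snapshot case returns no findings, so the checker can run every few minutes without generating noise on a stable machine.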

A company sourcing an endpoint security solution usually does so either because it has already experienced a breach from within its network, or it perceives that a problem exists in controlling endpoint usage, which needs to be addressed before it becomes insurmountable. Before identifying a vendor, the company should identify known weaknesses in the security framework of its internal network. It should also try to define whether the main source of the problem is LAN-based endpoints or those that connect externally. Is it the users and what they bring into the network, such as portable memory devices, music players or software?

It could be a lack of awareness or experience, evidenced by users inadvertently disabling or removing critical applications, downloading from potentially harmful websites, or wasting resources on bandwidth-sapping applications. There is a plethora of nuisances as well as threats that can compromise a network, some of them hidden. It is essential to source a solution that can identify both obvious and hidden threats efficiently and easily, and provide a mechanism to remedy the problems found.
