Explore how strength of protection, false positive rate and simplicity of management are key factors in evaluating and adopting the right solution.
Global Head Infosec, DPO, Jaquar Group
In my last blog I shared my views around prediction and protection from cyber-attacks and how it has been an enterprise priority for quite some time now. The nature of threats as well as the perimeter of security is constantly evolving and is not pre-defined.
Based on the criteria for evaluation of endpoint security solutions mentioned in Part 1, there are three factors the contribute to ensuring seamless security from threats. These include, strength of protection, false positive rate, and simplicity of management.
Strength of Protection
To evaluate and gauge the strength of protection for any endpoint security solution, the enterprise should focus on four primary questions, including:
- Can the solution block unknown and zero-day attacks?
Traditional antivirus protection relies on matching to identify malware. In order to determine if a file is malicious, it looks up the file’s signature in a database of known malicious signatures. If the lookup returns a match, antivirus blocks the file from executing. This match-based approach can only block known files and applications. With hundreds of thousands of unknown or repackaged malware samples released every day, match-based protection isn’t enough.
Fortunately, newer endpoint protection companies leverage predictive models to identify and block unknown and zero-day attacks. Predictive models use sophisticated analytical techniques, such as machine learning, to understand the characteristics of malware and “predict” the likelihood that an unknown application is malicious. This enables them to block never-before-seen attacks with a high degree of certainty.
- Does the solution have the ability to monitor system processes down to the CPU-level?
When evaluating protection that monitors system processes at runtime, it’s important to ask what behaviours it is able to see. Some protection solutions only have visibility into processes user space and at the operating system level. More sophisticated behavior-based protection will include visibility into activity at lower levels of the system, including CPU.
Visibility into CPU-level is critical for blocking malware that attempts to manipulate and make changes in memory. Without this CPU-level visibility, protection is limited because it cannot see these types of attacks.
- Does the solution provide coverage across the major threat vectors, including exploits, file less, and file-based malware and that too on run time?
File less attacks also known as non-malware attacks, in-memory attacks, script-based malware are now responsible for 71% of endpoint infections. Invariably, security against file-based attacks is critical for endpoint protection, but many vendors still lack the ability to identify and block file less attacks and exploits (which partly explains their rising popularity).
Traditional antivirus and many next- generation antivirus products work by scanning files, and therefore can only block file-based malware. Whereas, file less attacks leave no malicious artifacts on the system and can’t be identified by scans. Blocking file less attacks and exploits requires endpoint protection that has the ability to monitor system processes in real-time and recognize sequences of malicious behaviour. To identify file less attacks and exploits, it’s important to confirm that the protection is looking at the actual behaviours as they are happening at runtime.
- Does the protection work locally and offline?
Some endpoint security solutions rely on cloud-based lookup and analysis to identify unknown malware. However, reliance on the cloud for protection creates two problems. First, protection won’t work if the device is offline, and second, even when the device is online, sending data to and from the cloud creates lag time that can slow down users as they try to access the applications, they need to do their job. Therefore, the focus should be on solutions that work locally on the endpoint, to ensure that devices are protected from malware whether online or offline.
False Positive Rate
An effective endpoint security solution should not bring along a trade-off between strong protection and false positives. False positives result in loss of productivity for device owners and protection admins alike. When false positives occur, device owners are blocked from using legitimate programs that are necessary to do their jobs, and adm ins are faced with the task of investigating and unblocking them.
With a move away from match-based models to predictive models, false positives have started to seem like a necessary evil. Some solutions take a heavy- handed approach that blocks malware but also flags a lot of legitimate software in the process. Fortunately, solutions can be taught to distinguish between malware and goodware by using machine learning to train protection models against both malware and goodware samples.
While evaluating, it’s important to understand how the endpoint protection works to mitigate false positives, reduce noise, and manage any false positives that do arise. In case of a rare occurrence, the solution should be able to:
- Unblock the affected user as soon as possible
- Take action to ensure that the same false positive doesn’t happen again on the affected device or other devices in the network
- Ensure that overrides can be easily applied across the organization, rather than device by device
Here, solutions with cloud-based management are usually best for this.
Simplicity of Management
Stronger protection does not have to indicate greater and more complex work for the end user and the enterprise. While enterprises must request a POC or a trial to get first hand experience of the solution, there are five important questions that can help evaluate the simplicity of management, including:
- Can the solution be deployed without custom services?
Products that require services to deploy usually come with the hidden cost of additional services down the road. If the solution can’t easily be set up without security expertise, it will likely be difficult to manage without security expertise.
- Is the management cloud based?
Cloud-based management enables enterprises team to easily see what’s going on with the endpoint protection, anytime, anywhere. An effective solution allows the user to easily manage devices and protection from a central, cloud-based management portal, and sends automatic notifications to keep them up-to-date on any incidents that require attention.
- Are the updates automatic?
The best endpoint protection products update protection models as needed to provide coverage against the latest threats. Most cloud-based solutions are able to push out these updates to all endpoints automatically without IT involvement. This is important because it prevents IT from becoming a bottleneck to facilitate better protection, and ensures maximum coverage as soon as it’s available.
- How much CPU does the solution use?
Endpoint protection that consumes a lot of CPU can slow down machines leading to productivity issues for device users. Solutions that use 1% or less of CPU are ideal, with POC the product to ensure that it works in the enterprise environment without any performance issues.
- Does the solution require administrator action on a frequent or ongoing basis?
Some solutions come with management overheads by placing the burden of decision making on the admin, or worse, the device user. When the protection sees an application it doesn’t recognize, it will ask the admin or user whether the application should be allowed to run. This is not only a management annoyance, but a security risk. Sophisticated endpoint protection can identify malware with confidence, and automatically block attacks without administrator or user involvement.
Promoting endpoint security to mitigate cyber attacks
In conclusion, it is evident that endpoint security is a great cause of concern for enterprises in the modern age. With the rampant increase in endpoint threats, enterprises need to adopt a sophisticated endpoint protection solution. A focus on the above mentioned criteria is critical to ensure that the solution prevent attacks before the cause harm without adding significant management overhead and preventing any false positive
About the author
Mansi is a strategic planner and thinker with 20 years’ experience in all verticals of IT, be it SDLC, information security, programme management, operations, business processes, business excellence, or analytics. She has prestigious certifications like PMP & Six Sigma Black Belt, ITIL, ISO 27001 Implementer, and PCI DSS compliance under her belt. The above combination provides her an edge to better understand business processes, people, and technology, allowing her to plan, monitor, and implement information programs across the organization.
Legacy software transitions, ERP implementations, IT infrastructure roadmap creation and execution, business continuity planning, incident and risk management, deployment of cyber and information security framework, user awareness trainings, GDPR, application security, etc., are some of the key assignments handled.
She is also on the advisory board for EC-Council’s CASE certification and has bagged many awards in the information technology and security space. She firmly believes in giving back to the community and has done numerous webinars, seminars, panel discussions, and white papers to share knowledge, in addition to several projects for the upliftment of women in IT and information security.