Endpoint Security Requires Comprehensive Solution Approach

May 23, 2006

Establishing a comprehensive endpoint security solution is a daunting and complicated undertaking requiring a thorough understanding of the challenges and priorities, says Mark Bouchard, founder of consulting firm Missing Link Security Services.

"A number of factors, such as accounting for unmanaged nodes, increase the scope of the challenge," Bouchard notes. "In addition, selecting and stitching together an appropriate set of countermeasures often depends on navigating a complex and proliferating landscape of applicable point products."

The biggest challenge, Bouchard says, may be in defining the scope properly. "Underestimating the scope of endpoint security responsibilities is a common issue that leads to diminished effectiveness, as well as the creation of a patchwork of multiple, potentially independent 'solutions,' over time," he warns.

Key to getting endpoint security right is addressing both managed and unmanaged endpoints, the latter being those beyond the company's usual sphere of administrative control, such as machines belonging to business partners or employees' personal computers used from home.

Another important endpoint security issue is preventing an endpoint from becoming "a threat vector in its own right," he says. The network and its computing and information resources must be protected from endpoints that are potentially infected.

However, the node itself is likely to play an increasingly important role. For example, promising network admission and access control countermeasures will be far more effective when they can take advantage of a client-based agent that is capable of performing an in-depth audit of an endpoint's security posture and configuration.

A comprehensive endpoint security solution requires a series of specific countermeasures for both managed and unmanaged endpoints, Bouchard says. Key managed endpoint tools include:

Firewalls: These allow only traffic explicitly permitted by your policy. But because they operate at the network layer, they cannot stop application-layer attacks that are conveyed over protocols and connections the system's rule base permits.

Application control: This picks up where firewalls leave off. It supplies the missing granularity needed to refine the definition of traffic allowed by your policy, down to which application may use which connection. It can reduce the flow of unnecessary traffic, and with it any dangerous code that traffic contains. Advanced controls can also be used to signal a potential threat to an endpoint.

Host integrity checking: This involves auditing an endpoint to confirm the presence of critical attributes, including registry settings that correspond to specific patches, the date on the antivirus signature file, and the presence and version of the antivirus software itself.
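The following is an added example, not code from the article or from Missing Link Security Services, showing what a host integrity check of the kind described above looks like when written out: a policy listing the required registry values, antivirus product, minimum engine version and maximum signature age is evaluated against a snapshot of an endpoint's attributes, and the result is the admit-or-quarantine verdict that an admission-control system with a client agent would act on. The registry paths, product name, version numbers, dates and the two endpoint snapshots are all constructed for illustration; a real agent would read the registry and query the antivirus product instead.

```python
"""Host integrity check: evaluate an endpoint posture snapshot against a policy.

Added example. Every policy value, registry path, product name and snapshot
below is constructed for illustration and does not refer to a real product
or patch identifier.
"""
from datetime import date

# Constructed policy: what a compliant managed endpoint must show.
POLICY = {
    # Registry values whose presence indicates that specific patches are
    # installed (hypothetical key paths and values).
    "required_registry": {
        r"HKLM\SOFTWARE\Example\Patches\PATCH-A": "Installed",
        r"HKLM\SOFTWARE\Example\Patches\PATCH-B": "Installed",
    },
    "av_product": "ExampleAV",         # hypothetical antivirus product name
    "av_min_version": (5, 2, 0),       # minimum acceptable engine version
    "av_max_signature_age_days": 3,    # signatures older than this fail
}


def parse_version(text):
    """Turn '5.2.10' into (5, 2, 10) so versions compare numerically,
    not lexically (as strings, '5.2.10' would sort before '5.2.9')."""
    return tuple(int(part) for part in text.split("."))


def check_host_integrity(snapshot, policy=POLICY, today=date(2006, 5, 23)):
    """Return (verdict, findings).

    verdict is 'admit' when every check passes and 'quarantine' otherwise;
    findings names each failed attribute so the endpoint can be remediated.
    `today` is fixed so the example is reproducible.
    """
    findings = []

    # 1. Registry settings that correspond to specific patches.
    registry = snapshot.get("registry", {})
    for key, expected in policy["required_registry"].items():
        actual = registry.get(key)
        if actual is None:
            findings.append(f"registry: {key} missing")
        elif actual != expected:
            findings.append(f"registry: {key} is {actual!r}, expected {expected!r}")

    # 2. Presence and version of the antivirus product.
    av = snapshot.get("antivirus")
    if av is None or av.get("product") != policy["av_product"]:
        findings.append(f"antivirus: {policy['av_product']} not present")
    else:
        try:
            version = parse_version(av.get("version", ""))
        except ValueError:
            version = ()  # unparseable version never satisfies the minimum
        if version < policy["av_min_version"]:
            findings.append(f"antivirus: version {av.get('version')!r} below "
                            f"{'.'.join(map(str, policy['av_min_version']))}")

        # 3. Date on the antivirus signature file.
        sig_date = av.get("signature_date")
        if sig_date is None:
            findings.append("antivirus: no signature date reported")
        else:
            age = (today - sig_date).days
            if age > policy["av_max_signature_age_days"]:
                findings.append(f"antivirus: signatures are {age} days old")

    verdict = "admit" if not findings else "quarantine"
    return verdict, findings


# Constructed endpoint snapshots, as an agent might report them.
COMPLIANT = {
    "registry": {
        r"HKLM\SOFTWARE\Example\Patches\PATCH-A": "Installed",
        r"HKLM\SOFTWARE\Example\Patches\PATCH-B": "Installed",
    },
    "antivirus": {"product": "ExampleAV", "version": "5.2.10",
                  "signature_date": date(2006, 5, 22)},
}

STALE = {
    "registry": {r"HKLM\SOFTWARE\Example\Patches\PATCH-A": "Installed"},
    "antivirus": {"product": "ExampleAV", "version": "5.1.9",
                  "signature_date": date(2006, 5, 10)},
}

NO_AV = {"registry": dict(COMPLIANT["registry"])}

if __name__ == "__main__":
    for name, snap in (("compliant", COMPLIANT), ("stale", STALE), ("no_av", NO_AV)):
        verdict, findings = check_host_integrity(snap)
        print(name, verdict, findings)
```

The check deliberately reports every failed attribute rather than stopping at the first, because an admission-control system that quarantines the endpoint needs the full list to drive remediation; note also that versions are compared as tuples of integers, since comparing them as strings would wrongly treat 5.2.10 as older than 5.2.9.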

Dealing with unmanaged endpoints presents a bigger challenge to the system administrator, Bouchard notes. Because you don't control them from an administrative standpoint, "any protective measures that are used must be ephemeral." He recommends on-demand countermeasures for unmanaged endpoints, including:

Host integrity checking
Cache cleaning
Malicious code protection
Firewalls
Secure virtual workspaces

But a complete solution also requires a unified agent architecture, he says. "What this means is that administrators should be able to select -- and license -- whichever countermeasures are deemed necessary for a given group of endpoints and then have those be deployed as a single, ideally integrated, package."

In addition, all countermeasures for managed and unmanaged endpoints should be administered via a single, centralized management system. Necessary features include integrated policy development, push-and-pull configuration capabilities, role-based administration, monitoring and alerting, consolidated logging and reporting, and integration with corporate identity and policy stores. -- Michael Causey