There are a few big misconceptions that companies have about endpoint security tools. It starts with a belief by executive leadership that you can buy a product that will plug gaps without significant internal costs. This of course leads shoddy product implementations, little to no training on the new product and lack of resources assigned to the product once it’s in production.
The end result of this philosophy is IT and security are left with a piece of hardware or software that few know how to effectively use and do not have the staff to truly manage it. It is important to note that poorly managed security tools have lead to some of the largest security breaches (Target, Sony, Anthem).
So with all that said, endpoint protection is one of the bread-n-butter components of an effective security defense. It is also one of the most poorly managed components due to the lack of new technology “sparkle”, such as the latest IDS/IPS tools.
Here are a few tips to bounce against your (hopefully) current endpoint protection (EP) solutions:
- Endpoint protection must have appropriately configured policies to effective. Lax policies equal far less protection against aggressive malware. Review your vendor’s best practices guide on this issue.
- Your Endpoint protection must be monitored from a central server. Trained security personnel must follow up on suspicious activity reported by the endpoint software. You would be surprised how often this is not the case.
- Endpoint protection is not a panacea for poor patching practices on the end user devices. Devices that lag behind in patching can be easily compromised by malicious software. There are too many zero-day and known vulnerabilities for antivirus/malware software to effectively protect against.
- Employees can often subvert enterprise endpoint protection by uninstalling the software or killing processes depending upon what policies are in place. Also, employees can respond to phishing emails that can bypass endpoint protection by cloaking malicious processes inside legitimate ones.
- Keeping your A/V signatures updated isn’t the only challenge. Ensure you are running current code for your scan engine, HIPS, DLP tools etc. Maybe not the bleeding edge, but no more than two minor revisions behind.
This list was created based on issues I have found when working with my clients on updating their security program. Drop a comment below if you have more to add or if you have a question.