Endpoint security has come a long way from the early days of Norton. Now, with so many names in endpoint security, it can be difficult working out which one is best for your organisation. How sophisticated does it really need to be? Do I still need it?
That last one was actually a trick question – of course you still need endpoint protection (EPP), today more than ever! But they’re not all the same, and don’t assume you should just buy whatever is popular or best-selling. The working world has changed forever: an ever-increasing mobile workforce of laptops, smartphones and tablets all needs smarter and faster endpoint security. The fact that so much more of what we use in business is now cloud-based has also driven the evolution of this market. In some cases, EPP may not even be suitable for cloud workloads, where Cloud Workload Protection Platforms (CWPP) would be more appropriate. On this point, Gartner says that the biggest shift in endpoint security is the move from network-managed endpoint security to cloud-delivered solutions, which is a big factor to weigh when considering your options.
So, what should I be looking for?
Simple protection is no longer seen as sufficiently capable of dealing with the sophisticated modern threats, and in response, solutions have had to evolve better detection and response capabilities. This has seen the emergence of endpoint detection and response (EDR) – consider it the next-gen term for endpoint protection. While there are still varying levels of EDR, it is based around the idea that all system activities and events on the endpoint device are recorded – providing deep visibility and allowing further response actions to take place either manually or automatically.
EDR evolution is being driven by advances in AI and machine learning (ML), which allow protection to go beyond signature-based mechanisms to more sophisticated detection of suspicious behaviour. This is where the real advances are being made, so any solution without some form of EDR (like most of the legacy solutions) is probably not suitable for the majority of environments today.
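As an added illustration (not code from the original post or from any vendor named in it), the snippet below runs a signature check and a behaviour rule over a constructed endpoint process log: the hash denylist never fires because every binary is legitimate, while the recorded process tree reveals an office application spawning a shell. Process names, hashes and the rule itself are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # seconds since boot (constructed value)
    pid: int
    ppid: int
    image: str     # executable name, lower-case
    sha256: str    # placeholder label standing in for a real file hash


# Constructed telemetry, as an EDR agent would record it: a user opens a
# document and the document viewer then spawns a shell. All binaries are
# legitimate, signed components, so no file hash is on any denylist.
EVENTS = [
    ProcEvent(100, 400, 1, "explorer.exe", "HASH_EXPLORER"),
    ProcEvent(105, 412, 400, "winword.exe", "HASH_WINWORD"),
    ProcEvent(109, 430, 412, "powershell.exe", "HASH_POWERSHELL"),
]

# Signature feed: a denylist of file hashes (placeholder values, not IoCs).
BAD_HASHES = {"HASH_OLD_DROPPER": "Dropper.Generic"}

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def signature_scan(events):
    """Legacy EPP check: fires only when a hash is already on the denylist."""
    return [(e, BAD_HASHES[e.sha256]) for e in events if e.sha256 in BAD_HASHES]


def behaviour_scan(events):
    """EDR-style check over the recorded process tree: flag an office
    application that spawns a shell, whatever the binaries' hashes are."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and parent.image in OFFICE and e.image in SHELLS:
            hits.append((e, f"{parent.image} spawned {e.image}"))
    return hits


def plan_response(hits, auto_isolate=False):
    """Response actions, taken automatically or queued for an analyst."""
    if not hits:
        return []
    actions = [f"kill pid {e.pid}" for e, _ in hits]
    actions.append("isolate host" if auto_isolate else "queue analyst review")
    return actions
```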
Other considerations include:
- Cloud delivered – look for something that is truly agile with frequent updates that are available without having to connect the device to the internal network.
- Automated – of course anything that can automate tasks, through trusted algorithms, that were previously manual, frees up already stretched IT security teams.
- Real-time – speed and smarts that mean data is continuously consumed and scanned, finding and resolving threats in minutes rather than days, with minimal disruption to business operations.
Who are the key players and how do they compare?
Quick disclaimer: this is not an exhaustive comparison, nor a recommendation, these are just a few of the solutions that we work with and talk about the most.
If you are looking for one of the most innovative and fastest-growing vendors, then you can’t go past CrowdStrike and their Falcon platform. As one of the strongest leaders in Gartner’s Magic Quadrant for Endpoint Protection Platforms, they offer an easy-to-deploy system that supports physical, virtual and cloud environments, sending recorded data from endpoint events to the cloud for detection and analysis. The extensibility of the Falcon platform through the CrowdStrike store is another compelling capability.
With its Defender Advanced Threat Protection (ATP) offering, Microsoft is also squarely placed in the leaders’ quadrant with other long-term players. This solution might be right for those wishing to reduce the complexity from having many vendors, and simply add on to what they have. Obviously, it has the unique advantage of being tightly integrated with the Windows OS, but it also includes an incident response console. This consolidates alerts and response activities across Office 365 ATP, Azure ATP and Active Directory – meaning it has the largest underlying database (or data lake) of all the solutions (which is what powers the AI and ML functionality).
If you need to start slow and add to your endpoint protection solution when needed, then Carbon Black may suit. They provide a single agent approach that allows you to seamlessly integrate enhanced offerings with the core product. There’s also a sophisticated toolset comprising online and offline detection signatures, machine learning, software behaviour monitoring, process isolation, memory protection and exploit prevention. This solution is best suited to organisations with highly skilled personnel and mature security operations – they also offer guaranteed data sovereignty which is often needed for some highly regulated industries.
Given these are just a few of the players in the market and each of them has many different offerings and levels of security, the decision to change or update your endpoint security is not easy. Before you get started, there are two things you need to do:
1. Know your network. You can’t defend your network if you don’t know all your access points. This might include hardware, software, devices and any other connection point into your organisation.
2. Decide what you want to protect. Are you looking for a suite of products that covers a wide range of protection, or do you need something more specific because you already have other solutions in place?
As a member of the CyberCX group of companies, Basis Networks bridges the gap between transformative business requirements and your networking and cybersecurity infrastructure. Regardless of your solutions in place, or the challenges that you have, we’d be happy to talk further about the next generation of security tools available.