COMPUTERWORLD | IDG Enterprise eGuide

Endpoint Security

Presented in partnership with IBM

Endpoint security continues to be one of the most effective ways for enterprises to secure their IT systems. In the constant battle to keep up with new threats, IT departments need to make sure their endpoints are properly protected and up to date with the most recent software. While other security technologies are also essential to a comprehensive security strategy, endpoint security remains a cornerstone of protection.

In this eGuide, CSO and InfoWorld examine the latest trends in endpoint security. Read on to learn how this important enterprise technology can help you better protect your organization.

Contents

Predictions: Endpoint Security Trends for 2015: What Can We Expect? Many enterprise security attacks can be prevented with a solid endpoint security strategy.

Analysis: Death of Antivirus Software Greatly Exaggerated. After years of predicted demise, AV software continues to protect.

Opinion: Endpoint Security Demands Organizational Changes. Large organizations should delegate endpoint security to a group dedicated to malware prevention and detection.

Endpoint Security Trends for 2015: What Can We Expect?

Many enterprise security attacks can be prevented with a solid endpoint security strategy

BY KIM CRAWLEY, CSO | Endpoint security is definitely an approach that I favor. Keeping a network secure is an immense challenge that requires constant work and vigilance. Why introduce a client or server to your network before making sure that the device is as security hardened as possible?

In my data center work experience, a very significant percentage of the major network vulnerabilities I've had to fix were caused by the introduction of poorly secured computers. It's a surprisingly common blunder.

Network-based information security attacks have been making the news with increased frequency throughout 2014. It's even gotten to a point where a lot of those incidents are being reported in mainstream publications and websites. And you can bet that for each incident that makes the news, there are possibly thousands more that we don't get to read about.

A lot of these problems can be prevented with a solid endpoint security strategy. Are corporations and institutions going to get smarter about it? In the rapid pace of tech, how will endpoint security implementation evolve in 2015? From my keen observations of what's going on in the IT world, here's what I predict.

BYOD R.I.P.?

As personal and business smartphone usage has exploded since about 2007, people who work in office environments carry their work home with them on the same devices they use to watch cat videos on YouTube, empty their wallets with Candy Crush Saga, and conduct their personal banking. Many of them even use their phones to pay for stuff in malls and restaurants, thanks to NFC payment apps such as Google Wallet and Apple Pay. Businesses will often allow BYOD (bring your own device), thinking that it'll increase productivity and save them money by not having to purchase mobile devices for their employees.

But BYOD introduces a multitude of security problems to corporate networks, even when they don't contain a business's sensitive data. The app payment, banking, and NFC payment examples I cited are examples of how sensitive personal financial data may be on employees' personal phones and tablets. Also, mobile malware is an ever increasing risk.

"As consumers and businesses shift to using mobile devices for a greater percentage of their daily activities, cybercriminals will place a larger emphasis on targeting these platforms - specifically Android and jailbroken iOS devices. Remote find, lock, and wipe aren't enough," said Mark Bermingham of Kaspersky Lab.

It also makes it far too complicated to thoroughly run a penetration test and security harden an office's network when so many employees' own devices get connected to it. "Attention employees! Give us all of your personal smartphones for 36 hours so that we can test their security!" Yeah, that will go over well.

So, in 2015, I believe that many businesses that have BYOD policies will scrap them altogether. They may either switch to CYOD (choose your own device that's completely administered and controlled by an IT security policy) when smartphones and tablets are completely necessary for work, or eliminate work done on mobile devices if it's functionally possible. More and more often, we may see USB ports in office PCs being carefully controlled so that employees cannot mount the file systems of their personal devices to them.

A different antivirus approach

Both consumer and enterprise antivirus software tends to work based on signatures. If antivirus developers constantly keep up on the latest malware and crypters (programs used to help malware evade signature antivirus shields), their software will usually do a great job of preventing some malware infections. But for obvious reasons, signatures are useless for zero-day attacks.

"Signatures have been dying for quite a while. The sheer number of malware samples we see every day completely overwhelms our ability to keep up with them," said F-Secure's Mikko H. Hypponen.

Antivirus software, both consumer and enterprise, will still use signatures for many years to come. But anomaly-based malware detection will become a greater component in the products of competent antivirus developers.

Currently, anomaly detection algorithms are much more sophisticated in IDS and IPS devices. They focus on network activity rather than code. Antivirus developers are already researching better ways to implement anomaly detection in antivirus shields. False positives are going to be a huge problem, and there'll always be bugs in the system. Sandboxing suspicious packets only sometimes works, and most sandboxing functions for such purposes are limited to the Windows platform. But I'm optimistic that there will be a lot of progress in anomaly-based malware detection research in 2015. As malware development gets ever more sophisticated (Stuxnet! Regin!), that'll be an absolute must. It'd make me so happy to hear zero-day attacks becoming less frequent!
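The signature-versus-anomaly contrast described above, as an added example that is not code from the article or from any vendor it quotes: a toy file scanner in Python that runs an exact-match signature check next to an entropy heuristic, and then shows why the two need different response policies. The samples, the signature database, the detection names and the thresholds are all constructed for the illustration; the "repacked" sample is deterministic pseudo-random bytes standing in for packed output, and the encrypted backup is there to show the false positive the article warns about.

```python
"""Signature-based versus anomaly-based file scanning, side by side.

Added example for this eGuide; it is not code from any antivirus product quoted in
the article. The samples, the signature database and the thresholds are constructed
for illustration only.
"""
import hashlib
import math
from typing import Dict, List, Optional


def _pseudo_random(n_blocks: int, seed: bytes) -> bytes:
    """Deterministic stand-in for packed or encrypted bytes (constructed, not real malware)."""
    out, block = b"", seed
    for _ in range(n_blocks):
        block = hashlib.sha256(block).digest()
        out += block
    return out


# Constructed sample files, keyed by file name.
SAMPLES: Dict[str, bytes] = {
    # Previously seen sample: plain, unpacked, carries a recognisable marker string.
    "known_sample.exe": b"MZ" + b"\x00" * 14 + b"TEST-MARKER-v1"
                        + b"print('constructed test sample')\n" * 10,
    # The same sample after a crypter/packer: the marker is gone and the body is noise.
    "repacked_sample.exe": b"MZ" + _pseudo_random(64, b"packed"),
    # Ordinary document.
    "memo.txt": b"Quarterly endpoint review: all workstations patched and compliant.\n" * 30,
    # Legitimately encrypted backup: looks just like the packed sample to an entropy check.
    "backup.enc": b"ENC1" + _pseudo_random(64, b"archive"),
}

# Constructed signature database: one full-file hash and one byte-pattern rule.
KNOWN_HASHES: Dict[str, str] = {
    hashlib.sha256(SAMPLES["known_sample.exe"]).hexdigest(): "Test.Constructed.A",
}
BYTE_PATTERNS: Dict[bytes, str] = {b"TEST-MARKER-v1": "Test.Constructed.A"}

ENTROPY_THRESHOLD = 7.2  # bits per byte; random, compressed or encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the byte-value histogram."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def signature_scan(data: bytes) -> Optional[str]:
    """Exact match first (hash), then byte patterns; returns the detection name or None."""
    name = KNOWN_HASHES.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, pattern_name in BYTE_PATTERNS.items():
        if pattern in data:
            return pattern_name
    return None


def anomaly_scan(data: bytes) -> List[str]:
    """Static heuristics on the file itself; each finding is one point of suspicion."""
    findings = []
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        findings.append("high-entropy body (packed, compressed or encrypted)")
        if data.startswith(b"MZ"):
            findings.append("executable whose body is almost entirely packed/encrypted")
    return findings


def scan(data: bytes) -> Dict[str, object]:
    """Combine both approaches into one verdict.

    A signature hit is conclusive: block. Anomalies only raise suspicion, so the policy
    escalates (review, then quarantine) instead of blocking outright; that is how the
    false-positive problem the article mentions is kept from breaking legitimate files.
    """
    sig = signature_scan(data)
    anomalies = anomaly_scan(data)
    if sig:
        verdict = "block"
    elif len(anomalies) >= 2:
        verdict = "quarantine"   # hand to a sandbox or an analyst
    elif anomalies:
        verdict = "review"       # log it and let an operator decide
    else:
        verdict = "allow"
    return {"signature": sig, "anomalies": anomalies, "verdict": verdict}


def scan_samples() -> Dict[str, Dict[str, object]]:
    """Scan every constructed sample and return the verdicts keyed by file name."""
    return {name: scan(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:22} entropy={shannon_entropy(SAMPLES[name]):.2f} {result}")
```

The known sample is caught by either rule, the repacked copy of it is invisible to both signature rules and is only caught by the entropy heuristic, and the encrypted backup trips that same heuristic; the graded verdicts are what stop the last case from becoming a blocked backup job.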

Vendor reduction

The greater the number of vendors a business has to deal with for their firewalls, IPSs, and antivirus solutions, the more complex a network administrator's job is. Also, money spent on one vendor's product may take away funds for something else.

When IT departments find that expensive antivirus software products are no more effective than inexpensive antivirus products, the temptation to switch antivirus vendors is perfectly understandable.

Palo Alto Networks surveyed 555 of their customers. They asked "Would you consider switching to free enterprise antivirus in order to fund more advanced endpoint protection for your company?" 44% of respondents said they'd either consider it, or they're already doing it.

If antivirus heavyweights like Symantec want to stay competitive in the enterprise, they may need to package their antivirus software licenses with other products that are applicable to endpoint security more often, and cut license prices altogether. Limiting license commitment duration may also help. If a corporation is stuck in a three-year license, that doesn't make it easy for them to switch to another vendor if they become dissatisfied with the performance of their current vendor's product.

Another excellent idea is if network security appliance vendors like Cisco and Juniper Networks make deals with antivirus vendors like Kaspersky and Symantec. They could cooperate to make packages for enterprise customers that include OS antivirus and firewalls in addition to IPS/IDS devices that contain antivirus software and hardware firewalls. It's such a great idea of mine, that it's possible they may be considering that already. I just hope, for the sake of the industry, that they don't buy each other's companies.

I watch information security trends very closely, and I write about a lot of my observations. So, by the time 2015 is over, we'll see how correct or incorrect I am. But I'm feeling pretty darn confident!

Kim Crawley is a Security Researcher for the InfoSec Institute.

Death of Antivirus Software Greatly Exaggerated

After years of predicted demise, AV software continues to protect

BY JOHN P. MELLO JR., CSO | An executive at a company whose name is synonymous with antivirus software raised eyebrows last year when he pronounced the death of that form of system protection. Nevertheless, while the effectiveness of that software may have waned over the years, security experts say the pronouncement by Symantec's senior vice president for information security Brian Dye was premature.

Certainly the growth in sophistication of malware has made untenable the use of signature-based antivirus software as a standalone source of protection for systems. "More than half the threats we stop aren't stopped by our AV software," said Chandra Rangan, vice president for product marketing at Symantec. "We're trying to educate people," he added. "We're saying that if you just have signature-based antivirus, it's not enough."

While signature-based antivirus software alone doesn't provide enough protection in today's threat landscape, it's still making a significant contribution to system security. "If you went to any of the Fortune 1000 companies and said, 'Antivirus is dead; remove it from all your systems,' you would find a lot of security officers laughing at you," said Brian Kenyon, chief technical strategist with Intel Security (formerly McAfee). "The reality is, even in its current form, AV stops a lot of stuff today."

Kenyon added that blocking threats is only one part of antivirus's job in protecting systems. "It's not just about stopping things," he said. "It's also about cleaning things and eradicating them from a system."

But, he continued, "If you asked, 'Is the current AV architecture and capability the future of our industry?' I would definitely say, 'No, not in its current form,' but I don't believe it's dead."

Limiting the definition of antivirus to signature-based software may be doing an injustice to the technology. "AV is not defined by signatures; it is defined by protection against malicious software," said Randy Abrams, a research director at NSS Labs, an independent testing service. "Products that only protect against viruses and only with signatures have been dead since the '90s."

Malware fighting antivirus software continues to have value in the enterprise, even as powerful new defense platforms come online, like breach defense systems (BDS). "These systems are designed to quickly detect and contain security breaches that every enterprise has or will have experienced," Abrams explained. "Initially BDS products performed their role as described; however, IT personnel were left cleaning up the problem."

"AV vendors began to seize on the opportunity and offer a complete end-to-end solution," he continued. "The result has been that the pure play BDS vendors have had to add malware detection and remediation functionality to their systems."

Pronouncing antivirus's death is nothing new. In 2006, for example, Hurwitz & Associates released a report titled "Anti-virus is dead." In it, analyst Robin Bloor maintained that antivirus would be replaced by tools that used whitelisting to wipe malware from the computing scene. Whitelisting is used effectively today in some environments, but it has its drawbacks.

"Whitelisting is a great solution for controlled environments, like retail POS systems, manufacturing and health systems," Intel's Kenyon said. "You say what applications can run and anything outside that list fails to run so malware never activates."

When whitelisting is brought to the consumer or end-user corporate environment, its maintenance can be burdensome because end-users are constantly adding apps to their devices. "That's why we haven't seen a huge amount of whitelisting in the user environment," Kenyon noted.

"It's been great on servers, great for data centers, great for controlled retail environments, but it's been a challenge on your traditional desktop/laptop," he added.
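Kenyon's description of whitelisting, as an added example that is not code from Intel Security or from the article: a default-deny application allowlist in Python, evaluated against a constructed week of execution attempts on a locked-down POS terminal and on an end-user desktop. The binaries, paths and the two policies are constructed for the illustration, and the simulation assumes the trusted directories are writable only by administrators (otherwise a path rule gives nothing). The unknown binary is denied in both environments; what differs is the size of the approval queue the desktop generates.

```python
"""Default-deny application allowlisting: controlled environment versus user desktop.

Added example; not code from Intel Security, McAfee or any product in the article.
Binaries, paths and the two policies below are constructed for illustration. The
trusted directories are assumed to be writable only by administrators; otherwise a
path-based rule would be worthless.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class AllowlistPolicy:
    """What may execute: exact binaries by SHA-256, plus admin-controlled directories."""
    approved_hashes: Set[str] = field(default_factory=set)
    trusted_prefixes: Tuple[str, ...] = ()
    # Denied executions waiting for an administrator's decision (the maintenance queue).
    pending: List[Tuple[str, str]] = field(default_factory=list)

    def approve(self, binary: bytes) -> str:
        """Add one binary to the policy and return its digest."""
        digest = hashlib.sha256(binary).hexdigest()
        self.approved_hashes.add(digest)
        return digest


def decide(policy: AllowlistPolicy, path: str, binary: bytes) -> str:
    """Return "run" or "deny". Anything not explicitly listed is denied, so unknown
    code (malware included) never activates; it only lands in the pending queue."""
    digest = hashlib.sha256(binary).hexdigest()
    if digest in policy.approved_hashes:
        return "run"
    if policy.trusted_prefixes and path.startswith(policy.trusted_prefixes):
        return "run"
    policy.pending.append((path, digest))
    return "deny"


def run_workload(policy: AllowlistPolicy, attempts: List[Tuple[str, bytes]]) -> Dict[str, int]:
    """Evaluate a sequence of execution attempts and tally the decisions."""
    tally = {"run": 0, "deny": 0}
    for path, binary in attempts:
        tally[decide(policy, path, binary)] += 1
    tally["pending_reviews"] = len(policy.pending)
    return tally


def simulate_environments() -> Dict[str, Dict[str, int]]:
    """A constructed week on a POS terminal and on an end-user desktop."""
    # Placeholder contents standing in for real executables (constructed).
    pos_app = b"constructed POS application v4.2"
    os_util = b"constructed OS utility"
    office = b"constructed office suite"
    dropper = b"constructed unknown binary that appeared in a temp directory"
    user_installs = [
        ("/home/alice/Downloads/chat-client", b"constructed chat client"),
        ("/home/alice/Downloads/video-tool", b"constructed video tool"),
        ("/home/alice/.local/bin/screenshot", b"constructed screenshot helper"),
    ]

    # Controlled environment: one business app plus the OS; nothing else ever changes.
    pos_policy = AllowlistPolicy(trusted_prefixes=("/usr/bin/",))
    pos_policy.approve(pos_app)
    pos_week = [("/opt/pos/posapp", pos_app), ("/usr/bin/ls", os_util)] * 5
    pos_week.append(("/tmp/update.bin", dropper))

    # End-user desktop: same policy shape, but the user keeps adding software.
    desktop_policy = AllowlistPolicy(trusted_prefixes=("/usr/bin/",))
    desktop_policy.approve(office)
    desktop_week = [("/usr/bin/ls", os_util), ("/opt/office/office", office)] * 5
    desktop_week += user_installs + [("/tmp/update.bin", dropper)]

    return {
        "pos_terminal": run_workload(pos_policy, pos_week),
        "user_desktop": run_workload(desktop_policy, desktop_week),
    }


if __name__ == "__main__":
    for env, tally in simulate_environments().items():
        print(env, tally)
```

The POS terminal ends the week with one pending review, the dropped binary; the desktop ends it with four, three of which are the user's own installs, which is the maintenance burden Kenyon is describing, and which on a desktop an administrator has to clear regularly or users will route around the control.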

Like apocalyptic prophets, though, antivirus's detractors continue to forecast the technology's demise. "Brian Dye was correct," said Gaurav Banga, co-founder and CEO of endpoint security vendor Bromium. "AV is dead."

Banga cited a survey his company conducted in June of 300 information security pros as evidence of dissatisfaction with antivirus. A hefty number of the pros (85 percent) don't believe that antivirus can stop targeted attacks, like Advanced Persistent Threats and spear phishing, which are a substantial part of the current threat landscape.

Moreover, Banga argued, antivirus is ineffective against polymorphic and Zero Day attacks, also popular among intruders. Both those methods exploit systems before signatures to combat them are immediately available.

"It takes security researchers days to detect new threats and write new signatures, giving a polymorphic attack more than enough time to change its code," Banga said. "When advanced attacks can be executed at a moment's notice, the signatures to detect them are still days away."

Antivirus software's inability to deal with sophisticated threats isn't the only criticism leveled at it in recent times. Last year, a researcher at Singapore-based COSEINC maintained many antivirus programs contain vulnerabilities that actually make the systems they're installed on more susceptible to attack.

Researcher Joxean Koret explained that antivirus engines typically run with the highest system privileges possible. "Exploiting vulnerabilities in them will provide attackers with root or system access," he continued. "Their attack surface is very large, because they must support a long list of file formats. To deal with all those file types, the software uses file format parsers, which typically have bugs."

Nevertheless, Bromium's Banga noted, AV software may likely continue to serve consumers, who generally have less need for robust protection or the savvy to manage more featured products.

However, he added, security-conscious organizations have already started to transition away from AV solutions.

There are those, though, who maintain antivirus isn't as impotent as its critics say it is. Jaeson Schultz, a threat researcher with Cisco Systems' Security Business Group, asserted that antivirus software has evolved over the past five years to provide greater protection. Not only has antivirus software added more heuristic functionality (which enables it to deal more effectively with non-signature threats) but it blocks an assortment of malware, such as rootkits, remote access trojans (RAT), keyloggers, spyware, adware, and even potentially unwanted applications. It will even protect users against malware vectors like email, social media and files transmitted via the web.

"It is an arms race," Schultz said. "As new avenues for exploitation arise, new counter-functionality is being built into AV software."

"Certainly it is a bit hyperbolic to claim AV software is dead," he added. "Many people still depend on anti-virus as an integral part of their multi-layered defense."

While it's unlikely that dire assessments of antivirus software will go away, it's also unlikely that those assessments will be fulfilled any time soon. As Chris Doggett, managing director of Kaspersky Lab North America, observed, "Cyber attacks will continue to grow in number and complexity, and AV software will always be a part of the bigger security solution that is fighting against them for both users and organizations."

"Without AV software as part of future securities," he continued, "we'd be giving up the idea of protecting endpoints and mobile devices, leaving millions of people at the mercy of cyber criminals."

Endpoint Security Demands Organizational Changes

Large organizations should delegate endpoint security to a group dedicated to malware prevention and detection

BY JON OLTSIK, NETWORK WORLD | Pity endpoint security software. Venerable antivirus has gotten a bad reputation for being an ineffective commodity product. This situation is illustrated by some recently published ESG research (note: I am an employee of ESG). Security professionals working at enterprise organizations (i.e. more than 1,000 employees) were given a series of statements and asked whether they agreed or disagreed with each. The research revealed that:

62% of respondents strongly agreed or agreed with the statement: "Endpoint security software is effective for detecting/blocking older types of malware but is not effective for detecting/blocking zero day and/or polymorphic malware commonly used for targeted attacks today."

52% of respondents strongly agreed or agreed with the statement: "Our continued use of traditional endpoint security software is driven by regulatory compliance requirements for the most part."

44% of respondents strongly agreed or agreed with the statement: "Endpoint security software is a commodity product with little measurable differences between brands."

Wow, it's no wonder why some have declared that endpoint security software is dead. Negative opinions like these have put leading security firms like Kaspersky, McAfee, Sophos, Symantec, Trend Micro, and Webroot on the defensive and opened the door for endpoint antimalware upstarts like Bromium, Cisco/Sourcefire, Cylance, Crowdstrike, IBM, Invincea, Malwarebytes, and Triumfant.

No question that new threats and requirements are changing the endpoint market and this is sure to disrupt the status quo. That said, there is more to this story than technology alone. Allow me to elaborate.

Endpoint security software was considered somewhat of a security panacea in the past. Install AV on each PC, maintain a steady diet of vulnerability scanning, patch management, and signature updates and you were pretty well protected from the flood of pedestrian adware, spyware, viruses, and worms.

This formula worked pretty well for many years, leading to a "set it and forget it" mentality in many organizations. And since AV software was part of standard PC configurations, endpoint security management was delegated to junior IT operations personnel who owned PC provisioning and help desk support.

Alas, somewhere around 2007 the endpoint security landscape changed. Organized hackers got serious about attacks by using stealthy malware, evasion techniques, rootkits, and zero-day exploits. In response, endpoint security software vendors introduced countermeasures like static/dynamic payload analysis, file reputation services, and integrated cloud intelligence.

Yup, cybersecurity was going through a profound change as malware and endpoint security vendors engaged in an accelerating cat and mouse technology game. Unfortunately, many of the foot soldiers in this battle (i.e. the IT operations team) were caught in the fog of war. In too many cases, they didn't know about advanced malware or the new antimalware capabilities baked into their traditional AV products. These folks simply continued to deploy endpoint security in a default configuration, rendering it less and less effective over time.

Regrettably, this situation still exists at many organizations. IT operations handles endpoint security, deploys endpoint security software in some minimal configuration, organizations get breached, and pundits declare AV as dead.

This is a pathetic state of affairs, and it needs to change. CISOs must take ownership of endpoint security and designate a group of specialists who own endpoint security controls as part of an overall responsibility for incident prevention, detection, and response. This group should gain an understanding of endpoint security requirements and product capabilities and then create a plan to tailor endpoint security controls to mitigate risk on various types of endpoint devices.

In summary, we've treated endpoint security as a PC provisioning and IT operations task for too long. By doing so, we are assigning endpoint security to staffers with the wrong skills and we aren't using our endpoint security tools correctly. I suggest we fix this organizational issue before making radical changes to our endpoint security technology strategies or throwing existing endpoint security technologies under the proverbial bus.