COMPUTERWORLD | IDG Enterprise eGuide
Endpoint security continues to be one of the most effective ways for enterprises to secure their IT systems. In the constant battle to keep up with new threats, IT departments need to make sure their endpoints are properly protected and up to date with the most recent software. While other security technologies are also essential to a comprehensive security strategy, endpoint security remains a cornerstone of protection.

In this eGuide, CSO and InfoWorld examine the latest trends in endpoint security. Read on to learn how this important enterprise technology can help you better protect your organization.
Endpoint Security

Contents

Page 2, predictions: Endpoint Security Trends for 2015: What Can We Expect? Many enterprise security attacks can be prevented with a solid endpoint security strategy.

Page 5, analysis: Death of Antivirus Software Greatly Exaggerated. After years of predicted demise, AV software continues to protect.

Page 8, opinion: Endpoint Security Demands Organizational Changes. Large organizations should delegate endpoint security to a group dedicated to malware prevention and detection.
Endpoint Security Trends for 2015: What Can We Expect?
Many enterprise security attacks can be prevented with a solid endpoint security strategy

BY KIM CRAWLEY, CSO | Endpoint security is definitely an approach that I favor. Keeping a network secure is an immense challenge that requires constant work and vigilance. Why introduce a client or server to your network before making sure that the device is as security hardened as possible?

In my data center work experience, a very significant percentage of the major network vulnerabilities I've had to fix were caused by the introduction of poorly secured computers. It's a surprisingly common blunder.

Network-based information security attacks have been making the news with increased frequency throughout 2014. It's even gotten to a point where a lot of those incidents are being reported in mainstream publications and websites. And you can bet that for each incident that makes the news, there are possibly thousands more that we don't get to read about.

A lot of these problems can be prevented with a solid endpoint security strategy. Are corporations and institutions going to get smarter about it? In the rapid pace of tech, how will endpoint security implementation evolve in 2015? From my keen observations of what's going on in the IT world, here's what I predict.
BYOD R.I.P.?

As personal and business smartphone usage has exploded since about 2007, people who work in office environments carry their work home with them on the same devices they use to watch cat videos on YouTube, empty their wallets with Candy Crush Saga, and conduct their personal banking. Many of them even use their phones to pay for stuff in malls and restaurants, thanks to NFC payment apps such as Google Wallet and Apple Pay. Businesses will often allow BYOD (bring your own device), thinking that it'll increase productivity and save them money by not having to purchase mobile devices for their employees.

But BYOD introduces a multitude of security problems to corporate networks, even when the devices don't contain a business's sensitive data. The app payment, banking, and NFC payment examples I cited show how sensitive personal financial data may be on employees' personal phones and tablets. Also, mobile malware is an ever-increasing risk.
"As consumers and businesses shift to using mobile devices for a greater percentage of their daily activities, cybercriminals will place a larger emphasis on targeting these platforms, specifically Android and jailbroken iOS devices. Remote find, lock, and wipe aren't enough," said Mark Bermingham of Kaspersky Lab.
It also makes it far too complicated to thoroughly run a penetration test and security harden an office's network when so many employees' own devices get connected to it. "Attention employees! Give us all of your personal smartphones for 36 hours so that we can test their security!" Yeah, that will go over well.

So, in 2015, I believe that many businesses that have BYOD policies will scrap them altogether. They may either switch to CYOD (choose your own device that's completely administered and controlled by an IT security policy) when smartphones and tablets are completely necessary for work, or eliminate work done on mobile devices if it's functionally possible. More and more often, we may see USB ports in office PCs being carefully controlled so that employees cannot mount the file systems of their personal devices to them.
A different antivirus approach

Both consumer and enterprise antivirus software tends to work based on signatures. If antivirus developers constantly keep up on the latest malware and crypters (programs used to help malware evade signature antivirus shields), their software will usually do a great job of preventing some malware infections. But for obvious reasons, signatures are useless for zero-day attacks.

"Signatures have been dying for quite a while. The sheer number of malware samples we see every day completely overwhelms our ability to keep up with them," said F-Secure's Mikko H. Hypponen.

Antivirus software, both consumer and enterprise, will still use signatures for many years to come. But anomaly-based malware detection will become a greater component in the products of competent antivirus developers.

Currently, anomaly detection algorithms are much more sophisticated in IDS and IPS devices. They focus on network activity rather than code. Antivirus developers are already researching better ways to implement anomaly detection in antivirus shields.

False positives are going to be a huge problem, and there'll always be bugs in the system. Sandboxing suspicious packets only sometimes works, and most sandboxing functions for such purposes are limited to the Windows platform. But I'm optimistic that there will be a lot of progress in anomaly-based malware detection research in 2015. As malware development gets ever more sophisticated (Stuxnet! Regin!), that'll be an absolute must. It'd make me so happy to hear of zero-day attacks becoming less frequent!
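As an added illustration (not code from the article or from any vendor named in it), the toy scanner below puts the two approaches side by side in Python: exact-hash and byte-pattern signatures, which name a threat precisely but miss anything a crypter or packer has rewritten, and a byte-entropy anomaly heuristic that does catch the repacked sample but also flags a perfectly legitimate compressed archive, which is the false-positive problem described above. Every sample file, the signature name "Trojan.Constructed.A", and the 7.2-bit entropy cut-off are constructed for the example; the "packed" and "archive" bytes are simply SHA-256 output standing in for packed or compressed content.

```python
import hashlib
import math
from collections import Counter

# ---- Constructed sample "files" (not real malware, not real documents) ----

def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode). Used here as a
    stand-in for a packed/encrypted payload and for a compressed archive."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

# A "known" sample: mostly padding plus one distinctive string a signature can key on.
KNOWN_BAD = b"MZ" + b"\x90" * 2000 + b"EVIL-PAYLOAD-MARKER" + b"\x00" * 2000
# The same sample with a single byte changed: the file hash no longer matches.
TWEAKED_BAD = KNOWN_BAD[:100] + b"\x91" + KNOWN_BAD[101:]
# The sample after a (simulated) packer/crypter: no known hash, no known pattern.
PACKED_BAD = b"MZ" + pseudo_random_bytes(b"packed-stand-in", 4096)
# A plain-text document and a compressed archive, both benign.
BENIGN_TEXT = b"Quarterly report: revenue grew 4% while support tickets fell.\n" * 60
BENIGN_ARCHIVE = b"PK\x03\x04" + pseudo_random_bytes(b"archive-stand-in", 4096)

# ---- Signature database: exact hashes and byte patterns (constructed) ----
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Trojan.Constructed.A"}
PATTERN_SIGNATURES = {b"EVIL-PAYLOAD-MARKER": "Trojan.Constructed.A"}

def signature_scan(data: bytes):
    """Return ("hash", name) or ("pattern", name) on a match, else None.
    A hash signature dies on any one-byte change; a pattern survives that but
    not repacking, because the pattern is no longer present in the packed bytes."""
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        return ("hash", name)
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return ("pattern", name)
    return None

# ---- Anomaly heuristic: Shannon entropy of the byte distribution ----
def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

ENTROPY_THRESHOLD = 7.2  # assumed cut-off; packed/encrypted content usually sits above it

def classify(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> str:
    """Signatures first (precise, they name the threat), then the anomaly
    heuristic (catches unknown or packed content, but also flags innocent
    high-entropy files such as archives: the false-positive cost)."""
    if signature_scan(data) is not None:
        return "known-malware"
    if shannon_entropy(data) >= threshold:
        return "suspicious"
    return "clean"

if __name__ == "__main__":
    samples = {
        "known": KNOWN_BAD, "tweaked": TWEAKED_BAD, "packed": PACKED_BAD,
        "text": BENIGN_TEXT, "archive": BENIGN_ARCHIVE,
    }
    for label, data in samples.items():
        print(f"{label:8s} entropy={shannon_entropy(data):.2f} "
              f"signature={signature_scan(data)} -> {classify(data)}")
```

Running it shows the trade-off in one table: the hash catches only the unmodified sample, the pattern also catches the one-byte variant, only the entropy heuristic reacts to the packed variant, and the same heuristic marks the benign archive "suspicious". A real product would feed such anomaly hits into sandboxing or reputation lookups rather than blocking on entropy alone.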
Vendor reduction

The greater the number of vendors a business has to deal with for their firewalls, IPSs, and antivirus solutions, the more complex a network administrator's job is. Also, money spent on one vendor's product may take away funds for something else.

When IT departments find that expensive antivirus software products are no more effective than inexpensive antivirus products, the temptation to switch antivirus vendors is perfectly understandable.

Palo Alto Networks surveyed 555 of their customers. They asked, "Would you consider switching to free enterprise antivirus in order to fund more advanced endpoint protection for your company?" 44% of respondents said they'd either consider it or they're already doing it.
If antivirus heavyweights like Symantec want to stay competitive in the enterprise, they may need to package their antivirus software licenses with other products that are applicable to endpoint security more often, and cut license prices altogether. Limiting license commitment duration may also help. If a corporation is stuck in a three-year license, that doesn't make it easy for them to switch to another vendor if they become dissatisfied with the performance of their current vendor's product.
Another excellent idea is if network security appliance vendors like Cisco and Juniper Networks make deals with antivirus vendors like Kaspersky and Symantec. They could cooperate to make packages for enterprise customers that include OS antivirus and firewalls in addition to IPS/IDS devices that contain antivirus software and hardware firewalls. It's such a great idea of mine that it's possible they may be considering that already. I just hope, for the sake of the industry, that they don't buy each other's companies.

I watch information security trends very closely, and I write about a lot of my observations. So, by the time 2015 is over, we'll see how correct or incorrect I am. But I'm feeling pretty darn confident!

Kim Crawley is a Security Researcher for the InfoSec Institute.
Death of Antivirus Software Greatly Exaggerated
After years of predicted demise, AV software continues to protect

BY JOHN P. MELLO JR., CSO | An executive at a company whose name is synonymous with antivirus software raised eyebrows last year when he pronounced the death of that form of system protection. Nevertheless, while the effectiveness of that software may have waned over the years, security experts say the pronouncement by Symantec's senior vice president for information security Brian Dye was premature.
Certainly the growth in sophistication of malware has made untenable the use of signature-based antivirus software as a standalone source of protection for systems. "More than half the threats we stop aren't stopped by our AV software," said Chandra Rangan, vice president for product marketing at Symantec.

"We're trying to educate people," he added. "We're saying that if you just have signature-based antivirus, it's not enough."
While signature-based antivirus software alone doesn't provide enough protection in today's threat landscape, it's still making a significant contribution to system security. "If you went to any of the Fortune 1000 companies and said, 'Antivirus is dead; remove it from all your systems,' you would find a lot of security officers laughing at you," said Brian Kenyon, chief technical strategist with Intel Security (formerly McAfee). "The reality is, even in its current form, AV stops a lot of stuff today."

Kenyon added that blocking threats is only one part of antivirus's job in protecting systems. "It's not just about stopping things," he said. "It's also about cleaning things and eradicating them from a system."

But, he continued, "If you asked, 'Is the current AV architecture and capability the future of our industry?' I would definitely say, 'No, not in its current form,' but I don't believe it's dead."
Limiting the definition of antivirus to signature-based software may be doing an injustice to the technology. "AV is not defined by signatures; it is defined by protection against malicious software," said Randy Abrams, a research director at NSS Labs, an independent testing service. "Products that only protect against viruses and only with signatures have been dead since the '90s."
Malware-fighting antivirus software continues to have value in the enterprise, even as powerful new defense platforms come online, like breach defense systems (BDS). "These systems are designed to quickly detect and contain security breaches that every enterprise has or will have experienced," Abrams explained. "Initially BDS products performed their role as described; however, IT personnel were left cleaning up the problem."
"AV vendors began to seize on the opportunity and offer a complete end-to-end solution," he continued. "The result has been that the pure-play BDS vendors have had to add malware detection and remediation functionality to their systems."
Pronouncing antivirus's death is nothing new. In 2006, for example, Hurwitz & Associates released a report titled "Anti-virus is dead." In it, analyst Robin Bloor maintained that antivirus would be replaced by tools that used whitelisting to wipe malware from the computing scene. Whitelisting is used effectively today in some environments, but it has its drawbacks.
"Whitelisting is a great solution for controlled environments, like retail POS systems, manufacturing and health systems," Intel's Kenyon said. "You say what applications can run and anything outside that list fails to run, so malware never activates."

When whitelisting is brought to the consumer or end-user corporate environment, its maintenance can be burdensome because end-users are constantly adding apps to their devices. "That's why we haven't seen a huge amount of whitelisting in the user environment," Kenyon noted.

"It's been great on servers, great for data centers, great for controlled retail environments, but it's been a challenge on your traditional desktop/laptop," he added.
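Kenyon's description, "you say what applications can run and anything outside that list fails to run", can be made concrete with a small hash-based allowlist. The Python below is an added example, not code from any product or vendor named in the article; the program contents, file paths and names are constructed stand-ins. It shows the controlled-environment case where the list rarely changes, an audit mode an administrator would use to gauge how many unknown programs users actually launch before enforcing, and the maintenance step that every vendor update or user-installed app forces, which is the burden the article attributes to desktop deployments.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for program files; a real deployment would hash the
# binaries actually present on the endpoint. None of these are real programs.
POS_TERMINAL_V1 = b"#!/bin/sh\n# point-of-sale terminal, release 1 (constructed)\n"
POS_TERMINAL_V2 = b"#!/bin/sh\n# point-of-sale terminal, release 2 (constructed)\n"
GAME_INSTALLER = b"#!/bin/sh\n# game a user downloaded at lunch (constructed)\n"

def file_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

@dataclass
class Decision:
    allowed: bool
    reason: str

@dataclass
class Allowlist:
    """Hash-based application allowlist.

    enforce=True : anything not on the list fails to run (the controlled
                   POS/server case Kenyon describes).
    enforce=False: audit mode; unknown programs run but each launch is logged,
                   the usual way to measure the maintenance burden before
                   switching enforcement on."""
    trusted: dict = field(default_factory=dict)    # sha256 hex -> program name
    enforce: bool = True
    audit_log: list = field(default_factory=list)  # (path, sha256 hex) of unknown launches

    def trust(self, content: bytes, name: str) -> None:
        """Administrator action: add one exact binary to the list."""
        self.trusted[file_hash(content)] = name

    def check_launch(self, path: str, content: bytes) -> Decision:
        """Decide one execution request; the path is informational only, the
        decision rests on the hash of the bytes that would actually run."""
        digest = file_hash(content)
        name = self.trusted.get(digest)
        if name is not None:
            return Decision(True, f"{path}: matches trusted '{name}'")
        self.audit_log.append((path, digest))
        if self.enforce:
            return Decision(False, f"{path}: not on allowlist (sha256 {digest[:12]}...)")
        return Decision(True, f"{path}: not on allowlist, permitted in audit mode")

def unknown_programs(policy: Allowlist) -> int:
    """Distinct unknown executables seen so far, i.e. how many entries an
    administrator would have to review to bring the list up to date."""
    return len({digest for _, digest in policy.audit_log})

if __name__ == "__main__":
    pos = Allowlist()
    pos.trust(POS_TERMINAL_V1, "pos-terminal")
    print(pos.check_launch("/opt/pos/terminal", POS_TERMINAL_V1).reason)
    print(pos.check_launch("/tmp/game.sh", GAME_INSTALLER).reason)
    # A vendor update changes the hash, so the new release is blocked until an
    # administrator trusts it: the maintenance cost the article describes.
    print(pos.check_launch("/opt/pos/terminal", POS_TERMINAL_V2).reason)
    pos.trust(POS_TERMINAL_V2, "pos-terminal 2.0")
    print(pos.check_launch("/opt/pos/terminal", POS_TERMINAL_V2).reason)
    print("unknown programs seen:", unknown_programs(pos))
```

Because the decision keys on the hash of the bytes rather than the path, a program swapped in under a trusted path is treated exactly like a fresh update: denied until reviewed. That property is what makes the approach strong on fixed-function systems and tiring on desktops where the set of hashes never stops changing.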
Like apocalyptic prophets, though, antivirus's detractors continue to forecast the technology's demise. "Brian Dye was correct," said Gaurav Banga, co-founder and CEO of endpoint security vendor Bromium. "AV is dead."
Banga cited a survey his company conducted in June of 300 information security pros as evidence of dissatisfaction with antivirus. A hefty number of the pros, 85 percent, don't believe that antivirus can stop targeted attacks, like Advanced Persistent Threats and spear phishing, which are a substantial part of the current threat landscape.
Moreover, Banga argued, antivirus is ineffective against polymorphic and zero-day attacks, also popular among intruders. Both those methods exploit systems before signatures to combat them are immediately available.

"It takes security researchers days to detect new threats and write new signatures, giving a polymorphic attack more than enough time to change its code," Banga said. "When advanced attacks can be executed at a moment's notice, the signatures to detect them are still days away."
Antivirus software's inability to deal with sophisticated threats isn't the only criticism leveled at it in recent times. Last year, a researcher at Singapore-based COSEINC maintained many antivirus programs contain vulnerabilities that actually make the systems they're installed on more susceptible to attack.

Researcher Joxean Koret explained that antivirus engines typically run with the highest system privileges possible. "Exploiting vulnerabilities in them will provide attackers with root or system access," he continued. "Their attack surface is very large, because they must support a long list of file formats. To deal with all those file types, the software uses file format parsers, which typically have bugs."
Nevertheless, Bromium's Banga noted, AV software may likely continue to serve consumers, who generally have less need for robust protection or the savvy to manage more featured products.

However, he added, security-conscious organizations have already started to transition away from AV solutions.
There are those, though, who maintain antivirus isn't as impotent as its critics say it is. Jaeson Schultz, a threat researcher with Cisco Systems' Security Business Group, asserted that antivirus software has evolved over the past five years to provide greater protection. Not only has antivirus software added more heuristic functionality, which enables it to deal more effectively with non-signature threats, but it blocks an assortment of malware, such as rootkits, remote access trojans (RATs), keyloggers, spyware, adware, and even potentially unwanted applications. It will even protect users against malware vectors like email, social media and files transmitted via the web.
"It is an arms race," Schultz said. "As new avenues for exploitation arise, new counter-functionality is being built into AV software."

"Certainly it is a bit hyperbolic to claim AV software is dead," he added. "Many people still depend on anti-virus as an integral part of their multi-layered defense."
While it's unlikely that dire assessments of antivirus software will go away, it's also unlikely that those assessments will be fulfilled any time soon. As Chris Doggett, managing director of Kaspersky Lab North America, observed, "Cyber attacks will continue to grow in number and complexity, and AV software will always be a part of the bigger security solution that is fighting against them for both users and organizations."

"Without AV software as part of future securities," he continued, "we'd be giving up the idea of protecting endpoints and mobile devices, leaving millions of people at the mercy of cyber criminals."
Endpoint Security Demands Organizational Changes
Large organizations should delegate endpoint security to a group dedicated to malware prevention and detection

BY JON OLTSIK, NETWORK WORLD | Pity endpoint security software. Venerable antivirus has gotten a bad reputation for being an ineffective commodity product. This situation is illustrated by some recently published ESG research (note: I am an employee of ESG). Security professionals working at enterprise organizations (i.e., more than 1,000 employees) were given a series of statements and asked whether they agreed or disagreed with each. The research revealed that:
62% of respondents strongly agreed or agreed with the statement: "Endpoint security software is effective for detecting/blocking older types of malware but is not effective for detecting/blocking zero-day and/or polymorphic malware commonly used for targeted attacks today."

52% of respondents strongly agreed or agreed with the statement: "Our continued use of traditional endpoint security software is driven by regulatory compliance requirements for the most part."

44% of respondents strongly agreed or agreed with the statement: "Endpoint security software is a commodity product with little measurable differences between brands."
Wow, it's no wonder why some have declared that endpoint security software is dead. Negative opinions like these have put leading security firms like Kaspersky, McAfee, Sophos, Symantec, Trend Micro, and Webroot on the defensive and opened the door for endpoint antimalware upstarts like Bromium, Cisco/Sourcefire, Cylance, Crowdstrike, IBM, Invincea, Malwarebytes, and Triumfant.

No question that new threats and requirements are changing the endpoint market, and this is sure to disrupt the status quo. That said, there is more to this story than technology alone. Allow me to elaborate.
Endpoint security software was considered somewhat of a security panacea in the past. Install AV on each PC, maintain a steady diet of vulnerability scanning, patch management, and signature updates, and you were pretty well protected from the flood of pedestrian adware, spyware, viruses, and worms.

This formula worked pretty well for many years, leading to a "set it and forget it" mentality in many organizations. And since AV software was part of standard PC configurations, endpoint security management was delegated to junior IT operations personnel who owned PC provisioning and help desk support.
Alas, somewhere around 2007 the endpoint security landscape changed. Organized hackers got serious about attacks by using stealthy malware, evasion techniques, rootkits, and zero-day exploits. In response, endpoint security software vendors introduced countermeasures like static/dynamic payload analysis, file reputation services, and integrated cloud intelligence.

Yup, cybersecurity was going through a profound change as malware and endpoint security vendors engaged in an accelerating cat-and-mouse technology game. Unfortunately, many of the foot soldiers in this battle (i.e., the IT operations team) were caught in the fog of war. In too many cases, they didn't know about advanced malware or the new antimalware capabilities baked into their traditional AV products. These folks simply continued to deploy endpoint security in a default configuration, rendering it less and less effective over time.
Regrettably, this situation still exists at many organizations. IT operations handles endpoint security, deploys endpoint security software in some minimal configuration, organizations get breached, and pundits declare AV as dead.

This is a pathetic state of affairs, and it needs to change. CISOs must take ownership of endpoint security and designate a group of specialists who own endpoint security controls as part of an overall responsibility for incident prevention, detection, and response. This group should gain an understanding of endpoint security requirements and product capabilities and then create a plan to tailor endpoint security controls to mitigate risk on various types of endpoint devices.
In summary, we've treated endpoint security as a PC provisioning and IT operations task for too long. By doing so, we are assigning endpoint security to staffers with the wrong skills and we aren't using our endpoint security tools correctly. I suggest we fix this organizational issue before making radical changes to our endpoint security technology strategies or throwing existing endpoint security technologies under the proverbial bus.