8 Important Features You Need In An Endpoint Security Tool

From having the ability to remove agents and detect malicious scripting to probing the behavior of machines rather than signature models, here are eight things companies need in an endpoint security tool.

Eradicating Endpoint Threats

The growth of disruptive attacks such as ransomware and the migration of more persistent attackers to fileless techniques have ushered in a new age for endpoint security tools, according to Gartner. The shift from locally managed endpoint security tools to cloud-delivered products has reduced the maintenance burden for customers, particularly as it relates to staying on top of the latest releases, Gartner said.

The integration of endpoint detection and response with up-front protection has brought threat hunting, incident response and better detection capabilities based on behavior modeling rather than indicators of compromise, Gartner found. Plus, endpoint security tools are increasingly providing application and device control, vulnerability and configuration management to harden the environment, Gartner said.

As part of Cybersecurity Week 2020, CRN spoke with eight cybersecurity vendors and solution providers about what to look for when choosing an endpoint security tool. From having the ability to remove agents and detect malicious scripting to leveraging heuristics to examine the behavior of machines rather than signature models, here are eight things companies need in an endpoint security tool.

Heuristic-Based Approach To Protection

The number of signatures coming out has increased from hundreds per day at the time anti-virus software was first written to hundreds of thousands per day in 2010 to millions per day currently, according to McAfee Chief Information Officer Scott Howitt. Heuristics helps with stopping more complicated threats and doesn’t eat up as much memory on a customer’s machine, Howitt said.

Customers should ask the chief technology officer or sales engineer at an endpoint security vendor to explain the process that occurs when blocking a threat that comes into their environment, Howitt said. Heuristics is all about watching the behavior of machines and looking at processes to figure out through context whether or not the machine’s behavior makes sense in the absence of a virus, Howitt said.

A signature-based approach is effective at defending against commodity-based malware like botnets or phishing attacks that take a “spray and pray” approach of throwing out thousands of pieces of malware and hoping it finds one unsecured machine, he said. But for more customized and sophisticated cyberthreats, he said heuristics can help probe cyber hygiene and question abnormal privilege escalations.

Ability To Place And Remove Agents

The management of agents continues to be a challenge, and customers want to know what they’re able to get rid of when putting a new endpoint security tool down, according to Al Huger, Cisco Systems’ vice president of security platform and response. Managing multiple agents is costly, Huger said, and the proliferation of endpoints in recent years has become expensive for companies to manage and deploy.

Moreover, Huger said having additional agents typically results in more tickets for a customer’s internal or external IT support teams, which in turn also increases cost. Given that user experience and operational cost benefit from having fewer agents, Huger said endpoint security tools should be able to help an organization consolidate its IT footprint.

In addition, Huger urged organizations to find endpoint security tools that can do more than just anti-virus, breach detection or detection and response and actually deliver asset inventory or vulnerability assessments. These capabilities can help customers prioritize where the risk is greatest and preclude applications that are known to be vulnerable from being deployed to the endpoint, according to Huger.

Ability To Detect Malicious Scripting

Adversaries are no longer using old-school executable files and have instead decided to co-opt scripts like JavaScript, VBScript and Office Scripts that are also used by legitimate actors, according to Hal Lonas, chief technology officer of SMB and consumer for OpenText. Vendors must look at malware attempting to evade traditional protection technologies by launching evasive script attacks, Lonas said.

Endpoint security tools therefore need to make determinations beyond whether a file is good or bad and actually have visibility into the behavior that’s occurring on a particular machine, he said. Deciding whether a set of actions is benevolent or malicious can be very challenging since, for instance, many applications go through all the files in the directory and list them out in order to decrypt them.

Vendors simply can’t afford to hire enough threat researchers to detect all these nuances in behavior, and a labor-intensive approach to monitoring behavior won’t scale, Lonas said. Instead, he said endpoint security tools must leverage machine learning to assist with telemetry collection for scripts and develop a troubleshooting process for when something unrecognized turns up in a company’s environment.

Understanding Techniques Hackers Are Using

Hackers have increasingly leveraged a broader array of techniques in their attacks ranging from the manipulation of data through encryption or mass exfiltration to leveraging vulnerabilities in the code itself, according to Dan Schiappa, chief product officer at Sophos.

Organizations must rely on trusted processes to stay ahead of evolving tactics and detect and protect against advanced attacks before they cause damage, Schiappa said. Endpoint security tools should be on the lookout for different techniques that are typically used by hackers and offer companies the ability to whitelist the technique only if they use it for legitimate purposes, according to Schiappa.

Combining predictive technology with human intelligence can help with detecting activity or behavior that isn’t necessarily malicious but is still suspicious, according to Schiappa. Notably, Schiappa said a behavior-based approach can help with spotting triggers that suggest an adversary is preparing to attack the organization in question.

Ability To Vary Access Level By Application

Old-school VPN approaches connect users to the enterprise network and assume that all points are network-based, according to Nico Fischbach, global chief technology officer at Forcepoint. As a result, Fischbach said companies using VPN either must open up their entire network and assume all the risk that comes with that or restrict the network to applications that are being run on-premises.

VPN takes a point-to-point approach to security, Fischbach said, connecting users to the network. Conversely, Fischbach said a Zero Trust Network Access (ZTNA) approach allows for a more continuous policy where companies can provide remote access only to very specific applications and restrict access in real time if an application’s behavior is deemed to be risky.

ZTNA is much more application- and risk-driven since it doesn’t matter whether an application resides at corporate headquarters, in a data center or in a Software-as-a-Service environment, Fischbach said. The best way organizations can hide the complexity of remote access to applications is by using ZTNA, according to Fischbach.
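To make the VPN-versus-ZTNA contrast above concrete, here is an added example written for this page (it is not code from CRN or from Forcepoint). It models a per-application access decision that ignores where the app is hosted and re-evaluates an open session when a risk score changes. The policy fields (entitled groups, a managed-device requirement, a risk ceiling) and the 0-100 risk score refreshed by a broker are assumptions chosen for illustration, not any vendor's schema.

```python
"""Per-application access decisions in the ZTNA style, beside a VPN-style grant.

Added example written for this page, not code from CRN or from Forcepoint. The
policy fields (entitled groups, managed-device requirement, risk ceiling) and
the idea that a broker refreshes a 0-100 risk score during a session are
assumptions used to make the contrast concrete.
"""
import dataclasses
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset
    device_managed: bool
    disk_encrypted: bool
    risk_score: int  # 0 (clean) to 100, re-evaluated continuously (assumed)


# Where each app runs (HQ, data centre, SaaS) does not appear in the policy;
# the decision is per application and per request.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "managed_only": True, "max_risk": 30},
    "wiki": {"groups": {"staff"}, "managed_only": False, "max_risk": 70},
    "git": {"groups": {"eng"}, "managed_only": True, "max_risk": 50},
}


def vpn_grant(ctx: Context) -> set:
    """Legacy VPN: one credential check, then the whole network is reachable."""
    return set(APP_POLICY) if ctx.user else set()


def ztna_decide(ctx: Context, app: str) -> tuple:
    """Return (allowed, reason) for one application request."""
    pol = APP_POLICY.get(app)
    if pol is None:
        return False, "unknown_app"
    if not ctx.groups & pol["groups"]:
        return False, "not_entitled"
    if pol["managed_only"] and not (ctx.device_managed and ctx.disk_encrypted):
        return False, "device_posture"
    if ctx.risk_score > pol["max_risk"]:
        return False, "risk_too_high"
    return True, "ok"


def ztna_grant(ctx: Context) -> set:
    """The set of applications this context may reach right now."""
    return {app for app in APP_POLICY if ztna_decide(ctx, app)[0]}


class Session:
    """A brokered connection that is re-evaluated whenever the risk score changes."""

    def __init__(self, ctx: Context, app: str):
        self.app = app
        self.ctx = ctx
        self.active, self.reason = ztna_decide(ctx, app)

    def update_risk(self, new_score: int) -> bool:
        # Continuous policy: the same decision runs again mid-session and the
        # connection is cut (active=False) if it no longer passes.
        self.ctx = dataclasses.replace(self.ctx, risk_score=new_score)
        self.active, self.reason = ztna_decide(self.ctx, self.app)
        return self.active


# Constructed sample: a finance user on a managed, encrypted laptop.
ALICE = Context("alice", frozenset({"finance", "staff"}), True, True, risk_score=10)

if __name__ == "__main__":
    print("VPN reaches :", sorted(vpn_grant(ALICE)))   # every app on the network
    print("ZTNA allows :", sorted(ztna_grant(ALICE)))  # only payroll and wiki
    s = Session(ALICE, "payroll")
    s.update_risk(45)  # e.g. the broker sees an anomalous download pattern
    print("payroll session after risk rise:", s.active, s.reason)
```

The point of the `Session` class is the "restrict access in real time" clause: the payroll connection is dropped when the risk score passes 30, while the lower-sensitivity wiki would still be reachable at the same score. A VPN has no equivalent hook because its only decision was made once, at connect time, for the whole network.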

Examine Behavior, Not Signature Models

Endpoint detection and response models are going to be very helpful in a world where attackers are already on the machine and not exploiting vulnerabilities, said Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy. A rise in malware attacks that look like code and ask users to run it has been a huge boon for defenses that look at behavior rather than signature-based models.

Endpoint detection and response is about detecting things that are acting funny rather than finding malicious files from static PEs or binaries, Kalember said. That has become more relevant since the point of initial compromise today is typically a user that’s been tricked into running malicious code on behalf of an attacker, according to Kalember.

Human adversaries are today involved more often than not in the attacks that matter, meaning that a detection- and response-oriented response will get companies further than focusing primarily on prevention, according to Kalember. And as organizations adopt multifactor authentication more broadly, Kalember expects that malware will be a popular way to get around it.
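The heuristics section, the malicious-scripting section and this one all make the same argument from different angles: judge what a process is doing rather than whether its hash is already known. The following is an added example written for this page (not code from CRN, McAfee, OpenText or Proofpoint) that runs a hash blocklist and three behavioral checks side by side over constructed process-creation events. The event schema, the rule thresholds and every sample event are assumptions made for illustration.

```python
"""Behaviour-based triage of process-creation events next to a plain hash signature.

Added example written for this page; it is not code from CRN or from any vendor
quoted above. The event schema (parent image, child image, command line, file
paths written) and every sample event below are constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Signature side: a blocklist of hashes we have already seen. Anything not in
# it, including a trivially recompiled copy of the same dropper, passes.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed commodity dropper").hexdigest()}

# Heuristic side: relationships and actions that are rare for legitimate work.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "rundll32.exe"}
ENCODED_PS = re.compile(r"(?i)\s-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}")
BENIGN_BULK_EXTS = {"tmp", "log", "bak"}


@dataclass
class ProcessEvent:
    parent: str
    image: str
    cmdline: str
    sha256: str
    files_written: list = field(default_factory=list)


def signature_verdict(ev: ProcessEvent) -> list:
    """Fires only when the exact binary is already known bad."""
    return ["known_bad_hash"] if ev.sha256 in KNOWN_BAD_SHA256 else []


def behaviour_verdict(ev: ProcessEvent) -> list:
    """Judges what the process is and does, regardless of its hash."""
    reasons = []
    # An Office document should not need a script host to open.
    if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS:
        reasons.append("office_spawned_script_host")
    # Base64-encoded command lines are almost never typed by a human.
    if ENCODED_PS.search(ev.cmdline):
        reasons.append("encoded_powershell")
    # Many files rewritten to one unfamiliar extension is the ransomware tell;
    # a build tool writing hundreds of .tmp files is not.
    exts = [p.rsplit(".", 1)[-1].lower() for p in ev.files_written if "." in p]
    if len(exts) >= 50 and len(set(exts)) == 1 and exts[0] not in BENIGN_BULK_EXTS:
        reasons.append("mass_rewrite_to_." + exts[0])
    return reasons


def triage(events) -> dict:
    """Map each event's image name to (signature reasons, behaviour reasons)."""
    return {ev.image: (signature_verdict(ev), behaviour_verdict(ev)) for ev in events}


# Constructed sample events (hashes are arbitrary placeholders).
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "invoice.exe", "invoice.exe",
                 hashlib.sha256(b"constructed commodity dropper").hexdigest()),
    ProcessEvent("WINWORD.EXE", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc "
                 "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA",
                 "a" * 64),
    ProcessEvent("explorer.exe", "photo_viewer.exe", "photo_viewer.exe", "b" * 64,
                 [f"C:/Users/jo/Documents/report{i}.docx.locked" for i in range(200)]),
    ProcessEvent("explorer.exe", "notepad.exe", "notepad.exe C:/notes.txt", "c" * 64,
                 ["C:/notes.txt"]),
]

if __name__ == "__main__":
    for image, (sig, beh) in triage(SAMPLE_EVENTS).items():
        print(f"{image:18} signature={sig or '-'} behaviour={beh or '-'}")
```

Only the first event, the known commodity dropper, is caught by the hash; the macro-launched encoded PowerShell and the mass rename to `.locked` have never-seen hashes and are flagged purely on behavior, while the ordinary Notepad launch triggers nothing. In a real sensor each rule would also carry the false-positive caveat the OpenText quote raises: a backup agent walking a directory tree needs to be distinguished from an encryptor, which is why the bulk-rewrite rule keys on a single foreign extension rather than on file count alone.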

Ability To Remove Unnecessary Admin Rights

Many security vulnerabilities can be mitigated by removing admin rights, since if an actor lacks the privileges to drop a file in the victim’s ecosystem, it can’t carry out a ransomware attack, said Morey Haber, chief technology officer and chief information security officer at BeyondTrust. Given that anti-virus is table stakes for an endpoint security tool, Haber thinks that controlling admin rights comes next.

Removing admin rights is recognized as part of privileged access management (PAM) since every form of remote access is some form of privileged access, according to Haber. MSPs are doing remote access either to manage their own customers or are reselling remote access as a managed service to their customers, Haber said.

Some 88 percent of critical Microsoft vulnerabilities can be mitigated by removing admin rights, Haber said. And Haber said there’s no reason to use an on-premises endpoint security tool that requires an agent since cloud-based endpoint protection can automatically send logs and apply patches without requiring a VPN connection in the event the administrator is working remotely.

Regular Reporting On Threats Detected

Endpoint detection and response really provides visibility around and containment of tomorrow’s most pernicious threats, according to Hannah O’Donnell, director of sales at Collabrance. More traditional endpoint security defenses like antivirus and DNS are focused on waiting for current threats to strike and then reacting, O’Donnell said.

In contrast, endpoint detection and response assumes it’s not a matter of if but when an attack is going to happen, and takes a proactive approach to attempting to identify new infections. Customers should figure out what type of reporting they’re getting from an endpoint security tool both in terms of how regular the reporting is and what type of information is going to be provided, O’Donnell said.

This in turn allows MSPs to go in front of their customers on a regular basis and provide reporting around what they’re doing in the background beyond addressing help desk calls, according to O’Donnell. Detailed reporting helps customers feel like they’re getting value for their money, O’Donnell said.