SECURE BYTES E for End Point Security
Corporate networks extend to branch outlets and the public internet, and the devices at the edge of those networks are its endpoints. Typical endpoint devices are mobile phones connecting through Wi-Fi access points of the office wireless network, laptops, desktops and printers.
In manufacturing companies, IoT devices that gather plant measurements, and building management systems that manage sensors for temperature, fire and humidity in corporate facilities, are common endpoint devices as well.
KRA For CISO and Cyber Security Team:
The magnitude of enterprise risk in such scenarios comes from the very large attack surface: thousands of laptops and desktops used by corporate users, plus IoT devices and wireless access points.
The problem was aggravated in 2020: during and after the pandemic, enterprises realigned their HR policies to a hybrid workstyle, in which employees are required to attend the office on a few weekdays and work from home for the rest of the week.
This situation adds to the challenges for the CISO and the cyber security team, who must put more controls in place.
End Point Security Controls:
Below are the endpoint security controls deployed to obtain 360-degree detection and prevention coverage for endpoints.
Application Controls:
The OS and the applications deployed on endpoint devices need controls for security patch level, anti-virus and anti-malware protection, file integrity checks to ensure that critical files on the endpoint are not tampered with, application privileges that depend on the user profile and, most important, strong user authentication such as two-factor authentication.
Browser protection (Web content filtering):
Browser-based application access is common nowadays, and it poses particular problems for e-mail access: users need to be protected from phishing mails that redirect to compromised URLs, and web content filtering controls are needed to stop endpoint users from accessing prohibited websites.
Data Controls:
Endpoint users access enterprise applications for business services, which creates a risk of insider fraud through data theft. Access policies need to be implemented so that all data-access activity is logged and data cannot be sent out through drive sharing, FTP access and similar channels.
Device protection:
Laptops, desktops and mobile devices have external interfaces (USB ports, Wi-Fi and LAN ports) for connecting other devices and networks. Endpoint devices need to be governed so that unauthorized use of such ports is detected and prevented, which may be controlled by central intrusion detection and prevention hosts.
Network Controls:
Apart from the controls above, the user's profile determines the level of network access allowed, under policies governed by a central host, to prevent unauthorized access to enterprise endpoint networks and the risk of back-door entry by malicious code.
Incident Management for End Point devices:
The above controls can be implemented with endpoint protection (EPP) products from different OEMs, or with a single EPP OEM offering different modules; but the most important feature expected of any product is that it generates event notifications which can be integrated with the enterprise SIEM (Security Information and Event Management).
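What "integrated with the SIEM" means in practice is that each EPP module emits its events in a format the SIEM can parse. The following is an added example, not code from the original article or from any EPP vendor: it renders endpoint events as CEF (Common Event Format) lines, the vendor-neutral syslog payload most SIEMs accept, applying the format's escaping rules, and parses such lines back so that a malformed or tampered record is rejected rather than silently misread. The vendor and product names, the severity mapping and the sample events are assumptions constructed for the demonstration; the extension keys (dvchost, suser, fname, msg, act) are standard CEF key names.

```python
"""
Added example (not part of the original article): formatting EPP events as
CEF:0 lines for SIEM ingestion and parsing them back. Vendor/product names,
severity mapping and the sample events are constructed for the demonstration.
"""
import re

# Assumed mapping from the EPP's own severity labels to the CEF 0-10 scale.
SEVERITY = {"info": 1, "low": 3, "medium": 5, "high": 8, "critical": 10}


def _escape_header(value):
    # CEF header fields: backslash and the field separator '|' must be escaped.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    # CEF extension values: backslash and '=' are escaped; newlines become \n / \r.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event, vendor="ExampleEPP", product="Agent", version="1.0"):
    """Render an endpoint event dict as one CEF:0 line (no syslog prefix)."""
    header = "|".join(_escape_header(v) for v in (
        vendor, product, version,
        event["signature_id"], event["name"], SEVERITY[event["severity"]]))
    extension = " ".join(f"{k}={_escape_extension(v)}"
                         for k, v in sorted(event.get("fields", {}).items()))
    return f"CEF:0|{header}|{extension}"


# One header field up to and including its terminating '|', honouring escapes.
_HEADER = re.compile(r"((?:\\.|[^|\\])*)\|")
# One key=value pair; the value runs until the next ' key=' or end of line.
_EXT = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?= \w+=|$)")


def _unescape_header(s):
    return re.sub(r"\\(.)", r"\1", s)


def _unescape_extension(s):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def parse_cef(line):
    """Parse a CEF:0 line into (header dict, extension dict); ValueError if malformed."""
    prefix = "CEF:0|"
    if not line.startswith(prefix):
        raise ValueError("not a CEF:0 record")
    pos = len(prefix)
    header = {}
    for name in ("vendor", "product", "version", "signature_id", "name", "severity"):
        m = _HEADER.match(line, pos)
        if not m:
            raise ValueError(f"truncated CEF header at field {name!r}")
        header[name] = _unescape_header(m.group(1))
        pos = m.end()
    extension = {k: _unescape_extension(v) for k, v in _EXT.findall(line[pos:])}
    return header, extension


def demo_events():
    """Constructed sample events from a file-integrity module and a device-control module."""
    return [
        {"signature_id": "FIM-001", "name": "Critical file modified", "severity": "high",
         "fields": {"dvchost": "LAPTOP-0421", "suser": "jdoe",
                    "fname": "C:\\Windows\\System32\\drivers\\etc\\hosts",
                    "msg": "hash mismatch: expected=ab12 actual=cd34"}},
        {"signature_id": "DEV-007", "name": "USB mass storage blocked", "severity": "medium",
         "fields": {"dvchost": "LAPTOP-0421", "suser": "jdoe",
                    "deviceExternalId": "VID_0781&PID_5581", "act": "block"}},
    ]


if __name__ == "__main__":
    for ev in demo_events():
        line = to_cef(ev)
        print(line)
        print(parse_cef(line))
```

The escaping is the part that matters for security: a file name or message containing `|`, `=` or a newline would otherwise shift the header fields or inject a second record, so an attacker who controls a file name could hide or forge events in the SIEM. Asserting that parsing the emitted line reproduces the original event is a cheap way to catch that class of bug before the integration goes live.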
EPP Architecture:
The cyber security team and the CISO can explore the EPP architectures below, depending on the enterprise IT landscape, budget and enterprise IT security policies, when evaluating various vendors' EPP solutions for decision-making.
Client Server architecture:
Client server architecture consists of a central intrusion detection and prevention server with various modules such as anti-virus and anti-malware protection, file integrity, device control and more. These modules, at both server and client level, are governed by security policies and configurations that implement the endpoint security controls described in the section above.
Its advantage is that an endpoint that loses access to the corporate network can still work offline and execute its detection and prevention controls locally. The trade-off is higher network and compute utilization.
Software as Service (SaaS) architecture:
SaaS architecture consists of a central intrusion detection and prevention server in the cloud with modules similar to those of the client server architecture. In SaaS mode of operation the modules serve both server and client (the typical scenario being a Desktop as a Service cloud offering or a Citrix based deployment). SaaS architecture relies on heavyweight modules at the server and lightweight modules at the client.
Clients are still governed by the server in terms of security policies and configurations that implement the endpoint security controls described in the section above.
Its advantage is that endpoint compute resource demands are lower, so corporates can save CAPEX with thin DaaS client configurations, and detection and prevention are controlled centrally. The trade-off is that the server and its resources must provide higher uptime.
EPP Feature Matrix:
An enterprise can start with basic EDR (Endpoint Detection and Response) capabilities, with a limited set of features and modules in the EPP, as described below:
1. Prevention is the primary function of an EPP, as it eases centralized implementation of prevention controls across endpoint devices.
2. Detection is the heart of an EPP, as it complements prevention: it detects threats that have got past the preventive controls and supports investigation of incidents so that remediation can follow.
3. Enterprise access controls: the EPP maintains, for each user and device profile across enterprise endpoint assets, the network, file access, application and user access control policies.
The EPP investment can be extended by adding the functionalities described below.
1. Risk profiling of endpoint devices based on the security controls mapped to user and device profiles. Enterprise risk management becomes easier, as enterprise assets get a risk-ranked inventory and risk treatment can be applied per profile.
2. Extended Detection and Response (XDR) capabilities: identity protection, web content filtering, e-mail protection, file integrity monitoring, AI-enabled user behaviour analytics for proactive alerts, data loss prevention (DLP) and many more add-on modules.
3. EPP has opened opportunities for anti-virus and anti-malware OEMs to add XDR capabilities as toppings over their base product, protecting the investments of existing customers.
4. Proactive and managed security service providers have further leveraged EPP platforms to offer Managed Detection and Response (MDR): proactive threat hunting as well as forensic analysis of incidents that got past preventive controls, for effective and efficient response readiness.
An Endpoint Protection Platform (EPP) is best suited to gain the centralized endpoint controls featured above; explore EPP OEMs using Gartner's Magic Quadrant for EPP as referenced below. For a more detailed report from Gartner, please visit the link.