Endpoint Security

Technology
A 360° View of the Buying Process
 It’s vital to secure all the various endpoints in your
organization against a constant bombardment of daily
threats. Learn how endpoint protection software can help
Contents block malicious network traffic while providing secure
Assessing the Business access to your sensitive business data.
Issue

Business Benefits
From Business Problem to Technical Solution
Technical Overview
From Business Problem to Technical Solution
Questions to Ask By Karen Scarfone

Vendors at a Glance
Assessing the Business Issue
Product Benefits and
Tradeoffs Most organizations today are facing a rapid increase in the number of client
devices—endpoints like desktops, laptops, smartphones and tablets. An
Sealing the Deal employee may have three or four endpoints that have been issued by the
organization, as well as one or more of their own personal devices. Multiply
these by the number of users in your organization and the sheer volume of
endpoints IT must manage becomes overwhelming. Each endpoint in your
organization represents multiple attack vectors against the organization’s
systems, networks, and most importantly, sensitive data. Organizations are
increasingly focused on safeguarding their sensitive data, such as customer
databases, patient health records, financial information, etc. At the same
time, users are demanding increased access to this sensitive data from their
organization-issued and personally owned endpoints.

It’s become even more important for organizations to protect endpoints that
access their network against numerous daily threats. A single data breach on
an endpoint—anything from a malware infection on a laptop to a lost
smartphone holding a sensitive database—can cost an organization millions
of dollars and seriously damage its reputation. According to a recent
Ponemon study, the average cost of a U.S. data breach in 2012 was $5.4
million. To prevent such incidents from occurring, composite software suites
known as endpoint protection software have been developed. These suites
use a combination of prevention and detection techniques to identify

Page 1 of 20
 malicious activity and treat it accordingly by blocking malicious network traffic
or preventing malicious software from being executed. Endpoint protection
software is also used to identify known vulnerabilities in endpoints, such as
Contents incorrect security configuration settings and missing patches for operating
systems and applications.
Assessing the Business
Issue Many of the technologies bundled within endpoint protection software have
been available as standalone products or in loosely bundled product suites
Business Benefits
for many years. Examples include antivirus software, host-based firewalls
Technical Overview (also known as personal firewalls), and host-based intrusion
detection/intrusion prevention software. What makes endpoint protection
Questions to Ask software different from standalone products or loose bundles is that the
endpoint protection software’s components are fully integrated into a single
Vendors at a Glance
product, with a single interface and management capability. Ideally, all the
Product Benefits and parts of endpoint protection software work together seamlessly. This creates
Tradeoffs a superior solution to using separate standalone products or loosely bundled
product suites, and attempts to integrate the individual components in an
Sealing the Deal
after-the-fact way.

The capabilities most often provided by endpoint protection software include:

 Antivirus software
 Application whitelisting
 Device control
 Endpoint data loss prevention (DLP)
 Enterprise mobile device management (MDM)
 Host-based firewall
 Host-based intrusion detection/prevention system
 Storage encryption
 Vulnerability assessment

Most endpoint protection software offers several, but not all, of these
capabilities. However, products are rapidly evolving to cover all of these
capabilities, as well as to prepare to add the next generation of security
capabilities to these products in the future.

Business Benefits
Even products that only offer some of the possible endpoint protection

Page 2 of 20
 software capabilities can still be very effective at stopping threats, which
ultimately means fewer successful attacks. Endpoint security has reached a
point where it’s basically become a necessity to use an integrated endpoint
Contents protection software suite instead of stovepiped standalone technologies.
Small businesses that have minimal security threats may do well with more
Assessing the Business lightweight solutions, such as those that focus on malware prevention and
Issue email based threats. Yet, larger enterprises are almost certain to need the
Business Benefits gamut of capabilities that endpoint protection software provides today, and
will provide in the foreseeable future.
Technical Overview
The business benefits of endpoint protection software can be organized into
Questions to Ask
the following categories: decreasing data breaches and other incidents,
Vendors at a Glance easing deployment of new security technologies, reducing costs and blocking
unwanted activity.
Product Benefits and
Tradeoffs Decrease Data Breaches and Other Incidents: Having a single integrated
Sealing the Deal product means endpoint protection software should provide more effective
and efficient prevention and detection capabilities than its standalone
counterparts would. This would lead to reduced opportunities for exploitation
and ultimately fewer data breaches and other incidents within an
organization. Prevention and detection is more efficient because the content
of interest—the Web request, email message, file write—is analyzed in many
ways in one session, not separately several times in succession. There is a
great deal of overhead involved in analysis—in parsing protocols, file
formats, and other ways that data is stored or transmitted. Using a fully
integrated product eliminates most of this overhead, allowing it to be incurred
once instead of several times for each piece of content.

Effectiveness is another important aspect of having a single integrated

product. Ideally, the various capabilities within a product can collaborate with
each other, particularly to identify unknown threats. Imagine that a new form
of malware, previously unseen, attempts to enter an endpoint. The antivirus
software may not be able to detect it on its own because it is primarily
signature-based, but the endpoint protection software may notice suspicious
attempts to transfer sensitive data to a known malicious website. This activity
might be detected by a combination of the host-based firewall, endpoint DLP

Page 3 of 20
 software, and application whitelisting (in monitoring mode). By correlating
security events seen by the various individual detection capabilities, the
endpoint protection software can identify malicious events that no single
Contents capability can properly recognize on its own.

Assessing the Business Another important facet of endpoint protection software is that it provides so
Issue many varied security capabilities. It provides a layered defense-in-depth
solution all on its own. Each capability that it provides is effective against
Business Benefits
different types of threats, so when an organization combines all of those
Technical Overview capabilities, it is addressing a much wider range of threats than any single
capability product could address on its own.
Questions to Ask
Ease Deployment of New Security Technologies: Having many
Vendors at a Glance
capabilities integrated into a single product can significantly ease deployment
Product Benefits and of new security technologies. Over time, endpoint protection software
Tradeoffs typically adds new capabilities; some of the most recent include endpoint
data loss prevention (DLP), application whitelisting and enterprise mobile
Sealing the Deal device management (MDM). Taking advantage of these emerging security
technologies does not require acquisition and deployment of a completely
new product, but rather simply configuring and enabling a new feature in the
existing endpoint protection software deployment.

With this, organizations can take advantage of new security capabilities

much more quickly and easily than was previously possible. This accelerates
the adoption of new security capabilities, allowing an organization to
potentially gain a competitive advantage against other organizations that are
slower adopters of endpoint security technologies.

Reduce Costs: Generally speaking, it’s going to be less expensive to buy

one product (endpoint protection software) than to buy all of its equivalent
components separately. This does not just include the software cost itself,
but also the infrastructure supporting the software. Assuming that the
endpoint protection software is fully integrated, in a smaller organization it
could run on a single server (more likely on two servers for redundancy).
Imagine how many separate servers might be needed if the software was
purchased as standalone components. In larger organizations, the solutions
will need to be scalable anyway, so an organization can simply deploy

Page 4 of 20
 another instance of the endpoint protection software server if it needs more
processing power. This is much simpler than having to monitor the
performance of several different server products and manage the scalability
Contents of each one separately.

Assessing the Business The reduction in labor from using an integrated solution may also be
Issue significant. Security administrators have a single management interface for
all of these disparate endpoint security capabilities instead of a separate
Business Benefits
interface for each of them. Typical maintenance processes such as applying
Technical Overview patches to the endpoint protection software should be significantly simpler
and faster with an integrated solution. Incident investigation will also be
Questions to Ask streamlined because there is a single interface for all of the events monitored
by the software.
Vendors at a Glance

Product Benefits and Block Unwanted Activity: Most data breaches occur because of inadvertent
Tradeoffs actions, not intentional behavior. Users, for example, may be in the habit of
copying important files onto a USB flash drive as backups, but they do not
Sealing the Deal realize that these USB flash drives are inherently insecure (not encrypted,
not requiring authentication before use, etc.) Copying sensitive data to a
flash drive may not be a direct data breach in and of itself, but it is a policy
violation (and quite possibly a regulatory violation, depending on the type of
data) and could eventually lead to a data breach, especially if the flash drive
is lost or stolen.

Endpoint protection software, primarily through its device control and DLP
capabilities, can detect and stop such “data leaks” before they occur, long
before a breach is possible. This reduces the sprawl of sensitive data, giving
the organization fewer instances to protect and to audit. Endpoint protection
software can even educate the user on what the nature of the policy violation
is, helping the user to understand what’s wrong and how it should be
addressed.

Page 5 of 20
 To properly evaluate endpoint protection software, you must
understand the diverse capabilities that are available and
how they will integrate into your environment. Learn the
Contents different options of endpoint protection software and how
each feature helps to detect and stop malicious behavior.
Assessing the Business
Issue RFP Technology Decisions
Business Benefits
RFP Technology Decisions
Technical Overview Karen Scarfone

Questions to Ask
Technical Overview
Vendors at a Glance
Endpoint protection software use a combination of techniques to detect and
Product Benefits and stop malicious behavior, but the types of techniques and capabilities vary.
Tradeoffs The capabilities most often provided by endpoint protection software include:

Sealing the Deal  Antivirus software

 Application whitelisting
 Device control
 Endpoint data loss prevention (DLP)
 Enterprise mobile device management (MDM)
 Host-based firewall
 Host-based intrusion detection/prevention system
 Storage encryption
 Vulnerability assessment

However, few endpoint protection software solutions provide all the

capabilities in this list. Endpoint protection software may also provide
application-specific security services, such as Web site filtering and antispam
protection.

Security Capabilities
Let’s look at the security capabilities that are most commonly provided by
endpoint protection software in more detail. Note that the extent to which
each of these capabilities is implemented may vary from product to product

Page 6 of 20
 (for example, endpoint DLP may be more rigorously implemented in one
product and storage encryption in another).

Contents Antivirus: This is the standard antivirus software that’s been available for
endpoints for many years. It is best suited to detect known instances of
Assessing the Business malware. Unfortunately, antivirus software, while still an important
Issue component of endpoint security, is not nearly as effective as it used to be
because of the highly customized and targeted nature of many of today’s
Business Benefits
malware threats. Symantec recently reported that less than 50% of malware
Technical Overview was detected by antivirus software in 2012. Antivirus software is primarily
signature-based, and you generally can’t use signatures for identifying the
Questions to Ask novel and unknown.

Vendors at a Glance
Application whitelisting: Application whitelisting is a feature that limits
Product Benefits and which applications may be installed and/or executed on an endpoint. It is only
Tradeoffs useful for environments that are able to tightly restrict what applications are
to be used while still providing the necessary services to their users.
Sealing the Deal However, if application whitelisting can be used in an environment on its user
endpoints, it can prevent the execution of known and unknown malware, as
well as attack tools and other malicious software. It can also prevent use of
applications with known vulnerabilities that could be exploited to access
sensitive data or otherwise gain unauthorized access to the endpoint.

Device control: Device control, sometimes referred to as port control, is

software that prevents unauthorized endpoint use of connected mobile
devices and removable media, most notably USB drives and CDs/DVDs.
Device control can prohibit all use of certain classes of mobile devices and/or
removable media. It can also more granularly limit what types of data may be
stored on mobile devices and removable media, often working in conjunction
with endpoint DLP technology (described below). Device control can help
prevent the spread of malware, as well as blocking the sprawl of sensitive
data to locations other than its origin.

Endpoint DLP: One of the newest components of endpoint protection

software, endpoint DLP, is intended to stop inadvertent and intentional
breaches of sensitive data, ranging from Social Security and credit card
numbers to proprietary intellectual property (e.g., blueprints and other

Page 7 of 20
 sensitive documents). Endpoint DLP monitors an endpoint’s storage to
identify sensitive data and monitors an endpoint’s use to identify actions
involving sensitive data, such as copying and pasting from a customer
Contents database to an email message. Endpoint DLP can run in a monitoring-only
mode that observes and logs policy violations, or in an enforcement mode
Assessing the Business that stops attempted policy violations from succeeding.
Issue
Enterprise MDM: Enterprise MDM software is geared toward controlling and
Business Benefits
protecting mobile devices, primarily smartphones and tablets but also laptops
Technical Overview in some cases. Enterprise mobile device management software traditionally
provides some of the other security capabilities that endpoint protection
Questions to Ask software does, including endpoint DLP, device control and storage
encryption. Think of enterprise MDM as a suite of security controls that
Vendors at a Glance
protects sensitive data on an endpoint. One of the most notable emerging
Product Benefits and features of enterprise MDM software is establishing a secure sandbox for an
Tradeoffs organization’s applications and data to be housed in. This helps to isolate it
from other threats and vulnerabilities on the endpoint.
Sealing the Deal
Host-based firewall: Host-based firewalls, also known as personal firewalls,
have been around almost as long as antivirus software. And like antivirus
software, they have lost effectiveness over the years as the nature of threats
has changed. Most of today’s threats are at the application layer, not the
network layer. While a host-based firewall still provides valuable protection to
endpoints—by blocking unwanted connection attempts—it doesn’t stop the
vast majority of threats against endpoints. Note that some host-based
firewalls have “application firewall” capabilities built-in that may provide some
additional protection for application-generated network traffic.

Host-based intrusion detection/prevention system: The functionality

provided by a host-based intrusion detection/prevention system (IDPS) can
vary greatly among implementations. Some analyze attempts to execute
code on the endpoint, some analyze the endpoint’s incoming and outgoing
network traffic, some monitor the endpoint’s file system and some analyze
the endpoint’s logs. Most IDPS perform a combination of two or more of
these techniques. The primary benefit of using host-based IDPS is to detect
unknown threats based on their suspicious or unusual behavior.

Page 8 of 20
 Storage encryption: The most common implemented form of storage
encryption for endpoint protection software is full disk encryption. Full disk
encryption completely encrypts the endpoint’s storage media (other than
Contents perhaps the boot sector) so that the data stored on the media cannot be
recovered when the endpoint has been powered off or is otherwise in an
Assessing the Business unauthenticated state. This protects against a data breach should the
Issue endpoint be lost or stolen. Some endpoint protection software also provides
Business Benefits forms of storage encryption other than full disk encryption, such as file or disk
encryption. These forms of encryption are active even when a host is fully
Technical Overview booted, and it only allows access to the sensitive data after proper
authentication has been provided.
Questions to Ask
Vulnerability assessment: The exact nature of vulnerability assessment
Vendors at a Glance
software varies among endpoint protection software, but the fundamental
Product Benefits and idea is that it detects known vulnerabilities in the endpoint, primarily its
Tradeoffs operating system and common applications (Web browser, email client, etc.)
The types of vulnerabilities it can detect may include missing patches,
Sealing the Deal
outdated software and misconfigured security settings. Vulnerability
assessment software generally has no capability to stop threats; rather, it can
notify users and system administrators of security problems so that they can
be addressed before exploitation occurs. Some vulnerability assessment
software can even make recommendations on how to address known
vulnerabilities.

Technical Architecture
The main technical architecture of an endpoint protection software solution
comprises one or more centralized management servers and agent software
installed onto each endpoint. Typically, this agent software is embedded into
the operating system so that it intercepts endpoint activity as it occurs,
permitting it to be blocked as needed. An example is integrating a host-based
firewall into the endpoint’s network stack so that all network activity has to go
through the host-based firewall. Achieving this level of integration
necessitates installing the agent software with administrative privileges.

The centralized management servers used for endpoint protection software

are typical of many security technologies. They are used for full lifecycle

Page 9 of 20
 management of the endpoint agent software, including agent deployment,
agent configuration (e.g., enterprise policy management), agent monitoring
(e.g., incident response, vulnerability response) and agent updating. Usually,
Contents the data collected by each endpoint is transmitted to the centralized servers
for processing, reporting and archival purposes.
Assessing the Business
Issue Because the centralized management servers are such a key component of
an endpoint protection software deployment, even the most basic
Business Benefits
implementation generally necessitates the installation of at least two servers.
Technical Overview This provides redundancy—should one server fail, the other server can keep
operating in its place. Sizable enterprises are likely to deploy more than two
Questions to Ask servers—for example, servers to support different geographic locations, or
several additional servers to support increased workloads.
Vendors at a Glance

Product Benefits and Questions to Ask Your Vendor

Tradeoffs You should ask these important questions in an endpoint protection software
evaluation:
Sealing the Deal

1. Which of the following features are built into your product? If any
features are provided by a third party (for example, an antivirus
vendor), indicate the vendor’s identity and the typical delay from the
release of a third-party update to its availability in your product.
o Antivirus
o Application whitelisting
o Data loss prevention (DLP)
o Device control
o Host-based firewall
o Host-based intrusion detection/prevention system
o Storage encryption
o Vulnerability assessment
2. What other features does your product provide that are not listed in
question 1 (for example, website filtering)?
3. Which of the following features provided by separate products can
be managed from your product?
o Antivirus
o Application whitelisting

Page 10 of 20
 o Data loss prevention (DLP)
o Device control
o Host-based firewall
Contents o Host-based intrusion detection/prevention system
o Storage encryption
Assessing the Business o Vulnerability assessment
Issue 4. For all the features from questions 1, 2, and 3 that you support, do
Business Benefits you have a single management console? If not, how many consoles
are there and which features does each console support?
Technical Overview 5. Does your product support mobile devices (smartphones, tablets,
etc.)? Does the mobile device support include built-in enterprise
Questions to Ask
mobile device management (MDM) functionality and/or integration
Vendors at a Glance with third-party enterprise MDM solutions?
6. For endpoints (including mobile devices, if supported), which
Product Benefits and operating systems and major operating system versions are
Tradeoffs supported? For each of these, what are the performance
Sealing the Deal requirements (CPU, memory, storage)?
7. Describe in terms of technical methods (signature-based, anomaly-
based, behavior-based, policy-based, etc.) how your solution detects
malware threats, both known and unknown (e.g., zero-day).
8. Which of the features from questions 1 and 2 need to be updated
frequently to retain their effectiveness? An example is updating
antivirus signatures to detect the latest malware threats. For each
feature that needs updates, how frequently are updates made
available? Are updates pushed or pulled to the endpoint? How often
are updates acquired (weekly, daily, hourly, etc.)?
9. Does your product work in a virtualized environment? If not, what
functionality is lost or what operational problems exist as compared
to non-virtualized environments?
10. How scalable is your solution? For example, if your product requires
the use of management servers, how many clients can be supported
by each management server?

Vendors at a Glance
This is a representative list of endpoint protection software vendors.

Page 11 of 20
  Arkoon Network Security
 AVG
 Beyond Trust
 CheckPoint Software
Contents  Eset
Assessing the Business  F-Secure
Issue  GFI Software
 IBM
Business Benefits  Kaspersky Lab
 LANDesk
Technical Overview  Lumension Security
 McAfee
Questions to Ask
 Panda Security
Vendors at a Glance  Sophos
 Symantec
Product Benefits and  Trend Micro
Tradeoffs

Sealing the Deal In order to protect your endpoints from threats, it is essential
to evaluate your potential endpoint security software
solution and its ability to integrate into your environment.

Decision Time

Decision Time
Karen Scarfone

Product Benefits and Tradeoffs

Although it’s critical to secure endpoints against today’s threats, an endpoint
protection software solution may not be the optimal choice for a particular
environment. Many organizations already have a significant investment, both
in terms of software and expertise, in their existing point solutions. This could
be antivirus software from one vendor and endpoint data loss prevention
(DLP) software from another vendor. And there are some distinct advantages

Page 12 of 20
 to using point solutions, such as being able to acquire the “best in breed”
solution for each security capability.

Another reason why endpoint protection software solutions may not be

Contents appropriate for an organization is that it may not be in a position to take full
advantage of what an endpoint protection software solution has to offer. For
Assessing the Business
Issue example, an organization’s security posture and limited resources might
preclude it from using endpoint DLP, enterprise mobile device management
Business Benefits (MDM), and some of the other newer capabilities that endpoint protection
software solutions support. So such an organization might be wasting
Technical Overview
significant money paying for endpoint protection software that they won’t be
Questions to Ask able to take full advantage of; purchasing and supporting just the needed
point solutions might be a better, much less expensive option.
Vendors at a Glance
What makes endpoint protection software solutions generally more attractive
Product Benefits and than point solutions is the integrated capabilities that they can provide. Note
Tradeoffs that “can” is the operative word here—some endpoint protection software
solutions comprise several point solutions loosely integrated with each other,
Sealing the Deal
bundled under a single name but really functioning as separate products.
This is not much of an improvement over just acquiring each of the point
solutions separately. Part of the evaluation of any prospective endpoint
protection software should be a careful examination of how well its respective
components are integrated. Ideally there should be a single interface for
managing all of them, and technical integration between related components
(for example, endpoint DLP and device control working together to prevent
the spread of sensitive data to removable media). If this integration is lacking,
such as a vendor purchasing or licensing other vendors’ products without
taking a holistic approach to implementing and integrating those products
with each other, it may be wise to investigate other endpoint protection
software solutions that are more highly integrated.

Whether an organization selects an endpoint protection software solution or

a set of point solutions, it is inevitable that incidents will occur. No security
solution is 100% effective, not even an endpoint protection software solution
with all the varied security capabilities it provides. Also, there are capabilities
that endpoint protection software lacks that are essential for endpoint
security, such as patch management. However, an endpoint protection
software solution is the single most effective endpoint security control of

Page 13 of 20
 those that are currently available. In combination with patch management
capabilities and application-specific security controls (e.g., antispam for
email, Web content filtering for Web browsing), endpoint protection software
Contents can stop most of today’s threats against endpoints.

What remains for organizations to deal with is twofold. Some incidents will
Assessing the Business
Issue occur because of user error, such as being tricked by a malicious email
message (e.g., spam, phishing). This is best dealt with by conducting training
Business Benefits and awareness activities for users to help them better understand security, to
know their roles and responsibilities, and to learn how they should act under
Technical Overview
various circumstances. Other incidents will happen not because of users, but
Questions to Ask because of shortcomings in the endpoint protection software itself. For
example, there may be a zero-day vulnerability in an endpoint, and an
Vendors at a Glance attacker may be able to exploit it using methods not readily detectable by the
endpoint protection software. This is more likely to be true if not all
Product Benefits and
Tradeoffs components of the endpoint protection software are deployed—perhaps if
application whitelisting is not being used.
Sealing the Deal
As a result, organizations need to give serious consideration to using all of
the available security capabilities that endpoint protection software can
provide. Implementing all of these capabilities at one time is generally not
reasonable, especially because some of the capabilities can require
significant fine-tuning to reduce false positives and negatives (endpoint DLP,
host-based IDPS, host-based firewalls, etc.) Deploying all the capabilities at
once and automatically stopping anything that’s identified as suspicious is a
recipe for disaster.

Instead, endpoint protection software should be deployed using a phased

approach, slowly increasing the spread and functionality over time to more
gently identify operational problems. Scalability is also a concern—the more
components of the endpoint protection software solution that are active, the
more resources necessary on both the endpoints and the management
servers (and the networks between them). Before selecting a solution, it is
prudent to do stress testing on real endpoints to see how much performance
may be impacted.

It’s not so much a question of whether your organization is ready for endpoint
protection software—virtually every endpoint needs to be running antivirus

Page 14 of 20
 software, a host-based firewall, and other capabilities available in endpoint
protection software. It’s more a question of whether a set of point solutions or
an integrated endpoint protection software solution is the way to go. One final
Contents consideration is the operating systems on which an organization’s endpoints
run. It may not be possible to find a single endpoint protection software
Assessing the Business solution that supports all of your organization’s operating system variants and
Issue versions. This may necessitate acquiring multiple endpoint protection
Business Benefits software solutions or updating/replacing endpoints to use supported
operating system versions. Neither of these are choices to be taken lightly;
Technical Overview they have serious repercussions.

Questions to Ask

Vendors at a Glance Sealing the Deal: Factors to Consider

1. Do you already have point solutions from different vendors
Product Benefits and
deployed?
Tradeoffs
Switching from point solutions to an integrated endpoint protection software
Sealing the Deal solution can be a major ordeal if your existing point solutions are from
multiple vendors. Switching solutions generally isn’t too problematic if you
are switching from vendor A’s standalone antivirus software to the same
vendor’s endpoint protection software that includes the same antivirus
product. However when multiple vendors are involved, odds are that the
organization will have to replace one or more of the point solutions with
completely different products. Again, this isn’t the end of the world, but it’s
going to require more testing, training, and overall effort than simply
switching from the standalone version of an application to the integrated
version of the same application. Alternately, an organization may decide to
keep one or two of its point solutions (e.g., full disk encryption software) and
not use those corresponding features offered by the endpoint protection
software.

2. Which security capabilities are built into your endpoint operating

systems?
Endpoint operating systems, such as Windows and Mac OS X, are
increasingly providing native support for a variety of endpoint security
capabilities. Examples include application whitelisting, device control, host-
based firewalls and storage encryption. These capabilities can be particularly

Page 15 of 20
 effective if the endpoints are part of a domain (e.g., Active Directory), which
allows them to be centrally managed. If several of the security capabilities
are already being provided through these means, acquiring an endpoint
Contents protection software solution may largely be unnecessary; instead, buying
point solutions for the missing capabilities may be the way to go.
Assessing the Business
Issue 3. Which security capabilities will you deploy first?
Business Benefits As previously mentioned, it’s recommended that an organization deploy
endpoint protection software in a phased approach, limiting both the number
Technical Overview of endpoints running the software and the number of security capabilities
being used initially. For the latter, the organization will need to choose which
Questions to Ask
capabilities will be deployed first. It might be the most fundamental
Vendors at a Glance capabilities, such as antivirus software and host-based firewalls, or it might
be the new features that don’t already exist in the environment, such as
Product Benefits and endpoint DLP or application whitelisting. Regardless of the reason for
Tradeoffs selecting certain capabilities, the organization should pay particular attention
Sealing the Deal to these capabilities when evaluating possible solutions to help support the
success of the initial deployment.

4. How will you secure your major applications?

Most endpoint protection software doesn’t provide application-specific
protections, such as anti-spam and Web content filtering. Because so many
attacks come through email or Web traffic, it is critical to ensure that these
security capabilities are present, either in the endpoint itself or on the
organization’s networks, such as anti-spam running on organization email
servers and Web security gateways running on internal networks. However, if
an organization’s endpoints are mobile—and odds are that some or most
are—then controls such as Web security gateways won’t help unless
external traffic from the endpoints is tunneled onto the organization’s network
so it can be examined there. In short, make sure that you’re looking at the
whole solution and not focusing on just a single piece of software when
considering application security.

5. Will you be deploying it to your mobile devices?

Endpoint protection software is increasingly supporting smartphones and
tablets. At the same time, smartphones and tablets keep becoming more like

Page 16 of 20
 laptops; for example, some of the Microsoft mobile devices run the same
version of the operating system as laptops do. It is becoming increasingly
important, especially for these devices with laptop-like operating systems, to
Contents protect them from the same threats that desktops and laptops face.
Unfortunately, at this time, the security controls available for mobile devices
Assessing the Business are still fairly immature. Before purchasing any endpoint protection software,
Issue if you’re planning on using it to support mobile devices, be sure to test its
Business Benefits mobile device support thoroughly. Additionally, consider whether a full-
fledged enterprise MDM solution would be more effective than an endpoint
Technical Overview protection software solution. Both classes of products have somewhat similar
capabilities, but enterprise MDM solutions are more likely to provide robust
Questions to Ask
support for mobile platforms.
Vendors at a Glance
6. What resources are required?
Product Benefits and Estimating how much effort will be needed to design, deploy, maintain and
Tradeoffs monitor endpoint protection software is very challenging because it has so
Sealing the Deal many different components, each of which involves its own level of effort.
There are several reasons for this, including the amount of tuning needed for
each component and the relationship each one has to the organization’s
policies. For example, deploying a host-based firewall may be relatively
straightforward because an organization’s policies permit all internally-
initiated communications and prohibit all externally-initiated communications
destined for internal endpoints. On the other hand, implementing endpoint
DLP may be extremely resource intensive because of the complexity of DLP
policies needed to implement the organization’s policies regarding the
handling of its sensitive data. DLP policies necessitate significant resources
not only to implement the policies, but also to monitor them over time and
continue to tune them to improve detection and prevention performance. An
important part of evaluating endpoint protection software is estimating the
level of effort that will be needed to support it, and ensuring that the
necessary qualified personnel are dedicated to the task.

Page 17 of 20
 About the Author
Karen Scarfone, Principal Consultant, Scarfone Cybersecurity

Contents Karen Scarfone is the Principal Consultant for Scarfone Cybersecurity in

Clifton, Virginia. She provides cybersecurity publication consulting services,
Assessing the Business
specializing in network and system security guidelines. Scarfone was
Issue
formerly a senior computer scientist for the National Institute of Standards
Business Benefits and Technology (NIST), where she oversaw the development of system and
network security publications for Federal civilian agencies and the public.
Technical Overview She has co-authored over 50 NIST Special Publications and Interagency
Questions to Ask Reports during the past ten years.

Vendors at a Glance

Product Benefits and

Tradeoffs

Sealing the Deal

Page 18 of 20
 Free resources for technology professionals
Contents TechTarget publishes targeted technology media that address your
need for information and resources for researching products,
Assessing the Business
Issue developing strategy and making cost-effective purchase decisions. Our
network of technology-specific Web sites gives you access to industry
Business Benefits experts, independent content and analysis and the Web’s largest library
of vendor-provided white papers, webcasts, podcasts, videos, virtual
Technical Overview
trade shows, research reports and more —drawing on the rich R&D
Questions to Ask resources of technology providers to address market trends,
challenges and solutions. Our live events and virtual seminars give you
Vendors at a Glance access to vendor neutral, expert commentary and advice on the issues
and challenges you face daily. Our social community IT Knowledge
Product Benefits and
Exchange allows you to share real world information in real time with
Tradeoffs
peers and experts.
Sealing the Deal
What makes TechTarget unique?
TechTarget is squarely focused on the enterprise IT space. Our team of
editors and network of industry experts provide the richest, most
relevant content to IT professionals and management. We leverage the
immediacy of the Web, the networking and face-to-face opportunities of
events and virtual events, and the ability to interact with peers—all to
create compelling and actionable information for enterprise IT
professionals across all industries and markets.

Related TechTarget Websites

Page 19 of 20