In a recent ESG research project, 315 security professionals working at enterprise organizations (i.e., more than 1,000 employees) were asked to identify their organizations’ endpoint security monitoring weaknesses. Thirty percent said they were unsure about “applications installed on each device,” 19% had difficulty monitoring “downloads/execution of suspicious code,” 12% struggled when tracking “suspicious/malicious network activity,” and 11% had a hard time tracking “current patch levels.”
Why is it so difficult to monitor endpoint activities? An old saying comes to mind: “Water, water, everywhere but not a drop to drink.” There are records about endpoints all over the place – asset databases, CMDBs, network monitoring tools, vulnerability scanners, patch management tools, etc. – but when security analysts need up-to-the-minute information for critical remediation activities, they have to scramble around through a myriad of management systems to retrieve it.
In a recent Market Landscape Report, ESG defined a new network security category called Endpoint Visibility, Access, and Security (EVAS). EVAS is actually a superset and evolution of Network Access Control (NAC) with greater functionality and intelligence.
The “V” in EVAS is one of the reasons why the EVAS market is on the rise. EVAS doesn’t replace any of the management tools cited above. What it does, however, is provide a security-centric view of endpoints. EVAS knows which mobile and PC endpoints are on the network at all times. EVAS knows the state of these assets (i.e., configurations, patches, ownership, applications, etc.). EVAS even knows about other types of assets like SCADA systems, health care devices, printers, etc. When security and IT operations want to know how many Windows XP systems are still running IE8, EVAS can provide the answer quickly. Otherwise the answer is out there somewhere, but only after a whole lot of digging.
Bradford Networks, Forescout, Great Bay Software, and Promisec provide these EVAS capabilities. McAfee customers betting on multiple tools and ePO can probably gather this data quickly as well.
Okay, so EVAS can help CISOs track what’s out there on the network for risk management, but how do you know if an asset has actually been compromised? This information isn’t nearly as accessible, since security analysts have always relied on network monitoring tools for incident detection. Given the threat landscape, however, many security-conscious organizations are supplementing network monitoring with endpoint analytics. Note that this is also another driver for big data security analytics.
Why endpoint analytics? Regardless of the type of malware, it has to alter the endpoint’s configuration to succeed. For example, malware often modifies registry keys, opens TCP ports, or creates a new directory in the file system. You can’t see many of these activities from the network alone, but you can if you collect that configuration state from the endpoint and analyze it with algorithms built to detect system anomalies.
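To make the idea concrete, here is an added example (my own illustration, not code from ESG or from any of the vendors named in this post) of the two kinds of analysis an endpoint analytics tool runs over exactly the configuration state described above. The first compares a host against its own earlier snapshot and flags new autorun registry values, new listening TCP ports, and new directories under user-writable roots. The second is a fleet-level prevalence check: an autorun command that appears on only one host out of many is suspicious even when no prior snapshot of that host exists. The snapshot schema, the approved-port list, the watched directory roots, the severity weights, and the sample telemetry are all constructed assumptions for this example.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class EndpointSnapshot:
    """Configuration state collected from one endpoint (hypothetical agent schema)."""
    host: str
    autoruns: dict[str, str] = field(default_factory=dict)  # autorun value name -> command line
    listening_ports: set[int] = field(default_factory=set)   # TCP ports in LISTEN state
    directories: set[str] = field(default_factory=set)       # directories under watched roots


@dataclass(frozen=True)
class Finding:
    host: str
    category: str
    detail: str


# Assumptions for this example: ports a workstation build is approved to expose,
# directory roots where dropped files usually land (user-writable locations),
# and a crude severity weight per finding category for triage ordering.
APPROVED_PORTS = {135, 139, 445, 3389}
USER_WRITABLE_ROOTS = ("C:\\Users\\", "C:\\ProgramData\\", "C:\\Windows\\Temp\\")
WEIGHTS = {
    "new_autorun": 3, "changed_autorun": 3, "rare_autorun": 3,
    "unapproved_listener": 4, "new_listener": 1, "new_user_writable_dir": 2,
}


def diff_snapshots(baseline: EndpointSnapshot, current: EndpointSnapshot) -> list[Finding]:
    """Host-level check: report configuration changes since the host's own baseline."""
    findings: list[Finding] = []
    for name, cmd in current.autoruns.items():
        if name not in baseline.autoruns:
            findings.append(Finding(current.host, "new_autorun", f"{name} -> {cmd}"))
        elif baseline.autoruns[name] != cmd:
            findings.append(Finding(current.host, "changed_autorun",
                                    f"{name}: {baseline.autoruns[name]} -> {cmd}"))
    for port in sorted(current.listening_ports - baseline.listening_ports):
        category = "new_listener" if port in APPROVED_PORTS else "unapproved_listener"
        findings.append(Finding(current.host, category, f"tcp/{port}"))
    for path in sorted(current.directories - baseline.directories):
        if path.startswith(USER_WRITABLE_ROOTS):
            findings.append(Finding(current.host, "new_user_writable_dir", path))
    return findings


def rare_autoruns(snapshots: list[EndpointSnapshot], max_hosts: int = 1) -> list[Finding]:
    """Fleet-level check: an autorun command present on at most max_hosts hosts is an outlier."""
    prevalence: Counter[str] = Counter()
    for snap in snapshots:
        for cmd in set(snap.autoruns.values()):   # count each command once per host
            prevalence[cmd] += 1
    findings: list[Finding] = []
    for snap in snapshots:
        for name, cmd in snap.autoruns.items():
            if prevalence[cmd] <= max_hosts:
                findings.append(Finding(snap.host, "rare_autorun",
                                        f"{name} -> {cmd} (seen on {prevalence[cmd]} host(s))"))
    return findings


def score_hosts(findings: list[Finding]) -> dict[str, int]:
    """Sum category weights per host so analysts can triage the noisiest endpoints first."""
    scores: Counter[str] = Counter()
    for f in findings:
        scores[f.host] += WEIGHTS[f.category]
    return dict(scores)


# Constructed sample telemetry (not real data): one workstation before and after a change,
# plus three fleet peers that only carry the common OneDrive autorun.
ONEDRIVE = "C:\\Program Files\\OneDrive\\OneDrive.exe"
BASELINE = EndpointSnapshot(
    host="ws-042",
    autoruns={"OneDrive": ONEDRIVE},
    listening_ports={135, 139, 445},
    directories={"C:\\Users\\alice\\AppData\\Roaming\\Microsoft"},
)
CURRENT = EndpointSnapshot(
    host="ws-042",
    autoruns={"OneDrive": ONEDRIVE, "Updater": "C:\\Users\\alice\\AppData\\Roaming\\upd\\svc.exe"},
    listening_ports={135, 139, 445, 3389, 5555},
    directories={"C:\\Users\\alice\\AppData\\Roaming\\Microsoft",
                 "C:\\Users\\alice\\AppData\\Roaming\\upd"},
)
FLEET = [CURRENT] + [EndpointSnapshot(host=f"ws-{n:03d}", autoruns={"OneDrive": ONEDRIVE})
                     for n in range(1, 4)]

if __name__ == "__main__":
    all_findings = diff_snapshots(BASELINE, CURRENT) + rare_autoruns(FLEET)
    for f in all_findings:
        print(f"{f.host:8} {f.category:22} {f.detail}")
    print("triage scores:", score_hosts(all_findings))
```

On the sample data the host-level diff reports the new "Updater" autorun, the approved RDP listener on tcp/3389 at low weight, the unapproved listener on tcp/5555, and the new directory under the user's profile; the fleet check independently flags the same autorun because its command line exists on a single host out of four. None of these four changes is visible from a network tap, which is the point of the paragraph above.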
This category is often referred to as endpoint forensics, but I prefer endpoint security analytics as it is a bit less geeky. Vendors in this space include Guidance Software, Mandiant, RSA Security, and Triumfant. Many of the new endpoint anti-malware solutions such as Bromium, Invincea, and Sourcefire also collect this type of data.
I’m convinced that EVAS and endpoint security analytics tools or services will go from “nice-to-have” to “gotta-have” over the next few years. Smart CISOs will plan accordingly.