Rethinking Current Endpoint Security Strategies Part 2: Prevention, Detection, and Response
Posted on 14-Jan-2017
Chris Sherman | Forrester Research, Senior Analyst
Grant McDonald | Intel Security, Senior Product Manager

Rethinking Current Endpoint Security Strategies Part 2: Prevention, Detection and Response
Chris Sherman, Analyst
September 2016
Advanced attacks are often multi-faceted:
1. Use social engineering or web/email attack to gain access to user endpoint
2. Use compromised endpoint to attack other machines behind the firewall.
3. Compromise the domain controller.
4. Masquerade as a privileged user to access source code management servers.
5. Exfiltrate core IP.
[Diagram: the attack path above, steps 1 to 5, passing through the domain controller]
Friction?
› “Create friction for the attacker. Slow them down and make their job more difficult.”
› What about all the friction we create for ourselves?
› Most orgs don’t have the resources to automate their InfoSec processes.
What can you do?
› Invest in software development staff
› Prioritize vendors that integrate and automate between the endpoint and network layers
› Pay attention to vendors who see the need and are developing solutions.
Single-vendor ecosystems offer security benefits and reduced TCO
› Integrated policy engines
› Intelligence sharing
› Built-in orchestration
› Less impact to endpoint performance for end users
› Consistent user experience/interface for admin
› Packaging and suite discounts
© 2015 Forrester Research, Inc. Reproduction Prohibited 14
Base: 2163 business and technology decision-makers
Source: Forrester Research Business Technographics Security Survey, 2015
Orgs would seem to prefer best-of-breed point products over suite offerings…
[Chart: "How important were the following criteria in selecting security solutions?" (share answering "very important" [4,5]). Criteria shown, with values ranging from 62% to 77%: vendor/provider ecosystem; part of a suite or single-vendor portfolio; certification to other security standards; regulatory compliance capabilities; integration across a single vendor's product portfolio; price; expected business outcome from implementation; vendor's brand; simplest manageability; speed or ease of implementation; integration with existing infrastructure; vendor/provider expertise; product/technology fit.]
…although when looking specifically at endpoint security, only 38% and 43% of SMBs and Enterprises, respectively, prefer best-of-breed point products over suites.
Prevention is shifting
› Traditional approaches to prevention will continue
› If you can prevent an action, why not?
› Prevention with threat intelligence
• Command and Control indicators should be used to prevent communications
Prevention begins and ends with attack surface reduction
Benefits to prevention-focused technologies
› Often doesn’t require prior knowledge of the threat
› Offers superior 0-day malware and exploit protection
› Allows the attack surface to be restricted to a manageable level
› Ideally creates a cycle where detection informs prevention, augmenting the effectiveness of both
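The two prevention points above, using command-and-control indicators to block communications and letting detection inform prevention, as an added example that is not part of the webcast or of any product it names. It assumes a connection log with timestamp, host, process and destination fields, a plain list of C2 indicators as the intelligence feed, and a simple beaconing heuristic (near-constant connection intervals) as the detection; the feed entries, hostnames and destinations are constructed using reserved example names and addresses.

```python
"""Threat-intelligence-driven prevention with a detection feedback loop.

Added example, not from the webcast. The C2 indicator feed, the connection
records and the beaconing thresholds are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import pstdev
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Connection:
    ts: float        # seconds since an arbitrary epoch (constructed values)
    host: str        # endpoint that opened the connection
    process: str     # image name of the connecting process
    dest: str        # destination domain or IP address


@dataclass
class PreventionPolicy:
    """Egress blocklist populated from threat-intelligence C2 indicators."""
    indicators: Set[str] = field(default_factory=set)

    def load_feed(self, feed: Iterable[str]) -> None:
        # Normalise case and whitespace so feed formatting cannot cause misses.
        self.indicators.update(i.strip().lower() for i in feed if i.strip())

    def allows(self, dest: str) -> bool:
        d = dest.lower()
        # Block an exact indicator match or any subdomain of an indicator domain.
        return not any(d == i or d.endswith("." + i) for i in self.indicators)


def enforce(policy: PreventionPolicy, conns: Iterable[Connection]
            ) -> Tuple[List[Connection], List[Connection]]:
    """Prevention step: split connections into (allowed, blocked) by policy."""
    allowed: List[Connection] = []
    blocked: List[Connection] = []
    for c in conns:
        (allowed if policy.allows(c.dest) else blocked).append(c)
    return allowed, blocked


def find_beacons(conns: Iterable[Connection], min_count: int = 4,
                 max_jitter: float = 0.15) -> Dict[str, float]:
    """Detection step: destinations contacted at a near-constant interval.

    Returns {dest: mean_interval_seconds} for any host/process/destination
    triple with at least min_count connections whose interval jitter
    (standard deviation divided by mean) is at or below max_jitter.
    """
    stamps_by_key = defaultdict(list)
    for c in conns:
        stamps_by_key[(c.host, c.process, c.dest)].append(c.ts)
    beacons: Dict[str, float] = {}
    for (_host, _proc, dest), stamps in stamps_by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            beacons[dest] = mean
    return beacons


def run_cycle(policy: PreventionPolicy, conns: Iterable[Connection]) -> dict:
    """One pass of the prevent -> detect -> prevent loop described on the slide."""
    conns = list(conns)
    allowed, blocked = enforce(policy, conns)
    beacons = find_beacons(allowed)
    # Detection informs prevention: beacon destinations become new indicators,
    # so the next pass blocks them before any connection is established.
    policy.load_feed(beacons)
    return {"blocked": sorted({c.dest for c in blocked}), "beacons": beacons}


# Constructed sample data (RFC 2606 / RFC 5737 reserved names and addresses).
C2_FEED = ["evil-c2.example", " 203.0.113.7 "]
SAMPLE_CONNECTIONS = [
    Connection(5.0, "ws-01", "outlook.exe", "mail.example.net"),
    Connection(12.0, "ws-01", "outlook.exe", "mail.example.net"),
    Connection(200.0, "ws-01", "outlook.exe", "mail.example.net"),
    Connection(30.0, "ws-02", "update.exe", "cdn.evil-c2.example"),
] + [Connection(60.0 * i, "ws-03", "svchost.exe", "beacon.example.org")
     for i in range(5)]


if __name__ == "__main__":
    policy = PreventionPolicy()
    policy.load_feed(C2_FEED)
    print("pass 1:", run_cycle(policy, SAMPLE_CONNECTIONS))
    print("pass 2:", run_cycle(policy, SAMPLE_CONNECTIONS))
```

On the first pass only the feed indicator is blocked and the 60-second beacon to `beacon.example.org` is merely detected; on the second pass that destination is already in the policy and is blocked outright, which is the cycle the slide describes. A real deployment would push the promoted indicator to the network layer as well, which is the endpoint/network integration the deck argues for.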
© 2016 Forrester Research, Inc. Reproduction Prohibited 19
The five primary endpoint threat prevention capabilities
Anti-malware
Application control
Patch management
Execution isolation
Application exploit prevention
Detection
› Detection is the only option when dealing with higher tier adversaries
› No single control is your breach detection system
› Your aggregate controls and your people are your breach detection system
Response
› Once you have identified malicious activity, how do you respond?
› Is your remediation a reimage?
› Time to containment and remediation will never improve without automated response
Five capabilities to look for in an EVC solution
› Real-time visibility into all running processes
› Automated response/integration with prevention tools
› Advanced pattern recognition (e.g., machine learning, baselining)
› Inspection over user and process behavior
› Integration with SIEM/Security Analytics tools
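The "advanced pattern recognition (baselining)" and "inspection over user and process behavior" capabilities, as an added example that is not from the webcast or from any product named on it: a fleet-wide baseline of parent-to-child process spawns, with live spawns outside that baseline flagged. The event schema, hostnames, user names and the `min_hosts` threshold are assumptions; the events are constructed.

```python
"""Process-behaviour baselining for endpoint detection.

Added example, not from the webcast. The process events, host names and the
min_hosts threshold are constructed; the event fields are an assumption, not
any EDR product's schema.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str     # endpoint that reported the spawn
    user: str     # account the child process runs as
    parent: str   # image name of the parent process
    child: str    # image name of the spawned child process


class ProcessBaseline:
    """Learns which parent -> child spawns are normal across the fleet."""

    def __init__(self, min_hosts: int = 2) -> None:
        self.min_hosts = min_hosts
        # (parent, child) -> distinct hosts where that spawn was observed
        self._pair_hosts: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
        self._parent_total: Counter = Counter()

    def learn(self, events: Iterable[ProcEvent]) -> None:
        """Build the baseline from a window of events believed to be clean."""
        for e in events:
            self._pair_hosts[(e.parent, e.child)].add(e.host)
            self._parent_total[e.parent] += 1

    def is_known(self, parent: str, child: str) -> bool:
        # A spawn is baseline behaviour only when enough distinct hosts show it,
        # so a single already-compromised machine cannot teach the baseline its
        # own activity.
        return len(self._pair_hosts.get((parent, child), set())) >= self.min_hosts

    def score(self, events: Iterable[ProcEvent]) -> List[dict]:
        """Return one alert per spawn that falls outside the baseline."""
        alerts = []
        for e in events:
            if self.is_known(e.parent, e.child):
                continue
            alerts.append({
                "host": e.host,
                "user": e.user,
                "spawn": f"{e.parent} -> {e.child}",
                # How often the parent appeared at all: a common parent that
                # never spawned this child is more notable than a rare parent.
                "parent_seen": self._parent_total[e.parent],
            })
        return alerts


# Constructed baseline window: ordinary desktop activity on three hosts.
BASELINE_EVENTS = [
    ProcEvent("ws-01", "alice", "explorer.exe", "winword.exe"),
    ProcEvent("ws-02", "bob", "explorer.exe", "winword.exe"),
    ProcEvent("ws-03", "carol", "explorer.exe", "winword.exe"),
    ProcEvent("ws-01", "alice", "winword.exe", "splwow64.exe"),
    ProcEvent("ws-02", "bob", "winword.exe", "splwow64.exe"),
    ProcEvent("ws-01", "SYSTEM", "services.exe", "svchost.exe"),
    ProcEvent("ws-02", "SYSTEM", "services.exe", "svchost.exe"),
    ProcEvent("ws-03", "SYSTEM", "services.exe", "svchost.exe"),
    ProcEvent("ws-01", "alice", "explorer.exe", "notepad.exe"),  # one host only
]

# Constructed live events to score against the baseline.
LIVE_EVENTS = [
    ProcEvent("ws-04", "dave", "explorer.exe", "winword.exe"),     # known
    ProcEvent("ws-04", "dave", "winword.exe", "splwow64.exe"),     # known
    ProcEvent("ws-04", "dave", "winword.exe", "powershell.exe"),   # outlier
    ProcEvent("ws-04", "dave", "explorer.exe", "notepad.exe"),     # below min_hosts
]


def demo() -> List[dict]:
    baseline = ProcessBaseline(min_hosts=2)
    baseline.learn(BASELINE_EVENTS)
    return baseline.score(LIVE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The `min_hosts` threshold is the design choice worth noting: a spawn seen on only one machine during the learning window is still treated as unknown, which trades some extra alerts for a baseline that a single compromised host cannot poison. In practice the alerts would be forwarded to the SIEM named in the last bullet rather than printed.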
Endpoint Security Requires A Balanced Approach
Prevention
• Addresses attack surface
• Limits time spent on detection/response
• Doesn’t require frequent updates
Detection
• Endpoint visibility and integration
• Catches what gets through
• Threat intelligence required
Control / Remediation
• Automated/assisted remediation reduces friction
• Ensures policy compliance
• Operationalizes threat intelligence
Recommendations
› Reduce your attack surface through a balance of prevention, detection, and remediation proficiency.
› Choose prevention technologies based on your risk appetite and impact to user experience.
› Look to expand your detection capabilities beyond malicious process identification and IOC identification
› Integrate endpoint security with network security for reduced operational friction.
The Threat Defense Lifecycle: a continuous defensive cycle
Detect - Advanced monitoring identifies anomalous, outlier behavior to perceive low-threshold attacks that would otherwise go unnoticed
Protect - Comprehensive prevention stops the most pervasive attack vectors while also disrupting never-before-seen techniques and payloads
Adapt - Apply insights immediately throughout a collaborative infrastructure
Correct - Facilitated triage and response provides prioritization and fluid investigation
Intelligent Endpoint Threat Defense
Evolve security by integrating protect, detect and correct
Outsmart Attackers: Integrated Threat Defense
Discover and Respond Faster: Immediate Visibility
Drive Efficiency: Increase Capacity, Reduce Complexity
Outsmart Attackers
With Integrated Counter Measures
Unified intelligence from global, organizational, and third-party sources
Collaborative protect, detect and correct defenses act as a single adaptive system
Comprehensive coverage against the most pervasive threats
Discover and Respond Faster
Through Immediate Visibility and Correlated Actions
Deep, continuous visibility and proactive hunting
Prioritize incidents, score risks, and investigate in real time
Interactive response and automated correction
Drive Efficiency
Increase Capacity and Reduce Complexity
Act with precision and speed by executing across the entire organization
Streamline workflows and central visibility, management and automation
Easily evolve security through shared intelligence and an adaptive architecture
Intelligent Endpoint Threat Defense
Endpoint Detection and Response (EDR): McAfee Active Response (MAR)
Threat Intelligence: McAfee Threat Intelligence Exchange (TIE)
Web Protection: McAfee Web Gateway (via McAfee Client Proxy Agent)
Advanced Malware Detection: McAfee Advanced Threat Defense (ATD)
Management Platform: McAfee ePolicy Orchestrator (ePO)
Endpoint Protection: McAfee Endpoint Security 10
• Available with Dynamic Application Containment*
*Available with CEE suite
Resources
Go to the Resources Area of this webcast console to access supporting documents.
For additional information: www.mcafee.com/endpoint
Chris Sherman, csherman@forrester.com, @ChrisShermanFR
Grant McDonald, grant.mcdonald@intel.com, @mcdonaldgrant