Home > Audit, Compliance, InfoSec, Software > Security on endpoints – like laptops and blackberrys – delivers more value than intrusion prevention systems

Security on endpoints – like laptops and blackberrys – delivers more value than intrusion prevention systems

For the best part of ten years, my colleagues and I in the
industry analyst biz have been declaring the obsolescence of the monolithic
security perimeter. Securing the perimeter
is not enough – everyone knows that now – but it still baffles me that Clientless
Endpoint Security Management, or CESM, took so long to emerge as the obvious
centerpiece to a comprehensive security architecture.

Security directors and business unit managers complain to me
all the time that even after tremendous security expenditures over the years,
data still leaks out easily and security remains as incomplete and inconvenient
as ever. I think what these folks are
feeling is that security systems should not be intrusive, should not weigh down
PCs and laptops with memory hogging software, and should not inconvenience the
end user. At the same time, security
systems should protect against loss and maintain it self – acting as a watchdog
making sure all systems are running properly and securing effectively.

After all, data loss and interruptions to business
continuity are two areas that have proven to be most costly for
organizations. So, which technology will
best address the pain and while still being cost effective and future proof? I think CESM is the answer in most

CESM is straightforward because its clientless nature
immediately translates into increased productivity for the whole organization not
to mention its security and management features. Clientless means that administrators no
longer waste time chasing problems from endpoint to endpoint and no longer have
to take users off their machines to affect any remediation. All remediation is done from the CESM
management console minimizing PC downtime. Looking further at CESM technology shows a broad range of deep endpoint
inspection criteria and preemptive actions which may terminate a threat’s
activity before it becomes a major security breach. That’s the point – to give a heads up to
administrators of a potential threat so that they can close the hole before it
is exploited.

Compare CESM to intrusion prevention systems for a
moment. IPS technology is designed to
identify network based attacks, focusing on network anomalies such as malformed
packets or known network attack signatures. Even behavioral based IPS that learn
normal traffic patterns may confuse hostile traffic as legitimate and vice
versa resulting in a number of false positives. A hostile application could
wreak havoc galore on your computer while using legitimate network traffic to
collect information and spread.

You Don’t Always Get What You Pay For

IPS solutions need to have sensors deployed all over the
network, the more sensors deployed the more effective the solution. Each sensor adds to the cost of the IPS
solution so the more secure a network needs to be the more expensive the
solution becomes. These sensors are necessary for the IPS solution to see all
of the traffic needed to provide an effective answer to the problem. In
addition to this cost is the cost of the hardware needed for the IPS solution
which normally runs on very high end equipment to ensure performance. CESM on
the other hand has a single installation from where it is able to inspect and
identify the complete range of hostile threats that an IPS solution would not
see even with the maximum number of sensors deployed on the network. Examples of this are stealth applications
that may be hidden on an endpoint transmitting information at such low levels
over ordinary protocols that IPS will not identify as an anomaly. Another example is the use of unauthorized
storage devices or other peripherals attached to an endpoint which enables the
easy transfer of classified data. CESM
also acts as a platform for existing security clients such as anti-virus,
personal firewalls and even intrusion detection and prevention clients which
may be disabled intentionally or through human error. If a client is disabled for any reason the
CESM scan will identify the fault and attempt to repair it and bring the client
back to normal operation.

Cure the Cause, Not the Symptom

Furthermore, intrusion prevention systems are designed to
prevent network traffic – that means they are very good at stopping traffic but
they cannot go into the endpoint and eliminate processes and start-up commands,
uninstall applications or block hardware devices from being connected. The
remediation offered by IPS will not fix holes in the internal network

CESM’s clientless remediation is totally independent and
does not rely on any external product to effect its remediation capabilities.
The internal network is full of potential hazards that are caused by a myriad
of factors: users unaware of the impact of their actions; malicious users
intent on damaging the network; human error in configuring network devices; and
technical faults that go undetected. All
of these factors can open potential threats that grow into full security
breaches if they go unchecked. IPS is
not built to identify or repair these types of problems.

The Efficient and Effective Choice

Clientless endpoint security management is the
counterbalance to the perimeter firewall that we’ve been waiting for. Why we had to wait so long is a mystery to
me, but I’m not complaining. I just
happy to have a solution to recommend to my clients that gives them more
visibility and more control over the entire internal network – a solution that
exposes threats completely invisible to intrusion detection or prevention
systems. More to the point, CESM allows my
clients to ensure that their host-based security systems (personal firewalls,
intrusion detection, intrusion prevention, antivirus, etc.) are in fact
installed correctly and up to date. CESM
is one of the most cost effective security solutions on the market today.  Ready to run almost out of the box, CESM products
provide results with its very first inspection of the network and gives
administrators full control of their network endpoints and servers at their
fingertips. The new security perimeter
encompasses every PC, laptop, iPod, phone, and memory stick passing through or
near your network. CESM is the most
efficient way to manage it.

  1. Roland Dobbins
    July 18, 2007 at 11:20 pm

    Yes, all the normal host OS and application BCPs can be applied. But you can’t trust endpoints to self-report.
    The way to deal with this is to use a NetFlow-based anomaly-detection system like Arbor, Lancope, Mazu, Narus, or Q1 – they can detect botted/compromised hosts based upon network activity, often before the compromised host launches an outbound DDoS, starts sending spam, uploads a bunch of confidential data, or what-have-you.

  2. Dael
    July 19, 2007 at 10:21 am

    Thanks for very useful post. I’ve got a question. What are good examples of CESM mentioned above? I use Agnitum Outpost Security Suite on my laptop, it includes firewall, antivirus, anti-spyware, anti-banner, anti-spam, and it works fine! Is this an example of CESM. Or CESM is only corporate technology such as Symantec Endpoint Security?

  3. July 19, 2007 at 7:29 pm

    Symantec Endpoint Security is a heavy, client-based solution with a network-based scanning tool (the old BindView product). I expect Symantec to improve their CESM story. In the meantime Promisec would best define the category.
    And I disagree with the first commenter, Roland. I don’t think that monitoring traffic is the most efficient way to catch malicious activity. For example, those products would never catch me copying files to my iPod or phone.

  4. July 19, 2007 at 8:22 pm

    Once again – working for a tiny company – I run into issues with “overkill”. Stuff that large companies can buy for many machines are either too large or too expensive for us to use.
    One thing I’ve been trying to figure out (and perhaps just haven’t done enough good googling). Is information about protecting Blackberries. I’ve currently got a Treo – there are somethings I like, some I dislike, but I need that calendar!
    Anyhow, on my Treo I have Warden (software I purchased on my own) that will lock my Treo after a specified time of my choosing. If I lose it, I can send a text message to lock it OR lock it and wipe it.
    The Palm software is old and they don’t look to be upgrading it soon – I wouldn’t mind going with a Blackberry when I next get a phone, but I’d want to know I could do something similar. These are the kinds of things that are very difficult to find out – even reading the Blackberry sites. I’m assuming this is because most of their business is corporate and there are corporate solutions I may not have access to as a small user.
    But with smart phones I think they’ve become the weakest link – taking over the laptop slot – because it’s so easy to lose them and they carry so much information.

  5. Rob
    July 22, 2007 at 8:14 am

    This is just more network-centric security. I remember an editorial at Dark Reading a few months ago which said that it should all be about data-centric security and not about endpoint device security. Whoever wrote that was right.
    Does anyone care to explain how CESM does anything of value at the data file level?

  6. July 24, 2007 at 4:36 am

    You could ask the same question about a hundred other security expenditures, Rob. What do firewalls do at the data file level? Or intrusion detection? or single sign on?
    The point about CESM is that it is a cost effective (read, inexpensive) way to discover if your other security measures are doing their jobs, and identifying holes in your presumably complete security architecture.

  7. July 24, 2007 at 4:38 am

    Just to clarify my comment about Symantec, above. I said it was “heavy.” I meant heavy releative to CESM which does not even need a client to do its basic discovery. In fairness to Symantec, their newest version of Symantec Endpoint Security, known as Hamlet, sports a much reduced software footprint and higher performance than previous Symantec clients. It is getting better all the time.

  8. January 9, 2008 at 2:43 pm

    Companies invest hundreds of thousands or millions of dollars every year in IT security but somehow still find themselves open to security breaches or data leaks from within their own networks. Whether the cause is a rogue user or a technical fault or simply a failed installation, wide open back doors still appear to exist inside many networks. Agentless, rapid scan technologies make it extremely easy for companies to quickly inspect their endpoints and servers for any errors or alien components that may have found their way inside the corporate network. Because they are completely agentless there is no need to waste time installing software on every machine and results start coming in within minutes. I have not come across many solutions, agentless or otherwise that can comprehensively inspect users’ machines so quickly without impacting performance of the machines being inspected or the network bandwidth but there are some out there.
    CESM (clientless endpoint security management) technology by Promisec, is one example that is a complement for companies wishing to maximize their investment in security and to ensure its correct operation. The additional benefit it offers is that it will allow you to build a baseline so that you can identify any anomalies to that baseline and remove them if necessary with its remote right-click remediation. For a quick and easy way to manage your networked endpoints and servers try agentless offerings, they are fast and don’t chew up all your bandwidth, you certainly won’t be disappointed.

  9. August 8, 2013 at 11:15 pm

    Wonderful article! This is the type of info that
    are supposed to be shared across the internet. Shame on
    the seek engines for not positioning this publish higher! Come on over and
    visit my web site . Thanks =)

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: