
How to Choose the Right Endpoint Protection Solution for Your Organization

December 14, 2010

Summary

Staying ahead of emerging security threats and preventing information loss require continuous security diligence. Here are the most important areas to consider when evaluating today’s endpoint protection solutions.
Staying ahead of emerging security threats and preventing information loss require continuous security diligence. That means deploying proactive technologies that provide protection against sophisticated attacks that can evade traditional security measures, things such as rootkits, zero-day attacks, and constantly mutating spyware.
Is your endpoint protection solution up to the job?
Continue reading to gain insight into the most important areas to consider when evaluating today’s endpoint protection solutions.

Can the solution withstand today’s sophisticated attacks?

Over the past 10 years we’ve moved from mass-mailer worms written by “script kiddies” to gain notoriety to malware developed by criminal gangs to steal credit card information and peddle phony antivirus products.
Now we’re entering a new stage—that of cyber-espionage and cyber-sabotage.
Case in point: Stuxnet, an unprecedented malicious computer worm that appears to target Iran’s nuclear plants and can be modified to wreak havoc on industrial control systems around the world. Stuxnet was so skillfully designed that computer security specialists are almost certain it was created by a government and is a prime example of a new kind of clandestine digital warfare.
Ongoing analysis of Stuxnet by Symantec Security Response has revealed a total of four zero-day vulnerabilities being used by the threat. A threat using one zero-day vulnerability by itself is quite an event; a threat using four zero-day vulnerabilities is extraordinary.
Speaking recently before the Senate Homeland Security and Governmental Affairs Committee, Dean Turner, director of the Global Intelligence Network at Symantec, said the “real world implications of Stuxnet are beyond any threat we have seen in the past.” ¹
While the full extent of the fallout from Stuxnet remains to be determined, one thing is certain: more attacks of this kind are certain to follow. And that’s why innovative new security technology from Symantec that harnesses the “wisdom of crowds” will play an important role in defending against these kinds of threats.
Traditional protection requires security vendors to capture and analyze specific strains of malware before they can protect against them. In 2009 alone, Symantec discovered 240 million unique threat samples. These were discovered on an average of fewer than 20 computers each, and many were seen on just a single computer worldwide. This shift has made it nearly impossible to discover, analyze, and protect against every threat and places a significant burden on traditional approaches to malware detection.
Ubiquity from Symantec takes a fundamentally different approach. Ubiquity, which is a set of technologies that Symantec will deploy throughout its security product line, takes malware creators’ greatest strength—their ability to generate millions of unique threats—and turns it against them.
While attackers can easily mutate a malware file’s contents to make it invisible to traditional signatures, they have far less control over these crowd-based demographics. Based on advanced data mining techniques, Ubiquity can’t be fooled by mutating code or changing encryption, so threats are detected as they’re created.
Ubiquity is the only technology in the industry to use this approach.

Does the solution automatically enforce policies?

Here’s something else about Stuxnet that’s noteworthy: The original infection was most likely introduced by a removable drive—specifically, a USB stick. That’s why it’s important that your endpoint protection solution be able to auto-block programs loaded from such devices. And that underscores the need for powerful policy-based protection.
Administrators must be able to control what software enters their users’ environments based on easy-to-understand and easy-to-manage file policies that factor in file safety ratings, prevalence data, and discovery dates.
Bottom line: You need to be able to set and enforce security policies across the enterprise to protect your critical assets.

Does the solution have sufficient control features?

A robust endpoint protection solution should include proactive technologies that automatically analyze application behaviors and network communications to detect and block suspicious activities, as well as administrative control features that allow you to deny specific device and application activities deemed to be high risk for your organization. You should also be able to block specific actions based on the location of the user.
Application control allows administrators to control access to specific processes, files, and folders by users and other applications. It provides application analysis, process control, file and registry access control, and module and DLL control. It enables administrators to restrict certain activities deemed as suspicious or high risk.
Device control, meanwhile, determines which peripherals can be connected to a machine and how the peripherals are used. It locks down endpoints to prevent connections from thumb drives, CD burners, printers, and other USB devices. It prevents sensitive and confidential data from being extracted or stolen from endpoints (data leakage), and it prevents endpoints from being infected by viruses spread from peripheral devices.

Remember: All detection is not alike

More than ever before, there is a pressing need for new detection standards for today’s endpoint protection solutions. That’s because current standards are focused on the detection of already-known threats. But today’s threats, as we’ve seen, are a breed apart. They’re launched by websites and they execute immediately, so timeliness of detection is critical.
TruScan Proactive Threat Scan is a unique Symantec technology that scores both good and bad behaviors of unknown applications (i.e., zero-day threats), enhancing detection and reducing false positives without the need to create rule-based configurations.

The vital importance of real world testing

What applies to detection applies to testing as well. You need to be confident that your endpoint protection solution has been subjected to rigorous real world testing. Such testing is time- and resource-intensive. So look for independent software testing organizations that conduct a variety of tests.
For example, AV-Comparatives.org, in addition to its primary comparative tests of anti-virus programs, conducts false alarm tests, performance tests, removal tests, and “potentially unwanted application” tests. For its part, Dennis Technology Labs conducts anti-malware testing that exposes security products to a wide range of real world threats.
Bottom line: Base your decision on the results of plenty of dynamic, real world testing.

How to really test for performance

A bloated endpoint protection solution can have a serious impact on business productivity. Clearly, that makes performance a key issue. But how do you measure performance? The short answer: Look at numerous attributes that affect the user experience.
For example, in its latest roundup of the performance of enterprise security solutions, testing expert PassMark Software looked at 14 metrics of performance. Some observers have called it the most comprehensive set of tests ever for endpoint security performance.
As reported on the Symantec Endpoint Security Blog: “PassMark’s tests are designed to reflect real world use cases and pain points enterprise and small business users commonly experience with endpoint security software. The tests include both intrinsic (e.g., scan, UI launch, installed footprint, install time, registry key count) and extrinsic (e.g., impact on file-copy, browsing, encoding/trans-coding media files) performance metrics and measure the impact on users’ normal use on a PC.”
PassMark ranked Symantec Endpoint Protection first in overall performance. Test results showed it delivered the fastest Web browsing, executed scheduled scans in half the time of Kaspersky Lab, and consumed nearly 50% less idle processor usage than Trend Micro and McAfee.

Is the solution ‘future-proof’?

As you know, there are many new ways to improve productivity in the workplace using consumer technologies. These include everything from smart phones to Facebook to instant messaging. The bad news? Each of these new technologies adds multiple security risks.
Symantec’s approach is to “future-proof” its enterprise solutions. The idea is to help organizations embrace the “consumerization of IT” while enforcing governance, securing corporate data, and gaining visibility and control of all mobile platforms. Recently, Symantec added support for iPhone, iPad, and Android. That’s in addition to existing support for Windows Mobile, Symbian, and BlackBerry.
It’s an approach that enables employees to use their device of choice without putting corporate data at risk. And it’s an approach that encourages you to think beyond your current setup.

Conclusion

Today, thanks to threats such as Stuxnet, your endpoint protection solution must be able to protect against sophisticated, never-before-seen attacks that can evade traditional security measures. And regardless of whether those attacks come from a malicious insider or an outsider, you have to be confident that all of your endpoints will be protected. Symantec, a recently designated “Champion” for Endpoint Protection by Info-Tech Research Group in a comparative survey, can help boost that confidence by providing the most comprehensive, centrally managed endpoint security solution for businesses today.
¹ “Stuxnet Virus Could Target Many Industries,” New York Times, November 17, 2010
