According to recent CSI/FBI Computer Crime and Security Surveys, endpoint security is one of the “most critical computer security issues” that organizations face today. Yet many organizations continue to be complacent about the threats posed by misappropriated data and stolen devices. This article looks at some common endpoint security misperceptions as well as the results of recent endpoint security product comparison tests.
It’s a story that has become practically commonplace: An employee laptop containing personal information goes missing, and a company finds itself scrambling to recover. In June, for example, thieves made off with a laptop containing the employee names, social security numbers, and salary and bonus information of an undisclosed number of management-level workers at AT&T. In March, a government laptop housing the medical information of 2,500 patients enrolled in a National Institutes of Health study was stolen, potentially exposing personal data.
The impact of such events can’t be overstated. Consequences include financial loss from brand erosion, lost productivity, lost time, and non-compliance with regulatory requirements. On top of that, companies are often unprepared for what can happen next after sensitive data is lost.
Recently, Symantec’s CIO Digest magazine compiled a list of the “seven deadly sins” of endpoint security. They’re bound to be of interest to security planners everywhere.
- Sin #1: Assuming all endpoints are computers. There are also USB devices, removable storage, and MP3 players that connect to endpoints, each becoming the next endpoint in the chain.
- Sin #2: Assuming you know the location of all endpoints. There could be an unauthorized, employee-owned mobile device, or a rogue Wi-Fi access point, connecting from a remote office. Systems must be in place that prohibit them from connecting to the network unless they meet endpoint policy requirements.
- Sin #3: Securing only the endpoint itself. Because an endpoint can become a tool for hackers and information thieves, the network must be protected against potential misuse of endpoints. That’s why multiple layers of security are required.
- Sin #4: Setting endpoint policies without using technology to enforce them. Employee reprimands and penalties aren’t enough. Technologies that make it impossible for an employee to use an endpoint in an unsecured manner are essential.
- Sin #5: Lax physical and technical security. It’s important to have a response plan for lost or stolen laptops or other handheld devices in case a thief or hacker should get past two-factor authentication. For example, some organizations require their employees by company policy to notify IT immediately if their portable device is lost or stolen. That way, IT can wipe the device’s data remotely via wireless, making it inaccessible.
- Sin #6: Missing policies around adding and retiring endpoints. Always set policies to secure endpoints before they are activated. As for retiring endpoints, whenever a piece of equipment is to be decommissioned, remove the computer name so that it can no longer log on to the network, and wipe any corporate data from the machine.
- Sin #7: Weak management support. Without upper management’s support, IT can’t effectively enforce security policies. To gain that support, point out all the ways malware can get in and what is needed to block attacks and patch holes.
The bottom line: Security planners today must embrace a broader range of endpoint security solutions or else accept more risk. The need to do so was brought home recently with the release of the latest Symantec Internet Security Threat Report, covering the second half of 2007. According to the report, theft or loss of a computer or other data-storage medium was the leading cause of data breaches that could lead to identity theft during the second half of 2007, accounting for 57% of the total.
Late last year, Symantec commissioned West Coast Labs, in Irvine, Calif., to perform a series of tests of Symantec Endpoint Protection 11.0 against competing security products. The tests were designed to focus on both performance impact and effectiveness when compared with the industry average against hard-to-counter threats – in this case, rootkits and rogue antispyware programs. The competitive products providing the industry average were: McAfee Total Protection ePolicy Orchestrator 4.0, Microsoft Forefront Client Security, Trend Micro OfficeScan 8.0, Kaspersky Anti Virus 6.0, SOPHOS Endpoint Security, and CA ITM r8.1.
- Detection rates: The focus of testing included detection and removal of rootkits and rogue antispyware programs (i.e., programs that purport to be genuine removal toolsets but either do nothing or infect the machine on which they are installed). West Coast Labs found that Symantec Endpoint Protection 11.0 “detected more rootkits than the industry average,” while its detection of rogue antispyware programs “far outstrips the industry average.”
- Overall performance: According to West Coast Labs, Symantec Endpoint Protection 11.0 “performed extremely well” against the industry average in the time taken to perform a default installation of Microsoft Office 2000, and the time taken to copy 10,000 files (totaling 1 gigabyte of data) from DVD to a local disk.
- Memory usage: West Coast Labs measured average memory use for an installation of Microsoft Office, a copy of 10,000 files totaling 1 gigabyte of data, a full scan of the hard drives, and a custom scan that included specific target directories, boot sector scans, and comparable disinfection methods. Symantec Endpoint Protection 11.0 “used less memory than the industry average in each scenario,” according to West Coast Labs.
- Network impact: Many vendors have built additional security functionality, such as firewall and network inspection capabilities, into their endpoint security solutions. These technologies can potentially have a negative impact on network performance. To assess the network lag, each product was tested on an isolated network using a 1 gigabit switch, with the same large amount of data being downloaded and uploaded over both ftp and http. Symantec Endpoint Protection 11.0 downloads and uploads over ftp and http “were faster than the industry average.” In addition, West Coast Labs measured the amount of time taken to get updates from the Internet to an appropriate server and deployed to the endpoint clients. Here Symantec Endpoint Protection 11.0’s patching time was over four times faster than the industry average (67 vs. 276.86 seconds).
Staying ahead of emerging security threats and preventing information loss calls for continuous security diligence. That means deploying proactive technologies that automatically analyze application behaviors and network communications to detect and actively block attacks.
Symantec Endpoint Protection integrates antivirus, antispyware, desktop firewall, intrusion prevention, device and application control, and optional network access control capabilities. It also lets IT security managers monitor and protect all endpoints from a single management console. Symantec Endpoint Protection recognizes that, with a widening group of users tapping into corporate resources, the need to secure endpoints and ensure compliance with security policies can no longer be separated.