Can We Trust Endpoint Security?

 

Endpoint security is an approach to network protection that requires each computing device on a corporate network to comply with certain standards before network access is granted. Endpoints can include PCs, laptops, smart phones, tablets and specialized equipment such as bar code readers or point of sale (POS) terminals.

Endpoint security systems work on a client/server model in which a centrally managed server or gateway hosts the security program and an accompanying client program is installed on each network device. When a client attempts to log onto the network, the server program validates user credentials and scans the device to make sure that it complies with defined corporate security policies before allowing access to the network.

When it comes to endpoint protection, information security professionals believe that their existing security solutions are unable to prevent all endpoint infections, and that anti-virus solutions are ineffective against advanced targeted attacks. Overall, end-users are their biggest security concern.

“The reality today is that existing endpoint protection, such as anti-virus, is ineffective because it is based on an old-fashioned model of detecting and fixing attacks after they occur,” said Rahul Kashyap, chief security architect at Bromium, in a statement. “Sophisticated malware can easily evade detection to compromise endpoints, enabling cybercriminals to launch additional attacks that penetrate deeper into sensitive systems. Security professionals should explore a new paradigm of isolation-based protection to prevent these attacks.”

Saltzer and Schroeder’s design principles ( http://nob.cs.ucdavis.edu/classes/ecs153-2000-04/design.html ) provide us with an opportunity to reflect on the protection mechanisms that we employ (as well as some principles that we may have forgotten about). Using these to examine AV’s effectiveness as a protection mechanism leads us to conclude that AV, as a protection mechanism, is a non-starter.

That does not mean that AV is completely useless — on the contrary, its utility as a warning or detection mechanism that primary protection mechanisms have failed is valuable — assuming of course that there is a mature security incident response plan and process in place (i.e. with proper post incident review (PIR), root cause analysis (RCA) and continual improvement process (CIP) mechanisms).

Unfortunately, many organisations employ AV as a primary endpoint defense against malware. But that is not all: their expectation of the technology is not only to protect, but to perform remediation as well. They “outsource” the PIR, RCA and CIP to the AV vendor. The folly of their approach is painfully visible as they float rudderless from one malware outbreak to the next.

There are many alternatives for endpoint security: AppLocker, LUA, SEHOP, ASLR and DEP are all freely provided by Microsoft. So is removing users’ administrative rights (why did we ever give them those rights in the first place?).

Other whitelisting technologies worthy of consideration are NAC (with remediation) and other endpoint compliance checking tools, as well as endpoint firewalls in default deny mode.
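
The controls named above can be checked on the endpoint itself. The PowerShell audit below is an added example, not code from the original post: it is read-only, the pass/fail thresholds (required DEP mode, which accounts may stay in Administrators) are assumed policy choices, and it expects an elevated PowerShell 5.1 session on Windows 10 1709 or later, where `Get-ProcessMitigation` is available.

```powershell
# Added example: read-only audit of the controls named in the post.
# Assumes Windows 10 1709+ / Server 2019+, PowerShell 5.1, elevated session.
function Test-EndpointPosture {
    $r = [ordered]@{}

    # LUA (UAC): EnableLUA = 1 keeps admin approval mode on.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $r['LUA (UAC) enabled'] = ($uac.EnableLUA -eq 1)

    # DEP policy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut.
    # Assumed policy: require AlwaysOn or OptOut.
    $dep = (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $r['DEP AlwaysOn or OptOut'] = ($dep -in 1, 3)

    # System-wide ASLR and SEHOP: NOTSET means the OS default, so fail only on OFF.
    $mit = Get-ProcessMitigation -System
    $r['ASLR (bottom-up) not turned off'] = ("$($mit.Aslr.BottomUp)" -ne 'OFF')
    $r['SEHOP not turned off'] = ("$($mit.SEHOP.Enable)" -ne 'OFF')

    # AppLocker: a rule collection that has rules and is not AuditOnly is enforced,
    # but only while the Application Identity service (AppIDSvc) is running.
    $xml = [xml](Get-AppLockerPolicy -Effective -Xml)
    $enforced = @($xml.AppLockerPolicy.RuleCollection |
        Where-Object { $_.HasChildNodes -and $_.EnforcementMode -ne 'AuditOnly' })
    $r['AppLocker enforcing'] = ($enforced.Count -gt 0 -and
        (Get-Service AppIDSvc).Status -eq 'Running')

    # Local Administrators (SID S-1-5-32-544). Assumed policy: only the built-in
    # Administrator (RID 500) and Domain Admins (RID 512) belong here.
    $extra = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.SID.Value -notmatch '-(500|512)$' })
    $r['No extra local admins'] = ($extra.Count -eq 0)

    # Host firewall: every profile on, inbound default action Block (default deny).
    $open = @(Get-NetFirewallProfile -PolicyStore ActiveStore |
        Where-Object { "$($_.Enabled)" -ne 'True' -or "$($_.DefaultInboundAction)" -ne 'Block' })
    $r['Firewall default-deny inbound'] = ($open.Count -eq 0)

    # One row per control so the result can be logged or fed to a NAC decision.
    $r.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Control = $_.Key; Compliant = $_.Value }
    }
}

Test-EndpointPosture | Format-Table -AutoSize
```

A `False` row identifies a control that is missing or only in audit mode on that machine; the script changes nothing, so remediation remains a separate, deliberate step.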

 

 

 
