Ed Tittel: What to look for in endpoint management tools
Many endpoint management tools share common features, but there are more advanced functions IT can employ, too.
Though the individual features and functions that are available from various endpoint protection and management tools vary somewhat from one vendor to another, a basic subset of features is critical.
Antimalware protection: All endpoint protection and management products include at least signature-based antivirus detection, antiphishing capabilities and URL screening or blocking — sometimes called content filtering.
Policy-based endpoint management: This covers a range of possible applications for security policies based on role, device or user account, and may apply to device capabilities — such as enabling and disabling ports — data protection, access controls, security state assessment, network gatekeeping and quarantine, application controls and more.
Threat intelligence: All vendors in the endpoint protection game offer some form of threat intelligence, either from third-party providers, or a combination of third-party feeds with input from their own substantial user populations. Those user populations can be as large as half a billion users; McAfee, Kaspersky and Symantec all collect data from 400 million users or more.
Mobile device management: Endpoints include mobile devices such as smartphones and non-Windows tablets. Google’s Android and Apple’s iOS are the leading mobile operating systems in use. Modern endpoint protection systems embrace mobile devices running these OSes, as well as other less popular ones — such as Windows Mobile, BlackBerry and Symbian.
Virtual machine (VM) support: Modern endpoint protection tools invariably include per-VM capabilities in addition to host OSes.
File protection and encryption: For data in motion, encryption is more common than not in endpoint protection offerings. But an increasing number of endpoint protection tools offer file and storage device, or drive-level, encryption as well.
Patch, configuration and vulnerability management: Threats and vulnerabilities go hand in hand, so most endpoint protection tools also include various means for remediating vulnerabilities, including patch or update management. An increasing number of vendors also offer security configuration management, which relies on regular snapshots of baseline configurations to establish known, secure configurations that you can use to scrutinize configuration changes for evidence of possible attack or compromise. Vulnerability management helps organizations prioritize vulnerabilities via risk assessment.
Asset management: This is also known as device and software inventory and management. Endpoint protection and management tools must detect devices as they appear on organizational networks and catalog their security state and contents. This not only supports patch, configuration and vulnerability management, but it also provides fodder for software policy assessment and enforcement, and it helps acquire and maintain information about software licenses that are available or in active use.
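The baseline-snapshot approach described under configuration management above, shown as an added example (not code from any of the products mentioned): a snapshot records the hash, size and permission bits of each configuration file, a later snapshot is diffed against it, and the drift is ranked so that the changes most likely to indicate compromise (a file becoming group- or world-writable, a new file that was not in the baseline) surface first. The file names, contents and modes in the sample are constructed; snapshot_directory() shows how the same record would be taken from a real directory.

```python
"""Baseline-and-compare check for security configuration drift.

Added example, not code from any vendor's product. Sample files below are
constructed; snapshot_directory() builds the same record from disk.
"""
import hashlib
import stat
from pathlib import Path


def snapshot_directory(root):
    """Walk `root` and record SHA-256, size and permission bits of every regular file."""
    root = Path(root)
    snapshot = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        snapshot[str(path.relative_to(root))] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
            "mode": stat.S_IMODE(path.stat().st_mode),
        }
    return snapshot


def snapshot_from_contents(files, modes=None):
    """Build the same record shape from in-memory contents (for offline demos and tests)."""
    modes = modes or {}
    return {
        name: {
            "sha256": hashlib.sha256(content).hexdigest(),
            "size": len(content),
            "mode": modes.get(name, 0o644),
        }
        for name, content in files.items()
    }


def diff_snapshots(baseline, current):
    """Return added, removed and modified entries between a baseline and a later snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for name in sorted(set(baseline) & set(current)):
        before, after = baseline[name], current[name]
        changed = [k for k in ("sha256", "size", "mode") if before[k] != after[k]]
        if changed:
            modified[name] = {"fields": changed, "before": before, "after": after}
    return {"added": added, "removed": removed, "modified": modified}


def flag_findings(diff):
    """Rank drift: permission loosening first, then content changes and unexpected files."""
    findings = []
    for name, change in diff["modified"].items():
        mode_after = change["after"]["mode"]
        if "mode" in change["fields"] and mode_after & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("high", name, "became group/world-writable"))
        elif "sha256" in change["fields"]:
            findings.append(("medium", name, "content changed"))
        else:
            findings.append(("low", name, "metadata changed"))
    for name in diff["added"]:
        findings.append(("medium", name, "new file not in baseline"))
    for name in diff["removed"]:
        findings.append(("medium", name, "file missing from baseline"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


# Constructed sample: a "known good" baseline and a later snapshot with drift.
BASELINE_FILES = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/sudoers": b"root ALL=(ALL) ALL\n",
    "etc/hosts.allow": b"sshd: 10.0.0.0/8\n",
}
CURRENT_FILES = {
    "etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "etc/sudoers": b"root ALL=(ALL) ALL\n",
    "etc/cron.d/update": b"* * * * * root /tmp/run.sh\n",
}
CURRENT_MODES = {"etc/sudoers": 0o646}  # sudoers has become world-writable


def demo():
    """Diff the constructed baseline against the constructed current state."""
    baseline = snapshot_from_contents(BASELINE_FILES)
    current = snapshot_from_contents(CURRENT_FILES, CURRENT_MODES)
    return flag_findings(diff_snapshots(baseline, current))


if __name__ == "__main__":
    for severity, name, why in demo():
        print(f"{severity:6} {name}: {why}")
```

In practice the baseline would be taken right after a host is built and hardened, stored off the endpoint so a compromised host cannot rewrite it, and the comparison scheduled to run regularly; the ranking here is deliberately simple so the rules are easy to audit and extend.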
There are numerous features now showing up in endpoint protection and management systems that are a little closer to the bleeding edge of technology; they’re not as widely supported in leading tools. At least some of these will become more widespread over the next two to three years, and are thus candidates to migrate into the core functionality list:
Advanced security policies: In addition to policy controls, more tools are including geofencing and location-aware policies, especially as they relate to data access both inside and outside corporate firewalls.
Endpoint detection and response: EDR is a complex collection of capabilities that usually incorporates patch, configuration and vulnerability management with workflow and tracking to detect, identify, prioritize and remediate security incidents or events in need of response. Automation plays a key role in EDR because zero-day threats often require immediate reaction, something best achieved through programmatic execution of proper remediation tools and techniques.
Suspect file analysis: When you can correlate access to malware, malicious payloads or information with unwanted security configuration changes, those items demand inspection, analysis and sometimes remediation. Such automated acquisition and handling is becoming increasingly common, especially in tools with EDR components or capabilities.
Sandboxing: Some endpoint protection systems include automated runtime isolation techniques for unknown or suspect files and executables to prevent attack or compromise.
Security context/reputation management: Through a variety of techniques, also often related to EDR, endpoint protection systems can establish security state profiles to put potential threats or configuration changes into a larger security context. This helps guide risk assessment and response prioritization.
Advanced system rollback/clean-up: Some systems track damaged or infected files and can replace them with clean versions from a security file repository. Other systems take regular endpoint snapshots and can use them selectively (file-by-file) or completely (rollback) to repair damaged or compromised systems. Microsoft, for example, does this in System Center from a “trusted cloud” file repository. LANDESK offers a reimaging capability to correct malware infections.
Hypervisor-neutral scanning: With increasing use of virtualization, endpoint protection and management must support various stacks, containers and hypervisors.
Inventory attestation service: An elaboration on software inventory/asset management, this service provides information about the provenance and reputation for all executed files, suspect or otherwise.
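The geofencing and location-aware policies listed under advanced security policies above, as an added example that is not code from any product on this page: each policy names the roles and data classes it covers, an optional set of geofences (centre point plus radius, checked with the haversine distance) and whether the request must arrive from inside the corporate network. Requests are denied unless some policy grants them, so a user with a valid role who connects from outside the fence, or from outside the network when the data class requires it, is refused with a reason that can be logged. The office coordinates, role names and data classes are constructed.

```python
"""Location-aware access policy evaluation.

Added example, not a vendor's policy engine. Fences, roles and data classes
below are constructed sample values.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_km: float

    def contains(self, lat, lon):
        return haversine_km(self.lat, self.lon, lat, lon) <= self.radius_km


@dataclass(frozen=True)
class Policy:
    name: str
    roles: frozenset
    data_classes: frozenset
    fences: tuple = ()                  # empty tuple means "anywhere"
    require_corporate_network: bool = False


@dataclass(frozen=True)
class Request:
    role: str
    data_class: str
    lat: float
    lon: float
    on_corporate_network: bool


def evaluate(policies, req):
    """Default-deny: return ("allow", policy name) or ("deny", reason)."""
    reasons = []
    for p in policies:
        if req.role not in p.roles or req.data_class not in p.data_classes:
            continue
        if p.require_corporate_network and not req.on_corporate_network:
            reasons.append(f"{p.name}: corporate network required")
            continue
        if p.fences and not any(f.contains(req.lat, req.lon) for f in p.fences):
            reasons.append(f"{p.name}: device outside allowed geofences")
            continue
        return ("allow", p.name)
    if not reasons:
        reasons.append("no policy grants this role access to this data class")
    return ("deny", "; ".join(reasons))


# Constructed sample fences and policies.
HQ = Geofence("hq-london", 51.5074, -0.1278, 5.0)
NORTH = Geofence("office-manchester", 53.4808, -2.2426, 5.0)
POLICIES = (
    Policy("hq-confidential", frozenset({"finance", "hr"}), frozenset({"confidential"}),
           fences=(HQ,), require_corporate_network=True),
    Policy("field-internal", frozenset({"sales"}), frozenset({"internal"}), fences=(HQ, NORTH)),
    Policy("anyone-public", frozenset({"staff", "finance", "hr", "sales"}), frozenset({"public"})),
)


def demo():
    """Evaluate a few constructed requests against the sample policies."""
    requests = {
        "finance at HQ on LAN": Request("finance", "confidential", 51.51, -0.12, True),
        "finance in Paris over VPN": Request("finance", "confidential", 48.8566, 2.3522, True),
        "sales in Manchester": Request("sales", "internal", 53.48, -2.24, False),
        "staff wants confidential": Request("staff", "confidential", 51.51, -0.12, True),
    }
    return {label: evaluate(POLICIES, r) for label, r in requests.items()}


if __name__ == "__main__":
    for label, (decision, detail) in demo().items():
        print(f"{decision:5} {label}: {detail}")
```

The deny reasons are meant for the audit log rather than the user prompt; the reported device location itself should be treated as a claim from the endpoint, so a real deployment would pair this check with device posture and network evidence rather than relying on coordinates alone.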
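The risk-assessment and response-prioritization idea that runs through the vulnerability-management item above and the security context/reputation item here, shown as an added example rather than any product's algorithm: a finding (a vulnerability or a suspicious configuration change) starts from a base severity on a 0 to 10 scale, and the asset's security context then scales it, so the same finding on an internet-facing, business-critical host with a known exploit in circulation lands in a higher response bucket than on an isolated test machine. Hostnames, finding titles, weights and thresholds are all constructed placeholders.

```python
"""Context-aware risk scoring to order a response queue.

Added example, not a product's algorithm. Hosts, findings, weights and
thresholds are constructed; tune them to the organization's own risk model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetContext:
    hostname: str
    criticality: int          # 1 = low, 2 = normal, 3 = business-critical
    internet_facing: bool
    patch_lag_days: int       # days since the last successful patch cycle


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    base_severity: float      # 0.0 .. 10.0, CVSS-style base score
    exploit_known: bool = False
    touches_auth_or_privilege: bool = False


CRITICALITY_WEIGHT = {1: 0.8, 2: 1.0, 3: 1.3}


def risk_score(finding, ctx):
    """Scale the base severity by the asset's context; capped at 10."""
    score = finding.base_severity * CRITICALITY_WEIGHT[ctx.criticality]
    if ctx.internet_facing:
        score *= 1.25            # reachable by anyone, not just insiders
    if finding.exploit_known:
        score *= 1.4             # exploitation is no longer hypothetical
    if finding.touches_auth_or_privilege:
        score += 1.0             # auth/privilege controls guard everything else
    if ctx.patch_lag_days > 30:
        score += 0.5             # the host is already behind on remediation
    return round(min(score, 10.0), 2)


def priority_bucket(score):
    """Map a score to a response bucket a ticketing workflow can act on."""
    if score >= 9.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    if score >= 4.0:
        return "P3"
    return "P4"


def prioritize(findings, contexts):
    """Return (bucket, score, asset, title) tuples, most urgent first."""
    queue = []
    for f in findings:
        score = risk_score(f, contexts[f.asset])
        queue.append((priority_bucket(score), score, f.asset, f.title))
    return sorted(queue, key=lambda item: (-item[1], item[2]))


# Constructed sample inventory and findings (placeholder names, not real CVEs).
CONTEXTS = {
    "web01": AssetContext("web01", 3, True, 45),
    "hr-db01": AssetContext("hr-db01", 3, False, 10),
    "kiosk07": AssetContext("kiosk07", 1, False, 90),
    "lab-test03": AssetContext("lab-test03", 1, False, 5),
}
FINDINGS = [
    Finding("kiosk07", "missing browser update (placeholder)", 5.0),
    Finding("web01", "outdated TLS library (placeholder)", 7.5, exploit_known=True),
    Finding("hr-db01", "sshd PermitRootLogin changed to yes", 6.0, touches_auth_or_privilege=True),
    Finding("lab-test03", "version banner disclosure (placeholder)", 2.0),
]


def demo():
    """Order the constructed findings into a response queue."""
    return prioritize(FINDINGS, CONTEXTS)


if __name__ == "__main__":
    for bucket, score, asset, title in demo():
        print(f"{bucket} {score:5.2f} {asset:12} {title}")
```

The configuration change on hr-db01 scores below the exploitable library on web01 but above both low-value hosts, which is the effect the security-context idea is after: the same raw severity is read differently depending on what the asset is and how exposed it is. The weights are the part a security team should argue about and revisit, not the mechanism.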
These added wrinkles and capabilities are just the tip of an iceberg that reflects the evolving threat landscape, as well as the need for improved automation and extension of endpoint security monitoring, management and response. This is an area that promises to keep extending and elaborating to keep up with evolving threats, ongoing vulnerabilities and the relentless development of new technologies.