Anti-malware - What's new for enterprise endpoint protection?


We had been using the likes of Symantec and McAfee for several years to protect our enterprise endpoints (workstations, laptops etc.), which largely comprise Microsoft products.

With office locations spread across countries, served out of multiple data centres, and 10K users, is there something new in the cloud or on the horizon that we should consider for ease of manageability and more holistic dashboard reporting? Also, there is imminent proliferation of BYOD and other mobility aspects.

This query is more from a technology trends perspective rather than a technical one.


Peter Wilson (IT) commented:

Microsoft System Center 2012 Endpoint Protection provides an antimalware and security solution for the Microsoft platform, with central deployment, reporting and management. It manages/integrates with Windows Firewall so you can add those settings into the Policy as well. It has email alerting for trouble found.

We also have used ESET ERAC - it does centralize deploy/reporting/mgmt too.
Rich Rumble (Security Samurai) commented:
BYOD: I reference others' opinions and articles in there.
The basics still are not being done; people keep throwing technology at problems that are not always technological. The cloud is nothing new, it's hosting on a usage and/or hourly basis. There is nothing new in the cloud, it is hosting pure and simple. There may be new services in the cloud that weren't as easy as before, but I've yet to see anything new.
The cloud becomes a single point of failure if you use its services exclusively; doing your own hosting is still viable and should still be done in 99% of the cases if you ask me.
Again, basics and old tenets of security still apply now, more than ever:
Principle of Least Privilege
Egress Filtering
Role Based access (You do not need a NGFW or UTM for this, it adds complexity in my exp)
AAA (Authentication, Authorization, Accounting)
KISS (Keep it simple stupid)
There are so many ways to apply the above for each person/organization, but those are the rules to live by. You can drown in information if you are not careful, and while you are panicking and looking all over for one thing, something is floating right behind you when you aren't looking.
We don't actually use AV on our M$ machines, and we don't run the best of the best 3rd party software; there is plenty already at your disposal that goes unused or unnoticed that people need to start looking into again. Our users are not admins; they have limited access based on their subnet and of course their user name. Our dedicated machines are restricted to their dedicated tasks (port 53 for DNS servers, ports 25, 110, 995, 587 for email servers, port 445 for file/print shares, port 3389 to most machines from administration subnets). If you set up your network correctly, and administer your users' rights accordingly and with prejudice, you don't need a lot of newfangled bleeding-edge stuff.
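The role-based port restriction described in the comment above can be expressed as a small allowlist and checked against observed flows. The following is an added example, not code from the thread or from any product; the roles, ports, subnets and flow records are constructed to mirror the comment (DNS on 53, mail on 25/110/995/587, file/print on 445, RDP on 3389 only from an administration subnet), and anything the policy does not explicitly allow is denied.

```python
"""Role-based port allowlist checked over constructed flow records.

Added example. Roles, ports and the admin subnet below are assumptions made
to illustrate the comment, not a real organisation's policy.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: ports each server role may accept from any source.
ROLE_PORTS = {
    "dns": {53},
    "mail": {25, 110, 995, 587},
    "fileprint": {445},
    "workstation": set(),   # workstations accept nothing by default
}

# Constructed: administration subnets may reach RDP on any host.
ADMIN_SUBNETS = [ipaddress.ip_network("10.10.0.0/24")]
ADMIN_PORTS = {3389}


@dataclass(frozen=True)
class Flow:
    src: str        # source IP address
    dst_role: str   # role of the destination host
    dst_port: int   # destination TCP/UDP port


def is_admin_source(src: str) -> bool:
    """True if the source address lies in an administration subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ADMIN_SUBNETS)


def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one flow; unknown roles fall through to deny."""
    if flow.dst_port in ROLE_PORTS.get(flow.dst_role, set()):
        return "allow"
    if flow.dst_port in ADMIN_PORTS and is_admin_source(flow.src):
        return "allow"
    return "deny"


def audit(flows):
    """Return the flows the policy denies; these are the ones worth alerting on."""
    return [f for f in flows if evaluate(f) == "deny"]


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.20.5.7", "dns", 53),            # user subnet -> DNS: allowed
    Flow("10.20.5.7", "mail", 587),          # user subnet -> submission: allowed
    Flow("10.10.0.15", "fileprint", 3389),   # admin subnet -> RDP: allowed
    Flow("10.20.5.7", "fileprint", 3389),    # user subnet -> RDP: denied
    Flow("10.20.5.7", "dns", 445),           # SMB to a DNS server: denied
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print("DENY", f)
```

Running it lists the two flows that do not fit any role (a user-subnet RDP attempt and SMB to a DNS server); the same function can be fed exported firewall or NetFlow records to find where the real ruleset is looser than the intended one.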
Schuyler Dorsey commented:
The latest anti-malware trends are as follows:

1. Next generation firewalls. NGFWs allow you to control traffic based on identified applications as opposed to just IP and port. E.g. you can allow outbound UDP port 123 traffic and the NGFW will scan that traffic and ensure it is NTP traffic as opposed to malware phoning home. (Palo Alto's AVR report over the past year revealed that 99% of malware phones home on UDP ports and the firewall IDs it as "unknown-udp".) With this information, plus NGFWs having web filtering, AV scanning and IPS, you greatly reduce the chance of malware entering your perimeter.

2. Advanced Malware Protection or AMP. There are several AMP devices available to address the signature based approach of traditional AV. AMP devices sit at your perimeter and monitor files going in and out. For exe's, scr, PDFs, Office files, Java files.. it will run those files in a Windows VM to monitor their behavior. If it determines the file to be malicious, it adds the SHA1 hash of the file to its db and will block all subsequent attempts for that file to come through the firewall. In addition, the cloud is updated with found malicious files, so if any AMP device of your brand finds a malicious file in the wild, the cloud is updated and then your device is updated with the SHA1 hash of that bad file within 30 minutes. (30 minutes vs. the standard 1-2 weeks for an AV vendor to release a signature).

3. Advanced Endpoint Protection. There are two big players in this arena, Cyvera and Bromium. Bromium installs a mini hypervisor on end user machines. When they open Office docs or browse the internet, each process is shoved into its own micro VM. So if a user browses to a bad website and an exploit is delivered.. only that micro VM is exploited.. and the malware has zero access to the underlying OS. Once the browser tab is closed, the VM is zeroed out and the infection is thus remediated.

Cyvera (recently purchased by Palo Alto Networks) is like Microsoft EMET on steroids. So instead of taking an IPS approach where there is a signature for EVERY exploit, it instead targets the methods of exploits. About 99% of malware and exploits use the same methods of exploitation.. and new methods are only added about 2-4 times a year. (So this endpoint protection only has to have 2-4 signature updates a year vs traditional H-IPS.)
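Point 1 above hinges on a firewall deciding whether a datagram on UDP/123 is actually NTP or just something using the port. The following is an added example, not code from the thread or from any vendor's product; it applies a few RFC 5905 header sanity checks (version, mode, stratum, minimum length) to a payload and labels it either "ntp" or "unknown-udp", which is the distinction the comment describes. The sample datagrams are constructed.

```python
"""Application identification for datagrams seen on UDP/123.

Added example. A real NGFW does far more (state tracking, response
correlation, full parsing); this shows the minimal header checks that
separate plausible NTP from arbitrary bytes sent to port 123.
"""

NTP_HEADER_LEN = 48           # fixed header; extension fields / a MAC may follow
VALID_VERSIONS = range(1, 5)  # NTP v1-v4
VALID_MODES = range(1, 8)     # 0 is reserved; 3 = client, 4 = server, 6/7 = control/private
MAX_STRATUM = 16              # 17-255 are reserved


def parse_ntp_header(payload: bytes) -> dict:
    """Decode the first two header bytes: leap indicator, version, mode, stratum."""
    first = payload[0]
    return {
        "li": first >> 6,
        "vn": (first >> 3) & 0x07,
        "mode": first & 0x07,
        "stratum": payload[1],
    }


def classify_udp123(payload: bytes) -> str:
    """Return 'ntp' if the datagram passes the header checks, else 'unknown-udp'."""
    if len(payload) < NTP_HEADER_LEN:
        return "unknown-udp"
    hdr = parse_ntp_header(payload)
    if hdr["vn"] not in VALID_VERSIONS or hdr["mode"] not in VALID_MODES:
        return "unknown-udp"
    # In the time-sync modes (1-5) the stratum byte must be in the defined range;
    # control/private packets (modes 6/7) use a different layout, so skip that check.
    if hdr["mode"] <= 5 and hdr["stratum"] > MAX_STRATUM:
        return "unknown-udp"
    return "ntp"


def audit_datagrams(datagrams):
    """Return [(label, verdict)] for a list of (label, payload) pairs."""
    return [(label, classify_udp123(payload)) for label, payload in datagrams]


# Constructed sample datagrams, all addressed to UDP/123.
SAMPLE_DATAGRAMS = [
    # 0x23 = LI 0, VN 4, mode 3 (client request), then 47 zero bytes: valid
    ("ntp-v4-client", bytes([0x23]) + bytes(47)),
    # 0x1b = LI 0, VN 3, mode 3, as sent by older clients: valid
    ("ntp-v3-client", bytes([0x1b]) + bytes(47)),
    # right length, but VN 0 and mode 0: not an NTP header
    ("zero-filled-48", bytes(48)),
    # client mode with an impossible stratum of 200
    ("bad-stratum", bytes([0x23, 0xC8]) + bytes(46)),
    # short text payload that merely happens to use port 123
    ("short-text", b"not-ntp-at-all"),
]

if __name__ == "__main__":
    for label, verdict in audit_datagrams(SAMPLE_DATAGRAMS):
        print(f"{label:16} -> {verdict}")
```

Only the two well-formed client requests come back as "ntp"; the zero-filled block, the bad-stratum packet and the short text payload are all labelled "unknown-udp", which is the label the comment says most phone-home traffic ends up with. On a real network the "unknown-udp" verdict is the one to log and investigate rather than silently permit on the strength of the port number.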

Peter Wilson (IT) commented:
I forgot to mention that ESET ERAC has mobile apps which are also run and managed through the central console, so all mobile devices are protected and managed.

For BYOD, MDM really sucks; it's way behind the times, but out of all of them AirWatch seems to be the best. It has the ability to wipe corporate data exclusively, leaving the personal data on the device.
Thomas Zucker-Scharff (Solution Guide) commented:
For mobile you might want to look into MAM (Mobile Application Management) instead of MDM. There are many MAM solutions out there.
btan (Exec Consultant) commented:
Microsoft's recent release of EMET (latest being 5.0) serves as a good baseline and improvement of defence. You may want to take a look, as it touches isolated heap, enhanced export table protection, etc.

The endpoint baseline should minimally not be lacking the HIPS that include device and application control. Those of SEP and McAfee have that but can be lacking the DPI aspect to tie to a list of identities and isolation of running apps. Hence it is good to check on application containers from Bromium vSentry and Faronics Deep Freeze and Anti-Executable.

Also, virtual apps on demand regardless of platform, and going off thick clients, is another mover, with virtual apps from the likes of Microsoft vApps, Citrix XenApp and VMware ThinApp.

Breach detection is another domain to go into with regard to such advanced persistent threat occurrences globally. It tends to be driven better from prevention at the organisation's critical network segment entry and exit points, from the likes of FireEye, Blue Coat, and more from NSS Labs checks... but importantly it is the endpoint agent with forensic means doing live job acquisition, such as memory grabbing and even indicator of compromise checks for signature files etc., for real compromise and breach checks, to ascertain overall damages and streamline incident response in the event of a breach detected in critical servers... APT spreads vertically and laterally once penetration succeeds into the targeted organisation.

The cyber kill chain is one area to guide whether, at the earliest, the controls are capable of detecting it. And let's not forget about data loss prevention, especially through fast adoption of BYOD and managed Cloud services with SaaS and IaaS as common trends. Federated identity based on OpenID Connect or SAML will be a consideration for the endpoint to tie in identity as part of the intelligence DPI where applicable, for attribute based and adaptive access control.

Still good to check Gartner endpoint security and look out for the new players offering capabilities:

These products and features are typically centrally managed and ideally integrated by shared policies. Not all products in this analysis provide the same collection of features. In this analysis, we focused primarily on anti-malware effectiveness and performance, management capability, protection for non-Windows platforms (such as VMware, Macintosh, Linux, Microsoft Exchange and Microsoft SharePoint), MDM capability, application control, and vulnerability assessment. See the Completeness of Vision section below for more information.

DLP, MDM and vulnerability assessment are also evaluated in their own Magic Quadrant or MarketScope analyses (see the Gartner Recommended Reading section). In the longer term, portions of these markets will be subsumed by the EPP market, just as the personal firewall, host intrusion prevention, device control and anti-spyware markets have been subsumed by the EPP market in the past. EPP suites are a logical place for the convergence of these functions.

Peter Wilson (IT) commented:
@Thomas Zucker-Scharff Do you have experience with MAM? If so, which one do you prefer?
Thomas Zucker-Scharff (Solution Guide) commented:
Not a lot of experience, but I like MAAS best as a vendor. Are there specific apps you are looking at? In terms of mail for Android, TouchDown by NitroDesk is by far the best (especially if you are using Exchange). There are a plethora of texting apps out there that are HIPAA compliant - so therefore what you are looking for. Don't forget that defeating MAM can be very easy if the environment is not locked down.
Peter Wilson (IT) commented:
I just looked into MAM (Apperian and some others)... they only offer a minute component of what AirWatch provides in their MDM, which is App Locker - the ability to deploy apps in a quasi app store - not a complete solution by any means.

MAAS360 sucks too... what can you do that EAS natively can't already... look at info... great! AirWatch sucks too, but the only reason I think they are marginally better is because you can remote view and remote control Android devices. Pushing configurations comes with the territory and should be expected.

TouchDown is so 2006... blaaa. Why? If you are using AirWatch or the like you have built-in security contexting, so you can wipe corp data and leave personal.

I'm fed up with mobile solutions - the dev community has a lot to overcome IMO.

To date the only known security enforcement that I know of that can be deployed and managed centrally is ESET using ERAC/ERAS for mobile devices. And even then I don't believe they can work with iPhone, since Apple has been so ridiculously restrictive for developers.

All we need to do is figure out how to irradiate all iPhone/iPad devices and MDM will actually start to look appealing! Since there is no vision for the company any longer and market share has significantly dropped it's not too far off. LOL
Rich Rumble (Security Samurai) commented:
MobileIron is the leader if you ask me, but there are others that work well too. If you use Blackberries, their MDM software was the best. Apple is promising better things for enterprises in the future, but again reference my BYOD article above... I don't see many cases where vital company data needs to be on your mobile phone. Marketing data, sales forms and such, sure, but why let anyone have any more than that on a form factor so impractical?
btan (Exec Consultant) commented:
If you check this, smartphones are totally open, as there can be undocumented interfaces leaking info, or data at rest can easily be accessed if physical access exists, and worse if the phone is jailbroken or rooted. This recent HOPE X sharing opens up iPhone "secrets". Nonetheless, MDM is still a must and at best go supervised mode, but it can become unfriendly; MAM is also a need-to-have for app isolation layered on top of the OS's existing segregation.

Just some stats, though there may be newer ones,

For MAM I know there is Good Tech as well, and under the evaluated product list for Aust Govt DSD it got EAL4+ @