Anti-malware - What's new for enterprise endpoint protection?

Posted on 2014-07-19
Last Modified: 2016-03-23
Hi

We have been using the likes of Symantec and McAfee for several years to protect our enterprise endpoints (workstations, laptops, etc.), which largely consist of Microsoft products.

With office locations spread across countries, served out of multiple data centres, and 10K users, is there something new in the cloud or on the horizon that we should consider for ease of manageability and more holistic dashboard reporting? Also, there is an imminent proliferation of BYOD and other mobility aspects.

This query is more from a technology-trends perspective than a technical one.

TIA
Question by: fahim

11 Comments
Assisted Solution by: Peter Wilson (LVL 2), earned 500 total points
ID: 40207977
Hi

Microsoft System Center 2012 Endpoint Protection provides an antimalware and security solution for the Microsoft platform. Central deployment, reporting and management. It manages/integrates with Windows Firewall so you can add those settings into the Policy as well. It has email alerting for trouble found.

We have also used ESET ERAC; it does centralized deployment/reporting/management too.

Assisted Solution by: Rich Rumble (LVL 38), earned 500 total points
ID: 40208004
BYOD: http://www.experts-exchange.com/Security/Misc/A_12736-Bring-Your-Own-Device-Security-NAC-MDM.html I reference others opinions and articles in there.
The basics still are not being done; people keep throwing technology at problems that are not always technological. The cloud is nothing new; it's hosting on a usage and/or hourly basis. There is nothing new in the cloud; it is hosting, pure and simple. There may be new services in the cloud that weren't as easy as before, but I've yet to see anything new.
The cloud becomes a single point of failure if you use its services exclusively; doing your own hosting is still viable and should still be done in 99% of the cases if you ask me.
Again, the basics and old tenets of security still apply now, more than ever:
Principle of Least Privilege
Egress Filtering
Role-Based Access (you do not need an NGFW or UTM for this; it adds complexity in my experience)
AAA (Authentication, Authorization, Accounting)
KISS (Keep It Simple, Stupid)
There are so many ways to apply the above for each person/organization, but those are the rules to live by. You can drown in information if you are not careful, and while you are panicking and looking all over for one thing, something is floating right behind you when you aren't looking.
We don't actually use AV on our M$ machines, and we don't run the best of the best 3rd-party software; there is plenty already at your disposal that goes unused or unnoticed that people need to start looking into again. Our users are not admins; they have limited access based on their subnet and of course their user name. Our dedicated machines are restricted to their dedicated tasks (port 53 for DNS servers, ports 25, 110, 995 and 587 for email servers, port 445 for file/print shares, port 3389 to most machines from administration subnets). If you set up your network correctly, and administer your users' rights accordingly and with prejudice, you don't need a lot of newfangled bleeding-edge stuff.
-rich
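The allow-list approach in the comment above, written out as an added example (this is editor-supplied illustration code, not part of Rich's comment or any product): each dedicated server role accepts only its own ports, RDP on 3389 is reachable only from an administration subnet, everything else is denied by default, and egress to the internet is limited to a proxy host. The address plan, host roles and the proxy rule are assumptions made up for the example.

```python
"""Allow-list network policy: per-role ports, RDP only from admin subnets,
default deny, and proxy-only egress. All addresses and roles are hypothetical."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


def nets(*cidrs: str) -> tuple[Net, ...]:
    return tuple(ipaddress.ip_network(c) for c in cidrs)


# Hypothetical address plan (assumption, not from the original post).
INTERNAL = nets("10.0.0.0/8")
ANY = nets("0.0.0.0/0")
ADMIN_SUBNET = nets("10.0.100.0/24")
DNS_SERVERS = nets("10.0.1.10/32", "10.0.1.11/32")
MAIL_SERVERS = nets("10.0.2.25/32")
FILE_SERVERS = nets("10.0.3.0/28")
PROXY = nets("10.0.4.80/32")


@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple[Net, ...]
    dst: tuple[Net, ...]
    ports: frozenset[int]
    proto: str = "tcp"

    def matches(self, src, dst, port: int, proto: str) -> bool:
        return (proto == self.proto and port in self.ports
                and any(src in n for n in self.src)
                and any(dst in n for n in self.dst))


# Only allow rules exist; anything that matches none of them is dropped.
RULES = (
    Rule("dns-udp", INTERNAL, DNS_SERVERS, frozenset({53}), "udp"),
    Rule("dns-tcp", INTERNAL, DNS_SERVERS, frozenset({53})),
    Rule("mail", INTERNAL, MAIL_SERVERS, frozenset({25, 110, 995, 587})),
    Rule("smb", INTERNAL, FILE_SERVERS, frozenset({445})),
    # RDP to any internal host, but only from the administration subnet.
    Rule("rdp-admin", ADMIN_SUBNET, INTERNAL, frozenset({3389})),
    # Egress filtering (assumed rule): only the web proxy talks to the internet, on 80/443.
    Rule("proxy-egress", PROXY, ANY, frozenset({80, 443})),
)


def decide(src_ip: str, dst_ip: str, dst_port: int, proto: str = "tcp") -> tuple[bool, str]:
    """Return (allowed, rule_name); rule_name is 'default-deny' when nothing matches."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in RULES:
        if rule.matches(src, dst, dst_port, proto):
            return True, rule.name
    return False, "default-deny"


if __name__ == "__main__":
    sample_flows = [
        ("10.0.10.5", "10.0.3.2", 445, "tcp"),       # workstation -> file server SMB
        ("10.0.10.5", "10.0.3.2", 3389, "tcp"),      # workstation -> file server RDP
        ("10.0.100.7", "10.0.3.2", 3389, "tcp"),     # admin subnet -> file server RDP
        ("10.0.10.5", "8.8.8.8", 53, "udp"),         # workstation -> external DNS
        ("10.0.10.5", "198.51.100.5", 6667, "tcp"),  # workstation -> internet IRC
        ("10.0.4.80", "93.184.216.34", 443, "tcp"),  # proxy -> internet HTTPS
    ]
    for flow in sample_flows:
        print(flow, "->", decide(*flow))
```

The interesting cases are the denials: a workstation reaching a file server on 3389, or resolving names against an external resolver, matches no rule and is dropped, which is what makes a phone-home over an unexpected port fail without any signature.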

Assisted Solution by: Schuyler Dorsey (LVL 10), earned 500 total points
ID: 40208047
The latest anti-malware trends are as follows:

1. Next-generation firewalls. NGFWs allow you to control traffic based on identified applications as opposed to just IP and port. E.g. you can allow outbound UDP port 123 traffic and the NGFW will scan that traffic and ensure it is NTP traffic as opposed to malware phoning home. (Palo Alto's AVR report over the past year revealed that 99% of malware phones home on UDP ports and the firewall IDs it as "unknown-udp".) With this information, plus NGFWs having web filtering, AV scanning and IPS, you greatly reduce the chance of malware entering your perimeter.

2. Advanced Malware Protection, or AMP. There are several AMP devices available to address the signature-based approach of traditional AV. AMP devices sit at your perimeter and monitor files going in and out. For EXEs, SCRs, PDFs, Office files, Java files, etc., it will run those files in a Windows VM to monitor their behavior. If it determines the file to be malicious, it adds the SHA1 hash of the file to its db and will block all subsequent attempts for that file to come through the firewall. In addition, the cloud is updated with found malicious files, so if any AMP device of your brand finds a malicious file in the wild, the cloud is updated and then your device is updated with the SHA1 hash of that bad file within 30 minutes (30 minutes vs. the standard 1-2 weeks for an AV vendor to release a signature).

3. Advanced Endpoint Protection. There are two big players in this arena, Cyvera and Bromium. Bromium installs a mini hypervisor on end-user machines. When they open Office docs or browse the internet, each process is shoved into its own micro VM. So if a user browses to a bad website and an exploit is delivered, only that micro VM is exploited, and the malware has zero access to the underlying OS. Once the browser tab is closed, the VM is zeroed out and the infection is thus remediated.

Cyvera (recently purchased by Palo Alto Networks) is like Microsoft EMET on steroids. So instead of taking an IPS approach where there is a signature for EVERY exploit, it instead targets the methods of exploitation. About 99% of malware and exploits use the same methods of exploitation, and new methods are only added about 2-4 times a year (so this endpoint protection only has to have 2-4 signature updates a year vs. traditional H-IPS).
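The NGFW point in item 1 above, as an added example (editor-supplied illustration, not code from the comment or from any firewall vendor): a port-based rule allows anything on UDP/123, while an application-aware rule only allows payloads that are structurally valid NTP (RFC 5905 header: 48 bytes, version 1-4, a real mode, sane stratum) and labels the rest "unknown-udp". The NTP packets and the beacon payload are constructed for the example; the field checks are the editor's simplification, not a vendor's app-ID signature.

```python
"""Application identification on UDP/123: port-only versus app-aware decisions.
The sample packets are constructed; the checks are a simplified NTP validator."""
import struct

NTP_HEADER_LEN = 48            # LI/VN/Mode through Transmit Timestamp, no extensions
VALID_VERSIONS = {1, 2, 3, 4}
VALID_MODES = {1, 2, 3, 4, 5}  # symmetric active/passive, client, server, broadcast


def classify_udp_123(payload: bytes) -> str:
    """Return 'ntp' for a structurally valid NTP packet, else 'unknown-udp'."""
    if len(payload) < NTP_HEADER_LEN:
        return "unknown-udp"
    li_vn_mode, stratum = payload[0], payload[1]
    version = (li_vn_mode >> 3) & 0x07
    mode = li_vn_mode & 0x07
    if version not in VALID_VERSIONS or mode not in VALID_MODES:
        return "unknown-udp"
    # Stratum 0 = unspecified/kiss-o'-death, 1-15 = valid, 16 = unsynchronized, 17+ reserved.
    if stratum > 16:
        return "unknown-udp"
    # A server reply (mode 4) without a transmit timestamp is not a real reply.
    transmit_ts = struct.unpack("!Q", payload[40:48])[0]
    if mode == 4 and transmit_ts == 0:
        return "unknown-udp"
    return "ntp"


def port_only_decision(dst_port: int, proto: str, payload: bytes) -> str:
    """Classic L4 rule: 'udp/123 is NTP', payload never looked at."""
    return "allow" if (proto, dst_port) == ("udp", 123) else "deny"


def app_aware_decision(dst_port: int, proto: str, payload: bytes) -> str:
    """NGFW-style rule: allow the NTP application, not the port."""
    if (proto, dst_port) != ("udp", 123):
        return "deny"
    return "allow" if classify_udp_123(payload) == "ntp" else "deny"


def ntp_client_request() -> bytes:
    # LI=0, VN=4, Mode=3 (client); zeros except the transmit timestamp.
    return bytes([0x23, 0, 0, 0]) + b"\x00" * 36 + struct.pack("!II", 3_900_000_000, 0)


def ntp_server_reply() -> bytes:
    # LI=0, VN=4, Mode=4 (server), stratum 2, GPS reference, four timestamps.
    t = 3_900_000_000
    return (bytes([0x24, 2, 0, 0xE9])
            + struct.pack("!II4s", 0, 0x100, b"GPS\x00")
            + struct.pack("!8I", t, 0, t, 0, t, 0, t + 1, 0))


# Constructed phone-home: HTTP-looking text pushed out on UDP/123 to slip past a port rule.
BEACON = b"GET /gate.php?id=0x1f HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"
SHORT_BEACON = b"\x23PING"  # right first byte, but far too short to be an NTP header


if __name__ == "__main__":
    for label, pkt in [("client", ntp_client_request()), ("server", ntp_server_reply()),
                       ("beacon", BEACON), ("short", SHORT_BEACON)]:
        print(f"{label:7} {classify_udp_123(pkt):12} port-only={port_only_decision(123, 'udp', pkt)} "
              f"app-aware={app_aware_decision(123, 'udp', pkt)}")
```

The caveat a practitioner should keep in mind: a structural check catches the crude case shown here, but a beacon that emits a well-formed NTP header followed by its own data passes it, which is why app-ID on its own is not a substitute for the egress restrictions, reputation and IPS layers mentioned alongside it.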

Expert Comment by: Peter Wilson (LVL 2)
ID: 40208050
I forgot to mention that ESET ERAC has mobile apps which are also run and managed through the central console so all mobile devices are protected and managed.

For BYOD, MDM really sucks IMO...it's way behind the times but out of all of them AirWatch seems to be the best. It has the ability to wipe corporate data exclusively leaving the personal data on the device.

Expert Comment by: Thomas Zucker-Scharff (LVL 30)
ID: 40208131
For mobile you might want to look into MAM instead of MDM. There are many MAM solutions out there. (Mobile Application Management)

Accepted Solution by: btan (LVL 65), earned 500 total points
ID: 40208246
Microsoft's recent EMET release (the latest being 5.0) serves as a good baseline and improvement of defence. You may want to take a look, as it touches isolated heap, enhanced export table protection, etc.

The endpoint baseline should minimally not be lacking HIPS that includes device and application control. Those of SEP and McAfee have that but can be lacking the DPI aspect to tie to a list of identity and isolation of apps running. Hence it is good to check on app containers from Bromium vSentry and Faronics Deep Freeze and Anti-Executable.

Also, virtual apps on demand regardless of platform, and going off thick client, is another mover, with virtual apps from the likes of Microsoft vApps, Citrix XenApp and VMware ThinApp.

Breach detection is another domain to go into wrt such advanced persistent threat occurrences globally. It tends to be driven better from the preventive side at the organisation's critical network segment entry cum exit points, from the likes of FireEye, Blue Coat, and more from NSS Labs checks. But importantly it is the endpoint agent with forensic means doing live acquisition, such as memory grabbing and even indicator-of-compromise checks for signature files etc., for real compromise and breach checks, to ascertain overall damages and streamline incident response in the event of a breach detected in critical servers. APTs spread vertically and laterally once penetration succeeds into the targeted organisation.

The cyber kill chain is one area to guide whether the controls are capable of detecting it at the earliest stage. And let's not forget about data loss prevention, especially through fast adoption of BYOD and managed cloud services with SaaS and IaaS as common trends. Federated identity based on OpenID Connect or SAML will be a consideration for the endpoint to tie in identity as part of the intelligence DPI where applicable, for attribute-based and adaptive access control.

It is still good to check the Gartner endpoint security Magic Quadrant and look out for new players offering capabilities:
http://blogs.antivirussales.ca/en/blog/gartner-magic-quadrant-for-endpoint-protection-platforms/

These products and features are typically centrally managed and ideally integrated by shared policies. Not all products in this analysis provide the same collection of features. In this analysis, we focused primarily on anti-malware effectiveness and performance, management capability, protection for non-Windows platforms (such as VMware, Macintosh, Linux, Microsoft Exchange and Microsoft SharePoint), MDM capability, application control, and vulnerability assessment. See the Completeness of Vision section below for more information.

DLP, MDM and vulnerability assessment are also evaluated in their own Magic Quadrant or MarketScope analyses (see the Gartner Recommended Reading section). In the longer term, portions of these markets will be subsumed by the EPP market, just as the personal firewall, host intrusion prevention, device control and anti-spyware markets have been subsumed by the EPP market in the past. EPP suites are a logical place for the convergence of these functions.
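Hash-based verdicts are what both the AMP description earlier in the thread (sandbox detonation, SHA1 pushed to every subscriber) and the indicator-of-compromise check mentioned in the answer above boil down to. The following is an added example by the editor, not code from either comment or from any vendor: a local verdict list that learns hashes once a sample has been judged malicious, a directory sweep that matches files against it, and a one-byte variant of the same sample to show where a hash list stops. The "dropper" bytes, the feed and the temporary directory are all constructed here.

```python
"""Hash-based block list / IOC sweep with a polymorphic-variant check.
Everything here (feed, files, directory) is constructed for the example."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class VerdictList:
    """Local copy of a hash feed: verdicts pushed down after sandbox detonation."""

    def __init__(self) -> None:
        self.bad_sha1: set[str] = set()
        self.bad_sha256: set[str] = set()

    def learn_malicious(self, data: bytes) -> None:
        """Once a detonation says 'malicious', publish both hashes to subscribers.
        SHA-256 is recorded alongside SHA-1 because SHA-1 collisions are practical."""
        self.bad_sha1.add(sha1_hex(data))
        self.bad_sha256.add(sha256_hex(data))

    def verdict(self, data: bytes) -> str:
        if sha256_hex(data) in self.bad_sha256 or sha1_hex(data) in self.bad_sha1:
            return "block"
        return "allow"  # 'unknown' is not 'clean'; it just is not on the list yet


def scan_directory(directory: Path, feed: VerdictList) -> list[Path]:
    """Endpoint-side IOC sweep: every regular file whose hash is on the feed."""
    hits: list[Path] = []
    for path in sorted(p for p in directory.rglob("*") if p.is_file()):
        if feed.verdict(path.read_bytes()) == "block":
            hits.append(path)
    return hits


# Constructed sample: a 'dropper' that a sandbox has already judged malicious,
# and a variant with one byte of padding appended (same behaviour, new hash).
DROPPER = b"MZ\x90\x00" + b"constructed dropper body, not a real binary; " * 4
VARIANT = DROPPER + b"\x00"


def demo() -> dict:
    feed = VerdictList()
    feed.learn_malicious(DROPPER)  # the cloud update arriving at this device
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoice.exe").write_bytes(DROPPER)
        (root / "invoice2.exe").write_bytes(VARIANT)
        (root / "readme.txt").write_bytes(b"benign constructed text")
        hits = [p.name for p in scan_directory(root, feed)]
    return {"dropper": feed.verdict(DROPPER), "variant": feed.verdict(VARIANT), "hits": hits}


if __name__ == "__main__":
    print(demo())
```

The variant result is the point to take away: a hash feed only stops the exact bytes someone has already detonated, and a single appended byte produces a new hash, so the 30-minute feed described earlier buys time against reuse of a known sample, not against a repacked one; that gap is what the behavioural and isolation controls discussed in this thread are meant to cover.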

Expert Comment by: Peter Wilson (LVL 2)
ID: 40210930
@Thomas Zucker-Scharff Do you have experience with MAM? If so, which one do you prefer?

Expert Comment by: Thomas Zucker-Scharff (LVL 30)
ID: 40211512
Not a lot of experience, but I like MaaS360 best as a vendor. Are there specific apps you are looking at? In terms of mail for Android, TouchDown by NitroDesk is by far the best (especially if you are using Exchange). There are a plethora of texting apps out there that are HIPAA compliant, so therefore what you are looking for. Don't forget that defeating MAM can be very easy if the environment is not locked down.

Expert Comment by: Peter Wilson (LVL 2)
ID: 40212625
I just looked into MAM (Apperian and some others). They only offer a minute component of what AirWatch provides in their MDM, which is App Locker, the ability to deploy apps in a quasi app store; not a complete solution by any means.

MaaS360 sucks too. What can you do that EAS natively can't already? Look at info... great! AirWatch sucks too, but the only reason I think they are marginally better is because you can remote view and remote control on Android devices. Pushing configurations comes with the territory and should be expected.

TouchDown is so 2006... blah. Why? If you are using AirWatch or the like you have built-in security contexting so you can wipe corp data and leave personal.

I'm fed up with mobile solutions; the dev community has a lot to overcome IMO.

To date the only known security enforcement that I know of that can be deployed and managed centrally is ESET using ERAC/ERAS for mobile devices. And even then I don't believe they can work with iPhone, since Apple has been so ridiculously restrictive for developers. http://www.eset.com/us/business/

All we need to do is figure out how to irradiate all iPhone/iPad devices and MDM will actually start to look appealing! Since there is no vision for the company any longer and market share has significantly dropped it's not too far off. LOL

Expert Comment by: Rich Rumble (LVL 38)
ID: 40213082
MobileIron is the leader if you ask me, but there are others that work well too. If you use Blackberries, their MDM software was the best. Apple is promising better things for enterprises in the future, but again reference my BYOD article above... I don't see many cases where vital company data needs to be on your mobile phone. Marketing data, sales forms and such, sure, but why let anyone have any more than that on a form-factor so impractical.
-rich

Expert Comment by: btan (LVL 65)
ID: 40213188
If you check this, smartphones are totally open, as there can be undocumented interfaces leaking info, or data at rest can easily be accessed if physical access exists, and worse if the phone is jailbroken or rooted. This recent HOPE X sharing opens up iPhone "secrets". Nonetheless, MDM is still a must and at best go supervised mode, but it can become unfriendly; MAM is also needed for app isolation layered on top of the existing OS segregation.

http://arstechnica.com/security/2014/07/undocumented-ios-functions-allow-monitoring-of-personal-data-expert-says/

Just some stats, though there may be newer ones:

http://mspmentor.net/mobile-device-management/mobile-application-management-vs-mobile-device-management

For MAM I know there is Good Technology as well, and under the Evaluated Products List for the Australian Government DSD it got EAL4+: http://www.asd.gov.au/infosec/epl/index.php