Nothing frustrates users more than a slow or inconsistent desktop or application experience. It's understandable, but is a compromised user even worse than a nonproductive user? In an attempt to keep pace with today's changing threat landscape, security teams have armed their bunkers with an array of disparate endpoint security products. This is the situation that many companies are facing today: A battle to provide both a usable and secure end user computing environment.
Business leaders are striving to maximize user productivity. They want their time to be worry-free and without encumbrance. Concurrently, the IT department and security leaders are consistently being tasked with adding layers of security to prevent threats and mitigate risks.
Unfortunately in many cases, the protective benefits of security tools come at the cost of system performance. It's a catch-22 in many ways: The IT staff is trying to optimize for security and productivity, but reduced security and deteriorated productivity are both unacceptable outcomes.
The bottom line is that both security and performance should be given equal priority— which means as end user computing leaders define "acceptable user experience," information security leaders need to define their organization's "acceptable risk". Since data rarely has a fixed value, it's difficult to determine its value and therefor equally challenging to determine organizational risk appetite for data loss. But even more elusive is finding and maintaining the critical point at which minimum risk and maximum productivity overlap.
According to the Ponemon Research 2015 State of the Endpoint Report, the average enterprise endpoint has over 7 security agents on it. The most commonly deployed endpoint security agents are antivirus and firewall, followed by DLP, VPN, encryption, whitelisting, e-Discovery collectors, remediation tools, forensic tools, SIEM sensors, and so on.
Source: 2015 State of the Endpoint Report, Ponemon Research
A security policy that is too lax may result in inadequate protection, whereas one that overreaches often increases support issues and under-resourced endpoints that could grind end user productivity to a standstill.
Although end user computing and information security teams co-exist in the IT organization, the cyber-attack landscape has created a divide between them. End user computing leaders have begun implementing "agent rationalization" processes in order to curb the "agent creep" on employee desktops.
Source: Lakeside Software, average Windows desktop CPU resource consumption measured over a 60 day period
Lakeside Software community-sourced data validates some of this, because few security tools are developed with user experience in mind – they are focused on stopping the threat first, and reduction of impact on system performance second. Further, many agents conflict with each other as well as legitimate productivity applications – it's not unusual to see an antivirus agent misidentify a sanctioned application as a threat.
In many cases, these two IT groups within an organization are at odds. IT Security is worried about risks and threats, defining policies, and assessing the environment, while IT Operations areas—server admin, network admin, and end user computing—fret over availability and performance, keeping an environment stable, managing change, and not allowing anything in that to disrupt availability and performance. IT Security often drives policy and recommends and deploys new technologies rapidly in reaction to attacks and threats, sometimes forcing technology into the environment that may have management or performance issues. IT Operations is looking for technologies that have consolidated interfaces, administration, reporting, and workflows that won't cause foreign disruption to availability and performance. The most sensible approach is to have your IT Security team members address new threats and your IT Operations team members handle business systems.
Information security professionals have a few choices available in order to drive their organizations toward more mature security solutions. They can continue to deploy point solutions and then try to manage them separately, further driving the silo-fication of IT, or have IT operations collaboratively manage them. They can deploy point solutions and "rip and replace" them as they find more consolidated security solutions, or they can find a solution that ties into the IT operations workflow for assessing the state of endpoint devices and virtual desktops, and leveraging integrated security at multiple layers.
The first step toward comprehensive EUC security is to understand what software and hardware is in the environment. This includes, for example, validating that operating systems are patched because patching tools often "miss a few", and verifying that approved security controls are enabled, patched, and up to date. What good is antivirus without an updated signature file?
It's important to see all interactions between all managed devices and resources they access, because one cannot secure an endpoint or a virtual desktop without seeing what's connected and what software is running on those devices. Active protection requires purview across the entire end user computing portfolio, whether those are at the corporate site or in remote locations, online or offline, and maintaining that inventory in real-time, generating reports to show the security status at any moment with added capability to "rewind the tape" to the point of infection in order to assess and classify suspicious activity. Without such purpose-specific tools in place before a breach, gathering all the data necessary for an effective incident response could take weeks or months.
The value of forensics does not simply end at attack vector identification, kill chain analysis, remediation, and attribution. After an investigation has been completed, and the organization has fully recovered from the attack, IT teams should look to build better prevention and detection guided by data collected and correlated from the initial response to the attack. Reviewing the saved investigation should be a catalyst for building better prevention and detection customized for similar attacks moving forward.
Visibility remains the biggest endpoint risk management challenge. Traditional incident response solutions focus on collecting data after detection of a security event. This usually extends the time attackers are present in a compromised environment as security teams reactively attempt to collect data to enable their response. When reactively collecting data, one has no effective way to understand the root cause of an attack, especially if the attacker moved within the affected environment. Traditional security methods react to specific incidents instead of providing continuous monitoring and assessment. Implementing a solution that enables both continuous real-time and historical recording of every endpoint and virtual desktop in the end user computing environment provides a higher value activity log.
As a baseline of security, anti-malware software such as antivirus and anti-spyware which block or protect against specific threats continues to be a core component of good security best practices. These security applications are continually updated with new malware patterns to block known attacks. However, blacklisting is becoming less effective against the surging volume of new threats and is almost useless against targeted threats. There are basic controls which are easy to implement without detriment to end user experience: Blocking malicious sites, for example, is often a better preventative mechanism than antivirus because a "known bad" site is often updated to serve "fresh" malware that is less likely to be detected.
Many companies are bolstering their security armaments with non-signature based solutions such as application or site control and whitelisting in order to block all but specific applications and sites, or to block the use of any non-approved applications. In addition, malicious code defense should include other components such as alerts and reports on the persistence and execution of previously unseen or suspicious binaries. These can prove effective at "detecting the undetectable" when combined with irregular application behavior detection which, even in the absence of a recognized malware signature, is quickly becoming the most effective mechanism for detecting, or at the very least providing an evidence-based triage for identifying Advanced Persistent Threats that are often propagated via undetectable malware packages.
Lakeside Software offers industry-leading endpoint visibility by continuously recording and assessing the critical data necessary to enable multiple forms of threat prevention, build customized threat detection, know and respond at the moment of compromise, and shorten breach containment and remediation timeframes with automation and kill chain analysis. By continuously monitoring, interpolating, and assessing the relationships of every file execution, file modification, network connection, cross-process event and identifying and recording the execution of every binary, Lakeside SysTrack delivers instant answers to complex security questions.
Built on our patented DataMine technology, Lakeside SysTrack ensures you don't have to wait for remote employees to reconnect with your corporate network to maintain visibility—you get seamless and continuous endpoint visibility on or off the network. Imagine: Instant unfettered access to your organization's recorded history.
The Lakeside SysTrack agent has no discernable performance impact and is lightweight so you can easily deploy it to every endpoint, virtual desktop, server and POS system in your environment. Lakeside SysTrack scales to the largest of enterprises, giving your organization the ability to deploy hundreds of thousands of agents effortlessly with a patented amalgamated architecture that offers all the benefits of central administration and reporting without the traditional bandwidth impact of centralized collection. From one console, you can:
At the core of a continuous security life cycle must be visibility into all your endpoints so you can understand what's happening across your environment in real time. Many solutions claim to have "continuous" endpoint visibility, but these solutions are usually snapshots in time, delivered as scheduled scans for a specific indicator of a known attack. They miss pockets of time and can't fully "rewind the tape" to understand what happened. Until recently, standard practice among system administrators has been to monitor and record network traffic, but endpoints remained a blind spot. In order to stop attacks at the moment of execution, you need a solution that monitors, records, and actively assesses the state of every endpoint against the acceptable baseline — even while off the network.
SysTrack helps identify risky and potentially vulnerable assets at a moment's notice. Identifying non-compliant users, devices, OS, applications, and documents, and correlating that information with threat scoring algorithms to create a triage leads to a more rapid IT response. For example, when a critical vulnerability is identified, the security operations team can immediately identify all systems with software configurations representing the highest risks (i.e., deprecated OS, non-compliant usage, no antivirus updates, etc.).
SysTrack provides comprehensive controls that can help you achieve security compliance by detecting and enforcing security configurations. Policy controls support continuous enforcement of configuration baselines; report, remediate and confirm remediation of non-compliant endpoints in real time; and ensure a verified real-time view of all endpoints. This capability delivers meaningful, audit-ready information on the health and security of endpoints regardless of location, operating system, connection (including wired computers or intermittently connected mobile laptops), or applications installed. It helps consolidate and unify the compliance life cycle, reducing endpoint configuration and remediation times. Most importantly, SysTrack enables security teams to establish trust in your environment by auditing operating system and software state to ensure proper versions and patch levels.
Since signature-based detection is simply not effective against advanced threats, and the alternative — whitelisting or application control — is often too cumbersome and predisposed to false positives, Lakeside SysTrack has implemented mechanisms that catalog metadata, patterns, and system information and then impart trust to each of those items. Simply put, SysTrack alerts are driven by insights and actions that describe a system state as positive, negative, or neutral. Risk scoring distills application control and attack detection into an understandable and manageable task. Do you trust all the applications contained within your main software repository? If so, you can express that trust using a single policy. Do you automatically mistrust anything downloaded within a web browser? You can express that distrust via policy as well. If you prefer threat intelligence reports that rate a given binary file as suspicious, requiring further investigation, the SysTrack policy engine can also handle that situation – not only in the context of alerts, but also forensics. If you want a complete kill chain map of the aforementioned binary's behavior, including original arrival vector – it's one click away. Our platform is adaptive and configurable to the unique security DNA of your organization.
Many organizations use security information and event management (SIEM) systems to correlate the many sources of security information across the enterprise, looking for signs of attack. Because SysTrack was built to be an ecosystem-oriented platform from the ground up, our APIs make it easy to fully integrate our data and analysis with your SIEM thereby removing the endpoint "blind spot".
The power of a SIEM lies in the fact that it can collect, analyze and correlate events from a variety of sources. Traditionally these data feeds have been collected from network monitoring equipment and possibly logs of summary, high-level information from servers or other key hardware. We know that the value of a SIEM is increased significantly when it has access to a feed of threat-detection data from not only from datacenter and network components, but all endpoints within an organization. With the SysTrack endpoint data feed, you would gain the following benefits:
SysTrack enhances your SIEM with the capability to record all user, application, file and machine activity without impacting system performance and then make this data available in near-real-time.
Finding a security solution that serves the needs of both EUC and security teams can be a daunting task. Having spent the last 18 years exclusively focused on end user computing, many of our customers have driven us to augment our product's capabilities in order to enable them to provide a dynamic trust-based security solution that holds both protection and productivity in equal regard. In summary, here are the benefits our customers tell us differentiate our solution: