If you’re weighing your options for endpoint security solutions, there are many options out there. However, solutions vary greatly in terms of how effectively they can protect your network. I want to help you make the best decision possible, so here are some questions to ask before buying an endpoint security solution, and why they are important.
1) Does the solution employ foundational techniques (traditional), modern techniques (next-gen), or a combination of both?
Solutions that have been around for a while, and rely on foundational techniques, are very effective against known threats. The issue is the inability of foundational techniques to effectively address unknown threats. As solutions have become more effective at combating known threats, hackers adapt at a rapid rate. This means it’s imperative to employ a next-gen solution that can respond to threats it has never encountered before, and utilize proven foundational tactics.
Foundational techniques include:
- signature-based detection of known malware,
- application lockdown to prevent malicious behaviors of applications,
- behavioral monitoring/host intrusion prevention system to protect computers from unidentified viruses and suspicious behavior,
- web protection for URL lookup and blocking of known malicious websites,
- web control for endpoint web filtering, and
- data loss prevention to prevent the last stages of attacks that initially go unnoticed.
Next-gen techniques are the other piece of the puzzle, giving you:
- machine learning to detect both known and unknown malware without relying on signatures,
- anti-exploit technology to prevent attackers from using the tools and techniques they rely on in their attack chains,
- ransomware-specific solutions to prevent the malicious encryption of data,
- technology designed to prevent the theft of authentication passwords and privilege escalation,
- process protection to prevent the use of techniques like code cave and AtomBombing,
- endpoint detection and response for providing detailed information when hunting down evasive threats, and
- incident response/synchronized security to automatically respond to incidents and communicate with other security tools.
2) How does the solution detect unknown threats? Does it have machine learning capabilities?
Malware includes both known and never-before-seen threats. While it’s easy to address a known issue, it’s obviously another thing to fight a problem you don’t even know exists. It’s no surprise that many solutions struggle to detect unknown malware threats. It’s highly important to find a solution that fights unknown threats because they are far more common than known threats: reports suggest approximately 400,000 new pieces of unknown malware appear each day. The way to address unknown threats is to utilize machine learning.
3) If the solution does claim to utilize machine learning, what type of machine learning is used?
There are multiple methods of machine learning, including deep learning neural networks and clustering. Whatever the method, machine learning engines should be built to detect known and unknown malware, without relying on signatures. The advantage of machine learning is that it can detect malware that has never been seen before. You should be sure to evaluate the malware detection rate, false positive rate, and performance impact of any machine learning-based solution you consider.
4) What technology is deployed to prevent exploit-based and file-less attacks?
Not all attacks rely on malware. Exploit-based attacks take advantage of software bugs and vulnerabilities to gain access and control of your devices. Weaponized documents and malicious code hidden in legitimate programs and websites are common techniques used in these attacks. Other techniques include man-in-the-browser attacks, in which malware is used to infect a browser so attackers can view and manipulate traffic and use web traffic for malicious purposes. It is important to determine what capabilities your solution has for preventing such attacks.
5) Is the solution specifically designed to stop ransomware?
Ransomware is an extremely common threat. There are two primary types of ransomware: file encryptors, which encrypt the victim’s files and hold them for ransom, and disk encryptors, which lock up the victim’s entire hard drive or wipe it completely. Some solutions are specifically designed to prevent the malicious encryption of data by ransomware. Ransomware-specific solutions are also usually able to remediate impacted files.
6) Does the solution’s creator have third-party results that validate their approach?
Many endpoint security solution vendors make big claims about their products. It’s important that you can validate their claims and compare them to other solutions via a third-party evaluator. Some resources include MRG Effitas and their 360 Degree Assessment & Certification report, Gartner Magic Quadrant for Endpoint Protection Platforms, The Forrester Wave for Endpoint Security Suites, ESG Labs reviews, and AV-Comparatives Business Security Test, among others.
7) Can the solution ask detailed threat hunting and IT security operations questions?
Are you able to ask questions about what has happened in the past and what is happening now on your endpoints so you can detect active adversaries and maintain security hygiene? Some questions you may want to ask include:
- Are processes trying to make a network connection with non-standard ports?
- Which devices have known vulnerabilities, unknown services, or unauthorized browser extensions?
- What is the scope and impact of security incidents?
- Have any attacks gone unnoticed?
- Are there any indicators of compromise across the network?
- Are we able to prioritize events for further investigation?
- Will we be able to accurately report on our organization’s security posture at any given moment?
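To make the first three hunting questions concrete, here is an added example (not code from the original post or from any vendor product) that runs them as queries over a small set of constructed endpoint telemetry records. The expected-port set, the approved-extension list and the field names are assumptions for the example; a real EDR tool exposes the same information through its own query language.

```python
"""Answer endpoint hunting questions over constructed telemetry (added example)."""
from collections import defaultdict

# Constructed sample telemetry, not real data: one record per outbound connection
# observed by the endpoint agent.
CONNECTION_EVENTS = [
    {"host": "ws-01", "process": "chrome.exe", "dest_ip": "203.0.113.10", "dest_port": 443},
    {"host": "ws-01", "process": "outlook.exe", "dest_ip": "203.0.113.20", "dest_port": 993},
    {"host": "ws-02", "process": "svchost.exe", "dest_ip": "198.51.100.5", "dest_port": 4444},
    {"host": "ws-02", "process": "powershell.exe", "dest_ip": "198.51.100.7", "dest_port": 8081},
    {"host": "ws-03", "process": "powershell.exe", "dest_ip": "192.0.2.9", "dest_port": 443},
]

# Assumption: the ports this organization expects its clients to use outbound.
EXPECTED_PORTS = {53, 80, 443, 587, 993, 3389}

# Constructed browser extension inventory, as an agent would collect it.
EXTENSION_INVENTORY = [
    {"host": "ws-01", "browser": "chrome", "extension_id": "ext-approved-pwmgr", "name": "Corp Password Manager"},
    {"host": "ws-02", "browser": "chrome", "extension_id": "ext-unknown-coupon", "name": "Coupon Finder"},
    {"host": "ws-03", "browser": "edge", "extension_id": "ext-approved-adblock", "name": "Ad Blocker"},
    {"host": "ws-03", "browser": "edge", "extension_id": "ext-unknown-screen", "name": "Screen Recorder Pro"},
]

# Assumption: extension IDs the IT team has reviewed and approved.
APPROVED_EXTENSION_IDS = {"ext-approved-pwmgr", "ext-approved-adblock"}


def nonstandard_port_connections(events, expected_ports=EXPECTED_PORTS):
    """Hunting question 1: which processes connect to ports outside the expected set?"""
    return [e for e in events if e["dest_port"] not in expected_ports]


def unauthorized_extensions(inventory, approved=APPROVED_EXTENSION_IDS):
    """Hunting question 2: which devices carry browser extensions that were never approved?"""
    return [x for x in inventory if x["extension_id"] not in approved]


def affected_hosts(*finding_lists):
    """Hunting question 3 (scope): group every finding by host so the blast radius is visible."""
    scope = defaultdict(list)
    for findings in finding_lists:
        for finding in findings:
            scope[finding["host"]].append(finding)
    return dict(scope)


def prioritized_hosts(scope):
    """Order hosts for investigation: most findings first, hostname as a tie-breaker."""
    return sorted(scope, key=lambda host: (-len(scope[host]), host))


if __name__ == "__main__":
    ports = nonstandard_port_connections(CONNECTION_EVENTS)
    exts = unauthorized_extensions(EXTENSION_INVENTORY)
    scope = affected_hosts(ports, exts)
    for host in prioritized_hosts(scope):
        print(host)
        for finding in scope[host]:
            print("  ", finding)
```

The point of the exercise is not the two trivial filters but the shape of the workflow: each hunting question becomes a repeatable query, the results are joined by host to answer the scope question, and a ranking decides what an analyst looks at first. A solution that cannot expose its telemetry in a way that supports this loop will not let you answer the questions above on demand.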
8) What visibility is provided into attacks and can the solution respond automatically?
At a minimum, your endpoint security solution should provide insight into the incidents that occur to help you avoid future incidents. Ideally, though, it would automatically respond to issues without the need for analysis or manual intervention.
As cyber threats continue to grow in complexity and volume, it’s more important than ever to have an effective endpoint security solution in place. It is recommended to have an endpoint security solution that combines the best of traditional and next-gen techniques, for security that is proven to be effective.