Securosis Guide: 2015 Endpoint Security Trends

This post is part of a multi-part series about the Securosis Guide to the RSA Conference (download the RSAC-G PDF). Please scroll to the bottom for links to other posts in the series.

What Is Wrong With Endpoint Security?

What you'll see at the RSAC in terms of endpoint security is really more of the same. Advanced attacks blah, mobile devices blah blah, AV-vendor hatred blah blah blah. Just a lot of blah... But we are still recovering from the advanced attacker hangover, which made painfully clear that existing approaches to preventing malware just don't work. So a variety of alternatives have emerged to do it better. Check out our Advanced Endpoint and Server Protection paper to learn more about where the technology is going. None of these innovations has really hit the mainstream yet, so it looks like the status quo will prevail again in 2015. But the year of endpoint security disruption is coming—perhaps 2016 will be it...

White listing becomes Mission: POSsible
Since last year's RSAC many retailers have suffered high-profile breaches. But don't despair—if your favorite retailer hasn't yet sent you a disclosure notice, it will arrive with your new credit card just as soon as they discover the breach. And why are retailers so easy to pop? Mostly because many Point-of-Sale (POS) systems use modern operating systems like Embedded Windows XP. These devices are maintained using state-of-the-art configuration and patching infrastructures—except when they aren't. And they all have modern anti-malware protection, unless they don't have even ineffective signature-based AV. POS systems have been sitting ducks for years. Quack quack.

Clearly this isn't a really effective way to protect devices that capture credit cards and handle money, which happen to run on circa-1998 operating systems. So retailers and everyone else dealing with kiosks and POS systems has gotten the white listing bug, big-time. And this bug doesn't send customer data to carder exchanges in Eastern Europe.

What should you look for at the RSAC? Basically a rep who isn't taking an order from some other company.

Calling Dr. Quincy...
We highlighted a concept last year, which we call endpoint monitoring. It's a method for collecting detailed and granular telemetry from endpoints, to facilitate forensic investigation after a device compromise. As it turned out, that actually happened—our big research friends who shall not be named have dubbed this function ETDR (Endpoint Threat Detection and Response). And ETDR is pretty shiny nowadays.

As you tour the RSAC floor, pay attention to ease-of-use. The good news is that some of these ETDR products have been acquired by big companies, so they will have a bunch of demo pods in their huge booths. If you want to check out a startup you might have to wait—you can only fit so much in a 10' by 10' booth, and we expect these technologies to garner a lot of interest. And since the RSAC has outlawed booth babes (which we think is awesome), maybe the crowded booths will feature cool and innovative technology rather than spandex and leather.

While you are there you might want to poke around a bit, to figure out when your EDTR vendor will add prevention to their arsenal, so you can finally look at alternatives to EPP. Speaking of which...

Don't look behind the EPP curtain...
The death of endpoint protection suites has been greatly exaggerated. Which continues to piss us off, to be honest. In what other business can you be largely ineffective, cost too much, and slow down the entire system, and still sell a couple billion dollars worth of product annually? The answer is none, but the reason companies still spend money is compliance. If EPP was a horse we would have shot it a long time ago.

So what is going to stop the EPP hegemony? We need something that can protect devices and drive down costs, without killing endpoint performance. It will take a vendor with some cajones. Companies offering innovative solutions tend to be content positioning them as complimentary solution to EPP suites. Then they don't have to deal with things like signature engines (to keep QSAs who are stuck in 2006 happy) or full disk encryption.

Unfortunately cajones will be in short supply at the 2015 RSAC—even in a heavily male-dominated crowd. But at some point someone will muster up the courage to acknowledge the EPP emperor has been streaking through RSAC for 5 years, and finally offer a compelling package that satisfies compliance requirements.

Can you do us a favor on the show floor? Maybe drop some hints that you would be happy to divert the $500k you plan to spend renewing EPP this year to something that doesn't suck instead.

Mobility gets citizenship...
As we stated last year, managing mobile devices is quite the commodity now. The technology keeps flying off the shelves, and MDM vendors continue to pay lip service to security. But last year devices were not really integrated into the organization's controls and defenses. That has started to change. Thanks to a bunch of acquisitions, most MDM technology is now controlled by big IT shops, so we will start to see the first linkages between managing and protecting mobile devices, and the rest of infrastructure. Leverage is wonderful, especially now when we have such a severe skills gap in security.

Now that mobile devices are full citizens, what does that even mean? It means MDM environments are now expected to send alerts to the SIEM and integrate with the service/operations infrastructure. They need to speak enterprise language and play nice with other enterprise systems.

Even though there have been some high-profile mobile app problems (such as providing access to a hotel chain's customer database), there still isn't much focus on assessing apps and ensuring security before apps hit an app store. We don't get it. You might check out folks assessing mobile apps (mostly for privacy issues, rather than mobile malware) and report back to your developers so they can ignore you. Again.

IoT: Not so much
It wouldn't be an RSAC-G if we didn't do at least a little click baiting. Mostly just to annoy people who are hoping for all sorts of groundbreaking research on protecting the Internet of Things (IoT). At this point there doesn't seem to be much to protect. But it is another thing to secure, so you will see vendors talking about it. Though it is still a bit early to add IoT to your RSAC buzzword bingo drinking game.

At some point a researcher will do some kind of proof of concept showing how your Roomba is the great-great-great-great-grandfather of the T1000. Click-baiting achievement unlocked! With a gratuitous Terminator reference to boot. Win!

Check out other posts in the series: Introduction
Theme posts: Change; Internet of Things; Professionalism; Compliance; Big Data; Bonk; DevOps
Coverage Area Deep Dives: Overview; Endpoint Security; Network Security; IAM; Cloud Security; Data Security; Security Management;
Download your copy of RSAC-G

← View more Blogs

This document was retrieved from on Wed, 26 Oct 2016 20:59:58 -0400.
© 2016 EMC Corporation. All rights reserved.