What does a good endpoint security platform look like?

“A good enough endpoint security approach is as good as no security at all to cover the Enterprise threat landscape”, says Vibin Shaju, Vice President, Solution Engineering EMEA at Trellix.

Having had a front-row seat to the endpoint security market evolution over the last two decades, Mr. Shaju shares his thoughts on what a good endpoint security platform looks like.

To build a robust endpoint security defense, I would suggest you take a modular approach which, at a high level, includes the following:

  • Prevention Sensors, which block known malicious files in real time using signatures, access protection policies, exploit prevention content, memory protection, file reputation, and any other technique that can take action on the fly.
  • Advanced Prevention Sensors, which perform a deeper inspection – using Artificial Intelligence, Sandbox integration, Script analysis, etc. – and improve their learning over time. Some of this might not happen in real time, particularly if the threat is being seen in the environment for the first time. However, the sensors add protection, without user intervention, as soon as the engine realizes the threat is malicious, usually within seconds. Any learnings are also shared across the sensors, empowering them to block the threat in real time the next time it is seen in the environment.
  • Advanced Detection Sensors, which SOC teams use to focus on strategic defense. The industry calls this EDR. SOC teams use these sensors to gather, summarize, and visualize evidence on demand or on a schedule. Since the data in play is on a much larger scale here, AI and the Cloud are used extensively in its implementation. In short, these sensors can be extremely useful when an attack is in its active stage.
  • Forensics Sensors, which the IR (Incident Response) team uses during a managed defense program to continuously analyze live memory and attacker behavior (tactics, techniques, and procedures), through a combination of scheduled and automated methods. These sensors are also highly effective for evidence collection in post-incident analysis.

These sensors should also be backed by strong Threat Intelligence, staying ahead of the evolving threat landscape to expose and reduce attack surfaces. If your business spans physical, virtual, and cloud environments, it is key that your vendor of choice provides a hybrid deployment and management architecture. Security vendors should not force you to change your business model, but rather adapt to yours. Having multiple vendors for different services will not provide shared intelligence and a unified experience.

As is clear by now, each of these sensors has its own purpose, but they have been used interchangeably, creating confusion in the market. It is important to note that the sensors should be able to talk to each other and share and report information. Operating these as silos defeats the whole goal.
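The point about shared learnings versus silos is easiest to see in a small model. The following is an added example, not code from the article, from Trellix, or from any product: a real-time Prevention Sensor that only acts on known verdicts, an Advanced Prevention Sensor that does the slower inspection and publishes what it learns, and a pipeline that can be run with one shared intelligence store or with each sensor keeping its own. All class names, the sample file events and the "malicious behaviour" marker are constructed for illustration; the marker stands in for whatever a sandbox or script analysis would actually flag.

```python
"""Toy model of the layered endpoint-sensor pipeline (constructed example)."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class SharedIntel:
    """Verdict store shared by all sensors: sha256 hex digest -> 'malicious' or 'clean'."""
    verdicts: dict = field(default_factory=dict)


@dataclass
class FileEvent:
    """A file seen on an endpoint (constructed sample, not real telemetry)."""
    host: str
    path: str
    content: bytes

    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


class PreventionSensor:
    """Real-time layer: acts only on what is already known (signature/reputation lookup)."""

    def __init__(self, intel: SharedIntel):
        self.intel = intel

    def inspect(self, event: FileEvent) -> str:
        if self.intel.verdicts.get(event.digest()) == "malicious":
            return "blocked-realtime"
        return "pass"  # unknown: hand over to the deeper (slower) layer


class AdvancedPreventionSensor:
    """Deeper, slower inspection (stand-in for sandbox/script analysis); publishes its verdict."""

    # Constructed marker standing in for behaviour a real sandbox would flag.
    MARKER = b"CONSTRUCTED-MALICIOUS-BEHAVIOUR"

    def __init__(self, intel: SharedIntel):
        self.intel = intel

    def inspect(self, event: FileEvent) -> str:
        verdict = "malicious" if self.MARKER in event.content else "clean"
        # The learning is written to the intel store this sensor was given; with a
        # shared store every other sensor benefits from it immediately.
        self.intel.verdicts[event.digest()] = verdict
        return "quarantined" if verdict == "malicious" else "allowed"


def run_pipeline(events, shared: bool = True) -> list:
    """Feed each event through the real-time sensor first, then the advanced one.

    shared=True  -> both sensors read and write one SharedIntel (the article's model).
    shared=False -> each sensor keeps its own store (the silo anti-pattern).
    """
    intel = SharedIntel()
    prevention = PreventionSensor(intel)
    advanced = AdvancedPreventionSensor(intel if shared else SharedIntel())
    outcomes = []
    for ev in events:
        result = prevention.inspect(ev)
        if result == "pass":
            result = advanced.inspect(ev)
        outcomes.append((ev.host, ev.path, result))
    return outcomes


# Constructed sample: the same file lands on two hosts, plus one benign file.
SAMPLE_EVENTS = [
    FileEvent("host-a", r"C:\Users\a\Downloads\invoice.exe", b"MZ...CONSTRUCTED-MALICIOUS-BEHAVIOUR..."),
    FileEvent("host-b", r"C:\Users\b\Downloads\invoice.exe", b"MZ...CONSTRUCTED-MALICIOUS-BEHAVIOUR..."),
    FileEvent("host-c", r"C:\Program Files\notes\notes.exe", b"MZ...benign..."),
]

if __name__ == "__main__":
    for row in run_pipeline(SAMPLE_EVENTS):
        print("shared", row)
    for row in run_pipeline(SAMPLE_EVENTS, shared=False):
        print("silo  ", row)
```

With a shared store, the first sighting on host-a goes through the slow path and is quarantined, and the identical file on host-b is then blocked by the real-time layer without any deeper analysis. With siloed stores, host-b has to take the slow path again, which is exactly the gap the article warns about. In a real platform the store would be the vendor's threat intelligence backend rather than an in-memory dict, and verdicts would carry more than a hash, but the flow is the same.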

___

If this information is helpful to you, read our blog for more interesting and useful content, tips, and guidelines on similar topics. Contact the team of COMPUTER 2000 Bulgaria now if you have a specific question. Our specialists will assist you with your query.

Content curated by the team of COMPUTER 2000 on the basis of news in reputable media and marketing materials provided by our partners, companies, and other vendors.
