When deciding how to augment your baseline AV protection on the endpoint, understand the benefits and operational characteristics of each approach you’re considering. Here are a few guidelines.
Recognizing that antivirus tools are not foolproof, enterprises augment such protections with other security controls. The options for covering the AV gap on the endpoint include second-opinion antivirus, exploit mitigation, application isolation/containment, application control/whitelisting, and anti-evasion. How can enterprises assess the suitability of these safeguards and pick the approaches best suited to their environment? Let’s take a look.
Avoid Replicating Existing Functionality
Though the concept of defense-in-depth is highly valuable for enterprise defenders, it’s hard to justify deploying multiple security technologies whose capabilities significantly overlap. Review the security features your operating system and baseline Endpoint Protection Platform (EPP) already offer. Understand the strengths and weaknesses of those approaches, then add security layers that introduce meaningful benefits without replicating existing functionality.
For instance, if you’re considering adding a second AV agent, confirm that the new tool’s approach is truly different from the capabilities your baseline AV software provides. The core capability of most antivirus solutions is deciding whether to allow a program to run based on its resemblance to previously seen malware, whether through signatures, heuristics or a trained model. Although they differ in the algorithms they use to make that decision, all AVs are subject to the same limitation: detection grounded in prior knowledge of malicious patterns, so a second engine built on the same premise tends to miss much of what the first one missed.
Similarly, Microsoft has been incorporating exploit mitigation into the core of Windows 10: DEP, ASLR, SEHOP and Control Flow Guard are enforced system-wide, and since version 1709 the Exploit Protection settings that replaced EMET can be applied per application. EPP solutions add further exploit mitigation capabilities on top to strengthen the system’s ability to withstand attacks that take advantage of unpatched vulnerabilities. With these layers in place, it is difficult to justify yet another layer whose value proposition rests on exploit mitigation, because you quickly reach the point of diminishing returns.
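Before paying for an overlapping exploit-mitigation layer, inventory what the OS and the baseline EPP already enforce on a representative endpoint. The following PowerShell script is an added example for this article, not code from the original post or from Minerva. It relies on the built-in ProcessMitigations and Defender modules (Windows 10 1709 or later, elevated session); the list of executables to inspect is an assumed placeholder, and the sub-property names (Dep.Enable, Aslr.BottomUp, Cfg.Enable, SEHOP.Enable and so on) follow the sections that Get-ProcessMitigation prints, so confirm them on your build with Get-Member.

```powershell
# Added example (not from the original article): inventory the exploit mitigations and
# baseline-EPP engines already active on a Windows 10 endpoint before buying an
# overlapping product. Requires Windows 10 1709+ and an elevated PowerShell session.

function Get-EndpointBaselineControls {
    [CmdletBinding()]
    param(
        # Assumed placeholder list: high-risk applications whose per-process overrides
        # (the successor of EMET's per-app settings) you want to review.
        [string[]]$Executables = @('winword.exe', 'excel.exe', 'AcroRd32.exe')
    )

    # 1. System-wide mitigations (DEP, ASLR, CFG, SEHOP, heap termination).
    #    Property names follow the sections of Get-ProcessMitigation's output.
    $sys = Get-ProcessMitigation -System
    $systemMitigations = [pscustomobject]@{
        DEP              = $sys.Dep.Enable
        ASLR_BottomUp    = $sys.Aslr.BottomUp
        ASLR_HighEntropy = $sys.Aslr.HighEntropy
        ASLR_ForceReloc  = $sys.Aslr.ForceRelocateImages
        CFG              = $sys.Cfg.Enable
        SEHOP            = $sys.SEHOP.Enable
        HeapTerminate    = $sys.Heap.TerminateOnError
    }

    # 2. Per-application overrides for the applications most often targeted by exploits.
    $perApp = foreach ($exe in $Executables) {
        $m = Get-ProcessMitigation -Name $exe -ErrorAction SilentlyContinue
        if ($m) {
            [pscustomobject]@{
                Executable   = $exe
                DEP          = $m.Dep.Enable
                ForceASLR    = $m.Aslr.ForceRelocateImages
                BlockDynCode = $m.DynamicCode.BlockDynamicCode
                NoChildProc  = $m.ChildProcess.DisallowChildProcessCreation
            }
        }
    }

    # 3. Baseline EPP (Microsoft Defender) engines and attack-surface-reduction rules.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $defender = [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        BehaviorMonitoring = $status.BehaviorMonitorEnabled
        TamperProtection   = $status.IsTamperProtected
        ControlledFolders  = $pref.EnableControlledFolderAccess     # 0 off, 1 block, 2 audit
        ASR_RuleCount      = @($pref.AttackSurfaceReductionRules_Ids).Count
    }

    [pscustomobject]@{ System = $systemMitigations; PerApp = $perApp; Defender = $defender }
}

$baseline = Get-EndpointBaselineControls
$baseline.System   | Format-List
$baseline.PerApp   | Format-Table -AutoSize
$baseline.Defender | Format-List
```

Run it on a standard build and keep the output next to the candidate product's feature list: any mitigation already reported as ON is not a benefit the new tool can claim, and a per-app table full of NOTSET values shows where the existing platform could be tuned for free before adding a product.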
Understand Your Staff’s Responsibilities
Some approaches to endpoint security are more burdensome to roll out and maintain than others. Understand what tasks your staff will need to perform not only to set up the solution initially, but also to keep it effective on an ongoing basis. In addition to tuning the tool’s configuration, your staff needs to be prepared to handle any escalations that result from the product’s false positives or other issues that interfere with business activities.
For example, when deploying an application isolation solution, which contains applications in a restricted environment, you will need to define the pathways through which the app is allowed to interact with corporate resources. An overly restrictive configuration will interfere with normal user activities. On the other hand, overly permissive rules will weaken the technology’s ability to prevent infections. Striking the right balance requires not only an initial effort, but also ongoing oversight to keep up with application updates, new asset locations and evolving business needs.
Similarly, application control solutions require a significant time investment to build and maintain the whitelist of the programs authorized to run on the endpoint. Without a well-defined whitelist, the effectiveness of this approach to securing endpoints is drastically diminished. When preparing to deploy application whitelisting, be ready to handle urgent requests from users to authorize the ever-changing list of programs and their dependencies. As with application isolation, it’s challenging to achieve the perfect balance between a locked-down system and the need to support business requirements.
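To see the whitelisting workload concretely before committing to it, build a baseline policy from a reference machine, deploy it in audit mode, and count what users would have asked you to approve. The following PowerShell script is an added example for this article, not code from the original post or from Minerva; it uses the built-in AppLocker cmdlets (Windows 10 Enterprise/Education, elevated session, Application Identity service running). The policy path, reference directories, staging folder and user name are assumed placeholders, and the event fields are read from the AppLocker event's RuleAndFileData section.

```powershell
# Added example (not from the original article): build an AppLocker whitelist from a
# reference image, deploy it in audit mode, test a staged vendor release against it,
# and report which files would have been blocked. Prerequisites: elevated session,
# Application Identity service running (sc.exe config appidsvc start= auto ; sc.exe start appidsvc).
# $PolicyPath, $GoldDirs, the staging glob and the user name are placeholders.

$PolicyPath = 'C:\Policies\AppLocker-baseline.xml'
$GoldDirs   = @('C:\Program Files', 'C:\Program Files (x86)')

function New-BaselineWhitelist {
    param([string[]]$Directories, [string]$OutFile)
    # Collect publisher, hash and path information for executables under the reference dirs.
    $info = foreach ($d in $Directories) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script, WindowsInstaller -ErrorAction SilentlyContinue
    }
    # Publisher rules survive signed vendor updates; hash rules for unsigned files must be
    # regenerated on every update, which is the recurring maintenance cost.
    $info | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -IgnoreMissingFileInformation -Xml |
        Out-File -FilePath $OutFile -Encoding utf8
    return $OutFile
}

function Set-AuditMode {
    param([string]$PolicyFile)
    # Switch every rule collection to AuditOnly: nothing is blocked, but events are logged.
    $doc = [xml](Get-Content -Path $PolicyFile -Raw)
    foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
    $doc.Save($PolicyFile)
    Set-AppLockerPolicy -XmlPolicy $PolicyFile      # local policy; use -Ldap to target a GPO
}

function Test-StagedRelease {
    param([string]$PolicyFile, [string]$StagingGlob, [string]$User = 'CONTOSO\jdoe')
    # Would the next vendor release run under the current whitelist? Find gaps before users do.
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $StagingGlob -User $User |
        Where-Object { $_.PolicyDecision -ne 'Allowed' } |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-AuditDenials {
    param([int]$Days = 7)
    # 8003 = EXE/DLL would have been blocked; 8006 = script/MSI would have been blocked.
    $filters = @(
        @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8003 },
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006 }
    )
    $since  = (Get-Date).AddDays(-$Days)
    $events = foreach ($f in $filters) {
        $f.StartTime = $since
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
    }
    # File path and target user live in the event's UserData/RuleAndFileData section.
    $events | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{ FilePath = $d.FilePath; User = $d.TargetUser; When = $_.TimeCreated }
    } | Group-Object FilePath | Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }
}

New-BaselineWhitelist -Directories $GoldDirs -OutFile $PolicyPath
Set-AuditMode -PolicyFile $PolicyPath
Test-StagedRelease -PolicyFile $PolicyPath -StagingGlob 'C:\Staging\NewRelease\*.exe'
Get-AuditDenials -Days 7 | Format-Table -AutoSize
```

The audit report is the honest estimate of the help-desk load: every row is a program that a user would have been unable to run under enforcement, and the hash-rule share of the policy is the part that will break on the next update cycle.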
Evaluate Effects on System Performance
It’s not enough for an endpoint security technology to provide meaningful security benefits; it needs to do so without placing undue stress on the system’s performance. This is especially important for a tool that augments baseline AV functionality, which already consumes resources. Evaluate the effect the additional security layer has on system performance in a configuration consistent with the intended deployment scenario, and account for both current hardware and the older, legacy systems still in service.
Negative performance effects are often observed with security tools that scan files and processes, a CPU- and memory-intensive operation. Similarly, the architecture of some application isolation products introduces overhead through network latency or local activity introspection. Sometimes the only way to roll out a resource-intensive tool is to turn off some of its capabilities, which undermines the solution’s effectiveness at safeguarding the endpoint.
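A repeatable way to quantify that overhead is to run the same file-intensive workload on a reference machine before and after the candidate agent is installed, and attribute CPU time to the security processes rather than to the workload as a whole. The following PowerShell script is an added example for this article, not code from the original post or from Minerva; the workload (write, copy and hash a tree of random files, which exercises on-access scanning and file-system filters) is constructed for the example, and the agent process names are placeholders to replace with those of the products under test. Run it elevated so process CPU times can be read.

```powershell
# Added example (not from the original article): measure the wall-clock cost of a
# constructed file workload and the processor-seconds consumed by the security agents
# while it ran. Run once on the baseline image and once with the candidate installed.
# $AgentProcesses defaults to the Defender engine; add the candidate's process names.

function Invoke-ScanWorkload {
    param([string]$Root, [int]$FileCount = 400, [int]$FileSizeKB = 256)
    # Constructed workload: create, copy and hash random files (triggers on-access scans).
    $src = Join-Path $Root 'src'; $dst = Join-Path $Root 'dst'
    New-Item -ItemType Directory -Force -Path $src, $dst | Out-Null
    $rng = [System.Random]::new(42)                      # fixed seed: identical data every run
    $buf = New-Object byte[] ($FileSizeKB * 1024)
    1..$FileCount | ForEach-Object {
        $rng.NextBytes($buf)
        [System.IO.File]::WriteAllBytes((Join-Path $src "f$_.bin"), $buf)
    }
    Copy-Item -Path "$src\*" -Destination $dst
    Get-ChildItem -Path $dst | Get-FileHash -Algorithm SHA256 | Out-Null
    Remove-Item -Recurse -Force -Path $src, $dst
}

function Measure-AgentOverhead {
    param(
        [scriptblock]$Workload,
        [string[]]$AgentProcesses = @('MsMpEng'),      # placeholder: baseline AV plus candidate
        [int]$Runs = 5
    )
    $samples = foreach ($i in 1..$Runs) {
        $before    = Get-Process -Name $AgentProcesses -ErrorAction SilentlyContinue
        $cpuBefore = [double]($before | Measure-Object -Property CPU -Sum).Sum
        $elapsed   = (Measure-Command { & $Workload }).TotalSeconds
        $after     = Get-Process -Name $AgentProcesses -ErrorAction SilentlyContinue
        $cpuAfter  = [double]($after | Measure-Object -Property CPU -Sum).Sum
        [pscustomobject]@{
            Run         = $i
            WallSeconds = [math]::Round($elapsed, 2)
            # Processor-seconds the agents burned during this run (Get-Process CPU is cumulative).
            AgentCpuSec = [math]::Round($cpuAfter - $cpuBefore, 2)
            AgentPeakMB = [math]::Round(([double]($after | Measure-Object -Property PeakWorkingSet64 -Sum).Sum) / 1MB, 0)
        }
    }
    $mid = [int][math]::Floor($Runs / 2)
    [pscustomobject]@{
        Runs           = $Runs
        MedianWallSec  = ($samples | Sort-Object WallSeconds)[$mid].WallSeconds
        MedianAgentCpu = ($samples | Sort-Object AgentCpuSec)[$mid].AgentCpuSec
        Samples        = $samples
    }
}

$tmp    = Join-Path $env:TEMP 'epp-bench'
$result = Measure-AgentOverhead -Workload { Invoke-ScanWorkload -Root $tmp } -AgentProcesses 'MsMpEng'
$result | Select-Object Runs, MedianWallSec, MedianAgentCpu | Format-List
$result.Samples | Format-Table -AutoSize
```

Compare the medians from the two runs rather than single samples, and repeat on the oldest hardware class in the fleet: a candidate that adds a few percent on a current laptop can double the wall time on a legacy desktop, and that is the number that decides whether features get switched off in production.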
Questions for Considering an Endpoint Security Solution
When deciding how to augment your baseline antivirus protection, consider asking (and answering) the following questions related to the solution’s security benefits and real-world operational characteristics:
- Is it effective against threats that bypass your existing controls?
- How does its efficacy change in the face of evolving threats?
- Does it integrate with your current workflow and tools?
- Is it compatible with legacy and future systems?
- What is its endpoint performance penalty?
- How burdensome is the initial deployment?
- How involved are ongoing maintenance tasks?
Minerva’s Anti-Evasion Platform was designed with these questions in mind, so it can dramatically improve your ability to block attacks that bypass other security controls without taking on operational burdens and without overlapping with the security measures you already have in place. It offers an effective and practical way of augmenting the protection provided by baseline antivirus on the endpoint by preventing malware from misusing features of its environment to evade security tools. To discuss this in greater depth and see the approach in action, please contact us.