eGuide

COMPUTERWORLD

IDG Enterprise is

in partnership with

presents

Endpoint Security
Endpoint security continues to be one of the

are also essential to a comprehensive security

most effective ways for enterprises to secure

strategy, endpoint security remains a corner-

their IT systems. In the constant battle to

stone of protection.

keep up with new threats, IT departments need

In this eGuide, CSO and InfoWorld examine

to make sure their endpoints are properly

the latest trends in endpoint security. Read on to

protected and up to date with the most recent

learn how this important enterprise technology

software. While other security technologies

can help you better protect your organization.

predictions

analysis

opinion

Endpoint Security Trends for

2015: What Can We Expect?

Death of Antivirus Software

Greatly Exaggerated

Endpoint Security Demands

Organizational Changes

Many enterprise security attacks can

be prevented with a solid endpoint
security strategy

After years of predicted demise,

AV software continues to protect

Large organizations should

delegate endpoint security to a group
dedicated to malware prevention
and detection

eGuide

IDG Enterprise is

COMPUTERWORLD

Endpoint Security Trends for 2015:

What Can We Expect?
Many enterprise security attacks can be prevented with a solid
endpoint security strategy
BY KIM CRAWLEY, CSO | Endpoint security is definitely an ap-

BYOD R.I.P.?

proach that I favor. Keeping a network secure is an immense

As personal and business smartphone usage has exploded since

challenge that requires constant work and vigilance. Why intro-

about 2007, people who work in office environments carry their

duce a client or server to your network before making sure that

work home with them on the same devices they use to watch cat

the device is as security hardened as possible?

videos on YouTube, empty their wallets with Candy Crush Saga,

In my data center work experience, a very significant per-

and conduct their personal banking. Many of them even use their

centage of the major network vulnerabilities Ive had to fix were

phones to pay for stuff in malls and restaurants, thanks to NFC

caused by the introduction of poorly secured computers. Its a

payment apps such as Google Wallet and Apple Pay. Businesses

surprisingly common blunder.

will often allow BYOD (bring your own device), thinking that itll

Network-based information security attacks have been making

the news with increased frequency throughout 2014. Its even
gotten to a point where a lot of those incidents are being report-

increase productivity and save them money by not having to

purchase mobile devices for their employees.
But BYOD introduces a multitude of security problems to

ed in mainstream publications and websites. And you can bet

corporate networks, even when they dont contain a businesss

that for each incident that makes the news, there are possibly

sensitive data. The app payment, banking, and NFC payment

thousands more that we dont get to read about.

examples I cited are examples of how sensitive personal financial

A lot of these problems can be prevented with a solid end-

data may be on employees personal phones and tablets.

point security strategy. Are corporations and institutions going to

Also, mobile malware is an ever increasing risk.

get smarter about it? In the rapid pace of tech, how will endpoint

As consumers and businesses shift to using mobile devices

security implementation evolve in 2015? From my keen observa-

for a greater percentage of their daily activities, cybercriminals

tions of whats going on in the IT world, heres what I predict.

will place a larger emphasis on targeting these platforms - specif-

of

In my data center
work experience,
a very significant
percentage of the
major network
vulnerabilities Ive
had to fix were
caused by the
introduction of
poorly secured
computers. Its
a surprisingly
common blunder.

eGuide

IDG Enterprise is

ically Android and jailbroken iOS devices. Remote find, lock, and
wipe arent enough, said Mark Bermingham of Kaspersky Lab.
It also makes it far too complicated to thoroughly run a

COMPUTERWORLD

competent antivirus developers.

Currently, anomaly detection algorithms are much more sophisticated in IDS and IPS devices. They focus on network activ-

penetration test and security harden an offices network when so

ity rather than code. Antivirus developers are already researching

many employees own devices get connected to it. Attention em-

better ways to implement anomaly-detection in antivirus shields.

ployees! Give us all of your personal smartphones for 36 hours

so that we can test their security! Yeah, that will go over well.
So, in 2015, I believe that many businesses that have BYOD

False positives are going to be a huge problem, and therell

always be bugs in the system. Sandboxing suspicious packets
only sometimes works, and most sandboxing functions for such

policies will scrap them altogether. They may either switch to

purposes are limited to the Windows platform. But Im optimistic

CYOD (choose your own device thats completely administered

that there will be a lot of progress in anomaly-based malware

and controlled by an IT security policy) when smartphones and

detection research in 2015. As malware development gets ever

tablets are completely necessary for work, or eliminate work

more sophisticated (Stuxnet! Regin!), thatll be an absolute must.

done on mobile devices if its functionally possible. More and

more often, we may see USB ports in office PCs being carefully

less frequent!

Vendor reduction
The greater the number of vendors a business has to deal with

A different antivirus approach

for their firewalls, IPSs, and antivirus solutions, the more com-

Both consumer and enterprise antivirus software tends to work

plex a network administrators job is. Also, money spent on one

based on signatures. If antivirus developers constantly keep up

vendors product may take away funds for something else.

on the latest malware and crypters (programs used to help mal-

When IT departments find that expensive antivirus soft-

ware evade signature antivirus shields), their software will usu-

ware products are no more effective than inexpensive antivirus

ally do a great job of preventing some malware infections. But for

products, the temptation to switch antivirus vendors is perfectly

obvious reasons, signatures are useless for zero-day attacks.

understandable.

Signatures have been dying for quite a while. The sheer

Palo Alto Networks surveyed 555 of their customers. They

number of malware samples we see every day completely over-

asked Would you consider switching to free enterprise antivi-

whelms our ability to keep up with them, said F-Secures Mikko

rus in order to fund more advanced endpoint protection for your

H. Hypponen.

company? 44% of respondents said theyd either consider it, or

Antivirus software, both consumer and enterprise, will still use

signatures for many years to come. But anomaly-based malware
detection will become a greater component in the products of

of

free podcast

Increase
Field Service
Productivity

Itd make me so happy to hear zero-day attacks becoming

controlled so that employees cannot mount the file systems of

their personal devices to them.

Listennow

theyre already doing it.

If antivirus heavyweights like Symantec want to stay competitive in the enterprise, they may need to package their antivirus

listen to the
podcast

eGuide

IDG Enterprise is

COMPUTERWORLD

software licenses with other products that are applicable to

virus and firewalls in addition to IPS/IDS devices that contain

endpoint security more often, and cut license prices altogether.

antivirus software and hardware firewalls. Its such a great idea

Limiting license commitment duration may also help. If a corpo-

of mine, that its possible they may be considering that already.

ration is stuck in a three-year license, that doesnt make it easy

I just hope, for the sake of the industry, that they dont buy each

for them to switch to another vendor if they become dissatisfied

others companies.

with the performance of their current vendors product.

Another excellent idea is if network security appliance vendors like Cisco and Juniper Networks make deals with antivirus

I watch information security trends very closely, and I write about

a lot of my observations. So, by the time 2015 is over, well see how
correct or incorrect I am. But Im feeling pretty darn confident!

vendors like Kaspersky and Symantec. They could cooperate to

make packages for enterprise customers that include OS anti-

Kim Crawley is a Security Researcher for the InfoSec Institute.

Listennow
free podcast

Enhance Your
PC Refresh
listen to the
podcast

of

eGuide

IDG Enterprise is

COMPUTERWORLD

Death of Antivirus Software

Greatly Exaggerated
After years of predicted demise, AV software continues to protect
BY JOHN P. MELLO JR., CSO | An executive at a company whose

Kenyon added that blocking threats is only one part of anti-

name is synonymous with antivirus software raised eyebrows

viruss job in protecting systems. Its not just about stopping

last year when he pronounced the death of that form of system

things, he said. Its also about cleaning things and eradicating

protection. Nevertheless, while the effectiveness of that software

them from a system.

may have waned over the years, security experts say the pro-

But, he continued, If you asked, Is the current AV architec-

nouncement by Symantecs senior vice president for information

ture and capability the future of our industry? I would definitely

security Brian Dye was premature.

say, No, not in its current form, but I dont believe its dead.

Certainly the growth in sophistication of malware has made

Limiting the definition of antivirus to signature-based software

untenable the use of signature-based antivirus software as a

may be doing an injustice to the technology. AV is not defined

standalone source of protection for systems. More than half the

by signatures; it is defined by protection against malicious soft-

threats we stop arent stopped by our AV software, said Chandra

ware, said Randy Abrams, a research director at NSS Labs, an

Rangan, vice president for product marketing at Symantec.

independent testing service. Products that only protect against

Were trying to educate people, he added. Were saying that

if you just have signature-based antivirus, its not enough.

viruses and only with signatures have been dead since the 90s.
Malware fighting antivirus software continues to have value

If you asked,
Is the current AV
architecture and
capability the future
of our industry?
I would definitely say,
No, not in its current
form, but I dont
believe its dead.

While signature-based antivirus software alone doesnt pro-

in the enterprise, even as powerful new defense platforms come

Brian Kenyon

vide enough protection in todays threat landscape, its still mak-

online, like breach defense systems (BDS). These systems are

ing a significant contribution to system security. If you went to

designed to quickly detect and contain security breaches that ev-

chief technical strategist

Intel Security

any of the Fortune 1000 companies and said, Antivirus is dead;

ery enterprise has or will have experienced, Abrams explained.

remove it from all your systems, you would find a lot of security

Initially BDS products performed their role as described; how-

officers laughing at you, said Brian Kenyon, chief technical strat-

ever, IT personnel were left cleaning up the problem.

egist with Intel Security (formerly McAfee). The reality iseven

in its current formAV stops a lot of stuff today.

of

AV vendors began to seize on the opportunity and offer a

complete end-to-end solution, he continued. The result has

eGuide

IDG Enterprise is

COMPUTERWORLD

been that the pure play BDS vendors have had to add malware

morphic and Zero Day attacks, also popular among intruders.

detection and remediation functionality to their systems.

Both those methods exploit systems before signatures to combat

Pronouncing antiviruss death is nothing new. In 2006, for

example, Hurwitz & Associates released a report titled Anti-vi-

them are immediately available.

It takes security researchers days to detect new threats and

rus is dead. In it, analyst Robin Bloor maintained that antivirus

write new signatures, giving a polymorphic attack more than

would be replaced by tools that used whitelisting to wipe mal-

enough time to change its code, Banga said. When advanced

ware from the computing scene. Whitelisting is used effectively

attacks can be executed at a moments notice, the signatures to

today in some environments, but it has its drawbacks.

detect them are still days away.

White listing is a great solution for controlled environments,

Antivirus softwares inability to deal with sophisticated threats

like retail POS systems, manufacturing and health systems,

isnt the only criticism leveled at it in recent times. Last year,

Intels Kenyon said. You say what applications can run and

a researcher at Singapore-based COSEINC maintained many

anything outside that list fails to run so malware never activates.

antivirus programs contain vulnerabilities that actually make the

When whitelisting is brought to the consumer or end-user

corporate environment, its maintenance can be burdensome

systems theyre installed on more susceptible to attack.

Researcher Joxean Koret explained that antivirus engines typi-

because end-users are constantly adding apps to their devices.

cally run with the highest system privileges possible. Exploiting

Thats why we havent seen a huge amount of whitelisting in the

vulnerabilities in them will provide attackers with root or system

user environment, Kenyon noted.

access, he continued. Their attack surface is very large, because

Its been great on servers, great for data centers, great for

they must support a long list of file formats. To deal with all

controlled retail environments, but its been a challenge on your

those file types, the software uses file format parsers, which typi-

traditional desktop/laptop, he added.

cally have bugs.

Like apocalyptic prophets, though, antiviruss detractors

Nevertheless, Bromiums Banga noted, AV software may

continue to forecast the technologys demise. Brian Dye was

likely continue to serve consumers, who generally have less

correct, said Gaurav Banga, co-founder and CEO of endpoint

need for robust protection or the savvy to manage more featured

security vendor Bromium. AV is dead.

products.

Banga cited a survey his company conducted in June of 300

information security pros as evidence of dissatisfaction with
antivirus. A hefty number of the pros85 percentdont believe

However, he added, security-conscious organizations have

already started to transition away from AV solutions.
There are those, though, who maintain antivirus isnt as im-

that antivirus can stop targeted attacks, like Advanced Persistent

potent as its critics say it is. Jaeson Schultz, a threat researcher

Threats and spear phishing, which are a substantial part of the

with Cisco Systems Security Business Group, asserted that

current threat landscape.

antivirus software has evolved over the past five years to provide

Moreover, Banga argued, antivirus is ineffective against poly-

of

greater protection. Not only has antivirus software added more

eGuide

IDG Enterprise is

COMPUTERWORLD

heuristic functionalitywhich enables it to deal more effectively

he added. Many people still depend on anti-virus as an integral

with non-signature threatsbut it blocks an assortment of mal-

part of their multi-layered defense.

ware, such as rootkits, remote access trojans (RAT), keyloggers,

While its unlikely that dire assessments of antivirus software

spyware, adware, and even potentially unwanted applications. It

will go away, its also unlikely that those assessments will be

will even protect users against malware vectors like email, social

fulfilled any time soon. As Chris Doggett, managing director of

media and files transmitted via the web.

Kaspersky Lab North America, observed, Cyber attacks will

Without AV software as part of future securities, wed be

continue to grow in number and complexity, and AV software will

giving up the idea of protecting endpoints and mobile devices,

always be a part of the bigger security solution that is fighting

leaving millions of people at the mercy of cyber criminals.

against them for both users and organizations.

It is an arms race, Schultz said. As new avenues for exploitation arise, new counter-functionality is being built into AV software.
Certainly it is a bit hyperbolic to claim AV software is dead,

of

Without AV software as part of future securities, he continued,

wed be giving up the idea of protecting endpoints and mobile devices, leaving millions of people at the mercy of cyber criminals.

Listennow
free podcast

Mobile Device
Management
listen to the
podcast

eGuide

IDG Enterprise is

COMPUTERWORLD

Endpoint Security Demands

Organizational Changes
Large organizations should delegate endpoint security to a group
dedicated to malware prevention and detection
BY JON OLTSIK, NETWORK WORLD | Pity endpoint security software.

Wow, its no wonder why some have declared that endpoint

Venerable antivirus has gotten a bad reputation for being an ineffec-

security software is dead. Negative opinions like these have put

tive commodity product. This situation is illustrated by some recently

leading security firms like Kaspersky, McAfee, Sophos, Symantec,

published ESG research (note: I am an employee of ESG). Security

Trend Micro, and Webroot on the defensive and opened the door

professionals working at enterprise organizations (i.e. more than

for endpoint antimalware upstarts like Bromium, Cisco/Sourcefire,

1,000 employees) were given a series of statements and asked wheth-

Cylance, Crowdstrike, IBM, Invincea, Malwarebytes, and Triumfant.

er they agreed or disagreed with each. The research revealed that:

No question that new threats and requirements are changing

the endpoint market and this is sure to disrupt the status quo.

62% of respondents strongly agreed or agreed with

the statement: Endpoint security software is effective for
detecting/blocking older types of malware but is not effec-

Allow me to elaborate.
Endpoint security software was considered somewhat of a

tive for detecting/blocking zero day and/or polymorphic

security panacea in the past. Install AV on each PC, maintain a

malware commonly used for targeted attacks today.

steady diet of vulnerability scanning, patch management, and

52% of respondents strongly agreed or agreed with the

statement: Our continued use of traditional endpoint security software is driven by regulatory compliance requirements for the most part.
44% of respondents strongly agreed or agreed with

That said, there is more to this story than technology alone.

signature updates and you were pretty well protected from the
flood of pedestrian adware, spyware, viruses, and worms.
This formula worked pretty well for many years, leading to a
set it and forget it mentality in many organizations. And since
AV software was part of standard PC configurations, endpoint

the statement: Endpoint security software is a commodity

security management was delegated to junior IT operations per-

product with little measurable differences between brands.

sonnel who owned PC provisioning and help desk support.

of

CISOs must take

ownership of endpoint security and
designate a group of
specialists who own
endpoint security
controls as part of an
overall responsibility
for incident prevention, detection, and
response.

eGuide

IDG Enterprise is

Alas, somewhere around 2007 the endpoint security landscape changed. Organized hackers got serious about attacks by
using stealthy malware, evasion techniques, rootkits, and zero-

COMPUTERWORLD

rity software in some minimal configuration, organizations get

breached, and pundits declare AV as dead.
This is a pathetic state of affairs, and it needs to change.

day exploits. In response, endpoint security software vendors in-

CISOs must take ownership of endpoint security and designate a

troduced countermeasures like static/dynamic payload analysis,

group of specialists who own endpoint security controls as part

file reputation services, and integrated cloud intelligence.

of an overall responsibility for incident prevention, detection, and

Yup, cybersecurity was going through a profound change as

response. This group should gain an understanding of endpoint

malware and endpoint security vendors engaged in an accel-

security requirements and product capabilities and then create a

erating cat and mouse technology game. Unfortunately, many

plan to tailor endpoint security controls to mitigate risk on vari-

of the foot soldiers in this battle (i.e. the IT operations team)

ous types of endpoint devices.

were caught in the fog of war. In too many cases, they didnt

In summary, weve treated endpoint security as a PC provi-

know about advanced malware or the new antimalware capabili-

sioning and IT operations task for too long. By doing so, we are

ties baked into their traditional AV products. These folks simply

assigning endpoint security to staffers with the wrong skills and

continued to deploy endpoint security in a default configuration,

we arent using our endpoint security tools correctly. I suggest

rendering it less-and-less effective over time.

we fix this organizational issue before making radical changes to

Regrettably, this situation still exists at many organizations. IT

operations handles endpoint security, deploys endpoint secu-

of

our endpoint security technology strategies or throwing existing

endpoint security technologies under the proverbial bus.

Listennow
free podcast

Valley
Agricultural
Upgrades
listen to the
podcast