Endpoint Protection (EPP) for Business Forum

Ariel Lindenfeld
Sr. Director of Community
IT Central Station
Mar 27 2021


it_user400131: Evaluation of endpoint protection should look at what the product offers for prevention, detection and remediation. On prevention, does the product provide basic exposure prevention, the ability to prevent the end user's device from navigating to known malicious sites, or to insert unauthorized external media (USB)? Does the product prevent the execution of malware, either through heuristic matching, emulation, download reputation or signatures? If exposed to malware, does the product provide robust malicious action detection: run-time behaviors, exploit detection, malicious command and control beaconing, etc.? Last, the product needs to include robust remediation capabilities, not simply malware removal but the ability to understand the root cause of the threat and what led to the detection of malicious activity. With that last bit of information you should be able to scan the network for other similar indicators of compromise, so you can fully remediate the detected activity. Often malware today involves the exploit of running applications with no payload delivery; in these situations it is critical that the endpoint product can detect/block and take action on memory-resident threats. It gets fairly complex, but the key evaluation criteria are what it does to Prevent, Detect and Remediate malicious activity. Any vendor without a good story for all of this is just a point solution in the overall security posture for your company.
it_user762459: Key points for me are speed, scale & reporting, and I generally classify my toolkit into these compartments.
J Rice: Being more advanced than a signature-based system. Its ability to detect lateral movement and not just remediate but prevent attacks before they start.
IT Central Station
Jan 13 2021

There are many cybersecurity tools available, but some aren't doing the job that they should be doing. 

What are some of the threats that may be associated with using 'fake' cybersecurity tools?

What can people do to ensure that they're using a tool that actually does what it says it does?

SimonClark: Dan Doggendorf gave sound advice. Whilst some of the free or cheap platforms will provide valuable information and protection, your security strategy has to be layered. Understand what you want to protect and from whom. At some point you will need to spend money, but how do you know where to spend it? There are over 5,000 security vendors to choose from. There is no silver bullet and throwing money at it won't necessarily fix what you are at risk from, but at the same time free products are free for a reason. If your organisation doesn't have a large team of security experts to research the market and build labs then you need to get outside advice. Good cyber-advisors will understand your business and network architecture and therefore will ask the right questions to help you navigate the plethora of vendors and find the ones that are right for where your business is now and where you intend it to be in the future. Large IT resellers will sell you what they have in their catalogues based on what you ask for, and give a healthy discount too, but that may not fix the specific risks your business is vulnerable to. A consultative approach is required for such critical decisions. By the way, there are free security products and services that I recommend.
Dan Doggendorf: The biggest threat is that risks you think you have managed are not managed at all, so you and your executive team have a completely false sense of security. This is even worse than not having any tool in place. With no tool in place, you at least know you have a vulnerability. There are several ways to ensure a tool is doing what it is supposed to do.
1. Product Selection - when selecting a tool, do not focus on what a tool can do. Focus on what you want the tool to do. You drive the direction of the sales demo, not the sales team.
2. Product Implementation - use professional services to implement and configure the solution. Your team should be right there with them as a knowledge transfer session, but the professional who installs and configures the product every day should drive the install, not someone who wants to learn.
3. Trusted Partners - find yourself a trusted partner (or partners) who can help guide you. This should consist of product testing lab partners, advisors who live and breathe the space daily, and resellers with a strong engineering team.
Javier Medina: You should build a lab, try the tools and analyze the traffic and behavior with a traffic analyzer like Wireshark and any sandbox or EDR that shows you what the tools do, but all this should be outside your production environment. Use tools that have been released by the company provider and not third-party downloads or unknown or untrusted sources.
IT Central Station
Nov 02 2020

With remote work having become the norm for many, what security should businesses have in place? Do you have suggestions of specific products that businesses should look at?

Philippe Panardie: There is not a single answer. In our company, we use only company devices for workers at home and appropriate VPN clients to control the internet flows towards our company firewall. A behavioral endpoint product is recommended. This product is likely to cooperate with your corporate signature-based antivirus. Any good product could be used in that way. We chose well-known Israeli products, combined with our standard US products, at that time.
Letsogile Baloi: Security is a multi-layered problem and, as always, the human end is the weak layer. Increasingly I believe the human layer, layer 8, needs more attention. This requires getting the basics right. How are we allowing external devices into our networks? Do we own these devices? VPN tunnels? Or are we creating a virtual working place and focusing on IAM? This is BYOD on steroids and multiplies the attack zone. A line has to be drawn and a Trust Zone created. Traditional devices have native encryption, so we allow them as trusted devices and use their native encryption. Then other policies are made. Does the employee have access to good internet (in Africa this is an issue) or do they have to go to a coffee shop or some such place? A good behavioral endpoint product will help. In some cases a company intranet. Microsoft Teams is proving very accessible in Africa.
Omer Mohammed: Wearing a mask while accessing your service is not a joke; hardening tunneling protocols and using the most updated one is kind of like wearing masks.
IT Central Station

Why should businesses invest in endpoint security?

What tips do you have for businesses to ensure that they have the right endpoint security measures in place?

reviewer1257849: The endpoint is the weakest link on the network. Since we put in all the best security measures protecting the data, and the users/endpoints have access to data directly, businesses should have the same level of security measures on the endpoints.
IT Central Station

Which EPP provider does the best job at ransomware protection? Which provider is best at proactively defending against unknown threats?

Paresh Makwana: Cylance: One of the fastest growing vendors in the Endpoint Security market, Cylance has built its reputation on the back of proactive and preventive antivirus technology based on artificial intelligence, machine learning, and algorithmic science. Headquartered in Irvine, California and with offices around the world, Cylance was founded by a team of security industry professionals and scientists with the goal to "redefine the endpoint standard of protection by preventing threats from ever executing." Bottom Line: Cylance's signatureless anti-malware provides an alternative to traditional, signature-based technology, and benefits from easy deployment and management, low performance impact, and high detection rates against new threat variants. The company is a good pick for companies of all sizes looking to shore up existing defenses, or for an alternative to traditional anti-malware. The most valuable feature is the ability to respond to zero-day and unknown threats. Cylance's AI and machine learning ensure that all types of malware and PUPs (Potentially Unwanted Programs) are detected and your endpoint devices are fully protected, even with day-zero threats.
Steve Pender: SentinelOne is my recommended solution. The SentinelOne Endpoint Protection Platform (EPP) unifies prevention, detection, and response in a single purpose-built agent, powered by machine learning and automation. It is not reliant on hash signatures or an internet connection. SentinelOne provides prevention and detection of attacks across all major vectors and rapid elimination of threats with a fully automated real-time response without human intervention. SentinelOne can also detect and protect against zero-day, fileless and lateral movement attacks. SentinelOne has not been breached and offers up to a $1,000,000 warranty if it cannot roll back a ransomware attack. Please contact me at cybersec@global.co.za for more information, a demonstration, or a quote.
reviewer1272021: There are several good ones and it depends on budget, integrations needed, staff levels, etc. CrowdStrike Falcon is great if you can afford it. Price reflects the "set it and forget it" type of EPP. No need to hire an FTE to manage it, and it comes with a 24x7x365 SOC. If you can manage it, SentinelOne offers great detections and incident response capabilities (it is really an EDR). S1 has a ransomware rollback feature in case it gets through initial detections (can restore encrypted files if needed) and provides up to 1 million in ransom costs to back up their confidence. If you are a Check Point shop and want to leverage some of their other features (CloudGuard SaaS, Endpoint Encryption, etc.) then their SandBlast agent also offers great detections and a rollback feature of their own. Palo Alto Traps is decent if you are a PAN shop but can get heavy on admin overhead. Same with Cisco AMP. We do not sell traditional A/V anymore because of polymorphic threats and zero-days. Must have behavioral analytics and anomaly detection capabilities.
Menachem D Pritzker
Director of Growth
IT Central Station

On July 15, 2020, several verified Twitter accounts with millions of followers were compromised in a cyberattack. Many of the hacked accounts were protected using two-factor authentication, which the hackers were somehow able to bypass.

Hacked accounts included Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Mike Bloomberg, Warren Buffett, Kim Kardashian, and Kanye West, Benjamin Netanyahu, and several high profile tech companies, including Apple and Uber.

The hackers posted variations of a message asking followers to transfer thousands of dollars in Bitcoin, with the promise that double the donated amount would be returned.

How could Twitter have been better prepared for this? How do you rate their response?

Ken Shaurette: For some good information from a leading expert, check out the webinar today 7/17 on BrightTALK by Alex Holden. We have a lot of questions about the Twitter breach but not so many answers. I can tell you that similar cryptocurrency fraud campaigns are ongoing on different social media platforms and on a different scale. Tomorrow (Friday) at 11 am CT on BrightTALK https://lnkd.in/eRuXaca we will discuss what we know about the breach and disturbing patterns that are emerging everywhere.
Ken Shaurette: I like the potential for catching unusual activity like that with our recently implemented endpoint detection tool, Cynet360. It seems so far to have about the highest level of transparency into the endpoint, with 24x7x365 backing of monitoring.
Russell Webster: Span of control, solid RBAC, Privileged Access Management (PAM).
IT Central Station

What is the difference between a compromise assessment and threat hunting? How do each contribute to Endpoint Protection?

Geoffrey Poer: A Compromise Assessment (CA) is an active and generally scheduled engagement that is looking for malicious activity, undiscovered breaches, and threats. It generally is performed with a DIFFERENT set of security tools/services than what is being used by the team day to day. Often they encompass active scanning and/or vulnerability assessments in addition to network and system analysis. The goal is to identify bad actors and initiate incident response and forensic plans. A common mistake happens when teams try to use this process as the main component of the identification, containment, and forensics processes. In my experience, they should be considered separate to be effective. Threat Hunting (TH) is an ongoing process that leverages current datasets and tools to look at the data in a different way. TH comes in many forms, from manual searches looking for suspicious data to leveraging outlier and anomaly detection or other machine learning/advanced analytics. Really good threat hunting teams are able to take new Tactics, Techniques, and Procedures (TTPs) or Indicators of Compromise (IOCs) and specifically look for events, files, and/or behavior that would depict potential malicious activity specific to those TTPs or IOCs. Generally, TH is a jump-off point to dig deeper into a dataset or system based on a good hypothesis with supporting data. If EPP was installed then it missed it. Both of these activities are looking for failures in a security process or tool. If EPP wasn't installed then the question is why, and how do we get something deployed in the future (probably as part of the remediation phase of the incident response process) that would have identified or stopped the compromise/malicious activity.
Nikki Webb: Threat hunting typically comes before a compromise assessment. Threat Hunting is looking for IOCs or TTPs being used within an environment to identify a compromise or potential compromise. Once identified you can then move to assessing the compromise.
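As an added illustration (not code from any forum participant or from a vendor named on this page) of the two hunting activities described in this thread and in the first thread above, the following Python script runs a hypothesis-driven hunt over constructed endpoint telemetry: it matches a small set of IOCs (a file hash and a domain) and one TTP-style rule (an Office application spawning a shell), then pivots on a matched hash to find every other host that saw the same file, which is the "scan the network for other similar indicators of compromise" step. The IOC values, host names, process names and log records are all constructed placeholders.

```python
"""Added example: IOC- and TTP-driven threat hunting over JSON-lines endpoint
telemetry, followed by a network-wide pivot on a matched indicator.
Everything here (IOCs, hosts, records) is constructed for illustration."""
import json
from dataclasses import dataclass

# Constructed IOC set; the hash and domain are placeholders, not real indicators.
SAMPLE_HASH = "0" * 63 + "1"
IOCS = {
    "sha256": {SAMPLE_HASH: "dropper-sample"},
    "domains": {"update-check.example.invalid": "c2-domain"},
}

# TTP hypothesis: document readers should not be launching command shells.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}

# Constructed endpoint telemetry, one JSON record per line (not real data).
_TEMPLATE = """
{"host":"ws01","type":"process","pid":412,"image":"winword.exe","parent_image":"explorer.exe"}
{"host":"ws01","type":"process","pid":530,"image":"powershell.exe","parent_image":"winword.exe"}
{"host":"ws01","type":"file","pid":530,"path":"C:/Users/a/AppData/Local/Temp/x.exe","sha256":"{HASH}"}
{"host":"ws01","type":"dns","pid":530,"query":"update-check.example.invalid"}
{"host":"ws01","type":"dns","pid":412,"query":"www.example.com"}
{"host":"ws02","type":"process","pid":88,"image":"cmd.exe","parent_image":"explorer.exe"}
{"host":"ws02","type":"file","pid":88,"path":"C:/Users/b/Downloads/x.exe","sha256":"{HASH}"}
"""
TELEMETRY = _TEMPLATE.replace("{HASH}", SAMPLE_HASH)


@dataclass(frozen=True)
class Hit:
    rule: str     # which hunt rule fired
    host: str     # endpoint the event came from
    pid: int      # process the event is attributed to
    detail: str   # human-readable context for the analyst


def parse_telemetry(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events, iocs):
    """Return every event that matches a known IOC or the Office-spawns-shell TTP."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file" and ev.get("sha256") in iocs["sha256"]:
            label = iocs["sha256"][ev["sha256"]]
            hits.append(Hit("ioc_hash", ev["host"], ev["pid"], f"{ev['path']} ({label})"))
        elif kind == "dns" and ev.get("query") in iocs["domains"]:
            label = iocs["domains"][ev["query"]]
            hits.append(Hit("ioc_domain", ev["host"], ev["pid"], f"{ev['query']} ({label})"))
        elif (kind == "process"
              and ev.get("parent_image") in OFFICE_APPS
              and ev.get("image") in SHELLS):
            hits.append(Hit("ttp_office_spawns_shell", ev["host"], ev["pid"],
                            f"{ev['parent_image']} -> {ev['image']}"))
    return hits


def hosts_with_hash(events, sha256):
    """Pivot: every host that recorded a file with this hash, for scoping remediation."""
    return sorted({ev["host"] for ev in events
                   if ev.get("type") == "file" and ev.get("sha256") == sha256})


if __name__ == "__main__":
    evs = parse_telemetry(TELEMETRY)
    for h in hunt(evs, IOCS):
        print(f"[{h.rule}] {h.host} pid={h.pid}: {h.detail}")
    # Pivot on the matched hash to see how far the file has spread.
    print("hosts with dropper-sample:", hosts_with_hash(evs, SAMPLE_HASH))
```

The TTP rule is the "good hypothesis with supporting data" in the post above: it fires on ws01 even though nothing about that PowerShell process is on an IOC list, while the hash pivot shows that ws02, which raised no behavioral alert, holds the same file and belongs in the remediation scope.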