Endpoint Security & Protection Software for Business

Dan Doggendorf gave sound advice.

Whilst some of the free or cheap platforms will provide valuable information and protection, your security strategy has to be layered. Understand what you want to protect and from whom. At some point you will need to spend money but how do you know where to spend it? There are over 5,000 security vendors to choose from.

There is no silver bullet and throwing money at it won’t necessarily fix what you are at risk from but at the same time free products are free for a reason.

If your organisation doesn’t have a large team of security experts to research the market and build labs then you need to get outside advice. Good Cyber-advisors will understand your business and network architecture therefore will ask the right questions to help you to navigate the plethora of vendors and find the ones that are right for where your business is now and where you intend it to be in the future.

Large IT resellers will sell you what they have in their catalogues based on what you ask for and give a healthy discount too but that may not fix the specific risks your business is vulnerable to. A consultative approach is required for such critical decisions.

By the way, there are free security products and services that I recommend.

Tools are not necessarily bogus. Sometimes they are just 'legacy' tools that have been around for too long and no longer fit the problem they were designed to solve, simply because IT infrastructure, organizational needs, and cybersecurity threat complexity have evolved. 

Refrain from free products

Delete products and traces of product after evaluation

Always know what you want from the cybersecurity solution. Can identify illegal operations of the products if different from its stipulated functions.

Work with recognised partners and solution providers

Download opensource from reputable sites

Open Source or Free products need proper management. Based on my experience I have found that many people who uses open source don't bother to patch them and attackers then utilize such loopholes.

One of the great example one client was using free vulnerability management plus IP scanner. And they got hit with ransomware. During the investigation I realise the attacker utilized the same tool to affect other devices on the network. The attack took his time at least 2 months unnoticed. 

One should 1st have details understanding of what he/she is looking to protect within environment as tool are specially designed for point solution. Single tool will not able to secure complete environment and you should not procure any solution without performing POC within your environment 

As there is possibility that tool which works for your peer organisation does not work in similar way for yours as each organisation has different components and workload/use case

You should build a lab, try the tools and analyze the traffic and behavior with a traffic analizer like wireshark and any sandbox or edr that shows you what the tools do, but all this should be outside your production environment, use tools that has been released by the company provider and not third party downloads or unknown or untrusted sources.

Bogus cybersecurity tools might bring about the data exfiltration, trojan horse 

There is not a single answer.

In our company, we use only company devices for workers at home and VPN appropriate clients to control the internet flows towards our company firewall.

A behavioral endpoint product is recommended. This product is likely to cooperate with your corporate signature-based antivirus.

Any good product could be used in that way. We chose well known Israel products, combined with our standard US products, at that time.

Wearing a mask while accessing your service is not a joke hardening tunneling protocols and uses the most updated one it's kind of like wearing masks.

Security is a multi-layered problem and as always the human end is the weak layer

Increasingly I believe the human layer-layer8 needs more attention. This requires getting the basics right. How are we allowing external devices into our networks? DO we own these devices? VPN Tunnels?

Or are creating a virtual working place and focus on IAM? 

This is BYOD on steroids and multiplies the attack zone. A line has to be drawn and a Trust Zone created. Traditional devices have native encryption so we allow them as trusted devices and use their native encryption. Then other policies are made. Does the employee have access to good internet(In Africa this is an issue) or do they have to go to a coffee shop or some such place? A good behavioral endpoint product will help. In some cases a company intranet. Microsoft teams are proving very accessible in Africa.

SentinelOne is my recommended solution.

The SentinelOne Endpoint Protection Platform (EPP) unifies prevention, detection, and response in a single purpose-built agent, powered by machine learning and automation. It is not reliant on hash signatures or an internet connection. SentinelOne provides prevention and detection of attacks across all major vectors and rapid elimination of threats with a fully automated real-time response without human intervention.

SentinelOne can also detect and protect against zero-day, file less and lateral movement attacks.

SentinelOne has not been breached and offers upto $1,000,000 warranty if it cannot roll back a ransomware attack.

Please contact me at cybersec@global.co.za for more information, a demonstration, or a quote.

OK a real tricky answer. There are so many out there now and all seem to have one or the other upper hand on the ransomware arena. It all depends on their back end system finally - How they analyse and how fast they analyse (even if in the wild) . And most importantly how fast u can get tech support - Try out Crowdstrike, Checkpoint, Sophos, McAfee, TrendMicro. Remember this - you need to be more specific with your actual physical scenario to get a better answer. This one is very generic in purpose.

Cortex XDR de Palo Alto Networks is the best solution in the market, because it has protection methods multiples, like are Local Machine Learning/IA, Static Analysis, Dynamic Analysis, Network Profiling, Baremetal, Exploits Protection (By technical or method, no by exploit), Kernel Protection, Behavior Anomaly Protection, etc. Best score in the Mitre att&ck Evaluation.

There are several good ones and it depends on budget, integrations needed, staff levels, etc. Crowdstrike Falcon is great if you can afford it. Price reflects "set it and forget it" type of EPP. No need to hire FTE to manage it and comes with 24x7x365 SOC. If you can manage, SentinelOne offers great detections and incident response capabilities (it is really an EDR). S1 has a ransomware rollback feature in case it gets through initial detections (can restore encrypted files if needed) and provides up to 1 million in ransom costs to back up their confidence. If you are a Checkpoint shop and want to leverage some of their other features (Cloudguard SaaS, Endpoint Encryption, etc.) then their Sandblast agent also offers great detections and a rollback feature of their own. Palo Alto traps is decent if you are a PAN shop but can get heavy on admin overhead. Same with Cisco AMP. We do not sell traditional A/V anymore because of polymorphic threats and zero day. Must have behavioral analytics and anomaly detection capabilities.

I like the potential for catching an unusual activity like that with our recently implemented endpoint detection tool, Cynet360.  It seems so far to have about the highest level of transparency into the endpoint with a 24x7x365 backing of monitoring.  

It's understood that internal tool probably shared by Internal Employee as RCA. The tool was used to reset associated Mail Address of account thereby Password Reset of Choice. In MFA of Identity related features, it's more secured on keeping it with associated Mobile Secure Pin or SoftCrypto Code in Future to avoid compromise at this moment is the lesson learned. 

The use of two factor authentication by Twitter

This is one of the Identity theft issue, which means some one hack your password or account and do activity which he she is not suppose to do. basic reason of hack of your identity or password is Social engineering. second reason is system has week privilege access management. If you have less control on admin id or privilege id then enter firm has to suffer along with the customer of that firm. For me the take away of this event is to protect privilege ID and you good PAM PIM tool with two factor and UBA included.  

Span of control, Solid RBAC, Privileged Access Management (PAM)