How to choose an endpoint security solution

Endpoint security has come a long way. What started as simple antivirus has evolved into something much greater. Along with greater functionality has come greater complexity, and a greater need for requirements gathering and user acceptance testing, Jamie Graves, Co-Founder and CEO, Zonefox, explains.

Gone are the days where you could simply choose the endpoint security vendor with the highest detection rate. Here is a brief guide to help you understand the different endpoint security methodologies and how to select the right solution for your company:

Although there are several types of endpoint security solutions to choose from, these are the main contestants:

  • Traditional antivirus: the original crimefighter. Signature-based, this form of protection is good for detecting and stopping the known threat, but definitely needs backup.
  • Post-AV prevention: next-generation solutions that provide further protection by using whitelists or known-exploit behaviours to block malicious applications.
  • Endpoint monitoring and behavioural analysis: endpoint security solutions that monitor user activity and compare it with baselines and policies to be able to quickly alert when a user is doing something out of the ordinary.

What is the best type of endpoint security? It depends.

The real question is: which endpoint security solution is best for you? When you are looking at endpoint security solutions, the first thing you should be looking for is not the methodology for detection or protection. Initially, you need to determine which types of endpoint security solution will fit into your environment. Here are some discovery questions to ask:

  • Why do we need an endpoint security solution? Understanding how your business operates, and your current network security posture, provides insight into which gaps you need to fill. Are you trying to prevent theft of client data, or are you more concerned with system corruption? Once you’ve identified the problem(s), you can look at the different solutions.
  • Which type of endpoint agent should we use? When performing duties that require maximum uptime and real-time decisions, you must have effective endpoint security. Using a lightweight agent to detect and analyse anomalous behaviour provides enhanced network- and host-based detection, more granular security alerts for security analysts, and decreased false positives. Endpoint security products rooted in the prevention realm will use signatures – either for blacklisting or whitelisting applications – in order to permit or deny applications and traffic on your systems. Determine whether you need one of these solutions, or a combination of both, to best suit your needs.
  • What are my success criteria? When performing proof of concept testing, most vendors will provide a list of success criteria based on how their solution should behave. However, you need your own success criteria as well. Using findings from a business impact analysis or controls from a standard such as PCI can provide useful success criteria. Once you have identified security gaps, make sure that any endpoint security solutions you consider meet your needs.

The next step is a demo and proof of concept testing. It is one thing to test out software to ensure that all of the functionality exists, but what if deploying the solution in your environment causes unforeseen breakdowns? Ask yourself:

  • Do we have the resources to support this solution? Some endpoint security solutions have a lightweight agent that is simple to deploy throughout your environment and manage centrally. Some require a lot of up-front configuration. Many require fairly consistent tuning to reduce false-positive results.
  • Will this solution make my life easier? Does the solution protect you from the bad stuff, while enabling the good stuff? If you are constantly creating exceptions for users, or require several user groups to avoid false positives and loss of production, the answer to this question is a resounding ‘no’. You want a solution that will keep users safe without impacting your business or adding overhead to your security team.
  • Does this solution impact day-to-day operations? You want to ensure that an endpoint security solution doesn’t negatively impact your day-to-day work. It doesn’t matter if a solution has a 100% detection and prevention rate: if your users can’t do their jobs, the solution becomes a problem. Ensure that users with a wide range of duties and access test the solution before you make any decisions.
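
To make the difference between the three methodologies listed earlier and the false-positive tuning problem raised in the questions above concrete, here is a small added example. It is not Zonefox's code or any product's logic; the users, processes, hashes and byte counts are all constructed for illustration, and the "known bad" hash is a placeholder rather than a real indicator. It runs a signature check and a per-user baseline comparison over the same constructed events, then shows how an analyst's exception list changes the alert count.

```python
"""Toy comparison of signature-based and baseline-driven endpoint detection.

Constructed example: every event, hash and user name below is made up for
illustration; nothing here is a real product's data or detection logic.
"""
from collections import defaultdict
from statistics import mean

# Constructed "known bad" signature list (placeholder hash, not a real IoC).
KNOWN_BAD_HASHES = {"deadbeef-placeholder-1"}

# Constructed historical events used to learn what "normal" looks like per user.
BASELINE_EVENTS = [
    {"user": "alice", "process": "excel.exe",   "hash": "h-excel",   "hour": 9,  "bytes_out": 20_000},
    {"user": "alice", "process": "outlook.exe", "hash": "h-outlook", "hour": 10, "bytes_out": 50_000},
    {"user": "alice", "process": "excel.exe",   "hash": "h-excel",   "hour": 14, "bytes_out": 30_000},
    {"user": "bob",   "process": "code.exe",    "hash": "h-code",    "hour": 8,  "bytes_out": 5_000},
    {"user": "bob",   "process": "git.exe",     "hash": "h-git",     "hour": 17, "bytes_out": 400_000},
    {"user": "bob",   "process": "code.exe",    "hash": "h-code",    "hour": 13, "bytes_out": 8_000},
]

# Constructed events to evaluate: one binary on the block list, one unfamiliar
# tool, one bulk transfer at an odd hour, and ordinary activity for contrast.
NEW_EVENTS = [
    {"user": "alice", "process": "excel.exe",   "hash": "h-excel",                "hour": 11, "bytes_out": 25_000},
    {"user": "alice", "process": "dropper.exe", "hash": "deadbeef-placeholder-1", "hour": 11, "bytes_out": 1_000},
    {"user": "alice", "process": "7z.exe",      "hash": "h-7z",                   "hour": 23, "bytes_out": 900_000},
    {"user": "bob",   "process": "git.exe",     "hash": "h-git",                  "hour": 18, "bytes_out": 350_000},
    {"user": "bob",   "process": "rclone.exe",  "hash": "h-rclone",               "hour": 12, "bytes_out": 6_000},
]


def signature_alerts(events, known_bad=KNOWN_BAD_HASHES):
    """Traditional AV style: flag only hashes already on the block list."""
    return [e for e in events if e["hash"] in known_bad]


def build_baseline(events):
    """Per-user profile: processes seen, observed working-hour window, mean bytes out."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    baseline = {}
    for user, evs in by_user.items():
        hours = [e["hour"] for e in evs]
        baseline[user] = {
            "processes": {e["process"] for e in evs},
            "hour_range": (min(hours), max(hours)),
            "mean_bytes": mean(e["bytes_out"] for e in evs),
        }
    return baseline


def behavioural_alerts(events, baseline, exceptions=frozenset(), volume_factor=5):
    """Compare each event with its user's baseline; return (event, reasons) pairs.

    `exceptions` holds (user, process) pairs an analyst has tuned out. Each one
    silences alerts, so a growing list is the warning sign the article describes.
    """
    alerts = []
    for e in events:
        profile = baseline.get(e["user"])
        if profile is None:
            alerts.append((e, ["no baseline for user"]))
            continue
        if (e["user"], e["process"]) in exceptions:
            continue
        reasons = []
        if e["process"] not in profile["processes"]:
            reasons.append("new process for user")
        lo, hi = profile["hour_range"]
        if not lo <= e["hour"] <= hi:
            reasons.append("outside usual hours")
        if e["bytes_out"] > volume_factor * profile["mean_bytes"]:
            reasons.append("data volume above baseline")
        if reasons:
            alerts.append((e, reasons))
    return alerts


if __name__ == "__main__":
    profile = build_baseline(BASELINE_EVENTS)
    print("signature hits:", [e["process"] for e in signature_alerts(NEW_EVENTS)])
    for event, reasons in behavioural_alerts(NEW_EVENTS, profile):
        print(f"{event['user']:6} {event['process']:12} -> {', '.join(reasons)}")
    tuned = behavioural_alerts(NEW_EVENTS, profile, exceptions={("bob", "git.exe")})
    print("alerts after one exception:", len(tuned))
```

In the constructed data the signature check catches exactly one event (the block-listed binary) and nothing else, while the baseline comparison raises four alerts, including bob's late-evening git push, which is the sort of benign outlier that tempts an administrator into adding an exception. Adding that single exception drops the count to three; in a real deployment the question is how many such exceptions you end up maintaining, which is the overhead the discovery questions above are meant to surface before purchase.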

Selecting an endpoint security solution is no longer a trivial task. It may take digging, business impact analysis, and some proof of concept exercises, but finding the answer to the above questions will save you a lot of headaches in the long run. Implementation of an endpoint security solution need not be an arduous process; if you ask the right questions up front, choose a lightweight solution that can be easily deployed and monitored, and thoroughly test with your own success criteria, you will be better prepared to protect your users and assets.


Edited for web by Cecilia Rehn.