Having tested a number of endpoint-security products and lectured to several audiences is still no substitute for actually seeing what works in the field and what doesn’t. And while the products are getting better, there are still no magic, one-size-fits-all solutions. I wanted to share with you some of the things I have learned from my visits.
Most of the vendors are very XP-centric, and some are only now getting around to supporting that other Windows operating system that is finding its way onto desktops: you know, Vista? And when it comes to non-Windows platforms, such as Mac OS, Linux and PDAs, most vendors are behind the times.
There are products, such as StillSecure’s Safe Access, that support both agent and agentless operation, but many of the agentless products still provide only a small subset of the protection that their Windows XP agents do. Of course, one solution is to just standardize on XP SP2 for all your desktops.
Remediation measures are spotty, and in some cases non-existent. When your security product finds a non-compliant endpoint, how do you get it fixed, and what does the end user see? Do you shunt them off to a quarantined network, where they can’t do much beyond updating their patch levels and browser protection? Or do you block them entirely?
How you go about implementing this will affect your support resources, which is why many of you have not gone whole-hog into 100% remediation, even where it is available.
How you manage your security policies across your enterprise can make or break which product you end up purchasing. Some of the products require more or less work to integrate with the firewalls, intrusion systems and other protective measures you already have in place.
In one situation, the corporation used its endpoint strategy to control network access by tying in biometrics. When users authenticate by swiping their fingerprints, they gain access to the network resources and a fully encrypted local hard drive. (Seagate has nice built-in encryption on its hard drives, which was being used in this case.)
Do you really need to protect everyone? Some of the shops I have seen implement their endpoint software for just consultants, guests and others who aren’t on managed desktops. Some have to protect everyone, such as my alma mater, Union College. It largely depends on what your desktop population is: the proportion of managed machines and the proportion of guest workers coming in the front door.
The theory is that the managed desktop can be locked down, and you don’t have to worry as much about these systems as about the random PC that walks in off the street, infected to the hilt. This can also apply to the remediation measures you implement; you may want to start small here and work your way up.