Why Endpoint Security Is Still Tough

Having tested a number of endpoint-security products and lectured to several audiences is still no substitute for actually seeing what works in the field and what doesn't. And while the products are getting better, there are still no magic, one-size-fits-all solutions. I wanted to share with you some of the things I have learned from my visits.

Most of the vendors are very XP-centric, and some are only now getting around to supporting that other Windows operating system that is finding its way onto desktops, you know, Vista? And when it comes to non-Windows platforms, such as Mac OS, Linux and PDAs, most vendors are behind the times.

There are products, such as StillSecure's Safe Access, that support both agent and agentless operation, but many of the agentless products still provide only a small subset of the protection that their Windows XP agents do. Of course, one solution is simply to standardize on XP SP2 for all your desktops.

Remediation measures are spotty, and in some cases non-existent. When your security product finds a non-compliant endpoint, how do you get it fixed, and what does the end user see? Do you shunt them off to a quarantined network, where they can't do much beyond updating their patch levels and browser protection? Or do you block them entirely?

How you go about implementing this will affect your support resources, which is why many of you have not gone whole-hog into 100% remediation, even when it is available.

How you manage your security policies across your enterprise can make or break which product you end up purchasing. Some of the products require more work than others to integrate with the firewalls, intrusion-detection systems and other protective measures you already have in place.

In one situation, the corporation used its endpoint strategy to control network access by tying in biometrics. When users authenticate by swiping their fingerprints, they gain access to the network resources and a fully encrypted local hard drive. (Seagate builds encryption into some of its hard drives, and that was what was being used in this case.)

Do you really need to protect everyone? Some of the shops I have seen implement their endpoint software for just consultants, guests and others who aren't on managed desktops. Some have to protect everyone, such as my alma mater, Union College. It largely depends on what your desktop population is: the proportion of managed machines and the proportion of guest workers coming in the front door.

The theory is that the managed desktop can be locked down, and you don't have to worry as much about these systems as about the random PC that walks in off the street, infected to the hilt. This can also apply to the remediation measures you implement; you may want to start small here and work your way up.
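The quarantine-or-block choice from the remediation discussion above, together with the question of which population to check and the advice to start small, can be written down as an explicit admission policy. What follows is an added example written for this column, not code from StillSecure or any other vendor mentioned here; the endpoint attributes, the thresholds, the remediation hosts and the monitor/enforce split are all assumptions chosen to illustrate the decisions a NAC product has to make.

```python
"""Added example: a small network-access-control (NAC) posture policy.

Illustrative code written for this column, not any vendor's product. The
endpoint attributes, thresholds, remediation hosts and enforcement modes are
assumptions chosen for the example.
"""
from dataclasses import dataclass, field

# Where a quarantined machine may still connect: enough to patch and update
# antivirus, nothing else. Constructed example hostnames.
REMEDIATION_DESTINATIONS = (
    "wsus.example.internal:8530",      # assumed internal patch server
    "av-updates.example.internal:80",  # assumed antivirus signature mirror
)


@dataclass
class Endpoint:
    hostname: str
    managed: bool                  # under desktop management, not a guest
    os: str                        # "winxp-sp2", "vista", "macos", "linux", ...
    missing_critical_patches: int
    av_signature_age_days: int
    agent_present: bool            # agentless checks see far less than an agent


@dataclass
class Policy:
    mode: str = "monitor"          # "monitor" only records; "enforce" acts
    check_managed: bool = False    # False: guests only; True: everyone
    max_missing_patches: int = 0
    max_av_age_days: int = 7
    # Platforms for which the (assumed) product ships an agent at all.
    agent_platforms: frozenset = frozenset({"winxp-sp2", "vista"})


@dataclass
class Decision:
    action: str                    # "allow", "quarantine" or "block"
    reasons: list = field(default_factory=list)
    allowed_destinations: tuple = ()   # populated only for quarantine


def evaluate(ep: Endpoint, pol: Policy) -> Decision:
    """Classify one endpoint under the policy."""
    # Managed desktops are skipped unless the policy covers everyone.
    if ep.managed and not pol.check_managed:
        return Decision("allow", ["managed desktop, not checked by policy"])

    reasons = []
    if ep.missing_critical_patches > pol.max_missing_patches:
        reasons.append(f"{ep.missing_critical_patches} critical patches missing")
    if ep.av_signature_age_days > pol.max_av_age_days:
        reasons.append(f"antivirus signatures {ep.av_signature_age_days} days old")

    if ep.os in pol.agent_platforms and not ep.agent_present:
        # An agent exists for this platform but is not running, so the figures
        # above are unverified self-reports. Treat that as a hard block.
        reasons.append("no posture agent on a supported platform")
        return _enforce(Decision("block", reasons), pol)

    if not reasons:
        return Decision("allow", ["compliant"])
    # Fixable problems go to quarantine with just enough reachability to fix them.
    return _enforce(Decision("quarantine", reasons, REMEDIATION_DESTINATIONS), pol)


def _enforce(d: Decision, pol: Policy) -> Decision:
    """Apply the policy mode: in monitor mode, record the verdict but let the host on."""
    if pol.mode == "monitor" and d.action != "allow":
        return Decision("allow", d.reasons + [f"would {d.action} (monitor mode)"])
    return d


if __name__ == "__main__":
    # Constructed sample population: a guest laptop, a managed desktop, an XP
    # box with no agent, and an agentless Mac.
    sample = [
        Endpoint("guest-laptop", False, "vista", 3, 1, True),
        Endpoint("desk-0412", True, "winxp-sp2", 5, 30, True),
        Endpoint("xp-noagent", False, "winxp-sp2", 0, 0, False),
        Endpoint("consultant-mac", False, "macos", 0, 20, False),
    ]
    for pol in (Policy(mode="monitor"), Policy(mode="enforce", check_managed=True)):
        print(f"--- mode={pol.mode} check_managed={pol.check_managed}")
        for ep in sample:
            d = evaluate(ep, pol)
            print(f"{ep.hostname:15} {d.action:10} {'; '.join(d.reasons)}")
```

Two design points are worth noting. Quarantine is only useful if the quarantined segment can reach the patch and signature servers and nothing else, which is why the decision carries the allowed destinations with it rather than leaving that to the network team to guess. And the monitor mode is what lets you start small: run with `mode="monitor"` and `check_managed=False`, look at what would have been quarantined or blocked, and only then widen the population and flip to enforcement.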