Having tested a number of endpoint security products and lectured to several audiences is still no substitute for actually seeing what works and what doesn’t in the field. And while the products are getting better, there are still no magic, one-size-fits-all solutions. I wanted to share with you some of the things that I have learned from my visits.
First off, most of the vendors are very XP-centric, and some are only now getting around to supporting that other Windows OS that is finding its way onto desktops, you know, Vista? And when it comes to non-Windows platforms, such as Mac OS, Linux, and PDAs, most of the folks are still behind the times. There are products such as StillSecure's Safe Access that support both agent and agentless operation, but many of the agentless products still provide only a small subset of the protection that their Windows XP agents do. Of course, one solution is to just standardize on XP SP2 for all your desktops, too.
Second, remediation measures are spotty, and in some cases non-existent. When your security product finds a non-compliant endpoint, how do you get it fixed and what does the end user see? Do you shunt them off to a quarantined network, where they can’t do much beyond update their patch levels and browser protection? Or do you block them entirely? How you go about implementing this will impact your support resources, which is why many of you have not gone whole-hog into 100% remediation, even if it were available.
Third, how you manage your security policies across your entire enterprise can make or break which product you end up purchasing. Some of the products require more or less work to integrate with the firewalls, intrusion systems, and other protective measures that you already have in place. In one situation, the corporation used its endpoint strategy to control network access by tying in biometrics. When a user authenticates by swiping their fingerprint, they gain access to the network resources and to a fully encrypted local hard drive, too. (Seagate builds very nice encryption into its hard drives, and that is what was being used in this case.)
Fourth, do you really need to protect everyone? Some of the shops I have seen implement their endpoint software for just consultants, guests, and others who aren't on managed desktops. Some have to protect everyone, such as on the college campus of my alma mater, Union College. It largely depends on what your desktop population is: the proportion of managed machines, and the proportion of guest workers who are coming in the front door. The theory is that the managed desktop can be locked down, so you don't have to worry as much about those systems as about the random PC that walks in off the street, infected to the hilt. This can also apply to the remediation measures that you implement: you may want to start small here and work your way up, too.
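To make the second and fourth points concrete, here is a small admission-policy engine that I have added as an illustration; it is not code from the post, from StillSecure, or from any other vendor mentioned. It takes a posture report for an endpoint, decides between ALLOW, QUARANTINE (the endpoint can reach only the patch and signature update servers) and BLOCK (an actively infected machine gets nothing, since a quarantine VLAN is still a network it can spread across), and has an `enforce_managed` switch that lets you start by quarantining only guests and consultants and extend enforcement to managed desktops later. The host names, thresholds, posture fields and sample reports are all assumptions made up for the example.

```python
"""Graduated remediation for endpoint admission decisions (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed hosts that a quarantined endpoint may still reach in order to fix itself.
REMEDIATION_HOSTS = ("wsus.corp.example", "av-updates.corp.example")
MAX_SIG_AGE = timedelta(days=7)   # antivirus signatures older than this count as stale


@dataclass
class Posture:
    """What the endpoint agent (or an agentless scan) reported; fields are assumed."""
    host: str
    managed: bool                  # on a managed desktop image, not a guest/consultant box
    missing_critical_patches: int
    av_signature_date: date
    firewall_enabled: bool
    active_infection: bool = False


@dataclass
class Decision:
    verdict: str                   # "ALLOW", "QUARANTINE" or "BLOCK"
    reasons: list = field(default_factory=list)
    reachable: tuple = ()          # what the endpoint is allowed to talk to


def posture_problems(p: Posture, today: date) -> list:
    """Return the list of compliance failures; empty means the endpoint is clean."""
    problems = []
    if p.missing_critical_patches:
        problems.append(f"{p.missing_critical_patches} critical patch(es) missing")
    if today - p.av_signature_date > MAX_SIG_AGE:
        problems.append("antivirus signatures stale")
    if not p.firewall_enabled:
        problems.append("host firewall disabled")
    return problems


def evaluate(p: Posture, today: date, enforce_managed: bool = False) -> Decision:
    """Graduated remediation.

    - An actively infected machine is blocked outright.
    - A non-compliant guest/consultant machine is shunted to quarantine, where it
      can only reach the remediation hosts.
    - A non-compliant managed desktop is logged but allowed while enforce_managed
      is False ("start small"); set it to True to extend quarantine to the fleet.
    """
    if p.active_infection:
        return Decision("BLOCK", ["active infection reported"], ())
    problems = posture_problems(p, today)
    if not problems:
        return Decision("ALLOW", [], ("*",))
    if p.managed and not enforce_managed:
        return Decision("ALLOW", ["monitor only: " + "; ".join(problems)], ("*",))
    return Decision("QUARANTINE", problems, REMEDIATION_HOSTS)


def admit_all(postures, today: date, enforce_managed: bool = False) -> dict:
    """Map host name -> verdict for a batch of endpoints."""
    return {p.host: evaluate(p, today, enforce_managed).verdict for p in postures}


# Constructed sample posture reports; these are not real hosts.
TODAY = date(2008, 3, 1)
SAMPLE = [
    Posture("desk-101", True, 0, date(2008, 2, 28), True),
    Posture("desk-102", True, 2, date(2008, 2, 1), True),            # managed, behind on patches
    Posture("consultant-laptop", False, 3, date(2008, 1, 15), False),
    Posture("guest-pc", False, 0, date(2008, 2, 27), True, active_infection=True),
]

if __name__ == "__main__":
    for p in SAMPLE:
        for enforce in (False, True):
            d = evaluate(p, TODAY, enforce)
            print(f"{p.host:18} enforce_managed={enforce!s:5} -> {d.verdict:10} {d.reasons}")
```

Run as written, the managed desktop that is behind on patches is admitted with its problems logged, the consultant laptop lands in quarantine with only the two update servers reachable, and the infected guest PC is blocked; with `enforce_managed=True` the managed desktop is quarantined as well, which is the "work your way up" step.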