The IT Pro’s Guide to Simplified Endpoint Security

How to reduce the complexity of securing your organization’s endpoints—and make your life easier.

October 2011
WP-EN-10-17-11

Overview

“There is never any justification for things being complex when they could be simple.” So says Edward de Bono, author, inventor, Nobel prize nominee and originator of the concept of lateral thinking.

That’s certainly true of endpoint security. There was a time when endpoint security simply meant admonishing employees to use strong passwords on their computer terminals. But those days are long gone. With proliferating laptops, smartphones and other endpoint devices; multiplying third-party apps and productivity tools, along with their associated vulnerabilities; and escalating threats from polymorphic viruses, botnets, SQL injections and other attacks, endpoint security has never been more challenging.

As a result, you need to grapple every day with a growing number of security applications and security-management consoles. Meanwhile, your users face degraded system performance from the numerous antivirus (AV) programs, firewalls and other security measures that sit on their devices. That’s costing your entire organization time, money and focus. And let’s face it: the more complex your security, the weaker it’s going to be.

But the fact is all that endpoint-security complexity is largely unnecessary. It’s possible to achieve true defense-in-depth—with layers of patch management, application control, device control and AV—without slow performance and complex management. By deploying the right security software and techniques, you can slash the number of management consoles you need to worry about, streamline the amount of agents that plague user devices, avoid lost time, resources and money, and make your own life just a little bit easier.

Endpoint Complexity, Agent Bloat

Endpoint security has become tougher quite simply because the endpoint environment has become more dynamic and complex. For starters, there are just more endpoints. Employees now have desktops, laptops, smartphones and other devices. And those endpoints are no longer chained to a desk. Instead, they move around the enterprise and around the world. All the while, they’re carrying more and more data—about customers, products, financials, strategy, competitive positioning, and more.

On top of that, employees increasingly rely on a range of third-party and social-media apps to do their jobs—and manage their personal lives. These apps are downloaded onto endpoints, often without strict centralized oversight, where they bring with them security vulnerabilities that can’t be effectively mitigated with traditional approaches such as Windows Server Update Services (WSUS).

Then there are the growing endpoint threats, from sophisticated viruses, click-jacking, social engineering, and more. New threats, or new twists on old ones, are commonplace and need to be assessed, addressed and brought under control. It’s no wonder IT managers report that the areas with the greatest increase in potential risk are desktops/laptops and mobile/remote employees.[1]

So what do you do? If you’re like most security pros, you throw technology at the problem. (See Figure 1.) And now your endpoints carry the extra burden of individual agents for firewalls, anti-spyware, patch management, encryption, intrusion detection, and at least one AV product, probably several. In fact, the average endpoint today houses three to five individual security agents, and it’s not at all unusual for an endpoint to be bloated with 10 agents.[2]

[Figure 1] Common Technologies for Protecting and Managing Endpoints (columns: Protect, Manage)
Data
»» Full-disk encryption
»» Online backup/recovery
»» Endpoint device/port controls
»» Agent-based data-loss prevention
Applications
»» Application controls/application whitelisting
»» Software distribution
»» Software inventory/usage management
»» Application virtualization
Networks
»» Personal firewalls
»» Intrusion detection/prevention
»» Network access control
Platforms
»» Antivirus
»» IT asset management
»» Anti-spyware
»» Configuration/change management
»» Patch management
»» Configuration/change management
Source: Aberdeen Group, “Endpoint Security, Endpoint Management,” 2009
IT organizations must grapple with a growing range of security and management solutions to keep control over their endpoints.

Consoles Run Amok

Endpoint complexity doesn’t just mean more agents on your endpoints. It also leads to more consoles for IT security professionals to manage.

Today’s organizations have likely invested in a broad range of endpoint-security products, including AV, endpoint firewalls, application firewalls, patch management, encryption, intrusion detection, configuration management, vulnerability assessment, application whitelisting, network access control, data-loss prevention and removable-media control.

And each one of those point products can require you or your staff to access and monitor a separate management console. In fact, the average organization now grapples with three to five different consoles to manage day-to-day endpoint-security functions.[3]

It’s no surprise, then, that security pros increasingly feel overwhelmed by the endpoint-security tools they need to keep track of. The result is discouraging, if predictable: Only 38 percent of organizations say their endpoint security is well-managed, and only 37 percent say they have the necessary resources to minimize endpoint risk.[4] (See Figure 2.)

[Figure 2] Attributes about endpoint security
Agree = strongly agree and agree combined. Disagree = unsure, disagree and strongly disagree combined.
»» Our IT and security personnel are qualified to execute endpoint security operations. Agree 51%, Disagree 49%
»» New whitelisting technologies make it easier to efficiently manage endpoint security risks. Agree 42%, Disagree 58%
»» Our IT endpoint risk management procedures and policies are well documented. Agree 41%, Disagree 59%
»» IT executives are supportive of our organization’s endpoint security operations. Agree 41%, Disagree 59%
»» Existing blacklisting technologies (anti-virus/anti-malware) are effective in managing endpoint security risks. Agree 39%, Disagree 61%
»» Our endpoint security operations are well managed. Agree 38%, Disagree 62%
»» We have ample resources to minimize IT endpoint risk throughout our organization. Agree 37%, Disagree 63%
Source: Ponemon Institute, “State of Endpoint Risk,” December 2010
Organizations report that they lack sufficient resources to minimize endpoint risk, and that endpoint security remains poorly managed.

Diminishing Returns

The problems with too many agents and too many consoles—that is, with unnecessary endpoint-security complexity—are manifold:

»» Increased time demands for security pros— The first and most obvious issue is the impact on IT department time and resources. And make no mistake: “The burden for keeping endpoint systems secure, compliant and well-managed is nearly always a centralized function shouldered by the IT group,” according to “Endpoint Security, Endpoint Management,” an Aberdeen Group report.

The fact is, there will always be new security threats to learn about, plan for and deal with. And that’s where your attention should be, to ensure optimum protection and business continuity for your organization. If your time is taken up with staying on top of multiple consoles for endpoint-security point products, your focus won’t be on more strategic issues.

»» Decreased productivity for users— But it’s not just the IT department’s focus and productivity that’s at stake. Every new security agent that gets tossed onto your users’ endpoints delivers a performance hit to their machines.

Those degraded response times, while hard to measure in the aggregate, cost real dollars in lost productivity. They also lead to less satisfied users. Users who are more likely to be distracted from the job at hand and erode your organization’s strategic focus. And, incidentally, users who are more likely to call the helpdesk with performance complaints, bringing the issue full circle back to the IT department.

What’s worse, users then become more apt to take endpoint security into their own hands—clearly not the way to ensure efficient, effective security across your organization. Remarkably, 36 percent of endpoint devices are managed by the user, not the enterprise. And because a growing number of users have more than one endpoint, there are 40 percent more endpoints than end users.[5] Which means there are a lot of endpoints that aren’t well-managed from a security perspective.

»» Rising costs— The result of increased time demands and decreased productivity is greater cost. In fact, 48 percent of companies report an increase in their IT organization’s operating costs. The primary cost drivers are increasing helpdesk calls, reimaging of endpoints, consumption of IT-staff bandwidth, and lost employee productivity.[6] (See Figure 3.)

Those numbers aside, perhaps the bigger issue is that many costs associated with endpoint-security complexity are largely unseen. Exactly how much time, productivity and money are leaking away can be difficult to ascertain. And you can’t manage what you can’t measure.

There’s also the expense for the point solutions you’re throwing at endpoint security. The price tag for each product might seem reasonable in the short term, but in the aggregate they can spell high total cost of ownership (TCO). In fact, nearly one-half of the TCO of every endpoint is now associated with security management.[7]

»» Sinking security— But the biggest problem is that the more complex and costly your endpoint security, the less effective it’s going to be. The more time it takes for security managers to handle security, the more onerous it is for users to keep their endpoints secure, the more company resources are strained, the less time, focus and money will be available to ensure your endpoints are truly protected.

[Figure 3] What are the main cost drivers to increasing IT operating expenses?
Source: Ponemon Institute, “State of Endpoint Risk,” December 2010
Endpoint complexity, increased demands on IT staff and decreased employee productivity are among the top drivers of IT costs.

The facts speak for themselves. Fully 98 percent of organizations experience at least one virus or malware network intrusion a year. And 89 percent of organizations have lost sensitive data because of security incidents.[8] That’s despite the fact organizations are investing more and more in endpoint security.

But the toughest security challenge isn’t the vulnerabilities, threats or attacks. The most vexing security issue organizations face is complexity. In fact, 54 percent of IT security pros cite managing the complexity of security as their No. 1 challenge.[9]

Selling Endpoint Security

It almost always comes down to cost. That’s true for business, it’s true for politics, and yes, it’s true for IT security. Security-investment decisions are ultimately made by the business side of the house. And educating business managers on the finer points of polymorphic malware and host-based intrusion prevention is probably a losing battle. But if you can appeal to the purse strings, if you can take your case to the pocketbook, then you have a much better chance of getting the financial support you need to ensure a strong security profile.

And the way to achieve that is by targeting endpoint-security complexity. Consider: The top three drivers of endpoint investments are the increased mobility of sensitive information, user productivity, and security-related incidents such as data loss. That’s according to “Endpoint Security, Endpoint Management,” an Aberdeen Group survey of managers, directors and executives on their approaches to endpoint protection.

At the same time, the top inhibitors of endpoint investments are “the complexity of the typical endpoint environment and the perceived complexity of current endpoint security,” Aberdeen reports. In other words, security concerns are key reasons for endpoint investments. But the complexity of those endpoints, and of the technologies for securing them, are the key reasons against making those investments.

By focusing on reducing endpoint-security complexity, you can not only reduce the TCO of protecting your endpoints. You can also provide clarity to management to gain their buy-in and ensure you’re investing in the mechanisms that will keep your endpoints truly protected.

Simplify, Simplify, Simplify

For a growing number of organizations, the solution to endpoint complexity—and to the associated productivity, cost and security penalties—is to replace their hodgepodge of point products with an integrated endpoint-security suite.

That’s the approach observed in an Aberdeen Group survey of managers, directors and executives responsible for endpoint security. Results of the study enabled Aberdeen to identify “best-in-class” organizations—those that perform best in terms of IT security incidents and management costs.

“The best-in-class companies in the study are about 11 percent more likely to strive for an integrated security and management solution for all endpoints, as opposed to implementing endpoint security and management solutions deemed most appropriate for the immediate problem at hand,” according to the report. “This long-arching trend toward a platform approach, versus the perpetuation of existing, independently managed silos, is another characteristic of the best-in-class that repeats itself consistently in the thread of Aberdeen’s IT security research.”

The top strategies driving endpoint investments among these best-in-class organizations include establishing and enforcing consistent endpoint policies and procedures; educating users on endpoint security, compliance and management; moving toward common security solutions for all endpoints; and augmenting existing endpoint security with centralized management.[10] (See Figure 4.)

[Figure 4] Top Strategies Driving Current Endpoint Investments (bar chart, Best-in-Class series; data labels 64%, 64%, 36%, 36%)
»» Establish and enforce consistent policies and procedures related to endpoints
»» Educate end-users about endpoint security, compliance, and management policies and practices
»» Strive towards common security and management solutions for all endpoints
»» Augment existing endpoint security solutions with centralized management
Source: Aberdeen Group, “Endpoint Security, Endpoint Management,” 2009
Top endpoint-security strategies among “best-in-class” organizations include enforcing consistent policies, educating users, moving toward common endpoint-security solutions, and adding centralized management.

Finding the Suite Spot

Replacing point products with an integrated endpoint security suite might sound like a daunting—and expensive—undertaking. But a well-designed suite solution will make the transformation efficient and cost-effective in the short term, and it will pay off in stronger security dividends over time.

For starters, an effective suite solution should be modular. That allows you to deploy only what you require today and then add functionality as your needs change. And it should include an installation manager, so you can quickly and easily deploy new capabilities. That also affords you a level of scalability that even the most robust point products can’t match.

Those modules should include everything you need to ensure strong endpoint security, including AV, patch management, configuration management, application control, device control, asset management and power management. In fact, a good suite will deliver improved security compared to your old point products, while ensuring that the features and functions are integrated and work together seamlessly. To that end, the solution should be built on a single back-end database, it should rely on a single, modular agent at the endpoints, and it should be manageable from a single security console.

That management console should give you true visibility into your endpoint-security posture and a single version of the truth. It should also allow role-based access so that one console can be used by multiple IT, security and compliance pros. That’s in sharp contrast with a collection of consoles for various point products or a “single” console that actually saddles you with a different interface for each security function.

A good suite will enable the convergence of both security and operations for your endpoints. Likewise, it should ensure unified workflows for endpoint assessment, security management, incident response and continuous improvement. And it should enable shared visibility, policy and reporting management. That lets you approach endpoint security from a strategic standpoint, rather than responding on an ad-hoc basis to new threats and unexpected incidents.

The advantages of an integrated solution are clear and compelling:
»» Fewer management consoles
»» A lower number of endpoint agents
»» A simplified interface
»» Decreased complexity
»» Increased visibility
»» Lower staff requirements
»» Reduced cost
»» Improved security

In fact, the potential for reduced cost alone is notable: Organizations can save as much as $24 per endpoint per year through an integrated platform and greater consolidation.[11] (See Figure 5.)

But perhaps the biggest benefit of an integrated endpoint-security suite is consolidated security information and visibility. The aggregation of formerly disparate views enables you to achieve a complete understanding of your risk profile and drive toward a stronger security profile. Ultimately, you gain the ability to make your endpoint security cheaper and more effective. And if it makes your life a little easier in the process, there’s certainly nothing wrong with that.

Ready to take the next step? Access the free Interactive Endpoint Security and Endpoint Operations Benchmark Assessment, developed by Aberdeen Group and sponsored by Lumension. In just a few minutes, you’ll gain insight to identify the strategies, capabilities and technologies you need to achieve best-in-class endpoint security.

[Figure 5] Top Benefits of Integrated Endpoint Management Suite (bar chart; horizontal axis: Percent, 0 to 60)
»» Improved security
»» Reduced cost
»» Reduced staff requirements
»» Increased visibility
»» Simplified interface
»» Reduced complexity
»» Fewer endpoint agents
»» Fewer management consoles
Source: Ponemon Institute, “State of Endpoint Risk,” December 2009
The top benefits of an integrated endpoint management suite range from a reduced number of consoles and agents to a better overall security posture, according to a global survey of IT security pros.

Lumension® Endpoint Management and Security Suite

Lumension® Endpoint Management and Security Suite is a single, integrated endpoint security suite designed to deliver best-in-class security functionality through a single-console, single-agent, single-server platform. Its modular architecture covers AV, patch management, configuration management, application control, device control, asset management and power management.

Also included is innovative “intelligent whitelisting,” which provides a high level of endpoint security and flexibility, reducing malware risks and costs without negatively affecting employee productivity.

Lumension® Endpoint Management and Security Suite enables you to take control of your endpoints through an agile solution suite that simplifies systems management, improves operational visibility and delivers more effective security—all while reducing endpoint complexity and TCO.

1. Ponemon Institute, “State of Endpoint Risk,” 2010
2. Ponemon Institute, “State of the Endpoint,” 2009
3. Ibid.
4. Ponemon Institute, “State of Endpoint Risk,” 2010
5. Aberdeen Group Analyst Insight, 2011
6. Ponemon Institute, “State of Endpoint Risk,” 2010
7. Aberdeen Group, “Endpoint Security, Endpoint Management,” 2009
8. Ponemon Institute, “State of Endpoint Risk,” 2010
9. Ibid.
10. Aberdeen Group, “Endpoint Security, Endpoint Management,” 2009
11. Aberdeen Group, “Endpoint Security, Endpoint Management,” 2009

About Lumension Security, Inc.

Lumension Security, Inc., a global leader in operational endpoint management and security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, and Compliance and Risk Management offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Florida, Texas, Luxembourg, the United Kingdom, Germany, Ireland, Spain, France, Australia, and Singapore. Lumension: IT Secured. Success Optimized.™ More information can be found at www.lumension.com.

Lumension, Lumension Patch and Remediation, Lumension Vulnerability Management Solution, “IT Secured. Success Optimized.”, and the Lumension logo are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners.

Global Headquarters
8660 East Hartford Drive, Suite 300
Scottsdale, AZ 85255 USA
phone: +1.888.725.7828
fax: +1.480.970.6323
www.lumension.com