
© 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved.

ESG Brief

Enterprise Organizations Need Continuous Monitoring Based Upon Endpoint Visibility, Access, and Security Technology

Date: December 2014 Author: Jon Oltsik, Senior Principal Analyst

Abstract: Cybersecurity is an increasingly complex and dangerous environment. Network threats are on the rise and enterprise organizations are experiencing data breaches all the time. These are well-known issues, but it may come as a surprise that many enterprise organizations still lack the security monitoring tools necessary to address changing risks, adjust their defenses, or accelerate incident detection and response. So what's needed? Continuous monitoring based upon endpoint visibility, access, and security (EVAS) technologies. With real-time knowledge of endpoint security status and network activity, CISOs can get more proactive with risk management and greatly improve incident prevention, detection, and response.

Overview

Security professionals are growing increasingly concerned with the proliferation of dangerous cyber-threats as they relate to network security. In a 2014 ESG research report, 28% of security professionals working at enterprise organizations (i.e., more than 1,000 employees) indicated that they believe network security is much more difficult than it was two years ago, while another 51% say that network security is somewhat more difficult than it was two years ago.[1]

Why is network security growing more cumbersome? ESG research points to two distinct trends. On one hand, security professionals point to elements of the threat landscape such as sophisticated malware, targeted attacks, and malware volume. On the other hand, respondents indicate that network security is more difficult because of the proliferation of new devices, users, and network traffic (see Figure 1).[2] In aggregate, network security problems have internal and external roots, and both must be addressed.

The Visibility Gap Exacerbates Security Issues

Given the state of the threat landscape, security professionals need the right resources, skills, and oversight for mitigating cyber-risks. This points to the growing requirement for continuous monitoring of endpoints on the network, which ESG defines as:

The process and technology used to detect compliance and risk issues associated with an organization's IT assets (i.e., applications, networks, endpoints, servers, etc.) in real time.

[1] Source: ESG Research Report, Network Security Trends in the Era of Cloud and Mobile Computing, August 2014.
[2] Source: Ibid.


Figure 1. Factors That Have Made Network Security More Difficult Compared with Two Years Ago

Source: Enterprise Strategy Group, 2014.

In your opinion, which of the following factors have made network security management and operations more difficult? (Percent of respondents, N=313, three responses accepted)

An increase in sophisticated malware designed to circumvent traditional network security controls: 38%
An increase in the number of overall devices with access to the network: 36%
An increase in the number of targeted attacks that may circumvent traditional network security controls: 32%
An increase in the number of mobile devices accessing the network: 29%
An increase in the number of users with access to the network: 25%
An increase in malware volume: 25%
An increase in network traffic: 23%
An increase in the use of cloud computing services for corporate use: 21%
An increase in the "rogue" use of cloud computing services by employees and other users with legitimate access to the network: 17%
My organization's IT security department is understaffed: 15%
My organization lacks the right level of cybersecurity knowledge and skills: 12%

Armed with continuous monitoring of endpoints, CISOs can assess security status across the enterprise and then use this information to fine-tune their security controls to maximize protection. Unfortunately, few organizations have the level of network and security visibility necessary for true continuous monitoring of all endpoints. According to ESG research, only 22% of organizations claim to have an excellent level of visibility into their security status, while 18% rate their organization's level of network security visibility as fair or poor (see Figure 2).[3] And even though 59% rate their visibility level as good, they are still relying on manual processes that are cumbersome and hard to keep up with, especially as the number of devices and users on the network grows. Rather than continuous monitoring, it seems that many enterprises are fraught with security blind spots and very manual efforts, limiting their ability to understand IT risk from moment to moment.

[3] Source: ESG Research Report, Security Management and Operations: Changes on the Horizon, July 2012.

Figure 2. Level of Visibility of Security Status

Source: Enterprise Strategy Group, 2014.

Which of the following statements most accurately characterizes the level of visibility your organization has of its security status? (Percent of respondents, N=315)

Excellent. We have set up the right data collection, analysis, and dashboards to have real-time visibility of our security status: 22%
Good. We collect and analyze all of the necessary data but we depend upon manual processes and analysis for visibility into our security status: 59%
Fair. We collect and analyze all of the data we can but there are some areas where we don't have strong visibility and we depend upon manual processes and analysis for visibility into our security status: 15%
Poor. We collect and analyze some data but there are many areas where we don't have strong visibility and we depend upon manual processes and analysis for visibility into our security status: 3%
Don't know: 1%

Aside from general security visibility, ESG research points to troubling shortcomings in monitoring the security status of PCs and laptops connected to enterprise networks. When asked to identify their weakest area of PC security monitoring, 25% of organizations named monitoring PC endpoints for the download/execution of suspicious/malicious code, 20% named monitoring the applications installed on each device, and 17% named suspicious/malicious network activity (see Figure 3).[4] The problem goes beyond PCs and laptops, however. Any endpoint touching the network can be compromised, including headless devices such as VoIP phones, printers, badge scanners, and any other corporate device that is online.

[4] Source: ESG Research Report, Advanced Malware Detection and Protection Trends, September 2013.


Figure 3. Weakest Area of Security Monitoring for Endpoint PCs

Source: Enterprise Strategy Group, 2014.

With regard to endpoint PCs (i.e., desktops/laptops), in which area is your organization's security monitoring the weakest? (Percent of respondents, N=315)

Downloads / execution of suspicious / malicious code: 25%
Applications installed on each device: 20%
Suspicious / malicious network activity: 17%
Current patch levels: 14%
System changes: 11%
Operating system configuration: 8%
Other: 1%
Don't know: 3%

The Need for Continuous Monitoring

Enterprise security teams are faced with an unnerving problem: they are not really sure how many devices are connected to the network, or what the security posture of those devices is. Security blind spots prevent the security team from seeing the security state of endpoints on the network, which means enterprises cannot tell how vulnerable they are as threats change. The proliferation of mobile devices and the advent of the Internet of Things (IoT) only make matters worse. Without awareness of every device connected to the network at all times, and of the behavior of those devices (i.e., who is doing what, how, and where), IT cannot proactively adjust security controls, which means it cannot respond to changing IT risks quickly and accurately, or pick up on valuable information that could be used for incident response.

This lack of continuous monitoring of endpoints on the network is a contributing factor to the consistent parade of publicly disclosed data breaches. In the enterprise market alone, ESG research indicated in 2013 that 49% of enterprise organizations reported having experienced a successful malware attack in the previous 24 months (see Figure 4).[5] Here, a successful malware attack is defined as a malware attack that compromises an IT asset and results in some type of negative ramification such as data theft, system downtime, the need to re-image a system, etc.

[5] Source: Ibid.


Figure 4. Pervasiveness of Successful Malware Attacks

Source: Enterprise Strategy Group, 2014.

Has your organization suffered a successful malware attack in the last 24 months? (Percent of respondents, N=315)

Yes: 49%
No: 47%
Don't know: 4%

Headline-worthy breaches include financial giant JP Morgan Chase, where 76 million households and 6 million small businesses were affected. The United States Postal Service has also been hacked, and the personal data of 800,000 postal workers and 2.9 million customers was compromised. At Sunderland Healthcare Systems, stolen confidential medical information affected close to 400,000 people. And in the case of mega-retailer Target, 110 million customers had their personal data (i.e., names, addresses, and credit card numbers) stolen, leading to an extremely expensive breach, with Target reporting a bill of $148 million.

Perhaps if these companies had better visibility into what was touching their networks, these breaches could have been avoided entirely or, at the very least, the damage minimized.

Enterprise Organizations Need Endpoint Visibility, Access, and Security (EVAS) to Mitigate Risk and Ensure Compliance

CISOs must face the fact that the current environment of sporadic security monitoring and visibility blind spots is a mismatch for the increasingly dangerous threat landscape. So what's needed? Enterprises must move toward end-to-end network visibility and continuous endpoint monitoring to detect changes, identify vulnerabilities, mitigate risk, and reduce the network attack surface.

ESG believes that strong continuous monitoring depends upon a new type of security technology called endpoint visibility, access, and security (EVAS). EVAS is defined as follows:

Network security technologies that provide policy-based intelligence, enforcement, risk mitigation, and real-time monitoring of all network device access, configuration, and activities for any node attached to an IP network.

EVAS solutions are designed for continuous monitoring as they provide:

Endpoint profiling. EVAS is designed to monitor the status of all endpoints (i.e., PCs, servers, printers, mobile devices, IoT sensors and actuators, etc.) on the network. Leading EVAS solutions capture and store this information for future use in compliance audits, security investigations, and policy assessments. EVAS systems regularly collect, process, and store endpoint-centric information such as system type, configuration, applications installed, patch levels, etc.

Continuous monitoring and situational awareness. Enterprises need real-time monitoring of all endpoints so they are able to adjust security controls for prevention, detection, and response. In this scenario, security tactics can be guided by situational awareness rather than historical scans and audits. Security professionals need knowledge beyond Windows-based PCs and servers, making it essential that EVAS systems can monitor the behavior of mobile devices, printers, medical devices, HVAC systems, and IoT sensors and actuators, and identify and respond to malicious or suspicious behavior.

Granular network access and endpoint security controls. To understand their security status and take action, organizations must be able to make access decisions based on business and risk management parameters, including device type, device configuration, user location, user role and activities, the security state of the device, and whether the device is managed or unmanaged.

Integration. Enterprises need to integrate EVAS data with other security technologies including SIEM platforms, MDM tools, firewall/VPN, identity management, vulnerability scanning, and advanced threat detection (ATD). With comprehensive security data integration as a foundation, CISOs can use continuous monitoring and mitigation capabilities to improve situational awareness, risk management, incident detection/response, and security automation.

With an EVAS solution deployed, CISOs will have a complete picture of the managed/unmanaged devices on the network and the security status of these devices. This information can help them create and enforce policies to minimize risk. Additionally, EVAS technologies provide a security-centric asset database of endpoint configurations. As ISVs release an emergency patch for specific software revisions, the security team can query EVAS repositories and generate an up-to-the-minute list of vulnerable systems on the network. Finally, EVAS solutions can help accelerate and improve incident response processes. When a malicious executable is discovered, advanced EVAS solutions will detect anomalous behavior and generate alarms to help the IR team pinpoint problems and expedite remediation activities.
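The two workflows above, querying the endpoint-configuration repository for systems still running a revision below an emergency patch, and the policy-based access decisions described under "Granular network access and endpoint security controls", as an added example that is not part of the original brief and is not Great Bay Software's code or data model. The inventory records, the host names, the product name "ExampleReader", its version numbers, and the policy rule set are all constructed for illustration; a real EVAS repository would be queried through the vendor's own interface. The example goes slightly beyond the text by also reporting hosts whose version was never profiled, so that a gap in the inventory cannot masquerade as a clean result.

```python
# Added example (not from the ESG brief or Great Bay Software): querying a
# constructed endpoint-profile inventory for hosts exposed by an emergency
# patch, then deriving a network-access decision for each profile.
from dataclasses import dataclass, field
import re


@dataclass
class Endpoint:
    host: str
    device_type: str                 # "laptop", "server", "printer", "hvac", ...
    managed: bool                    # True if an agent/MDM manages the device
    apps: dict = field(default_factory=dict)  # product -> version, or None if not profiled
    profile_age_min: int = 0         # minutes since the profile was last refreshed


# Constructed inventory: hypothetical hosts and a hypothetical product name.
INVENTORY = [
    Endpoint("ws-01", "laptop", True, {"ExampleReader": "11.0.9"}, 5),
    Endpoint("ws-02", "laptop", True, {"ExampleReader": "11.0.10"}, 5),
    Endpoint("ws-03", "laptop", False, {"ExampleReader": "11.0.2"}, 3),
    Endpoint("srv-01", "server", True, {"ExampleReader": None}, 2),
    Endpoint("prn-01", "printer", False, {}, 10),
    Endpoint("ws-04", "laptop", True, {"ExampleReader": "11.0.10"}, 240),
    Endpoint("byod-01", "laptop", False, {}, 1),
]

# Hypothetical emergency advisory: ExampleReader is fixed in 11.0.10.
ADVISORY = ("ExampleReader", "11.0.10")


def version_key(version):
    """Turn '11.0.10' into (11, 0, 10) so versions compare numerically.
    Plain string comparison gets this wrong: '11.0.9' > '11.0.10'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def vulnerable_hosts(inventory, product, fixed_version):
    """Hosts running `product` below `fixed_version`, plus hosts where the
    version was never profiled (reported separately, never assumed safe)."""
    vulnerable, unknown = [], []
    for ep in inventory:
        if product not in ep.apps:
            continue
        version = ep.apps[product]
        if version is None:
            unknown.append(ep.host)
        elif version_key(version) < version_key(fixed_version):
            vulnerable.append(ep.host)
    return sorted(vulnerable), sorted(unknown)


HEADLESS = {"printer", "hvac", "voip", "badge_scanner"}


def access_decision(ep, advisory, max_profile_age_min=60):
    """Ordered policy: first matching rule wins; anything not positively
    known to be managed and current gets the least access."""
    product, fixed_version = advisory
    if ep.profile_age_min > max_profile_age_min:
        return "quarantine"          # profile too stale to base a decision on
    if product in ep.apps:
        version = ep.apps[product]
        if version is None or version_key(version) < version_key(fixed_version):
            return "remediation_vlan"  # patch-only network until confirmed fixed
    if ep.device_type in HEADLESS:
        return "iot_segment"         # headless devices talk only to their servers
    if ep.managed:
        return "full"
    return "guest"                   # unmanaged but healthy: internet-only


def decisions(inventory, advisory):
    """Access verdict for every endpoint in the inventory."""
    return {ep.host: access_decision(ep, advisory) for ep in inventory}


if __name__ == "__main__":
    vuln, unk = vulnerable_hosts(INVENTORY, *ADVISORY)
    print("vulnerable:", vuln, "unknown version:", unk)
    for host, verdict in decisions(INVENTORY, ADVISORY).items():
        print(f"{host:8} -> {verdict}")
```

Two details matter in practice. Versions are compared as integer tuples, because a naive string comparison ranks 11.0.9 above 11.0.10 and would silently leave ws-01 and ws-03 off the patch list. And a host whose version could not be profiled (srv-01) is returned in its own list and routed to the remediation network, rather than disappearing from the query as if it were patched; a stale profile (ws-04) is treated the same way, since a decision based on old data is no better than no data.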

In aggregate, EVAS solutions can provide a real-time picture of what’s happening on endpoints across the entire network. This intelligence can help enterprises improve incident prevention and fast-track incident detection and response.

Introducing Great Bay Software

EVAS is not just a vision, but rather an evolving market featuring a number of new vendors offering innovative products.

Great Bay Software is one such vendor providing an EVAS solution that can help organizations gain tighter control and comprehensive visibility into every single endpoint accessing the network. The Beacon product suite helps organizations improve network security because it can be used for device discovery/management, threat prevention/response, and device authentication. In this way, Great Bay aligns with the EVAS requirements. Furthermore, Great Bay provides reports and alerts to help organizations comply with government and industry regulations.

Aside from basic functionality, CISOs need products that can manage thousands of endpoints without bogging down the business. And given the global cybersecurity skills shortage, large organizations must also have security tools that are easy to deploy and use, and deliver near-term value. Great Bay designed its EVAS solution for scalability and ease of use, making it a good fit for the enterprise.

The Bigger Truth

Chinese military general Sun Tzu said, “If you know the enemy and know yourself, you need not fear the results of one hundred battles.” While it’s hard to know much about cyber-adversaries, enterprise organizations should know all they can about themselves. Unfortunately, they don’t have the right level of visibility into their networks or endpoints, which greatly limits their ability to defend themselves.

Bridging this gap demands a commitment to continuous monitoring because it provides real-time comprehensive data about enterprise security status and risk management changes. Armed with this intelligence, CISOs can react to new threats and vulnerabilities, fine-tune their defenses, and expedite processes around incident detection and response.

Great Bay Software offers an EVAS solution designed to address EVAS and security operations requirements at large organizations. Given this, enterprise CISOs may want to meet with Great Bay, discuss their network security strategies, and see if there is a potential fit.


The ESG brief was commissioned by Great Bay Software and is distributed under license from ESG. All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.