Six Essentials to Total Endpoint Security

By adopting technology that takes a centralized, unified approach to critical endpoint security needs, businesses can ensure control of their endpoints.

Securing corporate endpoints is increasingly important in today’s business environment. As threats to endpoint devices continue to grow, long gone are the days when all you had to worry about were viruses and malware. Today, securing endpoint devices means accounting for new types of issues such as USB devices, outdated patches, more covert malware that includes rootkits, unauthorized programs, and threats involving remote endpoints like credential hijacking. Complicating matters is the increasing mobility of endpoint devices. Executives fly here. Managers drive there. Everyone is on the go, necessitating a security strategy that keeps mobile devices locked down and mobile data protected. Industry analysts estimate that between 1,500 to 3,000 laptops are stolen each day. And the number of companies reporting stolen laptops containing sensitive data increased 81 percent from 2005 to 2006, according to the Ponemon Institute 2006 study on data breaches. These figures do not even consider laptops lost in airports, taxis, or elsewhere.

While threats continue to increase, so do the number of endpoint security applications and management consoles used to stop them. It is not unusual for a typical enterprise PC to run separate security agents for antivirus, desktop firewall, anti-spyware, and file or disk encryption software, each centrally managed by a single-purpose console. The multi-agent approach makes it costly and time consuming for administrators to update, monitor, test, and manage security policy for these applications, including all the required software and signature updates. In addition, multiple agents can consume excessive CPU and memory resources, creating unpredictable or degraded system performance, often disrupting employee productivity and generating an abundance of low-priority helpdesk calls.

There is a better way. By adopting technology that takes a centralized, unified approach to addressing critical endpoint security needs, businesses can ensure control of their endpoints once and for all. Here are six endpoint security essentials for companies to shore up their defenses:

Mitigate malware
According to Kaspersky Labs, nearly 20,000 new malware outbreaks were reported from January to July 2007. Potentially, that means 20,000 new, hard-to-find endpoint security problems. These problems aren’t limited to viruses, rootkits, and proxies. Distributed denial of service attacks fall into this category, too. The best ways to limit these destructive processes are to block attacks with heuristic and behavioral-based antivirus and anti-spyware, complemented by effective program control, which is important to mitigating malware because not only can it block known malicious programs running on endpoint PCs, but it also can help control programs such as peer-to-peer file sharing applications that are increasingly targeted to compromise endpoint systems. However, controlling programs is often more easily said than done. With hundreds of thousands of programs on the Internet that could wind up on corporate PCs, defining and enforcing a security policy regarding which programs to allow or deny can be very time consuming. Therefore, an essential function of program control is the ability to automate most policy decisions, so IT staff does not have to spend time researching programs. Ideally, this is done via a knowledge base of known good and known malicious programs from which a best-practices policy on whether they should be allowed or denied can immediately be applied.

Protect data
With workers constantly on the go, lost equipment is an inevitable reality that should drive companies to deploy full-disk encryption and keep endpoint data locked down and secure. This practice not only secures corporate secrets, it keeps sensitive information completely protected in the event of loss. And this is even more important today with strong personal privacy laws now requiring disclosure of security breaches when personal information is breached. If a laptop is lost or stolen with a fully encrypted drive, companies can avoid disclosure of the breach, as well as damage related to corporate reputation if the news makes the headlines. Encrypting hard drives is not enough, though. Enterprises must also consider threats posed by removable media such as USB flash drives, iPods, and Bluetooth devices. First, these devices can carry viruses or other malware. Second, they can be an easy way for sensitive data to leak outside the business if not properly protected. Some of the best practices for endpoint security are to apply policy for both: controlling device access, scanning the content of allowed devices to ensure there are no viruses present, and encrypting data on these devices so the data remains protected.

Enforce endpoint policy compliance
Even if you have the best technologies to mitigate malware and secure data, endpoints can still be compromised if virus signatures or service patches are out of date. That's where network access control (NAC) comes in. This technology helps secure networked endpoints prior to allowing them network access. It does this by including preadmission endpoint security policy checks for endpoint devices to ensure that they meet the predefined security policy, such as having current antivirus software or the latest patches. If protection is adequate, access is granted. If not, the technology quarantines endpoints and facilitates remediation to help install the proper updates.

Enable secure remote access
With computing devices more mobile than ever, it's critical to lock down the connections by which users are logging into the corporate network. The very best endpoint security solutions incorporate this kind of secure remote access effortlessly—through the same interface with which users log in. The best approach here is a remote access agent—users log in once, and everything they do from then on occurs in a secure space. Storing credentials in this agent also makes it easy for users to access sites with different connectivity requirements. And there are other reasons to consider a solution that offers a remote access agent with essential endpoint security functions:

• Minimizing overall agent footprint, including CPU and memory utilization, to help ensure endpoint systems run smoothly
• Eliminating duplicate management tasks and engineering test cycles associated with software updates—standard for two or more agents
• Ensuring interoperability between remote access and NAC functions, helping streamline policy checks for remote users authenticating through a gateway

Streamline security management
On the back end, it's important to centralize endpoint security management so that administrators can use one console to configure endpoints, administer policies, monitor performance, and analyze data from the network as a whole. This isn't only about making life easier for administrators, it's also about reducing maintenance costs of managing and updating a multi-agent solution. Unification also helps improve security audit support by unifying, standardizing, and automating reporting functions. In best-case scenarios, administrators can even deploy baseline security policies using predefined policy templates.

Minimize end-user impact
Finally, even the most hardened and efficient endpoint security solutions shouldn’t sap bandwidth or processing power from other important end-user functions. With this in mind, the best strategies embrace centralized agents with small footprints and low memory utilization. Transparency in other areas is also important—ideally, an endpoint security solution should be so silent in its protection that users dont even see an icon in their system trays. For users, the bottom line is functionality and ease-of-use. For administrators, security should be paramount.

The Check Point approach
In addition to mastering these six endpoint security essentials, it's critical for administrators to keep their network security posture current. One way is to task specific personnel with the job of keeping tabs on the latest threats. An easier way is to use a service that charts threats and potential problems automatically. Check Point has a Security Research & Response team that handles both, reducing the resources and time needed to maintain endpoint security. What's more, a focused, professional effort improving security posture improves the quality of application-policy decisions while minimizing the need for end-user involvement. Today Check Point Endpoint Security remains the first and only single agent that combines all essential components for total security on the endpoint. This includes the highest-rated firewall, antivirus, anti-spyware, full disk encryption, media encryption with port protection, network access control (NAC), program control and VPN. This strong and complete endpoint security offering is complimented with a new distribution utility and Vista support, further simplifying custom installations and deployments across the enterprise and expanded platform support translating into lower TCO and greater flexibility respectively.