The five fallacies of endpoint security
A short guide to the endpoint puzzle.
If you still talk about something called “PC security” you are living dangerously in the past, or at least that is what the proponents of “endpoint security” would have you believe. Endpoints are now the sophisticated way of talking about keeping the working parts of a network secure, while the idea of “devices” or “PCs” is out.
Before dismissing this as another round of marketing jargon, consider this: the endpoint proponents might have a point. Perhaps old-world devices and PCs are not always a helpful lens through which to look at securing even quite basic networks.
People still turn up to conferences on endpoint security confused by the term, so here are some pointers to the term and why it might actually be quite useful. We’ve listed these as fallacies because the term still comes with the wrong baggage, and that’s where problems start. Be on the lookout for these fallacies. Why five? No reason. There might very well be more out there.
Endpoints are computers
Wrong. Endpoints can also be devices of almost any kind as long as they call on network resources in some way. Although PCs, laptops, PDAs and smartphones present the most obvious point of weakness on a network, they are not the only ones. Recent years have seen an extraordinary proliferation of unofficial devices that present new risks.
The most commonly-used example of an endpoint that is not a computer is probably the USB storage drive, though there are lots of others such as iPods, memory cards/readers, and even digital cameras that work in mass storage mode. They can be used to store confidential data, of course, moving it in and out of a network in ways that present information risks. Even when used legitimately, do people always encrypt the contents of these drives? Probably not.
The newest example of an endpoint with attitude is the U3 drive, an endpoint-on-an-endpoint if you like. It is identical to a conventional USB drive with one important exception – it can run specially compiled programs straight from the drive itself. Plug it in, run the executable, and then remove the U3. After using the host PC in a parasitic fashion, all traces that it was ever used to run software are removed. We know of no nefarious use for U3 drives, and there might never be one. But it does mean that applications about which little is known can be run on a network even though they are not present on a PC.
Endpoint security is about securing the endpoint
This sounds a bit obvious, but recent years have seen a subtle about-turn in how endpoints are viewed. Once, it was the endpoint (for instance a laptop) that was seen as needing to be secured using software such as desktop firewalls, anti-virus or anti-spyware. That is still the case. But that anxiety has been overtaken by the worry that the network might, conversely, need protecting from the endpoint. The endpoint is at risk and is also itself the risk.
Endpoints are therefore always devices
Arguably, endpoints can also be programs as well as physical devices if they are sitting on a client without permission. The best examples of this are P2P programs such as VoIP applications, as they can be very hard to detect. But if left alone they can consume bandwidth, offer their own software vulnerabilities and, not least, be used themselves to ship files into and information out of a network.
Controlling endpoints is best effected at the network layer
This is one way of approaching the issue. Extend the idea of perimeter control inside the network layer and use specialised hardware to firewall client traffic. This is potentially expensive and complicated, more so if the endpoints you are trying to monitor are ones you are not aware of such as P2P apps. There is a view that endpoint control should always involve something that either sits on a device or watches for their existence. The easiest place to stop a device connecting or a program running is on the PC or laptop itself.
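As an added example (not part of the original article), the following Python script shows the kind of host-side control this section argues for, applied to the U3-style case described earlier: it parses kernel log lines to find storage the kernel reports as removable, then flags programs launched from those mount points. The log lines, mount table and process-start records are all constructed, and the message formats and regular expressions are assumptions modelled on Linux usb-storage/sd output, not a particular product's logs.

```python
import re

# Constructed kernel (dmesg-style) lines for a USB mass-storage insertion;
# they mirror Linux usb-storage/sd messages but are illustrative only.
KERNEL_LOG = """\
[  101.204] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[  101.351] usb-storage 1-2:1.0: USB Mass Storage device detected
[  102.402] sd 6:0:0:0: [sdb] Attached SCSI removable disk
[  103.107]  sdb: sdb1
[  104.000] sd 0:0:0:0: [sda] Attached SCSI disk
"""
# Constructed mount table (block device -> mount point).
MOUNTS = {"/dev/sda1": "/", "/dev/sdb1": "/media/usb0"}
# Constructed process-start records (pid, executable path) from a host agent.
EXEC_EVENTS = [
    (4101, "/usr/bin/firefox"),
    (4188, "/media/usb0/portable_tool"),
    (4190, "/media/usb0/tools/helper"),
    (4201, "/media/usb0-old/viewer"),  # shares a prefix but is a different mount
]
REMOVABLE_RE = re.compile(r"\[(?P<dev>sd[a-z])\] Attached SCSI removable disk")
BLOCKDEV_RE = re.compile(r"/dev/(sd[a-z])\d*")

def removable_mounts(log, mounts):
    """Mount points whose backing disk the kernel reported as removable."""
    disks = {m.group("dev") for m in REMOVABLE_RE.finditer(log)}
    found = set()
    for device, mount_point in mounts.items():
        m = BLOCKDEV_RE.fullmatch(device)
        if m and m.group(1) in disks:
            found.add(mount_point)
    return found

def execs_from_removable(events, removable):
    """Process starts whose executable lies under a removable mount point.
    Matches whole path components, so /media/usb0-old does not match /media/usb0."""
    flagged = []
    for pid, path in events:
        if any(path == mp or path.startswith(mp.rstrip("/") + "/") for mp in removable):
            flagged.append((pid, path))
    return flagged

def report(log=KERNEL_LOG, mounts=MOUNTS, events=EXEC_EVENTS):
    """Run both checks together on the constructed data."""
    return execs_from_removable(events, removable_mounts(log, mounts))

if __name__ == "__main__":
    for pid, path in report():
        print(f"pid {pid}: program launched from removable media: {path}")
```

On a real host the same two checks would be fed from the kernel log, /proc/mounts and an execution audit source rather than the constructed values above.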
What about systems such as Cisco’s NAC?
This is a great idea but it has one catch that will slow its adoption down – you have to throw out bits of your current network infrastructure and buy new ones from Cisco, or other NAC vendors. That’s a hell of a cost to solve the endpoint problem given that there are probably cheaper alternatives.
Whatever your perspective, prepare to spend money. Securing networks is not going to get any cheaper.