One Endpoint Agent to Rule Them All
December 16, 2014
As a significant part of my job, I regularly help customers architect and roadmap network, security and investigative technology solutions. At some point in this process, we always get down to the endpoint, looking at what functionality they need and which tools are right for the job. The problem is, there is a great big hole in the endpoint security and investigative space with dozens of vendors chipping away at it from all sides. No single product or vendor can meet the needs. And even if combining all the tools in existence were possible, some problems still would not be solved. I don’t want to elaborate too far on that subject, as it would take volumes.
Invariably, we end up with multiple endpoint agents in order to meet their needs. This cumulatively (or sometimes independently) has a side effect of over-utilizing endpoint resources or having unanticipated conflicts that bring the computer or its applications down.
The question is always asked: “Why isn’t there a vendor that creates a tool that does all of my security and investigative needs?” After all, no matter what functionality you’re talking about - endpoint antivirus, anti-malware, forensics, eDiscovery, DLP, application execution whitelisting, continuous monitoring, behavior analysis, application activity restriction, activity retrospection, IPS - most all of the tools are monitoring file I/O, process activity and network sockets.
This line of thought is generally followed by a few more questions, like: “Why is it that most vendors create a tool around a single workflow or a couple set of workflows?” “If they’re already shimmed in and invasively monitoring, why don’t they look for everything else that is important too?” The list of valid questions goes on…
There are likely many answers to these questions and most of them likely revolve around resources, time-to-market, profitability and other important business concepts - not to mention the fact that building such a multi-faceted monster is fraught with difficulty at every turn. Nonetheless, it is a worthy endeavor. Nobody is saying that they need to build it all at once. They could chip away at it.
If we’re looking for an ideal endpoint solution, it should at minimum provide the follow functionalities:
- Continuous monitoring of volatile data and activity
- Endpoint-based indexing of all data contained on hosts
- Distributed searching of endpoints and file stores
- Centralized access, searching and viewing of all collected content
- Behavioral analysis and anomaly detection
- Least prevalence identification
- Investigative ability not limited to the security perimeter
- Application restrictions to profiled, known good behavior
- Application whitelisting
- Patch management and policy configuration
- Antivirus/anti-malware capabilities
- Scanning for IOCs / YARA rules
- Full enterprise forensic capabilities
- Malicious activity containment
- Remediation capabilities (surgical and full)
So a better question is “Why isn’t building such a useful tool even on most security and investigative software companies’ roadmaps.” After all, if they add the functionality one workflow at a time, it seems entirely doable if architected properly. Moreover, with everyone searching, hoping and praying for a solution that can remove the stain of failed antivirus from their network and replace it with something that works, there should be a lot of motivation to do this.
The first company with a viable replacement for antivirus that actually identifies and stops viruses, worms, malware, intrusion attempts, malicious process injection, rootkits, etc. AND fills the AV compliance checkbox will quickly have companies switching to their solution. Further, if that solution can meet the other investigative needs mentioned above and replace another half dozen or more agents from the endpoint, they could easily corner the market. Who wouldn’t want that in their environment? I could sell that all day long…
Until then, we need to continue to solve the problem by combining disparate technologies to fill the gaps. Moreover, we need to be diligent about requesting what we want from security software manufacturers and giving them a clear picture of what we really want. The only way development teams will have the determination to accomplish a project this big is if it is supported by overwhelming public demand.