
One Endpoint Agent to Rule Them All

December 16, 2014

As a significant part of my job, I regularly help customers architect and roadmap network, security and investigative technology solutions. At some point in this process, we always get down to the endpoint, looking at what functionality they need and which tools are right for the job. The problem is, there is a great big hole in the endpoint security and investigative space with dozens of vendors chipping away at it from all sides. No single product or vendor can meet the needs. And even if combining all the tools in existence were possible, some problems still would not be solved. I don’t want to elaborate too far on that subject, as it would take volumes.

Invariably, we end up with multiple endpoint agents in order to meet their needs. This cumulatively (or sometimes independently) has a side effect of over-utilizing endpoint resources or having unanticipated conflicts that bring the computer or its applications down.

The question is always asked: “Why isn’t there a vendor that creates a tool that does all of my security and investigative needs?” After all, no matter what functionality you’re talking about - endpoint antivirus, anti-malware, forensics, eDiscovery, DLP, application execution whitelisting, continuous monitoring, behavior analysis, application activity restriction, activity retrospection, IPS - almost all of the tools are monitoring file I/O, process activity and network sockets.

This line of thought is generally followed by a few more questions, like: “Why is it that most vendors create a tool around a single workflow or a small set of workflows?” “If they’re already shimmed in and invasively monitoring, why don’t they look for everything else that is important too?” The list of valid questions goes on…

There are likely many answers to these questions and most of them likely revolve around resources, time-to-market, profitability and other important business concepts - not to mention the fact that building such a multi-faceted monster is fraught with difficulty at every turn. Nonetheless, it is a worthy endeavor. Nobody is saying that they need to build it all at once. They could chip away at it.

If we’re looking for an ideal endpoint solution, it should at minimum provide the following functionalities:

  • Continuous monitoring of volatile data and activity
  • Endpoint-based indexing of all data contained on hosts
  • Distributed searching of endpoints and file stores
  • Centralized access, searching and viewing of all collected content
  • Behavioral analysis and anomaly detection
  • Least prevalence identification
  • Investigative ability not limited to the security perimeter
  • Application restrictions to profiled, known good behavior
  • Application whitelisting
  • Patch management and policy configuration
  • Antivirus/anti-malware capabilities
  • Scanning for IOCs / YARA rules
  • Full enterprise forensic capabilities
  • Malicious activity containment
  • Remediation capabilities (surgical and full)
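As an added illustration of the “least prevalence identification” item above (example code written for this page, not code from the original post or from any vendor’s agent): the analysis assumes each endpoint agent reports a list of (path, sha256) records to a central store, then “stacks” those records to find file hashes that exist on only one or two hosts, and, more usefully, well-known paths whose hash on a minority of hosts differs from the hash everyone else carries. The host inventories and hash strings below are constructed placeholders, not real indicators.

```python
"""Least-prevalence ("stacking") analysis over endpoint file inventories.

Added example, not part of the original post. Assumes each endpoint agent
reports (path, sha256) records; the inventories and hash values below are
constructed sample data, not real indicators of compromise.
"""
from collections import defaultdict

# Constructed sample inventories: host -> list of (path, sha256).
# Hash values are placeholders so the signal is easy to read.
SAMPLE_INVENTORIES = {
    "ws-001": [
        (r"C:\Windows\System32\svchost.exe", "hash-svchost-common"),
        (r"C:\Windows\explorer.exe", "hash-explorer-common"),
        (r"C:\Tools\admintool.exe", "hash-admintool"),
    ],
    "ws-002": [
        (r"C:\Windows\System32\svchost.exe", "hash-svchost-common"),
        (r"C:\Windows\explorer.exe", "hash-explorer-common"),
        (r"C:\Tools\admintool.exe", "hash-admintool"),
    ],
    "ws-003": [
        (r"C:\Windows\System32\svchost.exe", "hash-svchost-common"),
        (r"C:\Windows\explorer.exe", "hash-explorer-common"),
        (r"C:\Users\alice\AppData\Local\Temp\update.exe", "hash-update-rare"),
    ],
    "ws-004": [
        # Same path as every other host, but a different hash: a path outlier.
        (r"C:\Windows\System32\svchost.exe", "hash-svchost-odd"),
        (r"C:\Windows\explorer.exe", "hash-explorer-common"),
    ],
    "ws-005": [
        (r"C:\Windows\System32\svchost.exe", "hash-svchost-common"),
        (r"C:\Windows\explorer.exe", "hash-explorer-common"),
    ],
}


def build_prevalence(inventories):
    """Map each hash to the set of hosts and the set of paths it was seen at."""
    hosts_by_hash = defaultdict(set)
    paths_by_hash = defaultdict(set)
    for host, records in inventories.items():
        for path, digest in records:
            hosts_by_hash[digest].add(host)
            paths_by_hash[digest].add(path.lower())  # Windows paths: case-insensitive
    return hosts_by_hash, paths_by_hash


def least_prevalent(inventories, max_hosts=1):
    """Return (hash, hosts, paths) for hashes present on at most max_hosts hosts.

    Rarest first; ties broken by hash so the output is deterministic.
    """
    hosts_by_hash, paths_by_hash = build_prevalence(inventories)
    rare = [
        (digest, sorted(hosts), sorted(paths_by_hash[digest]))
        for digest, hosts in hosts_by_hash.items()
        if len(hosts) <= max_hosts
    ]
    rare.sort(key=lambda item: (len(item[1]), item[0]))
    return rare


def path_outliers(inventories, min_path_hosts=3):
    """For paths seen on many hosts, report hashes carried by only a minority.

    A well-known path (svchost.exe) with an unusual hash on one host is a
    stronger signal than a merely rare file, so this is reported separately.
    """
    hashes_by_path = defaultdict(lambda: defaultdict(set))
    for host, records in inventories.items():
        for path, digest in records:
            hashes_by_path[path.lower()][digest].add(host)
    outliers = []
    for path, by_hash in sorted(hashes_by_path.items()):
        total_hosts = sum(len(hosts) for hosts in by_hash.values())
        if total_hosts < min_path_hosts or len(by_hash) < 2:
            continue  # not widespread enough, or everyone agrees on the hash
        majority = max(len(hosts) for hosts in by_hash.values())
        for digest, hosts in by_hash.items():
            if len(hosts) < majority:
                outliers.append((path, digest, sorted(hosts)))
    return outliers


if __name__ == "__main__":
    for digest, hosts, paths in least_prevalent(SAMPLE_INVENTORIES, max_hosts=2):
        print(f"rare: {digest} on {hosts} at {paths}")
    for path, digest, hosts in path_outliers(SAMPLE_INVENTORIES):
        print(f"path outlier: {path} has {digest} only on {hosts}")
```

Run against the constructed data, the rare list surfaces the one-off `update.exe` in a user temp directory and the odd `svchost.exe` hash on ws-004, while `admintool.exe` (two hosts) only appears once the threshold is raised to two; the path-outlier pass singles out ws-004’s `svchost.exe` because every other host carries the same hash at that path. In a real deployment the threshold is tuned to fleet size, and rare-but-legitimate files (admin tools, per-user installs) are expected noise that a reviewer triages rather than auto-quarantines.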

So a better question is “Why isn’t building such a useful tool even on most security and investigative software companies’ roadmaps?” After all, if they add the functionality one workflow at a time, it seems entirely doable if architected properly. Moreover, with everyone searching, hoping and praying for a solution that can remove the stain of failed antivirus from their network and replace it with something that works, there should be a lot of motivation to do this.

The first company with a viable replacement for antivirus that actually identifies and stops viruses, worms, malware, intrusion attempts, malicious process injection, rootkits, etc. AND fills the AV compliance checkbox will quickly have companies switching to their solution. Further, if that solution can meet the other investigative needs mentioned above and replace another half dozen or more agents from the endpoint, they could easily corner the market. Who wouldn’t want that in their environment? I could sell that all day long…

Until then, we need to continue to solve the problem by combining disparate technologies to fill the gaps. Moreover, we need to be diligent about requesting what we want from security software manufacturers and giving them a clear picture of what we really want. The only way development teams will have the determination to accomplish a project this big is if it is supported by overwhelming public demand.
