rethinking current endpoint security strategies part 2: prevention, detection, and response

Chris Sherman | Forrester Research, Senior Analyst
Grant McDonald | Intel Security, Senior Product Manager

Rethinking Current Endpoint Security Strategies Part 2: Prevention, Detection and Response

Uploaded by intel-security; posted 14-Jan-2017


Chris Sherman, Analyst

September 2016

This Much Is Clear: Traditional Endpoint Security Approaches Have Failed

We are hyper focused on the WRONG things

Organizations Must Refocus Their Endpoint Security Strategies

Expense in Depth

Return on Expense in Depth?

The Targeted-Attack Hierarchy Of Needs

Targeted-Attack Hierarchy Of Needs

Need No. 4: An Integrated Portfolio That Enables Orchestration

Advanced attacks are often multi-faceted:

1. Use social engineering or a web/email attack to gain access to a user endpoint.

2. Use the compromised endpoint to attack other machines behind the firewall.

3. Compromise the domain controller.

4. Masquerade as a privileged user to access source code management servers.

5. Exfiltrate core IP.

[Diagram: attack path through the domain controller, steps 1 to 5]

Friction?

› “Create friction for the attacker. Slow them down and make their job more difficult.”

› What about all the friction we create for ourselves?

› Most orgs don’t have the resources to automate their InfoSec processes.

What can you do?

› Invest in software development staff

› Prioritize vendors that integrate and automate between the endpoint and network layers

› Pay attention to vendors who see the need and are developing solutions.

Single-vendor ecosystems offer security benefits and reduced TCO

› Integrated policy engines

› Intelligence sharing

› Built-in orchestration

› Less impact to endpoint performance for end users

› Consistent user experience/interface for admin

› Packaging and suite discounts

© 2015 Forrester Research, Inc. Reproduction Prohibited

Base: 2163 business and technology decision-makers

Source: Forrester Research Business Technographics Security Survey, 2015

Orgs would seem to prefer best-of-breed point products over suite offerings...

How important were the following criteria in selecting security solutions? (Very important [4,5])

Product/technology fit: 77%
Vendor/provider expertise: 76%
Integration with existing infrastructure: 76%
Speed or ease of implementation: 74%
Simplest manageability: 71%
Vendor's brand: 71%
Expected business outcome from implementation: 71%
Price: 68%
Integration across a single vendor's product portfolio: 68%
Regulatory compliance capabilities: 67%
Certification to other security standards: 67%
Part of a suite or single-vendor portfolio: 66%
Vendor/provider ecosystem: 62%

...although when looking specifically at endpoint security, only 38% and 43% of SMBs and enterprises, respectively, prefer best-of-breed point products over suites.

Targeted-Attack Hierarchy Of Needs

Need No. 5: Prevention

Prevention is shifting

› Traditional approaches to prevention will continue

› If you can prevent an action, why not?

› Prevention with threat intelligence

• Command and Control indicators should be used to prevent communications

Prevention begins and ends with attack surface reduction

Photo credit: Jan Stromme, Bloomberg Business

Benefits to prevention-focused technologies

› Often doesn’t require prior knowledge of the threat

› Offers superior 0-day malware and exploit protection

› Allows the attack surface to be restricted to a manageable level

› Ideally creates a cycle where detection informs prevention, augmenting the effectiveness of both

© 2016 Forrester Research, Inc. Reproduction Prohibited

The five primary endpoint threat prevention capabilities

Anti-malware

Application control

Patch management

Execution isolation

Application exploit prevention


Targeted-Attack Hierarchy Of Needs

Need No. 6: Detection & Response

Detection

› Detection is the only option when dealing with higher tier adversaries

› No single control is your breach detection system

› Your aggregate controls and your people are your breach detection system

Response

› Once you have identified malicious activity, how do you respond?

› Is your remediation a reimage?

› Time to containment and remediation will never improve without automated response

Adopting EVC is a top priority for security pros

Five capabilities to look for in an EVC solution

› Real-time visibility into all running processes

› Automated response/integration with prevention tools

› Advanced pattern recognition (e.g., machine learning, baselining)

› Inspection over user and process behavior

› Integration with SIEM/Security Analytics tools

To be successful, an endpoint security strategy must balance prevention with detection

Prevention is far from dead...

[Diagram: three-part balance of Prevention, Detection, and Control / Remediation]

Endpoint Security Requires A Balanced Approach

Prevention
• Addresses attack surface
• Limits time spent on detection/response
• Doesn’t require frequent updates

Detection
• Endpoint visibility and integration
• Catches what gets through
• Threat intelligence required

Control / Remediation
• Automated/assisted remediation reduces friction
• Ensures policy compliance
• Operationalizes threat intelligence

Recommendations

› Reduce your attack surface through a balance of prevention, detection, and remediation proficiency.

› Choose prevention technologies based on your risk appetite and impact to user experience.

› Look to expand your detection capabilities beyond malicious process identification and IOC identification

› Integrate endpoint security with network security for reduced operational friction.

Integrated Protection, Detection and Correction

Grant McDonald, Endpoint Security Product Manager

The Threat Defense Lifecycle: A continuous defensive cycle

Detect - Advanced monitoring identifies anomalous, outlier behavior to perceive low-threshold attacks that would otherwise go unnoticed

Protect - Comprehensive prevention stops the most pervasive attack vectors while also disrupting never-before-seen techniques and payloads

Adapt - Apply insights immediately throughout a collaborative infrastructure

Correct - Facilitated triage and response provides prioritization and fluid investigation

Intelligent Endpoint Threat Defense

Evolve security by integrating protect, detect and correct

Outsmart Attackers: Integrated Threat Defense

Discover and Respond Faster: Immediate Visibility

Drive Efficiency: Increase Capacity, Reduce Complexity

Outsmart Attackers

With Integrated Counter Measures

Unified intelligence from global, organizational, and third-party sources

Collaborative protect, detect and correct defenses act as a single adaptive system

Comprehensive coverage against the most pervasive threats

Discover and Respond Faster

Through Immediate Visibility and Correlated Actions

Deep, continuous visibility and proactive hunting

Prioritize incidents, score risks, and investigate in real time

Interactive response and automated correction

Drive Efficiency

Increase Capacity and Reduce Complexity

Act with precision and speed by executing across the entire organization

Streamlined workflows with central visibility, management and automation

Easily evolve security through shared intelligence and an adaptive architecture

Intelligent Endpoint Threat Defense

Endpoint Detection and Response (EDR): McAfee Active Response (MAR)

Threat Intelligence: McAfee Threat Intelligence Exchange (TIE)

Web Protection: McAfee Web Gateway (via McAfee Client Proxy Agent)

Advanced Malware Detection: McAfee Advanced Threat Defense (ATD)

Management Platform: McAfee ePolicy Orchestrator (ePO)

Endpoint Protection: McAfee Endpoint Security 10
• Available with Dynamic Application Containment*

*Available with CEE suite

Resources

Go to the Resources Area of this webcast console to access supporting documents.

For additional information: www.mcafee.com/endpoint

Chris Sherman: [email protected] | @ChrisShermanFR

Grant McDonald: [email protected] | @mcdonaldgrant