
Buyer's guide: Belt and braces: covering all the endpoint security angles
August 2014



Bob Tarzey, Analyst and Director
bob.tarzey@quocirca.com, +44 7900 275517

Quocirca Comment: effective user end point security must address managed and unmanaged devices, which requires centralised as well as on-device controls. The best starting point is to focus on data.


Buyer's guide: Belt and braces:
covering all the endpoint security
angles August 2014
http://www.quocirca.com 2014 Quocirca Ltd

The question of how to "keep end user computing secure" is complex because of the proliferation of device types, the places users are when they use them and the networks they connect via.

Making matters worse is the issue of device ownership. A recent Quocirca report, Getting to grips with BYOD, shows that the majority of organisations now accept user-owned devices being used at some level for work purposes.

So, where to start with ensuring all end user computing is as secure as possible? A Chief Information Security Officer (CISO) once told Quocirca that their organisation's starting point was to regard all devices as potentially hostile, regardless of ownership. That is not a bad idea: a good device, once compromised, can soon become a bad one.

However, other considerations must also be taken into account, in particular the degree of control that can be asserted over a device.

Managed and unmanaged devices

Managed devices are those an organisation owns and can do what it likes with, even though the custodian is one of its users. Applications can be installed, software licence use is controlled and punitive measures, such as device wiping, can be taken when devices are lost. A granular approach is necessary. The measures taken for a marketer's laptop will be different from those appropriate to a field service engineer's mobile device or a health worker's tablet. Devices that stay firmly behind the firewall, including virtual desktops, will be treated differently from those that never come home.

Unmanaged devices are those owned by employees or by users from third parties, and they are harder to impose control over. In some cases, permission may be sought to install software on user-owned devices, so that they become part-managed. However, this cannot be open-ended: unknown numbers of licences will be needed, and the chosen security measures may not be available for all the device types and operating systems required.

Data first

If controls are applied to the data itself, then the device, managed or unmanaged, matters less. This requires that an organisation has good knowledge of its data assets, in particular intellectual property (IP) and regulated data. Achieving this is a core capability of some of the product categories reviewed in this article. These fall into two main groups: centralised controls and on-device controls.

For each, the level of protection that is applied to data and the applicability of each control to managed and unmanaged devices are discussed. No one technology or vendor provides all of the protections a given organisation will require; most will need a mix of approaches. As always with information security, when it comes to end user computing a layered approach is necessary: time to tighten the belt and pull up the braces.

Centralised controls
With centralised controls the aim is to protect data and/or devices, often without the need for any software to be installed on the devices. When that is the case, such controls apply to both managed and unmanaged devices.

Network access control (NAC)
NAC is primarily a network defence, controlling which devices have access. However, NAC also has a role to play in maintaining the hygiene of user devices. Whenever a managed device attempts to attach to the home network, its security status can be ascertained and the necessary actions taken. NAC products that can operate without pre-installed agents can extend controls to unmanaged and unknown devices. Vendors include the network majors (Cisco, Juniper and Aruba) and specialists such as ForeScout, Bradford Networks and Portnox. A 2013 Quocirca report, Next-generation network access control, looked at some of the real-world use cases for NAC.

Data loss prevention (DLP)
DLP monitors data in transit over networks to prevent it ending up where it should not be. The primary aim is to prevent the theft and careless usage of data. DLP also has a role to play when it comes to end user computing, as rules can be set for which users have the right to access which data, from which devices and from where. All the leading DLP suppliers have been acquired by larger security vendors, including CA, Symantec, Websense, EMC/RSA, McAfee and Trend Micro.

Digital rights management (DRM)
DRM can apply controls to data even when it has been copied to a user's device. This is achieved by linking access to an online policy server. For example, a user may be able to read a document on a device but not print it, forward it or copy it. A recent Quocirca report, What keeps your CEO up at night?, looks at the use of DRM to prevent data misuse by insiders. Microsoft has DRM capability embedded in several of its products. A host of smaller vendors take a broader, end user-centric approach to DRM, such as Fasoo and Verdasys.

End point management and mobile device management (MDM)
For completeness it should be pointed out that
making sure the system and security software
installed on managed devices is kept up to date is
an essential part of securing end user computing.
This is the role of end point and mobile
management tools. This is especially important if
automated operating system updates are not
switched on.

Security information and event management (SIEM)
SIEM is not an end point management
technology in itself. However, it does have two
important contributions to make. First, it allows
behaviour of applications and users on end
points to be reviewed in a broader context. For
example, two access requests by the same user
from different devices being made from widely
separated locations in a short space of time can
be identified as a potential issue. Second, many
end user security tools can provide a feed to
SIEM and forensics systems when investigations
are being made following an incident.
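The "same user, two far-apart locations, short time window" correlation described above is usually called an impossible-travel check. The following is an added worked example, not code from the article or from any SIEM product: it parses a handful of constructed access log lines, groups them per user, and flags consecutive events whose implied ground speed exceeds a plausibility threshold. The log format, the field names (user, device, lat, lon) and the 900 km/h threshold are assumptions chosen for the example; a real SIEM would feed it geolocated authentication events from its own sources.

```python
"""Impossible-travel check over constructed access log lines (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
# Assumption: nothing legitimate moves a user faster than a commercial airliner.
MAX_PLAUSIBLE_SPEED_KMH = 900.0

# Constructed sample log lines (not from any real product): one access request per line.
# alice: London at 09:00 from a laptop, New York an hour later from a phone (impossible).
# bob:   London at 09:05, Manchester three hours later (plausible).
SAMPLE_LOG = """\
2014-08-05T09:00:00Z user=alice device=laptop-01 lat=51.5074 lon=-0.1278 action=login
2014-08-05T09:05:00Z user=bob device=laptop-07 lat=51.5074 lon=-0.1278 action=login
2014-08-05T10:00:00Z user=alice device=phone-02 lat=40.7128 lon=-74.0060 action=login
2014-08-05T12:05:00Z user=bob device=phone-09 lat=53.4808 lon=-2.2426 action=login
"""


@dataclass(frozen=True)
class AccessEvent:
    user: str
    device: str
    timestamp: datetime
    lat: float
    lon: float


@dataclass(frozen=True)
class TravelAlert:
    user: str
    earlier: AccessEvent
    later: AccessEvent
    distance_km: float
    required_speed_kmh: float


def parse_events(log_text: str) -> List[AccessEvent]:
    """Parse 'timestamp key=value ...' lines; malformed lines are skipped."""
    events: List[AccessEvent] = []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
            events.append(AccessEvent(fields["user"], fields["device"], ts,
                                      float(fields["lat"]), float(fields["lon"])))
        except (ValueError, KeyError):
            continue  # a SIEM would count parse failures; here they are just skipped
    return events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points given in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(events: List[AccessEvent],
                           max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> List[TravelAlert]:
    """Flag consecutive events per user whose implied speed exceeds the threshold."""
    by_user: Dict[str, List[AccessEvent]] = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)
    alerts: List[TravelAlert] = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.timestamp)
        for earlier, later in zip(evs, evs[1:]):
            distance = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
            hours = (later.timestamp - earlier.timestamp).total_seconds() / 3600.0
            # Simultaneous events far apart are "infinitely fast"; simultaneous events
            # within 1 km (GPS jitter) are not flagged.
            if hours == 0:
                speed = float("inf") if distance > 1.0 else 0.0
            else:
                speed = distance / hours
            if speed > max_speed_kmh:
                alerts.append(TravelAlert(user, earlier, later, distance, speed))
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(parse_events(SAMPLE_LOG)):
        print(f"{alert.user}: {alert.earlier.device} -> {alert.later.device}, "
              f"{alert.distance_km:.0f} km needing {alert.required_speed_kmh:.0f} km/h")
```

Run as a script it reports alice's London-to-New-York hop (about 5,570 km in one hour) and stays silent on bob's London-to-Manchester move. The device names are carried in the alert so an analyst can see that the two requests came from different devices, which is the pattern the article describes; the check itself flags any pair of events that exceed the speed threshold, whether or not the device changed.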

On-device controls
On-device controls are mainly applicable to managed devices. In many cases devices are compromised because they are lost or stolen. When a device ends up in the wrong hands, the new owner will often just seek to reset and resell the device with little interest in the data stored on it. However, asserting that this is likely to be the case will not satisfy regulators when sensitive data has been involved; better levels of assurance are required.

Device access controls
One of the most obvious protections that can be put in place is to require a password or a stronger level of authentication (such as a fingerprint) for accessing a device. In differing ways, such controls are built into operating systems and just need to be activated. However, a determined thief will generally find a way around device access controls.

Encryption
When centralised controls (or the lack of them) have permitted sensitive data to be stored on a device, local encryption should be used to provide protection. Encryption capabilities are embedded in most operating systems; Symantec PGP, SafeNet and others provide cross-system support. Encryption keys are often linked to device access controls, so if those are compromised, so is the data. Furthermore, when the data is actually in use it is not protected, so users can still copy and forward it, and malware writers often aim to get around encryption by accessing data in use through memory scraping. Encryption can also be turned against users: ransomware encrypts data and demands a fee for the key.

Traditional anti-malware
Random and opportunistic malware is still finding its way onto many poorly protected devices, aiming to steal personal data, recruit them to botnets or extort a ransom. Traditional anti-malware products from the major security vendors and specialists such as Kaspersky, Panda, AVG and Avast all help protect devices from random malware by blacklisting known bad software. As well as defending against malware, many provide broader controls, for example limiting the use of USB devices.

Advanced malware detection
Individual users are increasingly being targeted specifically as part of broader campaigns to infiltrate organisations. Unique versions of malware may be used that are hard to detect using the signature-based techniques of traditional anti-malware. So many vendors have developed more sophisticated capabilities, such as detecting malware-like behaviour. One approach is to test anything suspicious in a sandbox; FireEye and Trend Micro are two of the leaders in this area.

White listing
Why let anything run on a device unless it is known to be good? That is the philosophy behind white listing. Leading vendors include Bit9, Lumension and, for Windows only, Microsoft AppLocker. Where there is good reason to limit user activity, for example on point-of-sale devices and those of health visitors and field service engineers, white listing may make sense. For other users it will be too restrictive.

Isolation
Another approach is to limit the resources a program has access to, termed isolation. Here all instances of applications run in their own virtual machines, and authorised applications are only granted access to the resources they need. Two vendors have emerged in this space: Bromium and Invincea. Another is Spikes Security, which focuses specifically on isolating a user's web browsing activity, one of the most common ways for malware to end up on devices.

Containerisation and secure desktops
For mobile devices, especially user-owned ones where a level of management control has been agreed by the user, it makes sense to partition a part of the device for specific activity. This is the essence of containerisation; the leading vendors include Good Technology and VMware's AirWatch. Virtual desktop technology is also being adapted for use on mobile devices, which provides a similar level of protection. A final approach is to boot secure desktops from USB devices using Windows To Go; Microsoft-certified suppliers include IronKey and Spyrus.

This article first appeared in Computer Weekly:
http://www.computerweekly.com/feature/Belt-and-braces-covering-all-the-endpoint-security-angles


About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption: the personal and political aspects of an organisation's environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to advise on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca's mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC
products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of
long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca's clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP, Xerox, EMC, Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist firms.

Full access to all of Quocirca's public output (reports, articles, presentations, blogs and videos) is available at http://www.quocirca.com
