Whitepaper Abstract This special report presents the critical Tenets of Endpoint Control to IT architects with recommended actions for enterprise security officers. Information in this report derives from Ogren Group research and interviews with enterprise security officers of global organizations. Traditional security measures are simply not effective in the modern attack climate. Endpoint control, driven by application whitelisting, now offers an attractive alternative to security suites comprised of recycled security components. The Tenets of Endpoint Control are introduced in this special report. Organizations adopting these tenets and deploying endpoint control solutions are realizing benefits in more effective defenses against attacks, greater end-user satisfaction with performance gains, and lower operating costs due to reductions in the value of attack signature streams.

1. The Tenets of Endpoint
Control
An Ogren Group Special Report
April 2008

2.
Enterprise IT is paying out large chunks of its security budget for signature –oriented endpoint security
products knowing that those approaches cannot protect the business against lost data from malicious
attacks. The question is not best‐of‐breed versus security suites, the question is why base the primary
defense of endpoint assets on technology that is decades old and is proven time and again to be
ineffective. Attackers develop targeted attacks, or modify well known attacks that have proven to be
effective for years, that signature approaches have no chance of detecting, blocking, or removing.
Endpoint control is a critical new approach for IT to manage the integrity of endpoints and to protect
confidential data. Traditional security measures, currently offered as security suites of commoditized
components, are simply not effective in the modern attack climate. Security functions within IT
organizations are often caught up in threat myopia, a condition where every threat to the technical
infrastructure needs to be analyzed, understood, and blocked at the edge of the network and again at
the endpoint. Security has always been a best‐of‐breed industry. Nobody wants to pay for a third‐rate
security product or pay for security products that do not work. Endpoint control, driven by application
whitelisting, now offers an attractive alternative to security suites comprised of recycled security
components.
Endpoint control focuses on the IT requirements to control endpoint configurations. Any unauthorized
modification of the configuration is automatically blocked. This effectively thwarts attacks that need a
host to execute, storage systems to hide, and network access to propagate. By controlling the endpoint,
IT efficiently denies attacks access to key elements on the endpoint. The critical ability to control
executables and network access is a model that scales strongly to enterprise levels and is effective at
stopping most types of attacks.
The Tenets of Endpoint Control are introduced in this special report. The tenets that IT is following are:
• Control what you know. It is much easier to control configurations and acceptable use policies;
it is impossible to control what an attacker might try.
• Control at the lowest possible level. Endpoint control solutions need to operate in the kernel
where they cannot be easily subverted and have visibility to all network, file, and processor
operations.
• Control transparently. Endpoint control solutions need to give performance back to the user,
and allow them to do their jobs without interruptions from the endpoint security software.
Organizations adopting these tenets and deploying endpoint control solutions are realizing benefits in
more effective defenses against attacks, greater end‐user satisfaction with performance gains, and
lower operating costs due to reductions in the value of attack signature streams. The heightened
resistance to execution of unauthorized programs, the prime symptom of an attack that needs to
execute to steal confidential data or cause damage, also reduces the amount of panic patch operations
and help desk calls that IT must manage.
Copyright 2008, The Ogren Group. All rights reserved. Page 2

3.
This special report, commissioned by CoreTrace, presents the critical Tenets of Endpoint Controls to IT
architects with recommended actions for enterprise security officers. Information in this report derives
from Ogren Group research and interviews with enterprise security officers of global organizations.
The Problems with Security Suites
The security industry is driving towards endpoint control solutions. IT is learning that it is much easier to
control what they know and understand than it is to try to control unknown attacks. Traditional security
vendors push signature‐based security suites to market to protect subscription revenue streams and to
give customers a “defense in depth” solution. However, these suites do not introduce new security
capabilities; there are no synergistic benefits.
However, these collections of commoditized defenses do not effectively detect and block attacks.
Exhibit 1 shows three attacks, NetSky, Bagle, and Mydoom that
all place executable images on the endpoint, and launching Why base endpoint defense on
these executables launches the attack. The futility of signature‐ old technology that is proven
based approaches is shown by the fact that NetSky and ineffective?
Mydoom have been around since 2004, yet they are thriving as
members of the top 10 of attacks in the wild as of March 2008.
Exhibit 1: Attacks can succeed without endpoint control
The problems with security suites are well understood and include:
• Attacks change faster than signature files. Attackers develop new attacks, or create variants of
existing attacks faster than security vendors can create signatures and antidotes; faster than IT
can distribute them to the community of endpoints. This leaves enterprises defenseless against
new targeted attacks. No matter how fast the security vendor is, they can never thwart an
attack before it is already in the wild.
Copyright 2008, The Ogren Group. All rights reserved. Page 3

4.
• The larger the list of attacks to scan, the more performance degrades. The blacklist of attacks is
increasing at a steady rate. Each day the security suite of signatures will take longer to scan
objects or, worse, omit aged signature checks to maintain performance on the endpoint. There
is no end to the demands of signature approaches.
• Enterprises pay large sums of money for security suite subscriptions. Subscription services for
receiving updates to security suite signature files are one of the larger expenses in the corporate
security budget, and they are an ongoing annual expense.
IT is implementing endpoint control solutions as a more scalable approach to preventing malware from
executing within the technical infrastructure. Configurations that are locked down have no allowances
for unauthorized software. With endpoint control malicious software cannot execute to steal confidential
data or disrupt business processes.
Tenet #1: Control what you know
IT knows what applications each endpoint should be executing and what network accesses should be
allowed to abide with corporate use policies. Rather than
embarking on the hopeless task of delineating all of the It is easier to control what is
negative actions that might occur, it is much easier to known than try to control
describe what you know and to define acceptable use unknown attacks.
policies. Endpoint control technology allows IT to define its
requirements with the knowledge that actions not complying with IT control policy, such as malicious
attacks, will be automatically blocked.
• Identify the acceptable technical environment. Positive whitelist approaches are fundamental
to endpoint control architectures. Application whitelists allow IT to describe desired
configuration and acceptable use policies for the endpoint. Any operation not aligned with this
policy – even day 0 attacks that are not well understood – are automatically blocked before
damage can occur. There are no false positives; if the operation has not been approved it is not
allowed to complete. This is the benefit of security without signatures in preventing loss of
confidential data from malicious attacks.
• Allow for differences among endpoints. Endpoint control solutions must take into account that
any two endpoint devices are seldom identical in configuration. For instance, a difference in
endpoint manufacturing dates may be reflected in slight variations in hardware, and resultant
versions of device drivers. Endpoint control needs to reside on each endpoint, inspect the device
to understand its specific configuration, and then lock down the endpoint according to the
dictates of IT control.
• Audit the end‐user and the endpoint. Endpoint control provides IT the ability to audit activity in
order to replay actions leading up to a policy violation, proactively help users in need of
assistance, and to document compliance with government and industry regulations. The audit
features of endpoint control allow IT to keep the system in tune, and to correct issues before
they become problems.
Copyright 2008, The Ogren Group. All rights reserved. Page 4

5.
Tenet #2: Control at the lowest level possible
Endpoint control solutions must operate at the lowest possible level. Positioning endpoint control
solutions in the kernel of the operating system provides operating benefits that cannot be achieved
when operating in user‐mode. The architectural positioning,
as shown in Exhibit 2, of endpoint control in the kernel Only security software that
allows the security software to block execution of functions in the kernel can reliably
unauthorized programs or use of the network that violates deliver the controls that IT requires.
security policies. This is a critical implementation decision.
Exhibit 2: Endpoint control executes at the lowest possible level
Only security software that functions in the kernel can reliably deliver the controls that IT requires.
• Inspect all operations. Only endpoint control software operating in the kernel can inspect and
correlate storage, network, and processor functions. Kernel‐mode security software is granted
visibility of the entire endpoint allowing the solution to inspect all operations to make optimal
decisions on behalf of IT.
• Isolate security from applications. IT can only control the endpoint if the security software
executes without interference of applications. This can only be achieved in the kernel, where
any operation to subvert IT controls from user‐mode applications can be detected and blocked.
Attack software executing in user mode cannot subvert the lower level endpoint control
solutions that are executing in the kernel.
• Block inappropriate activity from reaching applications. The only way to prevent inappropriate
executes from operating, or prevent I/O requests from violating corporate policy, is to intercede
between the application and the operating system. Endpoint control software can block
nefarious activity in the kernel – before that activity can affect the endpoint or work its way into
the kernel.
Copyright 2008, The Ogren Group. All rights reserved. Page 5

6.
Tenet #3: Control transparently
The acceptance of end‐users is critical to the success of an endpoint control program, whether that
endpoint is a desktop or a server. Controls that intrude upon the user experience will be rejected.
Security must be transparent to the end‐users, and not create administrative burdens to operations
staff.
• Preserve the user experiences. Endpoint control solutions are required to make allow/deny
decisions without interrupting the users of the endpoint. The users must not even know that IT
is controlling their endpoint configurations. Prompts, questions, and notifications should be kept
to a minimum.
• Insist on no performance degradation. Endpoint control, because it operates on the much
shorter whitelist than attack signature
approaches, returns processing power and Security must be transparent to
memory to business applications. End‐users
end‐users, and not create
are apt to disengage security suites to gain
time. Endpoint control technology needs to administrative burdens to
operate at better than 10 times the operational staff.
performance levels of signature approaches.
That gives IT greater effectiveness at stopping attacks while freeing more performance for
business applications.
• Keep administrative actions confidential. The security of communications between
administrative consoles and endpoints is an important ingredient in allowing IT to control
transparently. Mutual authentication, encrypted communications, and secure delivery of audit
information allow IT to control corporate endpoints without requiring end‐user participation in
the management of the device.
Conclusions
Traditional suites of software packaged by security vendors fall far short of the requirements for
protecting corporate endpoints. This is demonstrated every day by the failure of signature‐based
security to protect the business against data loss or disruption of services due to malicious code
executing on endpoints. Signature‐based approaches, common in suites of products such as anti‐virus,
anti‐spyware, intrusion prevention, data leakage prevention, and personal firewalls, cannot keep up
with the pace of new attacks nor have any chance of recognizing a new variant of a historically effective
attack.
IT would be better served by controlling their desktop and server infrastructure to detect and block
inappropriate actions before damage can be done. The tools are available today for IT to control
endpoints based on what people need to do their jobs. These tools are isolated from user‐mode
applications by integrating into the kernel.
Copyright 2008, The Ogren Group. All rights reserved. Page 6

7.
The tenets of endpoint control bear repeating:
• Control what you know
• Control at the lowest level possible
• Control transparently
Investigate endpoint control technology in a controlled datacenter environment. Deploy the products on
servers that require resistance to attacks, but cannot afford the performance penalties of signature
suites. Once you become comfortable with the effectiveness of endpoint control, plan to extend the
deployment to desktops and laptops.
You will find that these tenets of endpoint controls effectively protect against malicious code attacks,
allow IT resources to concentrate on aligning the technical infrastructure with dynamic business
requirements, and enhance end‐user experiences via increased performance. Increased control also
means that some day you will never have to pay for security signatures again.
The Ogren Group Special Report is published for the sole use of Ogren Group clients. It may not be duplicated, reproduced, or transmitted
in whole or in part without the express permission of the Ogren Group, 92 Robert Road, Stow, MA 01775. For more information, contact
the Ogren Group: info@ogrengroup.com. All rights reserved. All opinions and estimate herein constitute our judgment as of this date and
are subject to change without notice.
Copyright 2008, The Ogren Group. All rights reserved. Page 7