Whitepaper Abstract
This special report presents the critical Tenets of Endpoint Control to IT architects with recommended actions for enterprise security officers. Information in this report derives from Ogren Group research and interviews with enterprise security officers of global organizations.
Traditional security measures are simply not effective in the modern attack climate. Endpoint control, driven by application whitelisting, now offers an attractive alternative to security suites comprised of recycled security components. The Tenets of Endpoint Control are introduced in this special report. Organizations adopting these tenets and deploying endpoint control solutions are realizing benefits in more effective defenses against attacks, greater end-user satisfaction from performance gains, and lower operating costs as attack signature streams lose their value.
• The larger the list of attacks to scan, the more performance degrades. The blacklist of attacks is increasing at a steady rate. Each day the security suite's signature scan takes longer to check objects or, worse, omits aged signature checks to maintain performance on the endpoint. There is no end to the demands of signature approaches.
• Enterprises pay large sums of money for security suite subscriptions. Subscription services for receiving updates to security suite signature files are one of the larger expenses in the corporate security budget, and they are an ongoing annual expense.
IT is implementing endpoint control solutions as a more scalable approach to preventing malware from
executing within the technical infrastructure. Configurations that are locked down have no allowances
for unauthorized software. With endpoint control malicious software cannot execute to steal confidential
data or disrupt business processes.
Tenet #1: Control what you know
IT knows what applications each endpoint should be executing and what network accesses should be allowed in order to comply with corporate use policies. Rather than embarking on the hopeless task of delineating all of the negative actions that might occur, it is much easier to describe what you know and to define acceptable use policies. Endpoint control technology allows IT to define its requirements with the knowledge that actions not complying with IT control policy, such as malicious attacks, will be automatically blocked.
It is easier to control what is known than to try to control unknown attacks.
• Identify the acceptable technical environment. Positive whitelist approaches are fundamental to endpoint control architectures. Application whitelists allow IT to describe the desired configuration and acceptable use policies for the endpoint. Any operation not aligned with this policy, even a zero-day attack that is not yet well understood, is automatically blocked before damage can occur. There are no false positives: if the operation has not been approved, it is not allowed to complete. This is the benefit of security without signatures in preventing loss of confidential data from malicious attacks.
• Allow for differences among endpoints. Endpoint control solutions must take into account that any two endpoint devices are seldom identical in configuration. For instance, a difference in endpoint manufacturing dates may be reflected in slight variations in hardware and, as a result, in device driver versions. Endpoint control needs to reside on each endpoint, inspect the device to understand its specific configuration, and then lock down the endpoint according to the dictates of IT control.
• Audit the end-user and the endpoint. Endpoint control provides IT the ability to audit activity in order to replay the actions leading up to a policy violation, proactively help users in need of assistance, and document compliance with government and industry regulations. The audit features of endpoint control allow IT to keep the system in tune and to correct issues before they become problems.
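The three bullets above describe a per-endpoint allowlist that denies by default and records its decisions. The following Python is an added example written for this page; it is not code from the Ogren Group report or from any product the report describes. It builds a separate baseline for each endpoint from the binaries found during inspection (so two machines with different driver versions get different baselines), decides allow/deny purely by content hash with no attack signatures involved, and keeps an audit trail that can be replayed per user. All endpoint names, paths and file contents in it are constructed.

```python
"""Added example, not code from the Ogren Group report or any product it
describes: a minimal hash-based application allowlist illustrating Tenet #1.
Each endpoint is locked to the binaries found during its own inspection,
execution is default-deny with no attack signatures involved, and every
decision is written to an audit trail that can be replayed per user.
All endpoint names, paths and file contents below are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """A program's identity is its content hash, not its path or file name."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class AuditEvent:
    endpoint: str
    user: str
    path: str
    digest: str
    decision: str  # "allow" or "deny"
    reason: str


@dataclass
class EndpointPolicy:
    """Per-endpoint allowlist plus the audit trail of decisions made on it."""
    name: str
    allowed: Dict[str, str] = field(default_factory=dict)  # digest -> path at baseline
    audit: List[AuditEvent] = field(default_factory=list)

    @classmethod
    def from_inventory(cls, name: str, inventory: Dict[str, bytes]) -> "EndpointPolicy":
        """Inspect the endpoint (here a constructed path -> content map) and lock
        it down to exactly those binaries; nothing else is approved."""
        policy = cls(name)
        for path, content in inventory.items():
            policy.allowed[sha256_hex(content)] = path
        return policy

    def evaluate(self, user: str, path: str, content: bytes) -> str:
        """Allow only if the hash is in this endpoint's baseline. Anything not
        approved is denied before it runs, whether or not it is a known attack."""
        digest = sha256_hex(content)
        if digest in self.allowed:
            decision, reason = "allow", "hash in endpoint baseline"
        elif path in self.allowed.values():
            decision, reason = "deny", "approved path but content changed since baseline"
        else:
            decision, reason = "deny", "not in endpoint baseline"
        self.audit.append(AuditEvent(self.name, user, path, digest, decision, reason))
        return decision

    def replay(self, user: str) -> List[AuditEvent]:
        """Decisions for one user, in order, so the actions leading up to a
        policy violation can be reviewed."""
        return [event for event in self.audit if event.user == user]


# Constructed file contents standing in for real binaries.
MAIL_CLIENT = b"mail-client-build-1042"
DRIVER_V1 = b"net-driver-v1"            # shipped with the older hardware batch
DRIVER_V2 = b"net-driver-v2"            # shipped with the newer hardware batch
UNKNOWN_DROPPER = b"never-seen-before"  # present in no baseline


def build_policies() -> Dict[str, EndpointPolicy]:
    """Two constructed endpoints that differ only in their network driver version."""
    return {
        "ws-old": EndpointPolicy.from_inventory(
            "ws-old", {"C:/apps/mail.exe": MAIL_CLIENT, "C:/drivers/net.sys": DRIVER_V1}),
        "ws-new": EndpointPolicy.from_inventory(
            "ws-new", {"C:/apps/mail.exe": MAIL_CLIENT, "C:/drivers/net.sys": DRIVER_V2}),
    }


if __name__ == "__main__":
    policies = build_policies()
    old, new = policies["ws-old"], policies["ws-new"]
    print(old.evaluate("alice", "C:/apps/mail.exe", MAIL_CLIENT))        # allow
    print(old.evaluate("alice", "C:/drivers/net.sys", DRIVER_V2))        # deny: not this endpoint's version
    print(new.evaluate("bob", "C:/drivers/net.sys", DRIVER_V2))          # allow: in this endpoint's baseline
    print(old.evaluate("alice", "C:/temp/update.exe", UNKNOWN_DROPPER))  # deny: never approved
    for event in old.replay("alice"):
        print(event.decision, event.path, event.reason)
```

The deny for the modified file at an approved path is the case the report's "no false positives" claim rests on: the decision needs no knowledge of what the new content is, only that it was never approved. A production allowlist would normally also accept publisher signatures and handle approved updates, which this example leaves out.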
Copyright 2008, The Ogren Group. All rights reserved. Page 4
Tenet #2: Control at the lowest level possible
Endpoint control solutions must operate at the lowest possible level. Positioning endpoint control solutions in the kernel of the operating system provides operating benefits that cannot be achieved when operating in user-mode. The architectural positioning of endpoint control in the kernel, as shown in Exhibit 2, allows the security software to block execution of unauthorized programs or use of the network that violates security policies. This is a critical implementation decision.
Only security software that functions in the kernel can reliably deliver the controls that IT requires.
Exhibit 2: Endpoint control executes at the lowest possible level
• Inspect all operations. Only endpoint control software operating in the kernel can inspect and correlate storage, network, and processor functions. Kernel-mode security software is granted visibility of the entire endpoint, allowing the solution to inspect all operations and make optimal decisions on behalf of IT.
• Isolate security from applications. IT can only control the endpoint if the security software executes without interference from applications. This can only be achieved in the kernel, where any attempt by user-mode applications to subvert IT controls can be detected and blocked. Attack software executing in user mode cannot subvert the lower-level endpoint control solutions that are executing in the kernel.
• Block inappropriate activity from reaching applications. The only way to prevent inappropriate executables from running, or to prevent I/O requests from violating corporate policy, is to intercede between the application and the operating system. Endpoint control software can block nefarious activity in the kernel, before that activity can affect the endpoint or work its way into the kernel.
Tenet #3: Control transparently
The acceptance of end‐users is critical to the success of an endpoint control program, whether that
endpoint is a desktop or a server. Controls that intrude upon the user experience will be rejected.
Security must be transparent to the end‐users, and not create administrative burdens to operations
staff.
• Preserve the user experience. Endpoint control solutions are required to make allow/deny decisions without interrupting the users of the endpoint. The users must not even know that IT is controlling their endpoint configurations. Prompts, questions, and notifications should be kept to a minimum.
• Insist on no performance degradation. Endpoint control, because it operates on a much shorter whitelist than attack signature approaches, returns processing power and memory to business applications. End-users are apt to disengage security suites to gain time. Endpoint control technology needs to operate at better than 10 times the performance levels of signature approaches. That gives IT greater effectiveness at stopping attacks while freeing more performance for business applications.
• Keep administrative actions confidential. The security of communications between administrative consoles and endpoints is an important ingredient in allowing IT to control transparently. Mutual authentication, encrypted communications, and secure delivery of audit information allow IT to control corporate endpoints without requiring end-user participation in the management of the device.
Conclusions
Traditional suites of software packaged by security vendors fall far short of the requirements for protecting corporate endpoints. This is demonstrated every day by the failure of signature-based security to protect the business against data loss or disruption of services due to malicious code executing on endpoints. Signature-based approaches, common in suites of products such as anti-virus, anti-spyware, intrusion prevention, data leakage prevention, and personal firewalls, cannot keep up with the pace of new attacks, nor do they have any chance of recognizing a new variant of a historically effective attack.
IT would be better served by controlling its desktop and server infrastructure to detect and block inappropriate actions before damage can be done. The tools are available today for IT to control endpoints based on what people need to do their jobs. These tools are isolated from user-mode applications by integrating into the kernel.
The tenets of endpoint control bear repeating:
• Control what you know
• Control at the lowest level possible
• Control transparently
Investigate endpoint control technology in a controlled datacenter environment. Deploy the products on
servers that require resistance to attacks, but cannot afford the performance penalties of signature
suites. Once you become comfortable with the effectiveness of endpoint control, plan to extend the
deployment to desktops and laptops.
You will find that these tenets of endpoint control effectively protect against malicious code attacks, allow IT resources to concentrate on aligning the technical infrastructure with dynamic business requirements, and enhance the end-user experience via increased performance. Increased control also means that some day you will never have to pay for security signatures again.
The Ogren Group Special Report is published for the sole use of Ogren Group clients. It may not be duplicated, reproduced, or transmitted in whole or in part without the express permission of the Ogren Group, 92 Robert Road, Stow, MA 01775. For more information, contact the Ogren Group: info@ogrengroup.com. All rights reserved. All opinions and estimates herein constitute our judgment as of this date and are subject to change without notice.