Busted: 3 Myths about Endpoint Visibility

Maintaining endpoint visibility with or without client agents is fundamental to any network or information security architecture. Regardless of processes, programs, or the number of devices and people, being able to monitor the endpoints containing and accessing your data is an important step in protecting your organization's intellectual property and bottom line. Unfortunately, there are security headwinds (or downright myths) implying that endpoint visibility is both troublesome and risky, even unnecessary or unwanted.

With the broad selection of endpoint monitoring tools available, some of these drawbacks are based in reality, while others are simply talking points used by one vendor to promote their own strategy at the expense of others. Here are three myths about endpoint visibility and why they don't apply to OPSWAT Gears:

The Three Myths:

Anton Chuvakin, a researcher at Gartner, is credited with coining the term "Endpoint Detection and Response" (EDR), and has strong views on the current state of the technology. His latest "reality check" for the antivirus community argues that:

  1. Agents cause problems, and nobody in the industry would prefer their EDR to rely on an agent because:
    "...your prospective customers will still hate you with a passion [only because some stupid fat agent killed their dear Excel or slowed the system to a crawl 5 years ago]. Of course, I am watching the attempts to create a decent "agentless EDR" with much elation …"
  2. There's no desire to perform audits, and believing so is unrealistic given:
    "...the fact that EDR tooling makes certain tasks (like checking what is running on all your machines, etc) easier, there is an implication that there is a desire to perform those tasks and that there is somebody to actually do those tasks…"
  3. Focus on the endpoint is just a trend, and is not feasible for a lot of companies.
    "...focus on the endpoint may be a trend, but it does not mean it is operationally feasible for a lot of companies." - Anton Chuvakin.

Ultimately, critics like Chuvakin believe that endpoint focus may just be a trend, isn't needed by IT administrators or organizations, and provides more risks and overhead than protection. Here is why they couldn't be more wrong:

MYTH 1: Agents cause problems

Firstly, just because an endpoint visibility solution uses an agent to check the security posture of an endpoint, does not make it inherently worse than an agentless solution. This distaste for agent-based solutions has been exaggerated and needs to be addressed.

A bad agent-based solution can be absolutely terrible, yes, but so can a bad agentless solution. Integrating a lightweight and well-built agent into your existing security infrastructure offers tremendous benefits over agentless solutions. Why? Because the agent benefits hinge on the architecture needs of the customer, not necessarily the capabilities of the software vendor. In fact, many "agentless" solutions are actually using the device's operating system as their agent, and are thereby limited in their detection abilities, leaving you and your network vulnerable to exploitation. Put it this way: if you are trying to assess whether the endpoint's operating system has been compromised, why would you trust that same operating system to tell the truth? That doesn't make any sense to us. It would be like asking a clinically insane person whether or not they're delusional; of course they're going to say "No", because if they knew they were crazy, they wouldn't have been deemed clinically insane in the first place. The same goes for infectious threats and operating systems. Asking an infected system to report on its own infection status is problematic. In order to conduct and maintain good endpoint visibility, solutions should perform their own inspections without total reliance on the operating system's APIs. This independent analysis is a more accurate way to detect and prevent network infections.

Most importantly, having an agent means you, your team, and fellow coworkers can work remotely and be vetted by an endpoint visibility solution before accessing the organization's VPN or SaaS applications. Mobility is increasing, even if BYOD adoption has an uncertain future. The professionals of our modern industries use an arsenal of cloud-based applications in order to communicate, design, or store the projects they're working on. From Google Drive and Evernote, to Salesforce and Box, many of the services we use are helpful because they provide mobility and flexibility. Having that freedom for you and your coworkers to work wherever, whenever, can be vital to your company culture. However, with increased mobility comes an increase in the chance of malware infection. Imagine, for instance, that when you go out with your laptop to a coffee shop or to a park, it is like taking your infant child through a lush rainforest. Yes, it can be relieving, beautiful and freeing, but it can also be frightening, as there are lots of hidden bacteria and threats all around you. With each public Wi-Fi hotspot or Starbucks lounge you connect your device to, you are entering a new area of the cyber-rainforest. With a layered approach to detect and prevent those threats, your baby (and this time I mean your latest MacBook Pro) will need to be secured during your jungle excursion, and vetted before it is ready to rejoin the ranks of your coworkers. With endpoint visibility solutions like OPSWAT Gears, you, your team, and fellow coworkers can be both free and secured.

You might be thinking, but what about the security risks of unmanaged devices? Guest devices without a designated administrator or software monitoring the health and status of the device present a security risk, and before they are brought into a network containing PII, the guest devices should be scanned. However, it is understandable that not all visiting guests will agree to install an agent on their beloved laptop. It's somewhat intrusive to be expected to download a company's software when you're their guest, right? -- and that's why dissolvable agents have become popular for many enterprise applications, especially as a teleconferencing solution. We're not talking about antiquated ActiveX or Java-based agents either. These are native applications that have been carefully designed and tested to provide on-demand users with the same experience as users of the installed application.

MYTH 2: There's no desire to perform audits

Secondly, some security product managers are actually arguing that there isn't really a need for program monitoring and auditing, as administrators are rarely empowered or expected to carry out such activities. This line of thinking paints IT administrators as reactionary employees, seeking nothing other than to avoid ridicule over crashed programs and servers. However, I would argue that IT administrators are aware of the importance of their role in protecting their organizations from crippling data breaches, take their vocation seriously, and will use all the tools within their reach to limit vulnerabilities without hindering productivity.

So how can a well-designed endpoint visibility and protection platform reconcile this difference in opinions? For starters, it needs to be much more than just visibility. It is trivial to build an application that collects a ton of data and simply dumps it in some database. These applications exist, are typically heavily marketed with big budgets, and quickly become shelfware for many organizations. No one wants to sort through gigabytes (or even terabytes) of data about their endpoints looking for some proverbial needle in a haystack. Trust us, we don't like the sound of that either. Just look at what's happened with SIEM -- the golden child of security analytics has certainly helped certain organizations, but more so has kept systems integrators' and analysts' pockets lined with corporate dollars for implementation and management services. With OPSWAT Gears, you can test it out on twenty-five devices for free, and "free" certainly will not break the IT budget.

But how is Gears different? We focus on collecting relevant data and presenting only what is useful to the IT administrators. But what do IT admins really care about? They want the basics like antivirus presence, antivirus status, and disk encryption, but also want information regarding OS patches, passwords and lock screen status. These are just a few of the many features that are very important to administrators, and Gears offers these features for Linux, Android, Windows, and Mac devices. It is deceptively complicated to collect device data in a reliable way across multiple operating systems, especially if you are dealing with unmanaged devices where these settings and software are mostly ad hoc and cannot be centrally managed. We're now on the fourth generation of our OESIS SDK, and have spent hundreds of man-hours addressing the challenge of making it easier to build Gears into your security architecture. OPSWAT Gears is uniquely positioned to take advantage of the administrator management experience by providing them with digestible information, and empowering them to focus on creating actionable policies without a complicated setup. We designed Gears to simplify endpoint security management, not complicate it.

MYTH 3: Focus on the endpoint is just a trend

Lastly, the feasibility and tangible benefits of endpoint visibility and security will directly determine whether endpoint focus is just a trend, or simply part of the never-ending vacillation between "secure the network" and "secure the endpoint". Obviously, both agentless and agent-based approaches have merits, otherwise this argument would have been settled long ago. But here at OPSWAT, we feel there is room for both strategies, and an effective security defense should incorporate both. Agent and agentless security strategies are not mutually exclusive, the caveat being that neither should become such a management burden that the other suffers for attention. False alarms, false positives, endless logs of meaningless data and the like are a surefire way to kill any security initiative. The same goes for performance issues -- a bloated agent that slows down the endpoint will lead to end-user revolt, which then eventually creates IT dissatisfaction, and ultimately leads to product abandonment by the IT administrators themselves. Hello shelf!

When we design software at OPSWAT, we follow a few simple tenets, including "end users should respect it" and "IT admins should love it". If your software or appliance doesn't satisfy those two basic (yet difficult to accomplish) criteria, then it is doomed to become shelfware. Big marketing dollars pushing sub-par software can give an entire product category a bad reputation. So try out OPSWAT Gears for free today for up to twenty-five devices, and see for yourself why you'll never shelve an OPSWAT product.
