The Endpoint Security Maturity Model (see picture below) can help you understand the four levels of Next-Generation Endpoint Security as well as answer a few important questions:
• Where is your endpoint security today? Most CISOs who look at this model conclude—with great concern—that they are at level one or level two, at best.
• Where would you like it to be? It’s generally accepted among industry experts that you need to be at level three or level four to adequately protect your organization in today’s cyber war.
In Level One, an organization is vulnerable. They have no visibility into what’s running or what’s happened on their endpoints. They rely on traditional antivirus for detection and prevention, which only stops “known-bad” files. Their only form of response is to reimage machines, which means they do not address root cause or scope and are likely to be reinfected frequently. Their endpoint security tools are siloed and not integrated.
In Level Two, an organization has reduced risk. They are using polling and scanning to get some endpoint visibility, but it’s limited. For detection, they’re using reputation or algorithmic data, which is an improvement over signatures. To improve prevention, they may do a number of things, including simple whitelisting and removing admin rights. When an incident happens, they have manual and reactive processes to determine root cause and scope. Their endpoint tools have some basic integration into a SIEM via alerts and logs.
In Level Three, an organization has a strong posture. They have real-time visibility and continuous recording of the state of their endpoints. Their detection uses threat intelligence, usually from one vendor, and they may use simple “indicators of compromise.” Their prevention has become proactive, because they determine what they want to ban rather than relying solely on third-party signatures. When they have to respond to an incident, they have automated mechanisms to determine root cause and scope. They are integrating their endpoint security with their network security and SIEM, so information can be better correlated and alerts triaged faster.
Level Four is the ultimate goal, where an organization has the best protection. They have real-time visibility and recording of both endpoint state and activity (so they know, for example, when an endpoint is making an active connection to a malicious site or performing an unauthorized activity). Their detection is based on aggregating multiple sources of threat intelligence, and they are using patterns and behavior, not just simple indicators. They use the highest form of prevention, which is default-deny, and it is policy-based, so it is low administration and customized for different users and machine types. When they respond to an incident, they can automatically terminate and contain the attack and perform remediation. They leverage open APIs to integrate their endpoint security with whatever they need.
As you map out what level you strive to attain, note that you may want to be at different levels for different assets or parts of your organization. For example, you might feel the need to be stronger in prevention on your servers than on your end-user systems, or you may feel the need to have more rapid response capabilities on your CEO’s machine than your receptionist’s. But you should attain at least Level Three everywhere; anything less is insufficient to stop and properly respond to advanced or targeted attacks.