Endpoint Security Essentials
So you finally managed to convince your management that a traditional pattern-based virus scanner is no longer going to cut it. You've got your next-gen endpoint security product deployed across all of your endpoints. They're all happily reporting into your console. I trust you have set up a process to monitor incoming alerts; hell, it might even be documented. Perhaps, if your employer is a cash cow, your endpoint security events are automatically fed into your expensive SIEM and your SOC personnel are actually doing something useful with them. It's been a long road, but you've finally reached the finish. Great job! Right?
Let me bring it to you unfiltered; you've just got the basics right.
The following guidelines are what I call the essentials. Get these right, or you're better off doing something completely different, like opening a book store or collecting plastic to save the planet from further collapse. Remember: your security is only as strong as your weakest link.
- Make sure your endpoint security product settings reflect your security policy. If you don't have a security policy that is tailored to the risk profile and business of the company, that you have diligently crafted and communicated, and that is backed by management, you're in for a fight. There will always be cases where end users want to act against policy. Make sure you have that policy to defend your stance and to withstand the pressure.
- Ensure you or the security team owns the endpoint security settings. Don't leave this in the hands of IT operations, or you'll end up with loads of exclusions, hell, even an army of helpless disabled agents. Remember, when IT operations is trying to solve (performance) problems, the endpoint security product is always the scapegoat and the first one to be slaughtered. Remove the power from their hands. Make them come to you. If the endpoint security product is proven to be the culprit after a joint investigation, a temporary exception can be created (in your GRC system, right?) with a remediation plan. Just make sure you own the settings. Do the test: count the exclusions and behold the army of zombies (disabled agents) dwelling in your environment.
- Implement an automated process which periodically (e.g. daily) checks for endpoints missing your endpoint security product. Remember that your security is only as strong as your weakest link. If you have not maximally deployed your endpoint security product, you are leaving holes in your defense. 100% coverage is the aim. That might not always be realistic, but it should be the aim nonetheless. You can do this in a passive way by comparing an independent endpoint repository, like Active Directory, with the list of endpoints that have registered into your solution. Any gaps should be investigated and resolved. A more active way would be to scan your network and identify missing endpoints that way.
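The passive coverage check described above, and the "zombie" (disabled or silent agent) audit from the previous point, can be scripted as one reconciliation job. The following is an added example, not code from the original post or from any particular endpoint security vendor: it assumes two CSV exports whose column names (`Name`, `DNSHostName`, `LastLogonDate`, `Enabled` for the AD side; `hostname`, `agent_status`, `last_seen` for the console side) are hypothetical, and the sample rows are constructed. It normalises hostnames (case and DNS suffix differ between sources in practice), ignores AD computer objects that are disabled or have not logged on for 90 days so the report is not polluted by decommissioned machines, and flags three kinds of gap: endpoints missing from the console entirely, endpoints whose agent is disabled or has stopped checking in, and agents that report in but are unknown to AD.

```python
"""Reconcile an AD computer export against an endpoint security console export."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of an AD computer export (column names are assumptions).
AD_EXPORT = """\
Name,DNSHostName,LastLogonDate,Enabled
WS-001,ws-001.corp.example.com,2024-05-20T08:14:00Z,True
WS-002,ws-002.corp.example.com,2024-05-19T17:02:00Z,True
WS-003,ws-003.corp.example.com,2024-05-21T09:40:00Z,True
SRV-DB01,srv-db01.corp.example.com,2024-05-21T01:00:00Z,True
OLD-LAPTOP,old-laptop.corp.example.com,2023-11-02T12:00:00Z,True
DECOM-01,decom-01.corp.example.com,2024-01-10T10:00:00Z,False
"""

# Constructed sample of the endpoint security console's agent export (columns assumed).
EDR_EXPORT = """\
hostname,agent_status,last_seen
WS-001.CORP.EXAMPLE.COM,healthy,2024-05-21T10:00:00Z
ws-002,healthy,2024-05-21T09:55:00Z
srv-db01.corp.example.com,disabled,2024-04-02T03:00:00Z
ws-009.corp.example.com,healthy,2024-05-21T08:00:00Z
"""

NOW = datetime(2024, 5, 21, 12, 0, tzinfo=timezone.utc)  # fixed so the sample is reproducible


def normalise(hostname: str) -> str:
    """Lower-case and drop the DNS suffix so 'WS-001.CORP.EXAMPLE.COM' matches 'ws-001'."""
    return hostname.strip().lower().split(".")[0]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class CoverageReport:
    missing: list[str]    # active in AD, unknown to the console
    zombies: list[str]    # known to the console, but agent disabled or silent
    unmanaged: list[str]  # reporting to the console, not in AD at all
    covered: int
    total_active: int

    @property
    def coverage_pct(self) -> float:
        return 100.0 * self.covered / self.total_active if self.total_active else 0.0


def reconcile(ad_csv: str, edr_csv: str, now: datetime,
              ad_stale_days: int = 90, agent_silent_days: int = 7) -> CoverageReport:
    all_ad: set[str] = set()
    active: set[str] = set()
    for row in csv.DictReader(io.StringIO(ad_csv)):
        host = normalise(row["Name"])
        all_ad.add(host)
        # Skip disabled objects and machines that have not logged on recently.
        if row["Enabled"] == "True" and now - parse_ts(row["LastLogonDate"]) <= timedelta(days=ad_stale_days):
            active.add(host)

    agents = {normalise(r["hostname"]): r for r in csv.DictReader(io.StringIO(edr_csv))}

    missing, zombies, covered = [], [], 0
    for host in sorted(active):
        agent = agents.get(host)
        if agent is None:
            missing.append(host)
        elif agent["agent_status"] != "healthy" or \
                now - parse_ts(agent["last_seen"]) > timedelta(days=agent_silent_days):
            zombies.append(host)
        else:
            covered += 1
    unmanaged = sorted(h for h in agents if h not in all_ad)
    return CoverageReport(missing, zombies, unmanaged, covered, len(active))


def run_sample() -> CoverageReport:
    return reconcile(AD_EXPORT, EDR_EXPORT, NOW)


if __name__ == "__main__":
    r = run_sample()
    print(f"coverage: {r.covered}/{r.total_active} ({r.coverage_pct:.1f}%)")
    print("missing agent :", r.missing)
    print("zombie agents :", r.zombies)
    print("not in AD     :", r.unmanaged)
```

Each bucket maps to a different follow-up: a missing host is a deployment ticket, a zombie is a conversation with whoever disabled the agent (and an entry in the exception register if it is legitimate), and an unmanaged host is either an inventory gap or something that should not be on the network. Running this daily and trending `coverage_pct` gives you the metric to show management.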
- The most advanced step is to prevent endpoints that don't have an active endpoint security agent from connecting to the network. If you manage to get this essential right, you are excelling. I assume this one is rather utopian in a lot of environments today, but if you get to this point, you have a watertight security control in your hands.
Getting these essentials right will result in a reliable security control that realistically augments your company's security posture. And that's exactly what your ambition as a CISO or IT Security Manager should be.
If I'm missing any other essentials, do let me know.
Hang in there.
I wholeheartedly agree with these points! Some additional impressions/thoughts on these: 1. Making sure that settings reflect a policy requires the existence thereof. In an ideal world, that is the case. More often it isn't. Focus on creating one, if you don't have one. 2. ITSEC owning settings will only work if a) there is proper maturity in that team, b) the ops team, ITSEC team and architects work in lock step to define and maintain the settings. If not, the user experience might go to waste. I have seen all too often where ITSEC went overboard, essentially rendering systems unusable... 3. Start by defining what EDR solution you will purchase and don't just go for what you believe is best-in-breed. Cut the bias that may exist. Prefer integrated solutions over point solutions. The latter might be slightly better, but the lack of integration across several products can be more harmful and increase complexity.
Very interesting read. Bullet point #2 is spot on! Refusing devices without endpoint protection access to the network can be enforced with a NAC solution, we've deployed this at the Port Of Antwerp.
The very first one is to pretend... security doesn’t matter :)?