If you want better and easier server protection than what you have now or have read about elsewhere, then you need something very different. You’ve come to the right place for a brief introduction to the application of zero-trust principles WITHIN the endpoint. If you’re not receptive to change and different paradigms, read no further.
Why zero trust? It is a departure from the detect & react paradigm you’ve known for over a decade. Annual growth in personnel and complexity of enterprise cyber defense programs for over a decade are the macro symptoms. On the micro side, the old paradigm is about the many forms of detection before an endpoint is compromised to after it is to after the intruder has moved laterally. AV and machine learning (ML) AV strive to quarantine the detected before compromise, behavior analytics (BA) tries to terminate what is detected later, one or more tools roll-back an endpoint to pre-compromise state following post-compromise detection, EDR, IDS, EUBA (entity user behavior analytics) listen for what was undetected, SIEM mines for the undetected, and threat hunters hunt for the undetected. At different states and different perspectives detect & react looks for good/bad and normal/abnormal. Every year it requires more personnel and more skills, which generates organizational entropy that requires more personnel to overcome.
How much of the above requires a continuous data flow (ML AV, EDR, VA, SIEM, EUBA, etc.) from the server to someplace? That equates to network exposure risks in a complex ecosystem where humans routinely make mistakes that hackers exploit. Sometimes all that detect & react impairs system performance, including the dreaded “I/O Storms” when all that detect & react data overwhelms the pipes.
If and when something malicious is detected on a server with a mission critical App, IT/Sec-Ops has almost not choice but to take it offline. Given how ineffective detecting before compromise is, that’s a harsh reaction.
AppGuard for server applies zero-trust WITHIN the endpoint avoid all of that detection waste. It’s about limiting what actions within the endpoint are allowed instead of having to explicitly recognize good/bad or normal/abnormal. In part, it’s about containment of all processes for all at-risk apps such that they cannot do harmful actions to the rest of the server as well as isolation such that the rest of the server cannot do harm to high-value Apps, or steal data/credentials from them. If this sounds like sandboxing, whitelisting, or HIPS, you are forgiven. Those are onerous, unforgiving tools. AppGuard’s zero-trust controls naturally adapt to change. Despite app updates and security patches every month, week, or day, your AppGuard policy for a Windows Server can run years without any update. These and other zero-trust controls can be applied to any App, unlike sandboxing or process virtualization. And, they work on any Windows Server endpoint regardless of whatever cloud hosting infrastructure or hardware may be beneath the surface.
The containment and isolation controls thwart pass-the-hash/ticket attacks without having to recognize or scan anything. Should another friendly endpoint without AppGuard be compromised, its attempts to execute remote code attacks would fail because of other zero-trust controls. These protections and all of AppGuard’s others have one thing in common. They will NOT slow your server down, if you can detect any impact at all.
You’re probably having to run custom or uncommon software that lacks vetting by an entire industry. It’s not a question of ‘if’ they’ll get exploited but ‘when’. Every endpoint security tool you’ve seen would enable you to quarantine or restart a server after anything malicious were detected. Would any of them allow it run DESPITE something malicious detected? With containment, isolation, and other zero-trust controls, AppGuard can enable you to safely run that mission critical App until its maintenance window.
I’m sure you have questions. I covered much with little detail. I hope I’ve persuaded you that AppGuard’s approach is different. And, I hope that you now at least suspect that it may indeed yield better protection with less IT/Sec-Ops. The more your explore the more you’ll be convinced.