More Endpoint Protection with Less

The Enterprise is Bloated with Cybersecurity Junk Food

[Figure: US data breaches]

Over the last decade, adversaries have been remarkably effective at stealing from the enterprise, mostly by compromising its poorly protected endpoints. Year after year, adversaries and defenders alike add new tools and practices to their craft. The adversary simply discards one thing when something better comes along. For the enterprise, staying lean and fit is anything but easy. Yesterday’s hyped miracle technology is tomorrow’s sporadically used feature inside an all-in-one widget that may or may not integrate with various other feature-dense tools. When the adversary changes tactics, the defender, working with an undersized budget, too few staff, and too few skills, finds unravelling these knots about as easy as mending a torn shirt while riding a bucking bull. Fortunately, the jumbled mess starts to fall into order once you pull on the endpoint protection thread. Fixing that makes everything else easier, including retiring tools once thought indispensable.

More Breaches, More Cyber Spend



Enterprise IT/Sec-Ops has grown more costly and complex every year for over a decade, and all indications point to more of the same for another. Coincidentally, the term “endpoint protection platform” (EPP) was coined about a decade ago, in 2007. The concept was simple: a single agent with a single management pane should simplify IT/Sec-Ops compared with many agents and many panes. Whatever economies of consolidation did occur were dwarfed by the added costs of EPP’s inadequate ‘protection’. That failure created a new endpoint agent market, endpoint detection and response (EDR), which has since come to be regarded as a vital element of EPP.

Before looking beyond EPP to the other tools and tasks that strain IT/Sec-Ops budgets, there is a point that anyone concerned with securing endpoints should explore regarding the combining of multiple tools into a single binary. Without this perspective, one erroneously chooses the EPP with the longest list of features rather than the one that produces the best results. The question to ask is: how does integrating any ONE cyber control with the others make the others simpler? A quick example from AppGuard (not an EPP) concerns two different controls: application whitelisting and adaptive process conformance. The latter ensures that at-risk applications (those that open untrusted content) cannot alter an endpoint’s system space, so whatever is installed there cannot be tampered with. That in turn means AppGuard’s whitelisting need only cover user space, shrinking it from hundreds of thousands of items to fewer than two dozen. With most EPPs, there is little to no true synergy from combining multiple agents into one.
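As an added illustration (this is not AppGuard’s code and does not describe its internals), the following toy policy engine models the two controls just described, process conformance plus a user-space-only allowlist, and shows why the second stays tiny once the first is in place. The application names, paths, allowlist entries and event sequence are assumptions constructed for the example:

```python
"""Toy model of two endpoint controls that simplify each other.

Added illustration, not AppGuard's code: confining at-risk applications
(and their descendants) to user space means an execution allowlist only has
to cover user space. Application names, paths and allowlist are assumptions.
"""
from fnmatch import fnmatchcase

# Control 1, process conformance: assumed set of applications that open
# untrusted content. They, and anything they spawn, may not alter system space.
AT_RISK = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "acrord32.exe"}
SYSTEM_SPACE = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Control 2, allowlisting, restricted to user space. Binaries already installed
# in system space need no entry because control 1 keeps that space unalterable.
# Assumed handful of business tools that legitimately run from a user profile.
USER_SPACE_ALLOW = (
    "c:\\users\\*\\appdata\\local\\microsoft\\teams\\current\\teams.exe",
    "c:\\users\\*\\appdata\\local\\corpvpn\\vpnclient.exe",
)


def in_system_space(path):
    return path.lower().startswith(SYSTEM_SPACE)


def is_at_risk(actor, lineage=()):
    """True for an at-risk image or any process descended from one."""
    return any(name.lower() in AT_RISK for name in (actor, *lineage))


def decide(actor, action, target, lineage=()):
    """Decide one process event.

    actor   image name of the process performing the action
    action  'write' (create/modify a file) or 'exec' (launch target)
    target  full path of the file written or the image launched
    lineage image names of the actor's ancestors, nearest first
    Returns (verdict, reason) with verdict 'allow' or 'deny'.
    """
    path = target.lower()
    if action == "write":
        if in_system_space(path) and is_at_risk(actor, lineage):
            return "deny", "at-risk process may not alter system space"
        return "allow", "write outside system space, or by a trusted process"
    if action == "exec":
        if in_system_space(path):
            return "allow", "system-space image; unalterable by at-risk apps, so no list entry needed"
        if any(fnmatchcase(path, pattern) for pattern in USER_SPACE_ALLOW):
            return "allow", "user-space image on the short allowlist"
        return "deny", "user-space image not on the allowlist"
    raise ValueError(f"unknown action: {action!r}")


# Constructed event sequence: a weaponized document drops a loader and tries
# several ways to persist. Tuple layout: (actor, action, target, lineage).
SAMPLE_EVENTS = [
    ("winword.exe", "write", "C:\\Users\\alice\\AppData\\Roaming\\loader.exe", ()),
    ("winword.exe", "exec", "C:\\Users\\alice\\AppData\\Roaming\\loader.exe", ()),
    ("winword.exe", "write", "C:\\Windows\\System32\\drivers\\evil.sys", ()),
    ("winword.exe", "exec", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", ()),
    ("powershell.exe", "write", "C:\\Program Files\\Common Files\\hook.dll", ("winword.exe",)),
    ("explorer.exe", "exec", "C:\\Windows\\notepad.exe", ()),
    ("explorer.exe", "exec",
     "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", ()),
    ("msiexec.exe", "write", "C:\\Program Files\\Corp\\app.exe", ("services.exe",)),
]


def run_events(events=SAMPLE_EVENTS):
    """Return the verdict for each event, in order."""
    return [decide(actor, action, target, lineage)[0]
            for actor, action, target, lineage in events]


if __name__ == "__main__":
    for (actor, action, target, lineage), verdict in zip(SAMPLE_EVENTS, run_events()):
        print(f"{verdict:5} {actor:15} {action:5} {target}")
```

Note that the allowlist has only two entries: everything installed under system space runs without being listed, because nothing at-risk can have put it there. The launch of powershell.exe by Word is allowed, but the child inherits Word’s at-risk lineage, so its attempt to write into Program Files (event five) is still denied. A real product has far more nuance (registry, memory, network, and so on); the point here is only how one control shrinks the other.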

Beyond endpoint software, the SIEM evolved into the data warehouse for every source of IT/Sec-Ops data, including log events from endpoints. Overlapping network tools from the last decade, such as next-generation firewalls, intrusion detection/prevention systems, and breach detection systems, generate alert volumes that strongly correlate with employee endpoint usage. The ease of lateral movement from one endpoint to another until domain admin is obtained has led to yet another category of tools, user and entity behavior analytics (UEBA). These tools and others make up much of what is becoming known as the ‘detect and react’ posture that pervades enterprise IT/Sec-Ops. A variety of remediation tools (re-imaging, clean-up, password management, key management, backup management, etc.) fill out the rest of the ‘detect and react’ workload.

[Figure: SOC top challenges]

Sadly, many experts treat cybersecurity too much as a technology matter and too little as a people quagmire. The different technologies for locking down, defending, monitoring, and restoring enterprise endpoints and networks require more people to operate every year. Then again, the hype around machine learning and artificial intelligence at least tacitly acknowledges that current IT/Sec-Ops approaches are ineffective and unsustainable with the people available.

Enterprise leaders cannot afford to bet solely on big data technologies reversing these trends, especially because adversaries use them too. Instead, the quest for simpler, more effective IT/Sec-Ops must base decisions and tool selections on minimizing man-hours. Beneath this obvious point lies the least known key to making IT/Sec-Ops simpler, lighter, and more effective: half or more of your IT/Sec-Ops man-hours correlate with what happens on your endpoints. A simple but crude way to begin seeing this is to compare alert or incident volumes on work days with those on off days, when employees are far less active on their endpoints. Use the time each alert was generated rather than when a ticket was opened or closed, or you will only measure your analysts’ shift pattern, and discount sources such as scheduled scans that fire on a timer regardless of user activity. A more methodical analysis can show statistically significant correlations between each of your IT/Sec-Ops work breakdown elements and endpoint activity. These correlations identify the tools and tasks that consume the bulk of your man-hours.
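As an added example (not from the original article), here is a first pass at the crude work-day versus off-day check described above. It splits daily alert counts per source into working days and weekends and reports how many times busier the working days are, which flags the sources whose volume tracks endpoint activity. The log line format, the source names and the two weeks of sample data are constructed assumptions:

```python
"""Workday versus off-day alert volume, per alert source.

Added example, not from the original article: a first pass at the crude check
described above. It splits daily alert counts into working days and weekends
and reports, per source, how many times busier the working days are. The log
line format, source names and sample data are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean

# Assumed line shape: "<ISO-8601 UTC timestamp> <alert source> <alert name>".
# Use the time the alert was generated, not when a ticket was opened or
# closed, or you will just measure analyst shift patterns.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp, source, name = m.groups()
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), source, name


def is_workday(day):
    # Monday..Friday; extend with a holiday calendar for real data.
    return day.weekday() < 5


def daily_counts(lines):
    """{source: {date: count}}, zero-filled over the log's full date span."""
    counts = defaultdict(lambda: defaultdict(int))
    days = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, source, _ = parsed
        counts[source][stamp.date()] += 1
        days.add(stamp.date())
    if not days:
        return {}
    first, last = min(days), max(days)
    span = [first + timedelta(days=i) for i in range((last - first).days + 1)]
    return {src: {d: counts[src].get(d, 0) for d in span} for src in counts}


def workday_ratio(per_day):
    """Mean alerts per working day divided by mean per off day; None if the
    span lacks one of the two kinds of day."""
    work = [c for d, c in per_day.items() if is_workday(d)]
    off = [c for d, c in per_day.items() if not is_workday(d)]
    if not work or not off:
        return None
    off_mean = mean(off)
    return float("inf") if off_mean == 0 else mean(work) / off_mean


def source_ratios(lines):
    return {src: workday_ratio(per_day) for src, per_day in daily_counts(lines).items()}


def endpoint_driven_sources(lines, threshold=3.0):
    """Sources whose workday volume is at least `threshold` times their off-day volume."""
    return {src: r for src, r in source_ratios(lines).items()
            if r is not None and r >= threshold}


def constructed_sample(start=date(2019, 3, 4), days=14):
    """Two constructed weeks starting on a Monday: an EDR agent and a perimeter
    firewall that are busy when staff are at their desks, and an IDS in front
    of a DMZ web farm that alerts at the same rate every day."""
    profile = {"edr-agent": (40, 5), "ngfw-edge": (30, 6), "dmz-web-ids": (8, 8)}
    lines = []
    for i in range(days):
        day = start + timedelta(days=i)
        for source, (on_work, on_off) in profile.items():
            for n in range(on_work if is_workday(day) else on_off):
                stamp = datetime(day.year, day.month, day.day, n % 24, (n * 7) % 60, 0)
                lines.append(f"{stamp:%Y-%m-%dT%H:%M:%SZ} {source} alert-{n:03d}")
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    for src, ratio in sorted(source_ratios(sample).items()):
        print(f"{src:12} workday/off-day ratio = {ratio:.1f}")
```

On the constructed data the EDR agent and the edge firewall come out several times busier on working days while the DMZ IDS holds steady, which is the shape the article predicts: the first two are knowledge-worker driven, the third is not. On real data, feed it a SIEM export in the assumed format, add your holiday calendar to is_workday, and treat the ratio as a screening statistic rather than a proof; the methodical follow-up is a proper correlation of each work-breakdown element against endpoint activity.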

Let’s start with endpoint patch management. AppGuard ‘contains’ any unpatched application, blocking the harmful actions an exploit would need while allowing everything else. This does not eliminate your patch management agent or the need to patch; the vulnerability is still present, only its exploitation is blocked. But the work that is usually disrupted or deferred in order to rush-test, deploy, and verify an urgent patch need not be disrupted any longer. There should also be fewer patches gone wrong, because AppGuard buys testers the time to be methodical.

As for endpoint protection, AppGuard replaces any and all such tools except for regulatorily mandated scanning. Most AppGuard customers satisfy that requirement with Windows Defender or a free AV. An EPP, however, may bundle many toolsets that each require significant man-hours to configure and maintain. AppGuard can eliminate the hours your IT/Sec-Ops spends on the following:

  • Application Whitelisting
  • Anti-Exploit / Memory Protection
  • Host-based Sandbox
  • Machine Learning Antivirus

IT/Sec-Ops effort for AppGuard is practically zero man-hours per month (not literally) compared with these tools. Typical AppGuard enterprise deployments run for many months without any updates of any kind.

Now on to ‘detect and react’, beginning with alerts. Alert fatigue is exhausting personnel and leaving much work undone. If even half of your alert volume is directly or indirectly driven by the endpoint, then AppGuard would free your personnel to investigate the alerts that currently go un-investigated, mainly those from your Internet-facing and internal mission-critical application servers, where the low-frequency, headline-making breaches tend to occur.

[Figure: detect and react, alert fatigue]

After a few months or more of confidence building following the AppGuard deployment on your endpoints, you may decide your EDR agent is no longer necessary. By then your EDR alert volume will not only have plummeted, but the AppGuard log events flowing through your SIEM will show that AppGuard is blocking attacks before EDR can detect them. That was one well-known EDR vendor’s explanation when our mutual customer asked why the EDR was failing to detect a campaign of weaponized document attacks. Similarly, if you have SIEM endpoint agents deployed, you may question the value of continuing to run them. Remember, EDR and SIEM agent deployments were necessitated by chronic, pervasive endpoint protection failures.

Around the same time, your cyber leadership will likely revisit the value of fully retaining a next-gen firewall, dedicated IDS/IPS, and/or breach detection system. Again, this depends on what you have deployed and on what proportion of your IT infrastructure serves knowledge-worker activity.

[Figure: impact of the cyber skills shortage]

The same question will arise about your incident response and remediation resources. The most difficult decision in this transition will be what to do with all of those resources once endpoint incident volume has plummeted.

With so many resources freed, and so much of your IT/Sec-Ops staff no longer in constant pursuit of the next fire, your organization can pursue higher-level security maturity strategies. For example, if alert triage had been overwhelmed, reactive, and out of tune, you could not afford to invest in a proper threat hunting capability. Many deferred capabilities become possible once endpoint protection becomes effective.