In this blog series, I led with the important paradigm that malware defense is fundamentally a big data problem. That “new law” and the other subsequent “new laws” largely governed the design of our Immunet Anti-Malware product. What we started to realize, however, is that our original product was not only a paradigm shift in anti-malware technology, but it also put us on the trajectory to engender a broader paradigm shift that we believe will truly change the security industry. FireAMP, which we just recently announced, is the result of us following that trajectory.
If the first new law of anti-malware is considered the "means", then this last law should be considered the ultimate "end". Security vendors have typically viewed endpoint protection as the be-all-end-all of malware defense. We respectfully disagree. Instead, we believe that protection is one element of a triumvirate that also needs to include improved visibility and ultimately increased control.
The rationale is straightforward. Compliance and regulatory considerations aside, organizations purchase anti-malware offerings for one primary reason: because they do not wish to get infected with malware. However, despite best efforts and despite installing endpoint protection suites that have won accolades from “independent” third-party reviews, enterprises still seem to get infected with malware. The explanation, which has been the elephant in the room for some time, is simply that no endpoint protection offering is 100% effective. Every vendor has missed threats and no technology will ever be impervious. Unfortunately, however, vendors generally try to sweep their imperfections under the rug. By failing to acknowledge any shortcomings, they also fail to provide any functionality for handling post-infection scenarios appropriately.
Some in the industry have gone as far as to say that there are two kinds of organizations: those that have been compromised and those that do not yet know that they have been compromised. Therefore, despite installing and correctly maintaining anti-malware software, organizations also need tools to aid them after an infection.
FireAMP includes capabilities for enabling enterprises to see which systems a given threat has touched (including “patient zero”), how those threats got onto the system, and what the threats might have done while on the system. With this information, enterprises can estimate the scope of an infection. Furthermore, enterprises are provided with actionable data against which to make adjustments to their IT infrastructure. Finally, enterprises can see comparative reports to evaluate themselves against the global installation base, so that any metrics can be understood in a broader context. In addition, FireAMP provides intra-organizational reporting, which allows an enterprise to determine how its different divisions compare to each other when it comes to malware infections. This type of information is useful in identifying potential zones of vulnerability and enables the implementation of more nuanced security policies that reflect the specific risks the enterprise faces (Law #4). These additional capabilities follow naturally from our data-driven approach. Furthermore, they continue to provide protection even after an infection (and because analysis happens in FireCloud, malware cannot tamper with the results).
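To make the retrospective visibility described above concrete, here is an added worked example (not FireAMP's code and not its telemetry format) that takes a small set of endpoint file-execution records and, once a hash is flagged as malicious, answers the four questions the paragraph lists: which hosts the file touched, which host saw it first and how it arrived, what the file spawned, and how divisions compare. The `Event` record shape, hostnames, division names, hash values and timestamps are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    """One file-execution observation from an endpoint (assumed record shape, not a real agent format)."""
    ts: str        # ISO-8601 time the file was observed running
    host: str
    division: str
    sha256: str    # hash of the observed file (placeholder strings below, not real hashes)
    process: str   # image name the file ran as
    parent: str    # process that launched it
    origin: str    # where the file came from, as reported by the agent


# Constructed telemetry: three engineering hosts, two finance hosts.
TELEMETRY = [
    Event("2012-01-10T08:55:00", "eng-01", "engineering", "h_clean_1", "notepad.exe", "explorer.exe", "local"),
    Event("2012-01-10T08:57:00", "fin-01", "finance",     "h_clean_2", "excel.exe",   "explorer.exe", "local"),
    Event("2012-01-10T08:58:00", "fin-02", "finance",     "h_clean_2", "excel.exe",   "explorer.exe", "local"),
    # first sighting of the threat: saved from a mail attachment on eng-07
    Event("2012-01-10T09:02:00", "eng-07", "engineering", "h_bad",     "invoice.exe", "outlook.exe",  "mail-attachment"),
    # what it did next: spawned a shell on the same host
    Event("2012-01-10T09:05:00", "eng-07", "engineering", "h_clean_3", "cmd.exe",     "invoice.exe",  "local"),
    # later copies arrive on other hosts from a file share
    Event("2012-01-10T09:40:00", "eng-03", "engineering", "h_bad",     "invoice.exe", "explorer.exe", "smb-share"),
    Event("2012-01-10T11:15:00", "fin-02", "finance",     "h_bad",     "invoice.exe", "explorer.exe", "smb-share"),
    # a re-sighting on patient zero the next day must not change who patient zero is
    Event("2012-01-11T07:00:00", "eng-07", "engineering", "h_bad",     "invoice.exe", "explorer.exe", "local"),
]

THREAT_HASH = "h_bad"  # the hash flagged (retrospectively) as malicious


def _ts(e: Event) -> datetime:
    return datetime.fromisoformat(e.ts)


def sightings(events: List[Event], sha256: str) -> List[Event]:
    """All observations of the flagged file, oldest first."""
    return sorted((e for e in events if e.sha256 == sha256), key=_ts)


def affected_hosts(events: List[Event], sha256: str) -> List[str]:
    """Scope of the infection: every host that has executed the flagged file."""
    return sorted({e.host for e in sightings(events, sha256)})


def patient_zero(events: List[Event], sha256: str) -> Optional[Dict[str, str]]:
    """Earliest sighting anywhere, with the parent and origin that explain how it arrived."""
    hits = sightings(events, sha256)
    if not hits:
        return None
    first = hits[0]
    return {"host": first.host, "seen": first.ts, "parent": first.parent, "origin": first.origin}


def spawned_by_threat(events: List[Event], sha256: str) -> List[Tuple[str, str, str]]:
    """Direct child processes of the flagged file, on hosts where it ran, after it first ran there."""
    hits = sightings(events, sha256)
    names = {e.process for e in hits}
    first_on_host: Dict[str, datetime] = {}
    for e in hits:                                  # hits are sorted, so the first timestamp wins
        first_on_host.setdefault(e.host, _ts(e))
    return [(e.ts, e.host, e.process) for e in events
            if e.parent in names and e.host in first_on_host and _ts(e) >= first_on_host[e.host]]


def infection_rate_by_division(events: List[Event], sha256: str) -> Dict[str, Tuple[int, int]]:
    """(infected hosts, total hosts) per division, for intra-organizational comparison."""
    hosts_by_div = defaultdict(set)
    for e in events:
        hosts_by_div[e.division].add(e.host)
    infected = set(affected_hosts(events, sha256))
    return {d: (len(h & infected), len(h)) for d, h in sorted(hosts_by_div.items())}


if __name__ == "__main__":
    print("affected hosts:", affected_hosts(TELEMETRY, THREAT_HASH))
    print("patient zero:", patient_zero(TELEMETRY, THREAT_HASH))
    print("spawned by threat:", spawned_by_threat(TELEMETRY, THREAT_HASH))
    for div, (bad, total) in infection_rate_by_division(TELEMETRY, THREAT_HASH).items():
        print(f"{div}: {bad}/{total} hosts infected")
```

Two points the code makes that the prose only implies: the analysis runs against telemetry that was already recorded before the hash was known to be bad, so the agent has to report every execution, not just the ones it blocks; and "patient zero" is only as trustworthy as the clocks and the coverage, since a host with no agent, or one whose clock is skewed, can hide the true first sighting.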
FireAMP also embraces the other “new laws” of anti-malware. For example, it includes the more sophisticated protection lattice of our Immunet product (Law #2) and it leverages data across the community (Law #3). It also includes custom signatures, whitelists, and application control (Law #4). With these capabilities customers do not have to be solely reliant on vendors (as they have been in the past). Instead, they can be armed with the right data as well as the appropriate tools to act on that data.
When we conceived of the “New Laws of Anti-Malware”, the purpose was partly to put into writing our vision of how malware defense needed to evolve. With FireAMP, we have reached an important milestone in executing against this vision.

Endpoint security is an approach to network protection that requires each computing device on a corporate network to comply with certain standards before network access is granted.