Integrated Endpoint Security Architecture
By leveraging the Advanced Technology Center (ATC), we develop resilient endpoint security architectures that support a wide range of customer mission sets. The goal is always to build capable solutions that are flexible enough to handle the complexities of heterogeneous data networks and resilient enough to operate in a continuously changing, and sometimes contested, environment.
Endpoint security is becoming more complex. The fact that no two architectures are the same makes it extremely challenging to implement an end-to-end, comprehensive security solution. One of the most significant challenges our customers face is understanding the multitude of tools that are employed as part of a comprehensive security solution.
Typically, when multiple tools are employed, engineers spend too much time trying to figure out which alerts are valid, leading to alert fatigue. They also struggle to measure the effectiveness of these tools. Almost always, functional overlap exists between tools and solutions deployed, which leads to overspending and an increased reliance on vendor expertise to manage disjointed toolsets.
Operational risks are created wherever there is a gap in functional coverage caused by improper employment or lack of security product integration. These challenges are exacerbated by a reduction of endpoint performance due to operating multiple agents. There is also an increase in network communication that can cause network latency.
To help overcome these challenges, WWT provides customers a Security Tools Rationalization Workshop to help organizations develop an integrated framework that suits their particular needs.
WWT's approach to architecture development comprises five pillars. When properly coupled together, these pillars act as force multipliers, resulting in an integrated endpoint security architecture that forms a full end-to-end security platform rather than a set of stove-piped point solutions.
WWT's Integrated Endpoint Security Architecture Framework
1. Endpoint protection
New technologies exist today that extend traditional antivirus (AV) protection with threat intelligence, machine learning and application whitelisting/blacklisting. Organizations are starting to ask whether these newer products can replace their traditional AV solutions. Such solutions generally play in three areas: next-generation antivirus (NGAV), incident response (IR)/forensics and operational management. Endpoint protection is much more than traditional antivirus: it extends beyond malware detection and prevention, and for maximum effectiveness it must be integrated with the rest of the security platform.
2. Management platform
The ability to manage and execute functions from a central platform has become critically important as most large-scale organizations struggle with different technologies and processes. Most large-scale organizations employ more than 20 different security tools in their environment. This is a common, yet increasingly complex, model to manage that often leaves organizations concerned about effective and efficient performance. We believe a web-based management console that allows effective execution of processes such as inventorying assets (endpoints and software), identifying online users, validating configurations, identifying indicators of compromise (IOCs), executing automated change actions/responses, etc., is pivotal in any endpoint security architecture.
3. Data correlation and security analytics
Today's networks generate incredible amounts of useful data. Organizations need better ways to leverage the use of network and security data to inform decision making. We focus on going beyond centralized event management by using security analytics to correlate data and draw inferences on real or potential incidents. This not only includes traditional data sets (e.g. firewall logs), but extends into user behavior, physical security and a host of other data points.
Being able to present the operational status of an enterprise architecture is perhaps the most important of our architectural pillars. The ultimate goal is typically a status report that gives decision makers the appropriate amount of information to act on. Multiple dashboards with "drill-down" capability into more granular information help decision makers who are constrained by time, and the flexibility to build new information views quickly is highly recommended.
5. Security automation and orchestration
The list of security challenges organizations face continues to grow. They must now deal with a shortage of security professionals, multiple point products with little or no integration, large volumes of security events, and attacks that are more advanced than ever. By automating actions before or during an attack, organizations can reduce an attack's overall impact. Security automation is often overlooked by organizations that focus on point products and/or stove-piped solutions. Incorporating security automation and orchestration shortens the time to detect and respond, and it is quickly becoming a best practice within industry-leading security operations centers.
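The following is an added example, not WWT's code or any product's, of what pillars 3 and 5 look like in practice: alerts from several tools are correlated into one incident per host within a time window, exact repeats are folded together to reduce alert fatigue, and an automated response is chosen only when independent tools corroborate each other. The tool names, hosts, alert format, time window and isolation threshold are constructed for illustration.

```python
"""Correlate alerts from several security tools into per-host incidents and
pick an automated response. Added example; the alert format, tool names,
host names, time window and thresholds are constructed, not from WWT."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample alerts from three hypothetical tools,
# one per line: tool|timestamp|host|severity|message
SAMPLE_ALERTS = """\
ngav|2024-05-01T10:00:05|ws-0142|high|blocked execution of unsigned binary
firewall|2024-05-01T10:00:40|ws-0142|medium|outbound connection to denylisted address
ngav|2024-05-01T10:00:50|ws-0142|high|blocked execution of unsigned binary
edr|2024-05-01T10:02:10|ws-0142|high|suspicious parent/child process chain
firewall|2024-05-01T11:30:00|srv-db01|low|port scan detected from internal subnet
ngav|2024-05-01T12:15:00|ws-0199|medium|quarantined file matching signature
"""

WINDOW = timedelta(minutes=10)  # alerts on one host within this window form one incident
ISOLATE_MIN_TOOLS = 2           # require corroboration by two tools before auto-isolating


@dataclass
class Alert:
    tool: str
    ts: datetime
    host: str
    severity: str
    message: str


@dataclass
class Incident:
    host: str
    first_seen: datetime
    last_seen: datetime
    alerts: list = field(default_factory=list)
    suppressed: int = 0  # duplicate alerts folded into this incident

    @property
    def tools(self):
        return sorted({a.tool for a in self.alerts})

    def response(self):
        """Automated action: isolate only when multiple independent tools agree."""
        has_high = any(a.severity == "high" for a in self.alerts)
        if has_high and len(self.tools) >= ISOLATE_MIN_TOOLS:
            return "isolate_host"
        if has_high:
            return "open_ticket"
        return "log_only"


def parse_alerts(text):
    """Parse the pipe-delimited sample format and return alerts in time order."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tool, ts, host, sev, msg = line.split("|", 4)
        alerts.append(Alert(tool, datetime.fromisoformat(ts), host, sev, msg))
    return sorted(alerts, key=lambda a: a.ts)


def correlate(alerts):
    """Group alerts by host within WINDOW; fold exact repeats from the same tool."""
    incidents = []
    open_by_host = {}
    for a in alerts:
        inc = open_by_host.get(a.host)
        if inc is None or a.ts - inc.last_seen > WINDOW:
            inc = Incident(a.host, a.ts, a.ts)
            incidents.append(inc)
            open_by_host[a.host] = inc
        inc.last_seen = a.ts
        if any(x.tool == a.tool and x.message == a.message for x in inc.alerts):
            inc.suppressed += 1  # same tool, same message: do not raise it again
        else:
            inc.alerts.append(a)
    return incidents


def triage(text):
    """Return (host, corroborating tools, suppressed duplicates, action) per incident."""
    return [(i.host, i.tools, i.suppressed, i.response())
            for i in correlate(parse_alerts(text))]


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

With the constructed input, ws-0142 becomes a single incident corroborated by three tools (with one duplicate NGAV alert suppressed) and is marked for isolation, while the two single-tool, lower-severity events are only logged. The corroboration threshold is the design choice worth noting: automating a disruptive action such as host isolation on one tool's word trades alert fatigue for outage risk, so the example gates it on agreement between independent sources.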
For most organizations, the ability to demonstrate compliance with an assessment program correlates directly with the maturity of their cybersecurity program. WWT builds its baseline from the ability to rapidly inventory assets and assess operational risk arising from configuration management, vulnerability assessment and operational procedures. We have adapted the Capability Maturity Model Integration (CMMI) to information security, measuring security capabilities against an organization's ability to operate through threats and vulnerabilities.
We understand that no network is 100 percent secure, but we collaborate with our customers to understand their environment and move toward a multi-vendor architecture that creates an integrated security platform.
Endpoint security must be part of an overall security architecture and strategy. The result will be a level of protection that far exceeds anything a single point product can provide. WWT is committed to partnering with our customers to achieve this result.
Our workshop is designed to help customers further understand their current capabilities, identify any capability gaps and formulate comprehensive courses of action to ensure their IT infrastructure is operationally ready, regardless of emerging threats. WWT is a world-class technology integrator and we partner with industry-leading technology manufacturers to customize integrated solutions to support your mission needs.