Handing Over The Reins To Your Endpoint Solution

Recently, Symantec have released SEP 15 which is their cloud endpoint solution. SEP 15 allows you to manage all your Symantec endpoints using their centralized cloud portal.

Symantec introduced the cloud with 14.2 however this version is a hybrid solution. You still need an on premise SEPM that syncs with the Symantec cloud. You can still manage all policies through the cloud portal, but it must replicate on site. This is because the heartbeat is sent to the SEPM and not the cloud portal.

Symantec aren’t the first to offer a cloud solution though. It seems more and more security vendors are jumping on the cloud band wagon and offering their users the ability to manage their environment from a centralized cloud portal. 

Microsoft have their Defender ATP and Sophos have Central.
If you interested on how they stack up, here’s a useful link:
https://www.gartner.com/reviews/market/endpoint-protection-platforms

With these cloud solutions comes fancy new toys and potential money saving opportunities. All this seems like a no brainer but what do you lose?

For some, not much but for others, you lose certain controls. This could sound worrying at first but is handing over the reins the future?

If you have worked with enterprise AVs before you might be used to having full customization of your endpoint solution. This could be applying Host Integrity rules or manually entering ‘Hard coded controls’ just in case the signature/heuristic scan fails. This level of manual input can be useful, especially when new threats emerge. Configuring ADC rules to not allow known ransomware extensions can put your mind at ease when new variants surface.

Even if your endpoint has the signatures of these threats, if the agent is overrun or hindered, it’s traditionally scanning method could be bypassed. This is something I have witnessed myself. This is why hard coded application controls can often be a stronger solution or at least a backup. The endpoint doesn’t have to use its brain or match hashes. It simply follows a set rule and actions accordingly. Kind of like a basic ‘IF Then’ rule.

The problem with this is you must maintain it and keep it up to date. The other thing to keep in mind is that the rules are only as good as the engineer who is implementing them. You must be sure the person knows what they are doing. This isn’t just specific to ADC rule, this counts across the whole platform. Having all this manual input from different engineers could really break or weaker your AV if not done correctly.

If you do work in IT, especially in the security field, it will be no shock to hear that vendors first point of troubleshooting is to blame the Antivirus for everything. “You must lift this, this and that”. Their recommendation can be to exclude whole directories in order to fix the solution. This is often not required, and a simple exclusion based on the hash of the application could be all it takes. Lifting these file paths might not seem like much but what this basically does is stop your AV from touching any files within this path. To a malicious party, this is perfect. Vendors do publish what is “recommended” on their site so if a hacker has this information, they can tailor their attack around this. Knowing what you scan and don’t scan is a big advantage.

This is exactly why handing over the reins could be the future, after all you are paying for it. Why wouldn’t you expect the endpoint to be able to handle all of this. This could be why Microsoft have designed their ATP cloud the way they have. It is basically a virtual SOC that does all the leg work for you. If it does need your help, it will present you a full breakdown on what happened which in turn helps highlight what you need to do in order to resolve the incident.   

You shouldn’t need to worry about tailoring your AV to new and advanced threats, this is something they should be doing on their end. They have far more resource and capabilities than you. After all, all you really need nowadays is to have full visibility of your environment and to be made aware of any threats. This should be in the form of a timeline or breakdown report. This takes all the legwork out of it, so you can handle each threat more efficiently.  

That isn’t it. Because they are handling all of this on their end, they can often offer a greater range of services to you and even improve on the services you already have with them. If you are interested in whats out there, here are some solutions out there:

https://www.bitdefender.com/business/enterprise-products/elite-security.html

https://www.eset.com/uk/business/endpoint-protection-standard-cloud/

https://www.webroot.com/gb/en/business

Click to access endpoint-protection-en.pdf

https://www.microsoft.com/en-us/windowsforbusiness/windows-atp