While I’ve written and spoken a lot about the need for comprehensive, enforced endpoint management solutions to ensure all endpoints – servers to smartphones – protect enterprise information and data on a continual basis, many of these solutions (and specifically BigFix, AKA IBM Endpoint Manager) also provide a tremendous tactical tool for assessing and acting upon security intelligence before common technologies like AV and IPS provide detection in the event of an advanced or targeted attack. In addition, solutions like this can be used to take the customized actions that are commonly needed at the leading edge of these kinds of attacks.
Let me provide an example. Let’s say you learn of a new threat. This information could come from a wide variety of trusted sources – your own security analysts, those of your security vendors, trusted colleagues you work with in the security space – there are lots of sources for information like this, and nearly all responses to sophisticated attacks start in this manner. With a real-time (or close to real-time) endpoint management solution in place, you can quickly take the intelligence you gathered, turn it into content for the management system, and rapidly determine what risk this represents to the enterprise. This can be expanded to take specific actions on endpoints that are found to be vulnerable to the threat. Your imagination here is really the boundary: apply a patch, turn off a service, close a port or ports, gather specific files or remnants, or distribute more advanced forensic tools to the vulnerable endpoint so that a security analyst can perform an in-depth analysis of suspect machines. These are just examples of what is possible; the possibilities really are bounded only by technical creativity and the attack itself.
In this example, it is possible for this content to begin executing ON YOUR ENDPOINTS nearly instantly, and as all endpoints come online and receive the new content, you’ll quickly get a very precise view of your enterprise’s vulnerability and subsequent risk to this attack, often well in advance of traditional detection methods providing detection or protection coverage. I emphasized the term “on your endpoints” above because this is fundamental to its usefulness and applicability in this use case. Unlike “outside in” scanning solutions, an endpoint management solution such as BigFix/IBM Endpoint Manager actually executes the intelligence, and any related action you desire, locally inside the endpoint. This is very different from a scanning “query and respond” methodology that relies on the presence of the endpoints within the corporate network and that also introduces the degree of error we commonly observe in scanning solutions.
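To make the workflow above concrete, here is an added illustration in plain Python of what "turning intelligence into content that executes on the endpoint" amounts to. It is not BigFix/IBM Endpoint Manager content and not code from the author; the threat-intelligence record, the product and service names, and the endpoint state snapshots are all constructed for the example. The evaluation runs against the endpoint's own state (file hashes, installed versions, running services, listening ports) rather than probing it over the network, and it returns the per-endpoint findings together with the remediation action each one calls for, so that a report across the fleet can be built as endpoints check in.

```python
"""Endpoint-local evaluation of a threat-intelligence record (added example).

This models, in vendor-neutral Python, the post's workflow: an intel record
becomes a local check that each endpoint evaluates itself, yielding both a
"vulnerable or not" answer and the follow-up action to take. All names and
values below are constructed placeholders, not real indicators.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class ThreatIntel:
    """What we learned about the threat (constructed for this example)."""
    name: str
    file_sha256: set          # hashes of known-bad artifacts to collect
    vulnerable_versions: dict  # product -> set of versions that need patching
    risky_services: set        # services the threat abuses; stop them
    risky_ports: set           # ports the threat relies on; close them


@dataclass
class EndpointState:
    """A snapshot of one endpoint's local state (constructed, not live data)."""
    hostname: str
    files: dict             # path -> file bytes
    installed: dict         # product -> installed version
    running_services: set
    listening_ports: set


def evaluate(intel: ThreatIntel, ep: EndpointState) -> list:
    """Run the intel 'content' against one endpoint's own state.

    Returns a list of (action, detail) tuples; an empty list means the
    endpoint is not exposed to this threat.
    """
    findings = []
    # Known-bad artifacts: hash files locally, never ship file contents around.
    for path, content in ep.files.items():
        if hashlib.sha256(content).hexdigest() in intel.file_sha256:
            findings.append(("collect_file", path))
    # Vulnerable software versions: the fix is to apply the patch.
    for product, version in ep.installed.items():
        if version in intel.vulnerable_versions.get(product, set()):
            findings.append(("apply_patch", f"{product} {version}"))
    # Services and ports the threat depends on: disable them.
    for svc in sorted(ep.running_services & intel.risky_services):
        findings.append(("stop_service", svc))
    for port in sorted(ep.listening_ports & intel.risky_ports):
        findings.append(("close_port", port))
    return findings


def fleet_report(intel: ThreatIntel, endpoints: list) -> dict:
    """Aggregate per-endpoint findings as endpoints report in."""
    return {ep.hostname: evaluate(intel, ep) for ep in endpoints}


def hosts_at_risk(report: dict) -> list:
    """Hostnames with at least one finding, sorted for stable output."""
    return sorted(h for h, findings in report.items() if findings)


# --- constructed sample data -------------------------------------------
BAD_ARTIFACT = b"constructed dropper payload, not a real sample"
INTEL = ThreatIntel(
    name="constructed-threat-01",
    file_sha256={hashlib.sha256(BAD_ARTIFACT).hexdigest()},
    vulnerable_versions={"ExampleApp": {"2.0.1"}},
    risky_services={"ExampleSvc"},
    risky_ports={60123},
)
HOST_A = EndpointState(
    hostname="host-a",
    files={"/tmp/update.bin": BAD_ARTIFACT, "/etc/hostname": b"host-a\n"},
    installed={"ExampleApp": "2.0.1", "OtherApp": "9.9"},
    running_services={"ExampleSvc", "sshd"},
    listening_ports={22, 60123},
)
HOST_B = EndpointState(
    hostname="host-b",
    files={"/etc/hostname": b"host-b\n"},
    installed={"ExampleApp": "2.0.2"},
    running_services={"sshd"},
    listening_ports={22},
)

if __name__ == "__main__":
    report = fleet_report(INTEL, [HOST_A, HOST_B])
    for host, findings in report.items():
        print(host, findings or "not exposed")
    print("at risk:", hosts_at_risk(report))
```

The point of the structure is that `evaluate` needs nothing but the endpoint's own state, so it works identically for a laptop that is off the corporate network and for a server in the data center, and the same record that produces the risk view also names the action to take.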
I’m aware of multiple enterprises using this technology as an invaluable new tool in their toolbox to assist in managing today’s increasingly complex attacks with great success, so it really is something to consider when making endpoint management technology buying decisions. This need will only increase in the future.