ENDPOINT SECURITY RISK is on the rise, with the average cost of a successful attack about $300 per employee, according to a 2017 Ponemon Institute study. You can help save your clients from taking such a financial hit by shoring up their endpoint security. Here we walk through the fundamentals of patching and anti-malware, mobile device management (MDM), remote access hardening, device encryption, device discovery, internal scans, and voice over IP (VoIP) phones. For “extra credit” we include data loss prevention (DLP).
Patching and Anti-Malware
The vast majority of malware acts upon well-known vulnerabilities, often those that have been patched for months or years. Since we all know the importance of patching everything, why do we fail so often at this?
The simplest answer is that patching sucks. Between patches that fail to install properly and truly bad patches that can render endpoints unbootable (here’s looking at you, Microsoft), patching has become a damned if you do, damned if you don’t, experience. Few of us have the luxury of testing patches before deployment, so the best we can do is to read and then patch intelligently, review patch reports, remediate patch failures, and then rinse and repeat.
With millions of new attacks and variants to deal with every month, signature-based defenses are being strained to their limits, rendering traditional anti-malware solutions only marginally effective. Worse yet, most of us rely primarily on this technology both in the firewall and at the endpoints. So be sure to use more than one provider of signatures for your firewall and endpoints, and to monitor and track the performance of your AV clients.
And while many of us use integrated anti-malware in our RMM agents, pulling daily and weekly reports is still vital. As conventional anti-malware reaches its limits, non-signature-based anti-malware options from vendors such as Cylance Inc. (available standalone or in bundles at very attractive pricing through Solutions Granted Inc., of Woodbridge, Va.) are on the rise in the MSP community.
Mobile Device Management
A weak point for many of us is mobile device management. In addition to requiring both patching and anti-malware, mobile devices have their own unique requirements. Device partitioning and granular remote wipe (for the BYOD crowd), as well as other automated deployment and management needs, come to mind here. You must not forget how much more susceptible to loss and theft these devices are, and therefore, how much more important local full disc encryption is for them. Of course, this brings with it such delights as key management and recovery, among other challenges.
One of the most difficult parts of delivering MDM is conveying the need to your SMB clientele. Many of them simply don’t see phones and tablets as “computers” and thus don’t recognize the threat to their organization these devices may pose, especially if lost or stolen.
As with so much else, your job is to educate them first, with perhaps a bit of shock and awe thrown in. Find some online demonstrations of people using “found” phones and tablets to enter networks. Then seek out the right MDM solution that will give you the functionality you need at a price you can resell, or better yet, at one you can bundle into a package with other services. Many MSPs now use IBM MaaS360 (available through distributors such as Pax8) to handle MDM.
Hardening Remote Access
Your remote users who rely upon SSL VPN connectivity should be utilizing two-factor authentication by means of either a token device or, at the very least, one-time passwords to their cell phones. There are some very impressive and highly granular technologies for hardening remote access within reach of SMBs nowadays too. Dedicated SSL VPN appliances now offer “endpoint vetting” so that you can specify active, approved AV clients, updated patching, and other parameters before remote users connect. We are a SonicWall shop at my firm, but all of the big players offer varying but similar feature sets across their product lines.