Cloud-based endpoint security services are not yet as mature as the in-house security services enterprises run today. How can a cloud security rollout succeed at this stage, when experience and reference cases are still scarce? This is a question that puzzles many CSOs.
Success depends on two things: a careful assessment of your own requirements on one hand, and a clear understanding of the supplier's products and services on the other. Only this two-pronged approach can turn the cloud security service into a stronghold.
The article "Three major precautions in cloud security: deployment, alerts and reports" gave a preliminary overview. This article goes further and uncovers the various shortcomings of vendors' endpoint security services, so that enterprises can improve cloud endpoint security with full knowledge of the pitfalls and take fewer detours when choosing a cloud service. It is based on the Tolly Group's recently released report on a prototype deployment of service products from five well-known cloud service providers. The findings below should serve as a wake-up call to CSOs: when selecting a product, scrutinize the following details.
Cloud endpoint administrative authorization needs to be clear
Some cloud endpoint security services allow users to create multiple administrative accounts and delegate administration of different enterprise departments to specific administrators. Some services even provide a "read-only" administrator role, designed so that managers can monitor endpoint security without being able to change anything.
Not all vendors can do this. If you want to delegate management of different departments' endpoints to different administrators, check with the service provider whether this functionality is available. Above all, find out exactly which controls an administrator can exercise over the endpoint client.
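The two capabilities the passage describes, delegation of administration by department and a read-only administrator role, come down to a scope check plus a permission check on every console action. The following is an added illustration of that model, not code from the Tolly report or from any vendor's console; the role names, departments, endpoints and administrators are constructed for the example.

```python
"""Constructed example of per-department delegation and a read-only role
for a cloud endpoint-security console (not any vendor's real API)."""
from dataclasses import dataclass

# Console actions that a role may be allowed to perform.
VIEW = "view"
EDIT_POLICY = "edit_policy"
TRIGGER_SCAN = "trigger_scan"

# Role -> granted permissions. The read-only administrator may only look.
ROLES = {
    "full_admin": {VIEW, EDIT_POLICY, TRIGGER_SCAN},
    "readonly_admin": {VIEW},
}


@dataclass(frozen=True)
class Admin:
    name: str
    role: str
    departments: frozenset  # departments delegated to this administrator


@dataclass(frozen=True)
class Endpoint:
    host: str
    department: str


class PermissionDenied(Exception):
    pass


AUDIT_LOG: list[tuple[str, str, str, bool]] = []  # (admin, action, host, allowed)


def authorize(admin: Admin, action: str, endpoint: Endpoint) -> None:
    """Raise PermissionDenied unless the admin's role grants `action` AND the
    endpoint belongs to a department delegated to that admin. Every decision,
    allowed or denied, is appended to AUDIT_LOG for later reporting."""
    allowed = action in ROLES.get(admin.role, set()) and endpoint.department in admin.departments
    AUDIT_LOG.append((admin.name, action, endpoint.host, allowed))
    if action not in ROLES.get(admin.role, set()):
        raise PermissionDenied(f"{admin.name}: role {admin.role!r} does not grant {action!r}")
    if endpoint.department not in admin.departments:
        raise PermissionDenied(f"{admin.name}: not delegated for department {endpoint.department!r}")


def can(admin: Admin, action: str, endpoint: Endpoint) -> bool:
    """Boolean wrapper around authorize() for callers that just need a yes/no."""
    try:
        authorize(admin, action, endpoint)
        return True
    except PermissionDenied:
        return False


# Constructed sample tenancy: one finance administrator, one read-only auditor.
FINANCE_PC = Endpoint("fin-ws-01", "finance")
HR_PC = Endpoint("hr-ws-07", "hr")
FINANCE_ADMIN = Admin("alice", "full_admin", frozenset({"finance"}))
AUDITOR = Admin("bob", "readonly_admin", frozenset({"finance", "hr"}))
```

The point to verify with a vendor is exactly the two checks above: whether a delegated administrator is stopped from acting on another department's endpoints, and whether the read-only role is enforced on the change actions, not just hidden in the user interface.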
Cloud service policy configuration is missing
The rules an endpoint follows at run time are usually defined in a policy configuration file. In the study we tried to create a policy with the following attributes: update the signature file every four hours, run a full scan every day, and exclude specific files and directories from the anti-malware scan. Surprisingly, not all five cloud endpoint security services could implement even these basic policy attributes. One service allowed no change to the signature update frequency and no scan exclusions at all. Another vendor set its default policy to read-only, so every attribute the default policy did not support had to be implemented by creating a custom policy, which was the only way we could satisfy these requirements.
The job of an anti-malware system is to detect and isolate a threat before it damages the endpoint. Normally, quarantined threats should then be reviewed by an administrator. After the review, the administrator removes the real threats and releases the files that were flagged in error, so that a falsely reported file is not blocked again in future scans. Surprisingly (forgive our surprise), not every anti-malware product in the evaluated endpoint security services provides this functionality. Some simply delete every file detected as a virus, and such a blunt approach is likely to cause major problems for most businesses.
We also looked at how administrators can handle files that were wrongly reported as viruses and quarantined. Because some services provide no alert content management at all, administrators simply cannot correct the status of a false positive. Only one product lets an administrator automatically add a false-positive item to the exception list; several others allow exceptions to be added only by hand so that the falsely flagged file can keep working. (Although this work is not complicated, a large number of false positives will obviously consume the administrator's time and effort.)
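The review workflow the two preceding paragraphs describe, isolate first, let an administrator decide, delete confirmed threats, release false positives and put them on the exception list automatically so they are not blocked on the next scan, is shown below as an added example. It is not code from the article, the Tolly report or any evaluated product; the toy signature, file contents and paths are constructed.

```python
"""Constructed quarantine-review workflow: nothing is deleted without review,
and a false positive is released with its hash added to an exception list."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

# Constructed toy signature; a real engine would consult a signature database.
TOY_SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"


def toy_detector(content: bytes) -> Optional[str]:
    """Return a detection name if the toy signature is present, else None."""
    return "Test.Marker.A" if TOY_SIGNATURE in content else None


class Verdict(Enum):
    PENDING = "pending"
    CONFIRMED_THREAT = "confirmed_threat"
    FALSE_POSITIVE = "false_positive"


@dataclass
class QuarantineItem:
    path: str
    sha256: str
    detection: str
    verdict: Verdict = Verdict.PENDING


class QuarantineManager:
    def __init__(self, detector: Callable[[bytes], Optional[str]] = toy_detector):
        self.detector = detector
        self.items: dict[str, QuarantineItem] = {}  # sha256 -> item awaiting review
        self.exceptions: set[str] = set()            # sha256 allowlist (false positives)
        self.audit: list[tuple] = []                 # what happened, for the report

    def scan(self, path: str, content: bytes) -> str:
        """Scan one file: 'clean', 'allowed' (on the exception list) or 'quarantined'."""
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.exceptions:
            self.audit.append(("allowed_by_exception", path, digest))
            return "allowed"
        detection = self.detector(content)
        if detection is None:
            return "clean"
        # Isolate first, decide later: the file is held, not deleted.
        self.items[digest] = QuarantineItem(path, digest, detection)
        self.audit.append(("quarantined", path, detection))
        return "quarantined"

    def review(self, digest: str, verdict: Verdict, reviewer: str) -> str:
        """Apply an administrator's decision to a quarantined item."""
        item = self.items.pop(digest)  # KeyError if nothing is pending for this hash
        item.verdict = verdict
        if verdict is Verdict.CONFIRMED_THREAT:
            self.audit.append(("deleted", item.path, reviewer))
            return "deleted"
        if verdict is Verdict.FALSE_POSITIVE:
            self.exceptions.add(digest)  # automatic exception, no manual re-entry
            self.audit.append(("released", item.path, reviewer))
            return "released"
        self.items[digest] = item  # still pending
        return "pending"


def demo() -> list[str]:
    """Walk the workflow on two constructed files and return each step's result."""
    qm = QuarantineManager()
    trusted_tool = b"legit build script " + TOY_SIGNATURE  # flagged, but known-good
    real_threat = b"payload " + TOY_SIGNATURE + b" payload"
    results = [qm.scan("C:/tools/build.cmd", trusted_tool),
               qm.scan("C:/Users/x/Downloads/inv.exe", real_threat)]
    results.append(qm.review(hashlib.sha256(trusted_tool).hexdigest(),
                             Verdict.FALSE_POSITIVE, "admin1"))
    results.append(qm.review(hashlib.sha256(real_threat).hexdigest(),
                             Verdict.CONFIRMED_THREAT, "admin1"))
    results.append(qm.scan("C:/tools/build.cmd", trusted_tool))  # no longer blocked
    return results
```

Keying the exception list on the file's hash rather than its path is deliberate: a path-based exclusion would also exempt whatever is later dropped at that path, while a hash exception covers only the exact file the administrator reviewed.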
In the last part of the research report we looked at the different ways an administrator can interact with a particular endpoint.
On-demand scan trigger: If an endpoint shows suspicious behaviour or a large number of threats, a security administrator will want an on-demand scan trigger, so that the situation is dealt with whenever it recurs. Surprisingly, one of the five evaluated services did not support this feature at all. The others allow on-demand triggering only at the group level, so to scan a single endpoint we had to create a new group and assign that endpoint to it before a scan could be triggered. We have to ask the vendors: why not provide an option that targets a single device? Under the existing design it is almost impossible for an administrator to implement an automatic scan trigger without manual intervention.
Temporarily disabling anti-malware: Not many programs need antivirus switched off to install correctly, but temporarily halting the anti-malware scanner does simplify troubleshooting on an endpoint. Administrators would therefore like to be able to enable and disable the anti-malware features on an endpoint at any time. The results were again disappointing: only one of the five evaluated services met this requirement. In the others, the only way to stop anti-malware scanning was to uninstall it completely. This is likely to become a stumbling block in the operating processes of many large enterprise users.
Remote wake-on-LAN: A hibernating system typically keeps using signature files that have expired and fails to receive operating system and application security patches in a timely manner. Since most systems perform these maintenance tasks automatically at startup, a mechanism to wake hibernating systems is a very useful feature. The Wake-on-LAN (WOL) feature sends a packet called a "magic packet" to the target adapter's MAC address over the LAN, which triggers the computer's startup process and thereby the scheduled maintenance on each device in the network.
Of the five cloud endpoint service solutions we studied, only one provides a WOL function. The other anti-malware vendors may think this feature contributes nothing to threat detection, but it plays an important role in checking system status and ensuring that systems have the latest patches and virus signatures.
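The magic packet the passage mentions has a fixed layout: six bytes of 0xFF followed by the target's 6-byte MAC address repeated sixteen times, normally carried in a UDP datagram to the broadcast address on port 9 (port 7 is also common). The example below is added here and is not code from the article or any evaluated service; it builds such a packet, recognizes one (useful when checking what a console actually emits, or when tagging WOL traffic in a capture), and sends it. The MAC addresses used are constructed.

```python
"""Constructed Wake-on-LAN helper: build, recognize and send a magic packet."""
import socket

MAGIC_PREFIX = b"\xff" * 6
MAGIC_LEN = 6 + 6 * 16  # 102 bytes


def _mac_bytes(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55 or 00-11-22-33-44-55 (any case); reject anything else."""
    hex_mac = mac.replace(":", "").replace("-", "").lower()
    if len(hex_mac) != 12 or any(c not in "0123456789abcdef" for c in hex_mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes.fromhex(hex_mac)


def build_magic_packet(mac: str) -> bytes:
    """Six 0xFF bytes followed by the target MAC repeated 16 times."""
    return MAGIC_PREFIX + _mac_bytes(mac) * 16


def is_magic_packet(payload: bytes):
    """Return the targeted MAC (colon form) if `payload` is a well-formed magic
    packet, else None. Extra trailing bytes (e.g. a SecureOn password) are
    tolerated; a corrupted repetition is rejected."""
    if len(payload) < MAGIC_LEN or payload[:6] != MAGIC_PREFIX:
        return None
    mac = payload[6:12]
    if payload[6:MAGIC_LEN] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the magic packet for `mac` on the local network; returns bytes sent.
    The sending host must be on the same broadcast domain as the sleeping machine."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    # Constructed address; replace with the MAC of a machine you administer.
    print(send_magic_packet("00:11:22:33:44:55"), "bytes sent")
```

Because the packet carries no authentication, anything on the broadcast domain can wake a host; that is acceptable for the maintenance use the passage describes, but it is one reason the feature belongs behind the console's administrative authorization rather than being exposed openly.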
Although the market for traditional on-premises endpoint security products is quite mature, the cloud-based equivalents are still very green. Because mainstream vendors lack many basic functions, enterprise users may need to compare the functionality of their existing on-premises solution with the cloud endpoint service feature by feature to identify what is necessary but missing. The good news is that cloud service providers can improve their products more easily and more frequently, so customer feedback should be reflected in the solution quickly, which is one of the biggest advantages of the cloud model.