Endpoint Security, Part 5 of 5: A/V Alone is Not Enough

Every organization has deployed anti-virus/anti-malware solutions, but how much have you actually reduced your risk?

To recap what we’ve covered in this 5-part blog series, Aberdeen’s analysis and Monte Carlo modeling:

  • Confirms the high risk of unprotected endpoints
  • Demonstrates that endpoint protection really does reduce risk
  • Confirms that “free” endpoint protection (e.g., Microsoft) is better than no protection at all
  • Shows that in fact “free” endpoint protection is not really free — enterprise-class endpoint protection (e.g., McAfee) actually reduces risk by 60–70% compared to the “free” solution, even net of the incremental licensing cost

In Endpoint Security: Anti-Virus Alone is Not Enough, I wrote about the bigger picture of endpoint security — and found that while 100% of respondents have deployed an anti-virus / anti-malware solution, most organizations have also deployed one or more complementary endpoint security controls as part of a defense-in-depth approach to protecting their users, systems, applications, and data. These include:

  • Endpoint protection (anti-virus / anti-malware)
  • Patch management
  • Configuration and change management
  • Intrusion prevention
  • Email and web security
  • Endpoint data encryption
  • Browser-based security (e.g., reputation)
  • Application whitelisting
  • User behavior (e.g., anti-phishing training)

The reason is that traditional, signature-based approaches to protecting against vulnerabilities, typified by anti-virus / anti-malware solutions — i.e., determining what is “good” by detecting and subtracting what is known to be “bad” — are increasingly being augmented by complementary endpoint security technologies, as part of a comprehensive, defense-in-depth approach.

What I found – in an analysis and comparison of companies whose endpoint security is based on anti-virus software alone, with companies whose endpoint security includes anti-virus and a mix of other complementary solutions – was that the annual business impact for the anti-virus-only group was actually about 1.5 times higher.

Part of this is due to the anti-virus-only group being less operationally efficient — i.e., the top performers generally tend to manage their security initiatives at higher scale and lower cost. Solution providers – such as McAfee – that integrate multiple endpoint security solutions under a comprehensive, integrated management platform also contribute to such operational efficiencies.

But the biggest difference was a result of the anti-virus-only group being less effective — i.e., the anti-virus-only group bore the burden of higher costs not avoided in comparison to companies who deployed greater defense-in-depth to reduce their risk.

Incorporating any of these additional controls into our Monte Carlo model would follow the same basic approach that we have been following so far — that is, starting with informed estimates for:

  • The likelihood of successful exploits, post-implementation of any additional controls
  • Any changes in the business impact as a result of implementation, e.g., a reduction in the time to respond, remediate, and recover from an incident based on improved operational capabilities
  • The incremental cost of implementing and supporting the additional controls

These extensions to the model are beyond the scope of this little 5-part series, but I do plan to continue developing these types of risk-based models in my research and publications going forward. I hope you’ll continue to find them useful!
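To make the three estimates above concrete, here is an added Monte Carlo example (my illustration, not Aberdeen's model or data): it draws an annual exploit rate and a per-incident business impact for a baseline scenario and for a scenario with an additional control, adds the control's incremental cost, and reports the expected annual loss and the net risk reduction. All parameter values are constructed placeholders.

```python
import math
import random
from statistics import mean, quantiles


def poisson_draw(rng, lam):
    """Number of successful exploits in one year at rate lam (Knuth's method)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(rng, n_trials, exploit_rate, impact, fixed_cost=0.0):
    """exploit_rate = (low, high) exploits/year, drawn uniformly per trial;
    impact = (low, mode, high) cost per incident, drawn from a triangular
    distribution; fixed_cost = annual cost of the control under this scenario.
    Returns n_trials simulated annual losses (incidents plus fixed cost)."""
    losses = []
    for _ in range(n_trials):
        incidents = poisson_draw(rng, rng.uniform(*exploit_rate))
        # random.triangular takes (low, high, mode)
        loss = sum(rng.triangular(impact[0], impact[2], impact[1])
                   for _ in range(incidents))
        losses.append(loss + fixed_cost)
    return losses


def compare(baseline, with_control):
    """Expected and 90th-percentile annual loss per scenario, and the net
    benefit of the control (its cost is already inside with_control)."""
    base_mean, ctrl_mean = mean(baseline), mean(with_control)
    return {
        "baseline_expected_loss": base_mean,
        "control_expected_loss": ctrl_mean,
        "baseline_p90": quantiles(baseline, n=10)[8],
        "control_p90": quantiles(with_control, n=10)[8],
        "net_benefit": base_mean - ctrl_mean,
    }


if __name__ == "__main__":
    rng = random.Random(42)  # seeded so the run is reproducible
    # Constructed placeholders: 3-5 exploits/year, $10k-$100k per incident,
    # a control cutting the rate to 1.2-1.6/year for $20k/year.
    base = simulate_annual_loss(rng, 20_000, (3, 5), (10_000, 30_000, 100_000))
    ctrl = simulate_annual_loss(rng, 20_000, (1.2, 1.6), (10_000, 30_000, 100_000), 20_000)
    for k, v in compare(base, ctrl).items():
        print(f"{k:>24}: ${v:,.0f}")
```

A positive net_benefit means the control reduces expected annual loss by more than it costs; the p90 figures show whether it also trims the bad years, which the mean alone hides.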

[Figure: Free vs. Enterprise endpoint protection comparison chart]
