Enterprises are investing in many kinds of endpoint security products to secure their systems, but when those products don't play well together, the systems are left unprotected.
Since no single technology addresses every threat the enterprise has to defend against, security teams cobble together different products to get that coverage. Antivirus looks for malware, encryption tools protect the data, management platforms deploy patches, and application whitelisting and network access controls prevent unauthorized access. The assumption is that this web of defenses blocks most threats, so Absolute Software's conclusion that 42 percent of endpoints are left unprotected at any given time is extremely unsettling.
Absolute Software analyzed one billion change events generated from six million devices over the course of one year from 12,000 organizations across North America and Europe to understand how security products coexist on the endpoint. Many security tools deploy agents on the endpoint and move the processing and analysis to cloud servers. The research focused on the behavior of the agents, and found that as more and more agents are installed on the endpoint, the system’s performance suffers and some agents stop working.
“When agents compete for device resources, some are starved while others feast,” said Absolute’s director of security strategy Josh Mayfield. “When starved, the agent fails.”
Absolute found the average enterprise endpoint has 10 different agents. Even allowing that endpoints need several kinds of protection, that is a lot of agents on a single machine, and it makes the systems harder to manage. Enterprises may think they have the tools and controls in place to tackle the threats, when in reality there are holes they don't even know about. For example, the analysis found that 21 percent of endpoints were missing antimalware protection because the agents were outdated or otherwise not working.
The research also found that 23 percent of the patching tools designed to remediate vulnerabilities in devices and software were broken or disabled. If the agents aren't working, those devices or applications are not getting patched.
Encryption tools are “regularly disabled, broken, or missing entirely,” Absolute said. On devices where the encryption agents stop working, 30 percent of the systems remain unencrypted for more than 60 days.
“The false sense of security they [agents] provide is probably enterprises’ biggest risk,” Mayfield said.
Conversely, there are overlaps, with several agents trying to perform the same tasks. Nine of the ten agents on a typical device fall into five technology categories: encryption, unified endpoint management (UEM), endpoint detection and response (EDR), endpoint protection platform (EPP), which includes antivirus and antimalware, and virtual private network (VPN). The overlap in functionality makes agent collision even more likely, as agents compete for the same system resources. The agent that doesn't get the resources doesn't do its part in protecting the endpoint.
“Whenever you see an agent conflict for resources, it is often the client/patch tool that is last in line and receives relatively little in return,” Mayfield said.
Almost one in five devices become unreachable due to client management tool failures, according to Absolute. If the agents for client management and patching tools don't get the system resources to communicate with the remote console or the central management server—because of port conflicts, for example—then the central server loses touch with those devices the agents are installed on, Mayfield said. The server doesn't know if the agent is not responding because the endpoint no longer exists or if there is a problem with the agent. The end result is that the device is no longer being managed, scanned, or patched.
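The ambiguity described above (a silent management agent could mean a decommissioned device or a broken agent) can often be resolved by cross-checking the other agents on the same device: if the EPP or encryption agent is still checking in, the device exists and the management agent is what failed. The following Python is an added example written for this article, not Absolute's tooling; the record layout, the 24-hour heartbeat threshold, the baseline set of expected agents and the check-in data are all constructed assumptions.

```python
"""Triage silent agents by cross-checking other agents on the same device.

Added example, not Absolute's tooling. The field names, thresholds and the
check-in records below are constructed assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

# Assumption: each console exports (device_id, agent, last_seen) and the
# exports have been merged into one list.
NOW = datetime(2019, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
STALE_AFTER = timedelta(hours=24)                        # assumed heartbeat SLA
EXPECTED_AGENTS = {"uem", "patch", "epp", "encryption"}  # assumed baseline

CHECKINS = [  # constructed sample data
    ("lap-001", "uem",        NOW - timedelta(hours=1)),
    ("lap-001", "patch",      NOW - timedelta(hours=2)),
    ("lap-001", "epp",        NOW - timedelta(minutes=30)),
    ("lap-001", "encryption", NOW - timedelta(hours=3)),
    # lap-002: UEM and patch agents silent, but EPP and encryption still
    # report, so the device exists and the management agents are broken.
    ("lap-002", "uem",        NOW - timedelta(days=9)),
    ("lap-002", "patch",      NOW - timedelta(days=9)),
    ("lap-002", "epp",        NOW - timedelta(hours=1)),
    ("lap-002", "encryption", NOW - timedelta(hours=1)),
    # lap-003: every agent went quiet at once, so the device is likely gone.
    ("lap-003", "uem",        NOW - timedelta(days=40)),
    ("lap-003", "patch",      NOW - timedelta(days=40)),
    ("lap-003", "epp",        NOW - timedelta(days=40)),
    ("lap-003", "encryption", NOW - timedelta(days=40)),
    # lap-004: the encryption agent never reported at all.
    ("lap-004", "uem",        NOW - timedelta(hours=5)),
    ("lap-004", "patch",      NOW - timedelta(hours=5)),
    ("lap-004", "epp",        NOW - timedelta(hours=5)),
]


def triage(checkins, now=NOW, stale_after=STALE_AFTER, expected=EXPECTED_AGENTS):
    """Classify each device as 'healthy', 'agent_broken' (some agents silent
    while others still report), 'device_missing' (every agent silent) or
    'agent_missing' (an expected agent never reported).

    Returns {device: (status, sorted list of agents needing attention)}.
    """
    by_device = {}
    for device, agent, last_seen in checkins:
        by_device.setdefault(device, {})[agent] = last_seen

    result = {}
    for device, agents in by_device.items():
        stale = sorted(a for a, seen in agents.items() if now - seen > stale_after)
        missing = sorted(expected - set(agents))
        if stale and len(stale) == len(agents):
            result[device] = ("device_missing", stale)      # nothing alive on it
        elif stale:
            result[device] = ("agent_broken", sorted(set(stale) | set(missing)))
        elif missing:
            result[device] = ("agent_missing", missing)
        else:
            result[device] = ("healthy", [])
    return result


def unprotected_share(triaged):
    """Fraction of devices that still exist but have a broken or missing
    agent. Devices judged gone are excluded from the denominator so they do
    not mask live, unmanaged machines."""
    present = {d: v for d, v in triaged.items() if v[0] != "device_missing"}
    bad = sum(1 for status, _ in present.values() if status != "healthy")
    return bad / len(present) if present else 0.0


if __name__ == "__main__":
    triaged = triage(CHECKINS)
    for device, (status, agents) in sorted(triaged.items()):
        print(f"{device}: {status} {agents}")
    print(f"unprotected share of live devices: {unprotected_share(triaged):.0%}")
```

The point of the split between `device_missing` and `agent_broken` is that the management console on its own cannot tell the two apart; only a second, independent agent's heartbeat from the same device gives the answer. In practice the input would come from each vendor's console export or API rather than an inline list.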
The fact that some security technologies don't always work well when another product is installed on the same device won't surprise system administrators. IT teams know that agents sometimes get disabled on the endpoint and nobody notices for days on end. Absolute's research quantifies the extent of the problem and the impact agent collisions have on the endpoint.
"The organizations we typically tout for being 'sophisticated' are actually the ones with the most severe endpoint entropy," Mayfield said, noting that sophistication in this context implies heavy investment in security tools. "These organizations with a boatload of controls, apps, and agents are actually increasing the frequency of collision."
This isn't a judgment on the quality of the security technology. "It is a natural and ordinary outcome from increasing the number of tools fighting it out in zero-sum competition," Mayfield said.
Even with the shift to network monitoring and cloud-based tools, the endpoint is still the most important part of enterprise defense, because that is where the logs and change events are generated. Security agents need to be resilient: an agent should restart or heal itself when it stops working, instead of waiting for administrators and users to notice.
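A minimal version of the self-healing behaviour described above is a watchdog that probes the agent, restarts it with backoff, and, crucially, stops after a bounded number of attempts and escalates, because an unbounded restart loop is itself a resource hog that would starve the other agents on the device. The Python below is an added example, not any vendor's agent code; the probe and restart callables, the restart limit and the simulated flaky agent are assumptions so that the block runs offline.

```python
"""Self-healing watchdog pattern for an endpoint agent.

Added example, not any vendor's agent code. The probe/restart callables,
the restart limit and the simulated agent are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, List
import time


@dataclass
class Watchdog:
    probe: Callable[[], bool]       # returns True when the agent is alive
    restart: Callable[[], None]     # attempts to start the agent
    max_restarts: int = 3           # assumed limit before escalating
    base_delay: float = 0.0         # seconds; grows exponentially per attempt
    sleep: Callable[[float], None] = time.sleep
    log: List[str] = field(default_factory=list)

    def run_once(self) -> str:
        """One supervision cycle: 'alive', 'recovered' or 'escalate'.

        A crash loop (the agent dies again after every restart) ends in
        'escalate' after max_restarts rather than an endless restart storm.
        """
        if self.probe():
            return "alive"
        for attempt in range(1, self.max_restarts + 1):
            self.log.append(f"agent down, restart attempt {attempt}")
            self.restart()
            self.sleep(self.base_delay * 2 ** (attempt - 1))  # exponential backoff
            if self.probe():
                self.log.append("agent recovered")
                return "recovered"
        self.log.append("restart limit hit, escalating to operator")
        return "escalate"


class SimulatedAgent:
    """Constructed stand-in for a real agent process: it dies `crashes`
    more times before a restart sticks; crashes=None means it never comes
    back (for example, a port held by a colliding agent)."""

    def __init__(self, crashes, up=False):
        self.crashes = crashes
        self.up = up

    def probe(self) -> bool:
        return self.up

    def restart(self) -> None:
        if self.crashes is None:
            return                  # start fails every time
        if self.crashes > 0:
            self.crashes -= 1       # crashed again right after starting
        else:
            self.up = True


def supervise(crashes, up=False, max_restarts=3):
    """Run one watchdog cycle against a simulated agent and return
    (outcome, log lines)."""
    agent = SimulatedAgent(crashes, up=up)
    wd = Watchdog(agent.probe, agent.restart, max_restarts=max_restarts,
                  sleep=lambda _seconds: None)   # no real waiting in the demo
    return wd.run_once(), wd.log


if __name__ == "__main__":
    for crashes in (0, 2, 3, None):
        outcome, log = supervise(crashes)
        print(f"crashes={crashes}: {outcome}")
        for line in log:
            print("  ", line)
```

On a real endpoint `probe` would query the service manager (for example `systemctl is-active` on Linux or a service status query on Windows) and `restart` would start the service; the escalation branch would raise an alert to the management console so that an agent that cannot be revived is reported rather than silently absent.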
"The resilient ones bounce back, they heal, they recover, and sometimes, they’re even resurrected from the dead," Mayfield said.
Absolute cited Morgan Stanley figures estimating global IT security spending of $128 billion by 2020, with endpoint security spending accounting for nearly a quarter of the total. That is a lot of money to be spending, especially if the software isn't working all the time.
“Increased security spending does not increase safety,” said Absolute’s CEO Christy Wyatt.