This hits right home with Network Box, as we do perimeter security and we cringe every time we hear AV companies making the case that moat defenses are a thing of the past. Indeed, if there was someone suffering in the fight against malware today, it’d be just those very companies owning the end point. Yes, the same ones who are telling you to ditch your gateway defenses.
I always like to draw a parallel with the real world; think of the perimeter defense as being the stone fort and moat surrounding your castle. Now, would you remove those and let your enemies through? Wouldn’t you rather stop them at the gate? Or, as far away from your gate as possible, for that matter?
From a stricter technical standpoint, several considerations must be made:
1- End point security is often at the mercy of the end user because it’s possible for an end user to turn it off or reconfigure it incorrectly. The IT department needs to set things up very carefully to avoid this. And even then, there are users who still manage to circumvent such measures.
2- As with every other security system, end point security requires updates. If updates aren’t being correctly downloaded and installed, there is often little feedback (will the end user call IT when he gets that pop-up?).
3- The end point security solution runs on the same platform it’s trying to defend and, consequently, suffers from identical vulnerabilities; in other words, it is itself vulnerable. In fact, the first thing Trojans do when they start running is to take down the end point security, disarm it, and render it useless (assuming it was ever useful to begin with, given that it let the Trojan in). Any Trojan that doesn’t do that is unlikely to be that dangerous anyway.
4- Performance is very often an issue (which irks end users). These end point systems require a large amount of CPU to run, sometimes slowing down the user experience so much that the user ends up doing whatever he can to disable the system. They are, in one word, intrusive!
5- Attacks are complex.
In general, we talk about blended threats. Therefore, claiming that one single technology can defend a network against all threats is pretentious, to say the least. For instance, if your users are browsing dangerous websites, the best defense is to stop them from doing so in the first place. This is called content (or web) filtering, and it’s best done centrally, at the gateway, as a proxy system, and not on every single workstation, because the settings would be a nightmare to maintain.
IPS technology inspects the contents of individual TCP/IP packets, which AVs do not look at, since AVs scan and analyze entire files rather than single packets. Indeed, there are threats called network worms which aren’t detectable by end point technologies because they are, essentially, threats of a different nature.
6- At Network Box we witness an average of 500,000 new threats every day. To put it clearly and bluntly, AV companies simply cannot keep up.
The sheer amount of data they must analyze to create protection is impossible to process in full. New techniques are emerging, all of which can be categorized under the umbrella of real-time behavior analysis. These are mostly cloud-based mechanisms that attempt to correlate malware seen in traps (honeypots) with the same fingerprints seen on workstations. As far as we can tell, no single AV company in the marketplace at the moment is actually able to keep up with the number of threats it has to deal with.
So, the logical question is, how can they possibly claim that perimeter protection is dead? If anything, perimeter defense is more alive than ever, because it ensures updates are done, management is centralized under the strict control of the IT department, and the operating systems deployed are (most of the time) Linux or proprietary and, as a result, not quite as vulnerable as Windows-based systems (or at least their vulnerabilities are not as well known and exploited). There are many more advantages.
To make the case of how strongly I feel about this, I’m personally not running end point security on my computer. None. Why? Because I consider it useless and intrusive.
I’m always behind one of our devices, and I know my traffic is very well scanned, to the point that if our device misses something, I’m fairly confident my EP would miss it as well.