Next Generation Endpoint Security as an alternative to Security Patch Management

AUG 5, 2019

812.67 million malware infections were reported in 2018. In that year alone, Microsoft’s monthly “Patch Tuesday” security patches addressed 682 vulnerabilities. With the frequency and volume of new threats increasing, organizations will need to implement a patch management mechanism that can ensure that all servers and endpoints are not exposed to vulnerability exploits and are patched in a systematic and timely fashion. To do this, CIOs need to maintain their patching of servers and perform thorough regression testing before deploying the patches into their production environment. However, this method has 2 constraints:

  1. For organizations that have branches and systems in remote locations where Internet bandwidth is limited, an engineer may need to be sent to the site to install the patch manually. This requires downtime and is costly. Our analysis shows that such a procedure can take anywhere between 2-3 hours per device and would cost anywhere from USD 200 to USD 1000 per day, excluding lost revenue due to downtime.
  2. Further, organizations may find it impractical to send engineers to install patches in all their branches and to turn around new patches on a monthly cadence. Failing to maintain patches at that frequency not only increases the vulnerability of their IT solutions but, in many cases, causes the organization to fall short of data security standards such as PCI DSS.

Through collaboration with our partner, Rock Melon Ltd, and VMware Carbon Black Inc, we developed a Next generation Endpoint security solution for organisations that face such challenges. One example is a regional oil and gas company that has a nationwide network of petrol stations in both major cities and rural areas. This oil company faced a dilemma: spend millions of dollars a year to maintain the security patches on their Point-of-Sale (POS) devices, or lose their PCI DSS certification, which would lead to a breach of contract with their payment providers and potential revocation of their license to operate in the country. The solution we developed was approved as a Compensating Control by a QSA, removing the need for the organisation to install the security patches on a monthly basis.

Another oil and gas company had a far more challenging problem: their operating system had reached End-of-Life, so Microsoft no longer supports it or issues security patches for it. As our endpoint security solution uses cloud reputation services, IT-based trust policies and multiple sources of threat intelligence, the solution ensures that only trusted and approved software is allowed to execute on an organization’s critical systems and endpoints, even when the operating system has reached End-of-Life. As a result, this oil and gas company avoided the need to spend millions of dollars to upgrade their operating system while still being protected from vulnerability exploits.

Our solution combines application whitelisting, file integrity monitoring, full-featured device control and memory/tamper protection that watches for behavioral indicators of malicious activity and conducts continuous recording of attack details to provide rich visibility into everything suspicious that attackers attempt to do. With such solutions, companies would be able to harden their new and legacy systems against all unwanted change, simplify the compliance process, and provide the best possible protection for payment systems at a large scale in distributed locations.

Contact us to discuss how our Next generation Endpoint security solutions can help you reduce security maintenance costs while protecting your critical applications.