Evaluating Elements of an Effective Endpoint Security Strategy

How can you ensure that your endpoint security selection and strategy is the best fit for your needs and not influenced by marketing hype?

One in every four organizations is looking to refine their endpoint security strategy in the next 12-18 months, according to a recent survey by ESG. This desire for change is surprising in an industry that has existed for more than two decades. Why, more than twenty years later, are organizations still constantly looking to refine their security strategy, which now includes finding a managed services provider that offers streamlined cost-effective security solutions?

The interest in new endpoint security controls is driven by several factors, including fear of breach or business disruption, desire to strengthen security strategy following a breach or malware incident (e.g., ransomware, phishing) development of an incident response program, consolidation of disparate security tools, migration to the cloud/SaaS, or organizational changes like a merger, acquisition, or new security leadership.

With an increasingly large number of endpoint security options to choose from, how do organizations ensure that their selection and overall strategy is the best fit for their needs and not influenced by marketing hype? To develop an effective endpoint security strategy, organizations should focus their research and evaluation process on the following five elements: endpoint detection and response, prevention, patching and vulnerability management, operational simplicity, and product evaluation.

Endpoint Detection and Response

The first critical element of an endpoint security strategy is the emerging area of endpoint detection and response (EDR). These solutions serve as a strategic tool for the security team and provide suspicious activity detection and containment, data search and investigation, threat hunting capabilities, and the ability to harden environments against future attacks.

With increasingly sophisticated and difficult to mitigate threats, no organization is 100 percent unbreachable. It is especially important to invest in EDR if an organization’s risk of targeted attacks is high. Organizations should also be aware that successful use of EDR demands the assistance of security specialists who are able to monitor, understand, and quickly act upon alerts. Less mature organizations with smaller staffs or budgets should consider managed service providers to harness the detection and response power of EDR.


Many organizations believe the “Sophisticated Attack Myth” — that attacks occur simply because the actor was too sophisticated for the organization’s security system to stop them. In reality, many of these attacks can be halted by strong prevention which should be a key pillar of any endpoint security strategy. While legacy AV solutions may no longer provide enough protection on their own, commercial-grade advanced multi-layered protection solutions are available to help. Consider partnering with a managed service provider that offers a solution that includes automatic detection and remediation of known and zero-day threats. Mature machine learning, memory protection, web-threat protection and automatic behavioral detection and response are the most important capabilities. 

Patching and Vulnerability Management

Patching is critical. 99 percent of intrusions are not zero-day attacks. Most bad actors rely on weaknesses in their target’s environment, such as software vulnerabilities. Attackers often closely monitor when vendors disclose vulnerabilities and use this window of opportunity to access an organization’s systems while they know their target is susceptible and likely has not yet implemented the patch.

Organizations with a mature patch management program should pay attention to legacy operating systems and applications. Organizations with a less mature strategy should partner with a managed service provider that focuses on expanding vulnerability and patch management programs to include third-party applications. Due to the time-sensitive nature of patching, it is important to prioritize tasks and alerts. Start by patching most commonly used applications like Windows, Office, browsers, Adobe and Java, which are known to frequently disclose vulnerabilities and release patches. Patching should be aggressive for end-user devices, and organizations may wish to automate patching for these systems.

Operational Simplicity

More products or agents do not necessarily mean more security. Often, they simply mean more overhead and interoperability issues. Consider partnering with a managed service provider that offers solutions with multiple capabilities in a single lightweight agent. Cloud-deployed (SaaS) solutions can also help to reduce an organization’s management burden and provide faster deployments and more security as systems are always on the most up to date version of the solution. Avoid products that are hard to manage or that generate too many alerts and false-positives.

Product Evaluation

The cybersecurity industry is a crowded place, making it challenging for organizations to assess which products will have the biggest impact and the best return on investment. Before purchasing a new solution, perform a thorough evaluation, including a proof of concept. Beware test environment results may be very impressive but may not show how the product will perform under the day-to-day requirements of your environment.

A good next step is to engage with a managed service provider equipped to measure the non-functional requirements of a solution such as threat detection efficacy, impact on system performance and false-positives. Organizations with limited budget and resources should refer to neutral third-party evaluations and ensure that the vendor has performed consistently well in multiple tests instead of a one-off test.