I’ve had several calls recently where clients are looking to switch their endpoint protection platform vendor from one provider to another because they’ve gotten infected and they believe that switching vendors will provide them better protection. The scenario usually goes something like this: they are using vendor X, got infected, scanned the machine with a solution from vendor Y that detected and removed the issue. So, they want to switch to vendor Y.
Before getting into the pros and cons of switching vendors in my discussion with clients, I always check to make sure they are doing the basics right:
- Are the systems kept up to date with patches?
- Are we patching further up the application stack to include things like Adobe products and other common desktop applications?
- Are users configured with standard user rights?
- Is traffic being filtered for malware at the edge between the user and the Internet – specifically email and web security gateways?
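Two of those four questions can be answered on the endpoint itself. The script below is an added example, not something from the original post or from any particular vendor: it lists who holds local administrator rights and what OS patches are still pending on one Windows machine. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module and uses the standard Windows Update COM interface; it does not cover third-party application patching or the email/web gateway questions, which have to be checked at the patch-management and perimeter layers.

```powershell
# Added example (not from the original post): local hygiene check for two of the
# checklist questions on a single Windows endpoint. Run in an elevated prompt so
# the Windows Update search is allowed to complete.

# --- Are users configured with standard user rights? ---
# Anything in the local Administrators group other than the built-in account and
# the IT break-glass account is worth a conversation with the user's manager.
"Members of the local Administrators group:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# Is the account running this script itself carrying an admin token?
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Current user $($identity.Name) has an admin token: $isAdmin"

# --- Are the systems kept up to date with patches? ---
# Windows Update only sees the OS and Microsoft products; Adobe and other
# desktop applications need their own check (see the next checklist item).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")
"Pending OS/Microsoft updates: $($result.Updates.Count)"
foreach ($update in $result.Updates) {
    " - $($update.Title)"
}

# Rough freshness indicator: the five most recently installed hotfixes.
"Most recent hotfixes:"
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize
```

If the Administrators listing shows everyday user accounts, or the pending-update count is well above zero on a machine that was "fully patched", those findings explain the infection better than the antimalware vendor does, and they are the items to fix before any vendor switch is discussed.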
It’s a lot like having a problem with muddy carpets and wanting to switch vacuum cleaners to one that removes more of the mud. If you don’t start with the basics, you’ll still have a problem with muddy floors even after you switch vacuum cleaner providers.
Our focus should be on eliminating the root causes. How is the mud getting into the house to begin with? Why aren’t we removing the mud at the door? Do the users (kids) know to avoid playing in the mud? Even if mud gets in, why aren’t the carpets coated with Teflon?
The vacuum cleaner (and signature-based antimalware protection) only treats the symptoms, not the root cause. Switching vendors may make us feel better, but until we start tackling the root causes, we’ll still be getting infected… and mud on the carpets.