Neil MacDonald

A member of the Gartner Blog Network

VP & Gartner Fellow, 15 years at Gartner, 25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…
Does Protecting Desktops Require a Different Vendor/Product than Protecting Servers?

by Neil MacDonald  |  September 29, 2011  |  2 Comments

I’ve made it a point over the past 6 months to ask clients if they are combining their endpoint protection platform contracts across desktops, laptops and servers. In most cases (about 75%), the answer is yes – contracts are being combined in order to reduce complexity and costs.

Is protecting a desktop different than a laptop? Yes.

Is protecting a server different than a desktop or laptop? Yes.

However, does this mean that we need a different vendor, product and console for each of these? Or is it better to use one consistent set (palette) of controls and simply choose a different mix for each type of endpoint based on its needs? For example:

  • All desktops and laptops need AV. Some servers need AV (general-purpose file servers, for example), and most organizations require AV on all Windows servers by policy.
  • Application control is more easily applied to servers, which tend to be more static. However, some fixed desktop scenarios are well suited to application control (e.g. call centers), and leading application control vendors are innovating in how they manage trusted change in desktop scenarios.
  • Host firewalling is important on both desktops and laptops, but tends to be valued more on laptops that move out from behind perimeter protection. Servers in the data center behind fixed firewalls may not need it at all.
  • Deep-packet-inspection host-based intrusion prevention (HIPS) is of value on both desktops and servers, but the ‘virtual patching’ capability of this style of protection tends to be valued more on servers that can’t be patched as frequently.
  • Rules-based HIPS tends to be used more on servers, where rules about normal application behavior are more easily defined.
  • Behavioral HIPS tends to be used more on laptops and desktops to augment traditional signature-based AV and protect against zero-day attacks, because these devices routinely deal with arbitrary code. This isn’t as important on servers: they don’t routinely deal with arbitrary code, and organizations don’t want to risk an occasional false positive there.
  • Servers are great candidates for file integrity monitoring (FIM). Few desktops will use it, but I’ve had clients with desktops that fell in scope of PCI where they used file integrity monitoring on those desktops.
  • Laptops are great candidates for full drive encryption, but some fixed desktop and server scenarios make sense for full drive encryption as well.

The set (palette) of controls is the same – AV, firewall, HIPS, FIM, application control, encryption and so on, working together as a system. You pick and choose which controls are used and which policies are enforced based on the endpoint (desktop, laptop, server and, increasingly, mobile devices) and its usage scenarios. Think of the information security professional as an artist with a palette of colors/controls.
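To make the palette idea concrete, here is an added example (not code from the original post or from any vendor's product) that encodes the control-selection reasoning above as policy rules. An endpoint is described by a handful of attributes, each palette control is a predicate over those attributes, and the same rule set yields a different control mix for a desktop, a laptop, a PCI-scoped kiosk and two servers. The attribute names, the 30-day patch threshold and the sample fleet are all assumptions chosen for illustration; the fleet entries are constructed, not real hosts.

```python
"""Control-palette selection: one set of controls, a different mix per endpoint.

Added example (not from the original post). The endpoint attributes, the
patch-interval threshold and the sample fleet below are assumptions that
encode the reasoning in the post; adjust them to your own policy.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    name: str
    kind: str                            # "desktop", "laptop" or "server"
    os: str = "windows"
    mobile: bool = False                 # leaves the perimeter (laptops)
    static_workload: bool = False        # rarely changes (servers, kiosks, call centers)
    handles_arbitrary_code: bool = True  # users open mail, browse, install software
    patch_interval_days: int = 30        # how often the host can realistically be patched
    pci_scope: bool = False              # in scope for PCI DSS
    behind_fixed_firewall: bool = False  # data-center host behind a fixed firewall
    sensitive_data_at_rest: bool = False


# Each rule: control name, predicate over the endpoint, and the reason it applies.
Rule = Tuple[str, Callable[[Endpoint], bool], str]

PALETTE: List[Rule] = [
    ("av",
     lambda e: e.kind != "server" or e.os == "windows",
     "all desktops/laptops; Windows servers by policy"),
    ("application_control",
     lambda e: e.static_workload,
     "static workloads where trusted change is manageable"),
    ("host_firewall",
     lambda e: e.kind != "server" or not e.behind_fixed_firewall,
     "desktops and laptops; servers unless behind a fixed data-center firewall"),
    ("hips_dpi_virtual_patching",
     lambda e: e.kind == "server" and e.patch_interval_days > 30,  # assumed threshold
     "servers that cannot be patched promptly"),
    ("hips_rules",
     lambda e: e.kind == "server",
     "normal application behavior is definable on servers"),
    ("hips_behavioral",
     lambda e: e.kind != "server" and e.handles_arbitrary_code,
     "augments signature AV where arbitrary code is routine"),
    ("file_integrity_monitoring",
     lambda e: e.kind == "server" or e.pci_scope,
     "servers, plus any endpoint in PCI scope"),
    ("full_drive_encryption",
     lambda e: e.mobile or e.sensitive_data_at_rest,
     "laptops, and fixed hosts holding sensitive data"),
]


def select_controls(endpoint: Endpoint) -> Dict[str, str]:
    """Return {control: rationale} for every palette control whose predicate holds."""
    return {name: why for name, pred, why in PALETTE if pred(endpoint)}


def diff_profiles(a: Endpoint, b: Endpoint) -> Tuple[set, set]:
    """Controls applied only to a, and controls applied only to b."""
    ca, cb = set(select_controls(a)), set(select_controls(b))
    return ca - cb, cb - ca


# Constructed sample fleet (hypothetical hosts, not real data).
FLEET = [
    Endpoint("office-pc-01", "desktop"),
    Endpoint("sales-laptop-07", "laptop", mobile=True),
    Endpoint("cc-kiosk-12", "desktop", static_workload=True, pci_scope=True,
             handles_arbitrary_code=False),
    Endpoint("fileserv-01", "server", static_workload=True, handles_arbitrary_code=False,
             patch_interval_days=90, behind_fixed_firewall=True),
    Endpoint("lnx-app-03", "server", os="linux", static_workload=True,
             handles_arbitrary_code=False, patch_interval_days=14,
             behind_fixed_firewall=True),
]

if __name__ == "__main__":
    for ep in FLEET:
        print(f"{ep.name} ({ep.kind}):")
        for control, why in select_controls(ep).items():
            print(f"  {control:28s} {why}")
    only_laptop, only_server = diff_profiles(FLEET[1], FLEET[3])
    print("laptop-only:", sorted(only_laptop))
    print("server-only:", sorted(only_server))
```

The point of the structure is that there is one PALETTE and one selection function; the differences between a laptop profile and a server profile fall out of the endpoint's attributes rather than from a separate product or console per endpoint type. Adding a new control (or a new endpoint attribute such as "mobile device") means adding a rule, not a second policy model.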

Do we need a different product/vendor/console for server security versus desktop security? Or a single product/vendor/console with the ability to pick and choose the appropriate controls and policies?

How does your organization handle this?

Category: Beyond Anti-Virus, Endpoint Protection Platform, Next-generation Security Infrastructure

2 responses so far

  • 1 Kris Tuttle   September 30, 2011 at 8:35 am

    From what I can tell, many users of desktop and laptop computers are a giant security hole thanks to the ineffectiveness of antivirus tools to block software programs like keyloggers.

    There should be way more encryption going on in these environments including keystrokes and using out-of-band methods.

    I’m not a security expert but all these breaches and the inattention to laptop and desktop keylogging leaves me baffled.

    What am I missing?

  • 2 Neil MacDonald   October 5, 2011 at 9:34 am

    @Kris,

    Multiple issues here – one is to help shut down the vulnerability that the keystroke logger used to get installed. So the basics are important – patch management, config management, vulnerability assessment. Also, running users as standard user (not admins) helps significantly esp. with rootkits.
    http://blogs.gartner.com/neil_macdonald/2011/08/23/the-single-most-important-way-to-improve-endpoint-security/

    There are solutions that go beyond this – e.g. Blue Gem, Trusteer, even McAfee DeepSafe (just announced)…

    Another approach is to periodically reset the OS back to a known good state to remove malware (requires changes in operational processes); see this:
    http://blogs.gartner.com/neil_macdonald/2011/06/16/improving-security-by-killing-server-and-desktop-workloads/

    @nmacdona