You've already met two of our panel members, but I'll just ask you to briefly introduce yourselves again and just give your opening statement on the topic of this discussion, which is: it all starts with the endpoint. Good.
So, thank you very much for allowing me to join later. My name is Lars Faustmann. I'm part of HP and I'm representing the digital services group for CEE, so for Central and Eastern Europe. And obviously for us at HP, endpoint security starts with hardware and goes to the operating and the software. And I'm looking forward to this panel discussion.
Hi again, Andy Aplin, the VP of Solutions Engineering for Netskope. So as I was explaining a little bit earlier about the zero trust model, when we talk about the endpoint, the way we see this is that data typically resides in one of two places now. So it's either going to be within the application or it's going to be on that endpoint. So we have to make sure that we've got control of both and obviously focus on that movement between the endpoint and the application.
Hi everyone again. I'm Abhi and I would keep it simple because I already took a lot of time in the previous question. If you see the title, it's really amazing, you know, it all starts with the endpoint. So all the good things, getting your access to the resource to get the work done, all the bad things, you know, having an attack and then distracting or disrupting your systems. And I always say, if identity is the gateway to the kingdom, then the endpoint is the launchpad towards that kingdom.
So in the context of work from anywhere though, I mean, are we all sort of more or less in agreement that the endpoint is where it all starts?
Sure it is. Yeah. 100%. But it's not just the PC. It's also a printer, for instance. Right. So there are many endpoints that we have and we need to manage them and need to secure them.
Yeah, I totally agree. It's all about enabling effective use of your workforce. The workforce is typically on the endpoint. So wherever they be working from, whether it be within the office or remotely, we spoke about hybrid working earlier and that flexibility to have a consistent approach to both security and access so that, you know, there is no weakness there when you actually try to enable these services.
But now you've both spoken about the proliferation of endpoints. I mean, now we've got so many more endpoints than we ever had before. I mean, is it realistic to have efficient security on these things?
I believe it is getting there. So IoT is definitely on the radar of pretty much every organization now. It's understanding all of those devices. As Lars said, when you're talking about endpoints, it's not just the laptop. It can be the printers, the security cameras, anything that is on the network effectively with an IP address now. Internet of Things is something that is absolutely happening. Giving visibility of that, checking the posture of those devices is something that is also critical. So I led with ZTNA, but I also mentioned that we deliver our technology as an SSE platform, the Secure Services Edge. So we can actually see visibly when these IoT devices start to need to do updates across the internet, understanding what they're doing, when they're doing it. So again, it is about that endpoint and its access again.
So is Zero Trust an effective way of actually dealing with this? I mean, is this a good approach? Is this a good use case for Zero Trust?
It's indeed a good use case because the work from home or work from anywhere is not going to go anywhere. So this is now a new norm, and Zero Trust typically allows us to go towards that direction. And the best thing with Zero Trust is we not only evaluate the identity, but we also evaluate the device. Is it compliant? Is it going with a managed device? So it's going with the recommendation or your security baseline, and then it's an AND operation. So it's an identity and your device. It doesn't have to be an OR. So Zero Trust is going to play a major role in this whole area.
Absolutely. I think we're all in violent agreement here that this Zero Trust approach is the only way forward because otherwise we start blaming employees for clicking some links. You know, the world is so complex. We discussed hybrid. It's impossible, right? And we need to be able to put our workforce in a position that they can safely work without being frightened, you know, being dismissed everything a little day. So therefore, the Zero Trust for IT security is, for me, an essential approach.
Okay, but now the key question is you've got all these devices, all these users. How do you make sure that they are those users, that they are those devices? What are the best authentication methods that you've found? I mean, you've done a practical implementation.
Yeah. So even before going to the authentication method, I think what we need is basically to have a device repository. So we need to have whatever the devices in our organization, what are devices they're using, we need to mark them. And having a solid repository then allows, as I said, it needs to be an AND operation, identity and device. And then device comes from a different number of checks. This would be my takeaway on that.
Yeah. I'm with you on that. You're going to need your source of truth for the identity of the user. I think that doesn't go away. People, you know, whether you're using biometric authentication on the device or simple username or password, obviously secondary authentication comes into play. There's going to be different aspects that allow you to build up the confidence of the user. And then on your device side, measuring those devices. We do see that Zero Trust, what we've been discussing, seems to be mostly focused about that trusted device, which is where you're going to give most privileges. But the world is moving away not just from using a trusted device. There's going to be a clientless approach effectively, a BYOD device that also comes into play here. So you still have to do the user authentication irrespective of whether you trust the device or not. But if you are a trusted device, then clearly you will probably give more privileges to that user as part of that posture validation of the device and the user. And then you move into an untrusted device where you still want to give access, but you're going to give less access to that untrusted device in the Zero Trust model.
Okay. That's great. So then just moving away from the kind of authentication side of things to the wider security tool set, sort of what are the best security tools for protecting endpoints from things like malware, ransomware, and obviously phishing and other attacks?
Maybe I take that, right? We at HP, we are not so strong in the authorization, the authentication part. But from a wider perspective, what we do is we isolate, right? So we have in our Wolf Pro Security solution, there's a virtual micro machine, which basically isolates every task, every software, every web browser, every Microsoft application, and runs it in this little environment. And if there is a phishing threat, if there is a ransomware inside, you still work as usual, right? It does not impact any of your normal behavior, right? But if there is an attack, you just close the window and you close the attack, right? So without affecting any of your operating system, any of your hardware, any of your firmware. So once you close it, you can simply rely on it. But when you close it, obviously, it still resides with the cyber forensic team who can later on analyze it, understand where the threat comes from, et cetera, right? But from a user perspective and from a data security perspective, it's gone.
Yeah.
I know that there was a term we used to use about defense in depth, historically, where you would build many layers of security. I think seeing data in real time and addressing those threats in real time is obviously key. And then you have to have a set of engines that you're going to use to actually do that assessment. So you'll have your signature-based engines, your heuristic engines, and clearly your sandboxing capabilities. And every single vendor does take a similar approach. What we've seen as a trend in behavior now is that for ourselves as an SSE provider, we take that traffic in real time. We understand precisely what the user is doing. We can do the application activity decoding. We can look at the instance of an application to know exactly where the user is going. And we have our own engines in line to look at those threats. But I don't think it should stop there. I think integrations into third-party tooling also play their role. So looking at the EDRs, those complementary technologies where you can exchange an IOC between multiple platforms so that you're building that defense in depth, but not in a traditional approach, in a more holistic way with the modern technologies that we have, where we can pass off and work collaboratively with other technologies to give you that second opinion.
Okay. So the methods you've described now, though, is that still effective when they're off-site? I think it's also challenging for many organizations to monitor these devices when they're off-site. They buy other networks and so on. And it's back to the work from anywhere, because it's not just work from home, so you don't have that kind of control. I don't know. I'll just start with Abhi.
Yeah. So there are different challenges. And I'm not going to say anything related to vendor. I want to be a bit neutral.
So, yeah, there's always a challenge in knowing from where you're coming. But it all then goes back to how we are designing our solution. So it means we can, the same concept of defense in layer, we can just have this defense in layer depending upon from which location or from which device you are coming on. If it's an unknown device, but still you are trying to access, your identity has been validated, so you can have access to a very small subset of the systems until you are able to provide back on the back. And I will again go back to the basics. We need to make sure that the users shouldn't have the admin access or any other access on their devices. So be lean as much as possible. And for the vendor part, I will hand it over to you guys.
Thank you very much. Yes. So you can get a constant security posture, absolutely. When Gartner came out with the SSE Magic Quadrant, it was the collapsing of secure web gateway, CASB, ZTNA into one platform. And that automatically in itself says, right, we can address these key use cases that an organization will want to address. And again, if I go back nine or ten years, Netskope as an organization, we kind of led with saying, we'll put an endpoint agent on the device. So whether you're on prem or off prem, working remotely or in the office, you can have that agent active. And that sort of method still holds true today. But what we've seen is that organizations have now accepted the fact that an agent isn't a bad thing. It's actually a good thing. Because the processing is done in the cloud. Now, it's not doing it on the endpoint. I think there was a lot of negativity about having that consistent ability to sort of enforce because you were doing too much on the endpoint, eating battery, eating resources. Now you're doing it in the cloud. The endpoint steering client does what it says. It steers the traffic. So you can provide that consistent posture for security.
Thank you for leading the way here right through an agent. So historically, HP has as well something called Proactive Insights where we learn, like our smartwatch monitors the device, our smartwatch monitors our body. We do have this. But I think there is the next level is what we call Workforce Experience. We want to integrate all the different tools that we have, monitoring our printers, our PCs, our smartphones. Bring it together and understanding the heartbeat of the device, understand how we can effectively manage them, and obviously have not just an inventory, but an AI-driven remediation tool, which allows IT admins to be fast and effective in remediating issues that are appearing across the fleet.
Okay, great. And just like that, we've torn through 20 minutes, can you believe? So I'm going to ask you for closing statements from you starting with Abhi.
Yeah, I will go back to my opening statement. So device is a launchpad now. So make sure to protect your launchpad and go towards the basic and make sure to start with the device inventory.
And I think I'd like just to conclude with the fact that we see the consolidation of all security services in the cloud delivery model as the way to go. It's simplification, it's cost reduction, and it allows a consistent user experience and consistent protection for security.
And for us as HP, the endpoint is the battle place for data, people, the internet, where we meet. And obviously we need to have appropriate solutions, HP offers appropriate solutions to meet the challenges of the modern workforce in a hybrid world.
So you all... That's great, thanks. You're all very quick and succinct. So we have got like a little bit of time for questions in the room. So come on, guys. You've got... And girls. You've got an experienced panel here who've done sort of real-world implementations of this stuff. So please take this opportunity to ask some questions.
Yes, great. Let me just grab your mic. Thanks.
Thank you. I think it's all about, aside from the endpoint, it's all about the access policy, which builds a frame about everything. So what is your approach to define such access policies? Do you group applications in terms of security or how do you... What's your approach?
Yeah. So who wants to answer?
So we need to define the applications in the tiering model. So we need to define how critical it is of the application. The more critical the application is with those labels, the more rigorous test we need to do on that. And as I said, when it comes to the endpoint, then we need to have an AND statement. So we need to validate the identity and then validate the device. Does this device belong to this identity who is claiming? And after all those calculations, then we need to go with the sensitivity, how much level of access this application has. What is the sensitivity of that application? So depending upon that sensitivity, we need to adapt and require either more authentication or we can be a bit relaxed on that.
And I think what we see is that there's a best practices approach as well when you introduce policies in this way. So we typically find that there's a hierarchy to those policies. So your first point of protection is always going to be access control. If you deny access, then that's your ultimate policy. But that's not always going to be the right way to approach this. So we find that we talk about not just access control, we talk about adaptive control. This is where we start to include the activities of a user.
So allowing somebody to reach a service, but perhaps not upload or download, depending upon whether it's from a managed device or an unmanaged device, and perhaps introducing then context-aware data access. So then we understand precisely what the data is. And if we understand what the data is, then we'll make a decision against that as well. So you build your policies in layers to give you, I guess, your strictest aspect first to reduce the risk, and then you step it down to ensure that you're giving access, but in a safe manner.
Okay, great. Thanks. That brings us very nicely to time. Please show your appreciation for our panel. Thank you.