Where to Place Your Anti-Malware: Endpoint, Network or Cloud?

A customer recently asked me about anti-malware and the different deployment options available for his business. Daily news about cyberattacks, zero-day vulnerabilities, and companies that suffered a security breach made him wonder if the endpoint anti-malware his company has been using is doing what it should.

Protection that follows the endpoint wherever it goes

Malware prevention and detection at the endpoint is a best practice every company should (and probably already does) follow. There are three main reasons to use endpoint agents:

1. Endpoints tend to move and leave the network, so even if you run network-based anti-malware, your endpoints are protected only when connecting to the network.
2. The way to infect the endpoint is not just via the network but also by plugging in a peripheral device (like a USB or camera) that the network doesn’t see.
3. None of the anti-malware solutions protect against all threats, and since they get constant signatures updates (for new known vulnerabilities), it can address threats after infection.

The disadvantages of an anti-malware agent on the endpoint include:

• The complexity involved with deployment
• Updates (clients and signatures)
• False positive investigation
• Performance impact on the machine
• Troubleshooting when it blocks legitimate business applications

In addition, most businesses use multiple platforms (different OSs, legacy solutions, services, appliances) that aren’t supported by most anti-malware vendors.

Inspecting traffic in motion before it hits the target

The biggest advantage of network-based anti-malware is that it inspects the traffic while it is in motion, before it hits the endpoint that is the actual target – an in-depth best practice for defense.

Network anti-malware is always connected and usually gets automatic signatures updates, which makes it more reliable and secure. In addition, they are platform agnostic, as they see all traffic, so any platform on the network is protected.

The downsides of network-based anti-malware are that endpoints are only protected when connected to the network, and that it’s blind to peripheral devices.

Cloud-based Anti-Malware: the network advantages without the box constraints

When using on-premise network anti-malware solutions, it usually runs on an appliance that already inspects the business traffic (next generation firewall, UTM, secure web gateway).

Enabling the anti-malware capabilities on that box introduces two challenges:

1. Capacity constraints: the anti-malware engine is a “heavy user” of computing and memory resources. This means that your appliance is now required to do a lot more processing on the same traffic load. The ability to grow (more users or traffic) is limited by the appliance capacity and can be extremely challenging if SSL traffic inspection is required.
2. Continued maintenance: the appliances’ software needs to be upgraded and patched. This means network downtime, compatibility testing, IT investment and need for skilled resources. The impact is heavier in a multi-site environment.

Cloud-based anti-malware overcomes appliance limitations, as all business traffic is inspected via a managed service in the cloud, regardless of location. This eliminates the need to deploy and configure appliances at each location. A cloud-based service is elastic, and the vendor is responsible to scale it to address customer traffic needs. It is also the vendor’s responsibility to make sure the service is always up and running and has the latest updates, so the customers no longer need to maintain the solution for optimal performance and effectiveness. Also, mobile users can dynamically connect to the service on the go, so they are always protected even when they are away from corporate locations.