Securing the Sum of Many Parts with Endpoint Management
AVX Corporation manufactures and supplies sensors, antennas, and other electronic components that make up phones, computers, medical devices, and more. For many years, the firm faced various company acquisitions, managed multiple facilities, and used numerous security systems.
Each acquisition and location brought with it a new—and separate—antivirus solution for that facility’s network. And when Zack Moody, CISSP, joined AVX as information security manager two years ago, he was tasked with facilitating a singular network security approach that could protect the organization’s 29 facilities in 16 countries.
“The job was much larger than AVX knew, but this was an opportunity I was willing to accept,” Moody says. “I wanted to create a program from scratch.”
Through his experience in both the private and public sectors, Moody says he knew there were many ways to approach the challenge at hand—either through a compliance or risk perspective.
“It was hard—there’s lots of noise from the compliance standpoint, but there was also a lot of risk to take into consideration,” Moody explains. “How do you find that balance? A good security professional is going to understand that as long as you’re implementing security correctly, compliance falls into place. It took a long time to figure out the business side, because AVX is such a massive organization and spread throughout the world.”
The first thing Moody did in the decision-making process was conduct a global security assessment to identify the biggest risks and gaps.
“For me, when I looked at what was the biggest risk, endpoints obviously came to mind,” he explains. “One way attackers enter your organization is typically with malware, so how does it get in? It’s either through a USB or email. And if it gets onto the machine, that’s where it’s going to execute from, so we have to strengthen that.”
The security assessment revealed that AVX’s facilities were running five or six different antivirus solutions worldwide. Moody says he knew that finding one effective solution that would stop malware execution at the endpoint was imperative for AVX’s systems.
“Throughout AVX facilities there were different price ranges, even with the same vendor, because people purchased things separately from the next facility,” Moody explains. “There was no central view into the influence, no central control—and if a fix or change needed to be pushed out, you’re not just pushing one patch, it was one patch to this vendor, one patch to another vendor.”
In Moody’s search for a standardized solution, he focused on the need for endpoint protection, detection, and response capabilities, which would provide multiple ways to handle malware threats. He also looked for something that would allow him to manage the system from one platform and provide the tools needed to actively detect threats.
AVX found its solution in SentinelOne’s Endpoint Protection Platform, which met the requirements through an all-in-one approach—there was no need to purchase different licenses or pieces of software, which many other competitors required, Moody notes.
“SentinelOne provides the capability of rolling back the operating system in case there is a ransomware system on a computer,” Moody notes. “There’s the argument that you shouldn’t have to have that, but for me it’s better to have, because you never know.”
Moody says he was also impressed by SentinelOne’s reliance on its customer base, which often informs what new features are developed—in fact, AVX played a part in SentinelOne’s development of its firewall and USB controls, he notes.
Implementation of the platform was seamless, Moody explains. AVX ran the agent in detect-only mode for the first two weeks so the team could establish which programs and actions to whitelist, including the legacy antivirus software each facility already had in place.
“During that period, we could see what they were identifying as good, bad, and ugly, and had the opportunity to compare it to what rules are currently in place with the existing antivirus systems the site was using,” Moody explains. “We could start whitelisting those known systems, so when we turn on the detect mode, there are fewer false positives.”
One challenge AVX faced was one many manufacturers are familiar with—the computers, programs, and code used in manufacturing are, as Moody puts it, “some of the oldest known to man” and don’t work well with newer endpoint solutions.
“Throwing SentinelOne on these systems, it’s going to pick up on older applications that may not be digitally signed or seem to appear malicious, but in reality are old applications that we’ve been using for years,” Moody says. “You can whitelist an application, but the good thing about SentinelOne is it will pick up on any strange activity that an application does, even though it’s whitelisted. It can still get blocked if it starts changing files or does something malicious.”
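The two ideas in the rollout above, a detect-only observation window whose hits are compared against the existing antivirus exclusions to build a whitelist, and a whitelist that does not exempt an application from behavioural blocking, can be made concrete in a small triage script. The following is an added illustration written for this article; it is not SentinelOne's or AVX's code, and the event records, the legacy exclusion list, the executable paths and the behaviour tags are all constructed for the example.

```python
"""Allowlist-aware triage of endpoint detections (added illustration, not vendor code).

1. Detect-only phase: group what the new agent flagged, and treat anything the
   site's legacy antivirus already excluded as an allowlist candidate, so fewer
   false positives fire once enforcement is switched on. Everything else goes to
   a review queue.
2. Enforcement phase: an allowlisted binary still gets blocked if it exhibits a
   behaviour on the block list (mass file modification, for instance), so the
   allowlist is a statement about the binary, not a blanket exemption.

All data below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    host: str
    process: str            # executable path as reported by the agent
    signed: bool            # whether the binary carries a valid digital signature
    behaviors: tuple = ()   # behaviour tags observed at runtime


# Exclusions already configured in the site's legacy antivirus (constructed).
LEGACY_AV_EXCLUSIONS = {
    r"C:\Plant\Legacy\pickplace.exe",
    r"C:\Plant\Legacy\kilnctl.exe",
}

# Behaviours that override an allowlist entry (constructed rule set).
BLOCK_BEHAVIORS = {"mass_file_modify", "shadow_copy_delete", "process_injection"}

# Constructed telemetry from a detect-only observation window.
DETECT_ONLY_EVENTS = [
    Detection("LINE1-PC", r"C:\Plant\Legacy\pickplace.exe", signed=False),
    Detection("LINE2-PC", r"C:\Plant\Legacy\pickplace.exe", signed=False),
    Detection("LINE1-PC", r"C:\Plant\Legacy\kilnctl.exe", signed=False),
    Detection("OFFICE-07", r"C:\Users\jdoe\AppData\Local\Temp\inv0ice.exe", signed=False),
    Detection("OFFICE-07", r"C:\Users\jdoe\AppData\Local\Temp\inv0ice.exe", signed=False,
              behaviors=("mass_file_modify",)),
]


def allowlist_candidates(events, legacy_exclusions):
    """Split flagged processes into allowlist candidates (already excluded by the
    legacy AV) and a review queue (unknown to the legacy AV). The review queue
    carries the number of distinct hosts so analysts can prioritise it."""
    hosts_by_proc = {}
    for ev in events:
        hosts_by_proc.setdefault(ev.process, set()).add(ev.host)
    candidates = sorted(p for p in hosts_by_proc if p in legacy_exclusions)
    review = {p: len(h) for p, h in hosts_by_proc.items() if p not in legacy_exclusions}
    return candidates, review


def decide(ev, allowlist, block_behaviors=BLOCK_BEHAVIORS):
    """Enforcement-mode verdict for one detection.

    Behaviour is checked first: a blocking behaviour wins even when the binary is
    allowlisted. Otherwise allowlisted binaries run, and unsigned unknown binaries
    are blocked."""
    suspicious = block_behaviors.intersection(ev.behaviors)
    if suspicious:
        reason = "behaviour " + ",".join(sorted(suspicious))
        if ev.process in allowlist:
            reason = "allowlisted, but " + reason
        return "block", reason
    if ev.process in allowlist:
        return "allow", "allowlisted"
    if not ev.signed:
        return "block", "unsigned and not allowlisted"
    return "allow", "signed"


def enforce(events, allowlist):
    """Apply decide() to a batch and return (host, process, verdict) triples."""
    return [(ev.host, ev.process, decide(ev, allowlist)[0]) for ev in events]


if __name__ == "__main__":
    cands, review = allowlist_candidates(DETECT_ONLY_EVENTS, LEGACY_AV_EXCLUSIONS)
    print("allowlist candidates:", cands)
    print("review queue (process -> host count):", review)
    for row in enforce(DETECT_ONLY_EVENTS, set(cands)):
        print(row)
```

The ordering in `decide` is the point of the second idea in the text: the behaviour check runs before the allowlist lookup, so an old unsigned plant application can be permitted to run while still being stopped the moment it starts rewriting files.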
AVX implemented SentinelOne’s solution in June 2018, and the process took about six months because of the number of disparate and isolated systems throughout the organization, Moody explains.
But now that it’s up and running, it has streamlined the malware detection and response process. Previously, if an AVX employee encountered a potential malware issue with his or her computer, he or she would report it to the company’s IT department, which would investigate and run scans—often with the same software that didn’t detect the malware in the first place, Moody notes. Depending on the results of the scan, IT would reimage the computer and inform the security department of the potential breach. With the SentinelOne solution, security is the first to address a potential hack.
“There was a lot of wasted time with the legacy products,” Moody says. “So why not invest in tools that were going to be more proactive on the security side? They give the security team reach into those endpoints and free up our IT professionals. We need to be in control of what’s on our network and what’s happening. Business continues to go on, people can continue to work—the majority of the time, SentinelOne is taking care of things in the background and blocking what it needs to be blocking. But if something happens, we’ll be notified immediately, and we’ll have all the tools to react.”
Moody says that he is pleased with SentinelOne’s innovative approach to detecting and responding to malware.
“We wanted to get away from the traditional signature-based detection systems and go towards something more proactive to these threats,” he says. “It’s very important, especially in manufacturing where there’s so much machine code that is old or might change a lot. You have to make that decision—do I trust a company that built their entire organization off legacy antivirus, or a company that is fresh and inventive in today’s world and threat landscape? When I take a step back, we want someone who is going to be with us for the next 40 to 50 years and has a vision of threats today and beyond. I want someone new in the game, and for us, that was SentinelOne.”
For more information: Daniel Bernard, vice president, business and corporate development, SentinelOne, [email protected], 816.668.3472.