This topic has been one that I have been pondering for a long time.
As a Managed Service Provider (MSP), we face a constant balancing act: providing the most effective security software to protect client endpoints, networks and data, while not making managed computers so slow that users become frustrated.
Layered security is a strategic approach to protecting IT infrastructure, using multiple security measures to defend against a range of threats. Our approach includes:
Antivirus
Endpoint Detection and Response (EDR)
Security Information and Event Management (SIEM)
Application whitelisting
Vulnerability scanning
Managed Extended Detection and Response (MXDR)
Of course, there are numerous other measures in place, but the list above represents a toolset that operates onboard managed endpoints like computers and servers. Because they run on an endpoint, they also take up some of that endpoint’s computing resources. While each layer adds a significant level of protection, they also contribute to the overall consumption of system resources, potentially impacting performance.
Role: Antivirus software provides essential protection against viruses, malware, and other threats. It operates with real-time scanning and periodic full-system scans.
Impact: The real-time scanning feature monitors files and processes continuously, ensuring immediate threat detection. While this provides robust security, it can also consume CPU and memory resources, leading to slower system performance, especially during full system scans.
Role: EDR solutions offer advanced threat detection, investigation, and response capabilities. They collect and analyse data from endpoints (workstations, laptops and servers) to identify suspicious activity.
Impact: EDR systems perform deep analysis and require substantial processing power to detect and respond to threats in real time. This can lead to increased CPU usage and potential slowdowns, particularly during extensive data analysis and threat-hunting activities.
Role: SIEM systems collect and analyse security data from various sources to provide real-time event monitoring, threat detection, and incident response.
Impact: SIEM solutions process large volumes of data and generate alerts based on correlated events. This continuous data ingestion and analysis can significantly impact performance, particularly on systems with limited resources.
Role: Application whitelisting ensures that only approved applications can run on the system, blocking unauthorized or potentially harmful software.
Impact: Implementing application whitelisting requires constant monitoring and validation of running applications. While this enhances security, it can also result in increased CPU and memory usage as the system continuously checks application integrity.
Role: Vulnerability scanning identifies and assesses vulnerabilities in systems, applications, and networks to prevent exploitation.
Impact: Scanning can be resource-intensive, especially across large networks or systems. Regular scans can cause temporary slowdowns as they thoroughly inspect system configurations and software for vulnerabilities. We generally offload this work to servers or a dedicated appliance on the customer's premises rather than running it on individual endpoints.
Role: MXDR provides advanced threat detection, response, and remediation services, leveraging human expertise and automated tools to manage and respond to threats.
Impact: While MXDR enhances overall security posture, continuous monitoring and response activities can place additional load on system resources. This layer, integrated with EDR and SIEM, can further impact performance due to the high level of data processing and analysis required.
A good comparison is with firewalls. These devices have been in our businesses for years, and over that period more advanced functions have been added to them.
Firewalls are critical components of network security, designed to control the flow of traffic between trusted and untrusted networks. They are rated for certain performance levels, such as a throughput of 10 Gbps, which indicates the maximum amount of data they can handle under optimal conditions.
However, this rated throughput often represents a best-case scenario. In real-world applications, the performance of a firewall can significantly decrease when additional security features are activated, just like a workstation, laptop or server.
For instance, enabling Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) on a firewall can drastically reduce its throughput. A firewall rated at 10 Gbps may only achieve 1 Gbps when these features are turned on. This is because IDS/IPS require deep packet inspection, which is resource-intensive and slows down data processing.
(As a side note, this is why it is expensive to provide a firewall for Hyperfibre connections. Because New Zealand's connectivity is more advanced and delivers higher speeds, bigger and more expensive enterprise firewalls are needed to provide both the security and the throughput these faster connections demand.)
Similarly, as we add more layers of security software to our endpoints, the cumulative effect can lead to noticeable slowdowns. Just as with firewalls, the more security features enabled, the greater the performance impact.
The combined use of antivirus, EDR, SIEM, application whitelisting, vulnerability scanning, and MXDR provides comprehensive security but also requires more system resources to be dedicated to security software.
Balancing security and performance is crucial. Before Layer3 implements any security solution for you, we ensure these best practices are followed:
While security measures are essential for protecting IT environments, they often come with a performance cost. By understanding the impact of each layer of security software and making informed decisions about configurations and resource allocation, it is possible to maintain a balance between security and performance. As cyber threats continue to evolve, so too must our strategies for protecting against them, ensuring that our systems remain both secure and efficient.