topic Re: Endpoint security for engineers' devices in Tech Talk

Endpoint security for engineers' devices

nttt — Tue, 18 Mar 2025 12:12:42 GMT

I am responsible for security measures at a manufacturing company. We have numerous software and hardware engineers on staff, and within our internal corporate network, we have:

Operating systems (recently released OS) that are not yet supported by endpoint security tools such as EDR tools,
Specialized devices (such as oscilloscopes) where endpoint security tools cannot be installed.

If anyone has experience in handling the security measures for such equipment, I would appreciate your insights.

Re: Endpoint security for engineers' devices

denbesten — Tue, 18 Mar 2025 20:57:01 GMT

Our problem is more the other end.... old devices. Our solution is a network segment that is (mostly) isolated from the rest of the corporate environment and have limited Internet access -- OS updates, software downloads, etc, but no general purpose web browsing. And, the are joined to a "special" Active directory domain that has limited trust.

The engineers may hate it, but they can read their email and browse the web on "standard" devices and reserve the "special" ones for the more sensitive activities.

Re: Endpoint security for engineers' devices

emb021 — Wed, 19 Mar 2025 13:54:24 GMT

I would echo @denbesten answer. We did the same at Motorola. Separate subnet for this equipment with strong access controls to limit access. Make use of a whitelisting tool as well.

You also need good inventory on these devices, and for those that eventually CAN have an EDR tool, make sure you know when this is available, so they can be updated.

Re: Endpoint security for engineers' devices

tatssa — Tue, 25 Mar 2025 09:56:53 GMT

@nttt wrote:
I am responsible for security measures at a manufacturing company. We have numerous software and hardware engineers on staff, and within our internal corporate network, we have:
Operating systems (recently released OS) that are not yet supported by endpoint security tools such as EDR tools,
Specialized devices (such as oscilloscopes) where endpoint security tools cannot be installed.
If anyone has experience in handling the security measures for such equipment, I would appreciate your insights.

Since traditional EDR tools won’t work in these cases, other steps can help. One option is network segmentation keeping these devices on separate VLANs with strict access controls to reduce risk. A Zero Trust approach is also useful, allowing only authorized users with the least necessary privileges.

Monitoring traffic with network-based security tools like IDS/IPS can help spot any suspicious activity. Even if full security software isn’t available, keeping systems updated is still important to reduce vulnerabilities. It’s also a good idea to limit internet access for these devices to prevent exposure to external threats.

If remote access is necessary, using a VPN with multi-factor authentication adds an extra layer of security. Lastly, making sure engineers are aware of security best practices can go a long way in preventing accidental risks.