Endpoint security is a market in transition with over 50 vendors vying for the same real estate, which entails either protecting one’s install base or displacing the incumbent, often by means of a Trojan Horse. Recent research conducted by ESG indicates a dichotomy with respect to how organizations are adopting next gen endpoint security (NGES) controls, with some opting for advanced preventative controls and others for detection and response capabilities. But this isn’t because customers don’t prefer a single solution that provides all of the above—it’s because they’re dismissive of the advanced controls from their existing AV vendor and don’t feel a next gen endpoint security platform exists.
Carbon Black’s acquisition of Confer marks an evolution in the next generation endpoint security market based on its plan to integrate this prevention technology into its cloud-delivered platform, which already covers the detect and response end of the spectrum. Here are a few thoughts, a double-click down.
- The Definition of a Platform: Many a vendor is touting a platform, so just what is a platform, anyway? First, a platform consolidates what, to date, have been disparate point tools that then ride on and share services from a common technology stack—agent\client\sensor, control plane, management interface, and intelligence sharing. In today’s API-driven, software-defined-everything world, platforms need to go beyond integrating their own tech by also being a point of integration for third-party tech. In the context of an NGES platform, this means integrations with network-based sensors and controls, user and entity behavioral analytics (UEBA) engines such as those from Bay Dynamics, E8, Sqrrl, and Splunk, as well as threat intel and more.
- Product Packaging Matters: Some customers won’t be able to eat the whole platform enchilada at one sitting, but will find an advanced prevention control an appealing appetizer. Peer level products that sit on a platform make the entire next gen feature set available to a broader part of the market so that after reducing the attack surface area with an advanced prevention control, one can grow into, for example, response capabilities, potentially via an engagement with a managed security services provider (MSSP).
- Behavioral Versus Machine Learning: While these are not mutually exclusive approaches to detecting threats, the competitive narrative in the market makes it seem so. But customers don’t really care about what’s under the hood—they just want better efficacy AND efficiency. The right framing of the discussion is the desired outcome: protecting against the threat potpourri of malware and exploits, be they delivered as binaries or weaponized content—before, during, and after compromise—to prevent incidents from becoming breaches, and doing so without an onslaught of false positives.
- Cloud Delivered – Get Over It: Carbon Black and Confer, like Crowdstrike, employ a cloud-delivered platform for both remedial functions (setting policy, reporting, managing exceptions) and advanced ones (threat analysis). But ESG research indicates that some organizations are still reluctant to embrace “from the cloud” security offerings, citing concerns around leaving bread crumbs in a multi-tenant service that could be used against them to execute an attack. We need to get over this objection. There are simply too many benefits of a cloud delivery model, including operational simplicity (no management servers to deploy and manage), the ability to perform advanced analytics across a large set of data points from millions of endpoints, and expedited contextual threat information shared across all customers, an approach Carbon Black calls collective defense.
- Separation from the Pack and the Formation of New Battle Lines: Cylance, Crowdstrike, SentinelOne, Invincea, and Carbon Black are beginning to pull away from the pack of venture-backed startups, creating urgency for the others to gain traction and/or partner up.
- Next Gen Trojan Horse 2.0: Next gen firewalls (NGFW), being application aware (i.e., layer 7), were initially positioned as complementary to existing firewalls. But once inside the customers’ walls, the NGFW vendors made the case that they too could cover layers 2-4, obviating the need for the other vendor’s box. So too are these advanced preventative controls positioned as next gen AV (NGAV) looking to embrace and displace incumbent AV products. And speaking of NGFWs, Palo Alto Networks has been successfully cross pollinating their Traps endpoint security solution into their install base; a focused effort to sell Traps off-base could add another competitive wrinkle to the NGES market.
- The Definition of NGES: Next gen can be an ambiguous qualifier, to be sure. ESG defines next generation endpoint security (NGES) as endpoint security controls designed to prevent, detect, and respond to previously unseen exploits and malware. As the Trojan horse play is executed, this definition will need to be expanded to include seen and unseen threats across the compromise timeline.
It’s worth pointing out that established brands that are often dismissed as “AV vendors” have already run this platform play by aggregating the last generation of endpoint security point tools (e.g., antivirus, anti-spam, personal firewalls, and more) into endpoint protection platforms (EPPs). Those same vendors still own much of the prime real estate and, in some cases, offer functionality similar to that of the “next gen” crowd—e.g., behavioral analysis, cloud-based analytics, and intel beyond a hash or URL. As this market plays out, Webroot, Trend Micro, Intel Security, and Symantec will be competing with one another and with this set of emerging NGES market leaders that will try to turn the platform table against them. But we know the best widget doesn’t always win—account management and go-to-market execution will be essential to platform adoption, one control at a time.