Endpoint Security: The Next Generation

When you mention endpoint security in conversation, it's not unusual to get some type of visceral response - eyes rolling, sighs, etc. Security professionals and the industry at large think of endpoint security as a commodity or "necessary evil." Some of my fellow analysts have gone so far as to say that endpoint security as a category is dead (that's an old analyst trick for declaring that you've come up with some new model).

With all due respect, I disagree with these stereotypes. I just completed an ESG Market Landscape Report on endpoint security. After studying these products for several months, I believe that endpoint security is alive and well but in the midst of a major metamorphosis.

To be clear, my focus is on endpoint security as it relates to the commercial/enterprise market, but some of the changes relate to SMB and consumer products as well. That said, the endpoint security market and product transitions are most pronounced in the following areas:

  1. Enhanced protection. This is probably the aspect of endpoint security that is most scrutinized and criticized, which has opened the door to focused advanced malware specialists like Damballa, FireEye, and Invincea. The knock on endpoint security vendors is that static signatures are no longer adequate. True, but this assumes that traditional endpoint security vendors have nothing more to offer, which just isn't true. Most vendors supplement specific antivirus signatures with a plethora of other defenses, including generic signatures (e.g., Sophos), advanced heuristics (e.g., ESET), kernel-level or even processor-level protection against rootkits/bootkits (e.g., McAfee), and cloud-based updates for anti-malware, web threat protection, and reputation services (e.g., Webroot). Like the advanced malware players, some endpoint security vendors like Check Point also open attachments in a virtual sandbox in search of malicious executables. Many are also providing browser defenses for protection against "drive-by" malware. Finally, most products now feature application controls. For example, Kaspersky provides whitelist/blacklist capabilities for applications that extend down to registry settings and system processes.
  2. Mobile support. Sorry, Microsoft, but an "endpoint" is no longer a Windows PC alone. The endpoint guys recognize that iPads, Androids, and perhaps Windows 8 mobile devices represent an opportunity to expand their footprint, and they are preparing accordingly. Just this morning, Sophos announced the acquisition of DIALOGS, an MDM player. McAfee bought tenCube and Trust Digital. Symantec grabbed Nukona and Odyssey Software. While it's likely that endpoint security vendors will play here, it's a tough market to call at this point. Pure plays like Good Technology and MobileIron, networking vendors like Cisco and Juniper, and even wireless carriers are all looking for a piece of the pie. Nevertheless, mobile devices are changing the image of an "endpoint" and moving the endpoint security market.
  3. Management integration. As the saying goes, "a secure endpoint is a well-managed endpoint." To use another colloquialism, "an ounce of prevention is worth a pound of cure." What I'm trying to say is that configuration management, change management, vulnerability scanning, and patching reduce the endpoint attack surface, making it harder for the bad guys. The Feds get this: think Federal Desktop Core Configuration (FDCC) and the Security Content Automation Protocol (SCAP). Big vendors like IBM (with its acquisition of BigFix and its Trend Micro partnership), McAfee (ePO), and Symantec (Symantec Endpoint Protection and Altiris) get this and are ahead of the market here. It's highly likely that CIOs will also realize these synergies, consolidate their IT organizations, and rationalize endpoint security and endpoint management tools.

Most endpoint security products also provide some data security protection, such as port controls and encryption (full-disk or file-level). Encryption is generally not bundled into endpoint security software, but I think it will be part of the package in the future.

In summary, endpoint security is expanding on several fronts: defense in depth, platform support, data security controls, and management. So do these products really offer better protection? I believe they do, but there is one other interesting and somewhat ironic dynamic going on: IT and security professionals either aren't aware of new endpoint security functionality or they don't know how to use it. Thus, many endpoint security features remain dormant while security professionals and industry pundits complain that these products lack effectiveness.

Oh well.

You can read Jon's other blog entries at Insecure About Security.