The movement toward next-generation endpoint security has accelerated over the last few years for a simple reason – cybersecurity professionals aren’t happy with the efficacy of existing antivirus tools. This market demand has led to a wave of investment and innovation from vendors like Carbon Black, CrowdStrike, Cylance, Morphisec, SentinelOne, and many others.
New endpoint security technologies tended to come in one of two areas. Advanced prevention tools added new techniques for detecting malware that bypassed AV signatures. Many of these tools also contained anti-exploit technologies for detecting and blocking common memory exploits and/or attacks against common applications like browsers.
At the other end of the endpoint security continuum, some organizations had new requirements for endpoint detection and response (EDR). These tools monitor endpoint behavior and collect data which is then used for security analytics.
In the past, most organizations chose new tools for advanced prevention or EDR but not both. About 75% to 80% went with advanced prevention and the remainder chose EDR.
This purchasing and deployment behavior is changing however. According to ESG research, 87% of organizations have purchased or are planning to purchase a comprehensive endpoint security suite that contains both advanced prevention and EDR. Thus, endpoint security vendors must be a one-stop endpoint security shop if they want to compete for business.
Okay, so organizations want a comprehensive suite of endpoint security functionality, but what the heck does that mean? Based upon lots of research, “gotta have” endpoint security functionality includes:
- High-efficacy malware detection/blocking. This can be based upon layered endpoint security technologies (i.e., AV signatures, heuristics, IoC comparisons, etc.) or solely on machine learning algorithms--as long as it detects and blocks 90%+ pedestrian and zero-day file and fileless malware while maintaining a low false positive rate.
- Anti-exploit technologies. As previously described, this technology blocks in-memory and common application-layer attacks. Blocking ransomware comes to mind here. Note that anti-exploit technologies can be fairly geeky, so CISOs should look for options that are easy to configure and operate.
- EDR capabilities. CISOs should choose carefully here as there is a lot of product variation in EDR tools. Large organizations with advanced security analytics and SOC skills may want to collect, process, analyze, and retain all endpoint security data while less experienced organizations may only want EDR capabilities based upon other security alert “triggers.” EDR may also be an area where managed services are especially attractive for overwhelmed or under-staffed security departments. EDR is a requirement for endpoint security suites but organizations should approach EDR with eyes wide open – caveat emptor.
- A single endpoint agent. Leading products should be based upon a single, easy-to-deploy and operate agent. Some vendors may use several agents today with roadmap plans to consolidate to a single agent. Again, caveat emptor.
- Centralized management. All functionality should report into a centralized management system. For separation of duties, centralized management should support multi-factor authentication, customized views/dashboards, and role-based access control.
- Hybrid deployment options. Organizations should be able to pick and choose whether the endpoint security management plane lives on-premises, in the cloud, or is made up of a combination of both.
- Remediation capabilities. When an endpoint gets infected, security and IT operations need the ability to quarantine the system, delete registry keys, or terminate malicious processes. Endpoint security tools should make this an easy administrative task. Yes, some systems will still need to be reimaged, but endpoint security tools should provide ample remediation options that help greatly reduce the number of system reimages necessary.
A few other points:
- I’d classify everything else (i.e., asset management capabilities, application white listing, port controls, etc.) as “nice to have” functionality. These capabilities may be very important to some users and unimportant to others, so if you need them, seek out vendors that offer them.
- Asset management, vulnerability management, and patch management did not make my list of “gotta have” functionality but these capabilities are moving to endpoint security. This is an area to pay attention to.
- Yes, you need DLP and other types of file-level data security on endpoints. DLP doesn’t need to be part of an endpoint security suite but some organizations may find a single endpoint security/DLP solution attractive.
- Traditional endpoint security controls like full-disk encryption and firewalls have really migrated to the operating systems. As such, they don’t really need to be part of new endpoint security suites.
- Vendors may supplement endpoint security products with managed services. Some CISOs will find it attractive to own some endpoint security functionality themselves and outsource others.
- Some vendors participate in third-party testing while others eschew these tests, claiming that they no longer apply to new types of endpoint security technology. While third-party tests can provide objective metrics, I strongly suggest that organizations conduct their own detailed and diligent product testing. In other words, don’t rely on third-parties or let vendors take the lead on product testing. You’re on your own to make the best decision here.
Finally, endpoint security can be confusing. Organizations should approach any new endpoint security decisions with thorough research on the market, technologies, and vendors.