My colleagues Doug Cahill, Kyle Prigmore, and I just completed a research project on next-generation endpoint security (login required). But just what the heck is next-generation endpoint security? Cybersecurity professionals remain pretty confused about the answer to this question. For the purposes of its research project, ESG defined next-generation endpoint security as:
Endpoint security software controls designed to prevent, detect, and respond to previously unseen exploits and malware.
As part of this project, ESG interviewed dozens of organizations that were either supplementing or replacing traditional antivirus software on PCs of all kinds. I've written a few blogs about why these organizations were moving beyond AV alone, how they selected new endpoint security products, and some details about their testing and deployment methodologies. Aside from this technology overview, however, I did come away with some strong theories about the next-generation endpoint security market in general.
It seems to me that the next-generation endpoint security market represents a disconnect between supply and demand. For example, ESG found that about 75% to 80% of enterprises were purchasing new tools for advanced threat prevention, while the remaining 20% to 25% of the market opted for advanced detection and response tools (aka EDR).
This raises an obvious question: is this purchasing behavior a function of an immature market that will consolidate over time? If so, it would be safe to assume that future innovation will lead to next-generation endpoint security product suites that span advanced prevention, endpoint security controls, and advanced detection and response. This aggregation is actually already happening, as several established vendors and startups alike offer one-stop-shop endpoint security products.
Over the next few years, ESG believes that the next-generation endpoint security market will proceed as follows:
- All-in-one suites will appeal to midmarket and small enterprise organizations. Many firms will start with advanced prevention products and then ease their way into detection and response. These organizations are the most likely to opt for comprehensive next-generation endpoint security suites, but this is far from a certainty. Given the resources and skills necessary for advanced detection and response activities, many of these organizations will outsource those processes to qualified service providers.
- Large enterprises will continue with a best-of-breed approach. Progressive global enterprise organizations are approaching next-generation endpoint security projects with very specific requirements, strong opinions, and explicit objectives. Next-generation endpoint security projects are also highly influenced by cybersecurity resources — organizations with resource constraints opt for advanced prevention while those with ample resources and strong security analytics skills lean toward advanced detection and response. Each of these characteristics pushes enterprises toward short-term, focused next-generation endpoint security projects rather than long-term endpoint security strategy.
- AV products may catch up. Traditional AV vendors are adding new security functionality to existing products and/or buying startups to add innovative software capabilities to their products. If these vendors can survive the onslaught of next-generation endpoint security startups and bolster their sales, service, and support accordingly, they may have an opportunity to absorb the new functionality into their own products, just as they did in the past in areas like port controls, application controls, and anti-spyware. This second-chance opportunity is once again most likely in the midmarket and small enterprise segments. Some organizations noted important criteria for judging AV vendors, such as how regularly they provided product roadmap updates and how well they engaged in non-sales-related discussions. These and other factors could determine which AV vendors remain and which get replaced.
The market dynamics here really call for next-generation endpoint security product vendors to adopt sets of comprehensive and integrated modules. How? By offering independent next-generation endpoint security products (i.e., advanced prevention and advanced detection and response products) that can stand on their own or be combined to form integrated solutions with a common management plane (i.e., configuration management, policy management, reporting, etc.).
Smart vendors will back these suites with well-crafted professional services to help customers evolve across the endpoint security continuum through phased projects supported by clear metrics of success. Finally, next-generation endpoint security vendors should create MSSP offerings on their own or with partners to meet the needs of a large percentage of organizations lacking the skills and resources necessary for more rigorous endpoint security controls and oversight.