Way back at the beginning of February, I wrote a blog titled The Endpoint Security Continuum. In that blog, I described how enterprise organizations were now deploying next-generation endpoint security solutions along a continuum flanked by two poles: advanced prevention at one end and advanced detection and response at the other. I actually presented some research describing next-generation endpoint security a few weeks ago at this year's RSA Security Conference (contact me if you'd like to see the slides from that session).
Now the biggest enterprise organizations are deploying new endpoint security tools for advanced prevention and advanced detection and response. That said, these tend to be different tools, different projects and, in some cases, different decision-makers.
Given this dichotomy, ESG is seeing some pretty big differences in terms of endpoint security strategies. We estimate that about 75% to 80% of the market will address new endpoint security requirements with advanced prevention tools first before moving on to advanced detection and response. Alternatively, about 20% to 25% of large organizations will lead with advanced detection and response and use traditional AV and their own custom rule sets on the prevention side.
Why the market skew toward prevention? Because detection and response is a lot harder, requiring things like endpoint agents, data collection, distributed data management, advanced analytical skills, etc. Many organizations simply don’t have the skills or resources to pull this off. Furthermore, CISOs have a number of simultaneous balls in the air — endpoint security requirements, identity and access management improvements, cloud security concerns, etc. These security executives are looking across their workloads and making choices on where they can use technology to lighten their load quickly and where they need to work through people and process improvements to move the ball forward. Advanced prevention tools seem to fit the “quick hit” category.
So over the next two years or so, we will see prodigious growth in advanced prevention tool deployment. This market dynamic has several ramifications:
- Advanced prevention startups are in the right place at the right time. Yup, there are a lot of them, but firms like Cylance, Invincea, and SentinelOne that don't require a lot of rule building are in the best position. Why? As I mentioned previously, CISOs want greater efficacy without a lot of additional work. CrowdStrike is also pushing hard to make sure that it plays in efficient advanced prevention and not just detection/response.
- AV vendors face threats and opportunities. The threat is pretty obvious: why pay for AV if some new advanced prevention solution is able to block pedestrian and sophisticated malware alike? While AV vendors should take this threat seriously, the skew toward advanced prevention gives them the best fighting chance to respond with solutions of their own. Intel Security, Symantec, and Trend are tightly integrating their endpoint AV solutions with network sandboxes, content security gateways (i.e. email and web security), and threat intelligence. Sophos has a similar strategy but went one step further and acquired SurfRight to fortify its offerings in prevention and detection/response. Smart move that other AV vendors may emulate over time.
- Detection/response leaders will bolster prevention solutions. Carbon Black already does this to some extent but I wouldn’t be surprised to see it grab a vendor like Malwarebytes or one of many Israeli startups in this area. Ditto for Cisco, Countertack, Fidelis, FireEye, Guidance Software, Palo Alto, RSA Security, etc.
- The bad guys ramp up attacks sans malware. As endpoint anti-malware improves, cyber-adversaries will simply bob and weave to avoid detection. Heck, they already do this — my security researcher friends tell me that around 70% to 80% of all cyber-attacks start with credential theft to gain “legitimate” access to endpoint devices. Ironically, the rush toward advanced prevention will ultimately accelerate deployment of advanced detection and response tools to help incident responders adapt as hacker tactics, techniques, and procedures (TTPs) change. Cat and mouse forever I guess.
- Growth in advanced detection and response services. CISOs face a real conundrum: they will ultimately need advanced detection and response capabilities, but they continue to lack the skills and resources necessary for this area. Service providers to the rescue! Dell SecureWorks is already well established in this area with a service called "Red Cloak." Carbon Black, Guidance, and RSA Security are actively partnering with MSSPs as well. I also expect Symantec to add endpoint threat detection and response (ETDR) services to its portfolio soon.
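To make the "attacks sans malware" point above concrete, here is an added example (not from the original post or any vendor named in it) that runs two simplified detectors over a constructed, labelled set of Windows-style security events: an attacker holding stolen svc_backup credentials logs on to four servers over RDP and SMB within fifteen minutes and runs only built-in tools. The hash blocklist stands in for the file-centric side of a prevention product and is hypothetical; the logon-pattern detector is the kind of behavioural logic a detection and response tool layers on top of the same endpoint telemetry. Event fields, hosts, IPs and hashes are all constructed for illustration.

```python
"""Why anti-malware alone misses credential-theft intrusions.

Constructed sample events (not real telemetry): an attacker using stolen
svc_backup credentials reaches four servers over SMB/RDP in fifteen
minutes and runs only built-in tools. No file is dropped, so a hash
blocklist never fires; a logon-pattern detector does.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows-style security events. 4624 = successful logon,
# 4688 = process creation. Logon type 2 = interactive, 3 = network
# (SMB/WMI), 10 = RDP. Hashes are placeholders, not real file hashes.
EVENTS = [
    {"ts": "2016-03-08T09:00:00", "host": "WS-ALICE", "id": 4624, "user": "alice", "logon_type": 2, "src_ip": "-"},
    {"ts": "2016-03-08T09:05:00", "host": "FS-01", "id": 4624, "user": "alice", "logon_type": 3, "src_ip": "10.1.1.20"},
    {"ts": "2016-03-08T22:01:00", "host": "FS-01", "id": 4624, "user": "svc_backup", "logon_type": 10, "src_ip": "10.1.1.99"},
    {"ts": "2016-03-08T22:02:00", "host": "FS-01", "id": 4688, "user": "svc_backup", "image": "C:\\Windows\\System32\\net.exe", "sha256": "a" * 64},
    {"ts": "2016-03-08T22:06:00", "host": "DB-01", "id": 4624, "user": "svc_backup", "logon_type": 3, "src_ip": "10.1.1.99"},
    {"ts": "2016-03-08T22:09:00", "host": "DC-01", "id": 4624, "user": "svc_backup", "logon_type": 3, "src_ip": "10.1.1.99"},
    {"ts": "2016-03-08T22:10:00", "host": "DC-01", "id": 4688, "user": "svc_backup", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "sha256": "b" * 64},
    {"ts": "2016-03-08T22:15:00", "host": "FS-02", "id": 4624, "user": "svc_backup", "logon_type": 3, "src_ip": "10.1.1.99"},
]

# Hypothetical blocklist of known-bad file hashes; stands in for the
# signature/hash side of a prevention product.
BLOCKLIST = {"c" * 64, "d" * 64}


def hash_blocklist_hits(events, blocklist):
    """File-centric prevention: flag process starts whose image hash is known bad."""
    return [e for e in events if e["id"] == 4688 and e["sha256"] in blocklist]


def lateral_movement_alerts(events, window=timedelta(minutes=30), min_hosts=3):
    """Behavioural detection: one account reaching >= min_hosts distinct hosts
    via network or RDP logons (types 3 and 10) inside a sliding time window."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] in (3, 10):
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"], e["src_ip"]))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()  # chronological; tuples sort on the timestamp first
        for i, (t0, _, _) in enumerate(logons):
            in_window = [l for l in logons[i:] if l[0] - t0 <= window]
            hosts = sorted({h for _, h, _ in in_window})
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "hosts": hosts,
                               "src_ips": sorted({s for _, _, s in in_window}),
                               "start": t0.isoformat()})
                break  # one alert per account is enough for this demonstration
    return alerts


if __name__ == "__main__":
    print("blocklist hits:", hash_blocklist_hits(EVENTS, BLOCKLIST))  # nothing: no malware was dropped
    for a in lateral_movement_alerts(EVENTS):
        print("lateral movement:", a)
```

The two detectors consume the same endpoint telemetry, which is the practical point: the agent and data collection a detection and response program requires are not wasted once prevention improves, because the account-behaviour logic above is what catches an adversary who never drops a binary. Real products add far more than a hash blocklist on the prevention side, and a production version of the logon detector would baseline each account's normal hosts rather than use a fixed threshold.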
In the final analysis, strong endpoint security will require prevention, detection, and response, but enterprise organizations are taking a circuitous path to get there. Thus the endpoint security market will be extremely active for several years to come.