Back in 2007, ESG asked 206 enterprise IT security professionals to respond to the following statement: "Endpoint security has become a commodity market with little difference between products." A majority (58%) of respondents either "strongly agreed" or "agreed" with this statement.
ESG will be conducting new research on endpoint security later in 2012 and will ask respondents similar types of questions. My guess is that the data will be quite similar to what it was 5 years ago. I understand this perspective, but if I were asked to respond to the statement above, I would "strongly disagree." In my humble opinion, endpoint security is actually going through a transformative period of strong innovation featuring:
- Layered defense. The best endpoint security software no longer relies on one-to-one antivirus signatures as its primary means of defense. Today's products feature an array of layered protection, including malware family signatures, real-time code execution monitoring, advanced heuristics, and a cloud-centric feedback loop from actual users. Application controls are effective in decreasing the endpoint attack surface, while reputation services block bad IP addresses, URLs, and files. Some tools provide kernel-level, hypervisor-level, or even CPU-level protection against rootkits/bootkits, and the top endpoint security software includes defenses against web threats and even zero-day vulnerability exploits.
- Infrastructure integration. Yes, this is also a component of defense-in-depth, but I am seeing tighter integration between endpoint security software and other types of network- and cloud-based safeguards. For example, malware detection on an endpoint triggers a new IDS/IPS signature and firewall rule. I also believe that endpoint security tools will come standard with full-disk encryption capabilities, while endpoint security management consoles will provide key management.
- A user-centric design model. With BYOD and the proliferation of mobile devices, endpoint security will evolve into a user-centric design model. What this means is that endpoint security will be anchored by: 1) the role of the user, 2) the devices employed by the user, and 3) business/security policies around access, entitlements, monitoring, and enforcement on a per-device basis. Since mobile device security software is not nearly as widespread as it is on PCs, policy enforcement and malware detection/prevention will likely reside on the network.
These are not failsafe advances by any means, as cyber criminals, hacktivists, and state-sponsored black hats will always find some holes in new tools. That said, endpoint security software from vendors like Check Point, Kaspersky, McAfee, Symantec, and Trend Micro is innovating in all of these areas. The goal here is to lower risk, not to detect/block every malware variant ever created.
As a final comment, I am more concerned about best practices than I am about security technology. Endpoint security tools have lots of dials and knobs, but does anyone really know how to adjust these appropriately to customize policies, bolster security enforcement, and lower risk for an individual organization? Not surprisingly, it may be that people are the weakest link in the security chain yet again.
You can read Jon's other blog entries at Insecure About Security.