Traditional and next-gen vendors offer suites for endpoint protection, detection, and response, but what is actually needed, and will customers buy it?
Yesterday, antivirus leader Symantec made a significant announcement about the latest version of its Symantec Endpoint Protection (SEP) product. The new version of SEP features a range of functionality including machine learning for threat prevention, endpoint detection and response (EDR) capabilities, deception technology, exploit protection, etc. – all based upon a common endpoint security agent.
Now, Symantec isn’t alone in providing a comprehensive endpoint security suite. Traditional endpoint security vendors like McAfee and Trend Micro also offer a bundled full-function suite, and so do next-generation players like Carbon Black, CrowdStrike, and Cylance.
Yup, the race is on, and many vendors are pushing for the pole position. But while this market takes shape, I can think of two fundamental questions: just what is an endpoint security suite, and is this really what customers want?
What is an endpoint security suite? A few years ago, my esteemed colleague, Doug Cahill, and I came up with the concept of an endpoint security continuum, a range of security defenses and monitoring capabilities including:
- Advanced prevention. Think of this as next-generation AV that includes innovation in machine learning for classification of file attributes. It can also include traditional controls like signatures, behavioral heuristics, reputation listing, etc. Once installed, advanced prevention controls are meant to block malware from infecting systems without the need for additional projects or operational overhead. As such, we estimate that up to 80% of organizations start here.
- Advanced detection/response. Since we came up with our continuum concept, this has come to be known as EDR in the market. This is really a security analytics/operations play whereby highly trained security analysts monitor endpoint behavior, identify anomalous activity, and then reimage endpoint systems or remediate specific issues. Advanced detection/response requires an experienced security team and is generally tightly coupled with other security analytics and operations tools (SIEM, network security analytics, threat intelligence analysis, etc.). About 20% of enterprises start here.
- Layered security controls. These controls sit between advanced prevention and detection/response tools and are designed to decrease the attack surface. Think of things like application controls, port controls, full-disk encryption, browser sandboxing, etc.
Since Doug and I did our original research on next-generation endpoint security technologies, we’ve come to some further conclusions about emerging endpoint security suites:
- It’s likely that new endpoint security suites will offer flexible product and services options. This is becoming increasingly important due to the persistent cybersecurity skills shortage. For example, many organizations will gladly install advanced prevention controls but may not have the skills necessary to handle advanced detection/response operations themselves. The best tools will contain product and service options ranging from 100% on premises, to SaaS, to staff augmentation, to full managed services.
- Some suites will cover only PCs and servers while others will extend to mobile devices. It’s likely that mobile coverage will be a requirement over time but many enterprise organizations won’t get around to this for another 12 to 24 months.
- Different vendors will offer different mixes of layered security controls, so CISOs should make a list of what they want and then write RFIs/RFPs with these controls as requirements.
- We’ll see a similar pattern with data security – some vendors won’t offer anything while others will provide things like full-disk encryption, file encryption, DLP, etc. Caveat emptor.
- Some vendors will likely cross the line between endpoint security technologies and endpoint management technologies (i.e. asset management, configuration management, patch management, etc.). While this makes logical sense to me, many organizations separate these functions so these tools may not be a fit.
- Symantec deserves credit for its single agent design as this is where the industry is headed. Most vendors won’t have a single agent yet so CISOs should assess when each vendor will get there and how much operational overhead they will encounter in the meantime.
As for my second question, it seems like endpoint security suites will proliferate over the next few years. In a recent research project, ESG asked 385 security professionals the following question: “As new endpoint security requirements arise and your organization considers new endpoint security controls, which of the following choices do you think would be most attractive to your organization?” The results were quite interesting: 44% of respondents said they would choose a comprehensive endpoint security suite from a “next-generation” vendor, 43% said they would choose a comprehensive endpoint security suite from a single established vendor, 8% said they would choose an assortment of endpoint security technologies from different vendors, and 3% said they would choose an assortment of endpoint security technologies from vendors that establish technical partnerships for integration. So, suites win, but whether customers prefer a traditional or a next-generation vendor remains somewhat murky.
In conclusion:
- Endpoint security suites are emerging, though vendor offerings will vary.
- Customers will buy endpoint security suites, though they aren’t sure from whom.
- Winning vendors will position themselves as having the proven track record of a traditional endpoint security vendor and the innovation of a next-generation endpoint security vendor.