Cutting through the Next Generation Endpoint Noise
Next Generation Endpoint Security Heating Up – How We Got Here
“Hey did you know that antivirus isn’t effective against advanced threats?”
“No s#7%! Really!”
When you talk about how we got here, you’ve got to talk about antivirus. So there we did it!
It’s clear that the market for endpoint security is heating up again. If you look at the pendulum of security technology adoption, it tends to follow a pattern. Attacks evolve, driving a need for evolution and innovation in cyber defenses. New security technologies emerge and are adopted. Typically, solutions that can be deployed less invasively, on the network rather than on every host, are adopted first. Ultimately, there comes a realization that coverage on both the network and the endpoint is required. Rinse, lather, repeat.
The last two years have been marked by a significant increase in cyberattacks, leading to the era of the “advanced threat.” I say this with a dose of sarcasm because these threats are not always advanced. However, whether advanced or not, they’re bypassing existing security controls, many of which continue to rely on outdated, signature-based detection.
Network Sandbox – First Evolution of Advanced Threat Protection
Many advanced threats begin their life compromising users and endpoints. The initial approach to defending against these threats was the adoption of network-based sandbox solutions, with FireEye being the “gold standard” here.
Network sandbox solutions were an easy way to address the inadequacies of traditional signature-based solutions on both the network (IDS/IPS) and the endpoints (traditional AV). Since sandboxing has largely been deployed on the network, this may raise the question of how it relates to endpoints. Despite sitting on the network, a network sandbox is essentially an army of instrumented virtual machines built to resemble end-user desktops: files and URLs extracted from network traffic are detonated inside those VMs and judged on what they actually do (processes spawned, files dropped, connections made) rather than on whether a signature already exists for them.
Network sandboxing was very effective at providing organizations with visibility into threats bypassing existing controls, and it is one important component of advanced threat protection. However, it’s clearly not a silver bullet. As is often the case, attackers have gotten smarter and can plan for ways to evade new defenses like network sandboxing: checking for virtualization artifacts before detonating, sleeping past the analysis window, requiring user interaction before the payload runs, or arriving over a channel (encrypted traffic, removable media) the sandbox never sees. Proving once again, there are no silver bullets in security!
Advanced Threat Protection Requires Comprehensive Approach
Importantly, over the last 12 months it seems that security organizations have increasingly realized that advanced threat protection requires a comprehensive array of security capabilities that cover both networks and endpoints. Based on our conversations with industry research firm Gartner, it appears they are also seeing the same trend. In thinking about advanced threat protection (or defense), I continue to think that Gartner’s Five Styles of Advanced Threat Defense remains an excellent framework.
As many organizations are looking to find and stop threats before they do damage, I believe the current focus remains in the Real-Time/Near-Real-Time section of the matrix. As indicated earlier, the first wave was the network sandbox (Payload Analysis). The current wave, now gaining increasing momentum, is Endpoint Behavior Analysis: watching what processes on the host actually do, rather than matching what they look like. Network traffic analysis has been around for a while but has also experienced renewed interest, which is why Cisco acquired Lancope.
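To make the difference between signature-based detection and endpoint behavior analysis concrete, here is an added example written for this edit; it is not Hexis, Gartner or any vendor's code. It runs a hash-based "signature" check and three behavioral rules over a constructed stream of process-creation events. All executables, hashes, paths, command lines and rule names are made up for illustration; the point is that the re-packed dropper (new hash, same behavior) slips past the signature check but not the behavioral one.

```python
"""
Added example (not from the original post): signature matching vs. endpoint
behavior analysis over a constructed stream of process-creation events.
Every executable, hash, path and command line below is invented.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record as an endpoint agent might report it."""
    pid: int
    image: str            # executable file name
    parent: str           # parent executable file name
    path: str             # on-disk path of the executable
    cmdline: str
    file_bytes: bytes     # executable content (constructed stand-in)
    writes_run_key: bool = False   # observed: added a Run-key autostart entry
    outbound_conn: bool = False    # observed: opened an outbound connection

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.file_bytes).hexdigest()


# --- constructed sample data ------------------------------------------------
ORIGINAL_DROPPER = b"constructed dropper v1"
REPACKED_DROPPER = ORIGINAL_DROPPER + b"\x00" * 16   # same code, re-packed: new hash
LEGIT_WORD = b"constructed winword.exe"
LEGIT_POWERSHELL = b"constructed powershell.exe"
LEGIT_CHROME = b"constructed chrome.exe"

# What traditional AV knows: the hash of the sample that was already caught.
KNOWN_BAD_HASHES = {hashlib.sha256(ORIGINAL_DROPPER).hexdigest()}

EVENTS = [
    ProcEvent(100, "winword.exe", "explorer.exe",
              r"C:\Program Files\Office\winword.exe",
              "winword.exe invoice.docm", LEGIT_WORD),
    ProcEvent(101, "powershell.exe", "winword.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA", LEGIT_POWERSHELL),
    ProcEvent(102, "updater.exe", "powershell.exe",
              r"C:\Users\bob\AppData\Local\Temp\updater.exe",
              "updater.exe", REPACKED_DROPPER,
              writes_run_key=True, outbound_conn=True),
    ProcEvent(103, "chrome.exe", "explorer.exe",
              r"C:\Program Files\Google\Chrome\chrome.exe",
              "chrome.exe", LEGIT_CHROME, outbound_conn=True),
    ProcEvent(104, "invoice.exe", "explorer.exe",
              r"C:\Users\bob\Downloads\invoice.exe",
              "invoice.exe", ORIGINAL_DROPPER,
              writes_run_key=True, outbound_conn=True),
]

# --- behavioral rule inputs (hypothetical, kept deliberately small) ----------
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\", re.IGNORECASE)
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


def signature_scan(events, known_bad=KNOWN_BAD_HASHES):
    """Traditional AV model: flag only executables whose hash is already known."""
    return {e.pid for e in events if e.sha256 in known_bad}


def behavior_scan(events):
    """Endpoint behavior analysis: flag on what a process does, not what it is."""
    hits = {}
    for e in events:
        rules = []
        if e.parent in OFFICE_APPS and e.image in SCRIPT_HOSTS:
            rules.append("office_spawns_script_host")
        if e.image == "powershell.exe" and ENCODED_PS.search(e.cmdline):
            rules.append("encoded_powershell")
        if USER_WRITABLE.search(e.path) and e.writes_run_key and e.outbound_conn:
            rules.append("persistence_and_beacon_from_user_path")
        if rules:
            hits[e.pid] = rules
    return hits


def compare(events):
    """Which PIDs each approach catches, so the gap is visible at a glance."""
    sig = signature_scan(events)
    beh = set(behavior_scan(events))
    return {"signature_only": sorted(sig - beh),
            "behavior_only": sorted(beh - sig),
            "both": sorted(sig & beh)}


if __name__ == "__main__":
    print("signature hits:", sorted(signature_scan(EVENTS)))
    for pid, rules in behavior_scan(EVENTS).items():
        print(f"behavior hit pid={pid}: {', '.join(rules)}")
    print(compare(EVENTS))
```

The signature check catches only the sample it has already seen (pid 104). The re-packed copy (pid 102) and the Word-spawned encoded PowerShell (pid 101) have no known hash, but their behavior is the same as any other macro-driven intrusion, so the behavioral rules flag them while leaving the ordinary browser and Word processes alone. Real EDR rule sets are far larger and need tuning against benign admin scripting, but the shape of the decision is the same.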
Interestingly, Enterprise Security Group (ESG) analyst Jon Oltsik echoes this in a recent blog, “Network Security Sandboxes Driving Next-Generation Endpoint Security.”
Some specific points include:
- “From about 2012 through 2014, many enterprises evaluated and deployed network-based anti-malware gateways on their networks. Once implemented, it wasn’t at all unusual for these devices to ‘light up like a Christmas tree.’ In other words, anti-malware gateway devices presented security analysts with conclusive evidence that hidden malware and malicious network traffic were actually all over their networks — bots, command-and-control traffic, encrypted traffic, etc.”
- “Now security professionals understood at the time that traditional antivirus software was no match for targeted attacks and APTs, but this was more of an intellectual conclusion. Once they deployed network-based anti-malware gateways however, theory gave way to reality. All of a sudden, security analysts were able to provide CISOs with alarming reports and real data revealing the scope of the endpoint security problem on their own networks.”
- “The cybersecurity chickens had come home to roost. CISOs realized that network-based anti-malware gateways were only part of a next-generation solution and that they had to do more to protect endpoints themselves.”
Cutting Through the Noise
While the market for next-generation endpoint security is heating up, it’s certainly a crowded and noisy market. This is creating challenges for security organizations to “cut through the noise.” Back in mid-December, I published a blog “How Do I Choose an Endpoint Security Solution?” This represented an initial step to help educate security organizations on the next generation endpoint security market based on great work by 451 Research analyst Adrian Sanabria. If you haven’t read it, I would encourage you to check it out as it represents a good foundation for what’s to come. (Hexis eBook coming soon: Five Fundamental Building Blocks of an Endpoint Security Solution.)
Since that blog, we’ve seen more industry analyst research published on next generation endpoint security, including Gartner updating its Market Guide for Endpoint Detection and Response and 451 Research publishing its Endpoint Security Market Map 2015.
Through the rest of this blog series, I plan to provide some thoughts and key takeaways from these reports starting with Gartner’s Market Guide for Endpoint Detection and Response.
For a copy of Gartner's Market Guide for Endpoint Detection and Response go to: https://go2.hexiscyber.com/l/50652/2016-01-05/5cgjxg