The global cybersecurity skills shortage won’t ease anytime soon. In fact, there’s ample evidence to suggest things are getting worse. So, what can organizations do to bridge the skills gap? Rely on service providers for help.
Now, in the past, few organizations considered managed security services for endpoint security. Why? Endpoint security translated to antivirus, so organizations purchased software from a leading vendor (e.g. Kaspersky, McAfee, Sophos, Symantec, Trend Micro, Webroot, etc.), installed the software on their PCs, and then tasked the IT operations staff with the day-to-day care and feeding of AV. In other words, AV software was as close to a “set it and forget it” technology as you could get.
This situation changed quite a bit over the past few years, however, due to things like targeted attacks, fileless malware, and ransomware, and the stalwarts of the industry have largely responded well. At the same time, VC-backed startups and other technology companies have also stepped in and responded to changing requirements with new technologies for threat prevention, detection, and response.
The combination of new threats and innovation changed endpoint security technologies into a defense-in-depth architecture composed of multiple products requiring resources and skills for day-to-day operations.
Since many organizations don’t have the right level of skills and resources for new endpoint security requirements, they are naturally turning toward managed security service providers (MSSPs) for help. According to ESG research, 50 percent of organizations surveyed are using an MSSP for some aspect of endpoint security today, 23 percent plan to use an MSSP for endpoint security within the next 24 months, and 12 percent are interested in doing so sometime in the future.
Types of managed endpoint security services organizations want
Which types of managed endpoint security services are organizations using or interested in using?
- Data loss prevention (DLP) or enterprise risk management (ERM) — 38 percent are using or plan to use these types of services. This interest is likely driven by the impending GDPR deadline in May 2018. Good news for Digital Guardian and others.
- Advanced anti-malware/anti-threat — 37 percent are using or plan to use these services. So, these organizations either can’t or aren’t willing to make the transition from turnkey AV software to new types of threat and exploit prevention technology on their own. FireEye as a service comes to mind, while Webroot is working with multiple MSP partners to capitalize on this opportunity.
- Endpoint detection and response (EDR) — 35 percent are using or plan to use managed services for this. This is no surprise, as EDR requires some advanced analytics skills and a well-organized SOC. CrowdStrike has a bullseye on this opportunity, but others, such as Carbon Black, Cybereason, and Morphick, are also considering, building, or delivering managed EDR.
- Threat hunting — 25 percent are using or plan to use managed services for this. Again, this is a discipline that requires experience and skills. Endgame plays here, along with SecureWorks and Trustwave.
Many of the vendors mentioned offer multiple services, not just those I highlighted.
Given the changes in endpoint security requirements and the trend toward managed services, I believe that leading endpoint security technologies will feature three dimensions:
- Endpoint security functionality options like threat prevention, DLP, EDR, managed threat hunting, etc.
- A consumption model for all endpoint security functionality that ranges from self-managed on-premises deployment, to staff augmentation, to fully managed services.
- Central command and control for configuration management, policy management, monitoring, etc. across all functionality and all consumption models.
Large organizations will then pick and choose the functionality they need and the consumption model that is most appropriate for different locations. Then they'll manage the whole enchilada with a central staff of compliance, IT operations, risk, and security folks. For example, a large organization may deploy layers of endpoint security software at their corporate headquarters but select managed security options for remote locations. They will then configure and operate everything from a central portal.
It’s clear to me that few organizations have the resources or desire to take on every necessary security task themselves anymore. That means they will look for partners who can take over pedestrian security tasks, or who can supplement on-site activities in areas requiring advanced skills. Endpoint security services fit both descriptions, so they will likely grow significantly this year and beyond.