What’s the Endpoint of Endpoint Security?

If youve ever watched youth soccer, you instantly understand the term swarm ball. In many ways, security marketing isnt so different from youth soccer. Vendors swarm toward the ballthe jargon that will resonate with buyersand then have a mad battle to control it, only to have the ball squirt out in another direction, whereupon they all swarm that way. Recently, the ball was compliance solutions, until the swarm caught up and jarred that around, and eventually it kicked out to where the vendors swarm now: endpoint security.

From the perspective of journalists who get dozens of pitches a day (or is it thousands?), the onset of the term endpoint security felt almost coordinated, as if a memo about some focus group results was distributed late one night, and the next morning, all the vendors had effortlessly injected endpoint security into their spiels. Of course, defining the term was harder than just using it. When we asked, we got as many definitions as answers. In one case, a VP of marketing gave two definitions. Presumably, when with customers, he uses the one thats more likely to extract money from that mark. (The mark: Thats you, the buyer of endpoint security solutions.)

At a ballpark level, endpoint security seems to mean security related to PCs and laptops, points at the end of a network. But some vendors suggested that it could encompass some security appliances at the server level too. Others added cell phones and BlackBerrys to the mix, and USB dongles. Those are endpoints too, right? But they want a modifier to encompass all this, so here comes dynamic endpoint security. Stu, the vendor sales and marketing guy, would say, Yes, Mr. CISO, lots of companies do endpoint security, but do they do dynamic endpoint security like us?

Now come some companies using the term to describe policy enforced against client devices, defining what those devices can and cannot do on the network. In some cases, these products intervene with the endpoints to prevent transactions. In other words, its not about securing endpoints, but rather securing your network from the endpoints. Endpoint security, then, becomes a less offensive substitute term for surveillance and behavior monitoring and control. Or, if you will, its a compliance solution. But compliance solutions are soooo 2005.

OK, but generally, we can say that endpoint security refers to security around clients, right? Not so fast, fella. As this is being written, a PR pitch arrives in the old inbox for On Demand Endpoint Clientless Security. Um, what?

It appears the swarm has caught up to this one too.

Deconstructing Jargonendpoint security is jargon, and jargon is spin

Look,

So we work with it, with our grain of salt, but at the same time, its useful to deconstruct jargon because, while it doesnt say much honestly about what it purports to represent, it says a lot about those using it.

Endpoint security, for example, doesnt carry the baggage of older, more specific terms for products that did zilch to dam a rather steady and torrential flow of security failures. Antivirus sounds positively antediluvian. Intrusion detection implies theres already been an intrusion, and intrusion prevention sounds an awful lot like a quixotic epithet for a firewall. In one way or another, all of these products and others (patch management and antispam come to mind) are associated with failure, management burden and, of course, money spent. And for what? Endpoint security, on the other hand, might comprise some of these products (along with others) while carrying none of the negative connotations of those products.

Another development that may have led to the rise of endpoint babble is vendor consolidation. As large players gobble up the products of smaller players, they find themselves with a pile of tools in serious need of branding. Say, Stu, what can we call it when we sell these eight different tools together as a solution?

Finally, theres a more manipulative progenitor of new jargon: the analyst community. White papers, market reports and mystical squares can get crowded, and the big vendors often dominate them. But what if there were more squares & ? No no, Stu says. We dont belong in the same category as BehemothCo, because they do IPS, and were more of a dynamic endpoint security solutions provider. Magically, a new quadrant is born, and Stus company is rocking in that one, according to an analyst report. (Or, do the analysts themselves create these new categories to attract new clients?). At any rate, jargon like endpoint security can be cynically thought of as man-made ponds custom built to please some school of fish.

And its worth going back again to endpoint securitys vagueness. When you think of it, its bold to call something intrusion detection. Because what if it doesnt? Endpoint security, on the other hand, doesnt promise to do anything, so it cant really fail. And judging by a conversation with one endpoint security solutions provider (it used to be an antivirus company, but if you say that its liable to cause convulsing), things are getting vaguer still. I asked him what jargon might be coming next now that the swarm has caught up to the ball again. He mentioned security for PUAsjargon unappetizingly pronounced Pooh-ahs. It stands for potentially unwanted applications. Hows that for equivocal? Since every application on the planet except for two or three is a PUA, soon youre going to need a robust PUA solution! Look, everythings a threat. Just keep buying stuff.

Just Semantics, Right?

I can anticipate one reaction to my sportive dig at vendors: Stu would say, Look, Mr. Cynical, this is just semantics. We have to call products something, so why not focus on the positive? Would you have the soda companies call their product category Cavity-Causing Beverages? Its just marketing. Whats your problem?

I respectfully disagree. The words we use, in many ways, show what we are. And that matters in an information security industry that profits not from fixing the problem but from perpetuating it; thats slow to adapt to new and converged threats; that attacks the problem at its frayed edges, implicitly indicting end users instead of addressing the inherent flaws at the core of infrastructure; thats happy to sell post-facto bandages instead of creating a culture of preventive health. In an industry like that, words like endpoint security speak volumes.

They just dont say anything.

What do you understand endpoint security to mean? Let me know at sberinato@cxo.com, and in a future column Ill print a list of the definitions.