Contributing Writer

Network Security Sandboxes Driving Next-Generation Endpoint Security

Jan 15, 2016 (3 min read)
Data and Information Security, Endpoint Protection, Network Security

Anti-malware gateways are driving next-generation endpoint security implementation and antivirus replacements at large organizations.

Remember advanced persistent threats (APTs)? This term originated within the United States Air Force around 2006.  In my opinion, it gained more widespread recognition after the Google “Operation Aurora” data breach first disclosed in 2010.  This cyber-attack is attributed to groups associated with China’s People’s Liberation Army and impacted organizations like Adobe Systems, Juniper Networks, Northrop Grumman, Symantec, and Yahoo in addition to Google.

APT visibility got another boost in 2013 when Mandiant released its now famous APT1 report documenting several cyber-attacks emanating from a PLA group known as Unit 61398.

Driven by a wave of APT attacks and detailed threat intelligence, enterprise organizations doubled down on threat prevention and detection technologies.  Most of them started by deploying advanced anti-malware gateways (aka "network sandboxes") from vendors like Blue Coat, Check Point, Cisco, FireEye, Fortinet, Lastline, Palo Alto Networks, and Trend Micro.  According to ESG research, 34% of enterprise organizations have deployed network-based anti-malware gateways "extensively" while another 46% have deployed network-based anti-malware gateways "somewhat" (note: I am an ESG employee).

With this in mind, I’ve discovered an interesting relationship between network-based anti-malware gateways and next-generation endpoint security as part of an extensive ESG research project. 

From about 2012 through 2014, many enterprises evaluated and deployed network-based anti-malware gateways on their networks.  Once implemented, it wasn't at all unusual for these devices to "light up like a Christmas tree."  In other words, anti-malware gateway devices presented security analysts with conclusive evidence that hidden malware and malicious network traffic were actually all over their networks – bots, command-and-control traffic, encrypted traffic, etc.

Now, security professionals understood at the time that traditional antivirus software was no match for targeted attacks and APTs, but this was more of an intellectual conclusion.  Once they deployed network-based anti-malware gateways, however, theory gave way to reality.  All of a sudden, security analysts were able to provide CISOs with alarming reports and real data revealing the scope of the endpoint security problem on their own networks.

The cybersecurity chickens had come home to roost.  CISOs realized that network-based anti-malware gateways were only part of a next-generation solution and that they had to do more to protect endpoints themselves. 

From a cybersecurity market perspective, this trend makes a lot of sense.  The Google Aurora attack led to APT awareness and the need to take action.  This drove network-based anti-malware gateway deployment (and the FireEye IPO) in the 2012-2014 timeframe.  Network-based anti-malware gateway deployment led to widespread exposure of antivirus weaknesses, resulting in a wave of next-generation endpoint security deployment as well as industry innovation and funding (e.g. Bit9 + Carbon Black, Countertack, CrowdStrike, Cylance, Invincea, SentinelOne, etc.).

Based upon these trends and my research, I believe that 2016 will be a big year for next-generation endpoint security on both the demand and supply side.  In the meantime, I’ll be presenting the results of ESG’s next-generation endpoint security research at the RSA Security Conference, on Thursday March 3.

Jon Oltsik is a distinguished analyst, fellow, and the founder of ESG's cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.