Network Security Sandboxes Driving Next-Generation Endpoint Security

Remember advanced persistent threats (APTs)? This term originated within the United States Air Force around 2006.  In my opinion, it gained more widespread recognition after the Google “Operation Aurora” data breach first disclosed in 2010.  This cyber-attack is attributed to groups associated with China’s People’s Liberation Army and impacted organizations like Adobe Systems, Juniper Networks, Northrop Grumman, Symantec, and Yahoo in addition to Google.

APT visibility got another boost in 2013 when Mandiant released its now famous APT1 report documenting several cyber-attacks emanating from a PLA group known as Unit 61398.

Driven by a wave of APT attacks and detailed threat intelligence, enterprise organizations doubled-down on threat prevention and detection technologies.  Most of them started by deploying advanced anti-malware gateways (aka: “network sandboxes”) from vendors like Blue Coat, Check Point, Cisco, FireEye, Fortinet, Lastline, Palo Alto Networks, and Trend Micro.  According to ESG research, 34% of enterprise organizations have deployed network-based anti-malware gateways “extensively” while another 46% have deployed network-based anti-malware gateways “somewhat” (note: I am an ESG employee).

With this in mind, I’ve discovered an interesting relationship between network-based anti-malware gateways and next-generation endpoint security as part of an extensive ESG research project. 

From about 2012 through 2014, many enterprises evaluated and deployed network-based anti-malware gateways on their networks.  Once implemented, it wasn’t at all unusual for these devices to “light up like a Christmas tree.”  In other words, anti-malware gateway devices presented security analysts with conclusive evidence that hidden malware and malicious network traffic was actually all over their networks – bots, command-and-control traffic, encrypted traffic, etc. 

Now security professionals understood at the time that traditional antivirus software was no match for targeted attacks and APTs, but this was more of an intellectual conclusion.  Once they deployed network-based anti-malware gateways however, theory gave way to reality.  All of a sudden, security analysts were able to provide CISOs with alarming reports and real data revealing the scope of the endpoint security problem on their own networks. 

The cybersecurity chickens had come home to roost.  CISOs realized that network-based anti-malware gateways were only part of a next-generation solution and that they had to do more to protect endpoints themselves. 

From a cybersecurity market perspective, this trend makes a lot of sense.  The Google Aurora attack led to APT awareness and the need to take action.  This drove network-based anti-malware gateway deployment (and the FireEye IPO) in the 2012-2014 timeframe.  Network-based anti-malware gateway deployment led to widespread exposure of antivirus weaknesses resulting in a wave of next-generation endpoint security deployment as well as industry innovation and funding (i.e. Bit9 + Carbon Black, Countertack, CrowdStrike, Cylance, Invincea, SentinelOne, etc.). 

Based upon these trends and my research, I believe that 2016 will be a big year for next-generation endpoint security on both the demand and supply side.  In the meantime, I’ll be presenting the results of ESG’s next-generation endpoint security research at the RSA Security Conference, on Thursday March 3.