Next-generation endpoint security activity falls into two camps: advanced prevention, and in-depth detection and response. In between these poles lies an assortment of additional security controls.

My colleague Doug Cahill and I are knee-deep in a research project on next-generation endpoint security. As part of this project we are relying on real-world experience, so we have interviewed dozens of cybersecurity professionals working at enterprise organizations (i.e., more than 1,000 employees) who have already deployed new types of endpoint security software.

All of the organizations we interviewed are already running antivirus tools, but day-to-day responsibility for those tools is often delegated to an IT operations team rather than the infosec staff. That leaves the organization at something of a disadvantage: a security control is being tuned and monitored by an IT generalist team. Even so, many of the organizations we interviewed have turned on all of their AV's advanced features and are still being compromised.

So what happens next? Enterprises are deploying next-generation endpoint security solutions along a continuum flanked by two poles:

Advanced prevention. Many organizations are overwhelmed by all of their security tasks and simply want a better endpoint security mousetrap than their existing AV. These firms are opting for solutions from vendors like Confer, Crowdstrike, Cylance, and Invincea that have better detection efficacy than traditional antivirus software. Organizations opting for advanced prevention are looking to "stop the bleeding" by preventing a higher percentage of attacks and easing the daily grind of system re-imaging. These firms are also the most likely to replace AV outright with a next-generation endpoint security tool.

Advanced detection and response. At the opposite extreme, well-resourced and highly skilled organizations are instrumenting endpoints with forensic capture capabilities from vendors like Carbon Black, Countertack, Guidance Software, and RSA.
These firms no longer think of endpoint security as an independent function, but rather as part of the overall incident response (IR) process (see my recent blog on the incident response "fab 5" for more details). They are also willing to work with (and stick with) their existing AV vendors.

So prevention sits at one end, while detection and response sits at the other. What makes this a continuum is the multitude of actions that happen in between these poles. Organizations are slowly moving forward with a whole range of additional security controls, such as application whitelisting, browser sandboxing, endpoint firewall rules, and attribute-based access controls. These supplementary endpoint controls are intended to decrease the endpoint's attack surface rather than to catch attacks directly.

Based on our research, organizations are gravitating toward one end of the continuum or the other, moving forward with either advanced prevention or detection/response. These polar projects are getting funded and seem to be where all the activity (and money) is. Once a new endpoint security program is established, CISOs steadily move on to implement the additional endpoint security controls, but this can require analysis, testing, and gradual implementation over time.

Want to know more about next-generation endpoint security? I'll be presenting our findings at the RSA Security conference on Thursday, March 3. Hope to see you there.