My colleague Doug Cahill and I are knee-deep in a research project on next-generation endpoint security. As part of this project, we are relying on real-world experience, so we've interviewed dozens of cybersecurity professionals working at enterprise organizations (i.e., more than 1,000 employees) who have already deployed new types of endpoint security software.

Now, all of the organizations we interviewed are already running antivirus tools, but day-to-day responsibilities are often delegated to an IT operations team rather than the infosec staff. So these organizations are at somewhat of a disadvantage because they delegated AV to an IT generalist team. Still, many of the organizations we've interviewed have turned on all of their AV's advanced features, and are still being compromised.

So what happens next? Enterprises are deploying next-generation endpoint security solutions along a continuum flanked by two poles:

Advanced prevention. Many organizations are overwhelmed by all of their security tasks and simply want a better endpoint security mousetrap than their existing AV. These firms are opting for solutions from vendors like Confer, Crowdstrike, Cylance, and Invincea that have better detection efficacy than traditional antivirus software. Organizations opting for advanced prevention are looking to "stop the bleeding" by preventing a higher percentage of attacks and reducing the daily grind of system re-imaging. These firms are also the most likely to replace AV with a next-generation endpoint security tool.

Advanced detection and response. At the opposite extreme, well-resourced and highly skilled organizations are instrumenting endpoints with forensic capture capabilities from vendors like Carbon Black, Countertack, Guidance Software, and RSA. These firms no longer think of endpoint security as independent, but rather as part of the overall incident response (IR) process (note: see my recent blog titled the incident response "fab 5" for more details). They are also willing to work with (and stick with) their AV vendors.

So prevention sits at one end, while detection and response sits at the other. What makes this a continuum is the multitude of actions that happen in between these poles. Organizations are slowly moving forward with a whole bunch of additional security controls, like application whitelisting, browser sandboxing, endpoint firewall rules, attribute-based access controls, etc. These supplementary endpoint controls are intended to decrease the attack surface.

Based on our research, organizations are gravitating toward one end of the continuum or the other by jumping on the advanced prevention or detection/response bandwagon. These polar projects are getting funded and seem to be where all the activity (and money) is. Once new endpoint security programs are established, CISOs steadily move on to implement additional endpoint security controls, but this can require analysis, testing, and gradual implementation over time.

Want to know more about next-generation endpoint security? I'll be presenting our findings at the RSA Security conference on Thursday, March 3. Hope to see you there.