Endpoint security in 2017

Just a few years ago, there were about 6 to 10 well regarded AV vendors that dominated the market. Fast forward to 2017, and my colleague Doug Cahill and I are currently tracking around 50 endpoint security vendors. 

Why has this market changed so much in such a short timeframe? New types of targeted threats regularly circumvented signature-based AV software over the past few years. This weakness led to system compromises, data breaches and panicky CISOs in search of AV alternatives. This in turn persuaded the fat cats on Sand Hill Road to throw VC dollars at anything that hinted at endpoint security innovation.

OK, I get the need for more than signature-based AV, but there simply isn’t room in the market for 50 endpoint security vendors. Thus, it’s safe to assume we’ll see a lot of M&A activity and outright business failures this year. 

Endpoint security trends for 2017

Aside from the financial wrangling within the endpoint security market, I expect several other endpoint security trends in 2017:

1. More comprehensive suites. At ESG, we’ve defined an endpoint security continuum with advanced prevention tools on one side and advanced detection and response (aka EDR) on the other. In between these two poles are additional security controls, such as white listing/black listing applications, sandboxing browsers and isolation technologies.

Over the past few years, new endpoint security vendors used to come at the continuum from one end or the other. Cylance was equated with advanced prevention, while Carbon Black competed for EDR dollars. In 2017, leading endpoint security newbies will offer the whole enchilada. Cylance is adding EDR capabilities, Carbon Black bought Confer for prevention, CrowdStrike is doubling down on prevention rules, and Invincea is expanding its offering. These (and other) vendors want all past and future endpoint security dollars, not just a slice.

2. The return of the incumbents. As of this writing, most if not all the traditional AV vendors have new product suites designed to compete with the next-generation endpoint security crowd. Feature sets include machine learning, isolation technologies, and EDR. If incumbents can prove they have competitive offerings, they will shed the “legacy vendor” label and start to push back on the start-ups.

3. Machine learning vs. defense-in-depth. This is bound to be a battle royale in 2017. All leading endpoint security tools will feature machine learning algorithms for pre-execution threat prevention. Some will anchor their product designs to machine learning algorithms, while others will add machine learning as a layer of defense along with signatures, behavioral heuristics, file reputation scoring, etc. Which alternative is best? It really depends upon the types of threats that evolve over the next few years. While each side will crow about their superiority, the market will ultimately decide what it wants.

4. The rise of EDR. Endpoint detection and response tools have been limited to the large enterprise market alone. This is changing, however. In 2017, we’ll see EDR products and services go down market. We’ll also see EDR analytics start to subsume some SIEM functionality for security investigations and hunting activities. Carbon Black is the king of the EDR hill, but vendors such as Countertack, CrowdStrike, Cybereason, Endgame and even Guidance Software will make this market more interesting this year. 

5. Integration. This isn’t exactly new, but we will still hear more about endpoint security integration with network security and security analytics. This is where Cisco, Check Point, Fidelis, FireEye, Palo Alto Networks and RSA play. 

6. More new names. While I firmly believe endpoint security will consolidate, I’m also hearing some newish names, such as Comodo, Dell (both Dell and SecureWorks) and Ziften. Oh, and I fully expect a half dozen new endpoint security vendors from Israel—IDF and Unit 8200 folks seem especially adept in this area. 

7. More services. Some vendors will push on a cloud-based management plane, while others will be willing to outsource the whole endpoint security kit and caboodle.  Both models will grow precipitously this year. 

There will be a lot of endpoint security buzz at next month’s RSA Security Conference from old and new players. Those that have products and strategies that align with the points above will be most successful.