RSA Conference 2017: Endpoint security in the spotlight

As the calendar shifts from January to February, cybersecurity professionals are gearing up for the RSA Security Conference in a few short weeks. Remarkably, the management team is expecting more than 50,000 attendees this year. 

So, what can we expect from RSA 2017? Well, cybersecurity is being driven by dangerous threats, digital transformation and the need for massive scalability. This means innovation and change in just about every aspect of cybersecurity technology, so I plan to write a few posts about my expectations for the RSA Conference. I’ll start with this one about endpoint security.

To be clear, endpoint security should no longer be defined as antivirus software. No disrespect to tried-and-true AV, but endpoint security now spans a continuum that includes advanced prevention technologies, endpoint security controls and advanced detection/response tools. My colleague Doug Cahill and I are currently tracking more than 50 endpoint security vendors, demonstrating just how much activity there is today.

Here’s a brief list of some endpoint security activities I anticipate at RSA:

1. The return of the incumbents. RSA 2016 featured a newish category called next-generation endpoint security. The innuendo here was that traditional vendors such as Kaspersky, McAfee, Sophos, Symantec, and Trend Micro were yesterday’s news, anchored to inefficient AV signatures that didn’t really work. Well, over the past 12 months, incumbent vendors have released new products with advanced prevention, detection and response functionality of their own. As incumbent vendors trumpet new revisions, their pitch at RSA will be simple: What’s old is new again, so why fix what ain’t broken? 

2. Next-generation endpoint security suites. ESG did some research on endpoint security in 2016 and found that many enterprise organizations were layering multiple security tools on each endpoint. They’d start with traditional AV and layer on things such as machine learning prevention tools, application controls or endpoint detection/response (EDR) resulting in a complex environment with multiple endpoint agents on each system and multiple management consoles for endpoint security oversight.

It’s likely that this messy endpoint security infrastructure will consolidate over the next 12 to 18 months as enterprise organizations replace multiple point tools with full-function suites. The 2017 RSA Conference will serve as a coming-out party with a plethora of vendors pushing their one-size-fits-all products and suites.

3. Machine learning vs. defense-in-depth. Next-generation endpoint security vendors profess a paradigm shift in endpoint security with machine learning algorithms usurping the need for outmoded AV signatures, file reputation lists and behavioral heuristics. Traditional vendors see this talk as blasphemy. Yes, artificial intelligence (AI) is worthwhile, but they insist that AI functionality should be viewed as a complementary additional layer of defense. 

So, who’s correct—the AI innovators or the layered defense traditionalists? Well, I for one, don’t believe there is a right answer here. The best endpoint security products will prevent and detect a much higher percent of cyber attacks and demonstrate low false-positive rates without impacting system performance. How you get there is fairly arbitrary in my view, but I look forward to a spirited debate at RSA from both camps.

4. The name game. Remember I mentioned 50-plus endpoint security vendors? Aside from us analyst types, few people can name more than a half dozen. Since the endpoint security market is a land grab, get ready to hear from the other 40 or so vendors at the Moscone Center. Some of these vendors are brand-new, some come to the endpoint market from other areas of security, and some are simply trying to make sure they’re included in the conversation. Look for vendors such as Barkly, Cisco, Comodo, Digital Guardian, FireEye, Invincea, Palo Alto Networks, SentinelOne, Ziften, etc. to turn up the volume on their endpoint security strategies. 

5. EDR comes of age. Endpoint security analytics systems have been a niche in the past, as they required advanced skills to deploy and operate. While this is still true to some extent, most enterprise organizations now understand the value of EDR and the tools are becoming easier to use. Carbon Black is still the standard bearer in this market, appearing on every RFI/RFP, but others—including CounterTack, CrowdStrike, Cybereason, Endgame and Guidance software—are making waves. Others will join the party because EDR is bolted onto every other endpoint security suite.

6. Endpoint security meets cloud control planes and services. Like just about every other cybersecurity area, endpoint security is getting more complicated, demanding more skills and resources. Facing the reality of a pervasive cybersecurity skills shortage, a growing list of CISOs are willing to delegate some or all aspects of endpoint security to others. That means more and more cloud-based control planes replacing onsite servers and a growing list of endpoint security MSSPs. Product and services vendors will make sure to pitch endpoint alternatives (cloud management and services options) all over RSA in an attempt to appeal to organizations looking for endpoint security help.

Finally, endpoint security is no longer a stand-alone security domain, so I expect vendors to crow about open APIs, ecosystem partners and integration use cases for network security and security operations. 

More soon about other expectations for RSA.