Endpoint detection and response is coming – in one form or another

A few years ago (2016), my esteemed colleague Doug Cahill and I spoke with 30 enterprise organizations about their endpoint security requirements and strategies. Based upon these discussions, we came up with a concept called the endpoint security continuum. 

On one end of the continuum lies advanced threat prevention. This software is sometimes referred to as “next-generation AV” because it uses technologies such as machine learning and threat intelligence integration to improve the threat prevention capabilities of traditional AV products.

The other end of the continuum features advanced detection and response, which the industry has since dubbed endpoint detection and response (EDR). Rather than block exploits and malware, EDR focuses on monitoring endpoints to detect suspicious activities and capture data for forensic and security investigations.

At the time, Doug and I reached a few conclusions:

1. 75 to 80 percent of the market would lean toward advanced prevention, while 20 to 25 percent of organizations would focus on EDR. The bias toward advanced prevention was because few organizations had the technical chops or resources for a complex EDR project.
2. Eventually, vendors would seek to bridge the endpoint security continuum by offering product suites that span from advanced prevention to EDR. When this happened, organizations would buy the whole enchilada. 

Fast forward to 2018, and I’m happy to say that our hypotheses are playing out — sort of. According to ESG research:

• 87 percent of organizations plan to buy a comprehensive endpoint security suite that covers the entire endpoint security continuum from advanced prevention to EDR.
• When asked to identify the most attractive functionality of a comprehensive endpoint security suite, 28 percent of cybersecurity professionals said EDR. This was the highest percentage of any potential response. So, after advanced prevention capabilities, EDR is becoming a requirement.

So, next-generation AV products will bundle in EDR and offer the whole thing as a comprehensive endpoint security suite, right? Well, kind of. It’s true that most organizations want EDR functionality, but it’s also true that a large percentage of these organizations still don’t have the skills and resources for a full-blown EDR deployment.

3 types of EDR products 

Given this market reality, Doug and I believe that EDR will undergo market segmentation and end up with categories such as these:

• Enterprise EDR. These products will collect, process and analyze all endpoint activity. Furthermore, enterprise EDR will be anchored by on-premises infrastructure (i.e. collectors, servers, storage, etc.). This will remain a niche market (around 20 to 25 percent), focused on large organizations in regulated and highly secure industries.
• EDR light. In this model, EDR will be “trigger-based.” When a behavioral analytics, SIEM, or UEBA rule fires, EDR light will start collecting behavioral data on suspected systems. This is like the way some organizations use PCAP technologies today. EDR light will be especially attractive to organizations building a security operations and analytics platform architecture (SOAPA), as endpoint security data will support other analytics. Many enterprise and mid-market organizations (40 to 50 percent of the market) will choose this option.
• Managed EDR. This is sort of a “tweener” for organizations that want full (or close to full) EDR but don’t have the skills or resources to pull it off. The managed EDR market will further evolve into subsegments. Some service providers will focus only on detection, while some will push all the way to response and remediation. Some will offer managed EDR as part of a larger managed detection and response (MDR) offering. Some will delve into managed threat hunting. All in all, 25 to 40 percent of the market will go for some form of managed EDR. 

It’s also likely that some product and service providers will offer a full menu of options ranging from products to fully managed services. These hybrid offerings will appeal to large global organizations that need various capabilities in different locations. 

Rather than default to a product, security managers really need to assess their needs, resources, and skills before making an EDR decision. There will be a lot of options to choose from, so CISOs must choose wisely.