The movement toward next-generation endpoint security has accelerated over the last few years for a simple reason: cybersecurity professionals aren't happy with the efficacy of existing antivirus tools. This market demand has led to a wave of investment and innovation from vendors such as Carbon Black, CrowdStrike, Cybereason, Cylance, Morphisec, and SentinelOne.

New endpoint security technologies have tended to fall into one of two areas. Advanced prevention tools added new techniques for detecting malware that bypassed AV signatures. Many of these tools also contained anti-exploit technologies for detecting and blocking common memory exploits and/or attacks against common applications like browsers. At the other end of the endpoint security continuum, some organizations had new requirements for endpoint detection and response (EDR). These tools monitor endpoint behavior and collect data, which is then used for security analytics.

In the past, most organizations chose new tools for advanced prevention or EDR but not both. About 75 to 80 percent went with advanced prevention, and the remainder chose EDR.

This purchasing and deployment behavior is changing, however. According to ESG research, 87 percent of organizations have purchased or are planning to purchase a comprehensive endpoint security suite that contains both advanced prevention and EDR. (Note: I am an ESG employee.) Thus, endpoint security vendors must be a one-stop endpoint security shop if they want to compete for business.

7 must-have endpoint security functions

OK, so organizations want a comprehensive suite of endpoint security functionality, but what the heck does that mean? Based upon lots of research, "must-have" endpoint security functionality includes:

1. High-efficacy malware detection/blocking. This can be based upon layered endpoint security technologies (i.e., AV signatures, heuristics, IoC comparisons, etc.) or solely on machine learning algorithms, as long as it detects and blocks 90 percent-plus of pedestrian and zero-day file and fileless malware while maintaining a low false positive rate.

2. Anti-exploit technologies. As previously described, this technology blocks in-memory and common application-layer attacks. Blocking ransomware comes to mind here. Note that anti-exploit technologies can be fairly geeky, so CISOs should look for options that are easy to configure and operate.

3. EDR capabilities. CISOs should choose carefully here, as there is a lot of product variation in EDR tools. Large organizations with advanced security analytics and SOC skills may want to collect, process, analyze, and retain all endpoint security data, while less experienced organizations may only want EDR capabilities based upon other security alert "triggers." EDR may also be an area where managed services are especially attractive for overwhelmed or under-staffed security departments. EDR is a requirement for endpoint security suites, but organizations should approach EDR with eyes wide open: caveat emptor.

4. A single endpoint agent. Leading products should be based upon a single, easy-to-deploy and easy-to-operate agent. Some vendors may use several agents today with roadmap plans to consolidate to a single agent. Again, caveat emptor.

5. Centralized management. All functionality should report into a centralized management system. For separation of duties, centralized management should support multi-factor authentication, customized views/dashboards, and role-based access control.

6. Hybrid deployment options. Organizations should be able to pick and choose whether the endpoint security management plane lives on premises, in the cloud, or is made up of a combination of both.

7. Remediation capabilities. When an endpoint gets infected, security and IT operations need the ability to quarantine the system, delete registry keys, or terminate malicious processes. Endpoint security tools should make this an easy administrative task. Yes, some systems will still need to be reimaged, but endpoint security tools should provide ample remediation options that help greatly reduce the number of system reimages necessary.

A few other points:

I'd classify everything else (i.e., asset management capabilities, application whitelisting, port controls, etc.) as "nice to have" functionality. These capabilities may be very important to some users and unimportant to others, so if you need them, seek out vendors that offer them.

Asset management, vulnerability management, and patch management did not make my list of "gotta have" functionality, but these capabilities are moving to endpoint security. Pay attention to this area.

Yes, you need DLP and other types of file-level data security on endpoints. DLP doesn't need to be part of an endpoint security suite, but some organizations may find a single endpoint security/DLP solution attractive.

Traditional endpoint security controls, such as full-disk encryption and firewalls, have really migrated to the operating systems. As such, they don't really need to be part of new endpoint security suites.

Vendors may supplement endpoint security products with managed services. Some CISOs will find it attractive to own some endpoint security functionality themselves and to outsource the rest.

Some vendors participate in third-party testing, while others eschew these tests, claiming they no longer apply to new types of endpoint security technology. While third-party tests can provide objective metrics, I strongly suggest organizations conduct their own detailed and diligent product testing. In other words, don't rely on third parties or let vendors take the lead on product testing. You're on your own to make the best decision here.

Finally, endpoint security can be confusing. Organizations should approach any new endpoint security decisions with thorough research on the market, technologies, and vendors.