10:30 AM
Doug Cahill
Doug Cahill
Connect Directly
E-Mail vvv

Navigating Next-Gen Endpoint Security: A Buyers Journey

Organizations will face a market in a state of transition as they evaluate information security solutions from both new and established vendors.

After Operation Aurora in 2009, “we’ll catch it on the wire” was an oft-heard phrase reflecting a network-centric orientation to security and the concession that signature-based antivirus was ineffective against never-seen-before components of an advanced persistent threat, the behavior of which the industry now frames in the context of the cybersecurity kill chain.

The incessant rate of attacks against the increasingly mobile and multi-device operator of endpoints (whose human gullibility is the vulnerability that makes spear phishing and drive-by downloads serially successful) is such that many organizations are now revisiting their endpoint security strategies -- both products and processes.

But executing upon this imperative in a market rife with confusion and ripe for consolidation is not a small thing. Enterprise Strategy Group (ESG) has conducted interviews with dozens of enterprises that have navigated this market in transition en route to improving their endpoint security postures. What can we learn from those that have made the journey? Have they, in fact, reached their destination? Here’s a summary of our findings, which will be presented at this year’s RSA conference in March.

It starts with operational efficiency

In a holistic security methodology, prevention, detection, and response are not mutually exclusive concepts; they work in concert with prevention controls employed to reduce the attack surface area and with detection and response controls to deal with the inevitable introduction of the new and unknown. But some organizations simply do not have the resources nor the expertise to utilize detection and response solutions, and often opt for greater prevention efficacy, as measured not only in a reduction in malware detected by network-based sandboxes but also in fewer calls to the help desk. Operational efficiency is a critical success factor for all companies refreshing their endpoint security solution sets, especially those with fewer resources.

Add layers of prevention

Advanced prevention controls include containerization, binary runtime inspection, and application control. Some organizations that seek improved prevention effectiveness layer such controls by keeping signature-based antivirus in place for the more pedestrian viruses while also deploying an advanced control for advanced malware. Customers with an Enterprise License Agreement (ELA) with Microsoft may utilize Security Essentials as their antivirus engine and reallocate budget to an advanced anti-malware product.

Another layered prevention model is to employ antivirus to address the “known bad,” and application control for a default-deny approach of only allowing known good, an approach well suited for systems with little to no drift, but one that does require some care and feeding to create group-specific whitelists.

For large organizations, proactive monitoring

The second approach is one typically put in play by larger organizations that do have the resources, as well as the skill sets, to view prevention as simply reducing the attack surface and employing an endpoint detection and response solution (EDR) to proactively monitor system activity. Since the detection method of EDR products is fundamentally rooted in determining anomalous and potentially malicious deviations from a norm, the first step for users of these products is to determine what is normal. Establishing a baseline requires a contextual understanding of one’s own environment (i.e., what is normal) and then a period of suppressing alarms and cultivating rules to essentially train the EDR solution to alert at a higher level of fidelity, thus optimizing the signal:noise ratio so security analysts are not triaging an onslaught of false positives.

A prevent, detect and respond spectrum of starting points

These approaches are not mutually exclusive, and as ESG research has discovered, each one is typically a starting point at one end of the spectrum. Nearly all enterprises have plans to further secure their endpoints by applying additional controls to complete the prevent-detect-respond continuum. But while ESG research highlights the fact that customers prefer an endpoint security suite that aggregates prevention, detection, and response functionality from a single vendor, enterprises will also purchase and deploy point tools to protect their highest-value targets.

Another option for adding detection and response to the endpoint mix is for organizations without the resources to operate such a solution to engage with a managed security services provider (MSSP). Also on the radar screen of next steps is integration with analytics platforms for correlation and with network security controls to expedite detection, reduce dwell time, and terminate communication with a command-and-control server.

The new focus on protecting end users, and their multitude of endpoints, is indicative of an evolution from the old network-centric security model to one that is also host-centric across endpoints, server workloads, and IoT devices. Where customers start is largely a function of resources and skills, based on a balance between detection efficacy and operational efficiency. As the endpoint security industry goes through its transition, we can learn much from those who are at least part of the way along on their journey. 

More on this topic:


Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Doug Cahill is a senior analyst covering cybersecurity at Enterprise Strategy Group drawing upon more than 25 years of industry experience across a broad range of cloud, host, and network-based products and markets. Prior to joining ESG, Doug held executive leadership ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.