05:30 PM
Connect Directly

The Rebirth Of Endpoint Security

A slew of startups and veteran security firms are moving toward proactive and adaptive detection and mitigation for securing the endpoint. But few enterprises are ready to pull the antivirus plug.

Endpoint security is undergoing a major renaissance with a new generation of products and services that flip the equation from the antivirus software mantra of prevention to the more pragmatic -- and realistic -- tactic of detection and incident response at the user device.

A wave of next-generation endpoint security startups have come out of stealth in the past year or two including Cybereason, enSilo, Hexis, SentinelOne, Tanium, Triumfant, and Ziften. Venture capital firms are all over this space, too:  endpoint security startup Tanium is now valued at a whopping $3.5 billion, topping all venture-backed cybersecurity firms worldwide. Tanium, which boasts Target, Visa, NASDAQ, and Verizon among its customers, tipped the scales last month when it secured an additional $120 million in VC from TPG, Institutional Venture Partners, T. Rowe Price, and Andreessen Horowitz.

The startups join existing security firms that focus on various approaches to advanced endpoint protection such as Bromium, Cisco Systems, Cylance, CrowdStrike, Mandiant, Bit9/Carbon Black, CounterTack, ForeScout, Invincea, and Palo Alto Networks, RSA Security, Tripwire, and others.

"This is is clearly a pretty hot market from a VC perspective. There's a lot of money flowing in from a lot of new startups," says Peter Firstbrook, a vice president at Gartner. Firstbrook is tracking more than 30 vendors now in the so-called endpoint detection and response (EDR) security space, and in the past 12 months, EDR startups have raised $322 million, he says.

Traditional AV and endpoint security giants such as Intel Security/McAfee, Symantec, Kaspersky Lab, and Sophos, which have been augmenting their AV platforms with features aimed at detecting unknown threats, aren't sitting idly by; they are expected to join the EDR generation with offerings of their own. According to Gartner, the only major endpoint security platform vendor with an official EDR offering to date is Trend Micro.

The endpoint remains the most attractive and soft target for cyber criminals and cyber espionage actors to get inside the door of their targets. There's a treasure trove of intelligence about the attack at the endpoint, and EDR tools take advantage of that by gathering and storing that information in response to an attack and as intel to thwart future ones.

"You want to get to the endpoint because it's the ultimate source of the truth," says Kevin Mandia, founder of Mandiant and president of FireEye.

Mandia says endpoint security tools should detect what antivirus misses and also provide forensics information if an attacker gets in. "Ultimately, it needs to prevent something from happening but … if something bad happens, it can secure and lock down your data," he says.

Antivirus may be dead in the water when it comes to stopping advanced threats, but the signature-based endpoint defense is still living and breathing on Windows desktops all over the world. AV will remain part of the equation for the everyday run-of-the-mill malware that just won't go away, experts say.

EDR adoption is still the exception, too. Consider this: the traditional AV market is $3.5 billion in revenue, with some 400 million seats, while around 5,000 companies--only about 250,000 endpoints overall--are running EDR today, according to the latest numbers from Gartner.

Gartner estimates the EDR market will hit $130 million in revenues this year, with the biggest share of the pie going to the established security vendors like Cisco, FireEye, and Tripwire, for example. Look for the EDR market to double in 2016, by Gartner's estimates.

Some 80 percent of endpoint protection platforms will include user activity monitoring and forensics capabilities associated with EDR by 2018, according to Gartner. Just 5% did so as of 2013.

"A lot of customers are looking for an additional solution for their endpoint. They don't feel like their existing endpoint protection vendors protect them. They are allocating some budget for AV and HIPS [host intrusion prevention systems]. Whitelisting is the second generation," Firstbrook says.

EDR does everything from detect unpatched bugs and suspicious events on the endpoint to isolate, investigate, and remediate it and share attack intelligence with the rest of the network when incidents occur. But adoption remains a rarity today and typically in the early stages, according to Firstbrook. "They are trials mostly."  

The organizations buying EDR products are doing so mainly to augment their existing traditional endpoint security and not replacing it. Most organizations are wedded to their AV for now for compliance reasons or other requirements, says Chris Sherman, an analyst with Forrester Research. Sherman says many enterprises ultimately will go with either free or lightweight AV layered with the newer endpoint security technologies.

Take the Council Rock School District in Pennsylvania, which runs Ziften's EDR software but also kept its Trend Micro AV enterprise solution. "You've got to augment it [AV] and have additional layers," says Matthew J. Frederickson, director of IT for the school system, which has 13,000 users and some 5,500 endpoints plus tablets.

The school system's tools caught, isolated, and cleaned up a botnet infection that hit one of its machines recently. Frederickson says he noticed an odd IP address, and then consulted with his Lancope StealthWatch network monitoring system and found the IP was a spoofed address tied to a botnet infection on a machine in one of his elementary school computer labs. "I was able remediate it and took like five minutes. That blew my mind," he says. It would normally take about a week or so to find and fix a botnet infection with only traditional security tools, he says, and likely only after the school noticed a network slowdown from the botnet traffic.

Tipping Point

The tipping point toward the evolution of endpoint security away from pure blacklisting and signature-based technology was the series of massive and high-profile attacks over the past few years of big-name brands like Target, Home Depot and Sony, security experts say. "Security is something of a board-level decision at this point. No CIO or CISO wants to explain why it was breached and how they should have prevented it. There's a mindset change in that," says Josh Applebaum, vice president of product strategy at Ziften Technologies, an EDR startup. "Before, continuous monitoring was [just] a buzzword."

"A lot of things were slipping through the cracks [with AV] because there are a lot of behaviors that are not known as good or bad. We saw the need to see everything" with a lightweight footprint, Applebaum says. "Home Depot didn't even deploy all of its AV to all endpoints because of the heavyweight aspect of it."

Many organizations don't want to deal with the daunting task--and the cost--of revamping the security of their desktops and other endpoints. The newer products are lightweight -- such as sensors--that sit at the kernel and run as an operating system service and don't have the baggage of a heavy client package like AV has had.

Surescripts, a nationwide health information network that connects pharmacies, hospitals, and physician practices, in the first two months of its deployment of Invincea's software detected and blocked a Cryptolocker ransomware attack. Paul Calatayud, CISO of Surescripts, says he added the extra endpoint protection layer to protect insiders from becoming a conduit for an attack on the site. "Endpoints are getting compromised, and their credentials get stolen. Then they become an insider threat," he says. 

But in the end, the "R" in EDR might be the key to selling organizations on these tools. "IR and 

Continued on Page 2

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/11/2016 | 6:08:55 PM
Reference to reports cited
Where can I find reference(s) to the report(s) from which the data is cited? I followed some of the links, but couldn't locate any reference.


User Rank: Apprentice
11/6/2015 | 12:35:22 PM
Intel Security's New Strategy and EDR Update

Great article! Keep an eye out for how Intel Security's new strategy around the "Threat Defense Life Cycle" (protect/detect/correct) will be the model to truly give our customers a fighting chance against targeted sophisticated attacks. McAfee Active Response is the EDR technology being released here in Q4 from Intel Security which is a vital piece of the detect/correct piece of the equation. Please reach out for more information to keep readers informed.




Adam Faeder
User Rank: Guru
10/22/2015 | 3:10:52 PM
EDR Market Sizing
Gartner's estimate of # of endpoints with EDR (250k) is at least 1 order of magnitude low. 
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.