Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Doug Cahill
Doug Cahill
Connect Directly
E-Mail vvv

Navigating Next-Gen Endpoint Security: A Buyer’s Journey

Organizations will face a market in a state of transition as they evaluate information security solutions from both new and established vendors.

After Operation Aurora in 2009, “we’ll catch it on the wire” was an oft-heard phrase reflecting a network-centric orientation to security and the concession that signature-based antivirus was ineffective against never-seen-before components of an advanced persistent threat, the behavior of which the industry now frames in the context of the cybersecurity kill chain.

The incessant rate of attacks against the increasingly mobile and multi-device operator of endpoints (whose human gullibility is the vulnerability that makes spear phishing and drive-by downloads serially successful) is such that many organizations are now revisiting their endpoint security strategies -- both products and processes.

But executing upon this imperative in a market rife with confusion and ripe for consolidation is not a small thing. Enterprise Strategy Group (ESG) has conducted interviews with dozens of enterprises that have navigated this market in transition en route to improving their endpoint security postures. What can we learn from those that have made the journey? Have they, in fact, reached their destination? Here’s a summary of our findings, which will be presented at this year’s RSA conference in March.

It starts with operational efficiency

In a holistic security methodology, prevention, detection, and response are not mutually exclusive concepts; they work in concert with prevention controls employed to reduce the attack surface area and with detection and response controls to deal with the inevitable introduction of the new and unknown. But some organizations simply do not have the resources nor the expertise to utilize detection and response solutions, and often opt for greater prevention efficacy, as measured not only in a reduction in malware detected by network-based sandboxes but also in fewer calls to the help desk. Operational efficiency is a critical success factor for all companies refreshing their endpoint security solution sets, especially those with fewer resources.

Add layers of prevention

Advanced prevention controls include containerization, binary runtime inspection, and application control. Some organizations that seek improved prevention effectiveness layer such controls by keeping signature-based antivirus in place for the more pedestrian viruses while also deploying an advanced control for advanced malware. Customers with an Enterprise License Agreement (ELA) with Microsoft may utilize Security Essentials as their antivirus engine and reallocate budget to an advanced anti-malware product.

Another layered prevention model is to employ antivirus to address the “known bad,” and application control for a default-deny approach of only allowing known good, an approach well suited for systems with little to no drift, but one that does require some care and feeding to create group-specific whitelists.

For large organizations, proactive monitoring

The second approach is one typically put in play by larger organizations that do have the resources, as well as the skill sets, to view prevention as simply reducing the attack surface and employing an endpoint detection and response solution (EDR) to proactively monitor system activity. Since the detection method of EDR products is fundamentally rooted in determining anomalous and potentially malicious deviations from a norm, the first step for users of these products is to determine what is normal. Establishing a baseline requires a contextual understanding of one’s own environment (i.e., what is normal) and then a period of suppressing alarms and cultivating rules to essentially train the EDR solution to alert at a higher level of fidelity, thus optimizing the signal:noise ratio so security analysts are not triaging an onslaught of false positives.

A prevent, detect and respond spectrum of starting points

These approaches are not mutually exclusive, and as ESG research has discovered, each one is typically a starting point at one end of the spectrum. Nearly all enterprises have plans to further secure their endpoints by applying additional controls to complete the prevent-detect-respond continuum. But while ESG research highlights the fact that customers prefer an endpoint security suite that aggregates prevention, detection, and response functionality from a single vendor, enterprises will also purchase and deploy point tools to protect their highest-value targets.

Another option for adding detection and response to the endpoint mix is for organizations without the resources to operate such a solution to engage with a managed security services provider (MSSP). Also on the radar screen of next steps is integration with analytics platforms for correlation and with network security controls to expedite detection, reduce dwell time, and terminate communication with a command-and-control server.

The new focus on protecting end users, and their multitude of endpoints, is indicative of an evolution from the old network-centric security model to one that is also host-centric across endpoints, server workloads, and IoT devices. Where customers start is largely a function of resources and skills, based on a balance between detection efficacy and operational efficiency. As the endpoint security industry goes through its transition, we can learn much from those who are at least part of the way along on their journey. 

More on this topic:


Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Doug Cahill is a senior analyst covering cybersecurity at Enterprise Strategy Group drawing upon more than 25 years of industry experience across a broad range of cloud, host, and network-based products and markets. Prior to joining ESG, Doug held executive leadership ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-15
Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Sydent also does not limit response size for requests it mak...
PUBLISHED: 2021-04-15
Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform a...
PUBLISHED: 2021-04-15
Sydent is a reference matrix identity server. A malicious user could abuse Sydent to send out arbitrary emails from the Sydent email address. This could be used to construct plausible phishing emails, for example. This issue has been fixed in 4469d1d.
PUBLISHED: 2021-04-15
Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has be...
PUBLISHED: 2021-04-15
The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is always best practice to ...