and forensics are hard. Skillsets are in short supply, and that challenge isn't going anywhere," says Ryan Kazanciyan, chief security architect with Tanium. "So we are able to democratize that and lower the barrier to the existing skills without outsourcing or building a team of malware and reverse-engineering and forensics expert teams."
Kazanciyan, who previously worked for Mandiant in its IR practice, says the IR and forensics feature lets you "push play" and retrace the attacker's footsteps and activity. "It definitely reduces a lot of effort for analysis and helps you capture evidence you might not otherwise keep on its own [from an endpoint], such as an IP address it connected to and why," he says.
There's also the race to clean up an infected machine. "How many man hours does it take to complete an investigation? I might expect a skilled analyst to take 40 hours on a single system" manually, he says. "With this technology, it can take minutes or an hour."
A New Look For The Olde Guarde
Security analysts expect Symantec to pony up with a next-generation endpoint security offering of its own. Samir Kapuria, vice president and general manager of cyber security services at Symantec, says the recent sale of its Veritas storage company has allowed Symantec to double down on its security heritage. It's admittedly tough to shake its image as an endpoint antivirus company, he notes, but "the new Symantec" is not just about the endpoint.
"It's so much more than the endpoint. [The endpoint] is a very important part of protection, but we're looking at the whole thing holistically. That's the new Symantec," Kapuria says. Symantec has some 175 million endpoints worldwide that phone home attacks, as well as some 57 million attack sensors, and that massive amount of data provides the company with "a unique asset," he says.
"We have the opportunity to harness that information with more modern technical capabilities" such as big data analytics, he says.
The security giant plans to roll out several new products and services in the next two quarters surrounding its emerging Unified Security Analytics platform. Look for new incident response, remediation, and other next-gen features to come from Symantec, which also plans to "keep the good stuff" from its AV protection functions, he says.
"We look at the surface area of an enterprise. That spans from the endpoint to mobile to the cloud to the data center--the whole gamut," he says. "We've moved to an integrated approach. An organization shouldn't have to worry if it's an endpoint, mobile or cloud app when they're thinking about threat protection ... What we're ushering in now is looking at it holistically," he says.
Intel's McAfee Security unit is undergoing a similar metamorphosis when it comes to endpoint security. Candace Worley, senior vice president and general manager of endpoint security at Intel Security, who has been with McAfee for 15 years, says she has watched the evolution from AV to host IPS to personal firewalls, and now to an era in which mobile and home workers are changing the game.
"AV will have a tertiary role at best going forward," Worley says. "It's a solution that does the janitorial work … it reduces significantly the amount of malware noise in the organization, and then you can focus on the unknown [threats]."
McAfee's recently released Threat Intelligence Exchange, like Symantec's Unified Security Analytics, is also an integrated approach to security that provides threat protection on the fly based on intel developments, and operates across the network, gateways, and endpoints. "It delivers a more IR-orchestrated response to malware," Worley says. "It works with our endpoint product."
Worley dismisses the AV company identity image at McAfee. "We haven't been an AV company since 2003," she says. McAfee back then added the host IPS to the desktop, and later, application control, DLP, and monitoring. "We moved to more of a cloud approach that allows visibility, security, and reporting on those devices."
Intel Security/McAfee is planning announcements in the EDR space next week, according to Edward Metcalf, director of product and solutions for the company.
Security analysts say among traditional AV vendors, Trend Micro is furthest along the curve to a new generation of EDR.
Raimund Genes, CTO of Trend Micro, says he prefers calling it an evolution in endpoint security rather than a new generation. "Whitelisting, heuristics, endpoint sensors, stateful inspection, firewall" features are all part of Trend Micro's offering, in addition to its traditional, baseline technology. "I'm really getting tired of Symantec saying AV is dead. Switch it [AV] off and see if an enterprise could survive" without it, he says.
Some key elements of a modern endpoint security product, he says, are manageability and usability. And "it's the human behavior, not the endpoint" that's at the root of it, he says.
EDR has some maturing to do, for sure. Look for large endpoint security vendors to buy some of the smaller players in the next three to five years to expand their portfolios into EDR, Forrester's Sherman says.