The Rebirth Of Endpoint Security

A slew of startups and veteran security firms are moving toward proactive and adaptive detection and mitigation for securing the endpoint. But few enterprises are ready to pull the antivirus plug.

Endpoint security is undergoing a major renaissance with a new generation of products and services that flip the equation from the antivirus software mantra of prevention to the more pragmatic -- and realistic -- tactic of detection and incident response at the user device.

A wave of next-generation endpoint security startups has come out of stealth in the past year or two, including Cybereason, enSilo, Hexis, SentinelOne, Tanium, Triumfant, and Ziften. Venture capital firms are all over this space, too: endpoint security startup Tanium is now valued at a whopping $3.5 billion, topping all venture-backed cybersecurity firms worldwide. Tanium, which boasts Target, Visa, NASDAQ, and Verizon among its customers, tipped the scales last month when it secured an additional $120 million in VC from TPG, Institutional Venture Partners, T. Rowe Price, and Andreessen Horowitz.

The startups join existing security firms that focus on various approaches to advanced endpoint protection, such as Bromium, Cisco Systems, Cylance, CrowdStrike, Mandiant, Bit9/Carbon Black, CounterTack, ForeScout, Invincea, Palo Alto Networks, RSA Security, Tripwire, and others.

"This is clearly a pretty hot market from a VC perspective. There's a lot of money flowing in from a lot of new startups," says Peter Firstbrook, a vice president at Gartner. Firstbrook is tracking more than 30 vendors now in the so-called endpoint detection and response (EDR) security space, and in the past 12 months, EDR startups have raised $322 million, he says.

Traditional AV and endpoint security giants such as Intel Security/McAfee, Symantec, Kaspersky Lab, and Sophos, which have been augmenting their AV platforms with features aimed at detecting unknown threats, aren't sitting idly by; they are expected to join the EDR generation with offerings of their own. According to Gartner, the only major endpoint security platform vendor with an official EDR offering to date is Trend Micro.

The endpoint remains the most attractive and soft target for cyber criminals and cyber espionage actors to get inside the door of their targets. There's a treasure trove of intelligence about the attack at the endpoint, and EDR tools take advantage of that by gathering and storing that information in response to an attack and as intel to thwart future ones.

"You want to get to the endpoint because it's the ultimate source of the truth," says Kevin Mandia, founder of Mandiant and president of FireEye.

Mandia says endpoint security tools should detect what antivirus misses and also provide forensics information if an attacker gets in. "Ultimately, it needs to prevent something from happening but … if something bad happens, it can secure and lock down your data," he says.

Antivirus may be dead in the water when it comes to stopping advanced threats, but the signature-based endpoint defense is still living and breathing on Windows desktops all over the world. AV will remain part of the equation for the everyday run-of-the-mill malware that just won't go away, experts say.

EDR adoption is still the exception, too. Consider this: the traditional AV market is $3.5 billion in revenue, with some 400 million seats, while around 5,000 companies--only about 250,000 endpoints overall--are running EDR today, according to the latest numbers from Gartner.

Gartner estimates the EDR market will hit $130 million in revenues this year, with the biggest share of the pie going to the established security vendors like Cisco, FireEye, and Tripwire, for example. Look for the EDR market to double in 2016, by Gartner's estimates.

Some 80 percent of endpoint protection platforms will include user activity monitoring and forensics capabilities associated with EDR by 2018, according to Gartner. Just 5 percent did so as of 2013.

"A lot of customers are looking for an additional solution for their endpoint. They don't feel like their existing endpoint protection vendors protect them. They are allocating some budget for AV and HIPS [host intrusion prevention systems]. Whitelisting is the second generation," Firstbrook says.

EDR covers everything from detecting unpatched bugs and suspicious events on the endpoint to isolating, investigating, and remediating the affected machine and sharing attack intelligence with the rest of the network when incidents occur. But adoption remains a rarity today and is typically in the early stages, according to Firstbrook. "They are trials mostly."

The organizations buying EDR products are doing so mainly to augment their existing traditional endpoint security and not replacing it. Most organizations are wedded to their AV for now for compliance reasons or other requirements, says Chris Sherman, an analyst with Forrester Research. Sherman says many enterprises ultimately will go with either free or lightweight AV layered with the newer endpoint security technologies.

Take the Council Rock School District in Pennsylvania, which runs Ziften's EDR software but also kept its Trend Micro AV enterprise solution. "You've got to augment it [AV] and have additional layers," says Matthew J. Frederickson, director of IT for the school system, which has 13,000 users and some 5,500 endpoints plus tablets.

The school system's tools caught, isolated, and cleaned up a botnet infection that hit one of its machines recently. Frederickson says he noticed an odd IP address, then consulted his Lancope StealthWatch network monitoring system and found the IP was a spoofed address tied to a botnet infection on a machine in one of his elementary school computer labs. "I was able [to] remediate it and [it] took like five minutes. That blew my mind," he says. It would normally take about a week or so to find and fix a botnet infection with only traditional security tools, he says, and likely only after the school noticed a network slowdown from the botnet traffic.
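The detect-isolate-investigate-remediate loop described a few paragraphs up, and the pivot Frederickson describes (an odd IP seen by network monitoring, traced back to one machine and cleaned up in minutes), can be modelled in a few dozen lines. The example below is added here and is not code from Dark Reading, Ziften, Lancope, or any vendor named in the article. It assumes endpoint sensors stream process-start and network-connection events to a central store, and all host names, IPs, paths, PIDs and timestamps are constructed sample data.

```python
"""Added example (not the article's or any vendor's code): a minimal EDR-style
telemetry store with a signature-free detection, a network-to-endpoint pivot,
and the response actions an analyst would approve. All data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    image: str          # full path of the executable that started
    parent_image: str
    ts: datetime


@dataclass(frozen=True)
class NetEvent:
    host: str
    pid: int            # process that opened the connection
    dst_ip: str
    dst_port: int
    ts: datetime


SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe"}


def masquerading(e: ProcEvent) -> bool:
    """A Windows system-binary name running outside System32 is a red flag
    that needs no signature: AV may not know the file, but the behaviour is odd."""
    name = e.image.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_BINARIES and not e.image.lower().startswith("c:\\windows\\system32\\")


class TelemetryStore:
    """What an EDR backend keeps so an investigation can happen after the fact."""

    def __init__(self):
        self.procs = {}                  # (host, pid) -> ProcEvent
        self.conns = defaultdict(list)   # dst_ip -> [NetEvent]

    def ingest_proc(self, e: ProcEvent):
        self.procs[(e.host, e.pid)] = e

    def ingest_net(self, e: NetEvent):
        self.conns[e.dst_ip].append(e)

    def pivot_from_ip(self, ip: str):
        """Network monitoring flagged `ip`; return the (host, image) pairs that talked to it."""
        return sorted({(c.host, self.procs[(c.host, c.pid)].image)
                       for c in self.conns[ip] if (c.host, c.pid) in self.procs})

    def beaconing(self, host: str, pid: int, min_conns=4, jitter=timedelta(seconds=5)):
        """Flag a process that reconnects to one IP at near-constant intervals,
        the usual shape of botnet command-and-control. Returns that IP or None."""
        by_ip = defaultdict(list)
        for ip, conns in self.conns.items():
            for c in conns:
                if (c.host, c.pid) == (host, pid):
                    by_ip[ip].append(c.ts)
        for ip, stamps in by_ip.items():
            stamps.sort()
            if len(stamps) < min_conns:
                continue
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            if max(gaps) - min(gaps) <= jitter:
                return ip
        return None


def respond(store: TelemetryStore, ip: str):
    """The 'R' in EDR: isolate each implicated host and kill the offending process."""
    actions = []
    for host, image in store.pivot_from_ip(ip):
        actions.append(("isolate_host", host))
        actions.append(("kill_process", host, image))
    return actions


def sample_store() -> TelemetryStore:
    """Constructed telemetry: one lab PC with a fake svchost beaconing every 60 s,
    one office PC browsing normally."""
    t0 = datetime(2015, 10, 1, 9, 0, 0)
    s = TelemetryStore()
    s.ingest_proc(ProcEvent("lab-pc-07", 4120, r"C:\Users\student\AppData\Roaming\svchost.exe",
                            r"C:\Windows\explorer.exe", t0))
    s.ingest_proc(ProcEvent("lab-pc-07", 880, r"C:\Windows\System32\svchost.exe",
                            r"C:\Windows\System32\services.exe", t0))
    s.ingest_proc(ProcEvent("office-pc-02", 2200, r"C:\Program Files\Internet Explorer\iexplore.exe",
                            r"C:\Windows\explorer.exe", t0))
    for i in range(5):
        s.ingest_net(NetEvent("lab-pc-07", 4120, "203.0.113.45", 443, t0 + timedelta(seconds=60 * i)))
    s.ingest_net(NetEvent("office-pc-02", 2200, "198.51.100.10", 80, t0 + timedelta(seconds=7)))
    s.ingest_net(NetEvent("office-pc-02", 2200, "198.51.100.10", 80, t0 + timedelta(seconds=9)))
    return s


if __name__ == "__main__":
    s = sample_store()
    print(s.pivot_from_ip("203.0.113.45"))       # which host/process talked to the flagged IP
    print(s.beaconing("lab-pc-07", 4120))        # 203.0.113.45
    print(respond(s, "203.0.113.45"))
```

The point of keeping the process and connection records, rather than just an alert, is the pivot: a network tool can only say "something on this subnet talked to that IP", while the endpoint record names the host, the PID and the image path, which is what turns a week of hunting into a five-minute clean-up.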

Tipping Point

The tipping point that pushed endpoint security away from pure blacklisting and signature-based technology was the series of massive, high-profile attacks over the past few years on big-name brands like Target, Home Depot and Sony, security experts say. "Security is something of a board-level decision at this point. No CIO or CISO wants to explain why it was breached and how they should have prevented it. There's a mindset change in that," says Josh Applebaum, vice president of product strategy at Ziften Technologies, an EDR startup. "Before, continuous monitoring was [just] a buzzword."

"A lot of things were slipping through the cracks [with AV] because there are a lot of behaviors that are not known as good or bad. We saw the need to see everything" with a lightweight footprint, Applebaum says. "Home Depot didn't even deploy all of its AV to all endpoints because of the heavyweight aspect of it."

Many organizations don't want to deal with the daunting task -- and the cost -- of revamping the security of their desktops and other endpoints. The newer products are lightweight sensors that sit at the kernel level and run as an operating system service, without the baggage of the heavy client package that AV has carried.

Surescripts, a nationwide health information network that connects pharmacies, hospitals, and physician practices, in the first two months of its deployment of Invincea's software detected and blocked a Cryptolocker ransomware attack. Paul Calatayud, CISO of Surescripts, says he added the extra endpoint protection layer to protect insiders from becoming a conduit for an attack on the site. "Endpoints are getting compromised, and their credentials get stolen. Then they become an insider threat," he says. 

But in the end, the "R" in EDR might be the key to selling organizations on these tools. "IR and 

Continued on Page 2

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
3/11/2016 | 6:08:55 PM
Reference to reports cited
Where can I find reference(s) to the report(s) from which the data is cited? I followed some of the links, but couldn't locate any reference.


User Rank: Apprentice
11/6/2015 | 12:35:22 PM
Intel Security's New Strategy and EDR Update

Great article! Keep an eye out for how Intel Security's new strategy around the "Threat Defense Life Cycle" (protect/detect/correct) will be the model to truly give our customers a fighting chance against targeted sophisticated attacks. McAfee Active Response is the EDR technology being released here in Q4 from Intel Security which is a vital piece of the detect/correct piece of the equation. Please reach out for more information to keep readers informed.




Adam Faeder
User Rank: Guru
10/22/2015 | 3:10:52 PM
EDR Market Sizing
Gartner's estimate of # of endpoints with EDR (250k) is at least 1 order of magnitude low. 