The Rebirth Of Endpoint Security

A slew of startups and veteran security firms are moving toward proactive and adaptive detection and mitigation for securing the endpoint. But few enterprises are ready to pull the antivirus plug.

and forensics are hard. Skillsets are in short supply, and that challenge isn't going anywhere," says Ryan Kazanciyan, chief security architect with Tanium. "So we are able to democratize that and lower the barrier to the existing skills without outsourcing or building a team of malware and reverse-engineering and forensics expert teams."

Kazanciyan, who previously worked for Mandiant in its IR practice, says the IR and forensics feature lets you "push play" and retrace the attacker's footsteps and activity. "It definitely reduces a lot of effort for analysis and helps you capture evidence you might not otherwise keep on its own [from an endpoint], such as an IP address it connected to and why," he says.

There's also the race to clean up an infected machine. "How many man hours does it take to complete an investigation? I might expect a skilled analyst to take 40 hours on a single system" manually, he says. "With this technology, it can take minutes or an hour," he says.
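The "push play" reconstruction Kazanciyan describes comes down to joining the process-creation and network-connection records a sensor kept on one host and walking the parent chain backwards from the event of interest. The following added example is not Tanium's code or anything from the article; it does that join over constructed telemetry, and every process name, PID, timestamp and IP address in it is invented for illustration.

```python
"""Retrace an attacker's footsteps on one endpoint from recorded telemetry.

Given an indicator (here a destination IP), answer the analyst's two
questions: which process connected to it, and why was that process running?
The second answer is the recorded process ancestry, root first.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    ts: int                                  # seconds since boot (constructed)
    connections: List[dict] = field(default_factory=list)


# Constructed telemetry, not real data: a mail client spawns a document
# viewer, which spawns a script host that calls out and drops a loader.
TELEMETRY = [
    {"ts": 100, "type": "process", "pid": 400, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"ts": 105, "type": "process", "pid": 412, "ppid": 400, "image": "outlook.exe",    "cmdline": "outlook.exe"},
    {"ts": 130, "type": "process", "pid": 500, "ppid": 412, "image": "winword.exe",    "cmdline": "winword.exe /n invoice.docm"},
    {"ts": 133, "type": "process", "pid": 523, "ppid": 500, "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"ts": 134, "type": "network", "pid": 523, "dst_ip": "198.51.100.23", "dst_port": 443,  "proto": "tcp"},
    {"ts": 140, "type": "process", "pid": 540, "ppid": 523, "image": "rundll32.exe",   "cmdline": "rundll32.exe C:\\Users\\Public\\u.dll,Run"},
    {"ts": 141, "type": "network", "pid": 540, "dst_ip": "198.51.100.23", "dst_port": 8443, "proto": "tcp"},
    {"ts": 150, "type": "network", "pid": 412, "dst_ip": "203.0.113.10",  "dst_port": 443,  "proto": "tcp"},
    # A connection from a process whose creation the sensor never recorded.
    {"ts": 160, "type": "network", "pid": 999, "dst_ip": "198.51.100.23", "dst_port": 80,   "proto": "tcp"},
]


def build_process_table(events: List[dict]) -> Dict[int, Proc]:
    """Replay events in time order into a pid -> Proc table.

    Assumption for this example: PIDs are not reused within the window.
    Real sensors key on a per-process GUID precisely because they are.
    """
    procs: Dict[int, Proc] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process":
            procs[ev["pid"]] = Proc(ev["pid"], ev["ppid"], ev["image"], ev["cmdline"], ev["ts"])
        elif ev["type"] == "network":
            proc = procs.get(ev["pid"])
            if proc is None:
                # Keep the evidence even when the parent is unknown; the gap
                # itself (a connection with no recorded start) is a finding.
                proc = procs[ev["pid"]] = Proc(ev["pid"], None, "<unknown>", "", ev["ts"])
            proc.connections.append(ev)
    return procs


def ancestry(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """Parent chain from pid up to the first ancestor the sensor did not see (leaf first)."""
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:   # guard against cyclic ppid data
        seen.add(cur.pid)
        chain.append(cur)
        cur = procs.get(cur.ppid) if cur.ppid is not None else None
    return chain


def trace_indicator(procs: Dict[int, Proc], dst_ip: str) -> List[dict]:
    """Every connection to dst_ip, each with the ancestry that explains it."""
    hits = []
    for p in procs.values():
        for c in p.connections:
            if c["dst_ip"] == dst_ip:
                hits.append({"ts": c["ts"], "pid": p.pid, "dst_port": c["dst_port"],
                             "chain": [a.image for a in ancestry(procs, p.pid)]})
    return sorted(hits, key=lambda h: h["ts"])


def timeline(procs: Dict[int, Proc], pid: int) -> List[tuple]:
    """Ordered (ts, description) rows: each ancestor's start plus its connections."""
    rows = []
    for a in reversed(ancestry(procs, pid)):          # root first
        rows.append((a.ts, f"start pid={a.pid} ppid={a.ppid} {a.cmdline}"))
        for c in a.connections:
            rows.append((c["ts"], f"net   pid={a.pid} -> {c['dst_ip']}:{c['dst_port']}/{c['proto']}"))
    return sorted(rows)


if __name__ == "__main__":
    table = build_process_table(TELEMETRY)
    for hit in trace_indicator(table, "198.51.100.23"):
        print(hit["ts"], hit["pid"], " <- ".join(hit["chain"]))
    for ts, line in timeline(table, 540):
        print(ts, line)
```

Running it against the constructed data shows the two beaconing processes explained by the chain explorer.exe, outlook.exe, winword.exe, powershell.exe, plus the orphan pid 999 connection that the sensor kept even though it never saw that process start. The `ancestry` loop stops at the first parent with no record and refuses to follow cyclic data, which is the failure mode an analyst hits on real hosts with PID reuse.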

A New Look For The Olde Guarde

Security analysts expect Symantec to pony up with a next-generation endpoint security offering of its own. Samir Kapuria, vice president and general manager of cyber security services at Symantec, says the recent sale of its Veritas storage company has allowed Symantec to double down on its security heritage. It's admittedly tough to shake its image as an endpoint antivirus company, he notes, but "the new Symantec" is not just about the endpoint.

"It's so much more than the endpoint. [The endpoint] is a very important part of protection, but we're looking at the whole thing holistically. That's the new Symantec," Kapuria says. Symantec has some 175 million endpoints worldwide that phone home attacks, plus some 57 million attack sensors, and that massive amount of data provides the company with "a unique asset," he says.

"We have the opportunity to harness that information with more modern technical capabilities" such as big data analytics, he says.

The security giant plans to roll out several new products and services in the next two quarters surrounding its emerging Unified Security Analytics platform. Look for new incident response, remediation, and other next-gen features to come from Symantec, which also plans to "keep the good stuff" from its AV protection functions, he says.

"We look at the surface area of an enterprise. That spans from the endpoint to mobile to the cloud to the data center--the whole gamut," he says. "We've moved to an integrated approach. An organization shouldn't have to worry if it's an endpoint, mobile or cloud app when they're thinking about threat protection ... What we're ushering in now is looking at it holistically," he says.

Intel's McAfee Security unit is undergoing a similar metamorphosis when it comes to endpoint security. Candace Worley, senior vice president and general manager of endpoint security at Intel Security, who has been with McAfee for 15 years, says she's watched the evolution from AV to host IPS to personal firewalls, and now to a landscape where mobile and home workers are changing the game.

"AV will have a tertiary role at best going forward," Worley says. "It's a solution that does the janitorial work … it reduces significantly the amount of malware noise in the organization, and then you can focus on the unknown [threats]."

McAfee's recently released Threat Intelligence Exchange, like Symantec's Unified Security Analytics, is also an integrated approach to security that provides threat protection on the fly based on intel developments, and operates across the network, gateways, and endpoints. "It delivers a more IR-orchestrated response to malware," Worley says. "It works with our endpoint product."

Worley rejects the notion that McAfee is still an AV company. "We haven't been an AV company since 2003," she says. McAfee back then added host IPS to the desktop, and later application control, DLP, and monitoring. "We moved to more of a cloud approach that allows visibility, security, and reporting on those devices."

Intel Security/McAfee is planning announcements in the EDR space next week, according to Edward Metcalf, director of product and solutions for the company.

Security analysts say among traditional AV vendors, Trend Micro is furthest along the curve to a new generation of EDR.

Raimund Genes, CTO of Trend Micro, says he prefers to call it an evolution in endpoint security rather than a new generation. "Whitelisting, heuristics, endpoint sensors, stateful inspection, firewall" features are all part of Trend Micro's offering, in addition to its traditional baseline technology. "I'm really getting tired of Symantec saying AV is dead. Switch it [AV] off and see if an enterprise could survive" without it, he says.

Some key elements of a modern endpoint security product, he says, are manageability and usability. And "it's the human behavior, not the endpoint" that's at the root of it, he says.

EDR has some maturing to do, for sure. Look for large endpoint security vendors to buy some of the smaller players in the next three to five years to expand their portfolios into EDR, Forrester's Sherman says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

2 of 2
3/11/2016 | 6:08:55 PM
Reference to reports cited
Where can I find reference(s) to the report(s) from which the data is cited? I followed some of the links, but couldn't locate any reference.


11/6/2015 | 12:35:22 PM
Intel Security's New Strategy and EDR Update

Great article! Keep an eye out for how Intel Security's new strategy around the "Threat Defense Life Cycle" (protect/detect/correct) will be the model to truly give our customers a fighting chance against targeted sophisticated attacks. McAfee Active Response is the EDR technology being released here in Q4 from Intel Security which is a vital piece of the detect/correct piece of the equation. Please reach out for more information to keep readers informed.
Adam Faeder
10/22/2015 | 3:10:52 PM
EDR Market Sizing
Gartner's estimate of # of endpoints with EDR (250k) is at least 1 order of magnitude low.