The Rebirth Of Endpoint Security

A slew of startups and veteran security firms are moving toward proactive and adaptive detection and mitigation for securing the endpoint. But few enterprises are ready to pull the antivirus plug.

and forensics are hard. Skillsets are in short supply, and that challenge isn't going anywhere," says Ryan Kazanciyan, chief security architect with Tanium. "So we are able to democratize that and lower the barrier to the existing skills without outsourcing or building a team of malware and reverse-engineering and forensics expert teams."

Kazanciyan, who previously worked for Mandiant in its IR practice, says the IR and forensics feature lets you "push play" and retrace the attacker's footsteps and activity. "It definitely reduces a lot of effort for analysis and helps you capture evidence you might not otherwise keep on its own [from an endpoint], such as an IP address it connected to and why," he says.

There's also the race to clean up an infected machine. "How many man hours does it take to complete an investigation? I might expect a skilled analyst to take 40 hours on a single system" manually, he says. "With this technology, it can take minutes or an hour."

A New Look For The Olde Guarde

Security analysts expect Symantec to pony up with a next-generation endpoint security offering of its own. Samir Kapuria, vice president and general manager of cyber security services at Symantec, says the recent sale of its Veritas storage company has allowed Symantec to double down on its security heritage. It's admittedly tough to shake its image as an endpoint antivirus company, he notes, but "the new Symantec" is not just about the endpoint.

"It's so much more than the endpoint. [The endpoint] is a very important part of protection, but we're looking at the whole thing holistically. That's the new Symantec," Kapuria says. Symantec has some 175 million endpoints worldwide that phone home attacks as well as some 57 million attack sensors, he says, and that massive amount of data provides the company with "a unique asset."

"We have the opportunity to harness that information with more modern technical capabilities" such as big data analytics, he says.

The security giant plans to roll out several new products and services in the next two quarters surrounding its emerging Unified Security Analytics platform. Look for new incident response, remediation, and other next-gen features to come from Symantec, which also plans to "keep the good stuff" from its AV protection functions, he says.

"We look at the surface area of an enterprise. That spans from the endpoint to mobile to the cloud to the data center--the whole gamut," he says. "We've moved to an integrated approach. An organization shouldn't have to worry if it's an endpoint, mobile or cloud app when they're thinking about threat protection ... What we're ushering in now is looking at it holistically," he says.

Intel's McAfee Security unit is undergoing a similar metamorphosis when it comes to endpoint security. Candace Worley, senior vice president and general manager of endpoint security at Intel Security, who has been with McAfee for 15 years, says she has watched the evolution from AV to host IPS to personal firewalls, and now to a landscape where mobile and home workers are changing the game.

"AV will have a tertiary role at best going forward," Worley says. "It's a solution that does the janitorial work … it reduces significantly the amount of malware noise in the organization, and then you can focus on the unknown [threats]."

McAfee's recently released Threat Intelligence Exchange, like Symantec's Unified Security Analytics, is also an integrated approach to security that provides threat protection on the fly based on intel developments, and operates across the network, gateways, and endpoints. "It delivers a more IR-orchestrated response to malware," Worley says. "It works with our endpoint product."

Worley dismisses the AV company identity image at McAfee. "We haven't been an AV company since 2003," she says. McAfee back then added the host IPS to the desktop, and later, application control, DLP, and monitoring. "We moved to more of a cloud approach that allows visibility, security, and reporting on those devices."

Intel Security/McAfee is planning announcements in the EDR space next week, according to Edward Metcalf, director of product and solutions for the company.

Security analysts say among traditional AV vendors, Trend Micro is furthest along the curve to a new generation of EDR.

Raimund Genes, CTO of Trend Micro, says he prefers calling it an evolution in endpoint security rather than a new generation. "Whitelisting, heuristics, endpoint sensors, stateful inspection, firewall" features are all part of Trend Micro's offering in addition to its traditional, baseline technology. "I'm really getting tired of Symantec saying AV is dead. Switch it [AV] off and see if an enterprise could survive" without it, he says.

Some key elements of a modern endpoint security product, he says, are manageability and usability. And "it's the human behavior, not the endpoint" that's at the root of it, he says.

EDR has some maturing to do, for sure. Look for large endpoint security vendors to buy some of the smaller players in the next three to five years to expand their portfolios into EDR, Forrester's Sherman says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
3/11/2016 | 6:08:55 PM
Reference to reports cited
Where can I find reference(s) to the report(s) from which the data is cited? I followed some of the links, but couldn't locate any reference.


User Rank: Apprentice
11/6/2015 | 12:35:22 PM
Intel Security's New Strategy and EDR Update

Great article! Keep an eye out for how Intel Security's new strategy around the "Threat Defense Life Cycle" (protect/detect/correct) will be the model to truly give our customers a fighting chance against targeted sophisticated attacks. McAfee Active Response is the EDR technology being released here in Q4 from Intel Security which is a vital piece of the detect/correct piece of the equation. Please reach out for more information to keep readers informed.
Adam Faeder
User Rank: Guru
10/22/2015 | 3:10:52 PM
EDR Market Sizing
Gartner's estimate of # of endpoints with EDR (250k) is at least 1 order of magnitude low. 