The Rebirth Of Endpoint Security

A slew of startups and veteran security firms are moving toward proactive and adaptive detection and mitigation for securing the endpoint. But few enterprises are ready to pull the antivirus plug.

Endpoint security is undergoing a major renaissance with a new generation of products and services that flip the equation from the antivirus software mantra of prevention to the more pragmatic -- and realistic -- tactic of detection and incident response at the user device.

A wave of next-generation endpoint security startups have come out of stealth in the past year or two including Cybereason, enSilo, Hexis, SentinelOne, Tanium, Triumfant, and Ziften. Venture capital firms are all over this space, too:  endpoint security startup Tanium is now valued at a whopping $3.5 billion, topping all venture-backed cybersecurity firms worldwide. Tanium, which boasts Target, Visa, NASDAQ, and Verizon among its customers, tipped the scales last month when it secured an additional $120 million in VC from TPG, Institutional Venture Partners, T. Rowe Price, and Andreessen Horowitz.

The startups join existing security firms that focus on various approaches to advanced endpoint protection, such as Bromium, Cisco Systems, Cylance, CrowdStrike, Mandiant, Bit9/Carbon Black, CounterTack, ForeScout, Invincea, Palo Alto Networks, RSA Security, Tripwire, and others.

"This is clearly a pretty hot market from a VC perspective. There's a lot of money flowing in from a lot of new startups," says Peter Firstbrook, a vice president at Gartner. Firstbrook is tracking more than 30 vendors now in the so-called endpoint detection and response (EDR) security space, and in the past 12 months, EDR startups have raised $322 million, he says.

Traditional AV and endpoint security giants such as Intel Security/McAfee, Symantec, Kaspersky Lab, and Sophos, which have been augmenting their AV platforms with features aimed at detecting unknown threats, aren't sitting idly by; they are expected to join the EDR generation with offerings of their own. According to Gartner, the only major endpoint security platform vendor with an official EDR offering to date is Trend Micro.

The endpoint remains the most attractive and soft target for cyber criminals and cyber espionage actors to get inside the door of their targets. There's a treasure trove of intelligence about the attack at the endpoint, and EDR tools take advantage of that by gathering and storing that information in response to an attack and as intel to thwart future ones.

"You want to get to the endpoint because it's the ultimate source of the truth," says Kevin Mandia, founder of Mandiant and president of FireEye.

Mandia says endpoint security tools should detect what antivirus misses and also provide forensics information if an attacker gets in. "Ultimately, it needs to prevent something from happening but … if something bad happens, it can secure and lock down your data," he says.

Antivirus may be dead in the water when it comes to stopping advanced threats, but the signature-based endpoint defense is still living and breathing on Windows desktops all over the world. AV will remain part of the equation for the everyday run-of-the-mill malware that just won't go away, experts say.

EDR adoption is still the exception, too. Consider this: the traditional AV market is $3.5 billion in revenue, with some 400 million seats, while around 5,000 companies -- only about 250,000 endpoints overall -- are running EDR today, according to the latest numbers from Gartner.

Gartner estimates the EDR market will hit $130 million in revenues this year, with the biggest share of the pie going to the established security vendors like Cisco, FireEye, and Tripwire, for example. Look for the EDR market to double in 2016, by Gartner's estimates.

Some 80 percent of endpoint protection platforms will include user activity monitoring and forensics capabilities associated with EDR by 2018, according to Gartner. Just 5% did so as of 2013.

"A lot of customers are looking for an additional solution for their endpoint. They don't feel like their existing endpoint protection vendors protect them. They are allocating some budget for AV and HIPS [host intrusion prevention systems]. Whitelisting is the second generation," Firstbrook says.

EDR covers everything from detecting unpatched bugs and suspicious events on the endpoint to isolating, investigating, and remediating it, and sharing attack intelligence with the rest of the network when incidents occur. But adoption remains rare today and is typically in the early stages, according to Firstbrook. "They are trials mostly."

The organizations buying EDR products are doing so mainly to augment their existing traditional endpoint security, not to replace it. Most organizations are wedded to their AV for now for compliance reasons or other requirements, says Chris Sherman, an analyst with Forrester Research. Sherman says many enterprises ultimately will go with either free or lightweight AV layered with the newer endpoint security technologies.

Take the Council Rock School District in Pennsylvania, which runs Ziften's EDR software but also kept its Trend Micro AV enterprise solution. "You've got to augment it [AV] and have additional layers," says Matthew J. Frederickson, director of IT for the school system, which has 13,000 users and some 5,500 endpoints plus tablets.

The school system's tools caught, isolated, and cleaned up a botnet infection that hit one of its machines recently. Frederickson says he noticed an odd IP address, then consulted his Lancope StealthWatch network monitoring system and found the IP was a spoofed address tied to a botnet infection on a machine in one of his elementary school computer labs. "I was able to remediate it, and it took like five minutes. That blew my mind," he says. It would normally take about a week or so to find and fix a botnet infection with only traditional security tools, he says, and likely only after the school noticed a network slowdown from the botnet traffic.

Tipping Point

The tipping point in the evolution of endpoint security away from pure blacklisting and signature-based technology was the series of massive, high-profile attacks over the past few years on big-name brands like Target, Home Depot, and Sony, security experts say. "Security is something of a board-level decision at this point. No CIO or CISO wants to explain why it was breached and how they should have prevented it. There's a mindset change in that," says Josh Applebaum, vice president of product strategy at Ziften Technologies, an EDR startup. "Before, continuous monitoring was [just] a buzzword."

"A lot of things were slipping through the cracks [with AV] because there are a lot of behaviors that are not known as good or bad. We saw the need to see everything" with a lightweight footprint, Applebaum says. "Home Depot didn't even deploy all of its AV to all endpoints because of the heavyweight aspect of it."

Many organizations don't want to deal with the daunting task -- and the cost -- of revamping the security of their desktops and other endpoints. The newer products are lightweight sensors that sit at the kernel and run as an operating system service, without the baggage of the heavy client package that AV has carried.

Surescripts, a nationwide health information network that connects pharmacies, hospitals, and physician practices, in the first two months of its deployment of Invincea's software detected and blocked a Cryptolocker ransomware attack. Paul Calatayud, CISO of Surescripts, says he added the extra endpoint protection layer to protect insiders from becoming a conduit for an attack on the site. "Endpoints are getting compromised, and their credentials get stolen. Then they become an insider threat," he says. 

But in the end, the "R" in EDR might be the key to selling organizations on these tools. "IR and 

Continued on Page 2

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

3/11/2016 | 6:08:55 PM
Reference to reports cited
Where can I find reference(s) to the report(s) from which the data is cited? I followed some of the links, but couldn't locate any reference.

11/6/2015 | 12:35:22 PM
Intel Security's New Strategy and EDR Update

Great article! Keep an eye out for how Intel Security's new strategy around the "Threat Defense Life Cycle" (protect/detect/correct) will be the model to truly give our customers a fighting chance against targeted sophisticated attacks. McAfee Active Response is the EDR technology being released here in Q4 from Intel Security which is a vital piece of the detect/correct piece of the equation. Please reach out for more information to keep readers informed.

Adam Faeder
10/22/2015 | 3:10:52 PM
EDR Market Sizing
Gartner's estimate of # of endpoints with EDR (250k) is at least 1 order of magnitude low. 