The Rebirth Of Endpoint Security

A slew of startups and veteran security firms are moving toward proactive and adaptive detection and mitigation for securing the endpoint. But few enterprises are ready to pull the antivirus plug.

and forensics are hard. Skillsets are in short supply, and that challenge isn't going anywhere," says Ryan Kazanciyan, chief security architect with Tanium. "So we are able to democratize that and lower the barrier to the existing skills without outsourcing or building a team of malware and reverse-engineering and forensics expert teams."

Kazanciyan, who previously worked for Mandiant in its IR practice, says the IR and forensics feature lets you "push play" and retrace the attacker's footsteps and activity. "It definitely reduces a lot of effort for analysis and helps you capture evidence you might not otherwise keep on its own [from an endpoint], such as an IP address it connected to and why," he says.

There's also the race to clean up an infected machine. "How many man hours does it take to complete an investigation? I might expect a skilled analyst to take 40 hours on a single system" manually, he says. "With this technology, it can take minutes or an hour," he says.

A New Look For The Olde Guarde

Security analysts expect Symantec to pony up with a next-generation endpoint security offering of its own. Samir Kapuria, vice president and general manager of cyber security services at Symantec, says the recent sale of its Veritas storage company has allowed Symantec to double down on its security heritage. It's admittedly tough to shake its image as an endpoint antivirus company, he notes, but "the new Symantec" is not just about the endpoint.

"It's so much more than the endpoint. [The endpoint] is a very important part of protection, but we're looking at the whole thing holistically. That's the new Symantec," Kapuria says. Symantec has some 175 million endpoints worldwide that phone home attacks as well as some 57 million attack sensors, he says, and that massive amount of data provides the company with "a unique asset."

"We have the opportunity to harness that information with more modern technical capabilities" such as big data analytics, he says.

The security giant plans to roll out several new products and services in the next two quarters surrounding its emerging Unified Security Analytics platform. Look for new incident response, remediation, and other next-gen features to come from Symantec, which also plans to "keep the good stuff" from its AV protection functions, he says.

"We look at the surface area of an enterprise. That spans from the endpoint to mobile to the cloud to the data center--the whole gamut," he says. "We've moved to an integrated approach. An organization shouldn't have to worry if it's an endpoint, mobile or cloud app when they're thinking about threat protection ... What we're ushering in now is looking at it holistically," he says.

Intel's McAfee Security unit is undergoing a similar metamorphosis when it comes to endpoint security. Candace Worley, senior vice president and general manager of endpoint security at Intel Security, who has been with McAfee for 15 years, says she's watched the evolution from AV to host IPS to personal firewalls, and now to mobile and home workers changing the game.

"AV will have a tertiary role at best going forward," Worley says. "It's a solution that does the janitorial work … it reduces significantly the amount of malware noise in the organization, and then you can focus on the unknown [threats]."

McAfee's recently released Threat Intelligence Exchange, like Symantec's Unified Security Analytics, is also an integrated approach to security that provides threat protection on the fly based on intel developments, and operates across the network, gateways, and endpoints. "It delivers a more IR-orchestrated response to malware," Worley says. "It works with our endpoint product."

Worley dismisses the AV company identity image at McAfee. "We haven't been an AV company since 2003," she says. McAfee back then added the host IPS to the desktop, and later, application control, DLP, and monitoring. "We moved to more of a cloud approach that allows visibility, security, and reporting on those devices."

Intel Security/McAfee is planning announcements in the EDR space next week, according to Edward Metcalf, director of product and solutions for the company.

Security analysts say among traditional AV vendors, Trend Micro is furthest along the curve to a new generation of EDR.

Raimund Genes, CTO of Trend Micro, says he prefers calling it an evolution in endpoint security rather than a new generation. "Whitelisting, heuristics, endpoint sensors, stateful inspection, firewall" features are all part of Trend Micro's offering in addition to its traditional, baseline technology. "I'm really getting tired of Symantec saying AV is dead. Switch it [AV] off and see if an enterprise could survive" without it, he says.

Some key elements of a modern endpoint security product, he says, are manageability and usability. And "it's the human behavior, not the endpoint" that's at the root of it, he says.

EDR has some maturing to do, for sure. Look for large endpoint security vendors to buy some of the smaller players in the next three to five years to expand their portfolios into EDR, Forrester's Sherman says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Guru
10/22/2015 | 3:10:52 PM
EDR Market Sizing
Gartner's estimate of # of endpoints with EDR (250k) is at least 1 order of magnitude low.
User Rank: Apprentice
11/6/2015 | 12:35:22 PM
Intel Security's New Strategy and EDR Update
Great article! Keep an eye out for how Intel Security's new strategy around the "Threat Defense Life Cycle" (protect/detect/correct) will be the model to truly give our customers a fighting chance against targeted sophisticated attacks. McAfee Active Response is the EDR technology being released here in Q4 from Intel Security which is a vital piece of the detect/correct piece of the equation. Please reach out for more information to keep readers informed.
Adam Faeder
User Rank: Apprentice
3/11/2016 | 6:08:55 PM
Reference to reports cited
Where can I find reference(s) to the report(s) from which the data is cited? I followed some of the links, but couldn't locate any reference.
