Endpoint security is undergoing a major renaissance with a new generation of products and services that flip the equation from the antivirus software mantra of prevention to the more pragmatic -- and realistic -- tactic of detection and incident response at the user device.
A wave of next-generation endpoint security startups have come out of stealth in the past year or two including Cybereason, enSilo, Hexis, SentinelOne, Tanium, Triumfant, and Ziften. Venture capital firms are all over this space, too: endpoint security startup Tanium is now valued at a whopping $3.5 billion, topping all venture-backed cybersecurity firms worldwide. Tanium, which boasts Target, Visa, NASDAQ, and Verizon among its customers, tipped the scales last month when it secured an additional $120 million in VC from TPG, Institutional Venture Partners, T. Rowe Price, and Andreessen Horowitz.
The startups join existing security firms that focus on various approaches to advanced endpoint protection such as Bromium, Cisco Systems, Cylance, CrowdStrike, Mandiant, Bit9/Carbon Black, CounterTack, ForeScout, Invincea, and Palo Alto Networks, RSA Security, Tripwire, and others.
"This is is clearly a pretty hot market from a VC perspective. There's a lot of money flowing in from a lot of new startups," says Peter Firstbrook, a vice president at Gartner. Firstbrook is tracking more than 30 vendors now in the so-called endpoint detection and response (EDR) security space, and in the past 12 months, EDR startups have raised $322 million, he says.
Traditional AV and endpoint security giants such as Intel Security/McAfee, Symantec, Kaspersky Lab, and Sophos, which have been augmenting their AV platforms with features aimed at detecting unknown threats, aren't sitting idly by; they are expected to join the EDR generation with offerings of their own. According to Gartner, the only major endpoint security platform vendor with an official EDR offering to date is Trend Micro.
The endpoint remains the most attractive and soft target for cyber criminals and cyber espionage actors to get inside the door of their targets. There's a treasure trove of intelligence about the attack at the endpoint, and EDR tools take advantage of that by gathering and storing that information in response to an attack and as intel to thwart future ones.
"You want to get to the endpoint because it's the ultimate source of the truth," says Kevin Mandia, founder of Mandiant and president of FireEye.
Mandia says endpoint security tools should detect what antivirus misses and also provide forensics information if an attacker gets in. "Ultimately, it needs to prevent something from happening but … if something bad happens, it can secure and lock down your data," he says.
Antivirus may be dead in the water when it comes to stopping advanced threats, but the signature-based endpoint defense is still living and breathing on Windows desktops all over the world. AV will remain part of the equation for the everyday run-of-the-mill malware that just won't go away, experts say.
EDR adoption is still the exception, too. Consider this: the traditional AV market is $3.5 billion in revenue, with some 400 million seats, while around 5,000 companies--only about 250,000 endpoints overall--are running EDR today, according to the latest numbers from Gartner.
Gartner estimates the EDR market will hit $130 million in revenues this year, with the biggest share of the pie going to the established security vendors like Cisco, FireEye, and Tripwire, for example. Look for the EDR market to double in 2016, by Gartner's estimates.
Some 80 percent of endpoint protection platforms will include user activity monitoring and forensics capabilities associated with EDR by 2018, according to Gartner. Just 5% did so as of 2013.
"A lot of customers are looking for an additional solution for their endpoint. They don't feel like their existing endpoint protection vendors protect them. They are allocating some budget for AV and HIPS [host intrusion prevention systems]. Whitelisting is the second generation," Firstbrook says.
EDR does everything from detect unpatched bugs and suspicious events on the endpoint to isolate, investigate, and remediate it and share attack intelligence with the rest of the network when incidents occur. But adoption remains a rarity today and typically in the early stages, according to Firstbrook. "They are trials mostly."
The organizations buying EDR products are doing so mainly to augment their existing traditional endpoint security and not replacing it. Most organizations are wedded to their AV for now for compliance reasons or other requirements, says Chris Sherman, an analyst with Forrester Research. Sherman says many enterprises ultimately will go with either free or lightweight AV layered with the newer endpoint security technologies.
Take the Council Rock School District in Pennsylvania, which runs Ziften's EDR software but also kept its Trend Micro AV enterprise solution. "You've got to augment it [AV] and have additional layers," says Matthew J. Frederickson, director of IT for the school system, which has 13,000 users and some 5,500 endpoints plus tablets.
The school system's tools caught, isolated, and cleaned up a botnet infection that hit one of its machines recently. Frederickson says he noticed an odd IP address, and then consulted with his Lancope StealthWatch network monitoring system and found the IP was a spoofed address tied to a botnet infection on a machine in one of his elementary school computer labs. "I was able remediate it and took like five minutes. That blew my mind," he says. It would normally take about a week or so to find and fix a botnet infection with only traditional security tools, he says, and likely only after the school noticed a network slowdown from the botnet traffic.
The tipping point toward the evolution of endpoint security away from pure blacklisting and signature-based technology was the series of massive and high-profile attacks over the past few years of big-name brands like Target, Home Depot and Sony, security experts say. "Security is something of a board-level decision at this point. No CIO or CISO wants to explain why it was breached and how they should have prevented it. There's a mindset change in that," says Josh Applebaum, vice president of product strategy at Ziften Technologies, an EDR startup. "Before, continuous monitoring was [just] a buzzword."
"A lot of things were slipping through the cracks [with AV] because there are a lot of behaviors that are not known as good or bad. We saw the need to see everything" with a lightweight footprint, Applebaum says. "Home Depot didn't even deploy all of its AV to all endpoints because of the heavyweight aspect of it."
Many organizations don't want to deal with the daunting task--and the cost--of revamping the security of their desktops and other endpoints. The newer products are lightweight -- such as sensors--that sit at the kernel and run as an operating system service and don't have the baggage of a heavy client package like AV has had.
Surescripts, a nationwide health information network that connects pharmacies, hospitals, and physician practices, in the first two months of its deployment of Invincea's software detected and blocked a Cryptolocker ransomware attack. Paul Calatayud, CISO of Surescripts, says he added the extra endpoint protection layer to protect insiders from becoming a conduit for an attack on the site. "Endpoints are getting compromised, and their credentials get stolen. Then they become an insider threat," he says.
But in the end, the "R" in EDR might be the key to selling organizations on these tools. "IR and
and forensics are hard. Skillsets are in short supply, and that challenge isn't going anywhere, " says Ryan Kazanciyan, chief security architect with Tanium. "So we are able to democratize that and lower the barrier to the existing skills without outsourcing or building a team of malware and reverse-engineering and forensics expert teams."
Kazanciyan, who previously worked for Mandiant in its IR practice, says the IR and forensics feature lets you "push play" and retrace the attacker's footsteps and activity. "It definitely reduces a lot of effort for analysis and helps you capture evidence you might not otherwise keep on its own [from an endpoint], such as an IP address it connected to and why," he says.
There's also the race to clean up an infected machine. "How many man hours does it take to complete an investigation? I might expect a skilled analyst to take 40 hours on a single system" manually, he says. "With this technology, it can take minutes or an hour," he says.
A New Look For The Olde Guarde
Security analysts expect Symantec to pony up with a next-generation endpoint security offering of its own. Samir Kapuria, vice president and general manager of cyber security services at Symantec, says the recent sale of its Veritas storage company has allowed Symantec to double down on its security heritage. It's admittedly tough to shake image as an endpoint antivirus company, he notes, but "the new Symantec" is not just about the endpoint.
"It's so much more than the endpoint. [The endpoint] is a very important part of protection, but we're looking at the whole thing holistically. That's the new Symantec," Kapuria says. Symantec has some 175 million endpoints worldwide that phone home attacks as well as some 57 million attack sensors, he says, and that massive amount of data provides the company with "a unique asset," he says.
"We have the opportunity to harness that information with more modern technical capabilities" such as big data analytics, he says.
The security giant plans to roll out several new products and services in the next two quarters surrounding its emerging Unified Security Analytics platform. Look for new incident response, remediation, and other next-gen features to come from Symantec, which also plans to "keep the good stuff" from its AV protection functions, he says.
"We look at the surface area of an enterprise. That spans from the endpoint to mobile to the cloud to the data center--the whole gamut," he says. "We've moved to an integrated approach. An organization shouldn't have to worry if it's an endpoint, mobile or cloud app when they're thinking about threat protection ... What we're ushering in now is looking at it holistically," he says.
Intel's McAfee Security unit is undergoing a similar metamorphosis when it comes to endpoint security. Candace Worley, senior vice president and general manager of endpoint security at Intel Security, who has been with McAfee for 15 years, says she's watched the evolution from AV to host IPS to personal firewalls, and now, with mobile and home workers changing the game.
"AV will have a tertiary role at best going forward," Worley says. "It's a solution that does the janitorial work … it reduces significantly the amount of malware noise in the organization, and then you can focus on the unknown [threats]."
McAfee's recently released Threat Intelligence Exchange, like Symantec's Unified Security Analytics, is also an integrated approach to security that provides threat protection on the fly based on intel developments, and operates across the network, gateways, and endpoints. "It delivers a more IR-orchestrated response to malware," Worley says. "It works with our endpoint product."
Worley dismisses the AV company identity image at McAfee. "We haven't been an AV company since 2003," she says. McAfee back then added the host IPS to the desktop, and later, application control, DLP, and monitoring. "We moved to more of a cloud approach that allows visibility, security, and reporting on those devices."
Intel Security/McAfee is planning announcements in the EDR space next week, according to Edward Metcalf, director of product and solutions for the company.
Security analysts say among traditional AV vendors, Trend Micro is furthest along the curve to a new generation of EDR.
Raimund Genes, CTO, Trend Micro, says he prefers calling it an evolution in endpoint security rather than a new generation. "Whitelisting, heuristics, endpoint sensors, stateful inspection, firewall" features all part of Trend Micro's offering in addition to its traditional, baseline technology. "I'm really getting tired of Symantec saying AV is dead. Switch it [AV] off and see if an enterprise could survive" without it, he says.
Some key elements of a modern endpoint security product, he says, are manageability and usability. And "it's the human behavior, not the endpoint" that's at the root of it, he says.
EDR has some maturing to do, for sure. Look for large endpoint security vendors to buy some of the smaller players in the next three- to five years to expand their portfolios into EDR, Forrester's Sherman says.
Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015. Click here for more information and to register.Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio