The Continuing Evolution of Endpoint Security
By Andrew Roberts, Chief Cybersecurity Strategist, cStor and MicroAge
Endpoint security continues to be one of the most fundamental and important parts of everyone’s cybersecurity program. Every organization has some type of endpoint protection, and few other product categories, especially in cybersecurity, can claim that kind of universal adoption.
Protecting our endpoints used to be easy. As the threat landscape continues to evolve and become more complex, so do endpoint protection platforms. The ongoing transformation in this space is one of the most interesting in the cybersecurity market. Let’s look at how endpoint security has changed over time and where it’s headed.
In simpler times, all you needed for endpoint protection was signature-based antivirus software that recognized malicious files and blocked them. Those days are long gone. Signature-based antivirus products became homogenized and commoditized: there was little variation between products, and the only real differentiation was the price. Cybercriminals easily found ways to circumvent all the old antivirus technologies.
This ushered in a new era in endpoint security, where next-generation antivirus manufacturers formed two distinct camps – Endpoint Protection Platforms (EPP) and Endpoint Detection and Response (EDR) products.
EPP manufacturers believed that the best way to protect endpoints was the preventative approach – identify malware and block it from executing before it does any harm. They built new technologies to recognize malware without the need for constantly updating signature files. The most successful of these products relied heavily on artificial intelligence (AI) and machine learning (ML) to find malicious code and block it. This approach was a vast improvement over signature-based technologies, achieving advertised success rates of well over 99%.
EDR manufacturers took a different approach. They believed that some malware was always going to get through. They developed solutions that quickly identify infected endpoints and take immediate corrective action to stop the spread and minimize the impact.
While both tactics brought significant technological advances, neither was a complete solution. EDR platforms still needed some sort of prevention, or they would spend all their time reacting. EPP solutions that blocked 99.99% of threats would still miss 100 of every million malicious files. Response capabilities were required.
Both factions recognized their shortcomings and acted, creating a third generation of products. EPP products added detection and response capabilities, and EDR products added prevention capabilities. The EDR name stuck; we now had advanced EDR solutions that prevent, detect, and respond.
These advanced EDR solutions brought new challenges. They were complex and difficult to manage. Many organizations were dissatisfied with the results because they didn’t have the resources to fully manage the solution. Staffing shortages, especially in cybersecurity, only made things worse. The market demanded more.
Enter the Managed EDR solutions. Manufacturers hired teams of people to take the burden of management off their clients’ shoulders. This was the shortest-lived of all the iterations. Managed EDR wasn’t enough. Clients liked the service, but many were also required to have monitored security information and event management (SIEM) to watch the rest of the environment, and that was missing from the Managed EDR solutions.
It didn’t take long for manufacturers to make the adjustment and add a full SIEM to their offerings, making them true Managed Detection and Response (MDR) services that competed in the crowded Managed Security Operations Center (SOC) space.
As we continue to watch this very interesting market, we can expect to see further consolidation between the traditional Managed SOC providers and new MDR solutions born from endpoint protection platforms. The Managed SOC space was already crowded, and consolidation has begun. Those EDR manufacturers didn’t all build MDR capabilities. Some of them acquired Managed SOC providers to get the job done. The consolidations won’t stop there.
Navigating the Waters
With new technologies emerging at an amazing pace, choosing a solution can be difficult. It’s best to work with a partner that can help you find the best solution to fit your current and future needs. A good partner will have knowledge of available endpoint security solutions and not jump too quickly into product demonstrations. They should be willing to spend time with you to identify all your needs and wants first. Once the true requirements are uncovered, product selection becomes much easier, and you will be more comfortable with your decision.