- Jon Oltsik, Enterprise Strategy Group
Many organizations realize that they are up against new types of threats and they can no longer rely on status quo processes and technology defenses. Part of the challenge is that endpoint devices connecting to enterprise networks have moved beyond PCs and servers to include Apple MacBooks, tablets and smartphones.
Given the emerging demand for new layered security technologies, the once-dormant endpoint security market is now flush with venture capital investment, mergers and acquisitions, and rapid innovation.
Given the emerging demand for new layered security technologies, the once-dormant endpoint security market is now flush with venture capital investment, mergers and acquisitions, and rapid innovation. Intel announced in January that it would rebrand longstanding antivirus powerhouse McAfee, which it acquired in 2010, to Intel Security and give away its mobile security software. Symantec has continued its long history of acquisitions with three in 2012, including two mobile security companies, Nukona and Odyssey Software.
Security professionals can now choose among a number of new endpoint security products that bake-in firewall, intrusion detection, behavioral blocking and anti-spyware, but the broadening of the market has led to confusion. How did endpoint security software suddenly get so complicated? And what's the best strategy to mitigate endpoint risk going forward?
Early layer of defense
Traditional endpoint security software (aka antivirus) addressed Windows and Linux endpoints and servers. With the introduction of the Mosaic browser and World Wide Web in the mid-1990s, organizations all over the world connected internal networks to the Internet. This newfound connectivity led to e-commerce sales, tighter supply chain management and improved communications, but it also introduced security vulnerabilities and malware. Remember the Melissa and ILOVEYOU viruses that replicated by using Microsoft Outlook address books? Or the SQL Slammer worm that attacked Windows 2000 systems?
To address these risks, CIOs made the decision to install antivirus software on PCs and servers. This seemed so logical that industry and government regulations such as the Federal Information Security Management Act, the Health Insurance Portability Accountability Act and Health Information Technology for Economic and Clinical Health Act, and the Payment Card Industry Data Security Standard soon made endpoint security software a regulatory compliance requirement. Not surprisingly, endpoint security software became ubiquitous; it was installed on Windows and Linux endpoints and servers, creating a $4 billion-plus market dominated by a vendor hegemony of Kaspersky Lab, McAfee, Sophos, Symantec and Trend Micro.
Endpoint security in transition
Antivirus software wasn't perfect, but it did supplement network security controls such as antivirus gateways, intrusion detection and intrusion prevention systems, and Web threat management appliances. It offered an additional layer of malware defense directly on host computers. This combination provided "good enough" security for years, but a number of factors are altering this tried-and-true endpoint security recipe.
ESG research indicates 51% of organizations say they will add new layers of endpoint security to protect against zero-day threats and polymorphic/ metamorphic malware as part of their security strategy moving forward.
The threat landscape is growing increasingly dangerous. According to Enterprise Strategy Group's (ESG's) research, 30% of the North American enterprise security professionals surveyed believe the overall malware landscape is "much worse" than it was two years ago, while another 37% said the overall malware landscape is "somewhat worse." Why? Malware threats have grown in volume and sophistication as cyberadversaries are more organized and collaborative than they were in the past. Security professionals are also painfully aware of recent targeted attacks aimed at specific organizations -- Adobe Systems, The New York Times and Target. They often wonder, "Is my organization next?"
Endpoint security is no longer limited to Windows PCs. Over the past few years, many companies have opened the IT doors to alternative endpoint devices such as MacBooks, tablets and smartphones. Mobile devices have become a business requirement. ESG research indicates that 32% of the 242 North American enterprise security professionals surveyed consider mobile devices "critical" for supporting business processes and employee productivity while another 55% consider mobile devices "very important." As more of these alternative computing devices connect to enterprise networks, security professionals want common tools for enforcing endpoint security policies across all types of endpoints.
Traditional endpoint security is falling behind. Endpoint security software vendors have supplemented their traditional signature-based defenses but targeted attacks and sophisticated malware continue to circumvent traditional security controls and compromise host computers. Additionally, endpoint security software remains firmly planted in the PC domain. Many firms now have separate IT and security groups, as well as discrete mobile device management tools for smartphone and tablet administration, operations and security.
All these factors affect the protection traditional endpoint security tools offer. ESG research indicates that security professionals are growing increasingly cynical about the efficacy of traditional endpoint security software defenses. (See "Security Professionals Skeptical of Endpoint Security Software.")
New endpoint security tools have arrived
Many enterprises can no longer rely on status quo technology defenses. This is driving growth in spending on antimalware tools. ESG research indicates that 74% of North American enterprise organizations surveyed have increased their security budgets "significantly" or "somewhat" over the past few years in direct response to malware threats such as advanced persistent threats, hacktivism and targeted attacks.
Aside from a general security budget increase, changes are coming for endpoint security as well. ESG research indicates 51% of organizations say they will add new layers of endpoint security to protect against zero-day threats and polymorphic/metamorphic malware as part of their security strategy moving forward.
Given the emerging demand for layered security solutions, rapid innovation is occurring in the endpoint security market. Security professionals will find a number of new endpoint security products from vendors such as Bit9, Bromium, Cisco Systems, Cylance, Guidance Software, McAfee, Symantec, Trend Micro and Triumfant in the following areas:
- Incident prevention. Rather than rely on signatures alone, new incident-prevention technologies now include more heuristics, security intelligence feeds and newly designed scanning engines. Some products apply intelligent whitelisting and blacklisting functionality while others focus solely on browser-based exploits by sandboxing connections and blocking software execution from the underlying operating system.
- Incident detection. Products in this area tend to proxy connections and use a combination of sandboxing, malware analytics and threat intelligence to dig into suspicious email attachments, URLs and content. Some vendors have taken a different approach, using mathematical calculations and statistics to analyze files across thousands of parameters to assess risk or determine whether these files are actually malicious or not.
- Incident response. Some vendors provide analytic tools that capture sequential endpoint alterations, such as registry changes, file downloads, network connections and in-memory processes. When malware is detected, these details can help the security team pinpoint problems, assess which nodes have been affected and remediate systems without reimaging them.
Security professionals skeptical of endpoint security software
Antivirus software has been the veritable poster boy of endpoint security since companies first connected their internal networks to the Internet in the mid-1990s, but this is no longer the case. In a recent research survey, Enterprise Strategy Group asked security professionals whether they agreed or disagreed with a series of statements about endpoint security (Figure 1). As it turns out, many have grown increasingly skeptical about antivirus software's efficacy or the difference between one product and another. The research reveals that of those surveyed:
- 62% strongly agree or agree with the statement "Host-based security software is effective for detecting/blocking older types of malware, but it is not effective for detecting zero-day and/or polymorphic malware commonly used for targeted attacks today."
- 52% strongly agree or agree with the statement "Our continued use of traditional host-based security software (i.e., antivirus) is driven by regulatory requirements for the most part."
- 44% strongly agree or agree with the statement "Host-based security software is a commodity product with little measurable differences between products."
- 36% strongly agree or agree with the statement "Commercial host-based security software is more or less the same as free security software."
In most cases, new types of incident prevention, detection and response products remain focused on Windows PCs, but endpoint security vendors recognize that this is no longer enough. As a result, the majority of these security tools will support Macs and mobile devices in the near future.
Security professionals don't know where to turn
Endpoint security used to be synonymous with antivirus software, but now security professionals have abundant other choices to either replace or supplement prevailing safeguards. Ironically, ESG believes that the sudden onset of new endpoint-security technologies has only led to massive confusion. Many security professionals are unfamiliar with emerging endpoint-security technologies and remain unclear about which ones can best address new requirements.
CISOs face a difficult situation. They certainly want to allocate enough time for research and testing so they can make the right endpoint security decisions, but lengthy delays only increase IT risk. So what should be done? Security managers should implement a pragmatic and well-orchestrated plan that includes the following steps:
- Assess current processes and defenses. Endpoint security software may be a minor problem if the security and IT operations teams aren't performing vulnerability scans or applying software patches in a timely and consistent manner. If these fundamental tasks are broken, new security tools will amount to little more than a "Band-Aid on a bullet hole."
- Decrease the endpoint attack surface. There are a few easy and effective things to do here. For example, deploying endpoints with secure configurations seems obvious, but ESG sees many organizations forgoing this best practice to cope with the scale of bring your own device. This is a Faustian compromise at best. Additionally, PC users should not be given administrator roles in almost all cases. Finally, it makes sense to use whitelisting or network access controls to limit what users can do on endpoints and corporate networks. These can be simple but valuable adjustments.
- Dial-up endpoint security protection. Antivirus software often comes with multiple types of protection options. In the past, IT teams eschewed maximum protection, believing that it would interfere with endpoint usability or performance, but this is no longer the case because of better security software and faster PC processors. This maximum setting can help lower risk.
- Start with incident prevention and move on from there. Incident prevention, detection and response should be seen as a succession of steps for increasing endpoint security. Incident prevention should be applied first as it can address existing vulnerabilities. Furthermore, incident prevention is generally performed by the technology itself with little need for additional security staff, skills or resources. Once incident prevention is in place, CISOs should assess whether they have the right in-house assets for detection and response because each of these requires more advanced security skills (i.e., security analytics, investigations and forensics). Organizations with these properties in place should invest in upfront planning to make sure that incident detection and response technologies align with proper processes and training. Firms lacking these resources should look for managed security service providers that can help them bridge these gaps.
- Strive for continuous monitoring and situational awareness. As the old saying goes, "You can't manage what you can't measure." The same concept applies to endpoint security. The more you know about endpoint state, changes and behavior, the faster you can detect and remediate security problems.
The bigger truth
Organizations face a dangerous threat landscape that demands new endpoint security controls and oversight. As a result, the entire endpoint security market is in a state of flux as traditional antivirus leaders face increasing competition from an onslaught of competitors pitching new incident prevention, detection and response products and services.
While this transition will affect market share and vendor profits, security professionals face their own quagmire as they sort through new threats and security safeguards to figure out what they should do to mitigate endpoint risks. ESG recommends an aggressive yet pragmatic plan that tightens existing processes and tools, and then moves on to add new security controls and more thorough endpoint security oversight over time.
About the author:
Jon Oltsik is a senior principal analyst at Enterprise Strategy Group and the founder of the firm's information security and networking services. Follow him on Twitter @joltsik.
Send comments on this article to firstname.lastname@example.org.