The RSA Conference was an interesting experience, particularly for those in the endpoint security market, or those attempting to break into this emerging market. It seems everyone at this point has some type of endpoint play, regardless of their technology heritage, or prior security focus.
It was at the America’s Growth Capital conference, a simultaneous gathering of investors and security types, that perhaps one of the more interesting panels took place, albeit, the final panel session of the day. With 1 billion endpoints in need of help, its clear this is the hottest market across the broadening security industry.
Entitled, 'Next-Generation Endpoint,' the panel, moderated by IBM, included a solid group of panelistsassembled by AGC, featuring:
- Neal Creighton, CEO, CounterTack
- Dan Ross, President & CEO, Promisec
- Dick Williams, CEO, Webroot
- Jim Brennan, IBM Security Systems
- Marcin Kleczynski, CEO, Malwarebytes
The panel started out with a discussion about 50% useless information, efficacy or key functionality coming from antivirus products. This was interesting because it’s an easy way to characterize why companies like CounterTack are in business, essentially, due to a lack of innovation in endpoint security technology. It was referenced that the solution is to predict, protect, fully automate and then ultimately block threats, from the customer perspective. But not necessarily to just replace A/V, as some in the market are claiming they are doing.
With respect to taking a different approach to endpoint security, Jim Brennan of IBM stated that breaches are going to happen. But from his perspective, "where we get into trouble, is when we lean too far one way than the other with respect to detection r prevention. In his eyes, there has to be a balance and if there isn’t, its a disservice to customers. $800M being spent in this broader market, and the problems still exist. Supplemental budget spending isn’t the answer."
The next big question was: What data do we want from the endpoint? What is it we expect an endpoint solution to do? What’s the new ‘real deal?” (a very good question to qualify next-gen endpoint security technologies)
According to CounterTack CEO Neal Creighton, “A determined attacker will infect you. The nature of behaviors are really behaviors over time. You can look at malicious activities through the lens of false positives, but what does that do you for you? We focus heavily on manipulations of the OS, what’s normal activity, what’s not. The concept of dwell time is important too, because they get past tools on the endpoint. If you can shut it down, economically, its not feasible for attackers to continue on. Its all about tracking behaviors over time.”
According to Dan Ross, “Its all about change in processes, change in files. It’s the ability to see where that plays out over the entire network. Look at how widespread it is, and how long they are inside their systems.“
Dick Williams agreed, that you need intelligence in real-time, and you need to relate it to known behaviors - not just gather information at the endpoint. He also recommended that you have to look at everything associated with that file. “You have to look at all these things in context. “
According to Jim Brennan, the point of integration is critical. “The enterprise wants to buy best of breed, or so they think, and it’s a comfort zone thing, relative to selecting legacy vendors over emerging vendors. If you have someone doing IR, they don’t just want endpoint data. The point of integration is what customers need, relative to the endpoint. Its all about automated workflow integration.”
Malwarebytes CEO Marcin Kleczynski stated that “You need to collect the right data vs the quantity of data you collect in order to make a difference. Everyone agrees that signatures don’t work. But to get enough of that behavior, you need some time to be able to pull that.“
Another key question posed to the panel was around advanced threats. What should our focus be? What are the ways we can start convincing executives to act?
Malwarebytes stated that “No company will buy their entire security tools from one vendor. Exploits are the next big thing. That is the threat that should scare everyone. These threats don’t require any user intervention. No organization can patch fast enough.”
According to IBM, “It’s a scenario of advanced vs non-advanced. Customers think they already have it. The market is spending a ton of money for results that are unclear. Fundamentally, we’re in a short runway, everyone is acknowledging this is an issue, but it will be a shift of the spend.“
Dick Williams focused on the bad guys. “Exploits, APT’s, it doesn’t matter. The bad guys are smart, and they have no customers to worry about. They focus on compromising assets, and will stop at nothing. Our industry is about efficacy. We shouldn’t get hung up on artificial categorizations.”
Promisec argued that “its all about what makes the buyer’s job easier. Its all about brand damage. That is the motivation factor, like in IR, its about the issue, but then who else might be exposed to that threat. And can I do something about it?”
CounterTack’s Neal Creighton wrapped up it succinctly and convincingly. “What is an advanced threat? It’s a person, its not a thing. Malware, or not malware, it doesn’t matter. Endpoint technology widely deployed doesn’t see any of this. The sooner we can look to more innovative technology, the better. The advanced nature of attackers is driving everything. The grid. Financial systems. Yes advanced threats are a major driver.”
In summary, its clear that there are major challenges relative to protecting the endpoint, and the industry is figuring out the best way to attack that problem – which is, no one is hacking networks to remain on the network.
The definitive target of advanced attacks is the corporate endpoint. There are 1 billion reasons to push an innovative path to restoring endpoint integrity: a record 40,000 people at the RSA Conference and AGC agree, as do a multitude of investors who are looking for the next big thing.