After spending two days at the Gartner Security & Risk Summit in DC this week, a few very interesting topics stood out. (I’ll post more on specific talks from the events later)
First, as if RSA and InfoSec Europe weren’t enough to prove this, its clear that easily 50% of cybersecurity vendors are starting to tell an endpoint story - whether they can actually collect valuable, actionable system-level data or not – they are saying they can.
Second, a trend I validated with attendees and peers, is that there’s customer confusion more broadly in the endpoint security market. Enterprise security is all about cutting through the clutter and static to mitigate the damage from real threats.
Yet, there are simply too many vendors with an endpoint story without the merit to back it up, without customers and without the ability to scale.
Third, a number of forces are impacting organizations at the endpoint, and certain key topics were addressed across at least two keynotes, and a number of other sessions:
- The Internet of Things – yeah, OK, I get it, stuff connected to the Internet becomes more susceptible to attacks, when connections aren’t secure, when apps are poorly integrated or developed and when those connections run through endpoints that probably live in a state of continuous compromise. But is my wearable really that much of an enterprise security concern? Well, I think the answer now is yes, because it too, can be considered an endpoint device.
- Analytics – Potentially 80% of vendors are citing analytics, or Big Data, or both, as part of a larger offering. Its true, analytics have become a fundamental component of pretty much any security tool or platform on the market. They serve as the centerpiece of Gartner’s Adaptive Security Architecture model (along with Continuous Monitoring), as authored by Neil MacDonald and Peter Firstbrook. The big question posed by multiple analysts however, was, from the CISO’s perspective, how are you using analytics to make my job or my team’s job better, or more simplified?
- Prevention vs Detection – yes this debate rages on. It’s a unique debate that forces organizations to re-think their security strategy, and determine what is more helpful. Simply trying to prevent threats from infiltrating, and potentially executing, or detecting indicators, getting more information about what it is, what it can potentially execute, what impact it can have, or has had, and options (manual or automated) for how you might remediate it. Its Gartner’s position, across multiple analysts, that less money needs to be spent on prevention (as a stand-alone technology) and that the market has to move toward rapid detection and response technology. Most endpoint security vendors are part of this shift.
The first panel of the day on Monday featured a discussion on Endpoint Detection and Response, hosted by Gartner analyst Lawrence Pingree, featuring panelists Neal Creighton, CEO of CounterTack, and other vendors including Digital Guardian, Bit9, LightCyber and Cylance.
The panel kicked off with the question of whether or not antivirus is dead - a fair way to begin. Answers included:
- Threats are getting through, you can’t detect it until it detonates. You’ll see the merging of capabilities over the next few years, and potentially, EDR will move out to A/V, and A/V vendors might be jumping into EDR, but it will be harder for them to develop EDR capabilities organically.
- A/V is becoming marginalized. For malicious binaries, that concept is gone. You have to statically or dynamically analyze endpoint threats – its just a much better approach than keeping a list of known bad signatures.
- Lots of techniques are relatively the same and with A/V, you are looking for a statically defined signature. Kernel call. Network call. Attackers can circumvent these. Something else needs to look for anomalous behavior and that’s why this market exists.
- Big Data – you have to be integrated on a Big Data structure, you won’t get the level of scale you need to effectively and quickly deal with threats that might be pervasive across your network.
- There’s a lot of sorting out what an EDR solution will do, so you have to get closer to the point of risk. Visibility provides a lot of options for operators.
- Moving to the endpoint is interesting because people understand fundamentally that if you don’t know what’s on your endpoint, you are already compromised. EDR is going to have to understand how it all provides value to customers. A/V’s structural market IS dead.
- Analytics is a key trend– once you put that sensor on an endpoint, the fidelity of that information is transformed. The question folks are trying to answer is what are you doing with this data?
- The ability to observe and respond to true behaviors – not compromise indicators – will be the technology advantage that will catapult this market. Indicators are important, but it’s the combination of relating the events together.
Last word on this panel - - an audience poll during the session around “being wary of deploying another agent onto machines” showed that out of the 250 or so folks in attendance, that legacy reticence has pretty much faded. Interesting.
The last presentation I’ll comment on is Neil MacDonald’s review of his Adaptive Security Architecture talk. A few notes worth sharing:
From his seat, he’s urging a new security mindset predicated on the fact that the industry has been viewed through binaries – and that has to change. The new way we should adjust our thinking to is truly continuous monitoring, and continuous verification to follow that.
This would lead into the belief with this model, which is not new this year, that monitoring and analytics are the core of the platform. Detection and response capabilities are more important than blocking and prevention – direct from Gartner. These models and concepts from Gartner have never been more applicable, relative to modern-day endpoint security.
Its their belief that the old approach of knowing what badness looks like, then going to look for badness in system – is fundamentally flawed, and the two elements of contextual awareness and operator visibility are driving the next-generation endpoint security industry forward.