After a period of stagnation, endpoint security is experiencing a rebirth with many new products appearing on the market. Companies are responding by boosting endpoint security budgets, which will increase by five to 10 percent in 2016, said Forrester principal analyst Rick Holland.
“Endpoint security is undergoing a major renaissance with a new generation of products and services that flip the equation from the antivirus software mantra of prevention to the more pragmatic -- and realistic -- tactic of detection and incident response at the user device,” said Dark Reading’s Kelly Jackson Higgins, in her article describing the shift of the endpoint market from antivirus to endpoint detection and response platforms and the plethora of emerging players in this category.
However, “buyers are overwhelmed by all these choices, finding it difficult to differentiate between vendors,” said Holland. “You want to make the right choice. Whether you’re looking to complement your traditional antivirus, or if you’d like to move completely off the antivirus wagon, you need to know the right set of criteria to be able to judge the fit of the various platforms.”
To help enterprises navigate the selection process, last week Forrester and Cybereason held a webinar on what to look at when considering a next-generation endpoint product.
In this blog post, we’ll give an overview of the five most important factors to consider when deciding on a platform that’s right for you. In the coming weeks, we’ll publish blogs delving further into each topic.
Prevention is insufficient - you must fall back to detection
While prevention is important, it shouldn’t be the only component in an organization’s security plan. Motivated hackers will find a way into your organization, even if you’ve implemented security products like firewalls and antivirus software. Companies need to make detection a key component of their defensive plans. Next-generation endpoint solutions, also called endpoint detection and response (EDR) tools, were developed for this purpose: augmenting an organization’s prevention program by adding the ability to detect a breach that bypasses traditional protection tools.
The impact on the endpoint must be tested
We opened by debunking the myth that agents operating in the kernel provide superior visibility than products operating in the user space. “I have seen both approaches taken,” Holland said.
However, whether the endpoint agent is running on user space or kernel mode has a significant impact on the endpoint. The fact is solutions operating in the kernel can slowdown a computer’s performance or even crash a machine, among other issues. This can have a major impact on any broad scale deployment.
Cybereason’s platform operates in the user space but provides kernel-level visibility into all the activity occurring on an endpoint.
Data collection: Why size doesn’t necessarily matter
Most next-generation endpoint solutions are equipped with big data collection capabilities to help enterprises amass as much information as possible. However, simply gathering more data isn’t the best route to securing an organization. Security analysts are overwhelmed with threat intelligence and struggling to figure out which alerts pose the most risk. There’s great value in the ability to make sense of the data, automate threat detection and use machine intelligence to eliminate false alerts and prioritize threats.
Look beyond the malware
Holland addressed the evolving threat landscape, noting that adversaries are moving away from malware and using legitimate methods to attack a company. For example, some attackers acquire log-in credentials to access a system, escalate them and spread in the network without using any malicious code. In cases when legitimate activity is used to access a system, a security program wouldn’t flag this behavior as malicious.
Companies, therefore, need to look beyond malware and obtain the ability to spot malicious behaviors that not necessarily involve a malicious code. There is a great need to view the complete picture of an attack. Looking at the malicious operations, or malops, as a whole allows a company to completely shut down an attack and terminate and stop them from persisting.
Data visualization makes the difference
Finally, the importance of the user interface cannot be overestimated. Enterprise employees expect nowadays to get a user experience at work that resembles the one they get when using consumer apps used in their personal lives.
Security products, though, are lagging in this area, Holland said. They tend to show information in bits and bytes instead of telling the attack’s story. And with a dearth of qualified security talent, enterprises need as much help as possible to clearly see the security threats their organization faces.
Companies should look for endpoint products with an interface that displays information in a format that’s easy to understand and act upon.