How Do I Choose an Endpoint Security Solution?

Recently, we hosted a webinar with 451 Research Analyst Adrian Sanabria (@sawaba) on “Cutting Through the Noise of Next Generation Endpoint Security.” At Hexis, we are seeing increased interest in next generation endpoint security solutions. At the same time, we see security organizations facing the challenge of navigating a crowded and noisy market in terms of vendors and approaches. We wanted to provide some information from the webinar to help security organizations cut through this noise. Here are some of our key takeaways.

Next Generation Endpoint Security Solutions Drivers are Clear

What’s very clear about the topic of next generation endpoint security is the driver behind the need. Traditional antivirus (AV) solutions are ineffective at catching unknown threats. Arguably, traditional AV solutions have become less effective at catching known threats as well, but we’ll leave that topic for another day.

The initial vector of many advanced threats is the endpoint. As such, organizations are starting to realize a huge security visibility gap exists, driving the need for next generation endpoint security solutions to improve visibility and ultimately to prevent, detect and respond to cyber threats.

Not all Next Generation Endpoint Solutions are Equal, but So Many Approaches Make it a Confusing Landscape

In the webinar, Adrian explains that 451 Research is currently tracking more than 60 Endpoint Security vendors and segmenting them into five areas:

  • Post-AV Prevention (whitelisting, exploit blocking)
  • Isolation Security (keeps the resources users work with separated from attackers)
  • Threat Inquiry and Response (finding threats once you have a clue)
  • Continuous Endpoint Recording (if you know everything that is going on you can make some very interesting decisions using behavioral analytics)
  • Post-AV Detection & Response (technologies that can complement and/or replace traditional AV)

Easy enough, right? We know that things still might be a little murky. Here are some more tips from our perspective.

Prevention-focused Solutions are Different from Detection and Response-focused Solutions

The fundamental difference is that the goal of prevention solutions is to block infections or malware from ever occurring on an endpoint. Detection and response-focused solutions presume that prevention is not 100% effective and endpoints will be compromised or infected. Therefore, it’s important to be able to detect these threats and respond to them before they do damage.

Endpoint prevention solutions include application whitelisting, isolation and exploit blocking. At Hexis, we think:

  • Application whitelisting has largely proven to be a niche market applicable to endpoints with a narrow usage (e.g. retail POS). This technology has proven to be too restrictive and cumbersome for wide-scale commercial or enterprise deployments.
  • Isolation security has also proven to be a niche market and has been challenging to deploy.
  • Exploit prevention is a newer prevention capability with Palo Alto Networks’ Traps solution being the most well-known player. The early stage of exploit prevention technology makes it difficult to evaluate. However, one point to consider is that not all attacks use exploits to deliver malware. For example, ransomware and other attacks can rely on social engineering utilizing infected Word documents and other executables. So while exploit prevention is good for one specific threat vector, exploit prevention alone is inadequate.
  • While 451 Research includes Cylance in the Post-AV Detection and Response category, we’d argue that they are fundamentally more a prevention technology. Cylance’s approach is to analyze binaries based on predictive modeling techniques and machine learning with the goal of stopping a malicious file or binary from execution. In short, the goal of Cylance is to stop malicious activity before it executes.

Endpoint Detection and Response Solutions are Not Created Equal

At Hexis Cyber Solutions, we think prevention is important and necessary. However, we know prevention will never be 100% effective. After all, there’s been a significant amount of security investment in prevention over the years, and if prevention worked in every scenario, we wouldn’t be reading about cyberattacks on an almost daily basis! This is what’s driving increased investment into detection and response technologies.

In the endpoint security space, many providers get lumped into a single category called endpoint detection and response (EDR). However, it’s important to understand that approaches and capabilities today are markedly different, though we expect to see convergence over time.

Here are a few things to consider on that front:

  • Many EDR solutions are threat/malware hunting solutions. Translating to the 451 Research market segments, we would classify this as Continuous Endpoint Recording with a dose of Threat Inquiry and Response. Neither Continuous Endpoint Recording nor Threat Inquiry and Response by itself (or the two together!) should be considered detection. They are, however, enablers of detection. For example, if you are baselining (i.e. recording) the behavior of endpoints, then deviations from normal baselines may be indicative of a threat. Additionally, by having continuous information on endpoint activity, security teams can do proactive detection or threat hunting. Continuous Endpoint Recording and Threat Inquiry and Response are also enablers for incident response. In the case of continuous recording it’s akin to a flight recorder: something bad has happened, so let’s rewind the tape and see what happened. A key point to consider with both capabilities is that they require skilled human operators.
  • Many EDR solutions are detection only. Detection is important and critical, but it’s becoming increasingly clear that once an organization detects something malicious, they want to be able to do something about it. The response component, the “R” in EDR, is becoming a more critical factor when evaluating solutions.
  • Many EDR solutions lack network context. Many EDR solutions are endpoint only. One might say “well yeah, that’s why it’s called EDR, Todd!” However, the nature of advanced threats means that an endpoint-only solution will be less effective than a solution that has both endpoint and network capabilities. Advanced threats typically land on an endpoint, then communicate out over the network; attackers then gain control of the endpoint and move laterally through the network and the environment to their desired targets. This means that advanced threat protection requires multiple elements that span endpoints and the network. We believe that having this network context is critical and should be a key point to consider when you evaluate next generation endpoint solutions. On this note, it’s important to consider that this network context can be gained by a vendor offering its own network capabilities or via integration with other network security solutions. Here at Hexis we are doing both with our HawkEye G solution, so we’ve got you covered!
  • Threat Inquiry and Response is ultimately a feature. This capability is largely about having an indicator of compromise (IOC) and looking for signs of it on your endpoints. We would put FireEye HX in this category currently (they will add detection over time), and this is also one of Tanium’s key security use cases. This smells a lot like a feature, and we are already seeing other vendors (Hexis included!) offering this capability.
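To make the distinction between the enablers above concrete, here is a small added example (not code from the original post, from Hexis, or from any product it names) that models three of the ideas in this list over constructed endpoint records: a baseline built from a "normal" recording window, deviation flagging against that baseline, an IOC sweep of the kind Threat Inquiry and Response performs, and a flight-recorder style rewind for one host. The event fields, host names, hash strings and IOC values are all invented for the illustration; a real recorder would carry far more context (timestamps, command lines, users) and a real IOC feed would be fed from threat intelligence rather than a literal.

```python
"""Baseline deviation, IOC sweep and rewind over constructed endpoint records.

Added illustration only: the event schema, hosts, hashes and IOC values are
constructed for this example and do not come from any real product or feed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One recorded process start, plus any outbound connection it made."""
    seq: int                 # position on the "tape" (monotonic per recorder)
    host: str
    parent: str              # parent process image name
    image: str               # started process image name
    sha256: str              # constructed placeholder, not a real hash
    dest_host: Optional[str] # outbound destination seen, if any


# Constructed "known good" recording window used to build the baseline.
BASELINE_EVENTS: List[ProcEvent] = [
    ProcEvent(1, "ws01", "explorer.exe", "outlook.exe", "sha256-constructed-0001", None),
    ProcEvent(2, "ws01", "outlook.exe", "winword.exe", "sha256-constructed-0002", None),
    ProcEvent(3, "ws01", "explorer.exe", "chrome.exe", "sha256-constructed-0003", "intranet.example"),
    ProcEvent(4, "ws02", "explorer.exe", "chrome.exe", "sha256-constructed-0003", "intranet.example"),
    ProcEvent(5, "ws02", "services.exe", "svchost.exe", "sha256-constructed-0004", None),
]

# Constructed later window in which an analyst wants to find deviations.
NEW_EVENTS: List[ProcEvent] = [
    ProcEvent(6, "ws01", "explorer.exe", "chrome.exe", "sha256-constructed-0003", "intranet.example"),
    ProcEvent(7, "ws01", "winword.exe", "powershell.exe", "sha256-constructed-0005", None),
    ProcEvent(8, "ws01", "powershell.exe", "powershell.exe", "sha256-constructed-0005", "c2.example.invalid"),
    ProcEvent(9, "ws02", "services.exe", "svchost.exe", "sha256-constructed-0004", None),
    ProcEvent(10, "ws03", "explorer.exe", "update.exe", "sha256-constructed-0006", None),
]

# Constructed IOC set, standing in for what a threat-intel feed would supply.
IOCS: Dict[str, Set[str]] = {
    "sha256": {"sha256-constructed-0006"},
    "domains": {"c2.example.invalid"},
}


def build_baseline(events: List[ProcEvent]) -> Set[Tuple[str, str]]:
    """Baseline = the set of (parent, child) process pairs seen as normal."""
    return {(e.parent, e.image) for e in events}


def find_deviations(events: List[ProcEvent],
                    baseline: Set[Tuple[str, str]]) -> List[ProcEvent]:
    """Events whose parent/child pair was never seen in the baseline window.

    This is an enabler, not a verdict: an analyst still has to decide whether
    each deviation is a threat or a newly legitimate behaviour.
    """
    return [e for e in events if (e.parent, e.image) not in baseline]


def ioc_sweep(events: List[ProcEvent],
              iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Threat Inquiry style lookup: (host, ioc_type, value) for every match."""
    hits: List[Tuple[str, str, str]] = []
    for e in events:
        if e.sha256 in iocs["sha256"]:
            hits.append((e.host, "sha256", e.sha256))
        if e.dest_host is not None and e.dest_host in iocs["domains"]:
            hits.append((e.host, "domain", e.dest_host))
    return hits


def rewind(events: List[ProcEvent], host: str) -> List[ProcEvent]:
    """Flight-recorder view: everything recorded for one host, in tape order."""
    return sorted((e for e in events if e.host == host), key=lambda e: e.seq)


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for d in find_deviations(NEW_EVENTS, baseline):
        print(f"deviation  host={d.host} {d.parent} -> {d.image}")
    for h in ioc_sweep(NEW_EVENTS, IOCS):
        print(f"ioc hit    host={h[0]} {h[1]}={h[2]}")
    for e in rewind(BASELINE_EVENTS + NEW_EVENTS, "ws01"):
        print(f"tape[{e.seq}] {e.parent} -> {e.image} net={e.dest_host}")
```

Run stand-alone, the script reports three baseline deviations (the Word-spawned PowerShell chain and the unfamiliar update.exe), two IOC hits (one hash, one domain), and the full recorded tape for ws01. Note that the two functions answer different questions: the IOC sweep only finds what you already have an indicator for, while the deviation check surfaces behaviour nobody has an indicator for yet, which is exactly why both still need a skilled operator to turn them into a detection.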

451 Expects Consolidation

This makes a ton of sense from multiple angles. Organizations have a tough time deploying endpoint agents in general and will be loath to deploy multiple next generation security agents. The trend toward consolidation will drive vendors to offer capabilities across the segments that 451 Research has defined. For example, while our HawkEye G solution has continuous recording as a key capability, we’d contend that our heuristics around static and dynamic indicators (behavior-based detection) are equally important. So Adrian, please include us in the Post-AV Detection and Response category too! As mentioned above, many vendors are adding threat inquiry and response capabilities, and I think this becomes more of a feature.

Importantly, we think this consolidation will also occur not just in EDR, but also between prevention and detection and response. In fact, Adrian highlighted this on the webinar, indicating that it’s not about dumping prevention but adding another layer. Adrian also indicated that he is already seeing signs of consolidation happening in the market and raised the question of the potential for a single consolidated endpoint agent in 2018. Thoughts?

Not Many Replacing AV, but Should Be a Source of Funds

At Hexis, we’re not seeing many customers replacing AV with next generation endpoint solutions. However, many are augmenting their AV. AV continues to be widely deployed because many of the key compliance regulations require it. While customers are unlikely to throw out AV anytime soon, one thing to consider is using AV as a source of funds for next generation endpoint investment. Paying less to commercial AV vendors, or using free AV capabilities from a vendor like Microsoft, can “check the AV box” while reallocating AV budget to fund the purchase of a next generation endpoint solution.

Tips for Evaluating Next Generation Endpoint Solutions

Adrian offered several recommendations for customers looking at next generation endpoint security solutions including:

  • Identify current pain points and scenarios
  • Find a way to test them through a proof of concept
  • Create a list of important use cases
  • If budget is a concern, consider using free or low cost products

One key theme embedded in these recommendations is that it’s important for customers to understand what problem(s) they are looking to solve. Only then can you map problems to the different types of solutions outlined above to help discern which technologies can best help solve your problem.

Summing it All Up

  • Next generation endpoint security is becoming a greater area of focus as security organizations look to gain more visibility into advanced threats operating in their environments and to improve their security posture.
  • With a wide array of approaches and vendors, it’s a confusing market. Hopefully the webinar and this blog represent a step forward in helping organizations better understand the market and the different approaches. Key points to consider are prevention vs. detection and response capabilities, and the multiple key capabilities within REAL EDR solutions. The good news for security organizations is that industry research firms like 451 Research have increased their research focus on this area. Rest assured that more helpful resources are on the way!
  • Advanced threat protection requires multiple elements that span endpoints and the network. Looking at a next generation endpoint player’s network capabilities (whether they offer their own network solution or achieve this via tight integration with other network security players) is critical.
  • Detection is critical, but detection alone is insufficient. The ability to respond is becoming more important and should be considered when evaluating solutions.

 http://www.hexiscyber.com/news/hot-topics/how-do-i-choose-endpoint-security-solution

More articles by Todd Weller
