The State Of Constant Change In Endpoint Security

Doug Cahill
Posted: 02/14/2018

Endpoint security is one of the most dynamic areas of cyber security and one that is in a state of constant change. To combat both the relatively pedestrian and more sophisticated range of attacks, most organizations, according to research conducted by the Enterprise Strategy Group, are implementing multiple compensating measures.

The actions taken to improve endpoint security are across the dimensions of processes, skills and technologies. In fact, ESG’s research reveals that 69% of organizations regularly reevaluate the effectiveness of their endpoint security strategies. Why all the attention on endpoint security? The epidemic levels of ransomware experienced in 2016 through 2017 and that are sure to extend into this year served as a catalyst for many IT and cyber security professionals to rethink how they secure their endpoints.

Endpoint Security Duality: Efficacy and Efficiency

The operational impact of endpoint security challenges is rooted in a fundamental need to improve threat detection efficacy and, by extension, accuracy. Weak efficacy leads to infection; overly sensitive efficacy leads to chasing squirrels. In fact, the endpoint security challenge cited by the largest percentage of ESG research participants was responding to alerts to investigate a possible incident, many of which end up being false positives. And when squirrels do find their way into the house, many companies fall into the rinse-and-repeat cycle of re-imaging infected endpoints, impacting both knowledge worker and IT productivity. Tied at the hip, efficacy and efficiency are no longer mutually exclusive.

To move both the efficacy and efficiency needles in unison, many organizations are changing their antivirus vendor. In fact, three quarters of the participants in ESG’s study have changed, are in the process of changing, or plan to change their antivirus vendor, signaling a market in transition. But the change isn’t done with the flip of a switch; often additional preventative controls, including “next-gen” AV, coexist with the existing “traditional” AV product, with the former, once proven on some set of endpoints over some period of time, representing a Trojan horse threat to the latter. The layering of additional controls also includes the use of endpoint detection and response (EDR) sensors to enable incident response, security analytics, and threat hunting use cases. Until now, only well-resourced and skilled organizations, such as those with SOC and/or CERT teams equipped to do the heavy lifting required, had been able to realize value from EDR. However, EDR-as-a-service, including managed EDR and threat hunting, as well as improvements in usability, have made the compelling visibility benefits of EDR attainable by more organizations.

Front And Center: Services

In addition to making advanced capabilities, such as threat hunting, accessible to more of the masses, most endpoint security vendors offer cloud-delivered endpoint security to reduce some operational headaches. Security-as-a-service (SECaaS), however, is a lot more than eliminating the care and feeding of on-premises management servers; it provides the environment to employ a variety of computationally intensive detection techniques such as dynamic analysis, integrates with cloud-delivered email and web security solutions to stop threats at the exposure layer, and expedites the sharing of threat intelligence to all subscribers. In this model, versus siloed on-premises deployments, all boats truly rise. While organizations operating air-gapped environments will not be able to leverage these benefits (locally deployed machine learning models can help protect disconnected endpoints), the efficacy and efficiency benefits provided by cloud-delivered endpoint security are highly compelling.

Beyond The Tech: Re-Evaluating Awareness And Skills

ESG’s research also highlights that many organizations are focusing on their people, both the end-users being targeted and those charged with preventing and investigating cyber-attacks. In fact, the action that most respondents cited as having been the most impactful in improving their company’s endpoint security posture over the last two years is creating or expanding end-user awareness and training programs to educate their employees about cyber security threats. Many organizations conduct red teaming exercises, typically with simulated phishing email attacks, to baseline and measure the effectiveness of awareness training. Research participants also noted that the training they provide their security teams on new types of threats and endpoint security best practices has been impactful.

Endpoint Security Suites, Redux

There is clearly a dichotomy between how most companies are behaving and their aspirations when it comes to endpoint security. Because so many organizations are operating from a back-on-their-heels posture, they take multiple actions, including buying and deploying disparate controls, typically from multiple vendors. But this is not what they prefer to do strategically. When asked what would be most attractive as new endpoint security requirements arise, 87% of participants in ESG’s research cited a comprehensive endpoint security suite from a single vendor. While this signals a return to endpoint security suites and away from the current approach of layering controls, the participants were split down the middle as to whether such an endpoint security suite would be purchased from an established endpoint security brand or a “next-generation” vendor, punctuating the state of change on the supply side of the market.

Precious Real Estate

After attacks such as Operation Aurora, disclosed in early 2010 and dubbed advanced persistent threats, many in the industry focused on a network-centric approach of “catching it on the wire” that was dismissive of endpoint security. Now that the central role the endpoint plays as a soft target in attack campaigns is well understood, and all too often exploited, the endpoint has become precious real estate for attackers, organizations, and vendors alike. Fortunately, cloud-delivered endpoint security, the use of machine learning and attack-chain-aware behavior analysis, and awareness training promise to provide the efficacy and efficiency required to mitigate today’s threat landscape.
