By NSS Labs Research
USERS WEIGH IN ON RIP-AND-REPLACE, OR AUGMENT
Despite near-universal pessimism about the state of digital security today, many organizations are relying on the promise of a new crop of advanced endpoint protection (AEP) products for improving their odds against the bad guys. But the large field of contenders—at least three dozen by NSS Labs’ estimates—has brought confusion about which features are common in AEP products, and how vendors differentiate their products. An AEP product must be able to successfully detect and protect against threats, and it must provide sufficient context about malicious behavior to enable a security team to take action. By monitoring resource usage, communication activity, and system state, an AEP product provides contextual awareness and end-to-end visibility into threats for the end user/enterprise. Among enterprises that have placed their bets on these new products, many are now grappling with the decision to either rip-and-replace or augment existing endpoint security controls.
To get a better handle on users’ perceptions and expectations of AEP products, NSS surveyed cybersecurity officers at Global 2000 companies headquartered in North America that deploy endpoint security controls. As part of the survey, we asked respondents using legacy security controls (e.g., Symantec) what their immediate goals were regarding the purchase of AEP products. About two-thirds of respondents said they augmented their existing EPP deployments with AEP products, while less than one-third said that they replaced those controls. This is consistent with the approach that most newer AEP start-ups are taking: supplementing existing protection with faster and more lightweight defenses.
One factor that clearly contributes to an augmentation strategy is a new desire for detection and response tools on the endpoint. When we asked the AEP owners in our survey why their organizations bought these products, the majority (77%) said that it was due to a new organizational focus on detection and response tools. This finding supports a broader trend among leading enterprises to adopt a security architecture that supports protection, detection, and response capabilities.
Other key findings include:
AEP products can detect, remediate, and prevent threats. Of these capabilities, remediation is the least developed and the least supported.
AEP products that require few or no updates are particularly appropriate for use cases such as air-gapped networks because they provide additional protection for devices that do not have constant online connectivity.
AEP products are differentiated by their continuous monitoring functionality, their awareness of indicators of attack and indicators of compromise, their forensic data collection capabilities, and their system containment capabilities.
There are currently more than three dozen AEP vendors in the market; however, we believe the market cannot sustain this level of vendor interest, and we anticipate consolidation over the next 12 to 24 months.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.