Blog post

Putting the P, D, & R back into Endpoint Protection Detection and Response

By Avivah Litan | October 23, 2017 | 0 Comments

We just published a research note Market Insight: Increase Market Share With User-Aware and Bundled Endpoint Security  that shows most endpoint security buyers want to buy EPP (Endpoint Protection) and EDR (Endpoint Detection and Response) together in one package with one agent. That would be a good start for a fragmenting market.


This trend and buyer push towards integration is accelerating through 2019 as seen in the next chart.


Both users and vendors are realizing that feature integration is a must. But so is functionality, and endpoint security capabilities are still too disconnected, hard to manage and hard to navigate – especially when it comes to EDR.

The Industry’s Dirty Little Secret

The disconnect between IT OPS and IT SEC was emphasized last week when a highly skilled network security engineer whispered to me at a dinner table that the dirty little secret in endpoint security is that there is no integration between vulnerability management, patching, and endpoint protection.

It may not be that big a secret but it certainly isn’t discussed enough amongst security professionals who seem to prefer talking about the latest shiny toys or advances in AI. The longstanding tug of war over patching between IT Operations and IT Security is well known and there is good logic for this disagreement on both sides. IT Ops doesn’t want to bring the business down with patching, and IT Security doesn’t want to bring the business down by opening it up to hackers via unpatched vulnerabilities (as just happened in the infamous Equifax breach and Wannacry attacks, and is likely about to happen with the major newly discovered Reaper IoT botnet see Krebs on Security: Reaper Calm before the IoT Security Storm ).

Surely endpoint security vendors can more effectively help enterprise security users in this area than most of them are doing today. They should prioritize vulnerabilities, check for un-patched endpoints and enable compensating controls such as virtual patches (like TrendMicro provides) until physical patches can be applied. Lots of industry statistics show hundreds of millions of malware objects still only use a small subset of vulnerabilities – often less than 50.  Endpoint security managers need to worry about these common vulnerabilities and do what it takes to get priority patches installed and stopgap measures implemented in the interim.

Bridging the Great Divide Between IT Security and IT Operations

Some vendors are already trying to bridge the gap between IT Security and IT Operations. IBM seeks to address the gap with its BigFix product. Carbon Black has plans, as part of its new Predictive Security cloud offering, to prioritize endpoint configuration weaknesses, vulnerabilities and risky user activity so that they can predict likely exploits. Other security startups such as Balbix and Panasaeer provide independent health checks and risk views across technology controls. For example, Balbix assesses risk across devices, users and applications in a colorful user interface that clearly highlights issues which need varying levels of attention. Panaseer analyzes configuration management, vulnerability management and malware protection data to assess which endpoints don’t have endpoint protection and are completely exposed, and which endpoints are vulnerable.

Identifying gaps and weaknesses in current controls is the first step. Rectification isn’t always easy (given patch issues etc.) but at least compensating control measures can be put in place and security programs can be prioritized based on this knowledge.

Human Driven Endpoint Detection and Response

I still can’t figure out why the EDR market is named as it is.  It should really be named Human Driven Endpoint Detection and Response (HDEDR) because the level of automation and advanced analytics in most EDR products is minimal, at best. Highly skilled security investigators are needed to do any real detective and IR work. After all, if the software’s analytics were more advanced, the machines would be good enough to detect malicious events with enough confidence such that they could be moved into endpoint protection mode for future blocking purposes. (Analytics will improve over time as vendors learn repeat scenarios that can be modeled by machines, an easier feat if the vendor runs a Managed Detection and Response service).

For now, EDR solutions remain largely disconnected from EPP although the vendors are starting to change that. Once the vendors get their endpoint protection and detection modules working together, and simplify the user interface while improving the analytics, they should consider adding user context and UEBA functionality to their valuable data troves to more effectively detect file-less attacks, and other inside/r threats. Some vendors, such as Cylance, NPCore and Absolute Software have plans or have already implemented user-related features in their endpoint products.

Bottom Line

Why keep the IT OPS and IT SEC divide a dirty little secret, or at least something most security professionals don’t want to talk about, either because they think it’s unimportant, hopeless or boring? Why not connect the dots and improve the controls most organizations have already invested in?

When you think about it, there are very few new ideas under the sun. Just making all these existing security products work well together, however, would be “very evolutionary.”  I think the other dirty little secret is that most attackers are lazy — even those who are talented programmers. They’d rather use common exploits and techniques, then spend their valuable time doing something truly innovative.

Comments are closed