The Battle for Endpoint Security Begins (Again)

It is hard to imagine a PC these days without a taskbar filled with various agents, tools, and monitors. There was a time in the history of PCs when the idea of even running anti-virus was ridiculous. Those days are long since gone.

Rise of the Endpoint Security Suite

In the early 2000s, there was the first battle for the endpoint. IT departments everywhere were completely unprepared for the rapid spread of malware such as SQL Slammer and Code Red. This led to an explosion of antivirus and personal firewall products.

Ultimately, the winners were those that outlasted their competitors. Symantec, McAfee, and TrendMicro all rose to prominence during this time. Microsoft even managed to field an endpoint security product to surprising success (and unsurprising implosion).

Endpoint IDS/IPS also became a viable product at this time. All the big players rapidly acquired innovative companies. McAfee acquired Entercept, Symantec acquired Sygate, Cisco acquired Okena, and my beloved BlackICE agent would find a home at ISS (ultimately IBM). These acquisitions were spun into endpoint security suites that sold like crazy. New companies rushed into the space as well, such as Eset, Sophos, and Kaspersky. Everybody had an endpoint security suite, with new features such as encryption, application control, and data-loss prevention getting added constantly.

However, the fallout was coming. By 2008, pundits were saying “anti-virus” is dead, and really meaning it. Yet the fall of the endpoint was not a failure of performance, capability, or accuracy, as many believe. Rather, it was more mundane.

Fall of the Endpoint Security Suite

The trouble with endpoint security is rooted in a single fact: managing endpoint agents is an epic headache. For a large enterprise, managing tens of thousands of endpoint agents is not merely difficult, it is a miserable time suck of non-stop support tickets and tinkering. Endpoint agents are demanding monsters. They require perpetual care and feeding, and the slightest misstep can crash desktops and bring the entire enterprise to its knees.

Such was the case with McAfee’s infamous DAT file disaster of 2010. An error in the virus signature updates crashed Windows desktops, requiring manual cleanup. This left numerous large enterprises paralyzed while technicians raced around cleaning up affected systems.

That event (and others) galvanized the opposition to the endpoint. If a product required an endpoint agent, it would be mercilessly removed from the shortlist. This fever got so hot that by 2011 companies were regularly promoting their “agentless” capabilities. While companies were resigned to anti-virus being an annoying must-have, they were not going to add anything else to the mix.

Naturally, into this vacuum came new technologies. The demise of endpoint security would subsequently see the rise of secure-web gateways (SWG), next-generation firewalls (NGFW), and breach-detection systems (BDS) that all work at the network level to stop attacks. These technologies promised all the security, with none of the endpoint agent headaches. They also united security and network teams, leaving the systems administrators to go be miserable elsewhere. Everybody was sold and the Palo Altos, Fortinets, Blue Coats, CheckPoints and FireEyes were flying off the shelf.

Then the mother of all breaches happened: Target.

When the Target breach was announced in late 2013, the news went from bad, to worse, to jaw dropping, finally settling on just being depressing. Here was a company with tremendous resources and the best technology devastated with a huge breach. Target had all the security goodies: NGFWs, BDS (FireEye), SWGs, people, policies, and PCI compliance reports with big green check boxes all over them. How could this happen?

Rebirth of the Endpoint Security Suite

Even before the Target attack, savvy security people knew the network would never be able to do it all. Regardless of how innovative NGFWs and BDS products were, there are some attacks they cannot detect, specifically the attacks that ride in on “trusted” traffic, like what happened at Target. If traffic is encrypted, most NGFW and BDS products are totally blinded. You must decrypt that traffic first and then inspect it. Line-speed decryption is possible, but it adds complexity, overhead, and challenges to a network architecture.

Even while the world was digesting the impact of the Target breach, a new generation of endpoint security products was emerging. These new products were not anti-virus, but rather Endpoint Security Analytics (ESA). Products such as Cylance, CounterTack, Crowdstrike, and Bit9 CarbonBlack entered the market promising to use the latest threat intelligence to detect malware without signatures. Other companies were quick to jump into the market as well.

Halt and Catch Files

So what is inside endpoint security analytics? Most of these technologies perform some kind of behavior analysis. We fully defined this technology in our series on Security Analytics.

Typically, these technologies embed themselves deep into the operating system and monitor multiple dimensions of system activity such as API calls, file writes, network traffic, DNS requests, etc. When the system behaves in a “malware-like” manner, the software can report the event, record activity, and if necessary block it. The exact manner in which each of these technologies works varies.
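To make the report/record/block escalation concrete, here is an added example (not from this post or from any vendor's product) that correlates one process's events across the dimensions named above inside a time window. The event records are constructed, and the rule names, weights, thresholds and the 60-second window are assumptions chosen for illustration.

```python
from collections import defaultdict

WINDOW = 60  # seconds of one process's activity correlated together (assumed)
LEVELS = ["allow", "report", "record", "block"]
# Constructed telemetry: (seconds, pid, process, dimension, detail).
EVENTS = [
    (0, 410, "winword.exe", "file_write", r"C:\Users\a\Documents\report.docx"),
    (5, 977, "viewer.exe", "file_write", r"C:\Users\a\AppData\Roaming\upd.exe"),
    (6, 977, "viewer.exe", "api_call", "WriteProcessMemory"),
    (7, 977, "viewer.exe", "api_call", "CreateRemoteThread"),
    (9, 977, "viewer.exe", "dns", "x7f3kq9zt2lmw8.example.net"),
    (10, 977, "viewer.exe", "network", "203.0.113.7:443"),
    (400, 410, "winword.exe", "api_call", "CreateRemoteThread"),
]

def random_looking(domain):
    label = domain.split(".")[0]
    return len(label) >= 12 and any(c.isdigit() for c in label)

# (rule, dimension, predicate on detail, weight); rules and weights are assumed.
RULES = [
    ("exe_dropped_in_profile", "file_write",
     lambda d: d.lower().endswith(".exe") and "\\appdata\\" in d.lower(), 3),
    ("remote_thread_api", "api_call",
     lambda d: d in {"WriteProcessMemory", "CreateRemoteThread"}, 3),
    ("random_looking_dns", "dns", random_looking, 2),
    ("direct_ip_connection", "network",
     lambda d: d.split(":")[0].replace(".", "").isdigit(), 2),
]

def verdicts(events):
    """Return {pid: strongest verdict reached} for a stream of events."""
    hits, worst = defaultdict(list), {}
    for ts, pid, _name, dim, detail in sorted(events):
        for rule, rule_dim, matches, weight in RULES:
            if rule_dim == dim and matches(detail):
                hits[pid].append((ts, rule, dim, weight))
        recent = hits[pid] = [h for h in hits[pid] if ts - h[0] <= WINDOW]
        # A rule counts once per window, so one noisy loop cannot inflate the score.
        score = sum({rule: w for _, rule, _, w in recent}.values())
        dims = {d for _, _, d, _ in recent}
        if score >= 8 and len(dims) >= 3:
            level = 3   # several dimensions agree: block
        elif score >= 5:
            level = 2   # suspicious: start recording activity
        else:
            level = 1 if score else 0   # single weak signal: report only
        worst[pid] = max(worst.get(pid, 0), level)
    return {pid: LEVELS[level] for pid, level in worst.items()}
```

On the constructed stream, the process that drops an executable, calls the remote-thread APIs and then resolves a random-looking name within seconds reaches "block", while a lone API call from another process is only reported.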

Endpoint ESA Benefits

Endpoint security analytics has numerous advantages over network-based products.

  • Forensics: Real-time capture of not only system and network activity, but also user interaction.
  • Encryption: Network-based devices are blind to encrypted traffic, unless it is intercepted and decrypted. This is processor intensive and routinely gets bypassed for performance and/or privacy reasons.
  • Unsecure Networks: Mobile systems wander around to all manner of filthy networks, where they can pick up malware and bring it back into the environment.
  • Real-Time Defense: It is easier to block activity at the host level, since the software only has to focus on the activities of one system, rather than many.

Endpoint ESA Challenges

However, while ESA can see a lot more on a system, it also has significantly more administrative overhead. While your average IT administrator can handle an anti-virus console, ESA consoles demand highly skilled incident handlers. These technologies generate a lot of data, only some of which is actually dangerous. Only the most mature security programs will be able to implement and use it effectively.


Old technologies never die, they are just given an HTML5 interface and have the word “next generation” prefixed to the name. The endpoint security market is coming back and this time, there may be no stopping it. This time, there is more at stake and the vendors have significantly more clever marketing. In 2005, hacking was something that happened to somebody else. Now hacking is an equal-opportunity annoyance.

However, endpoint security analytics is only one part of this story. Security Analytics is the future of information security. NGFW, SWG, DLP, and anti-virus all have their places now. They are settling into commoditization. But security analytics has nowhere to go but up. This partially explains why companies like Intel paid $7.7 billion for McAfee and Bain paid $2.4 billion for Blue Coat. The future of security is bright.

2 thoughts on “The Battle for Endpoint Security Begins (Again)”

  1. Excellent article summarizing a good part of the history. Can you also please check the “Nexthink” company? It’s one of the players in ESA and has an edge where it has an ITOA (Operation Analytics) dimension.

  2. Interesting piece, though when talking about moving beyond AV toward next-generation endpoint protection, I believe there are much better options than analytics. I’d encourage you to take a look at endpoint isolation technologies that actually prevent malware persistence by isolating the execution of untrusted code. Case in point is Bromium, which creates disposable micro-VMs on the fly for each untrusted task, and throws them away when the user is done. So if the user hits a malicious website or document, it can’t ever touch the real system. Sandboxing approaches (Invincea, Buffer Zone) do similar things, but with less robust isolation. Either way, if the goal is stopping malware and software exploitation on the endpoint, I’d rather start with an isolation technology before going down the analytics path.
