Ensilo_Blog_12-09-16-500x500.jpgIn 2017, we predict that customers will mandate the integration of both Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) capabilities into a single one-stop shop platform.

 

Earlier in 2016, Gartner Inc. shared the following worrisome statistic in their Magic Quadrant for Endpoint Protection Platforms, February 1, 2016: “Presumably, protecting 60 percent of customers has somehow become the industry benchmark for success.”

Indeed, threat actors are continuously modifying their techniques to bypass these anti-infiltration tools – examples of such include:

  • infecting devices early on in the supply chain,
  • abusing cloud sync services for lateral movement,
  • leveraging design vulnerabilities, and
  • executing data-only attacks.

 (See “Infiltration by Design” for more detail on these threat vectors.)

With customers, analysts and the vendors themselves realizing that EPPs aren’t enough, a new category has risen in the past three years: Endpoint Detection and Response (EDRs). The idea behind this technology is that everything missed by the EPP can be later detected by incident response analysts assisting EDR technologies that record all activity on the endpoint. Pretty soon this technology became the sweet child of security.

All great, in theory.

In practice, EDRs leave most security teams dazed and confused by what they need to search for. While EDRs record all the activity that an analyst would need when analyzing the threat, the analyst, to begin with, needs to know what to look for.

Simply put, there’s nothing actionable; the classic EDR is not preventative. Sure, the EDR as a post-mortem tool provides incredible information, but not when you need it most. That’s because by the time the threat is detected, the horses have left the barn and the security team is stuck figuring out what happened.  

In summary, EPPs are missing the unknowns — call it accuracy. And EDRs are missing preventative capabilities.

The market is adapting to address these gaps. The second half of 2016 brought changes: Pure EDR vendors acquired EPP vendors while more well established AV and NG-AV vendors (namely, EPP vendors) announced releases of their new EDR functionality.

But customers are still restrained from jumping with joy. These M&As, while better for the vendor’s bottom line, are still a nuisance for the end-user to manage. The customers have now received two separate platforms, two configurations, two workflows.

Now, as we continue this discussion, we know that as a vendor with endpoint presence, we’re naturally biased. But it also means that we’ve been researching, studying and building security platforms for almost two decades. Before starting this company of ours, we were security specialists – strategists, researchers, product leaders, and enterprise security leaders. We too looked for an accurate, effective endpoint protection technology that would work in real-time and be actionable. We could not find it. So we decided to build it.

It’s for this reason we can shamelessly brag that from its inception, enSilo inherently includes EDR & EPP in one effective security platform. We’re the only platform on the market today to provide the two capabilities… and more:

  • As an EPP, enSilo protects the data on the endpoint not only from theft but also tampering and ransomware.
  • We excel in EDR because we don’t just detect and allow responding… We prevent the consequences. In real-time. Pointing the analyst to the relevant search point, without the Incident Response fire drill.
  • Application Communication Control stops only un-authorized applications from communicating which reduces the threat surface dramatically. In essence, this is about further combining endpoint solutions into a one-stop shop.
  • Frictionless Security ensures your users can continue to work even on compromised endpoints.

So yes, we’re blowing our horn. But the winds of change are showing that we’ve steered towards the right direction. As the end of 2016 rolls around, we can already see that in 2017, other vendors will follow this track – demanded by their customers. Customers are fed up with point solutions. They want that combination of an effective, manageable and actionable security solution. 2017 will give them that.

What purchase criteria should organizations demand from their endpoint security platform?

  1. Manageable — The current situation of numerous installed solutions at the endpoint level is too much too handle. A feasible one-stop endpoint shop doesn’t just reduce deployment-related and maintenance costs, but can also offer accurate correlated results.

  2. PreventivePre-infection or post-infection detection (aka incident-response or forensics) are helpful, but prevention is critical. Any attack should be stopped before impacting the organization not after.

  3. AccurateSecurity operations (secops) should only be alerted to genuine Forensic teams should also receive the necessary insight to pinpoint attack sources.

  4. Real-time Real-time operation is a must. “Near real-time” or “virtually-real-time” means either negatively impacting user experience or worse, analyzing threats after inflicting damage.

  5. AutonomousNo additional security tool should be required to complement the platform from addressing its core functionality. Working with other solutions is helpful, but requiring them for the technology to function adds capital and operational costs.

  6. FrictionlessMinimum impact on business operations is essential. At a minimum, this means alerting secops to genuine threats without the false positives. But it also means that the business operations should not be impacted. Users should be able to perform any action, without compromising the company’s security Should a penetration occur, remediation of infected devices should exact minimum downtime, ideally at the time and place of user’s choosing.

edr-epp-technology-comparison-matrix.png