It is hard to imagine a PC these days without a taskbar filled with various agents, tools, and monitors. There was a time in the history of PCs when the idea of even running anti-virus was ridiculous. Those days are long since gone.
Endpoint IDS/IPS became a viable product at this time as well. All the big players rapidly acquired the innovative companies: McAfee acquired Entercept, Symantec acquired Sygate, Cisco acquired Okena, and my beloved BlackICE agent found a home at ISS (ultimately IBM). These acquisitions were spun into endpoint security suites that sold like crazy. New companies rushed into the space as well, such as Eset, Sophos, and Kaspersky. Everybody had an endpoint security suite, and new features such as encryption, application control, and data-loss prevention were being added constantly.
When the Target breach was announced in late 2013, the news went from bad, to worse, to jaw-dropping, finally settling on just being depressing. Here was a company with tremendous resources and the best technology, devastated by a huge breach. Target had all the security goodies: NGFWs, a BDS (FireEye), SWGs, people, policies, and PCI compliance reports with big green check boxes all over them. How could this happen?
Even while the world was digesting the impact of the Target breach, a new generation of endpoint security products was emerging. These new products were not anti-virus, but rather Endpoint Security Analytics (ESA). Products such as Cylance, CounterTack, Crowdstrike, and Bit9 CarbonBlack entered the market promising to detect malware without signatures, relying on the latest threat intelligence instead. Other companies were quick to jump into the market as well.
So what is inside endpoint security analytics? Most of these technologies perform some kind of behavior analysis, which we fully defined in our series on Security Analytics.
Typically, these technologies embed themselves deep into the operating system and monitor multiple dimensions of system activity, such as API calls, file writes, network traffic, and DNS requests. When a process behaves in a "malware-like" manner, the software can report the event, record the process's activity, and if necessary block it. The exact manner in which each of these technologies works varies.
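To make the "behaves in a malware-like manner" idea concrete, here is a small behavior-scoring engine added for this article; it is not code from any of the vendors named above. It consumes a constructed stream of endpoint events (process spawns, file writes, DNS lookups, outbound connections) in the spirit of what an ESA sensor collects, correlates them per process, and maps the accumulated score to the three responses the text mentions: report, record, or block. The event schema, rule weights, and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed endpoint telemetry for this example. The field names are an
# assumption; a real sensor's schema (Sysmon, a commercial EDR agent) differs.
@dataclass
class Event:
    ts: int        # seconds since boot
    pid: int
    ppid: int
    image: str     # image name of the process that performed the action
    kind: str      # "spawn", "file_write", "dns", or "net_conn"
    detail: str    # spawn: parent image; file_write: path; dns: name; net_conn: ip:port


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\")
EXECUTABLE = (".exe", ".dll", ".scr", ".ps1")

# Rule weights and response thresholds are illustrative values chosen for the
# example. The three tiers are the responses the text names.
WEIGHTS = {
    "office_spawned_interpreter": 40,
    "wrote_executable_to_user_dir": 30,
    "beaconed_after_drop": 30,
}
TIERS = ((90, "block"), (60, "record"), (30, "report"))


class BehaviorEngine:
    """Stateful per-process scoring over a stream of endpoint events."""

    def __init__(self):
        self.score = defaultdict(int)
        self.hits = defaultdict(list)
        self.dropped = set()     # pids that wrote an executable into a user dir
        self.resolved = set()    # pids that did a DNS lookup after dropping

    def _fire(self, pid, rule):
        # Each rule counts once per process so repeats don't inflate the score.
        if rule not in self.hits[pid]:
            self.hits[pid].append(rule)
            self.score[pid] += WEIGHTS[rule]

    def feed(self, ev):
        image, detail = ev.image.lower(), ev.detail.lower()
        if ev.kind == "spawn" and detail in OFFICE and image in INTERPRETERS:
            self._fire(ev.pid, "office_spawned_interpreter")
        elif ev.kind == "file_write":
            if detail.startswith(USER_WRITABLE) and detail.endswith(EXECUTABLE):
                self._fire(ev.pid, "wrote_executable_to_user_dir")
                self.dropped.add(ev.pid)
        elif ev.kind == "dns" and ev.pid in self.dropped:
            self.resolved.add(ev.pid)      # lookup after a drop: remember it
        elif ev.kind == "net_conn" and ev.pid in self.resolved:
            self._fire(ev.pid, "beaconed_after_drop")
        return self.action(ev.pid)

    def action(self, pid):
        for threshold, name in TIERS:
            if self.score[pid] >= threshold:
                return name
        return "allow"


def assess(events):
    """Run the whole stream; return {pid: (score, action, rules_fired)}."""
    engine = BehaviorEngine()
    for ev in events:
        engine.feed(ev)
    return {p: (engine.score[p], engine.action(p), list(engine.hits[p]))
            for p in {ev.pid for ev in events}}


# Constructed sample stream: a macro-launched dropper (pid 520), two benign
# processes (611, 700), and an admin saving a build script (800).
SAMPLE = [
    Event(1, 412, 300, "winword.exe", "spawn", "explorer.exe"),
    Event(2, 520, 412, "powershell.exe", "spawn", "winword.exe"),
    Event(3, 520, 412, "powershell.exe", "file_write", r"C:\Users\alice\AppData\Local\Temp\upd.exe"),
    Event(4, 520, 412, "powershell.exe", "dns", "cdn-update.example"),
    Event(5, 520, 412, "powershell.exe", "net_conn", "203.0.113.7:443"),
    Event(6, 611, 300, "notepad.exe", "spawn", "explorer.exe"),
    Event(7, 611, 300, "notepad.exe", "file_write", r"C:\Users\alice\notes.txt"),
    Event(8, 700, 300, "chrome.exe", "spawn", "explorer.exe"),
    Event(9, 700, 300, "chrome.exe", "dns", "www.example.com"),
    Event(10, 700, 300, "chrome.exe", "net_conn", "93.184.216.34:443"),
    Event(11, 800, 300, "powershell.exe", "spawn", "explorer.exe"),
    Event(12, 800, 300, "powershell.exe", "file_write", r"C:\Users\alice\scripts\build.ps1"),
]

if __name__ == "__main__":
    for pid, (score, action, rules) in sorted(assess(SAMPLE).items()):
        print(f"pid {pid}: score={score:3d} action={action:6s} rules={rules}")
```

Two things are worth noticing when you run it. The dropper only reaches "block" because three independent behaviors chain together on one process; any one of them alone would not. And the admin's build script (pid 800) still trips a rule and lands at "report", which is exactly the sort of event that lands in an analyst's queue and has to be triaged by a human.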
Endpoint security analytics has numerous advantages over network-based products: it sees process, file, and user context directly on the host, where a network sensor can only infer it from traffic.
However, while ESA can see a lot more on a system, it also carries significantly more administrative overhead. Where your average IT administrator can handle an anti-virus console, ESA consoles demand highly skilled incident handlers. These technologies generate a lot of data, only some of which reflects anything actually dangerous, and somebody has to triage the rest. Only the most mature security programs will be able to implement and use it effectively.
Old technologies never die, they are just given an HTML5 interface and have the word “next generation” prefixed to the name. The endpoint security market is coming back and this time, there may be no stopping it. This time, there is more at stake and the vendors have significantly more clever marketing. In 2005, hacking was something that happened to somebody else. Now hacking is an equal-opportunity annoyance.
However, endpoint security analytics is only one part of this story. Security Analytics is the future of information security. NGFW, SWG, DLP, and anti-virus all have their places now. They are settling into commoditization. But security analytics has nowhere to go but up. This partially explains why companies like Intel paid $7.7 billion for McAfee and Bain paid $2.4 billion for Blue Coat. The future of security is bright.