Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/18/2019
03:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

In a Crowded Endpoint Security Market, Consolidation Is Underway

Experts examine the drivers pushing today's endpoint security market to consolidate as its many players compete to meet organizations' changing demands and transition to the cloud.

The overcrowded endpoint security market is rife with activity as its many players compete to meet new enterprise demands and large companies buy small ones in hopes of staying afloat.

Gartner listed 20 companies in its "2019 Magic Quadrant for Endpoint Protection Products," says Peter Firstbrook, research vice president with the company and one of the report's authors, but he could have easily invited another 10. "There's far too many," he points out. "This market is overdue for consolidation."

What made it so crowded? There are two types of companies in the endpoint security market, which, in general, provides centrally managed technology to lock down the endpoint. The traditional giants, including McAfee, Symantec, and Kaspersky, were early players in the market and historically provided antivirus tools and firewalls to defend machines against cyberattacks.

"Then someone would come up with a new way to attack endpoints, and someone else would come up with a way to block those attacks," says John Pescatore, SANS' director of emerging security trends, of how the market evolved – until a new wave of companies introduced the idea that protection is never perfect. Businesses must be able to detect and respond to threats.

The shift to endpoint detection and response (EDR), and the consequent proliferation of endpoint-focused companies, began when ransomware started to become a major enterprise problem, Firstbrook explains. Incumbent providers were complacent in their roles and "caught flat-footed" when ransomware hit. It wasn't necessarily the vendor's fault, he adds, noting that customers didn't always upgrade their systems as needed. Still, the problem demanded a change in how organizations approached security and kept their security software up-to-date. 

"Ransomware was a big wake-up call, costing serious amounts of money, and companies were going out of business," Firstbrook says. Incoming EDR companies, including CrowdStrike, Carbon Black, SentinelOne, and Endgame, took an approach to security the older players hadn't, with behavioral-based detection instead of seeking indicators of compromise. It's much more efficient to watch for strange behavior than to watch for every version of malicious software.

"It's really hard for [attackers] to completely rearchitect a program," Firstbrook says. "Behavioral-based detection forces them to rewrite it. EDR and behavioral detection are becoming primary components of endpoint detection solutions." EDR companies brought several new advantages — for example, the ability to run on top of more traditional platforms.

These startups, with their new behavioral-based approach and "assumed breach" mindset, generated venture capital money, Firstbrook explains, and the market grew. Both old and new endpoint security businesses have their strengths. Now, there are simply too many of them.

Redefining the Endpoint
One of the biggest trends in today's endpoint security market is product management, and much of the decision-making for security products is moving to the cloud. Traditional endpoint companies sold on-premises systems to communicate with a central cloud server that provides IOC data. That made it tough to keep users updated; however, moving management servers to the cloud eliminates this requirement and gives users the most current protection.

Cloud and virtualization are changing the definition of the endpoint and companies' approach to securing it, SANS' Pescatore explains. As the attack surface grows to include firmware and supply chain attacks, organizations are investing more in cloud-native products to protect themselves.

The promise of a cloud-based platform is as threats change, companies can detect and react to changes without having to install any new management software. They don't have to maintain the management server, it's easy to get up and running, and it's easy to pull data from clients outside the network. While "cloud native" is hard to define, Firstbrook points to CrowdStrike as the best example, citing its lightweight architecture and role as a rules enforcement engine and data collection engine. If a company has an idea for how to create a rule, it can do it.

Amid such a disruptive period, it can be difficult for bigger firms to keep up. Firstbrook points to Symantec: It offers a cloud-based management console, but there is not a lot of integration between protective technology and EDR technology. He says it may be a little more clunky, and a little less efficient, until the company converges to fully cloud-native architecture.

"They see the changes, and they're addressing them, but I think at this point it's such a big change they may not make the changes in time to really capture it," Firstbrook adds.

On top of the move to cloud, there is a greater demand for simplicity, says Hank Thomas, partner at Strategic Cyber Ventures. Security buyers in the enterprise are tired of dealing with complex systems and multiple point products for narrowly focused needs. "They want to focus on security tools that they can remotely maintain and are consolidated in one place," he said.

Endpoint security products are becoming harder to use, Firstbrook points out. People want them to be more sensitive, but they're not always qualified to review the data and say whether it's a false positive or actual threat. As a result, vendors are starting to provide more operational services, from installation, to configuration, to light management, to full management. IT teams don't have time to swap out their vendors, learn a new tool, and continuously monitor it.

"Endpoint is something everyone has to do, but not every company has to be an expert in," he adds. Going forward, it will be important for endpoint security tools to adopt to different detection technologies or new machine learning techniques without the client needing to act.

Too Many Cooks in the Kitchen?
The endpoint security market has grown packed with companies old and young attempting to meet these new enterprise demands. Several recent acquisitions underscore the growing importance of new technologies among older companies struggling to innovate, experts say.

{Continued on next page} 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13581
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A heap-based buffer overflow allows remote attackers to cause a denial of service or execute arbitrary ...
CVE-2019-13582
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A stack overflow could lead to denial of service or arbitrary code execution.
CVE-2019-6659
PUBLISHED: 2019-11-15
On version 14.0.0-14.1.0.1, BIG-IP virtual servers with TLSv1.3 enabled may experience a denial of service due to undisclosed incoming messages.
CVE-2019-6660
PUBLISHED: 2019-11-15
On BIG-IP 14.1.0-14.1.2, 14.0.0-14.0.1, and 13.1.0-13.1.1, undisclosed HTTP requests may consume excessive amounts of systems resources which may lead to a denial of service.
CVE-2019-6661
PUBLISHED: 2019-11-15
When the BIG-IP APM 14.1.0-14.1.2, 14.0.0-14.0.1, 13.1.0-13.1.3.1, 12.1.0-12.1.4.1, or 11.5.1-11.6.5 system processes certain requests, the APD/APMD daemon may consume excessive resources.