Introducing the Endpoint Advanced Protection Buyer’s GuideBy Mike Rothman
Endpoint security has undergone a renaissance. Similar to network security a decade ago, the technology had not seen significant innovation for years and the adversaries had improved to a point where many organizations questioned why they kept renewing their existing endpoint protection suites. It was an untenable situation.
The market spoke and security companies have responded with a wave of new offerings and innovations that do a much better job of detecting advanced adversaries and the techniques they use to obfuscate their activities. To be clear, there is no panacea. Nothing is 100% effective in protecting endpoints. But the latest wave of products have improved dramatically over what was available two years ago.
But that creates a conundrum for organizations of all sizes. With so many vendors addressing the endpoint security market with seemingly similar offerings, what should a customer buy? What features make the most sense, depending on the sophistication and adversaries that organizations face? Ultimately, how can they make heads or tails out of the noise that comes from the security marketing machinery?
For us at Securosis, it was a frustrating situation. So many buzzwords were thrown around without context. New companies emerged making (what we thought were) outrageous claims about effectiveness. Some of the nonsense reminds us of a certain database vendor’s Unbreakable claims. Yes, we’ve been in this business a long time. And yes, we’ve seen pretty much everything. Twice. But we’ve never seen a product that blocks every attack with no false positives. Even if some companies were making that claim.
Sadly enough that was only the tip of the iceberg of our irritation. There was a public test of these endpoint solutions that we thought drew the wrong conclusions with a suspect testing methodology. If the tests were to be believed, some products kicked butt and others totally sucked. But we’ve talked with a bunch of folks that got results that were consistent with the public tests and others where the results were diametrically opposed. And not every company with decent technology was included in the tests. So if a customer was making a choice entirely based on this public test, they could be led astray because ultimately how a product will perform in your environment can only really be determined by testing it in your environment.
In Securosis-land, frustration and irritation causes action. So we got irritated and decided to provide some clarity to a very murky environment. If we could help organizations figure out what capabilities were important to them based on the problem they were trying to solve, they’d be a much more educated consumer when sitting with the endpoint security vendors. If we could map out a process for them to test the efficacy of each product and be able to compare “apples to apples,” then they’d make a much better purchase decision based on their requirements, not how many billboards a well funded vendor buys.
Just to be clear, billboards and other marketing activity is not a bad thing. You can’t grow a sustainable company without a significant amount of marketing and brand building. But it’s not a reason to buy an endpoint security product. We have found little correlation between marketing spend and product capability.
So Securosis is writing an Endpoint Advanced Protection Buyer’s Guide. This comprehensive project will provide organizations with what they need to select and evaluate endpoint security products. It will roll out over the next month, and be delivered in two parts:
Selection Criteria: This part of the Buyer’s Guide will be focused on the capabilities you need to address the problems you face. We’ll explain terms like file-less malware and exploit pathways, so when the vendors use these terms – you’ll know what they are talking about. We will also be preparing a matrix that will allow you to assess the capabilities against your own requirements, based on the attacks you believe you’ll face.
POC Guide: Figuring out what product seems to fit is only half the battle. You have to make sure it works in your environment. That means a Proof of Concept (POC) to prove the value and that the product do what they say they do. You know, that old “Trust, but verify” thing. So we’ll map out a process to test the capabilities of endpoint security products.
Prevention vs. Detection/Response
There has also been a pseudo-religious battle being waged, in terms of trying to block attacks versus focusing on detection and response once an attack is successful. We aren’t religious folks, and believe the answer is both. As mentioned above, we don’t buy into the hype that any product can stop every attack. Nor do we believe that prevention is totally useless either. So you’ll be looking at both prevention technologies and detection/response. But maybe not at the same time.
So we’ll prepare versions of the Buyer’s Guide specifically for prevention and detection/response. And yes, we’ll also integrate the two for those that want to evaluate a comprehensive Endpoint Advanced Protection Suite.
For those of you familiar with the Securosis business model, you know we post research on our blog and then license that content to educate the industry. You also probably know that we do research based on our Totally Transparent Research methodology. We don’t talk about specific vendors, nor do we mention or evaluate specific products. Yet, why would an endpoint company license a totally vendor neutral buyer’s guide that educates customers to see through marketing shenanigans?
Because they believe in their products. And they want to opportunity to show that their products to actually present a better mousetrap and can solve the issues facing organizations relative to protecting their endpoints.
So hats off to our licensees for this project. They are equipping their prospects to ask tough questions and to evaluate their technology in an objective fashion. We want to thank (in alphabetical order) Carbon Black, Cybereason, Cylance, ENDGAME, FireEye, SentinelONE and Symantec for supporting this effort. We expect there may be a handful of others later in the year, and we’ll recognize them when they come onboard.
We’ll post pieces of the Buyer’s Guide to the blog over the next month. As always, we value the feedback of our readers, so it you see something wacky, let us know.