There's no lack of endpoint security software vying for your budget. Here’s a simple, no-nonsense way of understanding what does what and what’s right for you.
Antivirus. Anti-malware. Endpoint detection and response. Incident isolation. Containerization. Heuristics and behavior-based tools. Threat intelligence. Artificial intelligence. Machine learning. And "next generation" versions of just about everything on this list...
If you're one of the 86% of IT professionals planning on replacing or augmenting your existing antivirus, chances are you're already getting tired of seeing buzzwords and having to read between the lines to determine what all these new security solutions actually do.
Trying to figure out the difference between what one vendor calls "threat prevention" and another calls "advanced endpoint protection" probably isn't what you'd prefer to be doing with your time. The good news is there's a surprisingly simple way of thinking about the endpoint security landscape that can help you straighten things out fairly quickly.
Before we dive into it, let’s take one quick second to step back and look at the problem that sparked this explosion of different endpoint security options in the first place.
The Problem that Made Things Complicated:
For years, endpoint security has primarily meant antivirus. The way antivirus has traditionally worked is by relying on signature-based detection. Since every file has unique identifying data (a signature), once antivirus vendors discover a piece of malware they add its signature to a blacklist of programs they can block. It's basically like using fingerprints to keep a record of criminals and identify them later.
That approach worked wonders for spotting older malware that’s already been flagged and tagged by security researchers, but today it leaves users open to getting infected by new malware and malware that attackers have disguised. That's a big problem, because, according to Verizon’s 2016 Data Breach Investigations Report, 99% of malware is only seen once before hackers modify the code so it can continue evading detection.
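To make the signature-matching limitation above concrete, here is an added illustration (not code from the original post or from any vendor it names). It assumes a toy blocklist with two classic signature types, a full-file SHA-256 hash and a byte pattern, which goes slightly beyond the post's fingerprint analogy, and it scans a constructed, harmless byte string standing in for a malware sample.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One blocklist entry: a name, a kind ("sha256" or "pattern"), and a hex value."""
    name: str
    kind: str
    value: str


def sha256_hex(data: bytes) -> str:
    """Full-file fingerprint, the classic AV 'signature' the post describes."""
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, signatures) -> list:
    """Return the names of every signature that matches the given file contents."""
    hits = []
    digest = sha256_hex(data)
    for sig in signatures:
        if sig.kind == "sha256" and sig.value == digest:
            hits.append(sig.name)
        elif sig.kind == "pattern" and bytes.fromhex(sig.value) in data:
            hits.append(sig.name)
    return hits


# Constructed stand-in for a malware sample: inert bytes, not a real program.
SAMPLE = b"MZ\x90\x00" + b"ConstructedDemoPayload-v1" + b"\x00" * 16

# Constructed blocklist, as a vendor would ship it once the sample is known.
BLOCKLIST = [
    Signature("Demo.Hash", "sha256", sha256_hex(SAMPLE)),
    Signature("Demo.Pattern", "pattern", b"ConstructedDemoPayload".hex()),
]


def variants() -> dict:
    """The original plus two trivially altered copies, to show what each signature survives."""
    padded = SAMPLE + b"\x00"                       # one appended byte: hash changes
    edited = SAMPLE.replace(b"Payload", b"Payl0ad")  # one character edit: pattern also misses
    return {"original": SAMPLE, "padded": padded, "edited": edited}


if __name__ == "__main__":
    for label, data in variants().items():
        print(f"{label:9s} -> {scan(data, BLOCKLIST) or 'no match'}")
```

The hash signature only ever catches the exact bytes it was built from, and even the broader byte pattern stops matching after a single character change, which is why the post argues for layering behavior-based detection on top of signatures.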
But if AV and other traditional endpoint protection technologies aren’t enough to protect your organization against today’s modern attacks, where are you supposed to turn?
The honest answer is this is an area of security that's very much in flux. Hence the explosion of new solutions (many pitched as "next-generation" products) as vendors jockey to become the next go-to option.
So what does calling a security solution "next generation" really mean? It means it has functionality that attempts to pick up where traditional, signature-based antivirus leaves off.
It's that simple.
It's a term that can be applied to products that use any number of different approaches (e.g. machine learning, behavioral analysis), so it's important to dig in whenever you see it and find out what a solution really does.
Side note: In the case of Barkly, we believe we're taking an entirely new approach to stopping malware, so we don't call ourselves a "next generation" version of anything. Find out more about how we work here.
The real key when researching security software is to avoid getting too caught up in vendor buzzwords and terminology. Make sure you're assessing solutions on your terms, not theirs, and that you have your own sense of your top needs and priorities before you listen to them try to tell you what those are.
With all that said, here is one way of segmenting the endpoint security landscape that may help you understand what all these products actually do and narrow down your search.
The Key to Understanding All the Different Solutions:
The clearest way to get a handle on the many endpoint security solutions out there is to first decide how you want to address your current reliance on antivirus:
From this overview, we can see there are three primary categories of solutions designed to pick up where antivirus leaves off. Let’s dive into the pros and cons of each.
Despite its blind spots, the truth is AV technology remains an integral (and in some cases, a compliance-required) component of many organizations’ security stacks. And for good reason — it can still be quite effective at blocking a vast amount of older malware that is still very much in use.
As with any security solution, the mistake is thinking AV can be 100% effective on its own. To address its gaps, the preferred solution for many organizations is to augment it with one of the following types of technologies:
Rather than relying on signatures to identify malware, behavior-based security solutions spot it by watching how it acts. This allows them to identify malware even if it’s disguised or hasn’t been seen before. Once they detect the tell-tale signs of malicious activity these products can block those behaviors immediately, before the malware can do any harm.
Example vendor: Barkly
Antivirus software requires frequent updates to keep its signature database current. This makes maintaining a strong security posture across all endpoints a challenge, especially in large organizations. Configuration and update management platforms centralize endpoint information and help companies address that problem.
Example vendor: Tanium
The second option being offered to organizations looking to improve their security is to abandon their traditional antivirus products altogether and replace them with “next generation” antivirus solutions that leverage additional capabilities.
Next-generation antivirus tools do many of the things that traditional antivirus does, including signature-matching against a whitelist or blacklist. Typically, these platforms include newer functionality like machine learning or downstream behavioral recognition to detect attacks that are already in progress.
Example vendors: Confer, Cylance, SentinelOne, Webroot
The shortcomings exposed in traditional signature-based solutions like AV have also prompted many security vendors to give up on prevention altogether, and focus on enabling post-infection detection and response instead. Here are a few examples of the types of tools organizations are using to better determine when they’ve been attacked and how it happened:
SIEM platforms give IT admins a centralized dashboard of security activity across their systems and network. These platforms typically integrate with other protection tools, pulling in information via API.
Example vendor: AlienVault
Incident response solutions focus on helping companies detect and respond to malware that is already on their systems. They give companies the information they need to stop the attack from spreading and eventually clean up the system.
Example vendors: Carbon Black, CounterTack, Crowdstrike, Malwarebytes
Incident isolation products isolate and contain attacks that have already breached an endpoint, preventing them from spreading further across your systems and network.
Example vendors: Bromium, Invincea
Of course, this is far from a comprehensive list. There are other endpoint security options out there, and likely more on the way. But each should fall into one of these three categories — antivirus enhancement, antivirus replacement, or detection and response — and that should help you understand not only what it can help you do, but how it relates to other products including those in your existing security stack.