How to
Jonathan Crowe
Jun 2016

The Clear-Cut Guide to Understanding Endpoint Security Software ("Next Gen" Included)


There's no lack of endpoint security software vying for your budget. Here’s a simple, no-nonsense way of understanding what does what and what’s right for you.


Antivirus. Anti-malware. Endpoint detection and response. Incident isolation. Containerization. Heuristics and behavior-based tools. Threat intelligence. Artificial intelligence. Machine learning and "next generation" just about everything on this list...

If you're one of the 86% of IT professionals planning on replacing or augmenting your existing antivirus, chances are you're already getting tired of seeing buzzwords and having to read between the lines to determine what it is all these new security solutions actually do. 

Trying to figure out the difference between what one vendor calls "threat prevention" and another calls "advanced endpoint protection" probably isn't what you'd prefer to be doing with your time. The good news is there's a surprisingly simple way of thinking about the endpoint security landscape that can help you straighten things out fairly quickly. 

Before we dive into it, let’s take one quick second to step back and look at the problem that sparked this explosion of different endpoint security options in the first place.


The Problem that Made Things Complicated:

Traditional Antivirus Alone Isn’t Enough

For years, endpoint security has primarily meant antivirus. The way that antivirus has traditionally worked is by relying on signature-based detection. Since every file has unique identifying data (a signature), once antivirus vendors discover a piece of malware they add its signature to a blacklist of programs that they can block. It’s basically like using fingerprints to keep a record of criminals and identify them later.

That approach worked wonders for spotting older malware that’s already been flagged and tagged by security researchers, but today it leaves users open to getting infected by new malware and malware that attackers have disguised. That's a big problem, because, according to Verizon’s 2016 Data Breach Investigations Report, 99% of malware is only seen once before hackers modify the code so it can continue evading detection.
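To make the limitation concrete, here is a small added example (not from the original post or from any vendor) that models the two common signature styles, an exact file hash and a byte pattern, against a constructed stand-in file and two modified copies of it. The sample bytes and signature names are made up for the demonstration; none of it is real malware.

```python
import hashlib

# Constructed stand-in for a file that researchers have already flagged.
# It is just a fake header plus a distinctive byte string, not real malware.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b"EXAMPLE-DISTINCTIVE-ROUTINE" + b"\x00" * 8

# Signature style 1: exact file hash. One blocklist entry matches one exact byte stream.
HASH_BLOCKLIST = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Signature style 2: byte pattern. Matches any file that still contains the flagged bytes.
PATTERN_SIGNATURES = {"example-routine": b"EXAMPLE-DISTINCTIVE-ROUTINE"}


def hash_match(data: bytes) -> bool:
    """True when the file's SHA-256 is on the hash blocklist."""
    return hashlib.sha256(data).hexdigest() in HASH_BLOCKLIST


def pattern_match(data: bytes) -> list:
    """Names of the byte-pattern signatures found anywhere in the file."""
    return [name for name, pattern in PATTERN_SIGNATURES.items() if pattern in data]


def classify(data: bytes) -> str:
    """Verdict from signatures alone: which style, if any, still catches the file."""
    if hash_match(data):
        return "blocked:hash"
    if pattern_match(data):
        return "blocked:pattern"
    return "allowed"


# Variant 1: the same file with trailing padding. The hash changes but the pattern survives,
# so a hash-only blocklist already misses it while a pattern signature still fires.
PADDED_VARIANT = KNOWN_SAMPLE + b"\x00" * 4

# Variant 2: the flagged routine itself has been rewritten. Neither signature style matches;
# this is the gap that the behavior-based tools discussed later are meant to close.
REWRITTEN_VARIANT = KNOWN_SAMPLE.replace(b"EXAMPLE-DISTINCTIVE-ROUTINE", b"example-rewritten-routine")

if __name__ == "__main__":
    for label, sample in [("original", KNOWN_SAMPLE), ("padded", PADDED_VARIANT), ("rewritten", REWRITTEN_VARIANT)]:
        print(f"{label:10s} -> {classify(sample)}")
```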



But if AV and other traditional endpoint protection technologies aren’t enough to protect your organization against today’s modern attacks, where are you supposed to turn?

The honest answer is this is an area of security that's very much in flux. Hence the explosion of new solutions (many pitched as "next-generation" products) as vendors jockey to become the next go-to option.


So what does calling a security solution "next generation" really mean? It means it has functionality that attempts to pick up where traditional, signature-based antivirus leaves off.

It's that simple. 


It's a term that can be applied to products that utilize any number of different approaches (ex: machine learning, behavioral analysis, etc.), so it's important to dig in whenever you see it to find out what a solution really does. 

Side note: In the case of Barkly, we believe we're taking an entirely new approach to stopping malware, so we don't call ourselves a "next generation" version of anything. Find out more about how we work here.

The real key when researching security software is to avoid getting too caught up in vendor buzzwords and terminology. Make sure you're assessing solutions on your terms, not theirs, and that you have your own sense of your top needs and priorities before you listen to them try to tell you what those are.

With all that said, here is one way of segmenting the endpoint security landscape that may help you understand what all these products actually do and narrow down your search.


The Key to Understanding All the Different Solutions:

You've Got 3 Options for Closing the Gap in Your Security

The clearest way to get a handle on the many endpoint security solutions out there is to first decide how you want to address your current reliance on antivirus:

  • Do you want to continue using antivirus to stop known malware, but enhance its effectiveness with complementary solutions that address its blindspots? Focus on antivirus enhancement solutions.
  • Do you want to replace antivirus with a product that performs the same function but with new technology? Focus on antivirus replacement solutions.
  • Or do you want to move away from prevention altogether, and focus your efforts on detecting and responding to attacks instead? Focus on alternative endpoint detection and response solutions.


The Endpoint Security Software Landscape


From this overview, we can see there are three primary categories of solutions designed to pick up where antivirus leaves off. Let’s dive into the pros and cons of each.


Option 1: Enhance Antivirus


Pros:

  • Protect yourself against attacks that hide from current antivirus
  • Avoid switching costs by keeping your current antivirus tools
  • Improve protection immediately without waiting for a multiyear contract to expire

Cons:

  • Adding another product on top of AV will increase your security spend
  • Managing multiple products can add operational complexity

Despite its blind spots, the truth is AV technology remains an integral (and in some cases, a compliance-required) component of many organizations’ security stacks. And for good reason — it can still be quite effective at blocking a vast amount of older malware that is still very much in use.

As with any security solution, the mistake is thinking AV can be 100% effective on its own. To address its gaps, the preferred solution for many organizations is to augment it with one of the following types of technologies:

Behavior-based prevention

Rather than relying on signatures to identify malware, behavior-based security solutions spot it by watching how it acts. This allows them to identify malware even if it’s disguised or hasn’t been seen before. Once they detect the tell-tale signs of malicious activity these products can block those behaviors immediately, before the malware can do any harm.

Example vendor: Barkly

Configuration and update management

Antivirus software requires frequent updates to keep its signature database current. This makes maintaining a strong security posture across all endpoints a challenge, especially in large organizations. Configuration and update management platforms centralize endpoint information and help companies address that problem.

Example vendor: Tanium


Option 2: Replace Antivirus


Pros:

  • Get the benefits of multiple protection functions in one solution
  • Next-gen companies can move faster to improve their product than traditional AV

Cons:

  • Replacing your AV solution may force you to move away from an established relationship with a vendor you trust
  • Your existing AV may have additional functionality you don’t want to give up
  • You may be in the middle of a license agreement or subscription contract with your AV vendor that you would have to break

The second option being offered to organizations looking to improve their security is to abandon their traditional antivirus products altogether and replace them with “next generation” antivirus solutions that leverage additional capabilities.

Next-generation antivirus

Next-generation antivirus tools do many of the things that traditional antivirus does, including signature-matching against a whitelist or blacklist. Typically, these platforms include newer functionality like machine learning or downstream behavioral recognition to detect attacks that are already in progress.

Example vendors: Confer, Cylance, SentinelOne, Webroot


Option 3: Focus on Detection & Response


Pros:

  • Know what’s happening across all your systems at all times
  • Get alerted to suspicious activity and attacks in progress
  • Understand what happened so you can clean up your system and avoid repeat attacks

Cons:

  • Getting alerted about an attack after the fact often means damage has already been done (ransomware is a good example)
  • Leveraging these solutions often requires security experts on staff to analyze a host of data and alerts

The shortcomings exposed in traditional signature-based solutions like AV have also prompted many security vendors to give up on prevention altogether, and focus on enabling post-infection detection and response instead. Here are a few examples of the types of tools organizations are using to better determine when they’ve been attacked and how it happened:

Security information & event management (SIEM)

SIEM platforms give IT admins a centralized dashboard of security activity across their systems and network. These platforms typically integrate with other protection tools, pulling in information via API.

Example vendor: AlienVault

Incident response

Incident response solutions focus on helping companies detect and respond to malware that is already on their systems. They give companies the information they need to stop the attack from spreading and eventually clean up the system.

Example vendors: Carbon Black, CounterTack, Crowdstrike, Malwarebytes

Incident isolation

Incident isolation products work to isolate and contain attacks that have already breached your system, to prevent them from further infiltrating your system and network.

Example vendors: Bromium, Invincea


One Last Note

Of course, this is far from a comprehensive list. There are other endpoint security options out there, and likely more on the way. But each should fall into one of these three categories — antivirus enhancement, antivirus replacement, or detection and response — and that should help you understand not only what it can help you do, but how it relates to other products including those in your existing security stack.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.