Pity endpoint security software. Venerable antivirus has gotten a bad reputation for being an ineffective commodity product. This situation is illustrated by some recently published ESG research (note: I am an employee of ESG). Security professionals working at enterprise organizations (i.e. more than 1,000 employees) were given a series of statements and asked whether they agreed or disagreed with each. The research revealed that:
- 62% of respondents "strongly agreed" or "agreed" with the statement: "Endpoint security software is effective for detecting/blocking older types of malware but is not effective for detecting/blocking zero day and/or polymorphic malware commonly used for targeted attacks today."
- 52% of respondents "strongly agreed" or "agreed" with the statement: "Our continued use of traditional endpoint security software is driven by regulatory compliance requirements for the most part."
- 44% of respondents "strongly agreed" or "agreed" with the statement: "Endpoint security software is a commodity product with little measurable differences between brands."
Wow, it's no wonder why some have declared that endpoint security software is "dead." Negative opinions like these have put leading security firms like Kaspersky, McAfee, Sophos, Symantec, Trend Micro, and Webroot on the defensive and opened the door for endpoint antimalware upstarts like Bromium, Cisco/Sourcefire, Cylance, Crowdstrike, IBM, Invincea, Malwarebytes, and Triumfant.
No question that new threats and requirements are changing the endpoint market and this is sure to disrupt the status quo. That said, there is more to this story than technology alone. Allow me to elaborate.
Endpoint security software was considered somewhat of a security panacea in the past. Install AV on each PC, maintain a steady diet of vulnerability scanning, patch management, and signature updates and you were pretty well protected from the flood of pedestrian adware, spyware, viruses, and worms.
This formula worked pretty well for many years, leading to a "set it and forget it" mentality in many organizations. And since AV software was part of standard PC configurations, endpoint security management was delegated to junior IT operations personnel who owned PC provisioning and help desk support.
Alas, somewhere around 2007 the endpoint security landscape changed. Organized hackers got serious about attacks by using stealthy malware, evasion techniques, rootkits, and zero-day exploits. In response, endpoint security software vendors introduced countermeasures like static/dynamic payload analysis, file reputation services, and integrated cloud intelligence.
Yup, cybersecurity was going through a profound change as malware and endpoint security vendors engaged in an accelerating cat and mouse technology game. Unfortunately, many of the foot soldiers in this battle (i.e. the IT operations team) were caught in the "fog of war." In too many cases, they didn't know about advanced malware or the new antimalware capabilities baked into their traditional AV products. These folks simply continued to deploy endpoint security in a default configuration, rendering it less-and-less effective over time.
Regrettably, this situation still exists at many organizations. IT operations handles endpoint security, deploys endpoint security software in some minimal configuration, organizations get breached, and pundits declare AV as "dead."
This is a pathetic state of affairs, and it needs to change. CISOs must take ownership of endpoint security and designate a group of specialists who own endpoint security controls as part of an overall responsibility for incident prevention, detection, and response. This group should gain an understanding of endpoint security requirements and product capabilities and then create a plan to tailor endpoint security controls to mitigate risk on various types of endpoint devices.
In summary, we've treated endpoint security as a PC provisioning and IT operations task for too long. By doing so, we are assigning endpoint security to staffers with the wrong skills and we aren't using our endpoint security tools correctly. I suggest we fix this organizational issue before making radical changes to our endpoint security technology strategies or throwing existing endpoint security technologies under the proverbial bus.