The endpoint security market is consolidating. Two distinct product categories, the endpoint protection platform (EPP) and endpoint detection and response (EDR), are being merged into one offering that provides pre-execution prevention, post-execution detection, and response and remediation. Gartner estimates that 40% of EDR deployments use EDR and EPP from the same vendor. EDR vendors are adding or improving their prevention capabilities, while legacy EPP vendors are integrating EDR capabilities.
So how did the market get here? The progression from the first antivirus products to today's endpoint protection platforms began in the 1980s, and the forty years since have been a winding course of trial and error.
The first antivirus products were released in the late 1980s, and the industry scaled up in parallel with the malware it fought; by the late 1990s, major players like Symantec and F-Secure had antivirus products on the market. By the turn of the century, viruses were spreading on a global scale: the Melissa virus was purported to have caused $80M in damages, and ILOVEYOU infected tens of millions of machines.
Antivirus was effective for a time. In a world with dozens of viruses, a signature-based scanner that matched each file against a list of known-bad byte patterns was adequate. But as the number of viruses stretched into the thousands, and as polymorphic malware (which rewrites its own bytes on every generation) and packed or encrypted files (whose malicious content is not visible until run time) spread aggressively, a signature written against one sample no longer matched the next. Signature-based detection was far from a permanent or standalone solution.
Antivirus posed two main challenges for businesses. First, signature-based techniques were no longer highly effective. Second, keeping large signature files up-to-date across enterprise endpoints was an operational burden, and a bad signature update would sometimes flag legitimate files as malicious, breaking the systems it was meant to protect. Antivirus neither provided prevention in depth nor reliably did no harm.
Looking back to the late 1990s, developments like the personal firewall and what would later become host-based intrusion prevention were already seeking architectural ways to beat viruses and hackers rather than relying on known-bad signatures. By the early 2000s, early application whitelisting had begun to tackle the inverse problem: rather than cataloguing "everything bad", it tracked "everything good", a set that dramatically outnumbers the bad and has to be enumerated and maintained for each environment.
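As an added illustration of the two points above (this is not code from the original post or from any product), here is a toy signature scanner, a toy polymorphic packer that defeats it, and a hash allowlist that tracks "everything good" instead. The payload string, the signature, the approved binary and the packer's stub format are all constructed for the example; none of it executes anything.

```python
"""Added example (not from the original post): a toy signature scanner, a toy
polymorphic packer that defeats it, and a hash allowlist that does not care.
Every sample, signature and hash below is constructed for illustration."""
from __future__ import annotations

import hashlib
import os

# Constructed stand-in for a malicious payload body. It is an inert byte
# string; nothing in this file executes it.
PAYLOAD = b"cmd.exe /c del /q C:\\Users\\*\\Documents\\*.docx"

# Constructed signature database: detection name -> fixed byte pattern, the
# kind of static pattern an early antivirus engine matched against each file.
SIGNATURES = {
    "Constructed.DocWiper": b"del /q C:\\Users\\*\\Documents",
}

# Constructed stand-in for an approved binary, and the allowlist of SHA-256
# hashes the organisation has vetted ("everything good").
APPROVED_BINARY = b"MZ\x90\x00 constructed stand-in for an approved editor binary"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


ALLOWLIST = {sha256(APPROVED_BINARY)}


def signature_scan(sample: bytes) -> list[str]:
    """Blocklist model: report every signature whose pattern occurs in the file."""
    return [name for name, pattern in SIGNATURES.items() if pattern in sample]


# Marker standing in for the decoder stub a packer prepends to the encoded body.
STUB = b"XORPACK1"
KEY_LEN = 16


def polymorphic_pack(payload: bytes, key: bytes | None = None) -> bytes:
    """Toy packer: XOR the payload with a per-build random key and prepend a
    stub. Each build has different bytes, so no fixed pattern survives."""
    key = key if key is not None else os.urandom(KEY_LEN)
    assert len(key) == KEY_LEN
    body = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(payload))
    return STUB + key + body


def unpack(sample: bytes) -> bytes:
    """Reverse the packer: what the stub does at run time on the victim, and
    what a scanner that recognises this stub can do before execution."""
    key = sample[len(STUB):len(STUB) + KEY_LEN]
    body = sample[len(STUB) + KEY_LEN:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))


def signature_scan_with_unpacking(sample: bytes) -> list[str]:
    """Scanner upgraded to know this one packer. A new or modified stub would
    send it back to square one; that is the signature arms race in miniature."""
    if sample.startswith(STUB):
        sample = unpack(sample)
    return signature_scan(sample)


def allowlist_decision(sample: bytes) -> str:
    """Allowlist model: run only what has been vetted. Polymorphism is
    irrelevant, but every legitimate build must be enumerated in advance."""
    return "allow" if sha256(sample) in ALLOWLIST else "block"


def demo() -> dict[str, object]:
    packed_a = polymorphic_pack(PAYLOAD)
    packed_b = polymorphic_pack(PAYLOAD)
    return {
        "plain_sig_hits": signature_scan(PAYLOAD),
        "packed_sig_hits": signature_scan(packed_a),
        "builds_differ": packed_a != packed_b,
        "unpacked_sig_hits": signature_scan_with_unpacking(packed_a),
        "packed_allowlist": allowlist_decision(packed_a),
        "approved_allowlist": allowlist_decision(APPROVED_BINARY),
        # The operational cost: an updated but legitimate build is blocked
        # until someone adds its hash.
        "patched_approved_allowlist": allowlist_decision(APPROVED_BINARY + b" v2"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The plain payload matches the signature, every packed build is different bytes and matches nothing, and the scanner only recovers the match because it was taught this particular stub; that is the cycle the text describes, with vendors emulating known packers and malware authors shipping new ones. The allowlist blocks the packed build without knowing anything about it, but it also blocks the patched copy of the approved binary, which is why tracking "everything good" turned into an operational project rather than a signature download.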
By the late 2000s, growing doubts about antivirus and the maturing of these additional tools pushed the industry toward next-generation antivirus. Leaders in the antivirus market began applying techniques such as machine learning and cloud-based analysis to examine legitimate and malicious software more thoroughly. In some cases these techniques became standalone next-generation antivirus products; in others they merely supplemented existing antivirus. A single security approach was no longer an option: the next evolution of enterprise endpoint security had to apply multiple methods as part of one combined solution, the Endpoint Protection Platform (EPP).
Some organizations also began investing in technologies to detect, investigate, and remediate malicious activity that had already gotten past prevention: what is now known as endpoint detection and response (EDR). This includes our cofounders, Lior, Yossi, and Yonatan, who founded Cybereason in 2012 to face modern threats with EDR.
And it wasn't only EDR: the industry also experimented with approaches outside the endpoint that did not produce viable standalone products. User and entity behavior analytics (UEBA) is one example; it survives today largely as an analytics feature of SIEM.
The need for a defense that combined multiple approaches was hammered home by the 2013 Target data breach, which exposed roughly 40 million payment card accounts and the personal data of up to 70 million customers, and cost Target an $18.5M multi-state settlement, the largest for a data breach as of 2017.
Traditional EPPs focus exclusively on preventing initial infection through a combination of antivirus, data encryption, personal firewalls, intrusion prevention, and data loss prevention. They largely omit other critical capabilities such as hardening, incident detection, and incident response. This left an opening for security companies to mesh the prevention capabilities of next-generation antivirus with detection and response, and with integrations such as network detection, SOAR, and SIEM.
Driven largely by the MITRE ATT&CK evaluations, the industry redefined what an EPP should do, extending it to detecting adversary behavior. Gartner's definition of an EPP changed accordingly: as of 2018, an EPP is a solution deployed to endpoint devices to prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.
This opened a door for EDR vendors to enter a much larger market, moving from a $1B EDR market to the $7B EPP market. It also put pressure on traditional EPP vendors to develop EDR capabilities to stay competitive, a large shift from antivirus.
This brings us to the present day, with EDR vendors going all in on the EPP market and EPP vendors adopting EDR capabilities.
The endpoint security market is constantly adapting to the needs of the industry. To stay competitive, vendors must adopt a dual approach: prevention plus detection and response. The hope is that this will fuel cutting-edge prevention that leverages EDR visibility and capabilities. With the rise of evasive techniques like fileless attacks, which leave no file on disk for a scanner to inspect, it could not be more timely for prevention to evolve once again.