EDR Convergence Into Traditional Endpoints Is Overblown And Misdirected
I’m going to start this blog post by saying that if you only read one paragraph, scroll down and make it the last one.
I’m frequently approached by vendors who want to know my thoughts on the convergence of endpoint detection and response (EDR) and endpoint protection (EP) into a single-agent solution. “It only makes sense,” they say, “no one wants to manage another agent.” I’m going to agree that, for the time being, this seems to be the direction of the market. But we’re not there yet, in part because EDR means something different for enterprise organizations and security vendors.
- The first question I ask vendors is if their EP solution is good enough to kick Symantec off the endpoint. I’m not holding Symantec up as a benchmark of quality, but it has incredible enterprise market penetration, and as the saying goes, no one ever got fired for buying X. As an emerging endpoint security vendor, do you really want to go back to your investors and tell them you’re splitting your R&D effort to also compete with a vendor who has a $17 billion market cap and can afford to give its product away? Choose the hill you want to die on.
- There’s still room for a solid EDR product on the endpoint, but none for vendors that are mediocre at both and trying to claim the endpoint for themselves. Clients aren’t calling and asking me for the best unified solution — they’re asking for the best EDR solution. EDR adoption is still in the early stages for many organizations that rightly view ripping out their EP vendor to go all in with a smaller vendor as a risky play. The trend toward a unified security solution feels like it’s being driven by the traditional endpoint players that are using their market cap to expand into EDR while attempting to prevent another security vendor from getting on the endpoint. Think “land and expand” — but these traditional vendors have already landed. I agree that the minimum viable product in the EDR space has some manner of static analysis as a preventative control, but static analysis alone isn’t what defines EP, so in a lot of ways we’re creating a false equivalence in the way these products are being pushed together. I can also confidently say that the majority of EDR offerings from the traditional EP vendors are still reaching maturity, which removes some of the urgency from this conversation.
- I hear that our friends at another analyst firm are getting ready to kick off research that combines EDR and EP — and this is making a lot of vendors nervous. I think we’re a software refresh away from there being enough vendors in the space that do both well enough to try to justify this. To reiterate one of the points from the last paragraph, EDR vendors haven’t really figured out EP and EP vendors just aren’t that established in the EDR space. That said, I’m sad I’m not going to get invited over to be a part of their internal discussions on how they choose to prioritize these capabilities, because I have a feeling those conversations are truly going to be magical.
- I think it’s important to consider that there are different buyer personas, with different levels of sophistication, for EP and EDR. Don’t believe me? Ask the person responsible for managing your EP product how to perform statistical analysis of the startup processes across your enterprise to find malicious portable executable (PE) files that have evaded preventative controls. EP is a traditional tool used by organizations of all sizes to add resilience against known or easily identifiable threats (read: malware); EDR is a sophisticated threat hunting and endpoint management tool. If you don’t believe me, ask yourself why Tanium has been a part of so much EDR research over the past five years. Think about it, and then bear with me as I try to wrap this whole thing up.
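The "statistical analysis of startup processes" hunt mentioned above is usually called stacking: collect every autostart entry from every endpoint and look for the ones that are rare or that carry an unexpected hash for a well-known path. The following is an added illustration, not code from the post or from any vendor; the inventory and the `hash_*` values are constructed placeholders standing in for real host, path and SHA-256 data an EDR query would return.

```python
"""Prevalence ("stacking") analysis of autostart entries gathered across
many endpoints. Added example, not part of the original post; the inventory
below is constructed sample data and the hash values are placeholders."""
from collections import defaultdict

# Constructed sample: one record per (host, autostart path, file hash).
INVENTORY = [
    ("ws01", r"C:\Windows\explorer.exe", "hash_explorer_a"),
    ("ws02", r"C:\Windows\explorer.exe", "hash_explorer_a"),
    ("ws03", r"C:\Windows\explorer.exe", "hash_explorer_a"),
    ("ws04", r"C:\Windows\explorer.exe", "hash_explorer_a"),
    ("ws01", r"C:\Program Files\Vendor\agent.exe", "hash_agent_a"),
    ("ws02", r"C:\Program Files\Vendor\agent.exe", "hash_agent_a"),
    ("ws03", r"C:\Program Files\Vendor\agent.exe", "hash_agent_a"),
    ("ws04", r"C:\Program Files\Vendor\agent.exe", "hash_agent_b"),  # same path, odd hash
    ("ws03", r"C:\Users\Public\svchosts.exe", "hash_unknown_1"),     # seen on one host only
]


def stack_autostarts(inventory, max_prevalence=0.25):
    """Return (rare, mismatched).
    rare:       (path, hash, host_count) entries present on <= max_prevalence of hosts.
    mismatched: (path, hash, hosts) where a path's hash differs from the hash
                that dominates the fleet for that same path."""
    hosts = {host for host, _, _ in inventory}
    by_entry = defaultdict(set)                       # (path, hash) -> hosts
    by_path = defaultdict(lambda: defaultdict(set))   # path -> hash -> hosts
    for host, path, digest in inventory:
        by_entry[(path, digest)].add(host)
        by_path[path][digest].add(host)

    rare = sorted((path, digest, len(seen))
                  for (path, digest), seen in by_entry.items()
                  if len(seen) / len(hosts) <= max_prevalence)

    mismatched = []
    for path, hashes in by_path.items():
        if len(hashes) < 2:
            continue
        dominant = max(hashes, key=lambda d: len(hashes[d]))
        for digest, seen in hashes.items():
            if digest != dominant:
                mismatched.append((path, digest, sorted(seen)))
    return rare, sorted(mismatched)


if __name__ == "__main__":
    rare, mismatched = stack_autostarts(INVENTORY)
    for path, digest, count in rare:
        print(f"rare      {count} host(s): {path} [{digest}]")
    for path, digest, seen in mismatched:
        print(f"mismatch  {','.join(seen)}: {path} [{digest}]")
```

Both findings are triage leads, not verdicts: the rare entry could be a legitimate one-off install, and a hash mismatch on a common path could be a staggered update, so the next step is to pull the file from the host through the same EDR fabric and inspect it.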
It’s important to understand what EDR represents for the enterprise, to understand why I feel a lot of vendors are being hasty in trying to create one endpoint security solution to rule them all. At its core, EDR turns your infrastructure into a fabric of queryable systems with scalable remote management capabilities and the ability to detect abuse. Done. That’s it. This is only tangentially a security tool, and it’s time to reframe how we think about EDR as a SecOps tool. Security vendors spend a lot of time talking about how to elevate level 1 SOC analysts to function as level 2s, but when is the last time you heard anyone talking about who fills that void? In terms of cost and accountability, I would argue that this gap is best filled by empowering the IT service desk to remediate procedural security issues and leverage their metrics to identify processes that are candidates for automation. There will always be a need for security expertise, but it should be an escalation point. This brings me to my final point: Security has to find a way to start integrating into operations, much the same as we’ve seen development do, or risk not having a seat at the table. To do this, we need to get away from the vendor-driven discussion of worrying about whether EP and EDR are converging and actually start solving problems.