Critical Change is Inevitable and Imminent in the Endpoint Security Paradigm

Back in 2002, when I was about to join McAfee, some of my friends warned me that Microsoft was in the process of fixing the Windows operating system, and that security companies (read: AV companies) would be out of business. They could not have got it more wrong. Although Microsoft did improve the Windows operating system significantly over the following decade and released its own security products and services, that did not slow the tide of new threats. Fast forward to 2017: the security market is bigger than ever, and it keeps growing to address the expanding threat landscape. Yet if protecting customers is the only measure used, this is an industry that can hardly claim the scale of innovation you would expect from an $80B* market over a decade. The endpoint security market alone is estimated at over $10B* for 2017 and growing (*IDC, “Worldwide Semiannual Security Spending Guide”, March 29, 2017). It is an industry caught in the trap of “the innovator’s dilemma” (as defined in Clayton Christensen’s book of the same name), on top of a rigid market ecosystem that creates serious friction for new ideas trying to succeed.

A deeper look at the endpoint security market during the last decade provides insight into the shackles that are holding back significant innovation, and it is not for lack of brilliant people in this industry. Endpoint security products reached a level of competence in signature-based protection that is now taken for granted, yet we now assume that many attacks will get through. Such an admission by vendors was inconceivable just a few years ago. This lack of comprehensive prevention gave birth to the category of technologies called EDR (endpoint detection and response), whose message to the customer is “you are probably already breached; you need tools and services to investigate, discover the hack and stop it”. Most of the innovation in the ten years since 2006 seems to have come from vendors improving signature-based detection, consolidating multiple agents into fewer agents, and adding two or three new detection methods that proved useful. A couple of startups led the detection breakthroughs using data analytics (or machine learning, or artificial intelligence, or, as one vendor claimed, mathematics), which launched the most significant wave of startups applying variations of AI techniques to security. Does this put the endpoint security market on the right track? Can we be proud of the endpoint security industry’s innovation track record in keeping customers safe?


Wear the enterprise customer hat for a moment. From the CIO/CSO perspective, we have gone from making sure the virus signatures are updated and ensuring prevention of up to 99.99x percent of malware, to accepting that we may already be hacked. While the threats aimed at stealing IP and confidential data from our corporations have become more sophisticated, the choices in the market come with many downsides: we cannot easily replace endpoint products that are inadequate, we are bound by multi-year contracts for an endpoint suite, we still need half a dozen other agents to protect the endpoints because the large suite cannot, and the SOC team has to deal with multiple consoles at high cost. Guess what: at the end of it all, our endpoints are still not adequately protected. This is the result of a bigger structural problem in the security industry, one that has produced an architecture I call “security by a thousand silos”.

The endpoint security market is about to be hit by changes so big this decade that they will shake the entire industry to its core in the decade that follows. I am not even talking about the shift to dynamic virtual endpoints, which adds a level of complexity for every incumbent vendor. The coming change will reorder the security industry in a way the last market transformation, around 2006 when threats started spreading over the internet, did not: that time the hierarchy of companies in the market remained largely unchanged, and Symantec and McAfee dominated both the consumer and corporate markets before 2006 and ever since. Approximately 500 million corporate endpoints (and many more on the consumer side) are locked in by half a dozen vendors. The upcoming change will be driven by customers and enabled by insightful vendors. Protecting customers will require a paradigm shift that demands cooperation between vendor technologies, not just on threat intel but at a deeper level covering command and control as well as event information. The multi-agent approach needs to give way to a platform-based approach that eliminates duplicated infrastructure and the performance problems that come with it. In other words, the industry will be forced towards a level playing field, which it will perceive as losing some control over its ecosystem. These changes are inevitable if we are to protect customers in this intensifying threat landscape. More on the changes in upcoming articles.