
Dominic Trott
Research Manager, European Security
@DominicTrott

Whisper it, but an announcement on the 8th of February 2017 may just mark the beginning of the end for the current level of hype surrounding ‘next-generation’ endpoint protection. Slipped into Microsoft’s pre-RSA security strategy announcement, it emerged that Windows Defender will be re-branded as Windows Defender AV. The change is small, but it points to a broader cultural shift at the company that could have a significant impact on the endpoint protection market as a whole.

This shift can be traced back to the appointment of Satya Nadella as Microsoft’s CEO in February 2014. Since then, the Redmond-based company has placed a far greater emphasis on security. In fact, the February 2017 announcement was aimed at showing just how much of a big deal security is for Microsoft. For starters, it was announced that the company invests over $1bn annually in security R&D. This is a staggering figure, equal to that of Symantec, the world’s largest specialist security product vendor.

The headline for analysts was that Microsoft is betting big on security. But buried among the updates was a small, yet significant claim. Windows Defender AV uses machine learning to identify and deal with unknown threats, a core tenet of next-gen security. In fact, it has done so for two years. So why is this a big deal? To understand, let’s first consider what is meant by next-gen endpoint. Broadly, it refers to products that identify unknown threats, as opposed to blocking known attacks. More or less, it represents the use of techniques other than signatures to foil endpoint attacks.

Considering that last year’s breach reports pointed to over a million new malware variants being released every day (we await the 2017 updates shortly!), it is unfeasible to develop a signature for all of them. Relying on endpoint protection that blocks only known threats cannot ensure enterprise-level security. This is why there is so much interest in alternative techniques such as behavioral analysis, application control and machine learning. While not forgetting known attacks, these solutions are geared towards the growing number of unknown threats and non-malware-based attacks. In a recent conversation with Carbon Black, it emerged that 53% of attacks against its customers are non-malware based.
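As an added illustration (not code from the original post or from IDC), the Python sketch below contrasts the signature approach with two of the techniques named above, application control and behavioral analysis, on constructed inputs. The file bytes, the hashes derived from them, and the process names in the event records are all invented for this demo; the point is that a one-byte variant slips past a hash signature while an allowlist or a parent/child behaviour rule still catches it.

```python
import hashlib

# Constructed sample "files" for the demo (not real malware, not real hashes).
KNOWN_MALWARE = b"MZ\x90\x00demo-payload-v1"
VARIANT = b"MZ\x90\x00demo-payload-v2"          # one byte differs: an unseen variant
APPROVED_TOOL = b"MZ\x90\x00approved-corporate-tool"


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a byte string; used as the 'signature' of a file."""
    return hashlib.sha256(data).hexdigest()


# 1. Signature-based blocking: a set of hashes of files already known to be bad.
SIGNATURE_DB = {sha256(KNOWN_MALWARE)}


def signature_verdict(sample: bytes) -> str:
    """Block only if the file's hash is on the known-bad list; everything else is allowed."""
    return "block" if sha256(sample) in SIGNATURE_DB else "allow"


# 2. Application control: only files on an approved allowlist may run.
ALLOWLIST = {sha256(APPROVED_TOOL)}


def application_control_verdict(sample: bytes) -> str:
    """Block anything not explicitly approved, whether it is known or unknown."""
    return "allow" if sha256(sample) in ALLOWLIST else "block"


# 3. Behavioral analysis: judge what a process does rather than what it is.
# Constructed rule: a document editor should not be spawning a script host.
SUSPICIOUS_PARENT_CHILD = {("document_editor.exe", "script_host.exe")}


def behavioral_verdict(event: dict) -> str:
    """Alert on a suspicious parent/child process pair, independent of file hashes."""
    pair = (event["parent"], event["child"])
    return "alert" if pair in SUSPICIOUS_PARENT_CHILD else "ok"


def compare_file_verdicts(samples: dict) -> dict:
    """Return {name: (signature verdict, application-control verdict)} for each sample."""
    return {
        name: (signature_verdict(data), application_control_verdict(data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    samples = {"known": KNOWN_MALWARE, "variant": VARIANT, "approved": APPROVED_TOOL}
    for name, verdicts in compare_file_verdicts(samples).items():
        print(f"{name:9s} signature={verdicts[0]:6s} app-control={verdicts[1]}")
    events = [
        {"parent": "document_editor.exe", "child": "script_host.exe"},  # constructed
        {"parent": "document_editor.exe", "child": "print_spooler.exe"},  # constructed
    ]
    for ev in events:
        print(ev["parent"], "->", ev["child"], behavioral_verdict(ev))
```

Running it shows the known sample blocked by both approaches, the variant allowed by the signature check but blocked by application control, and the script-host spawn flagged without any hash being involved. In practice allowlisting and behaviour rules carry their own costs (maintaining the approved set, tuning noisy rules), which is part of why the post treats them as features of a broader product rather than a solution on their own.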

A critical point for the next-gen endpoint players was the 2014-15 period. This time saw huge amounts of investment in emerging players, such as $42m of funding into Cylance and $100m into CrowdStrike. This period also saw Palo Alto Networks acquire Cyvera (the basis of its Traps endpoint suite) and Carbon Black’s merger with Bit9 (marrying incident response with advanced threat detection). These vendors have all been able to point to significant revenue growth since that time. Traditional endpoint vendors would also mention the large volumes of marketing material released by the next-gen players.

Traditional vendors initially dismissed the next-gen ‘upstarts’ as single-feature players, whose marketing hype forced the market to listen. In the established players’ defense, the scale of these marketing campaigns has helped to raise awareness. Also, customers increasingly recognize next-gen endpoint as a feature, not a solution in its own right. But customers view it as an important feature. In fact, IDC’s recent discussions with enterprise CISOs and traditional endpoint vendors indicate that users aren’t interested in endpoint discussions unless vendors can point to the next-gen element of their portfolio.

Emerging players suggest that buyers have moved beyond the view of next-gen endpoint as an augmentation for their traditional endpoint products. Instead, it is becoming a replacement opportunity. This change in buyer behavior has driven a sea-change in the portfolios of traditional endpoint players over the past year or so. For example, next-gen security features heavily in recent releases such as Trend Micro’s ‘XGen’ concept, Symantec’s SEP14 and Intel Security’s McAfee Endpoint Security 10.5 offering. Most recently, on the same day as Microsoft’s pre-RSA announcement, Sophos signalled its acquisition of Invincea, a provider of “machine learning-based predictive malware detection solutions”.

Given this flurry of activity in the next-gen endpoint space, why was Microsoft’s Windows Defender AV news so important? Is this not just one more major vendor latching onto the next-gen bandwagon? To answer this, we must note that Windows Defender AV is not a packaged product like those listed above. It comes bundled for free with a Windows 10 license. This suggests that the use of, for example, machine-learning to identify unknown threats is no longer next-generation, but an entry requirement.

So where can endpoint protection vendors seek differentiation? For IDC, the answer lies in the bigger picture the established vendors alluded to in their initial, dismissive reaction to the next-gen upstarts. As enterprises have struggled to come to terms with the growing security challenge that they face, they have sought the comfort of technology. As new threat vectors emerge, they have implemented new products to address them. The problem is that this has resulted in complex security environments. Enterprises can no longer make sense of everything that they are being told by their technology. What they need is a means of clarifying this tangle, not an incremental improvement to one element of it.

The bigger goal for security product vendors must be the integration of these disparate products. Several players have already made progress to this end. For example, a key motivation of Symantec’s acquisition of Blue Coat was to marry its endpoint, DLP and messaging security capabilities with Blue Coat’s strength at the web gateway. Intel Security has recently announced that its DXL integration layer has been made open source. Palo Alto Networks and Sophos both compete on the virtuous cycle that results from the integration of their network security and endpoint protection offerings.

Despite this activity, it is also clear that a truly integrated security offering is still some way off. Customers’ dreams of the clichéd ‘single pane of glass’ through which to understand their holistic security posture remain exactly that: a dream. What is clear, though, is that vendors who fail to embrace this integrated future will become less strategic to their customers. Those that persist with single-use-case offerings will increasingly be sidelined. Instead, customers will turn to those who can simplify their security environment, not add to its complexity.

If you want to learn more about this topic and other related European Security trends, please contact Dominic Trott.