IDC Opinion

The criticality of effective endpoint security has never been greater for enterprises. A principal reason is enterprises’ evolving IT footprint. Spurred by the COVID-19 pandemic, millions of office workers changed locations from onsite to work from home (WFH). While workers are gradually returning to the office, the workplace landscape for many organizations is unlikely to return to its pre-pandemic state. In addition, the usage of cloud applications surged during the pandemic as business leaders sought flexibility to support their immediate needs and to better compete in a digitally transformed future. 

This dual shift of workers and applications to off premises has been a gift to threat actors. The exploitability of personal computers (PCs) of WFH employees increased. In addition to being situated outside office-based perimeter defenses, these devices were now on a full-time basis connecting through unmanaged home networks and with increasing potential, used for nonbusiness purposes and by other family members. The viability for threat actors to infect remote PCs, in essence, multiplied. And since users of these devices required access to cloud-based applications (custom and software as a service) and on-premises applications through a VPN to remain productive, the attractiveness of PCs as targets rose. Moreover, as worker remoteness increased along with access to both cloud and on-premises applications, business networks became flatter. Legacy approaches to use network segmentation as a security mechanism became less effective. Also a benefit to threat actors, their lateral movement from the first infected PCs to other PCs and connected IT systems encountered fewer barriers. 

Not only have threat actors intensified their focus on endpoints, but they have also advanced their tradecraft. A decade ago, signature-based antivirus software was considered an adequate defense in identifying and removing malware from end-users’ devices. Times have radically changed. Threat actors no longer rely exclusively on dropping malware onto devices to carry out their attacks. Instead, they are more apt to manipulate legitimate software programs, tools, and files (i.e., living off the land attacks). Subsequently, identifying behaviors of malicious intent has become a requirement in mounting an adequate defense.

Identifying malicious behaviors, however, is no simple task. The varied, wide ranging, and complex nature of what end-user devices (PCs and smartphones) are equipped to do blurs the distinction between malicious and legitimate behaviors. In addition, threat actors will orchestrate a series of actions, each seemingly benign, to further disguise their presence. Assembling the trail of related actions has become essential in uncovering active attacks and then responding with speed and precision to blunt them.

Building up endpoint security is crucial. Modern endpoint security (MES) products, the combination of endpoint protection platforms (EPPs) for deterministic prevention and endpoint detection and response (EDR) for post-compromise reaction, are the latest evolution in endpoint security designed to combat threats aimed at endpoints. It is confirmed through IDC research that the demand for modern endpoint security is on the rise. 

A modern endpoint security product, however, is not an island. Rather, it is a component in a constellation of complementary security technologies and operations that function together to fortify the security posture of endpoints and the resiliency of business functions. Given this more holistic view of modern endpoint security, enterprises should not limit their assessment of the independent merits of modern endpoint security products. They should also examine integration and workflow streamlining with and across other technologies that fortify security and enhance security and IT operations. A list of these technologies includes but are not limited to hardware-based device integrity checks and restoration, endpoint/IT hygiene management, file and data backup and recovery, and the evolution of EDR to eXtended Detection and Response (XDR). 

Tech Buyer Advice

Just as the threat landscape has evolved so too has the endpoint security market. 

As the threat landscape has evolved with intensified focus on compromising endpoint devices, so too has the landscape of modern endpoint security vendors included in this IDC MarketScape. With this, enterprise endpoint security buyers have greater choice and opportunity to select a vendor that is best aligned with their circumstances and requirements. Our overarching advice is to evaluate vendors from the perspective of strategic fit. Selecting a vendor and its MES product is not only for combating the threats of today as they will be different tomorrow. Rather, the selection should be made from a long-term perspective on whether the vendor can adapt to the threats of the future while also reducing the cost and complexity of security operations. 

More tactically, IDC offers this advice to enterprise MES buyers:

• Focus first on MES fundamentals:
  • Protection efficacy. IDC buyer analysis revealed enterprises’ top consideration in choosing a MES vendor is its research into never-before-seen threats and attack tactics. But buyers are not content with just research, they want results. There is no better result than automatically and deterministically blocking new forms of attacks. Independent evaluations on protection efficacy are useful guides in this regard but are not the panacea. IDC recommends conducting proof of concepts (POCs). We further recommend that EPP POCs should become a routine activity. With existing vendors evolving their EPP capabilities and new vendors emerging with “next generation” approaches, comparative analysis in your environment is the best litmus test. Avoid the trap of being the enterprise that started its search for a more effective MES product after it suffered a serious security incident. 
  • EDR automation. Second on the list of buyers’ vendor selection criteria is incident investigation speed and ease. The unfortunate reality is some attacks will evade the immediate preventions of EPP and establish a footprint on endpoints. Security teams need to be prepared. But just having EDR functionality is not enough, human engagement is required. Concentrating human engagement more on decision making and less on investigatory processes is vital in lessening threat actors’ dwell time and the time required of your security personnel. Therefore, automation is essential and is present in various forms, such as assembling and cross-correlating relevant data, visualizing attack sequence, devising risk-rated responses, and executing on the chosen response(s). In addition, enterprises cited automated threat hunting as an important factor in considering a MES vendor. Conducting a proof of concept is the most effective means for evaluating the vendor’s level of automation and usability fit with your security personnel.
  • Device support. MES products can only deliver EPP and EDR capabilities on endpoint device types and operating systems (OS) that their software agents support. Obviously, you will want to confirm support for the device types and OS platforms that are in your environment. All vendors in this IDC MarketScape support recent OS versions of Windows and Mac. But Windows and Mac PCs are not the only device types attacked. Mobile devices, physical and virtual servers, and cloud workloads are also targeted. While vendors’ datasheets list supported device types and OSs, IDC recommends digging deeper into feature parity and feature distinction to ensure the vendor’s product is adequately equipped for all of your devices and provides unified management.
• Examine cross-function integration. Endpoint security and endpoint management functions are intertwined. Unpatched and out-of-date software applications and OS versions are targets of exploitation by threat actors. When exploited, EPP and EDP become the next two layers of compensating security. Quite likely, your organization has a dedicated patch management solution in place. If that is the case, cross-vendor integrations should be examined for time-saving enhancements in workflows and acceleration in risk reduction. Alternatively, an increasing number of vendors offer patch management as part of their product suite. This too can be a suitable option if the feature set meets the varied needs of your IT estate. In addition, patch management is one of several functions that reduce an endpoint’s attack surface and, consequently, exploitability. Other functions include device control, host firewall management, vulnerability assessment, micro-segmentation, and application blacklisting, whitelisting, and process-level allow listing. In your consideration of MES vendors, comparing their collection of attack surface reduction capabilities with those of dedicated products may reveal an effective and possibly a more affordable approach to strengthening your security posture.
• Evaluate XDR frameworks. Reaching a complete and speedy understanding of attacks affecting endpoints may require more than telemetry gathered from endpoints running a MES software agent. Telemetry from other sources (e.g., network sensors, perimeter defenses, email and web gateways, cloud access security brokers, and identity management services) can bring in beneficial context. Many of these sources can also be control points for applying attack-mitigating responses and in refining security policies. An oversimplified description, this is the realm of eXtended Detection and Response. Nearly all vendors in this IDC MarketScape have an XDR framework that encompasses their non-endpoint security product portfolios, ecosystem partners, or a combination of both. As part of your assessment of MES products, evaluate the vendor’s current state of XDR, future developments, and incremental security value and what a transition from EDR to XDR will entail (e.g., additional cost, technology upgrades, and staff training and augmentation).
• Question ransomware defenses and recovery options. The consequences of ransomware incidents are a top-of-mind concern for business leaders, and for good reason. According to IDC’s July 2021 Future Enterprise Resiliency and Spending Survey, Wave 6, 75% of IT decision makers with organizations that experienced one or more ransomware incidents in the past 12 months indicated that significant extra resources beyond what internal staff handled were required to rectify. Ransomware, like other forms of malware, frequently enter business networks through endpoint devices. Subsequently, endpoint security products, like MES, are a vital line of defense. But just as ransomware has evolved to evade detection, and ultimately, increased the likelihood of payment and amount of ransom payment, MES products must also evolve to detect ransomware and prevent its execution (e.g., data exfiltration and file encryption) and propagation to other endpoints and critical systems. IDC recommends that you query MES vendors about their ransomware defenses and incident recovery options for returning affected files and endpoint configurations (e.g., changes to registry keys) to their previous known good state. As you do, assess these capabilities within the context of your overall business cyber-resiliency plans.
• Gain perspective on incorporation of built-in device security capabilities. Worth repeating, threat actors will evolve how they conduct attacks. They will continuously probe for new avenues to enter and takeover endpoints. While not yet mainstream, attackers compromising the device’s firmware is a possibility. Rather than react to this possibility once it becomes reality, ask MES vendors about their approach to confirming firmware integrity and restoration. Also ask about leveraging the device’s chip-based processing features in conducting or augmenting MES functions. Eventually, the measuring stick for endpoint security solutions will entail the collaboration of built-in device security with overlay on-device security software augmented with cloud-powered features. To make security-maximized decisions on device and MES product purchases, ask MES vendors about their current and planned approaches to leveraging built-in device security features. 
• Consider managed services options. Although MES vendors have and will continue to automate and simplify the use of EDR, experienced security professionals are needed to produce maximum return on EDR’s capabilities. IDC recommends that you consider the managed service options offered by MES vendors and/or their channel partners. As service needs vary by level of engagement (e.g., from on-demand collaboration to around-the-clock outsourcing) and tasks performed (e.g., threat monitoring, threat hunting, and threat response), seek a managed services arrangement that best aligns with your current needs and budget but is also flexible to adjust for changing circumstances.

Methodology