
Research Report

The Endpoint Security Paradox

By Jon Oltsik, Senior Principal Analyst and Bill Lundell, Senior Research Analyst

With Jennifer Gahm, Senior Project Manager and Kyle Prigmore, Associate Analyst

January 2015

© 2015 by The Enterprise Strategy Group, Inc. All Rights Reserved.


Contents

List of Figures .... 3
List of Tables .... 4
Executive Summary .... 5
  Report Conclusions .... 5
Introduction .... 7
  Research Objectives .... 7
Research Findings .... 8
  The Endpoint Security Landscape .... 8
  Endpoint Security Technology .... 19
  Endpoint Security Services .... 35
  Future Endpoint Security Strategy Decisions .... 37
Conclusion .... 39
  Research Implications for Information Security Vendors .... 39
  Research Implications for IT and Information Security Professionals .... 41
Research Methodology .... 45
Respondent Demographics .... 46
  Respondents by Current Job Function .... 46
  Respondents by Number of Employees .... 46
  Respondents by Industry .... 47
  Respondents by Annual Revenue .... 47


List of Figures

Figure 1. Approximate Total Number of Endpoint Computing Devices Supported by IT Organization .... 8
Figure 2. IT Organization’s Support of Endpoint Device Platforms .... 9
Figure 3. Approximate Percentage of Employees Who Connect to the Corporate Network Remotely Via VPN on an Average Day .... 9
Figure 4. Considerations That Have the Most Significant Influence on Organization’s Endpoint Security Strategy Moving Forward .... 10
Figure 5. Most Important Security-related Endpoint Provisioning Tasks Performed .... 11
Figure 6. Security Professionals Rate Aspects of Their Organization’s Endpoint Security .... 12
Figure 7. Endpoint Security Challenges .... 13
Figure 8. Actions Organizations Have Taken Over the Past Two Years with Regard to Endpoint Security .... 14
Figure 9. IT Organization’s Ability to Support Endpoint Security Technologies and Processes with Necessary Number of Trained Staff .... 15
Figure 10. Survey Respondents Rate IT/Security Staff in Endpoint Security Areas .... 16
Figure 11. Weakest Area with Regard to the Individuals Responsible for Endpoint Security .... 17
Figure 12. Is There a Dedicated Individual/Group Responsible for Endpoint Security? .... 18
Figure 13. How Organizations Address Endpoint Security and Endpoint Management/Operations .... 18
Figure 14. How Organizations Keep Track of Endpoint Assets .... 19
Figure 15. Approximate Number of Security Agents Installed on a Typical Endpoint .... 20
Figure 16. Installation of Antivirus Software on the Endpoint Devices that the Organization Formally Supports .... 20
Figure 17. Survey Respondents Rate Their Organization’s Standard Antivirus Software .... 21
Figure 18. Antivirus Software Supplementary Functionalities Currently Used .... 22
Figure 19. Challenges Experienced with Antivirus Products as Part of Organization’s Endpoint Security Strategy .... 23
Figure 20. Approximate Number of Unique Antivirus Software Products Deployed .... 24
Figure 21. Antivirus Upgrade Patterns .... 24
Figure 22. How Often Organizations Change Antivirus Vendors .... 25
Figure 23. Why Organizations Do Not Change Antivirus Vendors .... 26
Figure 24. Why Organizations Are Not Averse to Changing Antivirus Vendors .... 26
Figure 25. Likelihood of Replacing Commercial Antivirus Software with an Alternative Free Antivirus Product .... 27
Figure 26. Usage of Security Software Technologies to Protect Sensitive Data on Endpoint Devices .... 28
Figure 27. Challenges of Data Security Software on Endpoint Devices .... 29
Figure 28. Familiarity with Types of New Advanced Malware Detection/Prevention Products .... 30
Figure 29. Deployment of Advanced Malware Detection/Prevention Software .... 30
Figure 30. Reasons for Deploying or Considering Deploying Advanced Malware Detection/Prevention Software .... 31
Figure 31. Familiarity with Endpoint Forensic Solutions .... 32
Figure 32. Deployment of Endpoint Forensics Solution .... 32
Figure 33. Reasons for Deploying or Planning to Deploy/Interested in Deploying an Endpoint Forensics Solution .... 33
Figure 34. Interest in Integration Between an Endpoint Forensics Solution and Other Types of Security Analytics Systems .... 34
Figure 35. Usage of a Managed Security Service for Any Aspect of Endpoint Security .... 35
Figure 36. Endpoint Security Services Currently in Use or Expected to Be Used .... 35
Figure 37. Reasons for Using or Planning to Use Managed Services for Endpoint Security .... 36
Figure 38. Type of Endpoint Security Technology Approaches Most Attractive to Organizations .... 37
Figure 39. Functionality Most Desired in a Comprehensive Endpoint Security Product Offering .... 38
Figure 40. Importance of the Inclusion of Remediation and Recovery Capabilities in an Endpoint Security Suite .... 38
Figure 41. Survey Respondents by Current Job Function .... 46
Figure 42. Survey Respondents by Number of Employees .... 46
Figure 43. Survey Respondents by Industry .... 47
Figure 44. Survey Respondents by Annual Revenue .... 47


List of Tables

Table 1. Endpoint Security Challenges among Organizations with Sufficient Endpoint Security Resources .... 16
Table 2. AV Product Challenges, by Organizations that Rate Their Standard AV Software as Very Effective .... 23

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.


Executive Summary

Report Conclusions

Endpoint security is one of the oldest areas of information security, with the first commercial products having become available in the late 1980s. The market for endpoint security products remained relatively small until the introduction of the Mosaic browser and the commercialization of the World Wide Web in the mid-1990s. Once enterprise organizations connected internal networks to the public Internet, endpoint security software evolved from a niche product to an information security requirement. This situation remains today: As this report indicates, endpoint security software is regularly installed on around 90% of Windows PCs and is gaining popularity on other PC platforms and mobile devices.

For nearly 20 years, endpoint security was really synonymous with signature-based antivirus (AV) software. Furthermore, AV was dominated by a handful of vendors that operated as a virtual oligopoly by offering similar products at similar prices. Users would either choose a product and stick with it or regularly replace one product with another in order to save a bit of money on subscription fees. On the supply side, vendors would regularly enhance products with new types of protection (i.e., anti-spyware, port blocking, password vaults, etc.) or bolster usability by improving GUIs and management features.

Fast forward to the last few years and the endpoint security market is proceeding through a new phase in its evolution. Why? Sophisticated cyber-adversaries have figured out how to exploit AV weaknesses, circumvent security protection, and compromise endpoint systems. As a result, many organizations have suffered extremely damaging security breaches, in spite of near ubiquitous implementation of AV software.

As hackers develop new cyber-attack techniques, CISOs have little choice but to respond in kind with new (and additive) layers of defense and more effective controls. This is exactly what is happening with endpoint security. Organizations are not eliminating AV software, but rather building new defenses above and beyond AV alone.

With the endpoint security ecosystem in a profound state of change, ESG surveyed 340 IT and information security professionals representing large midmarket (500 to 999 employees) and enterprise-class (1,000 employees or more) organizations in North America. The objective of this research was to assess how these organizations are changing their endpoint security strategies in response to new types of threats and cyber-attack techniques.

Based on the data collected from this survey in regard to endpoint security trends, ESG concludes:

Endpoint security is getting more difficult. Eighty percent of the security professionals surveyed agree that managing endpoint security processes and technologies has become more difficult over the last two years. This change is certainly due to the increasingly dangerous threat landscape, the rise of targeted attacks, and the frequency of publicly disclosed data breaches. On the other hand, ESG’s data points to gaps in endpoint security technology. Indeed, nearly two-thirds of security professionals believe that there is no single endpoint security vendor that delivers a product suite capable of meeting all of their organizations’ endpoint security requirements.

Endpoint security strategy is driven by anti-malware and mobile device security. When asked to identify the biggest factors influencing endpoint security strategy, 31% of security professionals cited addressing new types of malware threats, while 29% pointed to the need to address new risks associated with mobile endpoints. These two data points really characterize the state of endpoint security today and—more importantly—moving forward. Security professionals face a cabal of cyber-adversaries with sophisticated skills, and armed with an assortment of malware weapons. To address this hodge-podge of cyber-enemies, CISOs must protect a growing portfolio of endpoint devices that often number in the thousands and can be located anywhere across corporate and public networks.

Changing endpoint security requirements are driving lots of activities. Since 2012, 66% of organizations say that they have reevaluated their endpoint security policies, processes, and tools; 57% of organizations have increased their endpoint security budget; 56% of organizations have invested in endpoint security training; and 56% have purchased new security technologies. It’s safe to assume that organizations are undertaking these actions because legacy endpoint security skills, processes, and technologies were no longer sufficient.

Endpoint security remains fraught with many challenges. Endpoint security is a balancing act between addressing the threat landscape and managing thousands of disparate local and remote/mobile devices. ESG’s research indicates that many firms are struggling to keep up. For example, 38% of security professionals say that their security teams spend a lot of time “firefighting” and little time with process improvement or endpoint security strategy. Additionally, 29% complain that endpoint security is based upon too many manual processes. The data also demonstrates that many organizations simply go through the motions with endpoint security. More than one-third of organizations see endpoint security as a compliance checkbox task, while 23% view endpoint security as a basic requirement and neglect the time and effort needed to develop endpoint security best practices.

Organizations have problems monitoring endpoint security status. When asked to identify the biggest weakness of their endpoint security staffs, 23% indicate monitoring endpoint status to attain a real-time or near real-time inventory of endpoints on the network (i.e., endpoint configurations, installed software, etc.). This shortcoming limits their ability to detect and respond to security incidents in a timely manner and could mean that a relatively minor security incident might “fly under the radar” and then balloon into a major data breach over time.

Security professionals have mixed opinions about AV software. Endpoint security contrasts extend into the realm of antivirus software. In this survey, more than half of security professionals claim that AV is very effective at blocking or detecting malware, which would indicate positive experiences with this type of software. Alternatively, however, about one-third of organizations point to AV challenges, saying that AV generates too many false positive alerts and that AV products are not nearly as effective at blocking/detecting malware as they should be. AV software’s effectiveness is also called into question since many organizations are assessing endpoint security policies and processes or adding new layers of technology defenses.

Many organizations take a tactical approach to AV. ESG was somewhat surprised to find out that more than one-quarter of the organizations surveyed claim to have three or more unique antivirus products deployed across their networks (i.e., “unique” AV products could be different revisions of AV software from a single vendor, or multiple AV products from different vendors). Furthermore, more than half of organizations claim that they change antivirus vendors frequently or occasionally. Security professionals often make these changes to find the AV vendor offering the lowest price per seat. Finally, 57% of organizations say it is likely that they will replace commercial AV software with freeware alternatives. The ESG research illustrates that many organizations manage their AV software in a constant state of churn. There is little wonder then why they are so confused about endpoint security.

Organizations are embracing new types of endpoint security tools. Nearly one-third of security professionals say that their organizations are implementing new advanced threat protection software and/or endpoint forensic software as layers of endpoint security defense in addition to traditional AV. Most are doing so based upon recommendations from service providers and penetration testers, or in response to security breaches in their industries.

Endpoint security services offer a promising alternative to point products. More than half of respondent organizations are already outsourcing some aspect of endpoint security today or plan to do so in the future. Why? Of those using or seeking to use endpoint security services, 45% believe that a managed security service for endpoint security can help their organization improve incident prevention, detection, or response. In other words, an endpoint security service provider can manage endpoint security better than their organization can itself. There is also a financial angle here, with 37% of those using or seeking to use endpoint security services operating under the assumption that endpoint security services can help their organizations reduce costs.


Introduction

Research Objectives

In order to accurately assess organizations’ endpoint security technologies, policies, and processes, ESG surveyed 340 IT and information security professionals representing large midmarket (500 to 999 employees) and enterprise-class (1,000 employees or more) organizations in North America. All respondents were responsible for evaluating, purchasing, and managing endpoint security technology products and services.

The survey was designed to answer the following questions about:

Endpoint security knowledge and opinions
  o Do IT organizations believe that endpoint security is becoming more difficult? If so, why?
  o What is driving endpoint security strategy?
  o What are the biggest endpoint security challenges for organizations?

The organization(s) responsible for endpoint security
  o Do organizations have the right skills and staff levels to address endpoint security?
  o Which groups are responsible for endpoint security today? Are they merging with different groups, or becoming more independent? Do these groups communicate well?

Endpoint security technologies
  o What types of security controls and technologies are used today? How are these changing?
  o How are organizations adopting specific types of security technologies such as endpoint forensics, endpoint analytics, and advanced anti-malware products?
  o What are the most compelling features of these products?

AV/host-based security software sentiment

“Next-generation” endpoint security software sentiment

Endpoint security strategies
  o Are organizations looking at endpoint security with a long-term perspective? Or are they making tactical purchases to solve immediate problems?
  o Are customers trying to integrate their endpoint security with other things, such as their network security solutions or threat intelligence feeds?

Survey participants represented a wide range of industries including financial services, manufacturing, retail, business services, communications and media, and government. For more details, please see the Research Methodology and Respondent Demographics sections of this report.


Research Findings

The Endpoint Security Landscape

Endpoint Device Usage Trends

Security professionals tend to equate endpoint security with volume, scale, and complexity, and ESG data reveals why this is so. More than one-quarter (28%) of respondents work at organizations tasked with supporting at least 10,000 endpoint devices (see Figure 1). Not surprisingly, it is difficult to secure this vast array of endpoints as they move from location to location, change configurations, and interact with files and applications on the public Internet.

Figure 1. Approximate Total Number of Endpoint Computing Devices Supported by IT Organization

Source: Enterprise Strategy Group, 2015.

With BYOD and mobile computing initiatives, security professionals are expected to support more device types and operating systems. Aside from standard Windows-based PCs, 71% of organizations currently support iOS devices (i.e., iPads and iPhones), 69% support Mac OS desktops and laptops, and 65% support Android devices (see Figure 2). It is also noteworthy that an additional 20% of organizations have plans in place for formal support of Android and Windows Mobile devices in the future. This complex matrix of supported devices forces CISOs to expand their endpoint security resources and defenses.

Ubiquitous user mobility is yet another endpoint security challenge for security professionals to manage. To quantify the issue, ESG asked respondents what percentage of their organizations’ employees connected to corporate networks via VPN on an average business day. As the data indicates, 40% of respondents say that at least half of all employees typically connect to the network through a VPN on a daily basis (see Figure 3). Supporting a remote workforce can be a challenge for many reasons: off-premises devices have a higher risk of being breached or stolen because they lack direct IT oversight and physical security safeguards, and spotty network connectivity makes it difficult to monitor remote devices, manage configuration settings, or update software.

Figure 1 data (values read from the chart): Approximately how many total endpoint computing devices (i.e., desktop PCs, laptop PCs, netbooks, tablets, smartphones, etc.) does your IT organization currently support? (Percent of respondents, N=340)

Less than 500 ........ 4%
500 to 999 ........... 16%
1,000 to 2,499 ....... 21%
2,500 to 4,999 ....... 17%
5,000 to 9,999 ....... 14%
10,000 to 19,999 ..... 10%
20,000 to 49,999 ..... 6%
50,000 to 99,999 ..... 5%
100,000 or more ...... 7%


Figure 2. IT Organization’s Support of Endpoint Device Platforms

Source: Enterprise Strategy Group, 2015.

Figure 3. Approximate Percentage of Employees Who Connect to the Corporate Network Remotely Via VPN on an Average Day

Source: Enterprise Strategy Group, 2015.

Figure 2 data: How would you describe your IT organization’s support of the following endpoint device platforms? (Percent of respondents, N=340). Response options: IT currently formally supports; We have plans to formally support; Interested in supporting; No plans or interest at this time; Don’t know / not applicable.

“IT currently formally supports” (values read from the chart):
Desktop/laptop (Windows) ............................ 93%
iOS devices (i.e., iPhones, iPads) .................. 71%
Desktop/laptop (Mac) ................................ 69%
Android devices (i.e., Android phones and tablets) .. 65%
Windows Mobile ...................................... 56%
BlackBerry .......................................... 49%

Figure 3 data (values read from the chart): On an average business day, approximately what percentage of your organization’s employees typically connects to the network remotely via VPN? (Percent of respondents, N=340)

Less than 10% ........... 5%
Between 10% and 25% ..... 21%
Between 26% and 50% ..... 34%
Between 51% and 75% ..... 24%
More than 75% ........... 16%
Don’t know .............. 1%


Organizational Perceptions about Endpoint Security

Aside from the combination of endpoint volume, diversity, and remote connectivity requirements, ESG wanted to identify other issues impacting endpoint security strategies. According to Figure 4, more than one-quarter of organizations identify these influencing factors as new malware threats (31%), new risks associated specifically with mobile endpoints (29%), and general organizational initiatives to address cyber risk and improve information security best practices (26%). Note that 22% of respondents said that regulatory compliance had the most significant influence on their organization’s endpoint security strategy. While this is a fairly significant percentage, regulatory compliance is no longer the major security strategy driver it was three to five years ago. This data demonstrates that most security professionals now realize that compliance does not necessarily equate to strong security. As a result, strategic endpoint security priorities are moving in a new direction.

Figure 4. Considerations That Have the Most Significant Influence on Organization’s Endpoint Security Strategy Moving Forward

Source: Enterprise Strategy Group, 2015.

Endpoint security starts with provisioning systems with a secure configuration, but numerous tasks and options are involved in this process. Which ones are most important? Nearly one-third (31%) of security professionals believe that ensuring that users do not have administrator rights/privileges is most important, while 30% believe it is critical to install a corporate-approved VPN on endpoint clients in order to limit network access and enforce granular access controls (see Figure 5). More than one-quarter (27%) of security professionals believe it is important to install an endpoint agent to track location for loss/theft protection, a capability that is often included in mobile device management (MDM) solutions because it is especially important for mobile devices like smartphones and tablet computers.
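The provisioning tasks ranked highest above (no user administrator rights, a corporate-approved VPN client, a standard secure configuration, a reporting agent) and the inventory-monitoring weakness described in the Executive Summary can both be expressed as a recurring baseline check over the endpoint inventory. The Python script below is an added example and is not part of the ESG report or any vendor product; the inventory records, field names, configuration identifier, VPN client name, built-in admin account names and the 24-hour heartbeat window are all constructed assumptions.

```python
"""Audit a constructed endpoint inventory against a provisioning baseline.

Added example (not from the ESG report). The records, field names and
thresholds are assumptions chosen to illustrate the checks the report's
respondents rank highest: no local admin rights for users, a corporate
VPN client, a standard secure configuration, and a security agent that
reports in near real time.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is deterministic when run offline.
NOW = datetime(2015, 1, 15, 12, 0, tzinfo=timezone.utc)
HEARTBEAT_MAX_AGE = timedelta(hours=24)   # assumed "near real-time" window
BASELINE_CONFIG = "corp-std-2015.01"      # assumed standard configuration id
APPROVED_VPN = "CorpVPN"                  # assumed corporate-approved client
BUILTIN_ADMINS = {"Administrator", "root"}  # accounts expected to hold admin rights

# Constructed inventory export, one record per endpoint (not real data).
INVENTORY = [
    {"host": "lt-001", "os": "Windows", "local_admins": ["Administrator"],
     "software": ["CorpVPN", "AV-Agent"], "config": "corp-std-2015.01",
     "last_seen": "2015-01-15T11:30:00Z"},
    {"host": "lt-002", "os": "Windows", "local_admins": ["Administrator", "jdoe"],
     "software": ["CorpVPN", "AV-Agent"], "config": "corp-std-2015.01",
     "last_seen": "2015-01-15T10:05:00Z"},
    {"host": "mac-003", "os": "Mac", "local_admins": ["root"],
     "software": ["AV-Agent"], "config": "corp-std-2014.09",
     "last_seen": "2015-01-12T08:00:00Z"},
    {"host": "lt-004", "os": "Windows", "local_admins": ["Administrator"],
     "software": ["CorpVPN"], "config": "corp-std-2015.01",
     "last_seen": None},
]


@dataclass
class Finding:
    host: str
    issues: list = field(default_factory=list)


def check_endpoint(rec, now=NOW):
    """Return a Finding listing every baseline deviation for one record."""
    f = Finding(rec["host"])
    # Least privilege: any non-built-in account in the local admin group.
    extra_admins = set(rec["local_admins"]) - BUILTIN_ADMINS
    if extra_admins:
        f.issues.append("user-has-local-admin:" + ",".join(sorted(extra_admins)))
    if APPROVED_VPN not in rec["software"]:
        f.issues.append("vpn-client-missing")
    if "AV-Agent" not in rec["software"]:
        f.issues.append("security-agent-missing")
    if rec["config"] != BASELINE_CONFIG:
        f.issues.append("config-drift:" + rec["config"])
    # Monitoring: an endpoint that never reports, or reports too rarely,
    # cannot be part of a near-real-time inventory.
    if rec["last_seen"] is None:
        f.issues.append("never-reported")
    else:
        seen = datetime.strptime(rec["last_seen"], "%Y-%m-%dT%H:%M:%SZ")
        seen = seen.replace(tzinfo=timezone.utc)
        if now - seen > HEARTBEAT_MAX_AGE:
            hours = (now - seen) // timedelta(hours=1)
            f.issues.append("stale-heartbeat:%dh" % hours)
    return f


def audit(inventory, now=NOW):
    """Run every check. Returns (findings, coverage), where coverage is the
    percentage of endpoints with no deviation, rounded to a whole number."""
    findings = [check_endpoint(r, now) for r in inventory]
    clean = sum(1 for f in findings if not f.issues)
    coverage = round(100 * clean / len(findings)) if findings else 0
    return findings, coverage


if __name__ == "__main__":
    findings, coverage = audit(INVENTORY)
    for f in findings:
        print(f.host, "OK" if not f.issues else "; ".join(f.issues))
    print("baseline coverage: %d%%" % coverage)
```

On the constructed records the script reports one clean host and flags an extra local administrator, a missing VPN client, configuration drift, a stale heartbeat and a host that has never reported, giving 25% baseline coverage. The same checks applied to a real inventory export would show how far an organization actually is from the provisioning tasks its own security team considers most important.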

Figure 4 data (values read from the chart): Which of the following considerations would you characterize as having the most significant influence on your organization’s endpoint security strategy moving forward? (Percent of respondents, N=340, two responses accepted)

Addressing new types of malware threats ........................................................ 31%
Addressing new risks associated with mobile endpoints .......................................... 29%
A general organizational initiative to address cyber risk and improve information security best practices .. 26%
Aligning our endpoint security strategy with our use of cloud computing services (i.e., IaaS, SaaS, etc.) .. 23%
Regulatory compliance .......................................................................... 22%
An increase in oversight by my organization’s executives and/or board of directors ............. 21%
Addressing new risks associated with an increase in unmanaged devices (i.e., BYOD) ............. 20%
Numerous data breaches resulting from targeted attacks on my organization’s industry ........... 13%


Figure 5. Most Important Security-related Endpoint Provisioning Tasks Performed

Source: Enterprise Strategy Group, 2015.

Security professionals paint a complex and confusing picture about their organizations’ current endpoint security status. From a positive perspective, Figure 6 reveals that 93% of organizations believe they have the right policies, processes, and technologies in place to meet their endpoint security needs. Alternatively, 80% of respondents feel that endpoint security is much more difficult to manage than it was two years ago, while 63% of security professionals strongly agree or agree with the notion that there is no single endpoint security vendor that can deliver a product suite that could meet all of their organization’s needs.

Figure 5 data (values read from the chart): What would you say are the two most important security-related endpoint provisioning/setup tasks that you/your IT organization performs? (Percent of respondents, N=340, two responses accepted)

Ensure that users/employees do not have administrator rights/privileges on endpoints ....... 31%
Install a corporate approved VPN client .................................................... 30%
Install some type of monitoring agent to track endpoint location for loss/theft protection .. 27%
Provision endpoints with a standard secure configuration ................................... 26%
Install some type of monitoring agent to track user activity ............................... 23%
Configure endpoints with port blocking rules enforced ...................................... 22%
Install digital certificates or other type of device authentication ........................ 20%
Limit users to a corporate-approved browser ................................................ 14%


Figure 6. Security Professionals Rate Aspects of Their Organization’s Endpoint Security

Source: Enterprise Strategy Group, 2015.

This data indicates that endpoint security is highlighted by extreme conditions. While many organizations may believe they have the right endpoint security strategy, their own responses seem to contradict this notion. Since the information security chain is only as strong as its weakest link, CISOs should reassess their endpoint security processes and technologies, especially in comparison to network security processes and technologies. The ESG data seems to indicate that this exercise could expose persistent vulnerabilities and weaknesses that may be bigger than the security team believes.

Figure 6 data: Please respond to each of the following general statements about endpoint security as it relates to your organization. (Percent of respondents, N=340; response options were Strongly agree, Agree, Neither agree nor disagree, Disagree, and Strongly disagree; the Strongly agree and Agree shares are shown)

My organization evaluates the effectiveness of its endpoint security strategy and responds to changing risks: Strongly agree 52%, Agree 43%
The executive management team at my organization understands the risks associated with endpoint security strategy: Strongly agree 51%, Agree 42%
My organization’s endpoint security strategy is closely aligned with other areas of information security such as network security and security analysis: Strongly agree 49%, Agree 46%
My organization has the right endpoint security policies, processes, and technologies in place for an organization of our size: Strongly agree 44%, Agree 49%
My organization’s network security processes, controls, and skills are more advanced than my organization’s endpoint security processes, controls, and skills: Strongly agree 39%, Agree 43%
Managing endpoint security processes and technologies has become more difficult over the past two years: Strongly agree 34%, Agree 46%
There is no single endpoint security vendor that delivers a product suite that could meet all of my organization’s requirements: Strongly agree 24%, Agree 39%
We really can’t secure endpoints as we’d like to because endpoint security requires too many specialized products/agents: Strongly agree 16%, Agree 25%


ESG also wanted to understand what security professionals consider to be their biggest endpoint security challenges. The data in Figure 7 points in two different directions. For example, 38% of security professionals say that their security team spends a lot of time “firefighting” as they attend to high-priority issues, and 29% complain that endpoint security is based upon too many manual processes. These two data points indicate that endpoint security is akin to the “wild west,” dominated by individual efforts rather than process-oriented methodologies. Alarmingly, the ESG data also demonstrates that many organizations simply go through the motions with endpoint security. More than one-third of organizations (34%) see endpoint security as a compliance checkbox task, while 23% view endpoint security as a basic requirement and neglect the time and effort needed to develop endpoint security best practices. Aside from these issues, it is noteworthy that 17% of organizations also point to issues around endpoint security monitoring, vulnerability scanning, and patch management.

This data seems to fly in the face of the results presented previously in Figure 6. How can 93% of organizations believe they have the right endpoint security policies, processes, and technologies when the security staff is burdened by manual processes and constantly firefighting? If executive managers at 93% of organizations understand endpoint security risks, why are so many firms treating endpoint security as a compliance requirement or a low priority? The data demonstrates a big gap between endpoint security perceptions and reality. Unfortunately, this gap means that endpoint security risk is likely far greater than many organizations believe.

Figure 7. Endpoint Security Challenges

Source: Enterprise Strategy Group, 2015.

Figure 7 data: In your opinion, which of the following presents the biggest endpoint security challenges to your organization? (Percent of respondents, N=340, two responses accepted)

The security staff spends a lot of time attending to high-priority issues so staff members don’t have ample time for process improvement or strategic planning: 38%
My organization is more focused on meeting regulatory compliance requirements than addressing endpoint security risks with strong controls and oversight: 34%
Endpoint security is based upon too many manual processes making it difficult for the security staff to keep up: 29%
My organization views endpoint security as a basic requirement and doesn’t put enough time or resources into developing best practices: 23%
My organization doesn’t monitor endpoint activities proactively so it can be difficult for us to detect a security incident: 17%
My organization isn’t particularly good at vulnerability scanning and/or patch management so we are always vulnerable to having an endpoint compromised by malware: 17%
We lack budget to purchase the right endpoint security products: 11%


In the past, endpoint security activities were fairly limited. PCs were provisioned in secure configurations and outfitted with antivirus (AV) software. Once provisioned, the security team scanned endpoints for vulnerabilities and installed software patches when necessary.

Given the increasingly dangerous threat landscape, ESG wondered whether organizations were going beyond these tried-and-true endpoint security routines. According to Figure 8, they are indeed: Two-thirds of organizations report that they have reevaluated their endpoint security policies, processes, and tools, and 56% say they have invested in endpoint security training and purchased new security technologies over the last two years, demonstrating a significant financial commitment to endpoint security. This flurry of recent activity supports the thesis that endpoint security is evolving beyond the basic tasks and oversight of the past.

Figure 8. Actions Organizations Have Taken Over the Past Two Years with Regard to Endpoint Security

Source: Enterprise Strategy Group, 2015.

Figure 8 data: With regard to endpoint security, which of the following actions – if any – has your organization taken over the past two years? (Percent of respondents, N=340, multiple responses accepted)

Reevaluated our endpoint security policies, processes, and tools to create a plan for improving our endpoint security: 66%
Trained our security team on new malware threats and/or endpoint security best practices: 59%
Implemented technologies for endpoint profiling and/or continuous monitoring: 59%
Increased the allocation of security budget earmarked for endpoint security or associated activities: 57%
Created or increased end-user/employee training programs to better educate them about cyber threats: 56%
Purchased new endpoint security technologies in addition to those used in the past: 56%
Increased network segmentation to enhance endpoint security protection: 56%
Conducted penetration testing to identify vulnerabilities on the network and at the endpoint: 51%
Procured professional or managed services for endpoint security: 40%
Hired security professionals to augment our endpoint security capabilities: 39%


Endpoint Security Staffing

In ESG’s 2014 IT Spending Intentions Survey, one-quarter of organizations claimed that they had a problematic shortage of IT security skills. This is consistent with other industry data and highlights a critical issue—the global cybersecurity skills shortage. As such, it is somewhat surprising that more than half (56%) of organizations believe that they have a sufficient number of resources in place to support endpoint security technologies and processes (see Figure 9).

Figure 9. IT Organization’s Ability to Support Endpoint Security Technologies and Processes with Necessary Number of Trained Staff

Source: Enterprise Strategy Group, 2015.

The key word here is likely “sufficient,” by which respondents may believe that given overall endpoint security circumstances, “sufficient” equates to “all that can be expected.” ESG comes to this conclusion by analyzing the data in Figure 9 with the endpoint security challenges identified in Figure 7. It turns out that organizations with a sufficient number of resources capable of supporting endpoint security technologies and processes also have a multitude of endpoint security challenges that could be equated with inadequate skills or staffing (see Table 1). It is also interesting that 35% of organizations claiming to have sufficient endpoint security resources equate endpoint security with regulatory compliance, while 24% of organizations that have sufficient endpoint security resources view endpoint security as a basic requirement. In these last two cases, organizations are addressing a subset of real endpoint security requirements, so their perception of sufficient resources is relative at best.

Aside from staff resources, respondents are also extremely confident about their endpoint security competency, claiming that endpoint security skills are excellent or good in most cases (see Figure 10). Once again, this data is somewhat paradoxical. Perhaps these organizations believe that their endpoint security skills are good enough for regulatory compliance or basic requirements so they invest in more advanced security skills in other areas like network security and security analytics. In any case, ESG is troubled by this display of overconfidence, especially in light of the persistent onslaught of targeted attacks and data breaches.

Figure 9 data: In general, how would you describe your IT organization’s ability to support endpoint security technologies and processes with the necessary number of trained staff? (Percent of respondents, N=340)

We have a sufficient number of resources capable of supporting endpoint security technologies and processes: 56%
We have a moderate lack of resources capable of supporting endpoint security technologies and processes: 41%
We have a severe lack of resources capable of supporting endpoint security technologies and processes: 2%


Table 1. Endpoint Security Challenges among Organizations with Sufficient Endpoint Security Resources

Respondents who report: We have a sufficient number of resources capable of supporting endpoint security technologies and processes (N=191)

The security staff spends too much time attending to high-priority issues so staff members do not have ample time for process improvements or strategic planning: 37%
My organization is more focused on meeting regulatory compliance requirements than addressing endpoint security risk with strong controls and oversight: 35%
Endpoint security is based upon too many manual processes making it difficult for the security staff to keep up: 27%
My organization views endpoint security as a basic requirement and doesn’t put enough time or resources into developing best practices: 24%

Source: Enterprise Strategy Group, 2015.

Figure 10. Survey Respondents Rate IT/Security Staff in Endpoint Security Areas

Source: Enterprise Strategy Group, 2015.

Figure 10 data: Think about the IT/security staff member(s) responsible for endpoint security. How would you rate them–including yourself–in each of the following areas? (Percent of respondents, N=340; response options were Excellent, Good, Fair, and Poor)

Basic knowledge of endpoint technology (i.e., operating systems, secure configurations, common vulnerabilities, indications of compromise, etc.): Excellent 48%, Good 46%, Fair 6%
Ability to respond to security incidents in a timely manner: Excellent 44%, Good 45%, Fair 11%
Knowledge of endpoint security technologies and their feature/functionality: Excellent 43%, Good 49%, Fair 8%
Up-to-date knowledge of the threat landscape (i.e., cyber-crime market, malware tactics, threat actors, etc.): Excellent 42%, Good 47%, Fair 10%, Poor 1%
Ability to investigate security incidents to discover root causes, scope, lifecycle, etc.: Excellent 42%, Good 46%, Fair 11%, Poor 1%
Ability to remediate a system without re-imaging: Excellent 34%, Good 50%, Fair 14%, Poor 1%


Given organizations’ overwhelming endpoint security self-assurance, are there any areas in which the endpoint security staff has flaws or deficiencies? Of course. When asked to identify their endpoint security teams’ biggest weaknesses, 23% of respondents pointed to real-time endpoint monitoring/asset profiling, 18% said they had issues with security training for non-IT employees, and 16% admitted to shortcomings with regard to testing and deploying critical patches in a timely manner (see Figure 11). Once again, this data seems inconsistent with the “excellent” and “good” responses above. Perhaps organizations simply equate good with good enough when it comes to endpoint security.

Figure 11. Weakest Area with Regard to the Individuals Responsible for Endpoint Security

Source: Enterprise Strategy Group, 2015.

Most organizations have dedicated resources for endpoint security, but organizational models vary. For example, 20% of organizations have a dedicated individual responsible for endpoint security (see Figure 12). This person is likely to be a senior employee who leads the effort around defining endpoint security policies, establishing processes, and selecting technology controls. Two-thirds of organizations say that they have a dedicated endpoint security group, which, in many cases, is more likely to be responsible for day-to-day operations as opposed to strategic decisions. Another 12% of organizations are creating an endpoint security organization or are interested in doing so. These organizations may be behind or they may be moving from a passive to a more proactive endpoint security approach that includes dedicated staff.

ESG believes that there is a blurring line between endpoint security and endpoint operations. Currently, numerous tasks, such as provisioning, remediation, or patch management, could be justifiably assigned to either group. Although they are operational tasks, organizations remain vulnerable if they are not executed in a timely manner.

The majority of enterprise organizations seem to recognize endpoint security and operations synergies as 59% employ a single group responsible for both areas, while another 34% plan to merge their endpoint security and operations groups in the future (see Figure 13).

Figure 11 data: Which of the following do you consider your organization’s biggest weakness as it pertains to the individual(s) responsible for endpoint security? (Percent of respondents, N=340)

Monitoring endpoint status to attain a real-time or near real-time inventory of endpoints on the network (i.e., endpoint configurations, installed software, etc.): 23%
Providing end-user training on endpoint security to non-IT employees: 18%
Testing and deploying critical software patches to endpoints in a timely manner (i.e., within 3 business days): 16%
Providing proactive training to the information security team on endpoint security threats and best practices: 14%
Performing regular vulnerability scans on all endpoint devices: 14%
Monitoring endpoint activities to analyze whether systems are acting anomalously or suspiciously: 13%
None of the above: 2%


Figure 12. Is There a Dedicated Individual/Group Responsible for Endpoint Security?

Source: Enterprise Strategy Group, 2015.

Figure 13. How Organizations Address Endpoint Security and Endpoint Management/Operations

Source: Enterprise Strategy Group, 2015.

Figure 12 data: Does your organization have a dedicated individual/group responsible for endpoint security? (Percent of respondents, N=340)

Yes, a dedicated individual: 20%
Yes, a dedicated group: 66%
No, but we are in the process of creating a dedicated role/group that will be responsible for endpoint security: 10%
No, but we are interested in creating a dedicated role/group that is responsible for endpoint security: 2%
No: 2%

Figure 13 data: Which of the following organizational models best describes how your organization addresses endpoint security and endpoint management/operations (i.e., endpoint provisioning, software distribution, support, etc.)? (Percent of respondents, N=340)

My organization has one group responsible for both endpoint security and endpoint management and operations: 59%
My organization has one group responsible for endpoint security and another group responsible for endpoint management and operations today, but we plan to merge these two groups sometime in the future: 34%
My organization has one group responsible for endpoint security and another group responsible for endpoint management and operations today, and we have no plans to merge these two groups: 6%


Endpoint Security Technology

Tracking Endpoint Security

The multitude of endpoints and remote devices, and the many combinations of device/OS platforms can make keeping track of endpoints a logistical nightmare. To address this, 34% of organizations use an endpoint profiling tool that continuously monitors the state of all endpoint assets as they gain access to the network, while 21% maintain a single database within IT where information about endpoints is collected and stored (see Figure 14). Unfortunately, the plurality of organizations (45%) gather information through a collection of disparate tools covering endpoint security, asset profiling, asset management, configuration management, patch management, vulnerability scanning, etc. This group likely struggles to get a timely and comprehensive picture regarding their endpoint security status for risk management and mitigation purposes.

Figure 14. How Organizations Keep Track of Endpoint Assets

Source: Enterprise Strategy Group, 2015.

As Figure 6 previously revealed, 41% of security professionals don’t believe they can really secure endpoints as they’d like to because it requires too many specialized products/agents. This is a problem because each agent must be deployed and then managed on an ongoing basis. Some agents—or combinations of agents—can impact system performance, while certain agents may be incompatible with one another. Endpoint security agent management may be a growing and underappreciated problem, especially if new security tools require additional agents. As seen in Figure 15, more than half (58%) of organizations report that they already have at least three endpoint security agents on a typical endpoint, so incremental agents will only exacerbate existing problems with agent deployment, management, and tuning.

This accumulation of agents may be the result of tactical investments, meaning organizations see a security hole, and plug it with a new tool. Each new tool requires a new agent, and soon organizations are deploying more agents per endpoint than they perhaps anticipated during the strategy phase. Additionally, while organizations may ideally seek fewer vendors to perform a wider variety of security functions and thus require fewer agents, Figure 6 revealed that organizations have been largely unable to find vendors offering such a solution.

Figure 14 data: Which of the following best describes how your organization keeps track of its endpoint assets (i.e., system ID, software installed, current configuration, security signatures in place, etc.)? (Percent of respondents, N=340)

We gather this information by accessing a series of different tools used for endpoint management, security management, asset management, etc.: 45%
We use an endpoint profiling tool that continuously monitors the state of all endpoints as they gain access to our network: 34%
We maintain a single database within IT where this information is collected and updated: 21%


Figure 15. Approximate Number of Security Agents Installed on a Typical Endpoint

Source: Enterprise Strategy Group, 2015.

Antivirus Software Trends

Antivirus is a staple security control for a multitude of different systems. As seen in Figure 16, more than half of all organizations say that antivirus software is always installed on various endpoint devices, including Windows-based PCs, Macs, and a number of mobile device types. While the PC numbers are certainly possible, ESG isn’t so sure about the responses for AV installed on mobile devices based upon years of qualitative interviews with CISOs. Respondents may be confusing MDM software agents with AV deployment. If that is the case, CISOs would be wise to reassess malware defenses and risk management scenarios for mobile endpoints.

Figure 16. Installation of Antivirus Software on the Endpoint Devices that the Organization Formally Supports

Source: Enterprise Strategy Group, 2015.

Figure 15 data: On average, approximately how many security agents (i.e., security software installed on an endpoint system that works autonomously and continuously to align endpoint activities with a particular security software function) are installed on a typical endpoint? (Percent of respondents, N=340)

1 agent: 8%
2 agents: 31%
3 agents: 31%
4 agents: 20%
5 agents: 7%
More than 5: 0%
Don’t know: 1%

Figure 16 data: Is antivirus software installed on the endpoint devices your IT organization formally supports? (Percent of respondents; response options were Yes, always; Yes, usually; Yes, but only on a case-by-case basis; No; and Don’t know; the first two shares are shown)

Desktop/laptop (Windows) (N=317): Yes, always 89%; Yes, usually 11%
Desktop/laptop (Mac) (N=236): Yes, always 80%; Yes, usually 17%
Windows Mobile (N=191): Yes, always 61%; Yes, usually 25%
Android devices (i.e., Android phones and tablets) (N=221): Yes, always 57%; Yes, usually 25%
iOS devices (i.e., iPhones, iPads) (N=243): Yes, always 55%; Yes, usually 25%
BlackBerry (N=165): Yes, always 52%; Yes, usually 28%


Clearly, most PCs are instrumented with AV software, but many data breaches can be traced back to an infected PC, compromised by a malicious e-mail attachment, drive-by download, or phishing scam. Given this, do security professionals believe that AV software can actually block and detect the presence of malware? This question seems to present yet another endpoint security enigma. Nearly half (49%) of the security professionals surveyed consider AV software to be very effective at blocking/detecting malware (see Figure 17).

Figure 17. Survey Respondents Rate Their Organization’s Standard Antivirus Software

Source: Enterprise Strategy Group, 2015.

Antivirus vendors have long been trying to shed the perception that antivirus software is nothing more than signature-based endpoint protection. A popular approach to that end has been to add more functionality to their suites. Not every antivirus vendor offers every supplementary function listed as an option in Figure 18, but most of the major players do. The most common features used are AV firewalls, HIPS, and various advanced protection heuristics (see Figure 18). As the data indicates, extra features are not used as often as one might believe.

Figure 17 data: How would you rate standard antivirus software in general (i.e., not specific to your organization’s experience with a particular vendor or solution) in terms of its security efficacy (i.e., ability to prevent and detect security incidents, block/detect advanced and/or targeted malware, etc.)? (Percent of respondents, N=340)

Very effective: 49%
Somewhat effective: 39%
Ineffective: 4%
Very ineffective: 7%


Figure 18. Antivirus Software Supplementary Functionalities Currently Used

Source: Enterprise Strategy Group, 2015.

Like any other information security technology, AV software presents its share of challenges. Nearly half (48%) of security professionals have issues with AV’s impact on overall system performance, making this the most commonly identified issue (see Figure 19). Aside from the effect on system performance, it is also noteworthy that 34% of organizations are challenged by too many false positives, while 33% say that products are not nearly as effective at blocking or detecting malware as they should be.

Once again, these responses would appear to be in stark contrast to the findings presented in Figure 17, in which 49% rated their AV software as very effective. In fact, looking at the AV software challenges cited by these respondents, it is hard to reconcile how AV products could be considered very effective when 29% believe they generate too many false positive alerts and 27% complain that products are not nearly as effective at detecting or blocking malware as they should be (see Table 2). Once again, this illustrates the persistent paradox of endpoint security.

Figure 18 data: Some antivirus products offer supplementary functionality in addition to standard signature-based AV protection. These functions include things like port controls, application white listing, and advanced malware detection. Which of the following–if any–is your organization currently using? (Percent of respondents, N=340, multiple responses accepted)

Endpoint firewall: 58%
Host-based IDS or IPS: 53%
Advanced protection: 52%
File-integrity monitoring (FIM): 46%
Reputation-based protection: 46%
Cloud-based threat intelligence: 44%
Port controls: 43%
Application sandboxing: 42%
Application controls: 41%
Browser sandboxing: 28%
None of the above: 1%


Figure 19. Challenges Experienced with Antivirus Products as Part of Organization’s Endpoint Security Strategy

Source: Enterprise Strategy Group, 2015.

Table 2. AV Product Challenges, by Organizations that Rate Their Standard AV Software as Very Effective

Respondents who report: Standard AV software is very effective in terms of its security efficacy (i.e., ability to prevent and detect security incidents, block/detect advanced and/or targeted malware, etc.) (N=168)

New product revisions tend to be very different from previous versions, requiring a lot of time and resources for training and deployment: 41%
Too many false positives that classify benign files/software as malware: 29%
Products are not nearly as effective at blocking and/or detecting malware as they should be: 27%
Products are too complex to configure or manage to their full potential: 24%

Source: Enterprise Strategy Group, 2015.

While AV software is nearly ubiquitous on PCs and servers, it is not unusual for organizations to deploy several distinct AV products across the enterprise. It is not surprising, therefore, that only 27% have a single, enterprise standard for AV (see Figure 20). These results make sense since larger organizations often have decentralized IT organizations that purchase and implement technologies for individual business units or geographic locations. Nevertheless, CISOs may want to consider organizational standards for AV to gain experience and establish best practices around particular AV products.

Figure 19 data: What challenges – if any – has your organization experienced with the antivirus products used as part of its endpoint security strategy? (Percent of respondents, N=340, multiple responses accepted)

Products impact overall performance of endpoint systems: 48%
New product revisions tend to be extremely different from previous versions requiring a lot of time and resources for training and deployment: 35%
Too many false positives that classify benign files/software as malware: 34%
Products are not nearly as effective at blocking and/or detecting malware as they should be: 33%
AV management doesn’t integrate with other security and IT management systems: 29%
Products are too complex to configure and manage to their full potential: 26%
AV management systems don't scale to support enterprise needs: 24%
We have not experienced any challenges with antivirus products: 13%

Figure 20. Approximate Number of Unique Antivirus Software Products Deployed

Source: Enterprise Strategy Group, 2015.

Whether antivirus is cast in the IT operations or information security domain, most organizations like to ensure that their deployments are always up to date. Indeed, 50% of respondents indicate that their organizations upgrade to the latest version of antivirus software immediately, while another 39% upgrade within six months (see Figure 21).

Figure 21. Antivirus Upgrade Patterns

Source: Enterprise Strategy Group, 2015.

Figure 20 data: Approximately how many unique antivirus software products does your organization have deployed throughout the enterprise? (Percent of respondents, N=340)

One unique antivirus product deployed across the enterprise: 27%
Two unique antivirus products deployed across the enterprise: 44%
Three unique antivirus products deployed across the enterprise: 21%
Four unique antivirus products deployed across the enterprise: 6%
Five unique antivirus products deployed across the enterprise: 2%
Don’t know: 1%

Figure 21 data: Does your organization upgrade to the latest version of antivirus software when your vendor(s) introduces a new version of its product? (Percent of respondents, N=340)

Yes, immediately: 50%
Yes, within 6 months of the new release: 39%
Yes, within one year of the new release: 8%
Yes, but we do so as we can over some undefined period of time: 2%
No, we tend to stick with what we have: 1%


As described, many organizations deploy several different AV software products across the enterprise. Additionally, security professionals report that their organizations are willing to replace one AV product with another on a fairly regular cadence: 22% of organizations change vendors frequently, while another 22% change vendors on an occasional basis (see Figure 22). Alternatively, only 5% say that they never change antivirus vendors.

Figure 22. How Often Organizations Change Antivirus Vendors

Source: Enterprise Strategy Group, 2015.

The ESG data presents a picture of AV deployment polarity as about half of all organizations willingly replace AV products while the other half do so rarely if ever. What’s behind these discrepancies? ESG explored this question with each camp. First, organizations that rarely or never change AV vendors have invested time and resources into developing skills, learned how to manage their AV tools at scale, and developed best practices with AV products (see Figure 23). Interestingly, 22% of these organizations believe that they get the best possible price from their existing AV vendors so they don’t bother price shopping their business to others. Perhaps these firms have also conducted cost/benefit analysis studies and concluded that the benefits of saving a few dollars per seat do not outweigh the cost of a replacement project across thousands of endpoints or of disrupting existing endpoint security operations processes.

As for those willing to change AV vendors, these organizations are driven primarily by financial considerations. Indeed, more than one-third (37%) believe they can get the best possible price on AV products by having vendors compete for their business on a regular basis (see Figure 24). Remarkably, one-third of organizations said that they willingly change AV vendors because AV is a priority and they are constantly seeking the best product available. This is a unique philosophy demanding a highly knowledgeable security staff with appropriate resources for regular AV testing.

How often does your organization change antivirus vendors (i.e., when it is time to renew the annual antivirus subscription)? (Percent of respondents, N=340)

- Frequently: 22%
- Occasionally: 34%
- Rarely: 40%
- Never: 5%


Figure 23. Why Organizations Do Not Change Antivirus Vendors

You indicated that your organization does not change antivirus vendors often or ever. What is the primary reason why this is the case? (Percent of respondents, N=151)

- We have invested time and resources into our vendor’s AV management platform and would need to start over again if we switched AV products: 25%
- We believe we get the best pricing possible from our existing AV vendor: 22%
- We have developed strong skills and/or processes with our current AV product and would need to start over again if we switched AV products: 21%
- We’ve made a strategic commitment to our AV vendor (i.e., use other non-AV products from this vendor, integrate multiple products from this vendor, work with the vendor on product development and roadmaps, etc.): 18%
- We would rather invest our security time and resources in other areas than making an AV change: 13%
- Other: 1%
- Don’t know: 1%

Source: Enterprise Strategy Group, 2015.

Figure 24. Why Organizations Are Not Averse to Changing Antivirus Vendors

You indicated that your organization is not averse to changing antivirus vendors often. What is the primary reason why this is the case? (Percent of respondents, N=189)

- We believe that we can get the best possible pricing by having vendors compete for our business regularly: 37%
- We consider AV to be a priority and are continually seeking the best product available: 33%
- We have not made a strategic vendor commitment so we are regularly open to changing for a variety of reasons (price, functionality, etc.): 15%
- We have not developed a deep skill set with one product, so we are regularly open to changing for a variety of reasons (price, functionality, etc.): 7%
- We have not invested a lot of time and resources into our current AV so we do not feel much would be lost by changing: 7%
- Don’t know: 1%

Source: Enterprise Strategy Group, 2015.


In 2013, ESG asked 315 enterprise security professionals whether they agreed or disagreed with the following statement:

Host-based security software (i.e., AV) is a commodity product with little measurable differences between brands.

As it turned out, 44% of the information security professionals surveyed agreed with this statement.1 This opinion likely underlies the large percentage of organizations willing to replace one AV vendor with another. Some organizations are considering further action on their belief that AV is a commodity by replacing commercial AV software with free antivirus alternatives. Nearly one in five (19%) say it is extremely likely and that they are already evaluating/implementing free AV offerings, while 38% claim that it is likely that they will replace commercial AV with free antivirus alternatives (see Figure 25). If organizations proceed down the free AV path, it could have a major impact on the $5 to $7 billion commercial AV market.

Figure 25. Likelihood of Replacing Commercial Antivirus Software with an Alternative Free Antivirus Product

Source: Enterprise Strategy Group, 2015.

Data Security on Endpoint Devices

Blocking and detecting the presence of malware is just one aspect of endpoint security. Endpoints are used to access, manipulate, and store various types of sensitive information like customer and regulated data, intellectual property (IP), etc. Loss or theft of this type of data is extremely likely to have financial implications.

How are organizations protecting the confidentiality, integrity, and availability of data stored on endpoints? ESG asked security professionals about a series of data security technologies to see which ones are used most. Security professionals indicated that their organizations utilize file-based encryption, encryption of removable storage, and full-disk encryption most extensively (see Figure 26).

1 Source: ESG Research Report, Advanced Malware Detection and Protection Trends, September 2013.

How likely would your organization be to replace its commercial antivirus software with an alternative free antivirus product(s)? (Percent of respondents, N=340)

- Extremely unlikely (we would never replace our proven commercial antivirus products with free alternative versions): 10%
- Unlikely (free antivirus products would have to achieve wide market acceptance and establish a proven track record of reliability before we’d consider switching): 13%
- Neutral (we’re satisfied with our antivirus environment at the moment, but we might be open to change down the road): 20%
- Likely (we’re interested in learning more about free antivirus offerings, but have not taken any steps in that direction at this point): 38%
- Extremely likely (we have already started evaluating/implementing free antivirus offerings): 19%


Figure 26. Usage of Security Software Technologies to Protect Sensitive Data on Endpoint Devices

Source: Enterprise Strategy Group, 2015.

Once again, this data presents a somewhat muddled picture. ESG was very careful to define DLP and Digital Rights Management software in terms of functionality and form factor. In other words, survey respondents were clearly asked about specialized add-on software rather than DLP or DRM functionality provided as part of an endpoint security suite or deployed elsewhere on the network. In spite of these specific definitions, however, more than half (52%) of security professionals believe their organizations use endpoint DLP in an extensive manner, while 47% say they use endpoint DRM extensively.

These responses simply don’t align with historical market research indicating that deployment of endpoint DLP and DRM software is fairly low. Of course, ESG did not define the term “extensively,” but it’s fair to assume that endpoint DRM software deployed only in the legal department would not constitute extensive use. Once again, ESG believes that organizations remain confused about what security controls they have, where they are deployed, and whether these controls address endpoint security requirements or not.

Many organizations report a number of challenges with endpoint data security software technologies. For example, 39% say that endpoint data security software can impact user productivity, and 38% claim that endpoint data is difficult to secure because it constantly moves and changes (see Figure 27). This data is important because any security control that interferes with user productivity is often phased out, leading to a rapid increase in IT risk. CISOs should work with their line-of-business management colleagues closely to create the right data security policies and controls to bridge the gap between data security and usability.

Figure 26 (data). Is your organization using any of the following security software technologies to protect sensitive data stored on endpoint devices? (Percent of respondents, N=340; responses: yes, we use extensively / yes, we use on a case-by-case basis / no)

- Specific Digital Rights Management software for PC endpoints: extensively 47%, case-by-case 38%, no 15%
- Any type of encryption for mobile devices (i.e., smartphones, tablets, fixed-function devices, etc.): extensively 49%, case-by-case 40%, no 11%
- Specific Data Loss Prevention software for PC endpoints: extensively 52%, case-by-case 38%, no 9%
- Full-disk encryption on laptop/desktop PCs (any operating system): extensively 53%, case-by-case 39%, no 8%
- Encryption of removable storage on laptop/desktop PCs: extensively 56%, case-by-case 34%, no 10%
- File-based encryption of laptop/desktop PCs (any operating system): extensively 56%, case-by-case 35%, no 9%

A "Don’t know/not applicable" response of 1% appears for two of the items; the extracted chart does not show which.


Figure 27. Challenges of Data Security Software on Endpoint Devices

Source: Enterprise Strategy Group, 2015.

New Types of Endpoint Security Technologies

While 49% of security professionals believe that their AV software is very effective at blocking/detecting the presence of malware, the ESG data indicates that they are quite willing to add incremental layers of defense for endpoint security. VC-backed startups and established security vendors now offer a plethora of new tools and technologies to address enhanced endpoint security requirements.

As part of its survey, ESG presented respondents with the following description of advanced malware detection/prevention products for endpoint security:

There have been numerous products introduced over the past few years that are specifically designed to detect and/or block advanced malware that circumvents traditional antivirus software. Typically, these tools perform dynamic analysis of files to identify malware, contain malware, or detect suspicious endpoint-based network connections. Note that the following questions are about the use of specific advanced malware tools and not related to core or even advanced functionality in standard antivirus software.

This definition was used to make it clear to respondents that the questions were about new types of software and not about cutting-edge AV features/functionality. Based upon this definition, 54% of security professionals indicate that they are very familiar with anti-malware detection/prevention offerings, while another 43% claim that they are somewhat familiar with this type of endpoint security software (see Figure 28).

Figure 27 (data). What are your organization’s biggest challenges in terms of data security software on endpoint devices? (Percent of respondents, N=335, two responses accepted)

- We do not have the right skill set to use certain data security technologies: 11%
- We don’t have a clear strategy for data security on endpoints: 12%
- We have not classified data appropriately so we really don’t know what data is sensitive and should be protected: 15%
- We lack the right level of collaboration between security, IT, and business groups to effectively secure sensitive data on endpoints: 27%
- We share sensitive data with 3rd parties often and don’t have the authority to secure sensitive data in these cases: 27%
- Endpoint data constantly moves and changes so it is difficult to keep up with appropriate data security: 38%
- Endpoint data security software can impact user productivity: 39%


Figure 28. Familiarity with Types of New Advanced Malware Detection/Prevention Products

Source: Enterprise Strategy Group, 2015.

Are organizations using this advanced anti-malware software on endpoints? Many are: nearly one-third (32%) report that they are already deploying advanced malware software extensively on endpoint systems, and another 41% do so on a more limited basis (see Figure 29). As for the rest of the survey population, 26% are planning to deploy advanced malware protection or are interested in doing so in the future. CISOs and security technology products/services vendors should interpret this data in context. While it can’t be used to determine absolute market penetration or revenue, it does point to an evolving trend in which AV software will increasingly be supplemented with other types of anti-malware protection. CISOs should treat this ongoing trend as a developing endpoint security best practice and make sure they include advanced anti-malware tools as part of their endpoint security strategies. Vendors should be ready to differentiate their offerings against standard AV and an emerging army of advanced anti-malware software offerings.

Figure 29. Deployment of Advanced Malware Detection/Prevention Software

Source: Enterprise Strategy Group, 2015.

Figure 28 (data). How familiar are you with these types of new advanced malware detection/prevention products (i.e., those that are offered as a supplement to traditional AV)? (Percent of respondents, N=340)

- Very familiar: 54%
- Somewhat familiar: 43%
- Not very familiar: 3%

Figure 29 (data). Has your organization deployed or is it considering deploying this type of advanced malware detection/prevention software (in addition to traditional AV)? (Percent of respondents, N=329)

- Yes, already doing this extensively: 32%
- Yes, already doing this on a limited basis: 41%
- No, but we are planning to do so in the next 24 months: 20%
- No, but we are interested in doing so at some point: 6%
- No, and we have no plans for or interest in doing so in the future: 1%
- Don’t know: 1%


ESG wanted to understand why organizations are moving beyond AV alone and adding new types of advanced anti-malware software on endpoint devices. The responses point to an interesting mix of supply and demand (see Figure 30). On the demand side, 31% of organizations are deploying advanced anti-malware on endpoints based upon a recommendation from service providers or penetration testers; 30% are doing so because of security intelligence indicating that their organization may be the target of cyber-adversaries; and 27% are deploying advanced anti-malware software on endpoints because of security breaches at other organizations within their industries. From a supplier perspective, note that 35% of organizations were presented with the opportunity to acquire/deploy advanced anti-malware products at a very low cost. In other words, vendors are trying to gain market share by essentially giving away their products with the hope that customers will renew their subscriptions. While this is a common business tactic for VC-backed startups, only a handful of established vendors can actually pull off this tactic. CISOs should carefully assess the business model, financial strength, and long-term viability of advanced anti-malware firms before moving forward. An attractive short-term deal may become a fool’s errand when critical layers of defense become obsolete if and when aggressive startups go out of business.

Figure 30. Reasons for Deploying or Considering Deploying Advanced Malware Detection/Prevention Software

Source: Enterprise Strategy Group, 2015.

Aside from advanced anti-malware software, ESG also wanted to investigate plans for endpoint forensics. ESG provided the following definition of endpoint forensics to survey respondents:

Endpoint forensic solutions typically install software agents on endpoint systems and then collect data on various aspects of system behavior that may indicate that a system has been compromised by malware. For example, endpoint forensic solutions may monitor registry changes, file downloads, in-memory processes, and network connections. Anomalous activities in these (and other) areas could help an organization improve incident detection, analyze the scope of an attack, and understand the timing and actions of various system changes. In aggregate, this data can be used to improve incident detection and response. Note that endpoint forensic capabilities are NOT a standard function of traditional antivirus software.

Figure 30 (data). Why has your organization deployed or is it planning on/interested in deploying this type of advanced malware detection/prevention software (in addition to traditional antivirus)? (Percent of respondents, N=324, two responses accepted)

- My organization suffered a security breach in the past, so we are adding new security controls to mitigate the risk of another breach: 18%
- Our current antivirus software cannot detect or block advanced malware threats well enough on its own: 18%
- One or several organizations in my industry have suffered a security breach so we decided to add an additional layer of endpoint security software: 27%
- While my organization has not been breached, we have intelligence suggesting that we are being targeted by cyber-adversaries so we are adding another layer of endpoint security to mitigate this risk: 30%
- Service providers or penetration testing indicated that my organization should purchase and deploy advanced malware detection/prevention software: 31%
- We were presented with the opportunity to acquire/deploy this type of advanced malware detection/prevention software at a very low cost so it was relatively easy to achieve the ROI metrics we require: 35%
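The telemetry the definition describes (registry changes, file downloads, in-memory processes, network connections) only becomes useful for incident detection once events are placed on a per-host timeline and correlated. The following is an added illustration of that step; it is not code from the ESG report or from any vendor’s product. The host names, file paths, registry keys, addresses, timestamps and the two detection rules are constructed assumptions chosen for the example.

```python
"""Timeline correlation of endpoint forensic telemetry (constructed example).

The event kinds are the ones the ESG definition lists for endpoint forensic
agents: registry changes, file downloads, in-memory processes and network
connections.  The correlator orders events per host and raises a finding for
two assumed anomaly patterns:
  1. autorun_from_user_dir: a process whose image lives in a user-writable
     directory wrote an autorun registry value (persistence);
  2. downloaded_binary_connects: a freshly downloaded file was executed and
     opened an outbound connection shortly afterwards (possible beaconing).
All hosts, paths, keys, addresses and timestamps are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed autorun locations; real agents carry far longer lists.
AUTORUN_KEYS = (
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
)
# Assumed user-writable roots: binaries here should not be installing persistence.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")
# Assumed window between a download and the first outbound connection.
DOWNLOAD_TO_CONNECT_WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # "file_download" | "process_start" | "registry_set" | "net_connect"
    process: str   # image path of the acting process
    detail: str    # downloaded file, registry value path, parent, or remote endpoint


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def correlate(events):
    """Return findings as (host, rule, process, explanation) tuples."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)          # build the per-host timeline
        downloaded = {}                        # lower-cased file path -> download time
        for ev in evs:
            if ev.kind == "file_download":
                downloaded[ev.detail.lower()] = ev.ts
            elif ev.kind == "registry_set":
                key = ev.detail.rsplit("\\", 1)[0]   # strip the value name
                if key in AUTORUN_KEYS and is_user_writable(ev.process):
                    findings.append((host, "autorun_from_user_dir", ev.process,
                                     f"{ev.process} wrote {ev.detail} at {ev.ts:%H:%M:%S}"))
            elif ev.kind == "net_connect":
                dl_ts = downloaded.get(ev.process.lower())
                if dl_ts is not None and ev.ts - dl_ts <= DOWNLOAD_TO_CONNECT_WINDOW:
                    findings.append((host, "downloaded_binary_connects", ev.process,
                                     f"{ev.process} connected to {ev.detail} "
                                     f"{(ev.ts - dl_ts).seconds}s after download"))
    return findings


# Constructed sample telemetry: one suspicious host, one benign vendor updater.
T0 = datetime(2015, 1, 12, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "ws-0142", "file_download",
          "C:\\Program Files\\Browser\\browser.exe", "C:\\Users\\jdoe\\Downloads\\invoice.exe"),
    Event(T0 + timedelta(seconds=40), "ws-0142", "process_start",
          "C:\\Users\\jdoe\\Downloads\\invoice.exe", "parent=explorer.exe"),
    Event(T0 + timedelta(seconds=45), "ws-0142", "registry_set",
          "C:\\Users\\jdoe\\Downloads\\invoice.exe",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    Event(T0 + timedelta(seconds=50), "ws-0142", "net_connect",
          "C:\\Users\\jdoe\\Downloads\\invoice.exe", "203.0.113.7:443"),
    Event(T0 + timedelta(minutes=5), "ws-0077", "registry_set",
          "C:\\Program Files\\Vendor\\updater.exe",
          "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater"),
    Event(T0 + timedelta(minutes=6), "ws-0077", "net_connect",
          "C:\\Program Files\\Vendor\\updater.exe", "198.51.100.20:443"),
]

if __name__ == "__main__":
    for host, rule, process, why in correlate(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {why}")
```

The benign updater on ws-0077 also writes an autorun value and connects outbound, but neither rule fires because its image is in a protected directory and was not just downloaded; that is the point of correlating across event types rather than alerting on any single registry or network event. Tuning the prefixes, keys and time window to the environment is what separates a usable detection from a noisy one.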

The preponderance of security professionals were either very familiar (46%) or somewhat familiar (41%) with endpoint forensics solutions based upon the ESG definition (see Figure 31).

Figure 31. Familiarity with Endpoint Forensic Solutions

Source: Enterprise Strategy Group, 2015.

The research indicates that the future of endpoint security will include both advanced anti-malware and endpoint forensics. Nearly one-third (31%) of organizations are already deploying endpoint forensics tools extensively on their endpoint devices, while another 38% report doing so more selectively. The vast majority of other organizations are planning to add endpoint forensics solutions or are interested in doing so in the future (see Figure 32).

Figure 32. Deployment of Endpoint Forensics Solution

Source: Enterprise Strategy Group, 2015.

Figure 31 (data). How familiar is your organization with endpoint forensic solutions? (Percent of respondents, N=340)

- Very familiar: 46%
- Somewhat familiar: 41%
- Not very familiar: 11%
- Not at all familiar: 1%

Figure 32 (data). To the best of your knowledge, has your organization deployed or is it considering deploying an endpoint forensics solution? (Percent of respondents, N=298)

- Yes, already doing this extensively: 31%
- Yes, already doing this on a limited basis: 38%
- No, but we are planning to do so in the next 24 months: 17%
- No, but we are interested in doing so at some point: 12%
- No, and we have no plans for or interest in doing so in the future: 2%
- Don’t know: 1%


Unlike advanced anti-malware, which organizations tend to add in response to external triggers (see Figure 30), endpoint forensics is being adopted proactively by many organizations as a means of improving incident detection and response (see Figure 33). In these cases, the security team is focused on collecting and analyzing endpoint forensic data, correlating it with other types of security data, and then using security data analytics to guide anomaly detection, problem isolation, and response priorities.

Figure 33. Reasons for Deploying or Planning to Deploy/Interested in Deploying an Endpoint Forensics Solution

Source: Enterprise Strategy Group, 2015.

Figure 33 (data). Why has your organization deployed or is it planning on/interested in deploying an endpoint forensics solution? (Percent of respondents, N=291, two responses accepted)

- My organization suffered a security breach in the past, so we are adding an endpoint security forensics solution to mitigate the risk of another breach: 10%
- We use endpoint forensics software for internal investigations: 16%
- One or several organizations in my industry have suffered a security breach so we decided to add an endpoint security forensics solution to proactively mitigate IT risk: 19%
- We are doing more around network forensics and believe that an endpoint forensics solution will complement and supplement this work: 22%
- We believe that an endpoint forensics solution can help us reduce the workload on our security analyst team: 23%
- While my organization has not been breached, we have intelligence suggesting that we are being targeted by cyber-adversaries so we are adding an endpoint security forensics solution to mitigate this risk: 24%
- We believe that an endpoint forensics solution can help us improve the time it takes for incident detection: 29%
- We believe that an endpoint forensics solution can help us improve the time and effectiveness related to incident response: 29%


Finally, endpoint forensics tools are also being considered in the greater context of security analytics. One-third of organizations are integrating endpoint forensics solutions with network-forensics and/or security analytics tools (i.e., SIEM, big data security analytics systems, etc.) extensively, while another 38% are integrating endpoint and network forensics on a limited basis (see Figure 34).

Figure 34. Interest in Integration Between an Endpoint Forensics Solution and Other Types of Security Analytics Systems

Source: Enterprise Strategy Group, 2015.

Some organizations are integrating endpoint forensics solutions with network-forensics and/or security analytics tools (i.e., SIEM, big data security analytics systems, etc.). Is your organization doing or planning to do any type of similar integration between an endpoint forensics solution and other types of security analytics systems? (Percent of respondents, N=291)

- Yes, already doing this extensively: 33%
- Yes, already doing this on a limited basis: 38%
- No, but we are planning to do this type of integration within the next 24 months: 18%
- No, but we are interested in doing this type of integration in the future: 8%
- No, and we have no plans for or interest in doing so in the future: 2%


Endpoint Security Services

It is clear that endpoint security can be a difficult challenge for organizations. Strong endpoint security demands the right skills, policies, technology controls, and oversight. Given this, emerging endpoint security requirements can be overwhelming for many organizations, so—at least for some—it makes sense to outsource aspects of endpoint security to capable service providers. This behavior may be far more prevalent than conventional wisdom would suggest as 57% of organizations report using managed security services for at least one facet of endpoint security today, while an additional 21% plan to do so in the next 24 months (see Figure 35).

Figure 35. Usage of a Managed Security Service for Any Aspect of Endpoint Security

Source: Enterprise Strategy Group, 2015.

Which endpoint security services are being utilized the most? As Figure 36 reveals, antivirus deployment and management, and endpoint security monitoring and management were the two most commonly cited responses, followed by DLP/DRM, advanced malware protection, and encryption/key management.

Figure 36. Endpoint Security Services Currently in Use or Expected to Be Used

Source: Enterprise Strategy Group, 2015.

Figure 35 (data). Is your organization using a managed security service for any aspect of endpoint security? (Percent of respondents, N=340)

- Yes: 57%
- No, but we are planning to do so in the next 24 months: 21%
- No, but we are interested in doing so in the future: 13%
- No, and we have no plans for or interest in doing so: 6%
- Don’t know: 2%

Figure 36 (data). Which of the following endpoint security services is your organization using or planning to use? (Percent of respondents, N=313, multiple responses accepted)

- Incident response: 35%
- Incident detection: 36%
- Endpoint forensics: 44%
- Disk encryption and key management: 46%
- Advanced malware software deployment and management: 50%
- Data loss prevention and/or Digital Rights Management: 54%
- Endpoint security monitoring and management: 58%
- Antivirus deployment and management: 58%


Organizations are flocking to endpoint security services for a number of reasons. Specifically, 45% believe that a managed security service for endpoint security can help them with incident detection, prevention, or response, while 37% report that managed security is a way to reduce costs (see Figure 37). Surprisingly, 35% report that they are using or planning to use managed security services for all aspects of endpoint security.

In some ways, the use of endpoint security services follows a pattern that is consistent with other types of IT services. Many organizations look toward services for two types of activities: 1) pedestrian tasks for which outsourcing is more cost effective than hiring or dedicating full-time employees, or 2) advanced tasks requiring specialized skill sets. AV deployment/management fits into the former category, while endpoint security monitoring may fit into the latter. The popularity of endpoint security services may also increase in light of a general movement toward SaaS solutions. Given the potential cost savings associated with SaaS, many CISOs are now being asked to consider SaaS options as part of the selection process for all cybersecurity technologies. Since endpoint security often involves high capital and operating costs, it may be easier to justify a SaaS solution for endpoint security than for other information security needs.

Figure 37. Reasons for Using or Planning to Use Managed Services for Endpoint Security

Source: Enterprise Strategy Group, 2015.

Figure 37 (data). You’ve indicated that your organization is currently using or planning on/interested in using managed services for some aspects of endpoint security. What are the reasons for pursuing this course of action? (Percent of respondents, N=313, multiple responses accepted)

- My organization does not have the right level of endpoint security skills to address the current threat landscape, so we decided to move toward a managed security service: 21%
- My organization doesn’t have the right sized staff to address our endpoint security needs so we decided to move toward a managed security service: 21%
- Endpoint security is not a core competency of IT and/or the business so we prefer to outsource this to a managed security service provider: 25%
- We are actively looking for areas where we can replace internal activities with SaaS alternatives: 27%
- We are already using managed security services in other areas so endpoint security is the next phase of our project: 31%
- We are using (or plan to use) managed services for all aspects of endpoint management and endpoint security: 35%
- We believe that a managed security service for endpoint security can help us reduce costs: 37%
- We believe that a managed security service for endpoint security can help us improve incident prevention, incident detection, or incident response: 45%


Future Endpoint Security Strategy Decisions

The endpoint security enigma presented throughout this report demonstrates that many organizations are overwhelmed and confused by endpoint security. The task of selecting the best products—as well as deploying and managing those products appropriately—can be daunting, leaving organizations unsure of where to even begin.

One possible way to address this complexity is by deploying integrated endpoint security solutions designed to address all aspects of both legacy and burgeoning endpoint security requirements. This appears to be an appealing option, as 58% believe that a comprehensive endpoint security software suite from a single vendor would be the most attractive option for their organization (see Figure 38). In the past, security professionals may have opted instead for a portfolio of best-of-breed endpoint security tools and, indeed, 33% of organizations continue to favor this approach. On balance, however, the perceived ease of use and streamlined operations offered by integrated suites trumps the best-of-breed option by a significant margin.

Figure 38. Type of Endpoint Security Technology Approaches Most Attractive to Organizations

Source: Enterprise Strategy Group, 2015.

Since many organizations would prefer a comprehensive endpoint security software suite, ESG wondered what type of functionality these suites should include. Interestingly, many security professionals yearn for a suite that contains the two new endpoint security capabilities that many are adding today—advanced malware detection and endpoint forensics (see Figure 39). Aside from these, security professionals want a long menu of other options including full-disk encryption, application sandboxing, and other capabilities.

Many organizations also want some additional help with remediation so they don’t have to reimage systems each time they encounter a security issue. More than three-quarters (76%) of organizations state that the inclusion of remediation and recovery capabilities in an endpoint security suite would be very important to their organization (see Figure 40).

As new endpoint security requirements arise and your organization considers new endpoint security controls and analytics, which of the following choices do you think would be most attractive to your organization? (Percent of respondents, N=340)

- A comprehensive endpoint security software suite from a single vendor: 58%
- An assortment of endpoint security technologies from various vendors, enabling my organization to choose best-of-breed products in each category: 33%
- A portfolio of endpoint security products from various vendors that establish technical partnerships to integrate their products together into a heterogeneous endpoint security suite: 8%
- Don’t know: 1%


Figure 39. Functionality Most Desired in a Comprehensive Endpoint Security Product Offering

Source: Enterprise Strategy Group, 2015.

Figure 40. Importance of the Inclusion of Remediation and Recovery Capabilities in an Endpoint Security Suite

Source: Enterprise Strategy Group, 2015.

Figure 39 (data). Aside from traditional antivirus software functionality, which of the following functionality would be most attractive to your organization as part of a comprehensive endpoint security product offering? (Percent of respondents, N=340, three responses accepted)

- DLP/DRM software client: 11%
- Phone home beaconing for lost/stolen endpoint devices: 13%
- Port controls: 13%
- Removable storage media encryption: 14%
- Application controls: 18%
- Endpoint-based digital certificate that can be used for device authentication: 24%
- File-based encryption: 25%
- Application sandboxing: 27%
- Full-disk encryption: 33%
- Endpoint forensics software: 43%
- Advanced malware detection functionality: 45%

Figure 40 (data). How important is the inclusion of remediation and recovery capabilities (i.e., advanced software functionality that provides for malware removal and system recovery without the need to reimage a system) in your endpoint security suite? (Percent of respondents, N=223)

- Very important: 76%
- Somewhat important: 22%
- Not very important: 2%


Conclusion

The data presented in this report indicates a fair amount of endpoint security activity. To address the increasingly insidious threat landscape, organizations are evaluating endpoint security policies and processes, training the security staff, and deploying an assortment of new endpoint security technologies. While CISOs take on these tasks, endpoint systems continue to grow more powerful, more mobile, and more connected to an assortment of cloud-based applications for corporate and personal use. Given this vexing situation, it is easy to understand why security professionals believe that endpoint security is growing more difficult.

Somehow, CISOs and endpoint security product/services vendors must strive to bring order to the current state of endpoint security chaos. New endpoint security technologies will certainly help, but ESG believes that the future of strong endpoint security depends upon a thoughtful assessment of where we are today, how we got to this point, and what we need to change to cope with new endpoint security realities. For example, many organizations are overwhelmed by endpoint security “firefighting,” more than one-third still treat endpoint security as a regulatory “checkbox,” and 29% believe that endpoint security remains dependent upon too many manual processes. Smart CISOs will recognize these historical shortcomings and will thus include people, process, and technology improvement considerations in their future endpoint security strategies.

Research Implications for Information Security Vendors

Endpoint security product and services vendors have a great opportunity moving forward. After all, 57% of organizations have increased their endpoint security budgets while 56% have already started to move down the path of purchasing next-generation endpoint security technologies to complement—and in some cases replace—traditional offerings.

While ESG’s data clearly indicates numerous market opportunities, it also points to endpoint security chaos and organizational confusion. Panicky CISOs often react to new threats by purchasing the latest threat management technologies, but these point tools are typically subsumed into a more strategic security architecture or product suite over time. Given this, the most successful endpoint security vendors will be those that help customers through both short-term emergencies and long-term strategic direction.

Endpoint security vendors need a plan to capitalize on market churn and execute on a business plan for future growth. To accomplish these distinct goals, endpoint security vendors must:

Educate the market. Throughout this report, ESG pointed out the paradox of endpoint security. ESG believes that a lot of these apparent contradictions stem from the fact that many organizations address endpoint security tactically with a combination of AV software, junior IT operations staff, and regulatory compliance checkbox audits. Many CISOs realize that this is ineffective, but aren’t sure what’s needed to move beyond this endpoint security legacy. Smart endpoint security vendors will help bridge this knowledge gap with proactive market education as part of customer support efforts. For example, AV vendors may want to educate customers on product functionality as many organizations do not take advantage of all aspects of built-in software defenses. Furthermore, endpoint security is too often treated generically with standard device configurations, scanning/patching processes, and installed security software. Endpoint security vendors should help with customized defenses built for different types of users, devices, and industry threats. For example, retail organizations should have specific defenses for POS systems, while technology companies should bolster data security controls on developers’ systems. Holding customer hands can add cost, but it will pay off in the long term when tactical product sales turn into strategic accounts.

Focus on ease of use and security operations. While ESG’s data indicates that some organizations believe they have the right endpoint security skills and staff levels, many still point to challenges around manual processes, endpoint security monitoring, and constant “firefighting.” Additionally, 21% of current users of and those considering endpoint security services are doing so because they lack the necessary in-house endpoint security or threat intelligence skills to do this on their own. ESG believes that endpoint security product and services vendors should assume that their customers are understaffed or lacking in aspects of endpoint security skills. Endpoint security technology discussions are dominated by efficacy—the ability to prevent, detect, or respond to endpoint security incidents. While security efficacy will remain tantamount, vendors should realize that it can only be achieved if the security staff has the time and skill set necessary to manage and operate best-of-breed security technologies. Given the global cybersecurity skills shortage, it is incumbent upon endpoint security vendors to make their technologies simple and easy to use. Beyond improved GUIs, this demands the right reporting capabilities and endpoint security products designed for integration with network security and security analytics technologies.

Integrate products and services. More than half of all organizations report using some type of managed endpoint security service today or plan to do so in the future. This data is consistent with other ESG research, all of which pointed to a precipitous increase in the use of managed security services. This trend bodes well for MSSPs, but all vendors must understand that endpoint security will most likely be a mix of products and services, especially within enterprise organizations. The best offering will be hybrid in nature—a flexible combination of on-premises technologies and SaaS offerings with common policy management, reporting, and operations. Furthermore, vendors should offer flexible pricing and options so customers can mix and match products and SaaS offerings and have the freedom to replace one with another, without the fear of incurring any financial penalty for doing so.

Make data security part of endpoint security. While most organizations use some type of encryption or other security controls for data security, the survey data points toward tactical tools, incomplete policies, and lots of vulnerabilities. Enterprise data governance and security projects can be time consuming and costly, which may be why so many organizations address data security on a catch-as-catch-can basis. Nevertheless, valuable data is more at risk today than any time in the past. As CISOs work with business managers to address this risk, security vendors should create products and strategies assuming that customers will bolster data security in phases. In the short term, this means identifying sensitive data and then adding data security controls for protection and monitoring. Vendors should help customers with these “crown jewels” projects and then work with them to extend data security controls, best practices, and comprehensive monitoring for various endpoints (and the sensitive data they contain and access) across the enterprise.

Address the end-user performance stigma. Almost half of security professionals claim that AV products impact the overall performance of endpoint systems, while 39% said that data security products can impact user productivity. Based upon both of these responses, it’s clear that endpoint security products continue to get in the way, and as security professionals know well, business productivity always trumps security. Unfortunately, this may mean that security products are removed or degraded, which may bolster user productivity but also increase IT risk. Endpoint security vendors have several tasks ahead. First, they should test the performance impact of their endpoint security tools in real-world settings. Any performance impact must be addressed in future revisions. Second, endpoint security vendors must work with customers to understand where product performance is a problem. Given today’s multi-core PCs, performance problems may be the results of configuration issues or even simply remnants of security performance stigmas of the past. Vendors should work with customers to find and fix problems and change historical biases. Finally, vendors with high-performance endpoint security tools should make sure to trumpet performance as part of their overall marketing messages. Security efficacy is still the primary priority, but CISOs will certainly pay attention to performance in order to enable the business while simultaneously—and adequately—addressing IT risk.

Create a model that includes mobile devices and the Internet of Things. While most organizations’ primary concerns include cyber-adversaries, malware, and data breaches, securing non-PC devices is a clear emerging issue. Endpoint security vendors should pay attention here and look for opportunities to extend their coverage to mobile device and Internet of Things (IoT) security. ESG believes that security monitoring technologies like endpoint visibility, access, and security (EVAS) should already recognize and profile non-PC devices on the network. Pure-play security technologies for incident prevention, detection, and response should monitor new threats and data breach activity. Once a publicly disclosed data breach is linked to mobile device or IoT security issues, it’s likely that enterprise customers will scramble to add layers of defenses. The most attractive security technology options will be those with an existing endpoint security footprint.

Increase the focus on endpoint identity. With the increasing number of endpoint devices, many organizations are seeking to weave user identity and device security together, especially as employees use multiple devices to get their jobs done. This necessitates strong multi-factor user and device identity linked with factors like user role and machine learning. By bringing these security domains together, CISOs can better identify anomalous behavior regardless of whether it is rooted in a compromised system or a malicious insider. And by taking user and device security analytics into account, the security team should be able to get a more accurate picture of abnormal activities that can help them with risk scoring and prioritizing remediation activities. Given these benefits, endpoint security vendors should integrate tools and analysis with identity management, network access controls, and security analytics engines.

Research Implications for IT and Information Security Professionals

The endpoint security paradox described in this report presents a difficult situation for security professionals. On the one hand, nearly half of organizations believe that their AV software is very effective at blocking/detecting advanced or targeted malware, while on the other, they are reevaluating their endpoint security strategies, training employees, and adopting new types of advanced threat prevention and endpoint forensics technologies.

While the current endpoint security environment is highlighted by these apparent contradictions, many security professionals are reacting to the threat landscape by deploying technologies for new types of malware threats, seeking better endpoint visibility, and improving their ability to prevent, detect, and respond to endpoint security incidents. This activity is certainly justified but the ESG data indicates that many organizations are proceeding haphazardly, layering on additional security controls without a formal enterprise endpoint security strategy. In these cases, new security technologies may provide incremental improvements but they won’t address the challenges associated with manual processes, too many security tools, and constant firefighting exposed in this report.

Endpoint security used to be synonymous with a finite number of activities including secure provisioning, vulnerability scanning, patch management, and antivirus software. This situation is changing rapidly as endpoint security moves toward tight interoperability with other areas like data security, mobile security, network security, and security analytics. As this integration proceeds, organizations will need a comprehensive end-to-end endpoint security strategy designed for greater security efficacy, operational efficiency, and business enablement. To achieve these goals, CISOs should:

Present clear risk management metrics to executive management. When asked to define their endpoint security challenges, 34% of security professionals said that their organizations were more focused on regulatory compliance than addressing endpoint security risks, while 23% view endpoint security as a basic requirement and don’t put enough time or resources into developing best practices. Organizations with these laissez-faire attitudes must understand that they are sitting ducks—an easy target for most competent hackers.

CISOs at these firms must address this situation quickly and aggressively. How? By presenting an endpoint risk management report to the executive team as soon as possible. Smart security managers will eschew technical details and tailor their reports toward business risks like the cost of a data breach, lost revenue, share price declines, litigation, and loss of reputation. It’s sensible to use real-world examples of data breaches to accentuate these points—there are many to choose from. If this doesn’t change minds in the boardroom, CISOs will have no choice but to have executives sign off on the fact that they are willing to accept endpoint security risks and the possible consequences of a security breach. Laggard executives may have a change of heart when they realize that they now own this risk.


Look into staffing and skills. The ESG research indicates that 43% of organizations have a moderate or severe lack of resources capable of supporting endpoint security. Furthermore, 38% claim that the security team is constantly reacting to the security emergencies while 29% say that endpoint security is based upon too many manual processes. All of this data suggests that a fair number of organizations are understaffed and under-skilled when it comes to their information security requirements. Given this, CISOs should assess their current and future information security staffing needs as part of an overall endpoint security strategy. As an example, it is worthwhile to understand whether the current endpoint security and IT operations staff have the bandwidth to take on mobile device security or the skills needed for advanced threat detection/response. As a general rule, ESG believes that CISOs should make every decision with the assumption that they will continue to have an information security skills shortage at their organizations for the foreseeable future. The only way to compensate for the skills shortage is to improve staff efficiency by embracing ease-of-use tools, security technology integration, and process automation.

Get to know their AV. Many organizations manage several AV products today and actively swap out one AV product for another on an annual basis. This complicates AV management as security professionals churn through a multitude of different products. Security professionals also describe challenges as AV can impact system performance, new revisions are often different than previous ones, and AV doesn’t integrate well with other security management technologies. Others say that AV generates too many false positive alerts and some contradict themselves as 33% say that AV software isn’t nearly as effective at blocking/detecting malware as it should be. Given these issues, the ESG research indicates that some organizations are moving beyond AV and deploying additional layers of advanced malware software and endpoint forensics tools. This may be an appropriate next step but ESG suggests that CISOs first take the time to assess their current AV products and practices. For example, it may be worthwhile to standardize on one AV vendor across the enterprise to maximize endpoint security management proficiency and establish best practices. Additionally, security professionals should fully evaluate and test AV feature/functionality before purchasing supplementary endpoint security tools. Many AV vendors already offer some advanced malware prevention/detection capabilities today or plan to add this functionality soon. Finally, all organizations should include stress/performance testing in each and every endpoint security technology they consider. In the current era of endpoints with multi-core processors and gigabytes of memory, any endpoint security tools that place undue stress on system performance should be dismissed or replaced outright.

Develop an endpoint security strategy. The insidious threat landscape combined with IT scale and complexity present new and unprecedented cybersecurity challenges that can no longer be addressed by endpoint security point tools, manual processes, and tactical decisions. CISOs need to move on from the tactical ways of the past and create a comprehensive endpoint security strategy to maximize protection, accelerate detection and response, and streamline security operations. This strategy should include:

o Mobile and IoT. In the past, many organizations employed separate groups for mobile device security and PC security but this situation is changing. According to a recent ESG research report, 49% of enterprise organizations now have a common IT team for mobile and PC security (see the ESG Research Report, The State of Mobile Computing Security, February 2014). PC and mobile device security will continue to come together in the near-term over the next 12-18 months so endpoint security strategies should cover both types of platforms.

During this timeframe, many organizations will also introduce various IoT technologies (sensors, collectors, actuators, etc.) for various industry use-cases. While specialized IoT devices may not be common targets, specialized cyber-adversaries will likely seek to compromise them, alter settings, or steal IoT data. It’s likely that IoT security will differ from PC and mobile device security, but CISOs should remain proactive in this area by monitoring IoT-based business processes, conducting stringent risk assessments, and looking for common areas where endpoint security best practices can be easily extended for IoT.

o Continuous monitoring. A majority (79%) of organizations keep track of endpoint assets with multiple tools and databases. Perhaps this is one reason why 23% of organizations have weaknesses when it comes to monitoring endpoint status to attain a real-time or near real-time inventory of endpoints on the network (i.e., endpoint configurations, installed software, etc.). As the old business adage goes, “you can’t manage what you can’t measure.” This is true of endpoint security as well—it is impossible to secure endpoints if you can’t accurately monitor their status and activities at all times. To attain the right level of continuous monitoring, large organizations should evaluate endpoint visibility, access, and security (EVAS) for endpoint profiling. EVAS tools can be used to monitor and manage all devices (i.e., PCs, servers, mobile devices, IoT, etc.) connected to the network. Many organizations are also integrating EVAS data with other security technologies (SIEM, threat management, MDM, etc.) to enhance threat intelligence and security analytics with endpoint profiling and security information. EVAS and other security analytics can then be used to detect anomalous network activities and help organizations accelerate incident response.

o Network Access Control (NAC). Aside from monitoring, many EVAS solutions can also be used to enforce network access controls. Many organizations are now embracing NAC to enforce granular access controls based upon corporate governance or compliance requirements, and leading NAC solutions can also be used to enforce network access controls for mobile and other types of non-PC devices. Some firms start projects by using EVAS for endpoint profiling/monitoring and then adding NAC capabilities over time. Since NAC can help organizations decrease the endpoint security (and overall cybersecurity) attack surface, NAC should be part of an overall endpoint security strategy.

o Identity. With employees now using multiple devices, endpoint security strategy should overlap with identity management. In this case, security professionals will want to authenticate users and devices, and use this information to enforce access policies. For example, business managers may want to restrict or limit access to sensitive data depending upon attributes like a user’s role, his or her device type, and where he or she is located (i.e. physical location, network location, etc.). CISOs may also want to monitor device and user activities to help them spot anomalous behavior. An employee may have legitimate access to sensitive data but the security team will want to be alerted when they suddenly download hundreds of documents or access sensitive data from a mobile device for the first time. This could indicate a malicious insider, a compromised system, or stolen user credentials.

o Data security. The ESG data demonstrates that organizations are using a variety of controls for data security including disk encryption, file encryption, and port controls. At the same time, security professionals point to data security challenges associated with system performance, data movement, and the need to share sensitive data with external third-parties. ESG believes that this indicates that data security is another area that must evolve from a tactical to a strategic model. Defining this strategy is beyond the scope of this paper but it should include data discovery, classification, role-based access controls, least privilege, and continuous monitoring across the enterprise. From an endpoint security perspective, all mobile devices should be instrumented with encryption and port controls at the very least and these controls should be managed uniformly throughout the enterprise. It’s likely that data security will become more document-centric (i.e., metadata tags built into sensitive documents so that security policies “follow” the document from location to location) in the future in order to protect the confidentiality and integrity of data on endpoints, servers, and in the cloud. CISOs should include this type of functionality in their endpoint security strategies—some tools already offer similar data security today.


o Layered defenses. The ESG data indicates that about one-third of organizations are using advanced malware detection/prevention tools on endpoints. This extends endpoint protection into a defense-in-depth architecture—a good start but not enough. Since endpoints are just one aspect of enterprise security, layered endpoint security defenses should work collaboratively with network defenses, cloud defenses, and threat intelligence. In other words, all security defenses should enforce policies, detect suspicious activities, and remediate security events collectively. In the future, endpoint, network, and cloud defenses should also be coordinated on remediation. When a new threat or suspicious behavior is suspected, security professionals should have the ability to apply new blocking rules on endpoints and networks simultaneously or even move to automated remediation based upon triggers. When new indicators of compromise (IOCs) are identified in the wild, security technologies should automatically generate new firewall rules, IDS/IPS signatures, and AV signatures to block IP addresses, URLs, files, or packets exhibiting newly discovered malicious behavior.

o Endpoint security integration. Over the next few years, organizations will focus a lot of their attention on integrating disparate security technologies to create an enterprise security architecture. This trend was exhibited in Figure 34, where 71% of organizations are already integrating endpoint forensics with SIEM and other security analytics tools. In general, security technology integration projects are intended to help CISOs gather information for end-to-end continuous monitoring, streamline security operations, and accelerate incident detection and response. Security technology integration should also help them cope with the persistent cybersecurity skills shortage by centralizing command-and-control of security management. CISOs should plan for widespread security integration between areas like endpoint and network security, mobile and PC endpoint security, and between various data security tools.
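The Identity item above describes two alerting conditions for a user who holds legitimate access: a sudden burst of document downloads, and first-time access to sensitive data from a device type the user has never used. The following detector is an added illustration, not part of the ESG report; the event format, field names, thresholds, and sample events are all constructed assumptions.

```python
"""Anomaly flags over user/device access events (constructed example).

Implements the two heuristics named in the Identity recommendation:
  1. download burst: more than BURST_THRESHOLD downloads by one user
     inside a sliding BURST_WINDOW;
  2. new device for sensitive data: a user touches sensitive data from a
     device type not in that user's baseline of previously seen devices.
The baseline here is learned from the stream itself, so a user's very
first sensitive access establishes the trusted device type; a production
deployment would seed it from historical logs instead.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, device_type, action, sensitive)
SAMPLE_EVENTS = [
    ("2015-01-12T09:00:00", "alice", "laptop", "download", True),
    ("2015-01-12T09:05:00", "alice", "laptop", "download", True),
    ("2015-01-12T10:00:00", "bob", "laptop", "download", True),
    # bob's first access to sensitive data from a mobile device
    ("2015-01-12T10:01:00", "bob", "mobile", "download", True),
] + [
    # carol pulls 150 non-sensitive documents in 150 seconds: a burst
    (f"2015-01-12T11:{i // 60:02d}:{i % 60:02d}", "carol", "laptop", "download", False)
    for i in range(150)
]


class AccessAnomalyDetector:
    def __init__(self, burst_threshold=100, burst_window=timedelta(minutes=10)):
        self.burst_threshold = burst_threshold
        self.burst_window = burst_window
        self._downloads = defaultdict(deque)        # user -> recent download timestamps
        self._burst_alerted = set()                 # users already flagged for the current burst
        self._sensitive_devices = defaultdict(set)  # user -> device types seen on sensitive data

    def process(self, event):
        """Consume one event and return a list of alert tuples (possibly empty)."""
        ts_str, user, device, action, sensitive = event
        ts = datetime.fromisoformat(ts_str)
        alerts = []

        if sensitive:
            seen = self._sensitive_devices[user]
            # Alert only once a baseline exists; the first device type is learned silently.
            if seen and device not in seen:
                alerts.append(("new_device_sensitive_access", user, device))
            seen.add(device)

        if action == "download":
            window = self._downloads[user]
            window.append(ts)
            # Drop timestamps that have fallen out of the sliding window.
            while window and ts - window[0] > self.burst_window:
                window.popleft()
            if len(window) > self.burst_threshold:
                if user not in self._burst_alerted:
                    # One alert per burst rather than one per event above threshold.
                    alerts.append(("download_burst", user, len(window)))
                    self._burst_alerted.add(user)
            else:
                self._burst_alerted.discard(user)

        return alerts


def scan(events):
    """Run the detector over a batch of events in timestamp order; return all alerts."""
    detector = AccessAnomalyDetector()
    alerts = []
    for event in sorted(events, key=lambda e: e[0]):
        alerts.extend(detector.process(event))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Both alerts are raised for the constructed stream: bob's mobile access and carol's burst at the 101st download; alice, who only ever used her laptop, produces none.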

Consider endpoint security services as part of the strategy. This report indicates that 57% of organizations are using, or planning to use, endpoint security services from MSSP and/or SaaS providers. Given the global cybersecurity skills shortage, this is not surprising. ESG believes that security services should be an integral part of an organization’s overall endpoint security strategies. For example, organizations with limited staff should consider using endpoint security services for multiple activities to cope with the scale and complexity of endpoint infrastructure. Those with limited malware, forensic, and security analytics skills should look for endpoint security services partners focused on incident detection and response. Even organizations with strong security skills, ample resources, and formal processes should consider security service providers for pedestrian endpoint security tasks like vulnerability scanning, AV management, and basic reporting.


Research Methodology

To gather data for this report, ESG conducted a comprehensive online survey of IT and information security professionals from private- and public-sector organizations in North America (United States and Canada) between September 10, 2014 and September 22, 2014. To qualify for this survey, respondents were required to be IT professionals directly involved in evaluating, purchasing, and managing endpoint security technology products and services. All respondents were provided an incentive to complete the survey in the form of cash awards and/or cash equivalents.

After filtering out unqualified respondents, removing duplicate responses, and screening the remaining completed responses (on a number of criteria) for data integrity, we were left with a final total sample of 340 IT and information security professionals.

Please see the Respondent Demographics section of this report for more information on these respondents.

Note: Totals in figures and tables throughout this report may not add up to 100% due to rounding.


Respondent Demographics

The data presented in this report is based on a survey of 340 qualified respondents. Figures 41-44 detail the demographics of the respondent base, including individual respondents’ current job function, as well as respondent organizations’ total number of employees, primary industry, and annual revenue.

Respondents by Current Job Function

Respondents’ current job function within their organizations is shown in Figure 41.

Figure 41. Survey Respondents by Current Job Function

Which of the following best describes your current job function? (Percent of respondents, N=340)

Information Technology (IT) (i.e., CIO, IT management/staff positions): 45%
Information security/cybersecurity (i.e., CISO or other security-focused management/staff positions): 55%

Source: Enterprise Strategy Group, 2015.

Respondents by Number of Employees

The number of employees in respondents’ organizations is shown in Figure 42.

Figure 42. Survey Respondents by Number of Employees

How many total employees does your organization have worldwide? (Percent of respondents, N=340)

500 to 999: 17%
1,000 to 2,499: 21%
2,500 to 4,999: 19%
5,000 to 9,999: 17%
10,000 to 19,999: 10%
20,000 or more: 15%

Source: Enterprise Strategy Group, 2015.


Respondents by Industry

Respondents were asked to identify their organizations’ primary industry. In total, ESG received completed, qualified responses from individuals in 20 distinct vertical industries, plus an “Other” category. Respondents were then grouped into the broader categories shown in Figure 43.

Figure 43. Survey Respondents by Industry

What is your organization’s primary industry? (Percent of respondents, N=340)

Financial (banking, securities, insurance): 19%
Manufacturing: 17%
Retail/Wholesale: 11%
Business Services (accounting, consulting, legal, etc.): 10%
Communications & Media: 7%
Health Care: 6%
Information Technology: 6%
Government (Federal/National, State/Province/Local): 4%
Other: 19%

Source: Enterprise Strategy Group, 2015.

Respondents by Annual Revenue

Respondent organizations’ annual revenue is shown in Figure 44.

Figure 44. Survey Respondents by Annual Revenue

What is your organization’s total annual revenue ($US)? (Percent of respondents, N=340)

Less than $100 million: 7%
$100 million to $249.999 million: 9%
$250 million to $499.999 million: 14%
$500 million to $999.999 million: 15%
$1 billion to $4.999 billion: 19%
$5 billion to $9.999 billion: 12%
$10 billion to $19.999 billion: 14%
$20 billion or more: 9%
Not applicable (e.g., public sector, non-profit): 3%

Source: Enterprise Strategy Group, 2015.


20 Asylum Street | Milford, MA 01757 | Tel: 508.482.0188 Fax: 508.482.0128 | www.esg-global.com