Demystifying: Next-Generation Endpoint Security
The term “next-generation” is used quite frequently across the tech industry – it’s not limited to security. Since we see the term so often, it’s easy to gloss over without giving it much thought. Next-generation pretty obviously implies that the product you’re purchasing today is better than the versions that came before it.
When it comes to endpoint security, it’s important to understand why a new generation of tools is needed, and what makes these tools better than the “last generation”. Similar to buying into a tool simply because it uses machine learning, purchasing a tool because it’s labeled as “next generation” can leave you with unmet needs. This is largely because there’s no real standard in the industry dictating what’s required for a product to call itself “next-generation.” While some features are relatively consistent across the solutions claiming to fit into this category, it’s important to dig into the details of exactly what you’re getting.
Let’s demystify* the term and value of “next generation” for endpoint security.
Why we need the next-generation
We need a new generation of security tools because we’re dealing with a new generation of threats. Malware authors are highly motivated to get their threats into your network and onto your endpoints. Many of them operate as full-blown software development shops with teams dedicated to building malware, and other teams dedicated to testing it against the very solutions you use to protect your environment. They’re using fileless malware, ransomware, cryptomining, and a variety of other cutting-edge approaches to be successful. As a result, you’re not fully protected unless you have tools that are capable of identifying and stopping less common or newly discovered threat types, which leads us to next-generation endpoint security tools.
We see next-generation used to describe two different products: next-generation endpoint security and next-generation antivirus. Although they sound similar, these products offer very different functionality.
Next-generation antivirus typically goes beyond the previous generation of point-in-time antivirus to continuously monitor files on the endpoint, whether or not they initially appear malicious. This is very useful when a file that looked clean at first starts to exhibit malicious behavior after getting into your environment. The trouble with these solutions is that they lack the remediation capabilities you desperately need once a breach is detected.
Next-generation endpoint security
Here’s where it gets tricky. Nearly every endpoint security vendor today calls its product next-generation. Everyone knows outdated approaches don’t stand a chance against new threats. As a result, next-generation endpoint security tools typically come packed with continuous monitoring capabilities similar to those found in a next-generation antivirus, but typically offer far more robust remediation capabilities.
The cloud plays a huge role in next-generation endpoint security. With a rapidly evolving and frequently changing threat landscape, we need protection that is updated just as rapidly and frequently with the latest threat intelligence. By taking a cloud-based approach to endpoint security, next-generation tools have constant and instant access to the latest threat intelligence without requiring manual updates from you.
Cisco believes the following six capabilities must be available in an endpoint solution before it can qualify as next-generation:
- Flexible deployment options: Next-generation products should make your life easier from your very first interaction with them. They should adapt to your current environment and needs, offering cloud or on-premises deployment options, and protection for every endpoint in your organization, whether it’s a PC, Mac, Linux, iOS, or Android device.
- Layered Prevention: With the variety and multitude of threats attempting to enter your environment, multiple preventative engines are necessary. Tools with limited techniques are easily evaded when attackers identify a weakness. Next-generation tools should constantly evolve to protect you against new threat types, like fileless malware and self-propagating ransomware.
- Rapid time to detection: With the industry average sitting at 100 days, detecting threats as early as possible is crucial. The longer a threat sits in your environment, the more it spreads, and the more damage it can ultimately do.
- Continuous monitoring: If there were a preventative method that could block 100% of threats, endpoint security would no longer be a topic of conversation. Knowing that malware and evasion techniques will always advance and evolve, it’s vital to have visibility into what happens within your environment after a file has been granted access.
- Cross-environment integrations: A barrage of point products in your environment doesn’t save you time or money, and it certainly doesn’t increase your effectiveness. Endpoint security tools should be able to communicate with the other security tools across your environment, sharing and ingesting threat intelligence in order to learn from each other over time.
- Prevention, detection, and response capabilities: Prevention and detection capabilities have always been a given in endpoint security, but if your solution doesn’t allow you to investigate and remediate within the same lightweight connector, you’re again being robbed of time, money and security effectiveness.
Cisco’s next-generation approach
Cisco’s next-generation endpoint security solution, AMP for Endpoints, has taken a continuous approach to endpoint security for years. Like the last generation of antivirus and endpoint security tools, AMP scans and attempts to block as many files as possible at the point of entry. We run every file through over a dozen prevention and detection engines to stop a wide variety and large quantity of threats. But again, we know threats can still get past these measures. So we continue to track every file we let into your environment, never losing sight of where it goes or what it does. And if that file ever begins to exhibit malicious behavior, AMP is there with a full history of the threat, showing you exactly how the file entered, everywhere it has been, and everything it has done. Your investigation and remediation time is drastically cut down because you’re provided with a comprehensive, detailed timeline of the threat. We then share all intelligence gained from this threat with the AMP cloud, which in turn updates all other Cisco security products within your environment, so you can see a threat once and automatically block it everywhere else.
AMP’s lightweight connector can be installed on just about any device your employees use. With support for PCs, Macs, Linux, Android and iOS devices, blind spots are eliminated from your environment. Most IoT devices in your network that connect to the internet can’t have an endpoint agent installed, creating blind spots for you and gold mines for attackers. AMP’s integration with Cognitive Threat Analytics provides insight into anomalous traffic coming from these devices that could indicate a breach. How’s that for next-generation?
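As an added illustration of the retrospective tracking described above (this is example code written for this page, not Cisco's code or AMP's implementation): a minimal tracker that records every sighting of a file hash, keeps observing after an initial "clean" verdict, and, when the verdict later flips to malicious, returns the file's full timeline and denies the hash on every host from then on. All hashes, hosts and events are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_SHA256 = "deadbeef" * 8  # constructed hash, not a real indicator

@dataclass
class FileEvent:
    ts: int       # constructed timestamp, seconds since epoch
    host: str
    sha256: str
    action: str   # "created", "executed", "copied", "connected", ...
    detail: str = ""

class TrajectoryTracker:
    """Keeps every file's full history so a later verdict change yields a timeline."""
    def __init__(self):
        self.events = defaultdict(list)  # sha256 -> [FileEvent, ...]
        self.verdicts = {}               # sha256 -> "clean" | "malicious"
        self.blocklist = set()           # hashes denied on every host

    def observe(self, ev: FileEvent) -> str:
        # Point-of-entry check: a known-bad hash is stopped before it runs.
        if ev.sha256 in self.blocklist:
            return "blocked"
        self.events[ev.sha256].append(ev)  # a "clean" verdict never ends tracking
        return self.verdicts.get(ev.sha256, "unknown")

    def update_verdict(self, sha256: str, verdict: str) -> list:
        """Apply a new verdict; a flip to malicious returns the retrospective timeline."""
        previous = self.verdicts.get(sha256, "unknown")
        self.verdicts[sha256] = verdict
        if verdict == "malicious":
            self.blocklist.add(sha256)  # "see it once, block it everywhere"
            if previous != "malicious":
                return self.timeline(sha256)
        return []

    def timeline(self, sha256: str) -> list:
        return [(e.ts, e.host, e.action, e.detail)
                for e in sorted(self.events[sha256], key=lambda e: e.ts)]

def run_sample() -> tuple:
    """Constructed scenario: clean at entry, spreads, then reclassified by behaviour."""
    t = TrajectoryTracker()
    t.observe(FileEvent(100, "ws-01", SAMPLE_SHA256, "created", "downloaded invoice.exe"))
    t.update_verdict(SAMPLE_SHA256, "clean")  # entry-time engines saw nothing
    t.observe(FileEvent(400, "ws-07", SAMPLE_SHA256, "copied", "via admin share"))
    t.observe(FileEvent(430, "ws-07", SAMPLE_SHA256, "connected", "unexpected outbound traffic"))
    history = t.update_verdict(SAMPLE_SHA256, "malicious")
    later = t.observe(FileEvent(500, "ws-12", SAMPLE_SHA256, "created"))  # now denied
    return history, later
```

The returned history is the investigation timeline: every host the file touched and what it did there before anyone knew it was bad.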
Moral of the story
Finding a solution that promises to be better than the products that came before it is great. But don’t take these products at their word. Identify what you need in an endpoint solution, and don’t settle for anything less. See an overview of AMP’s next-generation features in this video demo.
*Demystifying: Endpoint Security blog series: After visiting trade shows, attending customer meetings, and hearing a lot of misguided but well-intentioned questions, we decided it was important to demystify some of the terms we hear about the most. Because beyond their surface-level appearance of “marketing fluff,” the concepts that these terms represent are actually very important. A lot of them are features and capabilities you should demand in the solution you ultimately invest in. But if you don’t understand what they really mean, you could be buying into an incomplete story, or a tool that doesn’t provide exactly what you need. Our first blog in this series demystified one of the most overused terms in the endpoint security industry, machine learning.