By Gary Golomb
Well, I guess the title actually says it all, and yes, I know it might seem self-serving, but hear me out.
Next Gen AV and EDR didn’t just find sensible applications for AI and ML; they ushered in an absolute renaissance in endpoint protection and investigation capabilities over the past six years (on supported endpoint operating systems in supported configurations, anyway). However, when examined over the past ~30 years, a cyclical pattern begins to emerge, and endpoints are only one piece of that puzzle.
In a simple sense, the enterprise has three fundamental sources of data to protect and analyze: endpoints, network traffic, and logs (with logs arguably being just a subset of data from the first two).
Prior to the EDR revolution on endpoints, a similar renaissance was in full swing with the emergence of numerous “big data” technologies offering many new capabilities. For those who’ve been attending the RSA Expo for at least the past 10 years, you may remember a time around 2010 when the hottest buzzword on the floor was “Analytics” – at that time a term mostly applied to visualization of log-based data across innumerable tools.
And prior to that? If you guessed a renaissance in network-focused solutions, you’d be correct. It was during this time that we saw the birth of several new market segments, from APT detection to new forms of investigation and forensics products – and they were primarily focused on network data.
There’s also an ironic history lesson here. Have you heard someone explain “the network is dead” at any point over the past few years? Well, you can smile knowing that during the late 2000s, the rhetoric was that endpoint security products were dead. I remember sitting in an executive roundtable session in 2009 where CISOs from a couple of large F500 organizations were discussing not buying AV anymore because of the ineffectiveness of endpoint solutions.
Before that renaissance in network-focused solutions was event correlation (logs). Before that was host-based intrusion detection (endpoints; aka EDR v1). Before that was network-based detection (network). And the cycle continues back into at least the early ’90s…
So Why the Network, Now?
Do I postulate that the next major technology shakeup will happen on the network simply because it’s the network’s turn?
Not quite. Rather, like every disruptive evolution just described, this one has its roots in the renaissance that preceded it. For example, a major enabler for the EDR revolution was the lessons learned performing analytics across thousands of systems during the analytics hype cycle. The analytics hype cycle, in turn, was born from the challenges and successes of the preceding revolution on the network, which brought data analysis scales to levels never seen before.
As is true for the previous evolutions, no single reason is “the” reason. Rather, the answer lies in the confluence of many factors, and in my opinion, many factors are pointing in this direction now.
- Because human network investigative techniques have dramatically advanced over the past 10 years, while network investigation tools from both incumbents and start-ups have advanced very slowly (incrementally), largely by developing integrations of more commodity components (a condition I’ve recently and affectionately called the human centipede problem of InfoSec advancement).
- Because the EDR market has shown us there’s another methodology for automated threat detection that is predicated on a system with strong investigative capabilities (something we call “forensic detection” at Awake).
- Because in enterprise networks, the percentage of discovered devices that support EDR clients continues to shrink – there, I said it: IoT.
- Because the percentage of devices InfoSec teams have administrative access to on a network also continues to shrink.
- Because malwareless compromises frequently thwart endpoint security products, and in relative terms, that trend has only begun unfolding – meaning we’ll certainly be seeing more “exciting” advances on the offense side here. The question is, will we be learning about them from researchers, or from breach investigations?
- Because many log-based solutions not only require adept people to navigate the data, they are also the most likely to require additional engineering support, often requiring full-time DevOps people.
- Because log-based licensing schemes incentivize enterprises to limit analyzed data while network solutions typically do not have the same counter-productive incentives.
- And, because, as noted, history points in this direction.