When it comes to strong cybersecurity, endpoints and servers have often been second-class citizens when compared to the network. I described this situation in a March 2013 blog post. According to ESG research, 58% of security professionals working at enterprise organizations (i.e. more than 1,000 employees) said that network security processes, skills, and technical controls were “much more thorough” or “somewhat more thorough” than server security processes, skills, and technical controls.
Why the discrepancy? Network security includes mature technologies like firewalls, IDS/IPS, and Web Application Firewalls (WAFs). Furthermore, network security often involves a lot of network design and engineering for segmentation, access control, and traffic management. By contrast, endpoint and server security is typically based on nothing more than AV software, its associated signature downloads, and occasional scans.
This created a cybersecurity imbalance that can be easily exploited. Once cybercriminals and hackers get past the network controls (or bypass them entirely, as phishing and drive-by downloads do), endpoints are sitting ducks for zero-day exploits, malicious attachments, and drive-by malware that signature-based AV never sees.
Driven by the increasingly dangerous threat landscape, targeted attacks, and a series of highly visible security breaches, this two-tier situation is finally starting to change. In a recently published ESG research report titled Network Security Trends in the Era of Cloud and Mobile Computing, ESG asked enterprise security professionals whether their organizations were engaged in any type of project to integrate anti-malware and analytics across networks and endpoints. The responses were as follows:
- 22% said yes, their organizations were integrating network and endpoint anti-malware and analytics “extensively.”
- 39% said yes, their organizations were integrating network and endpoint anti-malware and analytics “somewhat.”
ESG also created a scoring system to segment the survey population into three sub-groups: advanced, progressing, and basic organizations. It is interesting to note that 65% of advanced organizations said they were integrating network and endpoint anti-malware and analytics “extensively.”
Endpoint/network security integration makes sense. When malware or suspicious traffic is detected on the network, security analysts can cross-correlate that alert with granular endpoint activity from the same host: network connections (and the process that opened them), file downloads, running and in-memory processes, and parent/child process relationships. This is a much more thorough and timely analytics methodology than investigating the network and the endpoint independently, because the network alert tells you that a host talked to something suspicious, while the endpoint telemetry tells you which process did it and how it got there.
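To make the correlation concrete, here is an added example (not ESG's or any vendor's code) of the pivot an analyst or a SIEM would perform: take a network IDS alert, find the endpoint connection event on the same host that matches its destination within a short time window, then walk back through that process's own events and its parent to reconstruct how it arrived. The field names, hostnames, IPs, signature text and all records are constructed for illustration and are not taken from any real product's log format.

```python
"""Correlate a network IDS alert with endpoint (EDR-style) telemetry.

Added example for this post, not code from ESG or any vendor. The record
layouts below are assumptions modelled loosely on common IDS/EDR logs, and
every sample record is constructed inline so the script runs offline.
"""
from datetime import datetime, timedelta

# Constructed sample: a single network alert (signature text is illustrative).
NETWORK_ALERTS = [
    {"ts": "2014-02-12T14:03:21", "src_ip": "10.1.4.22", "dest_ip": "203.0.113.7",
     "dest_port": 443, "signature": "Suspicious TLS beacon to rare external host"},
]

# Constructed sample endpoint telemetry: one host that opened an e-mail
# attachment which then beaconed out, plus benign noise and a second host.
ENDPOINT_EVENTS = [
    {"ts": "2014-02-12T14:01:58", "host": "ws-0422", "ip": "10.1.4.22",
     "type": "file_write", "pid": 4120, "process": "outlook.exe",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe"},
    {"ts": "2014-02-12T14:02:05", "host": "ws-0422", "ip": "10.1.4.22",
     "type": "process_start", "pid": 5016, "ppid": 4120, "process": "invoice.exe",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe"},
    {"ts": "2014-02-12T14:03:19", "host": "ws-0422", "ip": "10.1.4.22",
     "type": "net_connect", "pid": 5016, "process": "invoice.exe",
     "dest_ip": "203.0.113.7", "dest_port": 443},
    {"ts": "2014-02-12T14:03:30", "host": "ws-0422", "ip": "10.1.4.22",
     "type": "net_connect", "pid": 880, "process": "chrome.exe",
     "dest_ip": "198.51.100.9", "dest_port": 443},
    # Same destination, different host: must NOT be matched to the alert above.
    {"ts": "2014-02-12T14:03:22", "host": "ws-0431", "ip": "10.1.4.31",
     "type": "net_connect", "pid": 300, "process": "svchost.exe",
     "dest_ip": "203.0.113.7", "dest_port": 443},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate_alert(alert, events, window=timedelta(seconds=30)):
    """Return the endpoint connection that best explains a network alert, or None.

    Match rule: the event's host IP equals the alert's source IP, destination
    IP and port agree, and the event sits within +/- window of the alert.
    The window absorbs clock skew and the sensor's own detection latency.
    """
    t_alert = _parse(alert["ts"])
    candidates = [
        e for e in events
        if e["type"] == "net_connect"
        and e["ip"] == alert["src_ip"]
        and e["dest_ip"] == alert["dest_ip"]
        and e["dest_port"] == alert["dest_port"]
        and abs(_parse(e["ts"]) - t_alert) <= window
    ]
    if not candidates:
        return None
    # Several matches are possible (retries, multiple processes); take the closest.
    return min(candidates, key=lambda e: abs(_parse(e["ts"]) - t_alert))


def process_context(conn_event, events, lookback=timedelta(minutes=10)):
    """Pivot from the matched connection to what that process did beforehand.

    Collects the process's own events in the lookback period and, if its
    process_start record is present, the events of the parent that spawned it.
    """
    host, pid = conn_event["host"], conn_event["pid"]
    t = _parse(conn_event["ts"])

    def in_window(e):
        return t - lookback <= _parse(e["ts"]) <= t

    own = [e for e in events if e["host"] == host and e["pid"] == pid and in_window(e)]
    start = next((e for e in own if e["type"] == "process_start"), None)
    parent = []
    if start is not None:
        parent = [e for e in events
                  if e["host"] == host and e["pid"] == start["ppid"] and in_window(e)]
    return {"host": host, "process": conn_event["process"], "pid": pid,
            "timeline": sorted(own, key=lambda e: e["ts"]),   # ISO timestamps sort lexically
            "parent_events": sorted(parent, key=lambda e: e["ts"])}


def enrich(alert, events):
    """Attach endpoint context to a network alert (None when no host event matches)."""
    conn = correlate_alert(alert, events)
    if conn is None:
        return {**alert, "endpoint_match": None}
    return {**alert, "endpoint_match": process_context(conn, events)}


if __name__ == "__main__":
    for alert in NETWORK_ALERTS:
        result = enrich(alert, ENDPOINT_EVENTS)
        match = result["endpoint_match"]
        print(f"[{alert['signature']}] {alert['src_ip']} -> {alert['dest_ip']}:{alert['dest_port']}")
        if match is None:
            print("  no endpoint event within window; host telemetry missing or not deployed")
            continue
        print(f"  host={match['host']} process={match['process']} pid={match['pid']}")
        for e in match["parent_events"] + match["timeline"]:
            print(f"    {e['ts']} {e['type']:14} {e['process']} {e.get('path', e.get('dest_ip', ''))}")
```

The two caveats a practitioner should keep in mind are visible in the code: the join key is the host's IP at alert time, so in a DHCP or NAT environment the IP-to-host mapping must itself be time-aware, and an alert with no endpoint match is not a clean bill of health; it usually means the host has no agent, the agent was offline, or the clocks disagree by more than the window.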
Given this demand-side behavior change, it is not surprising to see so many security vendors jumping on the bandwagon. Just this week, RSA Security announced new versions of its Security Analytics and ECAT (endpoint forensics) software with tight integration between the two. Similarly, Guidance Software announced a partnership with HP ArcSight to bring endpoint forensics to SIEM. A long list of other vendors, including Bit9, Cisco, FireEye, IBM, LogRhythm, McAfee, Palo Alto Networks, and Trend Micro, also recognize endpoint/network security alignment and are developing products, acquiring startups, or establishing partnerships accordingly.
We are off to a good start, but everyone (i.e. users, vendors, service providers, etc.) needs to pick up the pace. There are still too many organizations that haven’t integrated endpoint and network security, and others don’t even realize what a good idea this is. As an industry, we need to promote this model, trumpet its benefits, and educate laggards as soon as possible. After all, our critical infrastructure, businesses, and personal data are at stake.