Welcome to our KuppingerCole Analysts webinar, Don't Let the Endpoints Become the Entry Door for Attackers. This is a KuppingerCole Analysts only webinar, so the only speaker today, that's me, Martin Kuppinger, I'm Principal Analyst at KuppingerCole Analysts. Some very brief housekeeping, we are muted centrally, no need to do something here. We will run two polls, one at the beginning, one towards the end of the webinar.
We will have a Q&A session, so feel free to enter questions at any time, and then we will do a recording of the webinar, and we will make the recording and slide deck available short term. With that, let's have a look at the agenda, which is also very lean.
Basically, it′s the Q&A by the end, and the more questions we have, the better it is, so please enter questions at any time. The main part that will be, I would call it, thoughts on EPDR, on Endpoint Protection Detection Response, also looking a bit at the results of our recent leadership compass on EPDR. This will basically be what we do, so a bit of a walkthrough, some thoughts from my end, some things. If you have any questions, enter these questions, because as I said, the more questions we have, the better it is. First poll, how do you protect your endpoints?
Is it an integrated EPDR solution, so covering endpoint protection, covering endpoint detection response, or is it a unified endpoint management that has some more extensive endpoint security capabilities? Is it a mix of multiple endpoint security solutions in contrast to a central solution, or is it via built-in features of the operating system, so what, for instance, comes with Windows? Which of these approaches is at least the favorite or the main approach you are using in your organization?
As always with these polls, the more results we have, the better it is, and if you have a sufficiently big sample size here, then the advantage is that we also can have a look at it, discuss it during the Q&A session, so don't hesitate to write your answers here. We will leave the poll open for a bit, so you have some time to respond to the poll.
So endpoints, endpoints are one of these elements, and I'll touch the sort of the relationship to zero trust a little later, but endpoints basically are part of the attack chain, and they're also not only part of the attack chain, but at the end, in some sense, also a target. So when we look at ransomware, then encrypting endpoints, encrypting the data on endpoints is very typical for ransomware, even while ransomware attacks also go beyond that.
And on the other hand, we have this risk of someone losing an endpoint, this endpoint getting into the wrong hands, so we have a variety of threats that involve endpoints. So at the end of the day, I would say at the end, we have basically, we have a couple of typical entry points for attackers, and one is via the identity, and one is via the endpoint, one is via vulnerabilities of software, one is via software supply chain attacks, so there are different paths, ways an attacker can take, but at the end of the day, endpoints are very frequently involved in that.
And this is where endpoint security solutions such as EPDR come into play. EPDR is something that can help you stopping ransomware, or at least it can help you reducing the ransomware risk, because there are quite a number of methods for detecting and preventing damage that are part of endpoint security solutions.
But not only of endpoint security solutions, we also should be very clear, it's not that you say, there's this one thing, this is the only way to stop ransomware, that's not true, you need to look at identity-related threats like ITDR, Identity Threat Detection Response, like with a phishing-resistant passwordless authentication, you need to look at email security and other ways, but it is a very important element in that.
Based on traditional signature-based analysis, which still is relevant and important, based on memory analysis, what is happening in the memory of systems, sandboxing and virtualization, so having potentially critical or malicious content being handled in segregated, so to speak, sandboxes, so that if there's something really malicious in, if it comes out that this is happening, it's in a restricted area. So we have various of these approaches available, and then we have clearly more and more AI and ML usage detection models that help us to update these models, but also to identify anomalies.
We have a lot of other analytical capabilities we can use there, so looking at what is happening in the system, what changes there, like mass changes to file extensions or zeroing out data and files, which are common indicators for ransomware attack. And if we have the right tool in place, then we can detect this early. This is where detection comes into place. We can respond to that by acting on it and avoiding that the damage becomes bigger.
So at the end of the day, we need technology that helps us not only to build a layer of defense, but to go beyond that and really go into a protection approach. And maybe, again, the hint, if there are any questions you have, any hints, any comments, don't hesitate to use the Q&A section. You can enter questions, et cetera, at any time, and we will pick up, or I will pick up these questions by the end of this webinar. EPDR is just a part of a bigger journey, and we could add ITDR here as well, and probably we'll see more DR things.
Maybe we see some DSDR, like data security detection response, whatever else will pop up, maybe AI DR, so misbehavior in AI. Let's wait and see what happens. I think vendors and sometimes analysts are very creative in coming up with these new terms and new abbreviations. But at the end of the day, a part of this is really just, it's part of the bigger XDR story.
It's extended detection response, which integrates basically NDR, so network detection and response, with other technologies like deception platforms or the DDP part, like vulnerability management systems, like CWPPs or cloud workload protection platforms into a bigger solution. Part of this bigger solution, then, is also the EPDR part, which basically evolved from the traditional EPP systems, which we, in the early stages, called just antivirus, then anti-malware, then EPP.
And on the other hand, the EDR part, the detection response part, just spanning a broader range of this entire attack cycle, not only the protection part, but also the detection on the response part. So, this is part of what we're seeing here. And this entire thing is something you need to always think about.
So, where do you start? Where do you come from?
So, when you have already EPDR in place, then you may want to integrate it into a broader XDR. If you don't have much in place, it might make sense to start with a bigger XDR vision, then think about, can I have something that delivers the EPDR part as part of a unified solution?
So, as usual with this, there's no simple answer, because most organizations don't start as a greenfield approach. Most organizations have certain elements in place, and need to think about, how do we move forward from there?
So, if you have a UEM, do we need a separate EPDR, or is this UEM capable, together maybe with components that come with the operating system, to solve a lot? And maybe it's just email security we add for specific use cases.
So, we need to think about what is the right approach to tackle this challenge, and to move forward in this field. Depending on where you stand, this might be saying, I go for a full EPDR solution, or I use point solutions I bring together, I replace over time. What I just would encourage to think about is, how can you keep the number of components over time at a reasonable number?
So, if you have every one of these circles, and this is by far not complete, in place, then you probably have too much complexity. So, you need to then think about, how could you potentially reduce complexity again in such an environment? But basically, EPDR is a very important element. It's a powerful set of technology that plays, and I think this is basically the purpose of this picture, plays a central role in a bigger cybersecurity story, with the endpoints being very relevant.
So, let's look a bit deeper into the EPDR space, and look at what we perceive as being relevant features for this type of solutions. So, then there's, on one hand, there's the endpoint protection part.
So, the features that are really relevant from an endpoint protection perspective, like having agents for the relevant environments, which are different operating systems, but also the support for virtual desktops. The ability to have autonomous agent operation, and to use multiple malware pre-execution detection engines. Near real-time monitoring also to identify anomalies in the behavior. The ability to detect ransomware and prevent it from executing, sandboxing, exploit prevention, et cetera.
So, the typical endpoint protection features which really help to protect. But then there are secondary, so to speak, EPP controls, like endpoint firewalls, like application controls, URL filtering. There are various centralized capabilities that should be part of the solution, like MFA and a very sophisticated internal security model. Remote management, integration to SOAR tools, clearly integration to everything, which is XDR. Dashboards to help you understand the mapping of events to the different types of the MITRE ATT&CK matrix, and clearly modern software architecture.
We also clearly could argue that there's a need for having, when you look at the automated updates, et cetera, something I'll touch on in a minute with the innovative features, or something in place which helps us to ensure that the system always is stable. And by the way, going back a bit to the multiple solution thing, one of the things which clearly must not be underestimated as consequences is if you have a lot of solutions, you will have a lot of agents on the endpoint, which basically causes two challenges.
Aside of the challenge of operating and buying or paying for different solutions, the two challenges are, on one hand, if you have more agents, you need to deploy, to update, to patch more, because you don't do it for one agent, you do it for many. The other is that there can be interferences between different agents.
So, if you have an option to go for a unified agent, and this means an integrated EPDR solution, maybe even beyond EPDR, as some of the vendors are offering, this clearly reduces your complexity and the challenge you will be facing. So, going back to features, there's the endpoint detection and response part.
This is, so to speak, a bit the newer part. So, EPP, as I've said, evolved from anti-malware or anti-virus to anti-malware to EPP. The detection response then came in and really saying, okay, how can I detect events? And this is partly sort of triggered by EPP, because this is already looking at things, and then respond on these.
So, this has really done the threat handling, the forensics, the automated responses to events, but also the ability to look at major attack vectors systematically, all these things that are detection response. And as you already see here, there's a bit of a blurring line between what is protection, what is detection. Some of the things which are listed on EPP could also be considered as being just more the DR side, but there's also the history of this market segment.
And the history is that EPP was there, and to a certain extent, already did detection, which is logical, not just prevent, but say, hey, there's something going wrong. And then the response was added with a new set of tools that clearly comes from the response side into the detection, and the detection is where both segments overlap.
And also, if you have questions about any of these features or specific questions, feel free to enter them into the Q&A. As I've said, the more questions we have, the better it is. It's the same like with polls.
So, Q&A is the best place to enter this information here. Yes, and then there's the innovative features, clearly mobile device clients, no discussion. Delegated administration, very important capability here. Browser application level sandboxing, applied AI ML, and pre-execution heuristic detection models, so models that help to identify things ideally before they happen. What I would count amongst these features also is, you could call it, a kill switch for updating. As we have learned, latest with the CrowdStrike incident, there is continuous updating. We all know that, in fact, for much longer.
There's a continuous updating of various information from signatures to detection rules to whatever else, and also to the software. And the point is that this is rolled out to a very large number of target systems of endpoints, not just clients. That's a better term here, because a server can be an endpoint, but it's not a client. And when something goes wrong at scale, then I think we need to move forward to approaches that help stopping such an update on time as early as possible, and avoid that it sort of travels across the entire globe, time zone by time zone.
So I think we clearly also need, aside of the backend side, like proper testing, et cetera, we definitely need technologies that also allow to stop a rollout, because we have this challenge that we need to have the latest information to protect ourselves as best as we can with all the zero day attacks we are facing. So we need a very fast reaction, but clearly we can't afford that a large number of endpoints is impacted by an update, a patch going wrong. So this is a bit of what we are looking for when we look at the market, and what we just did recently.
This was primarily by a colleague, with some support by me, that was looking at the landscape and creating our leadership compass on EPDR. So leadership compass, as we do this analysis of the market, of major players in the market, and looking at their capabilities on the product and the innovation side, on their strengths in the market, and compiling this.
So we had, in this case, 10 vendors in the rating, which were several, I would say, really many of the most relevant names in the market, especially on the enterprise side, like Broadcom, CrowdStrike, ESET, Fortinet, Group-IB, Ivanti, Microsoft, SentinelOne, Sophos, and Trellix. We basically looked at a few more. So the entire list of vendors we have an eye on in this space is significantly longer. So there are some, I think, 17 additional vendors we have in the list of vendors to watch, which we approached for research.
Two or three asked us for being removed because they didn't feel lucky with the result. But basically, some of them just refrained from participating. We will definitely have more next time. It's an unusual thing. It will grow. From an overall leadership perspective, some of the vendors are a bit smaller or more regional players. Others are relatively large. And what we see really here is we have a very fierce competition, if you look at overall product leadership, a very, very fierce competition for the market.
So most of the solutions are, so to speak, a bit competing head-to-head with their capabilities. And at the end of the day, and I'll also cover this in my summary, it's very important to look really into the details here when you want to select a solution. Because the approaches, let's say, from Microsoft's broad portfolio of solutions, a lot of integrated capabilities to Broadcom or CrowdStrike, which take different approaches. Broadcom also is where Symantec is nowadays. So Broadcom slash Symantec. They are frequently very different.
And so even while they, at the end, score all relatively good, it also, the picture also demonstrates when we take, for instance, product leadership where they just pass the threshold between challenger and leader, that none of these products yet is really perfect. So there's distinction between these products, even while they are all relatively good, but it's not that any of these products is really standing out massively. They're excellent different areas, and this is what is very important to analyze when you look at this market.
So many really good solutions, a good mix of product features, innovation, market share, but very specific strengths. And this is what it really means if you select one, examine it very thoroughly during your RFP, during the tool choice, something which our team is very happy to support. We do these things very frequently, supporting organizations in picking the right solutions, providing a much more detailed list of criteria, all our knowledge about vendors in the rating and vendors to watch, to help you make a decision that suits your specific needs.
But what is very clear, it's essential to have EPDR in place, absolutely essential, because the threats will not go away. They are increasing and they continue to increase. XDR is something where we see a consolidation across different areas. Not everything is really brand new. Something is just a bit re-branded, integration level differs. Complexity also differs. So the question always is, is XDR the right path, or do you say, okay, I have XDR more as an on-top solution, and I have my own sort of EPDR solution I selected very specifically for my own use cases.
Okay, that's it. In a nutshell, we have the first questions here and happy to, so if you have more questions, just enter these questions into the Q&A. Second poll, and that's also something I'm really curious about, and I hope that we have some responses here. Which consequence, I think it should say, which consequences in singular of cyber attacks are you most concerned about? Is it paying ransomware? Is it being involved in software supply chain attacks, maybe as the one where it is dribbled in?
Is it reputational damage, the loss of intellectual property, or is it the loss of personally identifiable information, which triggers all the other consequences? Again, we'll leave this open for a bit. And with that, we then directly move to the Q&A session.
So, as I said, more questions are better. So, feel free to enter your questions here. By the way, someone posted into the chat, not a Q&A session, but I still want to bring it up. What is protection detection response?
So, protection is installing a steel-reinforced door with double deadbolt locks on the front, or yes, you try to protect it. Detection is the CCTV and camera watching the same front door, and response is, so to speak, the trained rottweilers that are released when the CCTV detects an entrance and the person is unknown.
So, yes, you can take analogies here. And at the end of the day, I think this analogy also makes very clear, it's not sufficient to just protect the front door. By the way, also, you may have windows, but even if you protect everything, it still means that when something happens, someone cracks the door, then you need to detect it and you need to respond. And this is what you need to do, and response can have also a variety of forms, like, so to speak, calling the police, calling your specialist firm that supports you in the process.
So, there's a question where someone said they looked at the market and that XDR products basically all are cloud, and EDR also is very limited without a cloud or update connection. So, basically, yes, the answer is yes. Virtually everyone has moved, for a couple of years now, towards an approach that is very cloud-centric, very cloud-heavy.
So, this is the, I would say, the typical approach. Trying to do something, so to speak, more on the DR side without a cloud is very limited, because at the end of the day, the point behind that is it's about scale. It's about the number of data. And if you want to train an AI ML model, you need a lot of data. And vendors have their approaches. They have usually some of the very well-thought-out concepts for doing this with a sufficient level of anonymization.
So, this is what they are focusing on, that they gather data, that they provide feedback, that they also deliver all the updated information, but usually with a connection, which basically also makes it more difficult to implement such approaches in environments which have, for whichever reason, some sort of air-gapped structure. I think for these environments, the only thing I can offer is that you reach out to me and we discuss the use case in a bit more detail to figure out what you can do or not, where the limitations stem from, and how to tackle this problem.
Because at the end of the day, as I've said, there's not a simple answer on this. The trend goes towards cloud. And for a reason, as I've said, I think continually delivering updates is something you only can do when you're connected. And on the other hand, also the learning models, as I've said, they benefit from large numbers of data. And all these vendors also try to figure out, is there something sort of happening in many places, which is really important to focus their awareness on whatever newly detected attack vectors. This is the way they handle it.
So, if you want to be purely on-premises, it's difficult. What might, so I don't have the full context of this question, but if it's more about sort of EU versus non-EU saying, I want something, quote-unquote, sorry, here, then there are also players that reside here in EU, for instance. And the same clearly for US, so you have also then sometimes more regional vendors that could serve use cases where you feel, I want to have a solution there.
And to the follow-up question, XDR vendors with private cloud models, I don't have, I think it still sort of hits the, or the problem is that at the end, it's still gathering data and comparing events across a lot of clients who have a huge number of data. And your ML model requires that you have data from, so that you have a cloud service.
So, I admittedly would need to look at, is there anyone with a private cloud model, so if you drop me an email, my email is available on the final slide, or you'll find me easily on LinkedIn, I can forward it to my colleagues, which are currently analyzing for our leadership compass on XDR, which will go out next week at our cyber security conference, cyberevolution in Frankfurt next week. And that's where we will release the XDR leadership compass, and I can surely forward this question to my colleagues.
Okay, with that, I think we are mostly done. I don't see a lot of questions here. I hope this provided you some insights into the EPDR market and how we see this market evolving, what we see as important here. Thank you very much for taking the time to listen in to this KuppingerCole Analysts webinar, and hope to have you soon at one of our onsite events.
So, it's next week in Frankfurt, and then in May, our European Identity conference in Berlin, or at one of our webinars, or you look for our membership to have regular interactions and access to all of our research. Thank you, and talk to you soon again.
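The talk mentions mass changes to file extensions and zeroing out of files as common ransomware indicators that an endpoint agent can detect early. The following is an added example, not part of the webinar and not any vendor's detection logic: a sliding-window detector that flags a process which renames many distinct files to a different extension, or truncates many distinct files to zero bytes, within a short window. The event schema, the window and the thresholds (10 seconds, 20 distinct files) and the file trace are all constructed assumptions for illustration; a real agent would feed it kernel file-system events and tune the thresholds per environment.

```python
"""Sliding-window detection of two ransomware indicators on one host:
bursts of extension-changing renames and bursts of zero-length writes
(file truncation) by a single process.  Added example with constructed
data; not code from the webinar or from any EPDR product."""
from collections import defaultdict, deque
from dataclasses import dataclass
import os


@dataclass(frozen=True)
class FileEvent:
    ts: float           # event time in seconds (monotonic within the trace)
    pid: int            # process that performed the operation
    op: str             # "rename" or "write"
    path: str           # affected file
    new_path: str = ""  # target path for renames
    size: int = -1      # bytes written for writes (0 means truncation)


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect_bursts(events, window=10.0, rename_threshold=20, truncate_threshold=20):
    """Return alerts as (pid, indicator, distinct_files) tuples.

    For each (pid, indicator) pair a deque keeps the recent qualifying events
    inside `window` seconds; counting distinct paths rather than raw events
    stops a process that rewrites the same file repeatedly from tripping it.
    Each (pid, indicator) alerts at most once so a burst does not flood the SOC.
    """
    recent = defaultdict(deque)   # (pid, indicator) -> deque of (ts, path)
    fired = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "rename" and _ext(ev.path) != _ext(ev.new_path):
            key, threshold = (ev.pid, "mass-extension-change"), rename_threshold
        elif ev.op == "write" and ev.size == 0:
            key, threshold = (ev.pid, "mass-truncation"), truncate_threshold
        else:
            continue  # ordinary writes and same-extension renames are not indicators
        q = recent[key]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold and key not in fired:
            fired.add(key)
            alerts.append((key[0], key[1], distinct))
    return alerts


def sample_events():
    """Constructed trace (assumption, not captured data): pid 4242 renames 30
    documents to .locked within 3 s and truncates 25 images; pid 1001 converts
    8 files over a minute, which stays below the thresholds."""
    evs = []
    for i in range(30):
        evs.append(FileEvent(ts=100 + i * 0.1, pid=4242, op="rename",
                             path=f"/home/alice/docs/report{i}.docx",
                             new_path=f"/home/alice/docs/report{i}.docx.locked"))
    for i in range(25):
        evs.append(FileEvent(ts=103 + i * 0.05, pid=4242, op="write",
                             path=f"/home/alice/photos/img{i}.jpg", size=0))
    for i in range(8):
        evs.append(FileEvent(ts=200 + i * 8.0, pid=1001, op="rename",
                             path=f"/home/bob/in/{i}.png",
                             new_path=f"/home/bob/out/{i}.webp"))
    return evs


if __name__ == "__main__":
    for pid, indicator, n in detect_bursts(sample_events()):
        print(f"ALERT pid={pid} {indicator}: {n} distinct files inside window")
```

The response side the talk describes would hang off the returned alerts, for example suspending the offending process and isolating the host, which is deliberately left out here because it is agent- and platform-specific. Note the two legitimate cases the detector is built to ignore: a process that rewrites one file many times, and a slow, low-volume batch conversion.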