This article is part of a VB special issue. Read the full series here: Intelligent Security
Achieving greater visibility and control over endpoints is table stakes for any organization pursuing zero-trust security. Human and machine identities are the new security perimeter in any network, and protecting those identities with data-driven insights and intelligence is one of the highest priorities for CISOs today. Knowing the current configuration and condition of every endpoint asset helps to keep patches current and endpoints safe.
To underscore how essential endpoint security is to zero trust strategies, the White House published the Federal Zero Trust architecture (ZTA) strategy last month. The strategy states that federal agencies need to ensure that Endpoint Detection and Response (EDR) tools will meet Cybersecurity and Infrastructure Security Agency (CISA) technical requirements and are deployed government-wide. The strategy provides practical, pragmatic advice for securing endpoints that are applicable to any organization, also identifying the need for greater analytics-based visibility across networks.
Analytics improve endpoint visibility and control
Analytics are proving effective in helping enterprises take on these challenges, becoming a growth catalyst for Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) platform. Enterprises spent $13.3 billion on EPP in 2021, predicted to reach $26.4 billion by 2025, attaining a compound annual growth rate of 18.7%. By the end of 2025, more than 60% of enterprises will have replaced older antivirus products with combined Endpoint Protection Platforms (EPP) and EDR solutions that supplement prevention with detection and response capabilities according to Gartner. Overall enterprise spending on information security and risk management market is projected to reach $233 billion by 2025, attaining an 11.2% compound annual growth rate between 2020 and 2025. The following are ten ways analytics improves endpoint security, contributing to more effective zero trust architectures and strategies in the process:
- Predictive analytics and AI show the potential to become the primary detection method for identifying and stopping malware attacks. AI-based techniques such as algorithms have long contributed to improving endpoint security by identifying potential malware attack patterns. More cybersecurity vendors are designing AI into EPP and EDR platforms as the primary detection method and technology for malware. AI-based algorithms can detect file-based malware and learn which files are harmful or not based on the file’s metadata and content. Broadcom’s Content & Malware Analysis illustrates how machine learning is being used to detect and block malware. Their approach combines advanced AI and static code file analysis to detect and analyze threats and stop breach attempts before they can spread.
- Analytics and AI-based techniques for deriving risk scores based on previous behavioral patterns, time of login, location, and many other quantifiable factors is proving to be effective at securing and controlling access to endpoints. Using AI- and machine learning-based techniques to fine-tune risk scores in milliseconds is proving effective in stopping breach attempts using privileged access credentials. By combining supervised machine learning models that mine historical data to find patterns and unsupervised machine learning to find new anomalies and interrelationships, cybersecurity vendors integrating AI into their platforms are helping to stop breaches. There’s a broad spectrum of cybersecurity vendors either working on or delivering solutions with these technologies, with Microsoft Defender for Endpoint being noteworthy. Microsoft has integrated AI into the Defender platform so its customers can initiate threat hunting across networks, provide real-time threat-monitoring and analysis, detect and respond to advanced attacks with AI-based monitoring, and reduce attack surfaces. Additional vendors providing AI-based endpoint protection include CrowdStrike, Trend Micro, SentinelOne, McAfee, Sophos, VMWare Carbon Black, Broadcom, Cybereason, Ivanti, Kaspersky and others.
- Integrating predictive analytics, AI and SIEM (Security Information and Event Management) into a single platform enables enterprises to predict, detect and respond to anomalous behaviors and events. Predictive analytics are a core part of SIEM platforms today as they provide automated, real-time correlation and ongoing analysis of all activity observed within a given IT complex. Capturing and analyzing endpoint data in real-time using predictive analytics and AI is providing new insights into asset management and endpoint security. LogRhythm continues to be a leading provider of SIEM platforms for enterprises. The LogRhythm NextGen SIEM Platform relies on predictive analytics and AI-based algorithms to provide automated,real-time analysis and correlation of all activities across an IT environment.
- Predictive analytics are also helping to keep every endpoint in compliance to regulatory and internal standards. In highly regulated industries including financial services, healthcare and insurance, predictive analytics is increasingly being relied on to discover, classify and protect sensitive data. This is especially the case with HIPAA (Health Insurance Portability and Accountability Act) compliance in healthcare. Amazon Macie is representative of the latest generation of cloud security services. Amazon Macie is often used in workflows aimed at recognizing sensitive data such as personally identifiable information (PII) or intellectual property and provides enterprises with contextual insights that give visibility into how data is being accessed or moved. Amazon Machine monitors data access for any anomalies and creates alerts when it detects the risk of unauthorized access or inadvertent data leaks.
- Predictive analytics and AI combined are enabling threat analytics to drive greater precision regarding the risk contexts of privileged users’ behavior, creating notifications of risky activity. Combining predictive analytics and AI is the foundation of the most effective threat analytics engines on the market today. High-risk events are immediately flagged, alerted, notified and elevated to IT’s attention. Machine learning-based threat analytics also provide new insights into privileged user access activity based on real-time data related to unusual recent privilege change, the command runs, target accessed and privilege elevation. Leaders in the area include Broadcom, CrowdStrike, Cybereason, Ivanti, Kaspersky SentinelOne, Microsoft, McAfee, Sophos, VMWare Carbon Black and others.
- Performing real-time endpoint scans and using predictive analytics to identify potential threats in real-time. CISOs are looking for more effective approaches to achieving Hunt and Respond across diverse device networks with a large number of endpoints. Predictive analytics combined with supervised and unsupervised machine learning algorithms are becoming more ingrained in EPP and EDR platforms, helping to identify and resolve potential threats and breach attempts. Predictive analytics are also being used to discover patterns in known or stable processes where anomalous behavior generates an alert then pauses a given process in real-time.
- Predictive analytics are table stakes in Unified Endpoint Management (UEM) platforms today. The goal CISOs want to accomplish when they acquire and install a UEM often centers on consolidating the many diverse, often conflicting security apps and tools across their organizations. Today UEM platforms rely on predictive analytics, and in some cases, AI-based systems to deliver greater identity, security and remote access reliability and accuracy. The goal of streamlining UEM apps is to better pursue a zero trust security strategy for the long-term. UEM vendors are concentrating on making the connection between predictive analytics, AI and zero trust, showing how they can support an everywhere workplace. Leading UEM platforms are relying on analytics, AI and machine learning to deliver intelligence-driven experience automation to reduce IT overhead and improve employee experience. Leading UEM vendors include Microsoft, VMWare, Ivanti, IBM, ManageEngine, BlackBerry, Matrix42 and Citrix.
- Privileged access controls to the API level on endpoints need more analytics-driven adaptive intelligence. Endpoints could benefit from having privileged access controls be more adaptively intelligent. That’s the goal many EPP and EDR vendors are pursuing by replacing their static-based approaches to securing machines with session-based API calls from a vault. Knowing the access patterns of machine-based endpoints and identities relative to human ones reduces false-positives and better secures endpoints from API-based attacks. Using predictive analytics, AI and machine learning to define privileged access control levels and identify potential breach attempts to the API level is the fastest-growing area of R&D in endpoint security today.
- Predictive analytics combined with AI and machine learning is proving effective battling ransomware, starting with patch management. CISOs see the potential of using predictive analytics to gain pre-emptive insights into how they can best identify the start of a potential ransomware attack across any threat surface. As attacks are multifaceted and becoming more complex, the greatest weaknesses enterprises have today is a lack of solid data on patch management progress. Cybersecurity vendors need to concentrate on the long-standing CVEs that cybercriminals keep coming back to and exploiting, using analytics to better understand how CVE gaps can be closed. As ransomware becomes more weaponized, it’s becoming more urgent for EEP and EDR vendors to improve the depth of analytics insight and predictive accuracy of CVD-based attack scenarios.
- Analytics are proving invaluable for asset management including track and trace of endpoints on or off the network. Every endpoint is another threat surface that needs to be protected. Real-time analytics and a reliable, resilient connection to every endpoint make track-and-trace possible, giving CISOs the visibility and control they need. By combining real-time track-and-trace information with device data, CISOs can find gaps in endpoint security that need to be closed. Having analytics on asset’s health, current patch levels to the OS level and hardware configurations is also invaluable. One of the more interesting vendors is Absolute Software, who provides real-time analytics on the current condition of every endpoint on a network. Absolute’s approach of collaborating with 28 different hardware partners to have their endpoint client integrated at the BIOs level in a wide variety of endpoint devices provides asset management data in real time. Endpoint asset management is an area that private equity and venture capitalists show high interest in, given the increased reliance enterprises have on endpoints that’s driven by rapid growth of virtual workforces and cloud-first business initiatives.
Analytics in 2022 and beyond
Analytics is defining the future of endpoint protection platforms and is the differentiator from a technology standpoint all vendors are looking to strengthen today. It’s feasible in 2022 there’s going to be heavy merger, acquisition and private equity activity on the part of leaders in the EPP and EDR to address the areas in their product strategies most needing more data-driven insights to remain competitive for the long-term. As the cybersecurity arms race continues to escalate, improving contextual intelligence with analytics, AI and machine learning is key.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.