Observations about Endpoint Security Vendors at RSA
by Nir Shafrir, Senior Director of Field Engineering at Nyotron
RSAC 2017 will definitely be remembered as a semi-endpoint, anti-APT conference. Wandering around the north, south and west halls was a very confusing experience for anyone searching for the right endpoint solution for their organization.
Recently, many organizations have been hit by endpoint attacks. Ransomware was only part of the problem. Lots of these organizations were hit despite their deployment of well-known endpoint protection as well as the new “next-generation” technologies.
Being vulnerable to new, unknown attacks is still a significant problem for this market, leading to a burst of new companies and new techniques that each claim to be the latest answer to attacks that come from everywhere, target anything and are unknown to anyone.
While roaming around the hundreds of booths, I could hear “machine learning,” “artificial intelligence,” “deep learning,” “neural networks,” and more. The problem for all of us who are not rocket scientists is that it all sounds the same. They are all trying to predict the next attack by running up-to-date mathematical algorithms over huge amounts of data from the past.
Imagine a CISO trying to figure out the best solution to spend their 2017 endpoint security budget on. Should they go for the safe choice, the old and well-known vendors, even though those have proved ineffective at stopping unknown threats? Or should they invest in the small but promising startup with exciting new technology, which would put them in the early adopter category?
In the past, a CISO could have used objective research and public test cases to actually see major differences between vendors, but nowadays in every booth there is a “proven to be 100% efficient” research paper (sponsored or not) that supports the vendor’s messaging of being the best thing ever.
Anyone venturing into this market should do their research first and look for genuinely new approaches to fighting new and unknown threats. They should then invest the time and effort to test 3 or 4 of these technologies against the latest attacks, and also against unknown and unsigned attacks. Only then should they choose the solution that fits their organization’s needs.
To summarize, the endpoint security market is saturated and under a cloud of smoke: the louder the vendors scream, the better they will be heard. History shows that eventually the smoke will clear and the best in this field will come forward. In the meantime, I hope you enjoyed all of the beer at the great parties during the conference.