Brought to you by:
Enterprise Strategy Group  |  Getting to the Bigger Truth™

ESG SHOWCASE

An Ounce of Prevention Is Worth a Pound of Detection and Response

By Dave Gruber, Principal ESG Analyst
MARCH 2022

ABSTRACT

As momentum continues around the XDR movement, ESG urges security teams to stay diligent about strengthening prevention capabilities. Considered a game of inches, small improvements in prevention capabilities can translate into a significant reduction in risk and threat investigation activities, offering security analysts room to focus on more strategic activities. With security solution providers hungry for a piece of the XDR pie, ESG recommends buyers hold vendors accountable for continuing investment and delivery of stronger preventative controls.

Overview

Effective and efficient endpoint security strategies depend on an integrated combination of assessment, prevention, detection, and response capabilities, grounded by extensive threat intelligence and scalable analytics.
Following many years of focus on strengthening threat prevention capabilities together with the addition of endpoint detection and response (EDR), much of the industry is now heavily focused on delivering extended detection and response (XDR) capabilities, as advanced threats evade siloed security controls.
ESG worries that security vendors may be over-rotating to detection and response, shifting investment from critical prevention capabilities to the growing market opportunity associated with XDR. While detection and response remain critical to successful security strategies, prevention anchors every security strategy and needs to remain a priority for every defender and security vendor.
This paper explores the importance of prevention, the shift to detection and response, and the overall impact that both have on a skills and resource-strapped security industry.

Modern Endpoint Security Strategies

Modern endpoint security solutions now include a plethora of security controls rallying around securing multiple device and workload types, including laptops, mobile, IoT, servers, and multi-cloud workloads. Beyond expanded device type coverage, endpoint security platforms now commonly provide EDR, vulnerability assessment, and device hygiene, in addition to core, next-gen antivirus capabilities that defend all types of modern attacks.
Recent ESG research explored the importance of these many capabilities in the context of endpoint security solutions. Not surprisingly, organizations prioritize prevention as the most important endpoint security capability, with 75% reporting preventative malware/antivirus protection as a core requirement for their endpoint security solution (see Figure 1).
Endpoint detection and response (EDR) similarly ranked high, with 63% calling out EDR as a core capability required for their endpoint security solution. Mobile device security also continues to gain importance, with 56% now considering it a core capability.
Figure 1. Top 7 Endpoint Security Feature Priorities

How would you describe the level of importance for each of the following capabilities in terms of the endpoint security solution(s) used by your organization? (Percent of respondents)

Source: ESG, a division of TechTarget, Inc.

Megatrends Drive Endpoint Security Upgrades

When exploring key motivators driving upgrades to current endpoint security solutions, attention shifts to two industry megatrends: zero trust and XDR. ESG research reveals that 75% of organizations have an active project underway to upgrade their endpoint security in support of zero trust initiatives, making zero trust a leading driver (see Figure 2).
Figure 2. Most Believe that Endpoint Security is Key to Zero Trust

Would your organization be willing to change out its endpoint security solution if it could help accelerate its zero trust implementation? (Percent of respondents, N=342)

Source: ESG, a division of TechTarget, Inc.

Concurrently, many are prioritizing improved detection and response capabilities as a key investment area, looking first to their current endpoint security solution provider to deliver extended detection and response (XDR) capabilities in an effort to either supplement or replace current EDR solutions. As advanced threats evade core controls and EDR solutions, new levels of visibility, threat intel, and analytics engines are needed for detection. According to an ESG research survey, 46% of organizations are actively investigating consolidated endpoint security platforms.

Despite Ongoing Investments, Successful Attacks Continue

Despite investments in additional detection and response capabilities, organizations continue to experience compromise and successful breaches, even when staffed with experienced security personnel armed with the latest detection and response mechanisms.
In a perfect world, we would be able to count on endpoint security solutions to detect and prevent every malicious activity on every endpoint. In a near-perfect world, we would be able to layer multiple security mechanisms in a defense-in-depth approach to achieve a near perfect solution to detect and prevent every malicious activity.
We, however, live in neither a perfect nor a near-perfect world, leaving most organizations with the continuing challenge of recovering from ongoing successful attacks that make it through all layers of defense. Security architects are taking a step back, reconsidering current strategies to combat this seemingly unstoppable trend. After much investment in detection and response solutions, many are reconsidering the effectiveness of core prevention capabilities at the heart of their endpoint security strategy.

Inches, Not Miles

The past ten years have brought significant improvements in endpoint prevention, leveraging a combination of machine learning, behavioral analytics, and signature-based detection models, together with integrations across the security stack to further inform endpoint prevention mechanisms.
These multi-threaded techniques have produced significant improvement in the prevention of attacks. Yet even with these improvements, attacks continue to evade most major endpoint security solutions, motivating 75% of organizations to increase spending on endpoint security over the next 12 months.
With security teams challenged to prevent threats, more than two-thirds (67%) report extensively leveraging EDR solutions to detect what can’t be prevented, with a goal of stopping attacks in progress before damage occurs. This strategy has sadly increased the need for more security analysts in an already skills- and resource-challenged industry, further straining security teams.
ESG challenges the assumption that prevention is as good as it can get. We believe that prevention matters more than ever, especially as the pace of advanced threat introduction accelerates at unprecedented rates. Security teams need to demand that endpoint security vendors strengthen their effort on improving the detection and prevention of advanced threats, reducing the dependency on downstream detection and response functions.
Prevention Matters More Than Ever Before…
… as the pace of advanced threat introduction accelerates at unprecedented rates. Increased focus on detection and response is increasing the need for more security analysts in an already skills- and resource-challenged industry.

The Importance of an Integrated Approach

Despite the convergence of security controls, organizations continue to depend on defense-in-depth strategies. Once challenged with discrete silos of security data, security teams are now tasked with integrating multiple “mini platforms,” combining adjacent controls for improved efficiency and efficacy.
Reducing the heavy lift required to integrate isolated controls, the ability to integrate these mini platforms remains critical to the overall efficacy and efficiency of security operations.
ESG recommends organizations prioritize foundational integration architecture, out-of-the-box capabilities, and openness of the architecture in support of long-term scalability and growth. Attack intelligence gained throughout the process should also be shared across security controls and analytics, further strengthening overall security posture.
Long-term Scalability Matters
ESG recommends organizations prioritize foundational integration architecture, out-of-the-box capabilities, and openness of the architecture in support of long-term scalability and growth.

Introducing Symantec Endpoint Security Complete

Broadcom/Symantec solutions were once considered the gold standard for endpoint security. Yet as new, next-gen antivirus (NGAV) solutions centralized analytics leveraging cloud-delivered architectures, offered a single-agent solution, and added endpoint detection and response solutions, many considered these more centralized platforms as a path to improved overall endpoint security.
Meanwhile, Symantec engineers have completely rearchitected the Symantec security platform, centralizing analytics, consolidating endpoint agents into a single agent, and integrating endpoint security with a broad set of additional security capabilities that surpass what so many other endpoint security vendors offer, including:
• Adaptive protection.
• Mobile protection.
• Active directory protection.
• Analyst-curated detection and notification.
During this same time, Symantec solutions have consistently led the market in prevention effectiveness, as demonstrated below.
• MITRE ranked SES as a leader, with scores of 100% in protection and 91% in detection. Symantec was further showcased as having the best alert quality.
• Retained the highest AAA ranking from SE Labs for the past 38 consecutive quarters and frequently lead the top tier for total accuracy rating.
• Won the AV-TEST Best Protection award 6 of the last 7 years by scoring consistently in the highest tier in each bimonthly test cycle for that entire duration.
These impressive results demonstrate the unrelenting focus that the Broadcom/Symantec team continues to have on endpoint threat prevention.

The Bigger Truth

Cybersecurity continues to require a defense-in-depth strategy, with effective prevention required at every attack vector. Endpoints continue to be a focus for cyber-criminals, leveraging email, web, collaboration tools, and other personal productivity tools as a potential point of compromise.
While detection and response capabilities play an important role in an effective security strategy, a continuing focus on prevention is required to minimize the load on security teams. A single percentage point of increased efficacy can translate into significant reduction in the investigation and response time spent by understaffed security teams.
ESG recommends that security teams of all sizes stay vigilant in ensuring that endpoint security solutions provide the absolute highest levels of prevention, while ensuring coverage extends across all device types. Prevention alone is not the answer; however, every ounce of improved prevention can exponentially reduce downstream detection, investigation, and response activities, relieving understaffed security teams of unnecessary effort.
ESG suggests that security teams encourage their endpoint security vendors to strengthen investments in endpoint security prevention, reducing the rapidly increasing dependency on downstream detection and response functions. While detection and response will continue to be needed, ESG believes the industry is over-rotating on detection and response, leaving prevention behind.

This ESG Showcase was commissioned by Broadcom and is distributed under license from TechTarget, Inc.

All product names, logos, brands, and trademarks are the property of their respective owners. Information contained in this publication has been obtained by sources TechTarget, Inc. considers to be reliable but is not warranted by TechTarget, Inc. This publication may contain opinions of TechTarget, Inc., which are subject to change. This publication may include forecasts, projections, and other predictive statements that represent TechTarget, Inc.’s assumptions and expectations in light of currently available information. These forecasts are based on industry trends and involve variables and uncertainties. Consequently, TechTarget, Inc. makes no warranty as to the accuracy of specific forecasts, projections or predictive statements contained herein.

This publication is copyrighted by TechTarget, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of TechTarget, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact Client Relations at cr@esg-global.com.

Enterprise Strategy Group | Getting to the Bigger Truth™

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.