Is it Time?: The Case for Replacing Your Endpoint Security Stack

Few would dispute that endpoint protection programs have grown complex, costly to maintain, and struggle to keep up with attacker sophistication. Instead of continuing to add layer after layer of point solutions, a consolidated endpoint platform enables enterprises to keep up with the ever changing business, regulatory, and threat environments. In this blog, I’ll briefly discuss the current, dominant approach to endpoint security and detail why a consolidated endpoint platform is the best approach to protecting against targeted attacks. I’ll conclude by offering some tips and criteria for evaluating endpoint platforms.  


The Current Frankenstein Approach to Security

Endpoint security has traditionally been reactive and focused on stopping file-based, malware-centric, and exploit-oriented attacks. As new threats appear, businesses invest in point products that address a specific objective such as a single attack vector (e.g., malware or application control) or compliance. As a result, enterprises have accumulated several solutions for AV, NGAV, IOC Search, exploit protection, and incident response tools. According to a recent Forrester survey, enterprises have on average more than seven endpoint tools to stop attacks. Each additional tool in the security stack makes it complex to operate, maintain, and costly.

The Benefits of A Single Endpoint Platform

Previously, single endpoint protection products that deliver comprehensive and extensible protection did not exist. Fortunately, this is no longer the case, so it is important to understand the benefits of and how to move to a single agent for endpoint protection. A single endpoint platform helps organizations improve operational business security, including greater adaptability to changing regulatory environments,cost-savings, and better defenses. Below are four of the top benefits organizations can experience when replacing or augmenting existing endpoints.

  1. Protecting against emerging threats:  From ransomware outbreaks (e.g., WannaCry, NotPetya, and BadRabbit) to the Equifax breach to the open source proliferation of nation-state exploits, the range of attacks has moved well beyond malware-based attacks. With a comprehensive endpoint platform that offers instant protections with a broader scope and high efficacy, enterprises can consistently stop threats rapidly, and gain a broader view of their security posture without the swivel-chair across multiple consoles. Furthermore, platforms that provide machine learning, understand attacker techniques, and leverage analytics across large datasets can help monitor and prevent threats throughout an organization.
  2. Keeping up with the regulatory environment: HIPAA, PCI, and other regulatory requirements identify certain security controls and associated reporting requirements. International laws specify management requirements in addition to technical requirements, such as the ability to control or view information. The General Data Protection Regulation requires organizations to report a data breach within 72 hours, and similar data breach disclosure legislation has been proposed in the United States. Changing requirements dictate the inclusion or exclusion of specific capabilities or operational processes based upon location. A platform that is architected with strict data access schemas, limiting access to and minimizing collection and transfer of personal data simplifies addressing regulatory challenges and can eliminate the risk of third-party data processors impacting any organizational compliance efforts.
  3. Responding to business requirements: Business requirements such as acquisition or centralization result in the introduction of new vendors for an existing product or the addition of a new product into the support structure of the corporate support organization. Regional or country-specific requirements and in-country vendor support capabilities are key drivers in the selection of international endpoint security products. These changes to internal corporate endpoint device support structures may serve as the catalyst for larger change and may provide the opportunity to revisit product selection strategies. A single endpoint platform provides a single pane instead of multiple disparate tools that need to be updated, tuned, and maintained to tackle the changing business needs such as mergers and acquisitions, and can result in cost savings.


Evaluation criteria to choose your endpoint product

Of course, understanding the merits of a single endpoint platform is only the first step. How can organizations evaluate single endpoint platforms and choose the one that best fits their needs?  To maximize value from your next endpoint solution, focus on how the platform impacts your security program - your people, process, and technology. Below are four key criteria when selecting a consolidated endpoint platform.

  1. Comprehensive scope: Choose an endpoint security solution that leverages a comprehensive attack model and covers the breadth and depth of techniques in the attackers arsenal. At Endgame, we believe the MITRE ATT&CK™ matrix is the most comprehensive model that addresses the attacker landscape.  Forward leaning analysts from financial services, healthcare, and other industries have adopted and developed tools to automate gap analyses that can be tracked over time. One open source effort leverages the MITRE ATT&CK™ matrix to produce a heat map depicting exposure to targeted attacks and the resources necessary to eliminate them. This kind of holistic, real-world assessment is facilitated by an endpoint platform that provides comprehensive coverage across the ATT&CK matrix.

  2. Ease of use: Choose an endpoint tool that is intuitive and easy to operate without in-depth technical engineering knowledge. Most endpoint security interfaces are complex, require proprietary query languages, and are built for experts. Given the well-documented security workforce gap and the growing workload with limited resources, a single endpoint platform should be easy to use and give analysts answers, and not just data, to make informed decisions in real time.  

  3. Fast and accurate protections: Attackers take milliseconds to steal credentials or execute a ransomware attack. The speed of attacks requires protection that can stop these threats in milliseconds to be effective. The goal of the endpoint platform must be to block new attacks and detect ongoing attacks, decreasing the time for processes such as alert validation, investigation, and response, before damage and loss occurs. Along with speed, another factor to consider is the accuracy of the protections - efficacy with fewer false positives. A 2017 study shows that it costs organizations an average of $1.37 million annually responding to false positives. Without the accuracy, it is too late to stop any damage and loss.

The endpoint buyer’s guide provides additional information on how to evaluate vendors for your endpoint program, including the key criteria for protections, performance, usability, and independent testing.


When evaluating endpoint security solutions, organizations should focus on how the endpoint platform impacts the overall security program, including the people, process, and technology. A comprehensive platform should address today’s attacker landscape with speed, efficacy, and skills while adhering to regulatory requirements to stop targeted attacks. At Endgame, we address the requisite people, process, and technology by providing superior protection and a comprehensive scope, augmenting analysts with ease of use and effective processes with automation. Meet us at RSA to learn more about how Endgame fits into your organization’s needs and provides protection from targeted attacks, before damage and loss.