(Editor’s note: This blog appears as part of the eBook, “Should You Buy Endpoint Security from a Network Security Vendor?” available here.)
By Richard Stiennon, Chief Research Analyst, IT-Harvest
Decoupling, an engineering term used to describe breaking a problem into its component parts, is a useful concept for IT security. In mechanical engineering it means a mathematical separation. In security it is often termed layered security.
There is no question that every organization needs to deploy layered security. Solutions are needed for data security, user identity and access management, endpoint security, server security, network security, and most recently, cloud and mobile device security. No matter how enthusiastic Wall Street may become, there will never be a single vendor that dominates in the complete stack.
Let’s go back to basics. At the simplest level of security commandments are these rules:
- A secure network assumes the host is hostile.
- A secure host assumes the network is hostile.
- A secure application assumes the user is hostile.
These rules are very powerful when applied to product strategies. Any proposed product that binds any two of host, network, and application, will be a market failure. Sadly, the messaging around coupling can be very compelling, and many high-flying vendors are spinning their narratives around this coupling.
None of these companies have experienced any benefit from having endpoint and network solutions. There is no synergy, and the most successful acquisitions come when the acquirer keeps the two businesses separate.
The reason network and endpoint security solutions do not mix are plentiful:
- Buying centers. Endpoint security is managed by a different team within the enterprise than is network security. Endpoint security is primarily focused on protecting Windows machines, which do not exist in the network where most routers and gateway devices run something akin to Linux. Network operators are more likely to use Pine for email than Outlook. For the vendor trying to conquer both spaces this means different sales cycles, different sales teams, separate contracts, and most importantly, different skill sets.
There is a broad gap between the Microsoft Windows experts responsible for laptop and desktop configuration and the network wizards that maintain switches, routers, and firewalls.
- Brand perception. Let’s face it, anti-virus products are a pain to work with. Every end user has had frustrating slowdowns, system crashes, and false positives from their endpoint AV. Those users include the network administrators. The last thing they want is a product from the same vendor on their network where slowdowns and crashes are much more damaging to productivity. Ever wonder why Microsoft never introduced a router and every attempt at introducing a network firewall has failed completely?
- Best of breed. Every organization needs the best firewall and the best endpoint protection for their environment. They will always make those decisions independently. It’s also critical for organizations to select security products that are open and extensible so they can be integrated into a complete, layered defense.
A full stack security strategy is one of consolidation. But the security industry does not consolidate. Unlike every other segment of the IT industry, security has an outside driver: threat actors. Cyber criminals and nation states force each security vendor to innovate or die. It is hard enough to stay ahead of the curve in one space. Attempting to do it in two spaces is futile.
But what about so-called advanced malware defenses? Yes, detonating executables in a network attached sandbox provides valuable intelligence. New forms of malware, even zero-days, can be caught in this way. Assuming, of course, that the sandbox works perfectly, which they never do.
The endpoint must still be protected with the best possible defense, one that has a default deny approach. Treat known good applications differently than unknown executables.
While decoupling is a good way to analyze the viability of a vendor’s go to market strategy, what about from the buyer’s viewpoint? Should you purchase your endpoint security solution from your network security vendor? You have to ask yourself these questions:
- Has the vendor ever deployed a product to the number of endpoints we have?
- What does the management console look like? Does it integrate with my other endpoint management solutions? What reports does it provide?
- Do they support my environment? Windows XP SP3 all the way to Windows 10? What about my Linux and VM systems?
- What resources does the vendor devote to endpoint R&D? Are they nimble enough to innovate?
- Have they figured out what to do about my mobile workforce? Can they protect them when they are at a coffee shop browsing the Web?
And finally, do you really want to be part of a high-flying network security vendor’s attempt to grab market share and keep up with Wall Street’s expectations of 50% growth year over year? This model has a name: it’s called vendor lock-in. One of the advantages of decoupling in IT security is that you can choose a different network security vendor when something better comes along. The same holds true for your endpoint security vendor.
The combination of a failed business model, the lack of focus on endpoint deployments, and decoupling makes a complete case for keeping your network and endpoint security separate.