Too many opportunities to bypass traditional layers of security
Traps marks shift from detection and remediation to pure prevention
Categorising Palo Alto Networks’ new endpoint security solution Traps Advanced Endpoint Protection was apparently a tricky proposition for analysts after a recent briefing in Singapore.
“It didn't fit neatly into the category like other endpoint security products in the market, so the analysts were wondering how best to categorise Traps,” Palo Alto Networks director of product marketing Sebastian Goodwin told Digital News Asia (DNA) at an interview in Singapore.
The solution’s mix of technology and a proactive approach to securing endpoints is intended to herald a paradigm shift from detection and remediation, to pure prevention.
“The analysts did agree that compared with other products in the market, ours was the only one that was really focused on prevention rather than detection,” said Goodwin.
Traps is designed to close the door on threats, including unknown malware and zero-day exploits, well before any damage can be done. The company claims it prevents threats that often manage to evade detection or take advantage of blind spots within traditional network-based security architectures.
[Amended to clarify Asia Pacific launch timeline]
Officially launched in the United States as well as Europe/Middle East/Africa (EMEA) in September 2014, Palo Alto Networks is working on making the solution available in Asia Pacific, with plans to release it sometime in the third quarter of this year.
Traps is the result of Palo Alto Networks’ acquisition of Israeli security software maker Cyvera for US$200 million, which was announced in March and completed in April of 2014.
Cyvera had developed an innovative offering for enterprises that used a unique approach to block unknown, zero-day attacks at the endpoint.
“We took the product off the market for about six months to make improvements and to integrate it with our next-generation firewall and threat intelligence cloud product WildFire,” Goodwin said.
Today's pain points
According to a 2014 Network World report, the security software market is estimated to be over US$20 billion worldwide, with endpoint security software, notably antivirus solutions, accounting for the bulk of this revenue.
A recent Palo Alto Networks survey asked if customers would consider “switching to ‘free’ enterprise antivirus in order to fund more advanced endpoint protection for your company.”
Out of the 555 responses received, 44% responded either ‘Absolutely,’ ‘Likely,’ or ‘Already in progress.’
In his own blog post outlining endpoint security trends for 2015, Goodwin described the survey results as ‘telling.’
“It means that in 2015 we will see many organisations opt for free anti-malware products like Microsoft’s System Centre Endpoint Protection (SCEP), which some customers will find they already own due to enterprise licence bundling.
“The significance of that 44% should not be understated. Many organisations are on a three-year renewal cycle for anti-malware.
“So does that mean vendors of traditional endpoint anti-malware products should expect to lose approximately 14.67% of their renewals each year for the next three years?” he wrote.
Goodwin reported that Palo Alto Networks has also been observing a positive trend of endpoint security dollars becoming increasingly available, thanks in part to general cybersecurity budgets going up.
“And also, with a lot of companies moving in the direction of saying that they’re not going to pay for antivirus solutions anymore, getting it for free, it frees up the cheque they could write for other endpoint solutions,” he added.
That is not to say that enterprises the world over would stop paying for antivirus solutions altogether. Goodwin noted that many security compliance regulations require such solutions to be installed, and that existing regulations would need to be reworded to emphasise that endpoints are protected, rather than how they are protected.
Moving beyond antivirus
Though largely associated with the segment, endpoint security is not limited to antivirus and includes host-based software products that protect computing devices from many forms of malware, cyber-attacks, and unwanted applications.
According to ESG research, 62% of security professionals working at enterprise organisations believe that traditional endpoint security software is not effective for detecting zero-day and/or polymorphic malware commonly used as part of targeted attacks today.
In addition, over half (51%) of large organisations are planning to add new layers of endpoint security software in order to detect or prevent advanced malware threats.
“It is almost impossible to keep up with patching, and it’s a reactive approach as before the vulnerability is discovered and a patch created and released, the fact remains that it has been vulnerable till that date and hackers have known about it for months,” said Goodwin.
“It takes a lot of time to test and install new patches across organisations, and now that technology like Traps is available, we believe that it makes for a pretty compelling adoption case,” he added.
Against this backdrop of increasing pressure on enterprises to secure themselves against rising volumes of new malware, sophisticated advanced persistent threats (APTs) and wider exposure to attacks due to the rise of a mobile workforce, Palo Alto Networks believes Traps can effectively secure its market position.
As a relatively new player in the endpoint space, the company was asked how confident it was in taking a slice of a pie dominated by established brands. Goodwin pointed to the reputation the company had already built up by launching innovative solutions in the firewall and APT space, which has resonated well with customers.
“We also don’t have the association in the minds of CISOs (chief information security officers) as a product they’ve been paying for that hasn’t been working,” he quipped.
Goodwin claimed that market feedback in the United States has been particularly positive since the solution’s launch last year.
“We’ve just closed our first seven-figure deal with a healthcare provider in the States and achieved great results during the evaluation process, even when stacked up side-by-side against established competitors in the endpoint space,” he proclaimed.
To date, the healthcare, energy and financial services have been the core verticals that have really embraced the new offering.
Traps is offered as a subscription service and currently covers Windows operating systems, including server and desktop iterations.
[Amended to clarify support for other platforms]
Goodwin said the decision was made to focus on Windows as it remains the most pervasive platform, and support for other platforms is being considered with the company's researchers having confirmed that the techniques they use in Traps on Windows apply to other operating systems as well.
“It is difficult for any organisation to secure the entire spectrum of endpoints within their network – there is no silver bullet solution, and the fact remains that the majority of attacks are still targeting Windows systems because they are so ubiquitous and make for easy targets.
“Endpoints such as ATMs (automated teller machines) and Scada (supervisory control and data acquisition) systems – which may run on older versions with no patch support and have not been upgraded due to cost restraints – are especially critical,” he added.
Goodwin said Palo Alto Networks is also working on covering major mobile platforms, but also already offers an enterprise mobility solution called GlobalProtect which helps enterprises manage, protect and control access to data on mobile devices.
Last line of defence
If endpoint security is enjoying increased attention and focus this year, it doesn’t come as any surprise to Goodwin – he has lived through this shift himself, having only joined Palo Alto Networks four months ago from a previous position as a CISO overseeing 400 offices around the world with 12,000 employees.
“I’ve definitely experienced this shift back towards focusing on the endpoint myself, as I’ve gone through it all.
“[I was] purchasing all the latest and greatest layers for network security, only to realise that there were millions of events getting logged in the database and no smart way for my team to ensure that they were looking at the right things.
“This progressed to buying all the fancy analytics tools to sift through the mountain of data, but eventually I also gave up on that because you can’t detect everything, and it’s like looking for a needle in a haystack every day,” he shared.
Part of the pain came from the fact that most tools in the market were geared toward detection and remediation rather than proactive prevention.
Goodwin believes that CISOs are now looking for real solutions to endpoint security as the way out of a reactive, labour-intensive security approach – especially in the face of the rising number of mobile devices.
“Especially with targeted attacks on specific employees, there are so many opportunities to bypass the layers of security. But you can’t bypass the fact that you need to exploit the endpoint to gain access in the first place.
“The endpoint is the last line of defence and that’s why companies are still getting hacked: because endpoint security isn’t robust enough and is open to hackers circumventing traditional defences,” he argued.
And while vendors are coming up with more innovative solutions to help secure enterprises, and enterprises are moving to better police the Bring Your Own Device (BYOD) movement by limiting choices to more secure models, there is one quirk that Goodwin has observed in his time on ‘both sides of the fence.’
“The thing about companies that get strict about BYOD is that there’s always an exemption for the most important people in the company.
“They’ll say ‘I know we’re all supposed to use the BlackBerry but I really want the iPhone 6’ and the IT department goes out and gets it for them because a senior level executive asked for it – which kind of defeats the whole purpose really,” he said.