August 30, 2021 - Threat detection and response is a core pillar of any modern security programs, but what may have gone unnoticed is the increased investment shift over the last 2 years from protection to detection that underscores their growing importance. Even before the COVID-19 pandemic, security teams, particularly those dealing with security operation workflows, were already dealing with ever-growing complexity in multiple dimensions.

  • Technology – evolving threat complexity: Modern attack patterns change, leveraging automation in combination with human actors to burrow deep within organisations, evading most detection methods.
  • Process – constant changing environment: Technology platforms change with the rise of cloud-based environments and modern application development practices that emphasise shorter time to value.
  • People – siloed customised IT projects and tool: The broader penetration of IT services across the entire business brings more diverse initiatives, which are often being pursued in parallel by an increasing number of teams, each potentially using custom tooling.

Importance of endpoints in threat detection and response
Organisations can increase business agility when threats are better understood and controlled. If there’s one data source that could be considered primary for better threat visibility, that must be endpoint data. Endpoints play multiple roles, with different levels of prominence – they’re the interface between end-user behavior and system activity, they’re a prized foothold for adversaries looking for persistence during an attack and may be the location of the actual attack objective itself. Considering end-user-centric endpoints and their role in an attack campaign, endpoints are a source of rich telemetry from process activity as well as alert data from endpoint security tooling itself. Naturally, because of the pandemic and workforce disruption, endpoints become even more important as a source of telemetry as organisations look to corporate endpoints as a source of additional insight for any telemetry they lost because of the shift to remote work.

Hyper-growth of Endpoint Detection and Response (EDR)
Over the last 5 years, endpoint protection platforms (EPP) has ceded ground to EDR. The fundamental catalyst behind this shift has been the failure of EPP to adequately detect breaches before malware is deployed on an endpoint, which requires analytics of endpoint behaviour to detect latent malicious activity. The urgency of this gap has been underscored by the SolarWinds and Hafnium breaches and further exacerbated by:

  • Increasing volume of endpoint attacks: While the types of endpoint attacks have not changed dramatically in recent years, the volume of attacks has increased exponentially via automation.
  • Emerging threat surfaces: The number of endpoint attack surfaces has multiplied, with the proliferation of mobile and IoT devices. Attacks are now customised rendering each endpoint a potential threat exposure.
  • Incumbent weakness: Incumbents have been slow to emerging threat updates to existing deployments, specially addressing zero-day threats, which has created a shift to next-generation EDR vendors.

The biggest endpoint innovation EDR vendors bring has been in behavioral-based detection techniques. Improved threat hunting capabilities from startups and machine learning algorithms are disrupting the endpoint security market. Emerging services can use lightweight software agents to identify the nature of the attack in the wild and identify the appropriate response. Furthermore, machine learning is enabling improved detection and response capabilities, in contrast to the rules-based approaches of legacy EPPs. Ransomware is currently the biggest risk for all organisations and advanced adversaries targeting organisation can evade any protection solutions, making detection and hunting critical to fast incident response.

Rise of Extended Detection and Response (XDR)
The next phase of endpoint security is emerging as XDR, which aims to automate the detection & response phases of enterprise breaches. XDR promises to consolidate the tool sprawl in security operations by aggregating logs from across the enterprise IT environments and automating security responses to alerts. In short, XDR is a technology approach of providing pre-built integration of multiple security telemetry sources with analytics and response capabilities. Its purpose is to improve threat detection and response goals in detecting advanced threats, increasing automation tasks, and improving the mean time to respond (MTTR) to threats. Organisations see XDR as a potential path to helping them detect, identify, and understand complex attacks across the kill chain. Simply put, SOC teams need better threat detection and response efficacy, especially as it relates to unknown threats.

Security staff skills set a limitation on product-market fit
More telemetry is generally desired, but correlation and analysis is a heavy lift. Most organisations can see value in combining threat data from multiple threat vectors to provide context and accelerate detection and response; however, most lack the expertise and tools to correlate data, often leading to the reactive elimination of point threats without understanding broad attack campaigns.

The biggest barrier to adoption of both EDR and XDR remains the skills required to operate them. Despite advanced feature sets and automation capabilities, XDR still requires manual supervision to address alerts and false positives, which can reduce the actual addressable market for emerging startups.

When organisations have limited to no relevant expertise, XDR requires organisations to make significant investments in advanced security talent to cover 24/7 threat detection, investigation and response. Although XDR can be a force multiplier for organisations without a SOC or only staffing a lean security team, effective detection and response requires human insight and specialised expertise that many organisations lack.

XDR left the door open as they focus on a different path to XTD
Considering the prevalence of product-centric XDR approaches, the motivation of XDR vendors will inordinately focus on first strengthening threat efficacy as extended threat detection (XTD) to anchor its existing security portfolio in the customer’s environment. A deeper relationship is a stickier relationship and XDR vendors will focus on pre-integration to capture data telemetries in a single pane of glass as a defence against a best of breed approach. To alleviate the skills gap, managed detection and response (MDR) services that provide monitoring and alert triage are becoming popular and are increasingly being offered by the EDR/XDR solution providers themselves rather than through partners. Whilst this anchors traction for their detection technology stack, it becomes a disincentive to build product innovation that will cannibalise their lucrative expert-centric service supporting response and remediation. This leaves a white space for emerging startups to build a truly AI-powered, automated response endpoint product. To be fair, automation can fail in practice: machine learning models are trained on historical data and use correlations to make decisions about new incidents. For this reason, they are not foolproof against future attacks and can both create false positives and miss zero-day attacks. A different thinking may be needed: one that goes beyond current behavioural analysis of commercial malware to deeper forensics investigation capabilities of complex, state-sponsored attacks. This drives the ML approach and architecture needed to construct endpoint environmental artefacts and anchor contextual evidence that will ultimately deliver true automated response and remediation. In this aspect, the unfair advantage goes to countries with inordinate experience with complex, state-level attacks and a strong military cyber defence program. Besides Israel and U.S, it will bode well for venture investors to also start tracking emerging next generation EDR startups from Taiwan and South Korea.

Primary research through interviews with startup founders and investors. Secondary research through startups’ public domain information and analyst reports from 451 Research, ESG, Gartner, IDC, Pitchbook & Ponemon Institute. Startups covered : CyCraft (Taiwan), Crowdstrike (U.S), Cyberreason (Israel), SentinelOne (Israel), FireEye (U.S).