C-level briefing: Where others have failed, Sophos CEO Kris Hagerman hopes to succeed.
The history of combining network and endpoint security technologies has not been a particularly successful one, but cyber security company Sophos is hoping that the time has finally arrived.
These two separate cyber security disciplines grew up in parallel to each other, and several companies from both sides have tried to expand into the other. The list encompasses some of the biggest names in cyber security: Symantec, McAfee, Fortinet, CheckPoint, Palo Alto Networks and FireEye.
The basic difference is that network security monitors traffic moving through the pipes of the network and between different segments of it, regardless of the destination.
Endpoint security sits on the devices and monitors activity on them, only protecting that specific device.
The lack of success in combining the network and endpoint has led to doubts about its viability. Richard Stiennon, Chief Research Analyst, IT-Harvest wrote in Forbes in April 2014 that "none of these companies have experienced any benefit from having end point and network solutions. There is no synergy and the most successful acquisitions come when the acquirer keeps the two businesses separate."
Kris Hagerman, CEO of Sophos, which has been demoing its ‘Synchronized Security’ product Heartbeat says that there are good reasons why the two technologies have been so separate.
"Most of these solutions have been built for larger enterprises. In larger enterprises, the organisations managing the network are separate from the organisations managing the endpoint.
"As a result, when these companies built solutions they built them to be really good for the people managing their product and their discipline," says Hagerman.
The siloing of the two dates back to the early (pre-internet) days of IT. As Bob Tarzey, Principal Analyst at Quocirca says, the original security products were endpoint security, antivirus software that sat on devices and protected against viruses that were physically inserted into devices: for example, sitting on USB sticks.
Why are they only coming together now? Hagerman argues that several technologies have reached maturity that facilitate this.
"There really have been advances in the technology ecosystem itself that makes these products more able to communicate that are relatively recent: cloud, big data, analytics. Those things didn’t exist with anywhere near the maturity they have today ten years ago.
"One of the real problems in integrating between endpoint and network is to take all of the information that gets generated and make sense of it. To do that, the cloud is really important and so is big data."
If companies have been doing fine all of this time without combining their two products, why do they need it now?
John Shaw, VP of Product Management at Sophos, says that customers have some "very real problems that this solves."
"Until they are aware of this possibility, it’s a bit like the Henry Ford quote: ‘if I’d asked my customers what they’d wanted they’d have asked for a faster horse.’"
John Shaw, VP of Product Management at Sophos
One of the major benefits that combining the technologies offers is the sharing of information and the ability to create products at this intersection.
Sophos’s messaging around this combination likens network security and endpoint security to having two security guards that formerly didn’t talk to each other but have now been given walkie-talkies.
"[The different types of security product] all have the ability to generate security intelligence and the ability to benefit from it," says Hagerman.
Bob Tarzey highlights network access security as one area where the two technologies combine. The security product on the endpoint assesses the condition of the device and then submits this information to the network. An infected device can in this way be prevented by the network security product from accessing the network.
This ability for devices to be effectively quarantined is incorporated into the Heartbeat product, isolating compromised devices.
Another example is the firewall alerting the user to suspicious traffic coming from somewhere on the network. The Firewall automatically communicates to the suspect system what the firewall is detecting and the endpoint protection agent uses this information to discover the process causing the threat.
As Hagerman says, these capabilities require data situated in the cloud, being processed by analytics.
The other major part is solving the alert problem. Organisations are bombarded constantly with alerts about things going wrong from all of their different cyber security products. The volume of these and the lack of prioritisation of alerts gives the IT administrators a tough job managing which alerts actually require action and which can be ignored.
"People have the security software telling them that potentially bad things are happening but they don’t know how bad they are or if data has been stolen," says Shaw.
Time will tell if Sophos succeeds where others have failed, but the potential of the combination is undeniable.