Q: Thinking about macro trends in endpoint security, we’ve seen product shifts from all-in-one EPP suites to standalone “best of breed” products and back again. Many endpoint vendors have also gone public or gotten acquired. Where is all this headed and what are some of the pros and cons?
Brian Beyer: One of the big trends we’re seeing is security becoming more embedded inside all the platforms we use every day. From my perspective, it looks like that continues to happen in two ways. The first phase is that we’re able to get really good telemetry and monitoring out of those platforms—whether it’s a cloud platform like AWS, Azure, or GCP, or the endpoint platforms running an operating system, or even something in between like VMware’s hypervisors. Second, we see the ability to do detection and prevention coming from those platforms. So we are now seeing the operating systems, cloud providers, vSphere, and all of these systems giving us more data than we ever had before.
That’s what we as a security team, and many other security teams, and all of you, view with so much optimism, and it’s why I love the world we’re in right now. We have more data than we’ve ever had before, and that’s great.
What’s been an interesting change over time is this yo-yo back and forth between very low-quality, single EPP products that are supposed to be a single agent and do a mediocre job across the board at everything they try to do, and then the creation of EDR, which gave us really best-of-breed sensors. Sensors like Carbon Black Response, and now Threat Hunter and CB Cloud, still set the gold standard for the amount of telemetry they collect off systems, but the reason we love this current evolution of Carbon Black products is that they’re now paired with great prevention capabilities in what used to be called CB Defense, in Endpoint Standard, and in other parts of LiveOps being brought together. My hope is that we don’t go down the path we went down in the past, where the quality suffered as products were consolidated, and that we’ll continue to see really good, best-of-breed features, all as part of this total suite.
Finally, endpoints continue to change. At Red Canary, we use a mix of Windows, Mac, and Linux systems, but a lot of those Linux systems are also Chromebooks being run by different parts of our company. Those really look more like thin clients, which makes the “endpoint” we’re talking about both that thin client and, effectively, the SaaS applications behind the scenes.
The question we ask ourselves, and what we’re doing a lot of work to figure out right now, is: how can we monitor those SaaS endpoints, for the teams we work with and for our customers, just as well as we monitor their more physical or virtual operating systems?