CISOs: Self-healing endpoints key to consolidating tech stacks, improving cyber-resiliency

Self-healing endpoint platform providers are under pressure to create new solutions to help CISOs consolidate tech stacks while improving cyber-resiliency. CISOs see the potential of self-healing platforms to reduce costs, increase visibility and capture real-time data that quantifies how cyber-resilient they are becoming. And reducing costs while increasing cyber-resilience is the risk profile their boards of directors want.  

A self-healing endpoint is one that combines self-diagnostics with the adaptive intelligence to identify a suspected or actual breach attempt and take immediate action to stop it. Self-healing endpoints can shut themselves off, complete a re-check of all OS and application versioning, and then reset themselves to an optimized, secure configuration — all autonomously with no human intervention. 

Gartner predicts that enterprise end-user spending for endpoint protection platforms will soar from $9.4 billion in 2020 to $25.8 billion in 2026, attaining a compound annual growth rate of 15.4%. Gartner also predicts that by the end of 2025, more than 60% of enterprises will have replaced older antivirus products with combined endpoint protection platform (EPP) and endpoint detection and response (EDR) solutions that supplement prevention with detection and response. But self-healing endpoint vendors need to accelerate innovation for the market to reach its full potential.

Absolute Software’s recent company overview presentation provides an insightful analysis of the self-healing endpoint market from the perspective of an industry pioneer in endpoint resilience, visibility and control. Absolute has grown from 12,000 customers in fiscal year 2019 to 18,000 in fiscal year 2023.

Mining telemetry data to improve resilience 

Self-healing endpoint platform providers need to mine their telemetry data and use it to accelerate their initiatives. Industry-leading executives, including CrowdStrike co-founder, president and CEO George Kurtz, see this as essential to finding new ways to improve detections.

“One of the areas that we’ve pioneered is the fact that we can take weak signals from across different endpoints,” he said at the company’s annual Fal.Con event last year. “And we can link these together to find novel detections. We’re now extending that to our third-party partners so that we can look at other weak signals across not only endpoints but across domains and come up with a novel detection.”  

Nikesh Arora, Palo Alto Networks chairman and CEO, remarked during his keynote at Palo Alto Networks‘ Ignite ’22 conference that “we collect the most … endpoint data in the industry from our XDR. We collect almost 200 megabytes per endpoint, which is, in many cases, 10 to 20 times more than most of the industry participants. Why do [we] do that? Because we take that raw data and cross-correlate or enhance most of our firewalls; we apply attack surface management with applied automation using XDR.”  

The first benchmark every enterprise IT and cybersecurity team needs to use in evaluating self-healing endpoint providers is their efficiency in mining all telemetry data. From datasets generated from attacks to continuous monitoring, using telemetry data to improve current services and create new ones is critical. How effectively a vendor uses telemetry data to keep innovating is a decisive test of how well its product management, customer success, network operations and security functions are working together. Success in this area indicates that a self-healing endpoint vendor is committed to excelling at innovation.

At last count, over 500 endpoint security vendors offer endpoint detection and response (EDR), extended detection and response (XDR), endpoint management, endpoint protection platforms and/or endpoint protection suites. 

While most claim to have self-healing endpoints, 40% or less have implemented them at scale over multiple product generations.

Today, the leading providers with enterprise customers using their self-healing endpoints include Absolute Software, Cisco, CrowdStrike, Cybereason Defense Platform, ESET, Ivanti, Malwarebytes, Microsoft Defender 365, Sophos and Trend Micro.  

How consolidating tech stacks is driving innovation

CISOs’ need to consolidate tech stacks is being driven by the challenge of closing growing security gaps, reducing risks and improving digital dexterity while reducing costs and increasing visibility. Those challenges create the perfect opportunity for self-healing endpoint vendors. Here are the areas where self-healing endpoint vendors are innovating the fastest:

Consolidation is driving XDR into the mainstream

XDR platforms are designed to integrate at scale across all available data sources in an enterprise, relying on APIs and an open architecture to aggregate and analyze telemetry data in real time. XDR platforms are strengthening self-healing endpoint platforms by providing the telemetry data needed to improve behavioral monitoring, threat detection and response, as well as identify potential new product and service ideas. Leading self-healing endpoint security vendors, including CrowdStrike, see XDR as fundamental to the future of endpoint security and zero trust.

Gartner defines XDR as a “unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components.” CrowdStrike and other vendors are continually developing their XDR platforms to reduce application sprawl while removing the roadblocks that get in the way of preventing, detecting and responding to cyberattacks.

XDR is also core to CrowdStrike’s consolidation strategy and the similar strategy Palo Alto Networks launched at the companies’ respective annual customer events in 2022.

Self-healing endpoints need automated patch management scaleable to thousands of units simultaneously

CISOs told VentureBeat that their most urgent requirement for self-healing endpoints is the ability to update thousands of endpoints in real time and at scale. IT, ITSM and security teams face chronic time shortages today. Taking an inventory approach to keeping endpoints up-to-date with patches is considered impractical and a waste of time.

What CISOs are looking for was articulated by Srinivas Mukkamala, chief product officer at Ivanti, during a recent interview with VentureBeat. “Endpoint management and self-healing capabilities allow IT teams to discover every device on their network, and then manage and secure each device using modern, best-practice techniques that ensure end users are productive and company resources are safe,” Srinivas said.

He continued, “Automation and self-healing improve employee productivity, simplify device management and improve security posture by providing complete visibility into an organization’s entire asset estate and delivering automation across a broad range of devices.”  

There’s been a significant amount of innovation in this area, including Ivanti’s launch of an AI-based patch intelligence system. Its Neurons Patch for Microsoft Endpoint Configuration Monitor (MEM) is noteworthy. It’s built using a series of AI-based bots to seek out, identify and update all patches across endpoints that need to be updated.

Other vendors providing AI-based endpoint protection include Broadcom, CrowdStrike, SentinelOne, McAfee, Sophos, Trend Micro, VMWare Carbon Black and Cybereason.

Silicon-based self-healing endpoints are the most difficult for attackers to defeat

Just as enterprises trust silicon-based zero-trust security over quantum computing, the same holds for self-healing embedded in an endpoint’s silicon. Forrester analyzed just how valuable self-healing in silicon is in its report, The Future of Endpoint Management. Forrester’s Andrew Hewitt, the report’s author, says that “self-healing will need to occur at multiple levels: 1) application; 2) operating system; and 3) firmware. Of these, self-healing embedded in the firmware will prove the most essential because it will ensure that all the software running on an endpoint, even agents that conduct self-healing at an OS level, can effectively run without disruption.” 

Forrester interviewed enterprises with standardized self-healing endpoints that rely on firmware-embedded logic to reconfigure themselves autonomously. Its study found that Absolute’s reliance on firmware-embedded persistence delivers a secured, undeletable digital tether to every PC-based endpoint. Organizations told Forrester that Absolute’s Resilience platform is noteworthy in providing real-time visibility and control of any device, on a network or not, along with detailed asset management data.

Absolute also has the industry’s first self-healing zero-trust platform that provides asset management, device and application control, endpoint intelligence, incident reporting, resilience and compliance.

CISOs look to endpoints first when consolidating tech stacks 

It seems counterintuitive that CISOs are spending more on endpoints, and encouraging their proliferation across their infrastructures, at a time when company budgets are tight. But digital transformation initiatives that could create new revenue streams, combined with customers changing how, where and why they buy, are driving an exponential jump in the type and number of endpoints.

Endpoints are a catalyst for driving more revenue and are core to making ecommerce succeed. “They’re the transaction hub that every dollar passes through, and [that] every hacker wants to control,” remarked one CISO whom VentureBeat recently interviewed.

However, enterprises and the CISOs running them are losing the war against cyberattackers at the endpoint. Endpoints are commonly attacked several thousand times a day with automated scripts — AI and ML-based hacking algorithms that seek to defeat and destroy endpoints. Self-healing endpoints’ importance can’t be overstated, as they provide invaluable real-time data management while securing assets and, when combined with microsegmentation, eliminating attackers’ ability to move laterally across networks.