Wednesday, January 18, 2017

Tidal Forces: Endpoints are Different, More Secure, and Less Open

This is the second post in the Tidal Forces series. The first introductory post is available here.

Computers aren’t computers anymore.

Call it a personal computer. A laptop, desktop, workstation, PC, or Mac. Whatever the name or brand, a very large percentage of the practice and products of information security focus on keeping the devices we place in our users’ hands safe. They are the boon and bane of information technology, forcing us to find the delicate balance between safety, security, compliance, and productivity. Lock them down too much and people can’t get things done and will find an unmanaged alternative. Loosen things too much and a single click on the wrong web ad banner can take down a company. For vendors, gain a foothold on the enterprise endpoint, or the network to protect the endpoints, and you can hit hundreds of millions, if not billions, in revenue. Extend it to consumer computers at home and even the smallest market footprint can sustain a decade of other failed products and corporate missteps.

But it’s all changing. Fast.

A series of smaller trends in computing devices are overlapping and augmenting each other to form the first of our Tidal Forces that are ripping apart security. As with all three trends, it hits harder the closer we get, as the effects accelerate. The changing nature of endpoints is the one that is most likely to deeply impact established security vendors for economic reasons, while simultaneously improving our general ability to protect ourselves from attacks. While the other forces will deeply impact required security skills and operational processes, the endpoint changes will disproportionately impact vendors and the transition shouldn’t be nearly as painful for security practitioners.

  • Most of our devices aren’t “computers” anymore: According to both Gartner and IDC, PC shipments have declined for five years in a row. While the number of “traditional computers” shipped in 2016 was in the 260 million devices range, we bought over 1.5 billion smartphones. The change is so dramatic that Gartner is predicting Apple operating systems (iOS and MacOS) will overtake Microsoft Windows in 2017. Employees and consumers spend more time on mobile devices than they do on an old-school computer with a keyboard and monitor. Simultaneously we see a concurrent rise in single-purpose computers known as the “Internet of Things”. Fitness trackers, lightbulbs, toys, televisions, voice-activated AI portals, thermostats, watches, and nearly anything more complex than a fork (or not).
  • The devices we use are more secure: There is effectively no mass malware on iOS. Current iPhones and iPads are so secure it is creating a government showdown over privacy and civil rights. Even Android, if you are on a current version and use it correctly, is secure enough most people don’t need to worry about losing their data. While there is a glut of insecure IoT devices, companies like Apple and Amazon are using their market power, through HomeKit and AWS, to drag manufacturers (over time) towards solid baseline security. While we don’t have survey data we do know that Windows 7-10 are materially more secure than Windows XP and most organizations experience far lower infection rates. I’m not saying we have perfect security, I’m saying we have much better security out of the box with a much higher cost to exploit, the trend is only continuing, and most devices don’t need third-party security tools to be safe.
  • The devices we use are less open: You can’t install any antivirus or monitoring agents on an iPhone. This won’t change, because Apple sees the required system-wide monitoring as a security risk… because it is. Overall the trend, especially for consumers, is towards closed ecosystems and app stores. Today an operating system vendor needs to open access and loosen security on parts of the system to allow for security monitoring and enforcement. It is likely safe to assume this access will continue to be ratcheted down to improve the overall platform security, even on general-purpose operating systems. Microsoft even first started closing off parts of the system back with Windows Vista, resulting in an anti-security advertising campaign by certain vendors to keep the system open. The end result is an ever-tightening footprint for endpoint security tools.
  • We don’t control the networks and encryption is widespread and stronger: Not only are our devices more secure, but so are our network connections. TLS encryption is increasingly ubiquitous in applications and services and TLS 1.3 eliminates any possibility of out-of-band monitoring, forcing us to rely on man-in-the-middle techniques (which reduce security) or endpoint agents (we can’t always install). We are increasingly reducing the effectiveness of bumps in the wire to secure our endpoints and monitor communications.

Thus there is a simultaneous shift away from traditional general-purpose computers towards mobile and other devices, combined with significantly stronger baseline security, and reduced accessibility for security tools. As I mentioned in the opening, this affects the market more than the practice of security but definitely impacts both:

  • Security vendors will see a large contraction in consumer antimalware/endpoint protection: The market won’t disappear, but it’s hard to see how it doesn’t materially shrink. As it is, few consumers purchase endpoint security for Macs, and none for iOS. Windows 10 ships with AV built in, and it’s likely good enough for most consumers. We are talking about billions of dollars in revenue fading away in a relatively short period of time. I strongly believe that’s why we see moves like Symantec buying LifeLock and releasing a security-enabled WiFi router as they position to try and remain relevant to consumers. But it’s hard to see these products make up for such a large loss of addressable market, especially in competition with free credit monitoring and network vendors like Luma who offer basic home network security and don’t require annual subscriptions.
  • Endpoint security vendors will also see some reduction in enterprise sales: Although the impact on their consumer business will be high, we also expect to see impact on the enterprise side through a mix of a smaller addressable device footprint, competition from free tools (for example, OSQuery for configuration monitoring), and feature commoditization forced as operating system vendors close gaps and lock down parts of the OS. It’s hard to fully quantify this one, but it’s clear that losing licenses as device types shift will hurt. It’s also hard to see endpoint DLP and other compliance-oriented tools filling in the gap.
  • Network box vendors are in trouble: We will talk a lot more about box vendors in the next couple of posts, but with more distributed access over strongly encrypted connections, enterprises either need to route everything through VPN connections and man-in-the-middle all the traffic, or use a cloud service, or just start to rely more on the inherent security of the devices. It is really hard to see any long-term trend in their favor, even as attackers continue to innovate.

Remember, I’m not saying endpoint and network security go away, I’m saying the markets will contract and these vendors will be forced to change to maintain revenue. Some will figure it out, some won’t, and life will go on.

We also see the practice of endpoint security changing:

  • Security will be better but monitoring harder: We are losing our ability to monitor everything on the endpoint at the same time it’s harder to monitor network connections. This hurts employee monitoring and (some) compliance more than it does security from attacks.
  • We won’t need to manage as many endpoint tools: Because we won’t use them, and the ones we use will be on fewer things. I suggest using your newfound free time to learn more about cloud security architectures.
  • We will move to zero trust networks: This will come into play again when we discuss SaaS, but the concept is that we assume our networks are compromised and rely more on inherent endpoint security and encrypted connections to secure services. Some companies do this today; it isn’t a fantasy.
  • We will use more cloud-based network monitoring and filtering: Although network monitoring is harder it isn’t impossible. It makes sense to use a cloud service instead of local network tools for things like URL filtering and DLP since it becomes easier to manage widespread users and devices instead of maintaining our own large VPN infrastructures. There are definitely tradeoffs here, and super-long term I even see this market shrinking.

I’m sure I’m missing a hell of a lot but the fundamentals are solid. iOS alone is already having a pretty big impact; now imagine a world where most of the devices we use rely on a similar security model while simultaneously leveraging more secure network connections.

Please let me know what you think in the comments and on Twitter.

- Rich
