VMware Signals The End Of “Endpoint” Detection And Response
The acquisition of Carbon Black by VMware was a bit of a surprise to me, but once put into perspective, it makes sense. First, a few observations from a value perspective: Carbon Black brings a strong brand and technology that warranted a Leader position in my last Forrester Wave™ on the endpoint detection and response (EDR) space. Meanwhile, the company has been suffering as a public entity, with a stock price that has spent most of this year in the teens. VMware is paying a premium on the stock price at $26 but is arguably getting a product worth more than what it is paying . . . that’s what they’re betting, at least.
Endpoint has traditionally referred to laptops and workstations, which makes the naming of “endpoint detection and response” a bit unfortunate. Almost two years ago, when I ran my last iteration of Forrester’s EDR Wave, the customer references uniformly reported that they have been utilizing EDR products outside of what is traditionally considered endpoint. I was even on a webinar a few weeks ago with a CISO who went so far as to refer to EDR as “enterprise detection and response.” I like this and think it’s representative of where this technology is going.
Looking at the rest of the market, we see players such as Trend Micro and Palo Alto Networks making a concerted branding effort to offer something they have both been marketing as XDR. The X could be anything, but the concept is simple — what if you tie all your network analysis and visibility (NAV) devices, your EDR data, and any other log data together to improve detection and give a more holistic view of the environment? While the branding might not be unique, the concept is important, as many organizations have 10–20% of their “endpoints” not under management. You simply can’t do EDR detection on unmanaged devices. Not wanting to hype any particular vendors too much, a few less fashion-forward vendors doing similar things in this space are RSA and Cisco (NetWitness and AMP, respectively).
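The two points in that paragraph, tying network visibility to endpoint telemetry and finding the “endpoints” no agent covers, can be shown with a small correlation exercise. The following is an added example, not code from the post or from any vendor mentioned; the EDR inventory, the NAV host list, the process events and the network alerts are all constructed sample data, and the field names are assumptions rather than any product’s schema.

```python
"""Cross-source correlation in the XDR spirit (constructed example).

Three constructed feeds stand in for what a real deployment would pull from
an EDR console, a NAV sensor and a network detection engine:
  EDR_INVENTORY     hosts with a managed EDR sensor, keyed by hostname
  NAV_OBSERVED      IPs the network sensor has seen talking on the wire
  EDR_PROCESS_EVENTS  per-process telemetry from the sensors (ts = seconds)
  NETWORK_ALERTS    detections raised purely from network data
"""

# Constructed sample data (hypothetical hostnames and RFC 1918 addresses).
EDR_INVENTORY = {"ws-0142": "10.0.4.12", "srv-db01": "10.0.9.3", "ws-0177": "10.0.4.40"}

NAV_OBSERVED = ["10.0.4.12", "10.0.4.40", "10.0.4.88", "10.0.9.3", "10.0.7.21"]

EDR_PROCESS_EVENTS = [
    {"host": "ws-0142", "ts": 1000, "proc": "powershell.exe", "net_conns": 412},
    {"host": "ws-0142", "ts": 1005, "proc": "outlook.exe", "net_conns": 9},
    {"host": "srv-db01", "ts": 1003, "proc": "sqlservr.exe", "net_conns": 37},
]

NETWORK_ALERTS = [
    {"src_ip": "10.0.4.12", "ts": 1002, "rule": "dns-tunnel-heuristic"},
    {"src_ip": "10.0.7.21", "ts": 1004, "rule": "smb-scan"},
]


def ip_to_host(inventory):
    """Invert the EDR inventory so network data (IP-keyed) can reach hostnames."""
    return {ip: host for host, ip in inventory.items()}


def unmanaged_hosts(inventory, observed):
    """IPs the network sees that carry no EDR sensor: the coverage gap."""
    managed = set(inventory.values())
    return sorted(ip for ip in observed if ip not in managed)


def coverage_ratio(inventory, observed):
    """Fraction of network-observed hosts that are under EDR management."""
    observed = set(observed)
    return len(observed & set(inventory.values())) / len(observed)


def enrich_alert(alert, inventory, events, window=5):
    """Attach endpoint context to a network alert when a sensor exists.

    Returns the hostname, whether EDR telemetry is available to pivot into,
    and the processes active on that host within `window` seconds of the
    alert, noisiest network talker first. An unmanaged host yields no
    process context, which is exactly the gap the paragraph describes.
    """
    host = ip_to_host(inventory).get(alert["src_ip"])
    if host is None:
        return {**alert, "host": None, "edr_covered": False, "candidate_procs": []}
    matching = [
        e for e in events
        if e["host"] == host and abs(e["ts"] - alert["ts"]) <= window
    ]
    matching.sort(key=lambda e: -e["net_conns"])
    return {
        **alert,
        "host": host,
        "edr_covered": True,
        "candidate_procs": [e["proc"] for e in matching],
    }


if __name__ == "__main__":
    print("unmanaged:", unmanaged_hosts(EDR_INVENTORY, NAV_OBSERVED))
    print("coverage:", coverage_ratio(EDR_INVENTORY, NAV_OBSERVED))
    for a in NETWORK_ALERTS:
        print(enrich_alert(a, EDR_INVENTORY, EDR_PROCESS_EVENTS))
```

With the sample data, two of the five hosts the network sees have no sensor, so the dns-tunnel alert on ws-0142 can be pivoted straight to the process list while the smb-scan alert from 10.0.7.21 has nothing behind it but the packet data. The same join is what the XDR pitch amounts to once the branding is stripped away.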
Interestingly, the consolidation of technologies is also happening with Google Cloud Platform and Microsoft Intelligent Security Graph, where these companies are trying to reinvent what the endpoint is by pulling application-level telemetry out of their productivity suites to supplement other detections.
Let’s be honest, we all spend most of the time in our browsers and productivity suites, so this is an extremely interesting place to try doing detection, and these are really the only companies that can do it. It’s also no coincidence that these two vendors recently dove headfirst into the security incident management (SIM) space, because you have to tie the data together somewhere.
While the obvious technology angle of VMware’s acquisition of Carbon Black is that it lets you deploy EDR capabilities across your cloud/virtualized environment, in the big picture it’s just a continuation of this trend.
Is it time we rebrand EDR as “enterprise detection and response”?