Bridging Security Gaps with Network‐to‐Endpoint Integration

This IDC Technology Spotlight introduces the concept of an endpoint security solution integrated with network security components, to provide greater effectiveness and efficiency in security provisioning. After examining the broad arguments for such an architecture, we examine the specific case of Traps from Palo Alto Networks, as of October 2018.

The Case for an Integrated Approach to Security

Three Challenges Dominate Security Operations

Security teams face three primary challenges today. The first is a dynamic threat landscape, which continues to evolve and typically swamps security operations with an ever-increasing number of incidents and alerts. This challenge, though daunting, is at least well understood by security experts. It is the security team's day job, and there is a high degree of technical pride and professionalism exhibited in addressing it.

The other two primary challenges extend the scope of security into new territories. Digital transformation is the prevailing strategic business priority these days, and it involves providing broad access to a company's information resources to a host of third parties (customers, suppliers, partners, etc.). Securing an organization while it is undergoing a digital transformation adds a substantial degree of effort to a security team's workload, as it introduces new threat vectors, such as those from cloud and mobile computing platforms.

Regulatory upheaval is the third big challenge, and it forces security professionals to also become familiar with legal and compliance concerns. The General Data Protection Regulation (GDPR) is an example of major international legislation that has substantial security impacts, but it is not alone. Privacy and data protection legislation has been introduced in over 100 countries worldwide; we also see a build-up of general security regulations (such as NISD in the EU or China's "Cyber Security Law"), and this trend is set to continue. Security teams must be aware of emerging security requirements, and also be able to advise their business colleagues on appropriate mechanisms to comply with new rules.

The consequence of these three challenges is a net increase in pressure on security operations teams. The workload required to keep an organization secure is beyond the capabilities of most security teams, and the general rule is that security operations processes and technologies are failing to keep the business secure at reasonable cost.

A New Focus on Efficiency

A key contributor to the increased pressure on security teams is the fragmented and heterogeneous security environment that the vast majority of companies have patched together. The average number of security products in use per enterprise is 30, and most of these products come from a variety of vendors, meaning that they typically do not integrate well and little information sharing is possible. The security team receives alerts from many of these products, which leads to an overwhelming cacophony of noisy events and alerts. Given this pressure, 48.9% of organizations highlight better management of risk and compliance as a key driver for automating IT security. Potentially devastating inbound attacks remain an issue, however.

Worse, the lack of integration between products causes a loss of visibility of security across the environment, meaning that companies do not have a holistic sense of their state of security. A security estate of multiple products from multiple vendors is a source of increased risk to the business.

Chief information security officers (CISOs) are the custodians of security in many organizations. They worry about their fragmented security estate and the impact this has on their ability to keep the organization secure. In particular, they worry about:

  • The management overhead of dozens of tools, and the consequent loss of visibility
  • The overhead in time and cost of managing dozens of vendors, including design and development of manual processes and/or programmatic integrations
  • The cost and risk implications of having duplicated, or insufficient, security coverage

What CISOs need is a security platform that integrates the products in their estate and consequently reduces alert fatigue. Once the environment is integrated, it can then be orchestrated and automated, thus reducing the time and effort required to address security incidents.

Toward an Integrated Security Architecture

This integration-to-automation approach points to the trend toward adopting an integrated security platform that delivers a unified architecture upon which security products are built to address efficiency and effectiveness issues. This approach requires a more strategic perspective with regard to the security estate, versus the more tactical point-solution approach that is traditionally deployed.

Using a portfolio of integrated products from fewer vendors means greater synergies and efficiencies. But it also means a departure from a best-of-breed approach, where functionality and cost are the traditional buying criteria. This is especially true of endpoint security software, where many organizations have long and established relationships with a favorite vendor. This can lead to a sense of complacency, and there may also exist a disincentive to replace software on all of an organization's endpoint devices.

Doesn't a Best‐of‐Breed Approach Still Work Just Fine?

CISOs often have concerns about moving away from their well-tested approach to procuring security products. But often these fears are unfounded, based on out-of-date perceptions of market capability.

Best‐of‐Breed Point Solution Offers Optimal Functionality

No one expects an enterprise to implement substandard security technology. In fact, providers of integrated portfolios are among the leaders in endpoint security functionality. Although capabilities vary between endpoint products, to play in the market at all a vendor must offer substantial capabilities. There is no correlation between an endpoint security product being standalone and its functionality.

Trading Functionality for Integration

Traditionally, enterprises have selected security products based on some balance between functionality and cost. However, IDC research shows that more security leaders now rank technology rationalization (42%) above functionality (30%) or cost (28%) as their primary decision-making criterion. Technology rationalization is the process of integrating security products in order to increase efficiency through integration and automation. This may also allow a reduction in the number of product vendors, offering the potential for cost reduction and vendor management simplification.

Spreading Risk Among Many Vendors

Some CISOs may think that they want to spread risk by selecting multiple products from multiple vendors. Certainly, there is a risk in depending on a single vendor, but such total dependence is extremely unlikely: no one vendor provides the complete stack of security solutions. Using fewer vendors increases the likelihood that products integrate and reduces the overhead of managing vendors, while also decreasing the risk that non-integrated environments miss important opportunities to share data and intelligence generated at different levels of the stack (e.g., updating firewall rules with a threat newly discovered at the endpoint level).

If It's Not Broken, Don't Fix It

CISOs may already believe their security estate is optimal and needs no additional rationalization. However, IDC thinks that fragmented estates of security products may have been functional previously but are now inefficient and, given the increase in attacks and attack types, increasingly ineffective. Rising security budgets have been a long-term feature in IDC's spending analysis, but this trend cannot continue forever. In fact, we think a financial crisis in security is pending, as companies seek to rein in security spending. This means that the importance of efficiency, as well as effectiveness, will gain prominence.

Doesn't EDR Offer Better Functionality?

Endpoint detection and response (EDR) tools have rapidly gained traction and market share. It is tempting to think that these new products can simplify endpoint security issues. However, EDR should be seen not as a replacement for endpoint protection but as an enhancement. And if an EDR tool is used, then the same integration and automation requirements should still apply: many EDR solutions come from point vendors with little integration capability built in.

The Benefits of an Integrated Approach to Endpoint Security

In IDC's view, an integrated approach to security offers greater benefits than persisting with the prevalent approach of best-of-breed. There are four main reasons behind this conclusion.

Turning Endpoints into Sensors and Enforcement Points

Enterprises typically have more endpoint devices than any other piece of equipment in their organization, and these are typically the primary target or starting point of attacks. Integrating endpoint security software with network security turns endpoint devices into sensors that can act as early warning detectors of malicious activity that has yet to spread across the network. In such a merged security infrastructure, a detection at the network or endpoint layer automatically updates rulesets for the whole enterprise estate. The improvement in network telemetry not only enhances security operations efficiency, but also improves general visibility of the security posture across the network, allowing CISOs to report on it more accurately.

Prevention is Still Better Than Cure

The recent focus on detection and response has largely been prompted by the mantra that a breach is a matter of if, not when. Whatever the veracity of this assertion, the trend has led to a decrease in emphasis on threat prevention. What this means in real terms is an inevitable increase in alerts and incidents, which must then be dealt with using modern detection and response capabilities. IDC thinks that many companies are in danger of getting this balance wrong: an equilibrium should exist between preventing most attacks and remediating those that are successful. This approach minimizes the incident response effort by reducing the noise from numerous security events.

Sharing Threat and Attack Data

Integration of endpoint security with other security elements in the enterprise provides the opportunity for sharing threat and attack data across the enterprise architecture. Network security products will not detect a malware-infected USB key inserted into a laptop, at least not until it is too late. But an integrated endpoint solution can not only detect this attack but also alert the network to its existence and update rulesets, thus preserving security across the organization. Sharing threat information in endpoint context and correlating it with a historical data lake can enhance the threat intelligence function with retrospective forensics and support effective countermeasures based on a better understanding of an attack's footprint. This increased visibility of the dynamic state of security enables a more insightful understanding of risk to be gathered.

Integrated Products Eventually Deliver Better Solutions Than Best‐of‐Breed

Integrated security portfolios from individual vendors are built to the same standards of functionality as best-of-breed solutions. In fact, vendors offering integrated portfolios tend to be the larger, better resourced, and more innovative players in the market, and are thus more likely to offer market-leading capabilities.

Considering Palo Alto Networks

As technology advances, digital transformation (DX) projects have become strategic for the majority of medium and large businesses, with 88.6% of organizations already having DX as a key part of corporate strategy. IDC's research indicates that the incorporation of sufficient cybersecurity and privacy technologies is the top priority (61.0% of organizations) for DX projects, followed by mobility, data, and cloud. In parallel, under the pressure of innovation and expansion of the organizational digital footprint, endpoint security issues have also evolved. Now, protection against the unknown demands proactivity; a growing number of threats drives up the volume of alerts generated, dictating the use of automation and shared intelligence; and the increasingly diverse, remote, and constantly changing enterprise IT environment drives demand for unified security management.

Therefore, an integrated security stack is critical for holistic enterprise security.

The shift from detection to prevention rests on the ability of endpoint solutions to analyze code and block anomalous behavior without reliance on signatures. While there are different ways to implement this approach, Palo Alto Networks combines its Traps endpoint component with its WildFire threat intelligence offering. This combination delivers capabilities that:

  • Run initial analysis by tapping into hashes already known to WildFire, reducing response time to known threats
  • Perform static local analysis of code on the endpoint, which identifies potentially malicious components using an ML model trained on data pulled from WildFire, and remediate in accordance with the configured policy
  • Can send the sample to the WildFire platform for validation, where secondary static, dynamic (sandbox), and bare-metal analysis is run against a larger dataset with greater compute resources at hand
  • Prevent script-based and file-less attacks, and identify and block exploit use and vulnerability profiling/reconnaissance activity

A majority of these functions are available offline with a lightweight agent that can receive regular (policy) updates from the server. The online capabilities of the WildFire platform add an extra layer of verification to the action taken and confirm or override the verdict, considerably reducing false positives.

Shared intelligence has long been a desired concept for the industry. In 2017, IDC research found that 39% of security professionals considered putting shared intelligence in place a high or extreme priority for improving their security posture. A further 47% said it was of moderate importance. Traps shares threat intelligence with the WildFire and Aperture services, which feed Traps' offline hash repository, distribute threat intelligence to the network, endpoints, and cloud, and continuously train the local Traps analysis engine. This way, community-sourced intelligence from Palo Alto Networks' firewall, endpoint, and cloud customers provides an enormous base for machine learning and analysis via the Traps agent.

Automation of security processes ranks as a close third priority in IDC research when it comes to driving security in organizations, behind proactive insight into evolving threats and the use of threat intelligence. The majority of automated actions for Traps are readily available out of the box and are tied to threat intelligence utilization across endpoints, network, and cloud. Additionally, automated mechanisms are tightly connected with network functionality that allows organizations to localize malware outbreaks and isolate affected hosts for remediation, as well as feed logs into third-party systems for further action.

Unified security management and security integration are cornerstones of building effective security in the enterprise. The Traps, Panorama, and AutoFocus solutions from Palo Alto Networks are an example of the synergistic effects of integration.

AutoFocus enables security teams to navigate through threat information and respond to incidents. Panorama, in turn, provides automated threat correlation and surfaces malicious behavior that would otherwise be buried in the noise. Working in concert, the AutoFocus, Panorama, and Traps products provide security teams with visibility from the endpoints to the network layer. In turn, the WildFire correlation engine can deliver insight into incidents. Further, logs from both the endpoint and network layers can be immediately and automatically shipped into an enterprise SOC or SIEM environment. (It is worth mentioning here that Palo Alto Networks has a technology partnership with Splunk, as well as other event management providers.) Moreover, when a new threat is identified at the second or third step of analysis (local Traps or cloud WildFire), WildFire pushes updated threat intelligence to all network firewall rulesets, immediately closing that gap, and vice versa.

Detection and response have been top of mind for security professionals in recent times. Through recent acquisitions, Palo Alto Networks has declared that endpoint detection and response will be superseded by a new technology category, XDR: EDR-style capability applied across the entire platform, so not just endpoints, but network and cloud as well. Calling into question the focus on the endpoint, XDR expands the process of detection, investigation, and response to threats across the network, endpoint, and cloud. This additional visibility gives security teams a wider purview of information when performing analysis and aims not only to eliminate the need to "swivel chair" (moving from one interface to another, sometimes duplicating work), but to genuinely simplify investigations for all SOC operations. This is by no means a simple task. However, if Palo Alto Networks does succeed in producing products that fall under this category and other vendors get behind the idea, it will likely create a sea change for security teams.

To summarize, the latest version of Traps from Palo Alto Networks delivers cross-platform next-generation antivirus functionality. In combination with access to the WildFire analytics offering (included with the Traps subscription), centralized management for endpoint and network security, and out-of-the-box third-party security product integrations, Traps can help to improve the security posture of an organization and add proactive, holistic, and automated endpoint-to-network protection.

Challenges

Existing evidence and feedback from CISOs that are Traps users indicate that the product is delivering on its promise. It is easy to deploy, and existing capabilities function as described and/or expected. There are still some shortcomings to consider, however:

  • Rollout of longer rulesets with Traps slows down and complicates a full-scale enterprise implementation. There also are some transition time requirements to migrate all policies from non–Palo Alto Networks systems, which should be accounted for in any deployment.
  • Executive reporting is not currently available from Traps directly, but it is possible to create custom views and reports with AutoFocus, pulling alerts, threat information, and other data from WildFire, Traps, firewalls, and other third-party data feeds. Still, it requires time and effort over and above simple deployment in order to achieve this.
  • Despite its strength in the endpoint and network space, Palo Alto Networks does not provide an end-to-end security stack. Assessment of an internal security stack for integration is strongly recommended before deployment.
  • An enterprisewide Traps implementation will require a value-added partner to drive deployment in diverse or siloed environments with multiple integration points.

Through expansion of the technology partner ecosystem and continued expansion of noncore functionality, many of these challenges for Traps can be addressed.

Conclusion

Most enterprises have taken some kind of architectural approach to their security environment for the past decade or more. This typically consists of a wide range of security products that are provided by multiple vendors and perform very specific tasks (firewall, intrusion detection, antimalware, and so on). IDC thinks this approach is now out of date, rendered inefficient by the huge rise in the number and types of threats targeting the enterprise. Standalone and unintegrated solutions cannot cope with the massive number of events and incidents captured by a typical security operations team. This creates intense strain on staffing, which leads to the well-described skills shortage. The primary method for solving the skills shortage is to make security operations more efficient. IDC believes this requires an integrated approach to security, enabled by vendors offering a platform proposition.

CISOs need to balance the inefficiency and risk from fragmented environments against the notional benefit of a best-in-class technology approach. IDC thinks the balance now needs to shift toward addressing operational inefficiencies. This may be difficult, as it requires security leaders to unpick possibly a decade or more of existing relationships with trusted vendors. It will also require a potentially onerous exercise of switching out point products for more integrated solutions. But this is a one-time cost, and a piecemeal approach no longer fits the requirements of security operations. Integrated security platform approaches have been discussed over the past four or five years. In the beginning, platforms were not much more than visions of the overall direction that security architectures should take. Now, these platforms are available and offer a viable solution to improve the efficiency of security operations.