The Merging of Acronyms & Endpoint Agents: Why DLP, ATP and ETDR Shouldn’t Be Separate Agents Anymore | Digital Guardian

The Merging of Acronyms & Endpoint Agents: Why DLP, ATP and ETDR Shouldn’t Be Separate Agents Anymore



So the world of endpoint agents’ pendulum has swung again. First we had agents, then we had to be agentless, and now we have to have agents again, only this time they are advanced.

Agents are hotter than the star at the center of the Red Spider Nebula (540,000 degrees F). There are at least 14 companies selling some form of “Advanced Threat Protection”, at least 10 companies selling some form of “Data Loss Prevention” and at least 8 companies selling some form of “Endpoint Threat Detection and Response”. That’s THREE agents right there because even the company that has two of those products sells you two agents and two consoles for the price of one. And - hold the phone - I did not even mention NAC, Antivirus, Host Firewall, Host IPS... (to be fair you can get antivirus, firewall and IPS in one agent). Ok, lets add them up – you need 5 security agents today (DLP, ATP, ETDR, NAC, AV/IPS/FW). According to the 2014 State of Endpoint Risk report published by Ponemon Institute in December 2013, the average enterprise now has 6-10 different software agents and management interfaces for endpoint risk management.

2014 Ponemon State of Endpoint Risk, Figure 13

It’s time to change this approach, period.

What if your agent could do DLP, ATP, ETDR and FW? What if you could provide visibility so that you could have better insight than the NAC solution? You need one agent plus some kind of antivirus (yes you should still run it; signatures, while not able to keep up, are still the fastest and easiest way to clean up a known mess). One agent plus antivirus. Let’s count the benefits:

  • Cost savings from operations to licenses (get antivirus for free, seriously).
  • Support from IT – non-security IT people love installing security agents (nudge, wink) and they will love them more when there is only one.
  • One console with lots of context from the threat stopped to the details to view suspicious activity.
  • The most important – am I going to be in the news or out of business because someone might have stolen my sensitive data?

Reality check. Nothing is 100% - one agent or five agents. I know, I have been in both worlds, running security groups doing both and everything in-between. But let’s face it, you do not need to outrun the bear. You need three things to defend against the bear: you only need to outrun everyone else being chased, you need an alarm when a bear might be approaching and you need a pair of binoculars to keep an eye out. One agent can do this today.

Imagine an agent that knows what your sensitive data is but goes beyond keeping it safe, it screams if something unknown just touches it (DLP), hits the big red button every time a threat approaches (ATP) and, just in case, records everything everyone does with it (ETDR). Is that not a better investment of time and money?

Going forward, demand change from your agents, ask why the DLP is “free,” understand why the ATP solution is not really advanced, and think about searching through ETDR, without context, looking for a needle in a stack of needles. It’s time for a change – get an agent that protects your data, tells you the threats to your data and shows you the most pertinent information related to your data – the one needle from the stack of them that actually matters.

David Guretz

Please post your comments here

Related Articles
Healthcare Cybersecurity: Tips for Securing Private Health Data

A robust healthcare data protection program goes beyond compliance - here are some tips for protecting healthcare data against today's threats.

Friday Five 9/11

Initial access brokers, scam domain names, and Brazil's new data protection law - catch up on the week's news with the Friday Five.

Friday Five: 2/16 Edition

Data protection jobs, Bitcoin phishing, and Amazon S3 leaks -- catch up on the week's infosec news with this roundup!