The term "virus" was first coined to describe self-replicating programs by Frederick Cohen and his colleague, Len Adlema in 1983. Frederick defined a virus as "A program that can infect other programs by modifying them to include a, possibly evolved, version of itself."
Signature-based antivirus software was invented to scan all endpoint files for patterns or signatures of known malware.
In the late 1990s and early 2000s, viruses and worms like Code Red and Mydoom infected millions of computers.
To combat polymorphic malware, security vendors added machine learning and behavioral threat protection to create next-gen antivirus in the early 2000s.
The endpoint protection platform (EPP) combines antivirus or next-gen antivirus, personal firewall, encryption, USB device control, vulnerability assessment, and more.
The Gartner Hype Cycle for Security Operations, 2021 claims: "Endpoint protection platforms (EPP) no longer address the nature of modern threats as it is no longer practical to focus on achieving 100% prevention and protection."
Personal firewall software, first appearing in the 1990s, protected endpoints by controlling inbound and outbound traffic.
To protect data from unauthorized access, disk encryption encrypts all data on a disk or disk volume.
Gartner Analyst Anton Chuvakin coined the term "Endpoint Threat Detection and Response" to describe "the tools primarily focused on detecting and investigating suspicious activities" on endpoints in 2013. This name evolved to Endpoint Detection and Response by 2015.
For scale, agility, and ease of management, EDR tools increasingly began to support cloud deployment.
The Gartner report "Redefining Endpoint Protection for 2017 and 2018" acknowledges the convergence of EPP and EDR, stating "Interest in [EDR] capabilities has grown significantly over the past few years and has become more broadly adopted and desired by the mainstream EPP market."
In 2018, Palo Alto Networks CTO Nir Zuk declared, "It just doesn't make any sense to do detection and response just from endpoints." Forrester Research claimed in 2021, "EDR Is Dead, Long Live XDR."
Syslog was developed as a network-based logging service in the 1980s. Built for Unix systems originally, it is now supported by many operating systems and devices.
Log management systems introduced correlation to link related events together. This advancement allowed users to analyze data from different sources together for advanced detection and security use cases.
In 2004, the top payment brands released the Payment Card Industry Data Security Standard (PCI DSS). It mandated that organizations "track and monitor all access to network resources and cardholder data." Many organizations acquired log management systems to address PCI requirement 10.
In 2005, Gartner analysts Mark Nicolett and Amrit Williams coined the term SIEM or security information and event management system. A SIEM combined the capabilities of:
SIM (security information management), which offered storage capacities and indexing of all traces of systems for analysis and reporting.
SEM (security event management), which offered real-time event processing to extract, normalize, correlate, and report alerts to the operators in a management console.
As defined by Williams and Nicollet, a SIEM solution shall:
In January 2008, Yahoo released Hadoop as an open-source project. Big data technologies like Hadoop help organizations store and process large datasets.
Vendors began using big data and analytics to detect financial fraud, account takeover, and insider abuse.
User Behavior Analytics (UBA) emerged as a technology that "helps enterprises detect insider threats, targeted attacks, and financial fraud," according to the 2014 Gartner Market Guide for User Behavior Analytics. UBA platforms provided visibility into activities and behaviors of threat actors and malicious insiders.
The UBA category expands to include behavioral analysis of "entities" such as devices and applications, in 2015.
UBA uses large datasets to model expected and unusual behaviors of users and entities within a network. It uses machine learning and statistical analysis to determine whether anomalous activity or behavior could indicate an attack.
Increasingly, UBA became a feature of other security tools, such as SIEM, Cloud Access Security Brokers (CASB), or XDR.
Early packet filter firewalls emerged in the late 1980s to help monitor and control network traffic. They were simple but also easy to bypass.
Stateful packet inspection firewalls added the ability to track the sessions of network connections traversing through the firewall.
Worms, Trojans, and phishing led to an increase in network intrusions in the early 2000s.
Palo Alto Networks introduced the first next-generation firewall (NGFW) in 2008. The NGFW offered enhanced application visibility and control to traditional firewalls and also added user, content, and app awareness.
To power network detection and response, NGFWs add rich device and application data to log messages.
For the first time ever, machine learning allows NGFWs to deliver proactive, real-time, and inline zero-day protection.
Similar to the Hardware NGFWs but offered in virtualized, containerized, or cloud form factors to ease deployment and scaling of network security.
Cloud computing was first used in 1996 by engineers at Compaq to refer to the delivery of computing services over the quickly expanding yet still nascent commercial internet. Virtualization, originally developed in the 1960s to partition mainframes, evolved and helped pave the way for cloud computing.
In 2014, Docker took containers mainstream, allowing users to run multiple containers or applications on the same kernel or operating system. The release of Kubernetes v1.0 in July 2015 took container deployment, management, and scaling to the next level.
Cloud Infrastructure Entitlement Management (CIEM) products, according to Gartner, help organizations manage cloud access risks. They use analytics and machine learning to detect anomalies in account entitlements and privileges.
Organizations are increasingly turning to Cloud Native Security Platforms (CNSP) to protect their cloud assets. CNSPs:
Cloud Detection and Response (CDR) allows SOC teams to extend detection, monitoring and investigation to cloud environments. Encompassing cloud host data, traffic logs, audit logs, and cloud security data, CDR empowers SOC teams to hunt for threats and quickly uncover and respond to attacks.
Cloud Security Posture Management (CSPM) products reduce risk and improve defenses of cloud resources by providing visibility into misconfigurations, detecting threats and addressing compliance. According to Gartner research, in 2021, 50% of organizations mistakenly have cloud storage, applications or APIs directly exposed to the public internet, driving the need for CSPM.
Gartner defines cloud workload protection platforms (CWPPs) as "workload-centric security products that protect server workloads in hybrid, multicloud data center environments." Organizations need to protect workloads by identifying vulnerabilities and misconfigurations and protect against attacks with runtime protection and development scanning.
Learn more by reading the Gartner 2021 Market Guide for Cloud Workload Protection Platforms.
In February 2019, Palo Alto Networks introduced Cortex XDR. Cortex XDR gathers endpoint, network, and cloud data for detection and response. XDR is designed to detect attacker techniques that evade prevention, streamline analysis, and improve SOC efficiency.
Cortex XSIAM is the automation-first platform for the modern SOC, harnessing the power of machine intelligence to radically improve security outcomes and transform security operations.
XDR platforms integrate with security orchestration tools for case management, alert enrichment, response automation, and more.
XDR platforms begin to gather data from third-party sources such as firewalls. XDR platforms fully integrate NGAV and endpoint protection capabilities.
Third-generation XDR platforms add support for data from any source, full cloud detection and response, including containers and Kubernetes integration, identity analytics, and digital forensics.
XDR platforms added the ability to collect, parse, and correlate data from any source.
Network Detection and Response(NDR) tools first appeared in the mid-2010s to help organizations detect network-based threats such as lateral movement, command and control, and malware activity.
According to Gartner, "NDR solutions primarily use non-signature-based techniques (for example, machine learning or other analytical techniques) to detect suspicious traffic on enterprise networks." NDR tools monitor and analyze network traffic and profile behavior to detect unusual activity associated with attack techniques.