Cloud-based Security Simplifies Endpoint Deployment

As part of the Endpoint Observatory study, ETR Insight hosted a feedback panel. This was a data-driven discussion between technology leaders and security consultants from the finance, manufacturing, healthcare, and chemicals industries. These experts rely on tools like Microsoft Defender, CrowdStrike, Fortinet, and Palo Alto Networks to counter zero-day vulnerabilities and other cyber threats, prioritizing integration and cost efficiency; less commonly cited tools like Huntress and ThreatLocker offer particular advantages and exceptional customer support. While the shift toward cloud-based platforms has streamlined deployment, fragmentation still forces organizations to juggle multiple tools. Panelists stressed the importance of ease of deployment, operational fit, and strong vendor support while exploring how AI might proactively anticipate and mitigate threats. Read on to learn more about a potential return to centralized mainframe-style security, barriers to vendor collaboration, and the impact of recent security incidents on vendor credibility.

Vendors Mentioned: BlackBerry (Cylance) / Cisco / CrowdStrike / Darktrace / Fortinet / Google / Huntress / Malwarebytes / Microsoft (Defender) / Palo Alto Networks / SentinelOne / Tanium / ThreatLocker / VMware (Carbon Black)

Panel Highlights

Companies across sectors depend on endpoint security vendors to counter rising cyber threats, in particular zero-day vulnerabilities. “We're definitely using Palo Alto right now, Microsoft Defender, and CrowdStrike,” says the IT Data Center Operations Manager for a large professional services enterprise. “Fortinet isn’t used in endpoint, though for VPN technologies, and Cisco is still being used there.” A CISO from finance and manufacturing speaks to how layering Fortinet and CrowdStrike products saves cost. “Fortinet, using that on the network, we try to take advantage of the endpoint and their other capabilities to reduce expense.” A third panelist, a CIO in chemical manufacturing, uses Fortinet and Defender, but also Huntress and ThreatLocker, two vendors that are less frequently cited in ETR survey data. The panel generally finds that the shift toward cloud-based security platforms has simplified endpoint deployment, enabling faster implementation and operational flexibility. Still, “[You] have to do due diligence of all the tools that are in the market before you choose or replace.”

According to the panelists, ease of deployment, cost efficiency, and operational fit are priorities over technical performance. One panelist praises Tanium’s self-updating feature, which eliminates the need for constant re-deployments and simplifies management across their global network of 120,000 endpoints. “Typically what we see as far as breaches in endpoint security, it's mostly due to lack of user awareness: weak passwords, social engineering, unauthorized software installations, and things of that nature. The more that we control and limit that exposure from the end users, that's better for us overall in a large-scale network environment.” A second CIO is less optimistic. “I don't think there can be a solution or can be a feature against social engineering or ‘dumb’ acts.”

As with other areas of security, endpoint adoption decisions often hinge on existing technological footprints and the ability to integrate tools across multiple defense layers. In many organizations, Microsoft Defender has an edge, leveraging Microsoft’s extensive telemetry data and bundled within existing E5 licenses. “Obviously, if you can use a technology in two to three of the layers, it's efficient and our CFOs and CEOs like that.”

[Chart: ETR Observatory for Endpoint survey results, return on investment expectation by vendor]

ETR Data: ETR’s most recent Observatory for Endpoint survey showed that Microsoft Defender was the endpoint tool with the fastest return on investment expectation, followed closely by pure-play endpoint vendors SentinelOne and CrowdStrike.

For those organizations acquiring another company, one panelist described how they evaluate whether to retain or replace existing technologies. “I'll be frank, a lot of it's business driven — cost, current deployment, and then how does it fit into their multi-layer defense and depth strategy? Does it help them with cyber-insurance?” Robust vendor support is critical; one CIO mentions Huntress’ particularly proactive and accessible approach. “They’ll call me or my team to tell us if something is going on, which I really, really appreciate. The support should be easy to maintain, easy to install—or no install at all—and an overall good experience talking to the customer.” They also emphasize the importance of clear roadmaps to address emerging threats, and urge vendors to provide assurance about future-proofing their tools. “What will you do to safeguard me from the things that are on the horizon?”

Broadly, panelists are skeptical of so-called “XDR” offerings, pointing to significant gaps in their promise to consolidate security into a singular, effective solution. “XDR folks claim they have one pill—no, they don't. Defender has come a long way, but still, you're telling me you buy a car and then you have to buy another layer on top of it? This is your tool. Shouldn't you have proper security before selling it to me?”

Often, fragmentation forces organizations to juggle multiple tools. “You have so many different vendors that have good products, but other vendors kind of cross over one another. For example, Fortinet doesn't play well with Malwarebytes. Malwarebytes does a great job of cleanup, but Fortinet does a great job of securing your network and your connectivity.” This panelist imagines collaboration to create unified solutions, but the antagonistic nature of industry competitors casts doubt. “I'm just not sure what that's going to look like, unless we start to see these big boy players moving and working together, and actually sort of allowing one another behind the scenes.” A groundbreaking innovation or new leadership paradigm could disrupt the status quo. “Because everybody's not playing nice, I wonder if some new technology leader is going to emerge—we'll call it an ‘Elon Musk for the PC World.’”

One cybersecurity expert suggests we might abandon the complex endpoint, looking back to the mainframe era, where devices serve as mere access points. “With the advent of Chromebooks and all of this, is it a reasonable thing to say, I'm not going to trust that phone, that tablet, that computer, or let my employees, let my users bring it in? With the advent of browser security, and other tools for remote workers, could we say, let's just take it out of the equation?” Alternatively, the industry might integrate endpoint security into standard services, just as antivirus protection is now standard in email platforms and operating systems. “Do we not trust the endpoint, or does it just evolve to where it's packaged as part of things, because it became so much a utility or a standard capability?”

Another CIO expects AI to soon anticipate and mitigate threats proactively. “Cylance or Darktrace and those companies, that at least claim they are using AI—and it is perhaps a total BS claim—that they can sense a virus or malware as soon as it comes in the horizon, around the world, and they will have protection before it attacks you.” In a pie-in-the-sky scenario, vendors would explicitly incorporate cyber insurance within their offerings, guaranteeing clients protection in the event of a breach. “Why can’t you tell me that if it happens, you’ll pay for it? Here is cyber insurance included now as a total cost, and it clearly states that if this happens, everything is covered. Every dime will be paid.”

CrowdStrike Commentary: The CrowdStrike outage caused significant disruption for many Global 2000 organizations, prompting some to consider alternatives such as Microsoft, Palo Alto Networks, and Fortinet. The unique nature of the issue at the Microsoft kernel level led to prolonged troubleshooting efforts. CrowdStrike’s initial response did not impress. “I had an engineer that had to be on-site at multiple data centers for multiple days, working hand in hand with the CrowdStrike engineers. Frankly, they didn't know what they were looking at either.”

Despite CrowdStrike’s attempts to restore goodwill through incentives and service extensions, customer trust is shaken, although many are weighing the cost of switching providers against the relatively low likelihood of a repeat incident. “Why am I going to spend all this money to replace something that is still working and protecting our environment?” Still, Microsoft is again positioned to benefit. “If I turn these levers on in my E5s in that environment, then the cost to convert goes away.”

[Chart: ETR Endpoint Observatory survey results, vendors rated on execution of product updates]

ETR Data: In the illustration above, we view the survey results for which vendors got high marks for product updates. Despite still holding a generally high positioning in the Endpoint Observatory, in this specific measure, CrowdStrike performed well below the peer average. The vendor ranked in the bottom three, with only 40% agreeing that product updates were executed well, a level well below last year’s edition, where 74% of respondents agreed.

According to the panel participants, SentinelOne, another key cloud-native endpoint security provider, has struggled to take advantage of the market opportunity presented by the CrowdStrike outage. One panelist expected SentinelOne to garner more attention as the main alternative to CrowdStrike. Generally speaking, our panelists find them credible, but cite concerns about the company’s strategic vision and customer engagement. “The folks that I talked to did not seem to be of that level. I may have talked to the wrong people or they didn't bring in their A-Team, but the people I talked to did not give me the confidence that they are better than other tools I selected.” In the end, the long-term impact of the CrowdStrike incident may be less dramatic than expected. “I don't know that we've seen data on how many businesses kept moving and didn't have a material impact. How many 8-Ks were filed as a result of the CrowdStrike event? I think we'd be shocked how small that number might be.”
