Follow Forrester’s Joseph Blankenship and Padraic Harrington as they explore the endpoint security cycle in all its modern glory during ESET World 2025.
If you were looking for expert insights into current cybersecurity trends, there was no better place for them than ESET World 2025, a global cybersecurity conference that took place on 24-26 March.
The first analyst session featured two experts from Forrester, a renowned analyst house: Mr. Joseph Blankenship, vice president, research director, security & risk, and Mr. Padraic (Paddy) Harrington, senior analyst, security & risk. They broke down real-world challenges and solutions, topping it all off with a bit of AI talk.
From prevention to response: The modern rules of endpoint defense
The session began with Paddy Harrington issuing a stark warning: “Attacks have evolved – we’re no longer dealing with things like bugs…we’re dealing with a lot of scripts now, a lot of memory-based attacks…it’s much more complex.” He explained how, in the past, attackers would attack businesses to build their reputation. These days, it’s different: “Now, it’s disruption for fun and profit. It’s all about money.”
The other thing that has evolved is the definition of an endpoint. It’s no longer just laptops or servers in the back room; businesses now have to manage phones and tablets, operational technology, IoT, and even internet browsers. “When we say endpoint and where the attacks are going, they’re targeting all of them,” summarized Harrington.

The main question Harrington posed was simple – what are businesses doing to protect these devices? His assessment: not much. Even where they are, some attacks still get through, whether because of a vulnerability, phishing, or a supply chain breach.

Sadly, there are some things businesses just can’t fully control, like the devices of contractors, employees at home, or their cellular networks: “That’s why businesses have to go beyond protection,” finished Harrington.
When prevention fails
Joseph Blankenship continued the presentation, elaborating on the aftermath of failed prevention. Bad actors will always try to circumvent defenses and will test their exploits against protective technology. “We have to be prepared for the day of the 500-year storm, when that attacker finds something that’s gonna breach that protection…or internal users make mistakes…or do something on purpose,” he explained.
Blankenship detailed how a quarter of cybersecurity incidents happen because of insider risk, both accidental and incidental cases – without accounting for other human error-related ones. Beyond the human element, it’s impossible to always have an agent or protective software on every device. Layered protection works, but it needs to extend beyond the confines of these devices, to networks, for example.
Blankenship then expanded on how, given the variety of devices present on a business network and the decisions made around security, protection isn’t simple. Air gaps fail, OT security fails (mostly due to IT connections), cloud apps are often managed externally, third parties might have security gaps, and legacy systems based on old OSs are still numerous within organizations – especially in OT environments.
Responding to failed protection
So, what is done besides endpoint security? Based on Forrester’s research, 24% of firms either procure a security analytics platform (like a SIEM) or a form of detection and response (EDR or XDR). This is important, as answering why an incident occurred is key to achieving a fast recovery and developing future resilience.

Incident investigation thus takes the most time for companies seeking fast recovery. This is especially important when dealing with ransomware, which requires a thorough purge, as it’s easy to overlook some of its components still hiding within an environment. However, this is just one of the challenges faced by SOCs.

Most often, SOCs can’t measure their success rates. “Is it the number of threats they respond to, how many issues they had, how fast they closed tickets? No one cares about those things. What they care about is ‘did this impact the business?’” Blankenship also detailed some other challenges, like the talent gap. “Every security leader I talk to tells me they don’t have enough people, and it’s not that there aren’t enough people available in the world…They don’t have the budget to hire those people, or it may be they aren’t properly trained.”
Another issue is business alignment. In-house SOCs don’t strictly do security – they have to keep a business operational. But are they aligned with business priorities? Leaders might not be aware of the many needs of a SOC team, or vice versa.
Changing SOC team priorities
Solving the SOC problem isn’t simple, but it’s also not impossible. Blankenship turned each of these issues around with some relevant advice.

SOCs have to create measurements and metrics for their security efforts and communicate them to executives in order to have impact, aligning themselves with the business. “Are we maintaining policy? Are we decreasing mean time to detect and respond, are we able to recover more quickly?” These questions and more need to be answered.
Blankenship also sees a lot of potential in automation, something Forrester called for almost 10 years ago, as it hastens threat response. He also sees a need to improve in-house talent: “Take a look inside and say: ’Hey, what skills do we need that we are missing? How do we fill that gap?’” Companies often sideline education, but when driven employees get their certifications on their own, they leave, draining their employers of skilled talent. Investment in existing people is, therefore, key to maintaining proper security and continuity.
Similarly, providing a business case for SOC activity can help achieve mutual benefits. Without activities such as third-party risk attestations, cyber insurance audits, or regulatory alignment, businesses might not be able to operate in certain countries or work with certain partners. “All the things you do, matter. So, you have to prove that back to the business,” said Blankenship.
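As an added illustration (not from the presentation or from Forrester), here is how a SOC might compute the mean-time-to-detect and mean-time-to-respond figures mentioned above from its own closed-case records and report the quarter-over-quarter change to executives; the incident schema and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass
class Incident:
    """One closed incident from the SOC's case records (constructed schema)."""
    case_id: str
    first_activity: datetime   # earliest evidence of attacker activity
    detected: datetime         # first alert or analyst awareness
    contained: datetime        # response actions completed
    recovered: datetime        # affected service fully restored
    business_impact: bool      # did the incident disrupt the business?


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def soc_metrics(incidents: list[Incident]) -> dict[str, float]:
    """Mean time to detect / respond / recover (hours) plus the count of impacting incidents."""
    return {
        "mttd_h": mean(hours_between(i.first_activity, i.detected) for i in incidents),
        "mttr_h": mean(hours_between(i.detected, i.contained) for i in incidents),
        "recovery_h": mean(hours_between(i.detected, i.recovered) for i in incidents),
        "impacting": float(sum(i.business_impact for i in incidents)),
    }


def trend(previous: dict[str, float], current: dict[str, float]) -> dict[str, float]:
    """Change per metric; a negative value means the SOC got faster or caused less impact."""
    return {name: current[name] - previous[name] for name in current}


def d(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample records for two quarters (not real cases).
Q1 = [
    Incident("INC-1", d("2025-01-05 08:00"), d("2025-01-07 08:00"), d("2025-01-07 20:00"), d("2025-01-09 08:00"), True),
    Incident("INC-2", d("2025-02-10 10:00"), d("2025-02-11 10:00"), d("2025-02-11 16:00"), d("2025-02-12 10:00"), False),
]
Q2 = [
    Incident("INC-3", d("2025-04-01 09:00"), d("2025-04-01 21:00"), d("2025-04-02 01:00"), d("2025-04-02 09:00"), False),
    Incident("INC-4", d("2025-05-20 00:00"), d("2025-05-20 06:00"), d("2025-05-20 08:00"), d("2025-05-20 18:00"), False),
]

if __name__ == "__main__":
    for name, change in trend(soc_metrics(Q1), soc_metrics(Q2)).items():
        print(f"{name}: {change:+.1f}")
```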
Enhancing security
One of the ways to get past SOC issues is to combine capabilities. “We wanna start with a good solid foundation of protective technology on endpoints, we wanna back that up with a robust detection capability…understanding what are the crucial events that we need to know about. And then, topping that off with response… getting to answer the ‘why’ so that we can recover,” said Blankenship.
Likewise, analyst experience (AX) is just as important: analysts should be able to interact with tools in a way that gives them all the information they need at a glance, while also automating some tasks along the way. In essence, this means having a single comprehensive toolset. This is confirmed by Forrester’s research, as visible below.

“When we do have that incident, we have to be able to clean up what was broken,” said Blankenship on why ease of use is important. Additionally, going from detection to recovery takes a business around 229 days, which Blankenship presented as a warning, saying businesses should look for ways to reduce that time – be it with fast forensics, a vulnerability and patch management solution, or even AI.
“AI lies”
Later, Harrington returned and expanded on how “AI lies” and why it’s not the be-all and end-all solution to SOC woes, mostly due to the nature of generative AI, which is prone to making mistakes.
Not all is negative though. For the endpoint, AI is useful in detecting anomalies. According to Forrester’s research, 59% of organizations asked see AI replacing human effort in the analysis of malware, scripting, and other tools used by adversaries. “It’s looking for things that don’t fit the pattern.”
Another thing AI is good for is helping skilled analysts. “As they’re trying to do their incident investigation and response, they can provide that analyst more detail about what’s happening in the environment,” said Harrington. Thus, a combination of AI and human skill is a recipe for success.
Moreover, AI can analyze an entire environment and determine its security posture. It’s even useful during post-incident investigation, to figure out the origin of an attack. For a compromised endpoint, this can determine how its security layers failed and make recommendations to create better future outcomes.
Lastly, Harrington explained how AI is great at guidance. “Your average user isn’t wearing the security hat day-in day-out…they’re clicking links that come in… AI can notice when users are acting poorly, or in an unsafe manner and guide them to work better. The last thing a user wants is a big red X on their screen,” he said.
Conclusion
In the end, the presenters from Forrester concluded that security is not a choice of one layer of defense; it’s all those layers working together with the skilled members of a security team to understand and protect endpoints, whatever they happen to be.
Thus, it’s not just the solutions but also the people who use them that are critical in establishing a mature security posture.