Early viruses, such as the "Creeper virus", first appeared in the 1970s. The term "virus" was coined by
Frederick Cohen to describe a "program that can infect other programs by modifying them to
include a, possibly evolved, version of itself."
Commercial antivirus products emerged in the 1980s to remove malware. Most early antivirus tools scanned endpoint files
for patterns or signatures of known malware.
In the late 1990s and early 2000s, viruses and worms like Code Red and Mydoom
infected millions of computers.
To combat polymorphic malware, security vendors added machine learning and
behavioral threat protection to create next-gen antivirus in the early
The endpoint protection platform (EPP) combines antivirus or next-gen
antivirus, personal firewall, encryption, USB device control, vulnerability
assessment, and more.
The Gartner Hype Cycle for Security Operations, 2021 claims: "Endpoint
protection platforms (EPP) no longer address the nature of modern threats as
it is no longer practical to focus on achieving 100% prevention and
Personal firewall software, first appearing in the 1990s, protected endpoints
by controlling inbound and outbound traffic.
To protect data from unauthorized access, disk encryption encrypts all data
on a disk or disk volume.
In 2013, Gartner analyst Anton Chuvakin coined the term "Endpoint Threat Detection and Response" to describe
"the tools primarily focused on detecting and investigating suspicious
activities" on endpoints. The name evolved to Endpoint Detection
and Response by 2015.
For scale, agility, and ease of management, EDR tools increasingly began to
support cloud deployment.
The Gartner report "Redefining Endpoint Protection for 2017 and 2018"
acknowledges the convergence of EPP and EDR, stating "Interest in [EDR]
capabilities has grown significantly over the past few years and has become
more broadly adopted and desired by the mainstream EPP market."
In 2018, Palo Alto Networks CTO Nir Zuk declared, "It just doesn't make any sense to do detection and
response just from endpoints." Forrester Research claimed in
2021, "EDR Is Dead, Long Live XDR."
Syslog was developed as a network-based logging service in the 1980s. Originally
built for Unix systems, it is now supported by many operating systems
Log management systems introduced correlation to link related events
together. This advancement allowed users to analyze data from different
sources together for advanced detection and security use cases.
In 2004, the top payment brands released the Payment Card Industry Data
Security Standard (PCI DSS). It mandated that organizations "track and
monitor all access to network resources and cardholder data." Many
organizations acquired log management systems to address PCI requirement 10.
In 2005, Gartner analysts Mark Nicolett and Amrit Williams coined the term SIEM, or security information and event management
system. A SIEM combined the capabilities of:
SIM (security information management), which offered storage
capacity and indexing of all system traces for analysis and reporting.
SEM (security event management), which offered real-time event
processing to extract, normalize, correlate, and report alerts to the
operators in a management console.
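As an added illustration of the SEM pipeline described above (extract, normalize, correlate, report), not code from the original page or any vendor: two log sources are parsed into one event schema and a correlation rule is run across them. The sshd syslog lines, the key=value firewall format, hostnames, addresses and the year supplied for the year-less BSD syslog timestamps are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input (not real logs): BSD-syslog sshd lines plus a hypothetical key=value firewall format.
SYSLOG_LINES = [
    "Mar  3 10:01:02 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2",
    "Mar  3 10:01:05 web1 sshd[1234]: Failed password for root from 203.0.113.5 port 51001 ssh2",
    "Mar  3 10:01:09 web1 sshd[1235]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "Mar  3 10:02:30 web1 sshd[1236]: Accepted password for root from 203.0.113.5 port 51003 ssh2",
]
FIREWALL_LINES = ["2024-03-03T10:02:55Z action=allow src=10.0.0.7 dst=203.0.113.5 dport=4444"]
SSHD_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) "
                     r"password for (?:invalid user )?(\S+) from (\S+)")

def normalize_syslog(line, year=2024):
    """Extract: parse one sshd auth line into the common schema (None for other lines)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "syslog", "host": m.group(2), "user": m.group(4), "src_ip": m.group(5),
            "type": "auth_failure" if m.group(3) == "Failed" else "auth_success"}

def normalize_firewall(line):
    """Normalize: map the firewall's key=value fields onto the same schema."""
    ts_str, rest = line.split(" ", 1)
    kv = dict(p.split("=", 1) for p in rest.split())
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "firewall", "type": "fw_" + kv["action"],
            "src_ip": kv["src"], "dst_ip": kv["dst"], "dport": int(kv["dport"])}

def correlate(events, min_failures=3, window_s=300):
    """Correlate/report: >= min_failures failures then a success from one IP inside the window,
    enriched with allowed flows back to that IP after the success (a possible callback)."""
    auth = sorted((e for e in events if e["type"].startswith("auth_")), key=lambda e: e["ts"])
    flows = [e for e in events if e["type"] == "fw_allow"]
    failures, alerts = defaultdict(list), []
    for ev in auth:
        ip = ev["src_ip"]
        if ev["type"] == "auth_failure":
            failures[ip].append(ev)
            continue
        recent = [f for f in failures[ip] if (ev["ts"] - f["ts"]).total_seconds() <= window_s]
        if len(recent) >= min_failures:
            callbacks = [f for f in flows if f["dst_ip"] == ip and 0 <= (f["ts"] - ev["ts"]).total_seconds() <= window_s]
            alerts.append({"src_ip": ip, "host": ev["host"], "user": ev["user"], "failures": len(recent), "callbacks": len(callbacks)})
        failures[ip] = []  # a success consumes the failure run
    return alerts

def run_pipeline(syslog_lines=SYSLOG_LINES, fw_lines=FIREWALL_LINES):
    events = [e for e in map(normalize_syslog, syslog_lines) if e] + [normalize_firewall(l) for l in fw_lines]
    return correlate(events)
```

`run_pipeline()` returns one alert for 203.0.113.5: three failures, a success, and one allowed flow back to that address within the window; neither source alone would have produced the enriched alert.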
As defined by Williams and Nicolett, a SIEM solution shall:
In January 2008, Yahoo released Hadoop as an open-source project. Big data
technologies like Hadoop help organizations store and process large
Vendors began using big data and analytics to detect financial fraud, account
takeover, and insider abuse.
User Behavior Analytics (UBA) emerged as a technology that "helps enterprises
detect insider threats, targeted attacks, and financial fraud," according to
the 2014 Gartner Market Guide for User Behavior Analytics. UBA platforms
provided visibility into activities and behaviors of threat actors and
In 2015, the UBA category expanded to include behavioral analysis of "entities" such as
devices and applications.
UBA uses large datasets to model expected and unusual behaviors of users and
entities within a network. It uses machine learning and statistical analysis
to determine whether anomalous activity or behavior could indicate an
Increasingly, UBA became a feature of other security tools, such as SIEM,
Cloud Access Security Brokers (CASB), or XDR.
Early packet filter firewalls emerged in the late 1980s to help monitor and
control network traffic. They were simple but also easy to bypass.
Stateful packet inspection firewalls added the ability to track the sessions
of network connections traversing the firewall.
Worms, Trojans, and phishing led to an increase in network intrusions in the
Palo Alto Networks introduced the first next-generation firewall (NGFW) in
2008. The NGFW added enhanced application visibility and control to the
traditional firewall, along with user, content, and application awareness.
To power network detection and response, NGFWs add rich device and
application data to log messages.
For the first time ever, machine learning allows NGFWs to deliver proactive,
real-time, and inline zero-day protection.
Cloud computing was first used in 1996 by engineers
at Compaq to refer to the delivery of computing services over the quickly
expanding yet still nascent commercial internet. Virtualization, originally
developed in the 1960s to partition mainframes, evolved and helped pave the
way for cloud computing.
In 2014, Docker took containers mainstream, allowing users to run multiple
containers or applications on the same kernel or operating system. The
release of Kubernetes v1.0 in July 2015 took container deployment,
management, and scaling to the next level.
Cloud Infrastructure Entitlement Management (CIEM) products, according to
Gartner, help organizations manage cloud access risks. They use analytics
and machine learning to detect anomalies in account entitlements and
Organizations are increasingly turning to Cloud Native Security Platforms
(CNSP) to protect their cloud assets. CNSPs:
Cloud Detection and Response (CDR) allows SOC teams to extend detection,
monitoring and investigation to cloud environments. Encompassing cloud host
data, traffic logs, audit logs, and cloud security data, CDR empowers SOC
teams to hunt for threats and quickly uncover and respond to attacks.
Cloud Security Posture Management (CSPM) products reduce risk and improve
defenses of cloud resources by providing visibility into misconfigurations,
detecting threats and addressing compliance. According to 2021 Gartner research, 50% of organizations
mistakenly have cloud storage, applications or APIs directly exposed to the
public internet, driving the need for CSPM.
Gartner defines cloud workload protection platforms (CWPPs) as
"workload-centric security products that protect server workloads in hybrid,
multicloud data center environments." Organizations need to protect
workloads by identifying vulnerabilities and misconfigurations and by protecting
against attacks with runtime protection and development scanning.
Learn more by reading the Gartner 2021 Market Guide for Cloud Workload Protection
In February 2019, Palo Alto Networks introduced Cortex XDR. Cortex XDR
gathers endpoint, network, and cloud data for detection and response. XDR is
designed to detect attacker techniques that evade prevention, streamline
analysis, and improve SOC efficiency.
XDR platforms integrate with security orchestration tools for case
management, alert enrichment, response automation, and more.
XDR platforms begin to gather data from third-party sources such as
firewalls. XDR platforms fully integrate NGAV and endpoint protection
Third-generation XDR platforms add support for data from any source, full
cloud detection and response, including containers and Kubernetes
integration, identity analytics, and digital forensics.
XDR platforms added the ability to collect, parse, and correlate data from
Network Detection and Response (NDR) tools first appeared in the mid-2010s to
help organizations detect network-based threats such as lateral movement,
command and control, and malware activity.
According to Gartner, "NDR solutions primarily use non-signature-based
techniques (for example, machine learning or other analytical techniques) to
detect suspicious traffic on enterprise networks." NDR tools monitor and
analyze network traffic and profile behavior to detect unusual activity
associated with attack techniques.