This is the first blog in a two-part series about the hidden costs of endpoint management and how to avoid them. To get the full story, read part two as well.

Companies today are paying much more than they realize for endpoint management in terms of money, resources and speed, and much of that expense is hidden. A recent SANS Institute report titled “Understanding the (True) Costs of Endpoint Management” examined the endpoint management problems that IT managers are currently dealing with, the decisions that determine the true cost of endpoint management tools, and what the future holds for this ever-growing task.

Let’s take a look at some of these hidden expenses, where they come from, and how organizations can reduce these costs or even avoid them altogether.

Top 5 Drivers of Hidden Endpoint Management Costs

So what’s driving these concealed costs? There are many factors, but in the top five are:

  1. Too many tools;
  2. Limited endpoint visibility;
  3. Inefficient processes;
  4. Deficient compliance enforcement; and
  5. Lack of integration.

If you struggle with these things, you’re not alone. Let’s take a closer look at each of these contributing elements.

1. Too Many Tools

How many endpoint management tools do you use? One enterprise security team that IBM spoke to was using 85 security tools from 45 different vendors — and they still had inadequate visibility into their endpoint landscape, not to mention administrative overload from managing these overlapping, nonintegrated tools. Without fast, easy visibility across the entire endpoint landscape, teams often haphazardly patch vulnerabilities with no clear understanding of risk levels.

According to the SANS report, 83 percent of organizations use between three and nine different endpoint management tools just to find and patch vulnerabilities on endpoints. Some use more than 20 tools to complete these tasks. Think about the cost of purchasing, deploying and managing all these tools across multiple servers — not to mention the impact of managing all those vendor relationships.

Then there’s the issue of infrastructure. How many management servers are required to support all of these tools? How much are you spending on the various software licenses required to enable these tools? Even free tools may need additional software licenses that cost money, such as operating systems (OSs) and database engines. Or these free tools may have unforeseen license costs if you want to use them across your entire enterprise, or for additional applications. These types of unexpected costs can add up quickly.

In addition, the more tools in use, the more data IT professionals have to sift through and correlate across multiple dashboards, and the bigger the impact on your team’s ability to respond in a timely and agile manner. This affects both resource and speed costs.


2. Limited Endpoint Visibility

If you asked five people from any organization how many endpoints they have, you’d likely get five different answers. Now try to determine what OSs and applications (and which versions) are running on each of these endpoints.

Another consideration is the time to value of your data. Is the information you get relevant, timely and accurate? Data value erodes over time. Endpoint information that is three minutes old has a different value than data that is three days or weeks old. And how confident are you about data accuracy? Data that is collected in different ways, using different formats and at different times by different tools can be subject to error.

Together, these factors will impact your ability to effectively prioritize and respond to your most critical vulnerabilities in a timely manner.

3. Inefficient Processes

Inefficient endpoint management processes can also carry hidden costs, and patch management is at the core of this. Many organizations with low first-pass patching success rates struggle because they are using multiple OS-specific tools and have to repeat patch processes multiple times on multiple tools, increasing resource and speed costs and leaving a larger attack surface. And we all know that it only takes one unpatched endpoint to open the door for a major breach.

According to the SANS report, on average only 7 in 10 endpoints successfully receive patches on the first push. If you have less than 100 percent first-pass success, you must spend time, energy and effort to understand why the patches were not successful. How many cycles and resources does this consume?

After this is done, you’ll still need to relaunch the same patch (often multiple times) until all endpoints are updated — assuming you know how many endpoints are still unpatched and that they are on the network when you push the patch. And this is just using one tool; multiply this effort — and the resource and speed costs — by the number of tools you are using to better understand how much you’re truly spending to patch.
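The visibility problem in section 2 (data from different tools, collected at different times, that may disagree or be stale) and the re-push problem in section 3 (knowing which endpoints are still unpatched after a first pass) come down to the same bookkeeping. The following is an added illustration, not code from the original post or from IBM or SANS: it takes constructed patch-status reports from two hypothetical tools, keeps only the freshest report per host, refuses to count reports older than a chosen age as "patched", flags hosts where the tools contradict each other within a short window, and produces a first-pass success rate plus the list of hosts that need another push. The tool names, hosts, timestamps and the three-day staleness threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: what two hypothetical endpoint tools might report about the same hosts.
OBSERVATIONS = [
    {"tool": "tool-a", "host": "ws-001", "patched": True,  "seen": "2023-03-10T09:00:00"},
    {"tool": "tool-b", "host": "ws-001", "patched": False, "seen": "2023-03-10T09:05:00"},
    {"tool": "tool-a", "host": "ws-002", "patched": True,  "seen": "2023-03-10T09:00:00"},
    {"tool": "tool-a", "host": "ws-003", "patched": True,  "seen": "2023-03-01T09:00:00"},
    {"tool": "tool-b", "host": "ws-004", "patched": False, "seen": "2023-03-10T08:30:00"},
    {"tool": "tool-a", "host": "ws-005", "patched": False, "seen": "2023-03-09T12:00:00"},
    {"tool": "tool-b", "host": "ws-005", "patched": True,  "seen": "2023-03-10T09:30:00"},
]
NOW = datetime.fromisoformat("2023-03-10T10:00:00")  # constructed "current time"

def reconcile(observations, now, max_age=timedelta(days=3)):
    """Keep the freshest report per host; mark it stale if older than max_age."""
    latest = {}
    for obs in observations:
        seen = datetime.fromisoformat(obs["seen"])
        cur = latest.get(obs["host"])
        if cur is None or seen > cur["seen"]:
            latest[obs["host"]] = {"tool": obs["tool"], "patched": obs["patched"], "seen": seen}
    for rec in latest.values():
        rec["stale"] = (now - rec["seen"]) > max_age  # old data must not count as "patched"
    return latest

def conflicting_hosts(observations, window=timedelta(hours=1)):
    """Hosts where two tools disagree on patch status within `window` of each other."""
    by_host = {}
    for obs in observations:
        by_host.setdefault(obs["host"], []).append((datetime.fromisoformat(obs["seen"]), obs["patched"]))
    conflicts = set()
    for host, reports in by_host.items():
        for i, (t1, p1) in enumerate(reports):
            for t2, p2 in reports[i + 1:]:
                if p1 != p2 and abs(t1 - t2) <= window:
                    conflicts.add(host)  # a data-accuracy problem, not resolved by trusting the newest
    return conflicts

def report(observations=OBSERVATIONS, now=NOW):
    """First-pass rate counts only fresh, uncontradicted 'patched' reports; the rest need a re-push."""
    latest = reconcile(observations, now)
    conflicts = conflicting_hosts(observations)
    total = len(latest)
    ok = [h for h, r in latest.items() if r["patched"] and not r["stale"] and h not in conflicts]
    repush = sorted(h for h in latest if h not in ok)
    return {"total": total, "first_pass_rate": len(ok) / total if total else 0.0,
            "repush": repush, "conflicts": sorted(conflicts)}
```

With the constructed data, only two of five hosts count as patched on the first pass (40 percent): one host is contradicted by the second tool, one has a nine-day-old report, and one is simply unpatched, so all three land on the re-push list.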

4. Deficient Compliance Enforcement

Compliance is another area where you can find hidden costs, and achieving a steady state of compliance can often be challenging. Today, many end users have administrator rights on endpoints that allow them to download unapproved software and make other unauthorized changes. One in five respondents to the SANS survey said they didn’t know whether their endpoint systems had fallen into a noncompliant state.

If drift has occurred, how can you remediate these compliance and configuration issues? How many resources and how much time does this take? How can you verify that your security posture meets your internal service levels? Finally, how can you analyze compliance progress over time to highlight improvement or identify gaps?

The bottom line is that if your endpoints aren’t compliant, you are at risk — and we all know that security breaches are expensive.

5. Lack of Integration

IT infrastructure and security teams are typically siloed, have dissimilar responsibilities and use different, nonintegrated tools. This exacerbates the lack of visibility, inefficient processes, sporadic endpoint hygiene, and inconsistent compliance problems and costs. It can also delay your ability to respond to potential threats and active attacks.

The good news is that since the WannaCry attack in 2017, IBM is seeing tighter collaboration between security and infrastructure teams. However, as the SANS report shows, there’s still a lot of room for improvement. Security teams need to play a larger role in patching and endpoint control, and more communication is needed as well. So while we’re seeing many organizations gradually integrate their security and operations teams, there are often still very clear delineations and limited communication mechanisms. This then shifts the focus to how we can improve the level of integration and automation between the systems and processes these teams use every day.

Understanding the Costs Is Just the First Step

There are many costs inherent to endpoint management. These include money, resource and speed costs, and they are impacted by many factors that act to increase these true, or hidden, expenses. The good news is that there are many ways to address these problems. To find out how, read the second installment of this series.

