"Insanity: doing the same thing over and over again and expecting different results."
As a security architect, I've come to truly loathe the endpoint security space. The "answer" seems to be an unending stream of "yet another agent" to layer onto an endpoint, usually just to supplement another tool that's insufficient. Rarely, if ever, can I remove one of these tools (like AV! I still have AV after all this time?!), which means I get to encounter all sorts of conflicts and problems, and for what benefit? Why am I investing hundreds of thousands for incredibly small incremental gains? Insanity...
Part of the challenge with endpoint security is the problem state. As it stands today, we're typically stuck in a traditional general purpose OS environment with very little useful segregation. We deploy tools that live inside this general environment and then hope that a) they keep functioning, b) don't introduce more problems, and c) are somehow able to get enough visibility to assert reasonable control. Sheer folly. It's like trying to estimate the size of an infinite universe from an ant's perspective.
Putting aside specialized solutions deployed to endpoints for solving non-endpoint problems (like monitoring or controlling data movement)... the core focus of endpoint security /should/ be focused on monitoring for state changes. Unfortunately, in a general OS environment, this is very difficult because there are rarely clean, clear boundaries that can be watched for these state changes. In the mobile world we see this problem moving to a slightly more tenable position wherein wrappers and containers can be deployed to better define boundaries, which then enables watching for state changes. We're also starting to see this in production applications that leverage a container-based micro-services architecture. All of which leads me to an interesting thought: