The Advanced Malware Detection/Prevention Market

Some thoughts on the present and future


I've been thinking a lot about the Advanced Malware Detection/Prevention (AMD/P) market lately. This market is most often associated with Advanced Persistent Threats (APTs) and vendors like Countertack, Damballa, FireEye, Invincea and Trend Micro.

As an analyst I'm paid to -- well, analyze markets. For starters, the AMD/P market is hot and will remain so, as it should. According to a 2011 ESG Research report, 59% of enterprise organizations (i.e. 1,000 employees or more) are certain or fairly certain that they have been the target of an APT. As a result of these incipient APT attacks, 77% plan to increase their information security budgets. Yes, this means investment in lots of areas like next-generation firewalls and IPSs, data encryption, and new types of security monitoring tools, but it is also driving lots of AMD/P research, proof-of-concept projects, and product purchasing.


So what happens to the AMD/P market moving forward? Here are a few of my thoughts:

  1. The AMD/P market will remain independent for the next 2-3 years. In the past, we've seen products turn into features pretty quickly. This happened with anti-spyware and it happened with SSL VPNs. It won't happen quickly with AMD/P, however. Why? APTs aren't minor annoyances or subtle policy changes; as the FBI puts it, they represent an existential threat to our data and thus our livelihood. As a result, APTs have set off alarm bells within IT and corporate boardrooms -- as they should. CISOs won't wait for AMD/P to be integrated with other security infrastructure products. Rather, they need to reduce risks right away. I realize that no product can prevent APTs and that the real need here is stronger defense-in-depth. In this regard, think of AMD/P as a new and necessary layer of defense that is being added as quickly as possible.
  2. The AMD/P vendors are emerging as cybercrime specialists. Think about law enforcement. Like mine, your town probably has a local police force in place to respond to traffic accidents and domestic abuse cases, but on the off chance that a real crime is committed, your local constable is likely to call in experts from the state police force or FBI. Same thing applies with Advanced Malware. The AMD/P vendors are gaining experience at the top of the cybercrime food chain. This knowledge alone makes them more and more valuable.
  3. The network is the place to be. APTs start with the compromise of a user's PC so it would be logical to bolster PC protection in order to address the threat. True, but this is where logic and reality clash. Large enterprises have tens of thousands of PCs. Whenever you touch these PCs you commit yourself to a major project. This is true whether you are upgrading to Windows 8, backing up hard drives, or implementing new AMD/P agents. I tend to equate PC projects with the Russian frontier -- vast, fraught with unexpected problems, and difficult to conquer. Most enterprises have been overwhelmed by past PC projects, just as the French and Germans were overwhelmed by the Russian frontier. PC-based AMD/P products may be extremely effective but most CIOs and CISOs will do all they can at a network level before invading Russia.