Large organizations have legitimate cause for concern. Malware creation and proliferation is increasing rapidly as cybercriminals and state-sponsored organizations create the next round of APTs, botnets, Trojans, and rootkits. What's more, we've entered the era of micro attacks designed to compromise a targeted organization, business unit, or individual.

Legacy security technologies are no match for this onslaught, so enterprises are investing in new tools. For example, ESG Research found that 77% of enterprise organizations (i.e., more than 1,000 employees) are increasing their security investments as a direct result of APTs.

So large organizations realize they need new layers of defense, but where should these countermeasures reside? To be more succinct, this decision comes down to adding new security technologies on the network or doing so on host systems.

Typically, this decision is guided by simple math. Large organizations have thousands of hosts, but just a handful of network ingress/egress points, so a network solution is naturally more attractive. ESG agrees that this is a good place to start, with network security solutions that:

1. Act as a client proxy. In this model, network security appliances act as a proxy in front of client machines by executing content, web threats, and executables in a virtual sandbox. FireEye has been extremely successful with this model and others like Trend Micro are also pursuing this path.
2. Monitor DNS. If you know what to look for, you can spot malicious activity based upon subtle DNS query behavior. This is where Damballa excels with both enterprises and service providers.
3. Prevent data exfiltration. Bad guys can compromise a host, escalate privileges, and find the sensitive data they are looking for, but their ultimate goal is stealing your digital assets. Network security filtering devices from vendors like Fidelis can detect and block this activity.
4. Apply application controls. Palo Alto Networks is the poster boy here but others like Check Point, Cisco, Fortinet, and Juniper are jumping onboard. If you can block web applications you reduce your attack surface.

With the right planning, design, and implementation, network security can really enhance advanced malware protection. Unfortunately, this won't be enough. Today's hosts are virtual, mobile, and multiplying like rabbits due to server/desktop virtualization and BYOD. Furthermore, IT consumerization means that devices will have tremendous variation in terms of applications, configurations, patches, etc.

Like it or not, eventually we will have to reinforce host-based defenses on top of the network. We are starting to see this behavior in play with servers as many large organizations now apply application controls from Bit9, CoreTrace, Lumension, and McAfee. We also see a lot of tire-kicking on advanced malware protection software from Countertack, Invincea, and Sourcefire with visible startup Bromium on the horizon. ESG expects deployment of advanced malware detection/prevention on a majority of enterprise servers and endpoints within the next three years.

So ultimately enterprise organizations need both network- and host-based advanced malware defenses. Yeah, it's a lot of work but it's inevitable. How about integrated network and host-based advanced malware defenses? It boggles my mind that no one is really pushing this concept, even though it makes a ton of sense. Stay tuned - one or two security vendors are bound to figure this out over time.