M&A activity foretells industry direction and new competitive segment.

While the calendar still indicates that we are in Q1 2014, the security industry continues as a nexus of M&A activity. The year started with FireEye grabbing Mandiant, and proceeded to Bit9’s merger with Carbon Black, and yesterday’s announcement of Palo Alto’s intent to acquire Cyvera.

These are the most recent deals but similar M&A activity is well established. In 2011, Sourcefire acquired cloud-based AV startup Immunet. Just last year alone, McAfee purchased ValidEdge in February 2013, IBM snapped up Trusteer in September, and Blue Coat grabbed Norman Shark just before the Christmas holiday.

These deals vary in size and timing but the overall strategy across all of them is pretty consistent. The steep rise in cybercrime, targeted attacks, and sophisticated malware is wreaking havoc on large enterprise organizations, and CISOs are scrambling to reinforce their defenses and mitigate risks as quickly as they can. Given the flurry of demand-side activity, security vendors are busy buying companies and delivering comprehensive anti-malware solutions to capitalize on this market opportunity.

So what does this new anti-malware model look like? Based upon the ongoing shopping spree, security vendors are trying to build an integrated portfolio with:

1. Network and endpoint coverage. In the past, network and endpoint security were managed as separate entities with almost no common oversight. Over the past few years, however, these two worlds have been coming together with malware defense and security analytics integration. This network/endpoint integration will become an enterprise requirement moving forward, thus the supply-side buying spree.

2. Visibility into email, web threats, and content. The key here is mutual inspection, analytics, and reporting to cover all of the most common threat vectors. Vendors like Trend Micro are building hooks into existing email and web security controls while others are now implementing a number of scanning engines at various points across the network.

3. Prevention, detection, and response. New technologies based upon white listing, machine learning, and malware behavior patterns are being used to decrease the attack surface. That said, vendors are looking beyond prevention alone — FireEye became the poster child for incident detection technology and many others have followed this lead. Today, security analysts and IT operations teams still need help analyzing and reacting to this new security data source so I expect incident response is the new new focus area.

4. Built-in threat intelligence. Vendors are offering more on-site security tools that are tightly coupled with crowdsourcing, homegrown research, and third-party threat intelligence from vendors like Confer and Norse. The goal? Combine internal and best-of-breed external threat intelligence analytics to accelerate detection and response processes.

5. Automation. While automation remains the long straw, vendors are looking for ways to automate remediation tasks like creating firewall and IDS rules, quarantining infected endpoints, and removing malware without reimaging systems. Given the painful transition from IDS to IPS, security professionals are still somewhat hesitant to step aside and let security technology do the work, but they are toe-dipping today at the very least. It’s likely that automated remediation will become a focus area for users and vendors in the 2015-2016 timeframe.

The future of anti-malware security technology will be dominated by integrated solutions featuring enterprise coverage, central command & control, and distributed enforcement. It’s clear now that billions of dollars will change hands in M&A activities along the way.