The Return of AV Leaders?

When I started covering the infosec market around 13 years ago, anti-spyware was the hot topic Du Jour. The market went through a common cycle – VCs funded companies and cranked up the hype machine. Some product companies were acquired (CA purchased PestPatrol, Microsoft acquired Giant Software, etc.), while others pivoted from anti-spyware alone to endpoint security (Webroot). Ultimately, however, the anti-spyware boom cycle went bust when incumbent endpoint security leaders like Intel Security (McAfee), Kaspersky, Sophos, Symantec, and Trend Micro added anti-spyware to their existing AV products, turning a product category into a product feature. 

Fast forward to 2015 and leading endpoint security vendors find themselves in another turf battle. An army of upstarts are challenging the AV crowd with new endpoint security products designed to block, detect, and remediate targeted malware attacks that tend to circumvent traditional signature-based controls. Sand Hill Road is busy writing checks, declaring huge multiples for its portfolio endpoint security companies, and boastfully pitching “AV is dead” hyperbole.

To be clear, I am a big fan of a number of these new endpoint security companies who have really reinvigorated the space with creativity, enthusiasm, and innovation. Targeted malware is in fact a different animal that demands specific countermeasures. 

But here’s the rub: While it is certainly true that enterprise organizations need new types of endpoint defenses, most large enterprises haven’t pulled the plug on traditional endpoint security as of yet. This means that in spite of a well-resourced insurgency, AV leaders continue as incumbent endpoint security vendors. And like the anti-spyware saga described above, market opportunities for newbies will inevitably change once incumbent vendors catch up with similar advanced anti-malware functionality.

Note to next-generation endpoint security vendors and VCs: That sound you hear is the clock striking midnight. Over the past few weeks and months, I’ve seen some real innovation from the very endpoint security vendors ridiculed for the past few years. Intel Security just announced McAfee 10.x, which it calls its agile endpoint services platform with Active Response. At the same time, Symantec announced its Advanced Threat Protection solution, claiming it can “detect and remediate advanced threats across control points, from a single console with just a click, all with no new endpoint agents to deploy.” Trend Micro has already integrated endpoint security with its Deep Discovery malware detection and analysis engine, and is adding endpoint forensic capabilities as well. I’ve seen similar innovation from Sophos and Webroot as well.

With an existing seat at the endpoint security table, incumbent vendors will likely get a shot at new endpoint security business. While some endpoint security upstarts probably have better malware detection capabilities today, the AV old guard can push back with a proven track record and the ability to scale to manage thousands of endpoints. Enterprise CISOs really care about this. 

Finally, ESG research indicates that 58% of enterprise organizations want a single endpoint security suite that can handle prevention, detection, and response (note: I am an ESG employee). Since CISOs have seen endpoint products become features before, they will likely give their incumbent AV vendor’s a shot at their business at the very least.

Certainly the market for advanced malware protection and endpoint forensics is currently in play, and lots of newer vendors (i.e. Bit9, Confer, CounterTack, Crowdstrike, Invincea, SentinelOne, etc.) could emerge as leaders. The same goes for Cisco, FireEye, Hexis Cyber Solutions, and Palo Alto Networks as they tightly couple endpoint and network defenses. And while traditional endpoint security vendors have a fighting chance to retain a leadership position, they do have some work ahead as many cybersecurity professionals believe that traditional AV is nothing more than a signature-based commodity product that doesn’t work very well. Changing this perception will take market education and lots of hand holding.

While signature-based AV (alone) is dead, the traditional AV crowd is very much alive. And now that incumbent vendors are introducing advanced malware prevention, detection, and response features, they could end up having the last laugh to boot.