ESG just published a new research report titled, Advanced Malware Detection and Prevention Trends. The publication follows up on a 2011 research report on APTs and is based upon a survey of 315 security professionals working at enterprise organizations (i.e. more than 1,000 employees) in North America.
Not surprisingly, one of the primary objectives of this research project was to understand what large organizations think about antivirus software. Does antivirus software provide adequate protection against modern malware? Do security professionals believe antivirus software is effective? Are they looking for additional or alternative solutions?
To gauge the answers to these questions, ESG presented security professionals a series of statements about antivirus software and asked them whether they agreed or disagreed. The results describe an overall state of antivirus disillusion. For example:
- 62% of security professionals strongly agree or agree with the statement: “Host-based security software (i.e. antivirus) is effective for blocking/detecting older types of malware but it is not effective for blocking/detecting modern malware (i.e. zero-day malware, polymorphic malware, etc.).”
- 52% of security professionals strongly agree or agree with the statement: “Our continued use of traditional host-based security software (i.e. antivirus) is driven by regulatory compliance for the most part.”
- 36% of security professionals strongly agree or agree with the statement: “Commercial host-based security software (i.e. antivirus) is more or less the same as free security software.”
Many organizations have moved beyond AV disenchantment and are actually addressing this issue. In fact, 51% of enterprises claim that adding new layers of endpoint security defenses is part of their security strategy for the next two years.
This data provides further evidence of an endpoint security transition in progress, meaning:
- Antivirus leaders must respond. Kaspersky, McAfee, Sophos, Symantec, and Trend Micro have to respond to user opinions and buying trends directly or face extreme pricing pressure or even full replacement. This means adding sandboxing, application controls, and endpoint forensics to their AV offerings through acquisition, partnerships, or in-house development.
- The endpoint security market is open for business for other security leaders. Even large vendors with deep pockets tended to ignore the AV oligopoly and focus in other areas. Now that enterprises are layering in additional endpoint security controls, other large security vendors are jumping into the pool with gusto. Cisco is giddy about pushing Sourcefire’s FireAMP, IBM recently acquired Trusteer, and RSA is trumpeting endpoint forensics with its ECAT product. Check Point and Palo Alto are also on-board. All of these players now view endpoint security as a part of an overall solution rather than a stand-alone AV market.
- Startups are in play. Outside of the AV usual suspects, there was little endpoint security innovation over the past decade, but this is no longer true. Startups galore, including Bit9, Bromium, Invincea, Malwarebytes, and Spikes, have introduced interesting technologies that are gaining CISO attention. It’s likely some of these vendors will be acquired while others IPO.
None of this data indicates that “AV is dead” as at least one analyst is likely to declare. For the time being, enterprises continue to use AV but are actively adding new layers of endpoint security defense. Furthermore, there is no reason why current AV leaders can’t adjust to market conditions and retain their dominant market share. That said, the data surely paints a picture of a market in a state of evolution. This can only lead to new winners, losers, opportunities, and threats.