I've been thinking a lot about the Advanced Malware Detection/Prevention (AMD/P) market lately. This market is most often associated with Advanced Persistent Threats (APTs) and vendors like Countertack, Damballa, FireEye, Invincea, and Trend Micro.
As an analyst I'm paid to -- well, analyze markets. For starters, the AMD/P market is hot and will remain so as it should. According to 2011 ESG Research, 59% of enterprise organizations (i.e., those with 1,000 employees or more) are certain or fairly certain that they have been the target of an APT. As a result of these incipient APT attacks, 77% plan to increase their information security budgets. Yes, this means investment in lots of areas like next-generation firewalls and IPSs, data encryption, and new types of security monitoring tools, but it is also driving lots of AMD/P research, proof-of-concept projects, and product purchasing.
So what happens to the AMD/P market moving forward? Here are a few of my thoughts:
- The AMD/P market will remain independent for the next 2-3 years. In the past, we've seen products turn into features pretty quickly. This happened with anti-spyware and it happened with SSL VPNs. It won't happen quickly with AMD/P however. Why? APTs aren't minor annoyances or subtle policy changes, as the FBI puts it, they represent an existential threat to our data and thus our livelihood. As a result, APTs have set off alarm bells within IT and corporate boardrooms -- as they should. CISOs won't wait for AMD/P to be integrated with other security infrastructure products--rather, they need to reduce risks right away. I realize that no product can prevent APTs and that the real need here is stronger defense-in-depth. In this regard, think of AMD/P as a new and necessary layer of defense that is being added as quickly as possible.
- The AMD/P vendors are emerging as cyber crime specialists. Think about law enforcement. Like mine, your town probably has a local police force in place to respond to traffic accidents and domestic abuse cases but on the off chance that a real crime is committed, your local constable is likely to call in experts from the state police force or FBI. Same thing applies with Advanced Malware. The AMD/P vendors are gaining experience at the top of the cybercrime food chain. This knowledge alone makes them more and more valuable.
- The network is the place to be. APTs start with the compromise of a user's PC so it would be logical to bolster PC protection in order to address the threat. True but this is where logic and reality clash. Large enterprises have tens of thousands of PCs. Whenever you touch these PCs, you commit yourself to a major project. This is true whether you are upgrading to Windows 8, backing up hard drives, or implementing new AMD/P agents. I tend to equate PC projects with the Russian frontier -- vast, fraught with unexpected problems, and difficult to conquor. Most enterprises have been overwhelmed by past PC projects just as the French and Germans were overwhelmed by the Russian frontier. PC-based AMD/P products may be extremely effective but most CIOs and CISOs will do all they can at a network level before invading Russia.