Last year, ESG published a research report titled, Advanced Malware Detection and Protection Trends, based upon a survey of 315 security professionals working at enterprise organizations (i.e. more than 1,000 employees). In one question, ESG asked security professionals whether they agreed or disagreed with the following statement: "Commercial host-based security software (i.e. AV) is more or less the same as free security software."
It turns out that 36% of security professionals either "strongly agree" or "agree with this statement, while another 25% are sitting on the fence (i.e. they neither agree nor disagree with the statement).
This is especially interesting as it relates to additional data from the project. Just over half (51%) of organizations plan to add new layers of endpoint security software as part of their cybersecurity strategy moving forward, in order to better protect themselves against modern malware.
Unfortunately, this will mean allocating more money for endpoint protection, right? Maybe not. Inquisitive information security executives wonder if they can alleviate this budget increase by simply substituting commercial AV with freeware options from companies like AVAST, AVG, and even Microsoft. By doing so, large organizations can shift existing budget dollars away from commercial AV to advanced anti-malware solutions from vendors like Bit9, Bromium, Cisco/Sourcefire, Cylance, Malwarebytes, and Triumfant.
Beyond money, this model may have some additional benefits, as it:
1. Supports BYOD. As organizations embrace BYOD, they can simply transfer AV acquisition and management to end users as part of the process. In this case, employees buy their own PCs but are required to download and install free AV before gaining access to the network. This policy could also be applied to mobile devices like tablets and smart phones.
2. Aligns with Endpoint Visibility, Access, and Security (EVAS) initiatives. Driven by mobile computing, many organizations are using EVAS tools for access policy creation, endpoint status monitoring, and granular policy enforcement (think Bradford Networks, ForeScout, Great Bay Software, Juniper Networks, and the TCG). As intelligent EVAS tools are added to the network, free and up-to-date AV software can become a "checkbox" requirement for network access.
3. Offloads and automate IT operations tasks. Aside from the capital cost of commercial AV software, IT security and operations folks are responsible for operating costs associated with software installation, configuration management, signature distribution, etc. Free AV policies and processes could alleviate these IT operations burdens, replacing IT tasks with freeware, vendor update services, and automation.
As attractive as these benefits seem, there are still risks associated with a free AV strategy. CISOs must also consider:
1. Endpoint security management. Aside from endpoint security software, many vendors offer strong management platforms as part of their solutions. McAfee ePO comes to mind here. These management solutions may go beyond AV alone, helping enterprises with additional security tasks such as vulnerability scanning, patch management, endpoint security controls (i.e. USB port controls, CD/DVD read/write controls, etc.), and even PC backup/restore. In this case, free AV cost savings may pale in comparison to the systemic management benefits already in place.
2. Current vendor roadmaps. Before jumping to free AV and advanced endpoint malware solutions, CISOs should also consider what their current vendors are up to. For example, Kaspersky Lab, McAfee, Symantec, and Trend Micro are adding capabilities and changing pricing models to bundle advanced malware prevention, detection, and remediation functionality into their endpoint security offerings. Large organization may be able to ease into advanced protection with existing vendors rather than pursuing more a radical move radical freeware and layered endpoint security software strategy.
3. Endpoint security software design and efficacy. As AV's reputation continues to degrade, the fact remains that many organizations don't use security software to its full capability. For example, some organizations turn off real-time protection while others configure AV for medium rather than maximum protection. Much of this conservative configuration management was appropriate a few years ago when PCs were less powerful and security software features were immature but this is no longer the case. CISOs should certainly test the efficacy of their AV with all protection features enabled before throwing out the AV baby with the bath water. It's also worth assessing how your vendor is supplementing device-based security features with cloud-based security intelligence. Finally, all AV is not the same no matter what industry pundits say. It's worthwhile to evaluate 3rd party tests and perform in-house testing before moving forward.
I'm certain that the endpoint security market will go through a pretty substantial change over the next few years, but will free AV play a major or minor role in this evolution? Stay tuned, ESG (and endpoint security guru Kyle Prigmore) has more endpoint security research planned for later this year to investigate this and other questions.