Over the past few weeks, I’ve spoken to a number of security vendors including Bit9, Bromium, CounterTack, Invincea, Malwarebytes, and Sourcefire. Each of these firms is offering some type of new security technology for detecting/blocking advanced malware that circumvents traditional defenses like firewalls, IDS/IPS, and antivirus software.
To their credit, all of these vendors are pitching their products as an added layer of defense rather than a replacement for traditional antivirus software. A wise decision since many enterprises view antivirus software as a proverbial “check-box” and antivirus is often a specific regulatory compliance requirement. The vendors I spoke with understand this and are saying the right things. Something like, “AV is an important signature-based technology for known threats. Our product provides additional protection against APTs and other types of sophisticated, targeted malware attacks.”
Marketing rhetoric aside, the market for AMD/P is starting to grow, especially in the public sector and regulated industries. Why? Large organizations realize that they do need better host-based protection and are willing to increase security budgets and implement both AMD/P and traditional antivirus software of critical servers and endpoints.
This is a sound strategy from a defense-in-depth perspective but what about cost and IT efficiency? While vendors are being careful not to throw the AV software baby out with the bath water, I’m hearing more and more rumblings from security professionals themselves. They are asking the question: “If AMD/P solutions provide better protection, why are we still paying a premium for AV software and deploying it on every server and endpoint system?” “Is there a more efficient solution here?”
This simple and logical question has the potential to shake up the multi-billion dollar endpoint security software market over the next few years. This could be a real threat to market leaders like Kaspersky Lab, McAfee, Symantec, and Trend Micro while bolstering a number of startups and alternative technologies. Here are a few possible scenarios of how this could play out:
1. Large organizations replace AV software with AMD/P technologies on critical servers. I don’t see wholesale replacement today but I do see a lot of AMD/P implementation in the server space. As regulatory requirements evolve and recognize the capabilities of AMD/P technologies as an alternative to AV, this could certainly happen. CISOs are already asking the questions posed above in the server space.
2. Commercial endpoint AV will be replaced by freeware. Large organizations may simply spend precious security dollars on AMD/P products and then point users toward free AV products like AVG and Microsoft Security Essentials. This strategy may be exacerbated by BYOD policies. Simply install free AV software, turn on automatic updating, and voila – subscription-based software expenses go away.
3. More companies turn to Microsoft Forefront. If you buy the Microsoft Enterprise Client Access License (ECAL), you can get MS Forefront AV software for free. In the past, most shops took a pass on this deal and stayed the course with pure-play security vendors but the use of AMD/P technologies could shift the AV market toward Redmond.
4. Other vendors jump into the fray. Given the market dominance of McAfee, Symantec, and Trend Micro, few other security vendors had the stomach to invest in competitive AV suites. The rise of AMD/P technology could signal a market opportunity for others like Check Point, Cisco, HP, IBM, and Juniper who never achieved success in AV. It could also open a door for firms like Dell, Fortinet, and Palo Alto to extend their security footprint.
Of course, the big AV vendors can’t let this happen and need to add AMD/P capabilities to traditional AV products. We may see some acquisitions or new product announcements soon. AV vendors have enjoyed an oligopoly for a long time but new threats, security technologies, and finite financial resources are about to make things a whole lot more competitive.