Antivirus: From Stand-Alone Product to Endpoint Feature

Endpoint experts discuss the evolution of AV and its shift from stand-alone product to a feature in broader security tools.

The endpoint security evolution is underway. Antivirus (AV) isn't dead, but its nature is changing as enterprise threats become faster, more widespread, and more complex.

"Antivirus has become, to me, more of a specific feature or age moniker than a type of product intrinsically," says Mike Spanbauer, vice president of research strategy at NSS Labs. Vendors that established the AV space - McAfee, Symantec, Kaspersky Lab - have spent the past decade enhancing their platforms with new capabilities, he explains.

Spanbauer cites two reasons for the shift from stand-alone antivirus systems to broader endpoint detection and response (EDR): a "race to innovation" and more complex attacks.

Malware as a service has become more accessible, says Andrew Newman, founder and CEO of Reason Software. The ease of creating new malware has produced a surge of malware strains, which has made the traditional AV model of analyzing each new sample and writing a signature for it impossible.

"There are a lot more eyes looking at, and investigating, vulnerability efforts across all enterprise applications," says Spanbauer. "There are more vulnerabilities discovered than ever, more sophisticated actors than we've ever seen."

What we considered antivirus two years ago has advanced well beyond what we considered traditional AV, he continues. Companies are integrating cloud mechanics and augmenting their platforms with additional features to quickly detect increasingly complex threats.

"The reality is, the bad guys aren't resting, either," he adds.

What are we up against?

Today's attackers are organized and well-funded, and they no longer operate alone, Forrester Research reports in its Endpoint Security Software Forecast. Between 20% and 80% of cybercrime is conducted by organized criminal groups.

However, only 46% of security decision-makers are highly concerned about an attack from non-state actors, and 43% are highly concerned about foreign government attacks.

Corporate data is a prime target. Nearly half of organizations surveyed reported at least one breach of sensitive data in the year prior, and 46% of security leaders whose businesses were hit with a breach said it targeted a corporate server. Nearly 40% said corporate-owned devices were targeted in external attacks.

Traditional antivirus systems aren't advanced enough to protect against these threats. They consume system resources because they have to check each new file against millions of signatures for known malware, and they can't protect against fileless attacks, which run in memory and leave no file on disk to scan.

"Traditional antivirus, and the elements of it, take up so much space," says John McClurg, vice president and ambassador at large for Cylance. "It almost turns endpoints into boat anchors. Solutions leave such a large footprint, they aren't viable candidates for entities that will make up the Internet of everything."

AV: New capabilities and integrations

"Certainly AV isn't dead," says Newman. "If you don't have AV, you have zero protection."

AV is shifting from stand-alone product to a feature in endpoint tools. It doesn't make sense to separate AV when you can have antivirus and more in one package, he notes.

Endpoint security software is poised to grow 4.5% annually over the next five years, according to Forrester. Double-digit growth is expected for both application integrity protection and endpoint visibility and control, offsetting declines in traditional endpoint security systems.

"We expect these 'next-gen' solutions to be the main market drivers over the next five years," says Forrester senior forecast analyst Jennifer Adams. "While typically more expensive than traditional anti-malware, these newer products are more effective and limit the burden on system resources."

Michael Fey, president and COO at Symantec, says future systems will not be focused on defending against one particular attack vector. Defense will cover each endpoint and all of its assets, taking into account each organization's needs and characteristics.

"When you think about endpoint protection, good businesses see it as part of their layered defense model," Fey explains. "Businesses that are challenged see it as a checkbox. They're not using new solutions or leveraging what advanced vendors have built."

While signatures can be efficient, accurate, and lightweight, he continues, machine learning and artificial intelligence can "futureproof" your environment by identifying what's good and bad. They will integrate with host-based firewalls and detection technologies to deliver both a safe environment and positive end-user experience. "You have to walk a fine line" to bridge the two in a way that users get what they need and administrators can operate, he adds.

Both machine learning and AI will eliminate the human-intensive process of evaluating and collecting data, McClurg notes. Testing to ensure there are no false positives is time-consuming and often leaves the door open for adversaries.

"Every enterprise I talk to is keenly interested to know how effective what they have is," says NSS Labs' Spanbauer. Anyone who is cyber-insured, or business risk-insured, will have comprehensive desktop protection, he adds.

We're not at a perfect state, he continues. There is always room for improvement, whether it's in terms of time to protection or time to detection, and being able to discover in as close to real-time as possible. Detecting at machine speed, as opposed to human speed, will be key.

Tying it all together

Just how these capabilities will integrate is unclear.

"Over the last three years, there have been a lot of impressive and innovative efforts to try to solve this problem," says Spanbauer, who anticipates a future in which vendors take steps to partner and drive organic system integration.

For example, EDR could simplify the process of consuming and sending data to SIEM, behavioral analytics, and security analytics systems. The endpoint could directly feed an active security control, by proxy of the cloud or another method that aggregates network insight.

"Integration is one of the keys to successfully protecting tomorrow's enterprise," he says, adding, "I wish it were easy." He advises businesses to understand their current gaps and know where they stand in relation to the cybersecurity framework.

Some current antivirus products are free, bundled with other tools; others are offered as a broader service. Newman believes the key will be to run antivirus at the lowest level of the operating system and at the lowest level of the hardware.

"It's going to take time to get there," he says. "Within ten years, certainly." Microsoft and hardware vendors will be key players in building antivirus into machines, he notes.

Symantec's Fey anticipates vendors will combine protection, detection, and response capabilities into holistic offerings to simplify the implementation process. "Customers don't want to run more agents than they have to," he explains. "They only do it today where it's absolutely required … they want to deliver the whole product family in an endpoint protection suite."

How will you buy it?

The endpoint security market is still experimenting with new ideas for how companies will purchase new systems and capabilities. Most are comfortable with the annualized or desktop model, says NSS Labs' Spanbauer, and it's unclear whether one answer will be right.

"There hasn't been a major reset yet on endpoint protection pricing relative to the established or heritage vendors today," he explains. New vendors may price differently. If a business buys three endpoint tools from one vendor, or two vendors with a strong partnership, what is the discount value? "It will depend on an organization's individual needs," he says.

Forrester data indicates new endpoint protection tools will be expensive. Application whitelisting will cost $20 to $50 per endpoint, and application integrity protection could amount to $60 per endpoint per year. Traditional antimalware tools cost $10 to $25 per endpoint per year, and could be much less, as low as $5 per year, for large businesses.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

8/29/2017 | 10:50:40 AM
We have to ditch the term "virus"
Most anti-virus software has protected against much more than viruses for over a decade. The virus threat is now an extremely small part of the malware threat. We are now buying wider-purpose anti-malware packages and, to be clear, we should stop using "virus" for malware and "anti-virus" for any malware countermeasure.