8/28/2017
11:40 AM
Antivirus: From Stand-Alone Product to Endpoint Feature

Endpoint experts discuss the evolution of AV and its shift from stand-alone product to a feature in broader security tools.

The endpoint security evolution is underway. Antivirus (AV) isn't dead, but its nature is changing as enterprise threats become faster, more widespread, and more complex.

"Antivirus has become, to me, more of a specific feature or age moniker than a type of product intrinsically," says Mike Spanbauer, vice president of research strategy at NSS Labs. Vendors that established the AV space - McAfee, Symantec, Kaspersky Lab - have spent the past decade enhancing their platforms with new capabilities, he explains.

Spanbauer cites two reasons for the shift from standalone antivirus systems to broader endpoint detection and response (EDR): a "race to innovation" and more complex attacks.

Malware as a service has become more accessible, says Andrew Newman, founder and CEO of Reason Software. The ease of creating new malware has produced a surge of malware strains, which has made the traditional AV approach of analyzing each sample and writing a signature for it impossible to sustain.

"There are a lot more eyes looking at, and investigating, vulnerability efforts across all enterprise applications," says Spanbauer. "There are more vulnerabilities discovered than ever, more sophisticated actors than we've ever seen."

What we considered antivirus two years ago has advanced well beyond what we considered traditional AV, he continues. Companies are integrating cloud mechanics and augmenting their platforms with additional features to quickly detect increasingly complex threats.

"The reality is, the bad guys aren't resting, either," he adds.

What are we up against?

Today's attackers are organized and well-funded, and they no longer operate alone, Forrester Research reports in its Endpoint Security Software Forecast. Between 20% and 80% of cybercrime is conducted by organized criminal groups.

However, only 46% of security decision-makers are highly concerned about an attack from non-state actors, and 43% were highly concerned about foreign government attacks.

Corporate data is a prime target. Nearly half of organizations surveyed reported at least one breach of sensitive data in the year prior, and 46% of security leaders whose businesses were hit with a breach said it targeted a corporate server. Nearly 40% said corporate-owned devices were targeted in external attacks.

Today's antivirus systems aren't advanced enough to protect against these threats. They consume system resources because they have to check each new file against millions of unknown threats, and they can't protect against fileless attacks.

"Traditional antivirus, and the elements of it, take up so much space," says John McClurg, vice president and ambassador at large for Cylance. "It almost turns endpoints into boat anchors. Solutions leave such a large footprint, they aren't viable candidates for entities that will make up the Internet of everything."

AV: New capabilities and integrations

"Certainly AV isn't dead," says Newman. "If you don't have AV, you have zero protection."

AV is shifting from stand-alone product to a feature in endpoint tools. It doesn't make sense to separate AV when you can have antivirus and more in one package, he notes.

Endpoint security software is poised to grow 4.5% annually over the next five years, according to Forrester. Double-digit growth is expected for both application integrity protection, and endpoint visibility and control, offsetting declines in traditional endpoint security systems.

"We expect these 'next-gen' solutions to be the main market drivers over the next five years," says Forrester senior forecast analyst Jennifer Adams. "While typically more expensive than traditional anti-malware, these newer products are more effective and limit the burden on system resources."

Michael Fey, president and COO at Symantec, says future systems will not be focused on defending against one particular attack vector. Defense will cover each endpoint and all of its assets, taking into account each organization's needs and characteristics.

"When you think about endpoint protection, good businesses see it as part of their layered defense model," Fey explains. "Businesses that are challenged see it as a checkbox. They're not using new solutions or leveraging what advanced vendors have built."

While signatures can be efficient, accurate, and lightweight, he continues, machine learning and artificial intelligence can "futureproof" your environment by identifying what's good and bad. They will integrate with host-based firewalls and detection technologies to deliver both a safe environment and a positive end-user experience. "You have to walk a fine line" to bridge the two in a way that lets users get what they need and administrators operate the system, he adds.

Both machine learning and AI will eliminate the human-intensive process of evaluating and collecting data, McClurg notes. Testing to ensure there are no false positives is time-consuming and often leaves the door open for adversaries.

"Every enterprise I talk to is keenly interested to know how effective what they have is," says NSS Labs' Spanbauer. Anyone who is cyber-insured, or business risk-insured, will have comprehensive desktop protection, he adds.

We're not at a perfect state, he continues. There is always room for improvement, whether it's in terms of time to protection or time to detection, and being able to discover in as close to real-time as possible. Detecting at machine speed, as opposed to human speed, will be key.

Tying it all together

Just how these capabilities will integrate is unclear.

"Over the last three years, there have been a lot of impressive and innovative efforts to try to solve this problem," says Spanbauer, who anticipates a future in which vendors take steps to partner and drive organic system integration.

For example, EDR could simplify the process of consuming and sending data to SIEM, behavioral analytics, and security analytics systems. The endpoint could directly feed an active security control, by proxy of the cloud or another method that aggregates network insight.

"Integration is one of the keys to successfully protecting tomorrow's enterprise," he says, adding, "I wish it were easy." He advises businesses to understand their current gaps and know where they stand in relation to the cybersecurity framework.

Some current antivirus products are free, bundled with other tools; others are offered as a broader service. Newman believes the key will be to run antivirus at the lowest level of the operating system, and ultimately at the lowest level of the hardware.

"It's going to take time to get there," he says. "Within ten years, certainly." Microsoft and hardware vendors will be key players in building antivirus into machines, he notes.

Symantec's Fey anticipates vendors will combine protection, detection, and response capabilities into holistic offerings to simplify the implementation process. "Customers don't want to run more agents than they have to," he explains. "They only do it today where it's absolutely required … they want to deliver the whole product family in an endpoint protection suite."

How will you buy it?

The endpoint security market is still experimenting with new ideas for how companies will purchase new systems and capabilities. Most are comfortable with the annualized or desktop model, says NSS Labs' Spanbauer, and it's unclear whether one answer will be right.

"There hasn't been a major reset yet on endpoint protection pricing relative to the established or heritage vendors today," he explains. New vendors may price differently. If a business buys three endpoint tools from one vendor, or two vendors with a strong partnership, what is the discount value? "It will depend on an organization's individual needs," he says.

Forrester data indicates new endpoint protection tools will be expensive. Application whitelisting will cost $20 to $50 per endpoint, and application integrity protection could amount to $60 per endpoint, per year. Traditional antimalware tools cost $10 to $25 per endpoint, per year, and could be much less - as low as $5 per year - for large businesses.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Comments

SchemaCzar, User Rank: Strategist
8/29/2017 | 10:50:40 AM
We have to ditch the term "virus"
Most anti-virus software has protected against much more than viruses for over a decade. The virus threat is now an extremely small part of the malware threat. We are now buying wider-purpose anti-malware packages, and to be clear, we should stop using "virus" for malware and "anti-virus" for any malware countermeasure.