The endpoint security evolution is underway. Antivirus (AV) isn't dead, but its nature is changing as enterprise threats become faster, more widespread, and more complex.
"Antivirus has become, to me, more of a specific feature or age moniker than a type of product intrinsically," says Mike Spanbauer, vice president of research strategy at NSS Labs. Vendors that established the AV space - McAfee, Symantec, Kaspersky Lab - have spent the past decade enhancing their platforms with new capabilities, he explains.
Spanbauer cites two reasons for the shift from standalone antivirus systems to broader endpoint detection and response (EDR): a "race to innovation" and more complex attacks.
Malware as a service has become more accessible, says Andrew Newman, founder and CEO of Reason Software. The ease of creating new malware has resulted in a surge of malware strains, which has rendered the use of traditional AV for analyzing and creating signatures impossible.
"There are a lot more eyes looking at, and investigating, vulnerability efforts across all enterprise applications," says Spanbauer. "There are more vulnerabilities discovered than ever, more sophisticated actors than we've ever seen."
What we considered antivirus two years ago has advanced well beyond what we considered traditional AV, he continues. Companies are integrating cloud mechanics and augmenting their platforms with additional features to quickly detect increasingly complex threats.
"The reality is, the bad guys aren't resting, either," he adds.
What are we up against?
Today's attackers are organized and well-funded, and they no longer operate alone, Forrester Research reports in its Endpoint Security Software Forecast. Between 20% and 80% of cybercrime is conducted by organized criminal groups.
However, only 46% of security decision-makers are highly concerned about an attack from non-state actors, and 43% are highly concerned about foreign government attacks.
Corporate data is a prime target. Nearly half of organizations surveyed reported at least one breach of sensitive data in the year prior, and 46% of security leaders whose businesses were hit with a breach said it targeted a corporate server. Nearly 40% said corporate-owned devices were targeted in external attacks.
Today's antivirus systems aren't advanced enough to protect against these threats. They consume system resources because they have to check each new file against signatures for millions of known threats, and they can't protect against fileless attacks, where no malicious file is ever written to disk for them to scan.
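To make that distinction concrete, here is a small added example (not code from the article or from any vendor it quotes) contrasting the two approaches. The signature scanner hashes a file and looks it up in a signature set; the behavioral rule inspects a process-creation event instead, which is the only kind of evidence a fileless attack leaves behind. The signature set, the file contents and the process events are all constructed test data, and the field names on the event record are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed "signature database": SHA-256 digests of known-bad file contents.
# A real AV database holds millions of such entries; these two are fake test strings.
KNOWN_BAD_CONTENT = [b"constructed-malware-sample-A", b"constructed-malware-sample-B"]
SIGNATURES = {hashlib.sha256(c).hexdigest() for c in KNOWN_BAD_CONTENT}


def signature_scan(file_bytes: bytes) -> bool:
    """Classic file-signature check: hash the whole file, then look the digest up.

    Every new file must be read and hashed, which is the per-file cost the
    article refers to. A file that is not in the database is simply not flagged.
    """
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURES


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names are assumptions, not a vendor schema)."""
    parent_image: str
    image: str
    cmdline: str


# Behavioral rule: a scripting host launched directly by a document-handling
# application with an encoded command line. No payload file exists to hash, so a
# signature scanner has nothing to inspect; the parent/child relationship is the signal.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "mshta.exe"}


def behavior_rule(ev: ProcessEvent) -> bool:
    """Return True when the event matches the document-app -> script-host pattern."""
    parent = ev.parent_image.lower()
    child = ev.image.lower()
    cmd = ev.cmdline.lower()
    encoded = "-encodedcommand" in cmd or " -enc " in cmd + " "
    return parent in DOCUMENT_APPS and child in SCRIPT_HOSTS and encoded


def assess(files: list[bytes], events: list[ProcessEvent]) -> dict[str, int]:
    """Run both detectors and count what each one flags."""
    return {
        "files_flagged_by_signature": sum(signature_scan(f) for f in files),
        "events_flagged_by_behavior": sum(behavior_rule(e) for e in events),
    }


if __name__ == "__main__":
    # Constructed inputs: one known-bad file, one benign file, and one fileless-style
    # event for which there is no file at all (the scanner sees only the empty byte string).
    sample_files = [b"constructed-malware-sample-A", b"just a harmless document", b""]
    sample_events = [
        ProcessEvent("WINWORD.EXE", "powershell.exe", "powershell.exe -enc QUJD"),
        ProcessEvent("explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
    ]
    print(assess(sample_files, sample_events))
```

The signature scanner flags the one file it knows about and nothing else; the encoded-command event is invisible to it because there is no file, and only the behavioral rule fires on it. The rule is deliberately narrow (a specific parent/child pair plus an encoded command line) to keep false positives low, which is the tuning burden the article goes on to describe.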
"Traditional antivirus, and the elements of it, take up so much space," says John McClurg, vice president and ambassador at large for Cylance. "It almost turns endpoints into boat anchors. Solutions leave such a large footprint, they aren't viable candidates for entities that will make up the Internet of everything."
AV: New capabilities and integrations
"Certainly AV isn't dead," says Newman. "If you don't have AV, you have zero protection."
AV is shifting from a stand-alone product to a feature in endpoint tools. It doesn't make sense to buy AV separately when you can have antivirus and more in one package, he notes.
Endpoint security software is poised to grow 4.5% annually over the next five years, according to Forrester. Double-digit growth is expected for both application integrity protection and endpoint visibility and control, offsetting declines in traditional endpoint security systems.
"We expect these 'next-gen' solutions to be the main market drivers over the next five years," says Forrester senior forecast analyst Jennifer Adams. "While typically more expensive than traditional anti-malware, these newer products are more effective and limit the burden on system resources."
Michael Fey, president and COO at Symantec, says future systems will not be focused on defending against one particular attack vector. Defense will cover each endpoint and all of its assets, taking into account each organization's needs and characteristics.
"When you think about endpoint protection, good businesses see it as part of their layered defense model," Fey explains. "Businesses that are challenged see it as a checkbox. They're not using new solutions or leveraging what advanced vendors have built."
While signatures can be efficient, accurate, and lightweight, he continues, machine learning and artificial intelligence can "futureproof" your environment by identifying what's good and bad. They will integrate with host-based firewalls and detection technologies to deliver both a safe environment and positive end-user experience. "You have to walk a fine line" to bridge the two in a way that users get what they need and administrators can operate, he adds.
Both machine learning and AI will eliminate the human-intensive process of collecting and evaluating data, McClurg notes. Testing to ensure there are no false positives is time-consuming, and that delay often leaves the door open for adversaries.
"Every enterprise I talk to is keenly interested to know how effective what they have is," says NSS Labs' Spanbauer. Anyone who is cyber-insured, or business risk-insured, will have comprehensive desktop protection, he adds.
We're not at a perfect state, he continues. There is always room for improvement, whether in time to protection or time to detection, and in being able to discover threats as close to real time as possible. Detecting at machine speed, as opposed to human speed, will be key.
Tying it all together
Just how these capabilities will integrate is unclear.
"Over the last three years, there have been a lot of impressive and innovative efforts to try to solve this problem," says Spanbauer, who anticipates a future in which vendors take steps to partner and drive organic system integration.
For example, EDR could simplify the process of consuming and sending data to SIEM, behavioral analytics, and security analytics systems. The endpoint could directly feed an active security control, by proxy of the cloud or another method that aggregates network insight.
"Integration is one of the keys to successfully protecting tomorrow's enterprise," he says, adding, "I wish it were easy." He advises businesses to understand their current gaps and know where they stand in relation to the cybersecurity framework.
Some current antivirus products are free, bundled with other tools; others are offered as a broader service. Newman believes the key will be to run antivirus at the lowest level of the operating system, and ultimately at the lowest level of the hardware.
"It's going to take time to get there," he says. "Within ten years, certainly." Microsoft and hardware vendors will be key players in building antivirus into machines, he notes.
Symantec's Fey anticipates vendors will combine protection, detection, and response capabilities into holistic offerings to simplify the implementation process. "Customers don't want to run more agents than they have to," he explains. "They only do it today where it's absolutely required … they want to deliver the whole product family in an endpoint protection suite."
How will you buy it?
The endpoint security market is still experimenting with new ideas for how companies will purchase new systems and capabilities. Most are comfortable with the annualized or desktop model, says NSS Labs' Spanbauer, and it's unclear whether one answer will be right.
"There hasn't been a major reset yet on endpoint protection pricing relative to the established or heritage vendors today," he explains. New vendors may price differently. If a business buys three endpoint tools from one vendor, or two vendors with a strong partnership, what is the discount value? "It will depend on an organization's individual needs," he says.
Forrester data indicates new endpoint protection tools will be expensive. Application whitelisting will cost $20 to $50 per endpoint, and application integrity protection could amount to $60 per endpoint, per year. Traditional antimalware tools cost $10 to $25 per endpoint, per year and could be much less - as low as $5 per year - for large businesses.