Over the past few months I have been on an “advanced malware protection” (AMP) kick. I am fascinated by this topic because it ties together a set of market conditions that can be extremely challenging to navigate, both for security architects and solution providers:
- Need. I choose the word “need” with caution, since, as you will find out below, it does not necessarily mean there is “demand” for a better solution. However, I don’t think techrisk professionals can deny that the malware dropping attack vector is alive and well. It is highlighted as the key to the Aurora attacks that catalyzed the “advanced persistent threat” concern.
- Varied Solutions. There are a number of vendors that have cropped up through the years with solutions to address the malware problem, and the techniques vary significantly. Whitelisters only allow identified executables to run; sandboxes isolate malware and/or identify actions; and real-time forensics track system calls and/or configured state.
- Mature Market. Even with an identifiable need and newer interesting solutions, the most powerful security market in the world – antivirus (nee antimalware) – operates in pseudo-commodity mode and dominates in endpoint security.
As an industry analyst, I have had the opportunity to interview over a dozen solution providers and even more enterprise security architects and executives on the state of antimalware in the enterprise. Here are a few of my conclusions:
- Companies are moderately satisfied (and perhaps complacent) with their existing antimalware solutions. They acknowledge that these solutions are not blocking all malware but believe that every solution in the category has similar problems and so are reluctant to switch.
- The only factor that could affect existing signature-based antimalware is price – a lower-cost solution (which many agree is unlikely) could have a strong-enough value proposition. Notably, a few organizations are evaluating Microsoft’s free antimalware solution as one of these alternative options.
- Organizations are looking to gain more benefit from their existing antimalware solutions. Many are still focused on signature-based functionality and are now looking at more advanced capabilities. In addition, organizations are considering and employing new capabilities like Microsoft’s EMET functionality.
- For those times when malware gets through and infects a system, re-imaging is the standard approach, though some organizations are mildly reluctant to do it. Most of these malware infections are not classified as “incidents” per se – there is an ad hoc evaluation process to decide whether any infection should be escalated into being classified as an incident.
- Organizations are looking at architectural changes and not product changes when it comes to endpoint client-side security. This means they are focusing on BYOD and/or VDI (or even dumb terminals) as options in their client security strategies.
- Control over (physical) clients continues to relax, with certain “pockets” of exceptions (kiosks or manufacturing systems). For some, this was after a long period of control strengthening (e.g. finally taking away local administrative rights).
As I mentioned at the start, the market dynamics fascinate me here. I don’t think there is a techrisk professional left that believes signature-based antimalware is “good enough” and yet we see its dampening impact everywhere. At this stage, it has simply become the “checkbox compliant” easiest approach.
As someone extremely interested in cybersecurity economics I am encouraged by the attention being given to the bottom line – organizations should be very careful about cost-benefit in their security programs. While some of the organizations I interviewed had done a comprehensive analysis, it appeared to me that a number of organizations had not undertaken a thorough review of their strategies.
I will be addressing these issues at my “Drinking from the AMP Firehose” workshop in New York City in a couple of weeks. The workshop concept was driven by these ideas and aims to break through the logjam brought on by complacency and confusion. Regardless of the conclusions that individual organizations come to, I think the entire field will be better off for it.
Pete Lindstrom is Principal and VP of Research for Spire Security, LLC, a research and advisory firm. Learn more about Advanced Malware Protection by “Drinking from the Firehose” in New York City on 9/17/13. Details at www.regonline.com/AMPFirehoseNYC.