IDC tabs 'Specialized Threat Analysis and Protection' as new security segment

Products that can detect stealthy malware-based attacks aimed at cyber-espionage and data exfiltration should be considered a specialized area of the security market, according to research firm IDC, which has designated a new market category for them: "Specialized Threat Analysis and Protection."

STAP for short, it was not much more than a $200 million market worldwide last year, according to IDC, but it is expected to triple by next year and reach $1.17 billion by 2017. IDC defines STAP as technologies that are primarily "signatureless," that is, not reliant on malware signatures. These might include sandboxing, big data analytics and containerization to detect malicious activity.

STAP products, whether they work at the network level, on the endpoint or both, scan inbound and outbound traffic for anomalies, including botnet and command-and-control traffic that typically indicates a compromise. IDC says STAP products might also be used for reverse engineering and forensic analysis of discovered malware.
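To make the "signatureless" outbound-traffic check concrete, here is an added example in Python; it is not from the IDC report or from any vendor named in this article. It flags internal hosts whose connections to a single destination recur at near-constant intervals, the beaconing pattern that bot and command-and-control check-ins typically show, without matching any malware signature. The log format, the 10.0.0.x / 203.0.113.x / 198.51.100.x addresses and the thresholds are constructed for illustration.

```python
"""Beaconing (command-and-control) detection over outbound connection logs.

Added example (not IDC's or any vendor's code). Instead of matching a
signature, it measures how regular the timing of repeated outbound
connections is: a bot checking in on a timer produces intervals with a low
coefficient of variation, while interactive browsing does not.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
#   "timestamp src_ip dst_ip dst_port bytes_out"
# 10.0.0.5 -> 203.0.113.7 checks in roughly every 60 s (beacon-like).
# 10.0.0.9 -> 198.51.100.20 is bursty, human-like browsing (benign).
# 10.0.0.5 -> 198.51.100.9 has too few connections to judge.
SAMPLE_LOG = """\
2013-11-04T09:00:00 10.0.0.5 203.0.113.7 443 512
2013-11-04T09:00:10 10.0.0.9 198.51.100.20 443 2048
2013-11-04T09:00:12 10.0.0.9 198.51.100.20 443 1100
2013-11-04T09:00:13 10.0.0.9 198.51.100.20 443 900
2013-11-04T09:01:01 10.0.0.5 203.0.113.7 443 512
2013-11-04T09:01:59 10.0.0.5 203.0.113.7 443 512
2013-11-04T09:02:30 10.0.0.5 198.51.100.9 80 300
2013-11-04T09:03:02 10.0.0.5 203.0.113.7 443 512
2013-11-04T09:03:40 10.0.0.9 198.51.100.20 443 4096
2013-11-04T09:04:00 10.0.0.5 203.0.113.7 443 512
2013-11-04T09:04:58 10.0.0.5 203.0.113.7 443 512
2013-11-04T09:06:01 10.0.0.5 203.0.113.7 443 512
2013-11-04T09:07:00 10.0.0.5 203.0.113.7 443 512
2013-11-04T09:08:00 10.0.0.5 198.51.100.9 80 300
2013-11-04T09:15:05 10.0.0.9 198.51.100.20 443 700
2013-11-04T09:15:06 10.0.0.9 198.51.100.20 443 650
2013-11-04T09:47:30 10.0.0.9 198.51.100.20 443 3000
"""


def parse_log(text):
    """Group connection timestamps by (src_ip, dst_ip, dst_port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, _bytes_out = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (interval_count, mean_interval_s, coefficient_of_variation).

    A low coefficient of variation means the gaps between connections are
    nearly identical, i.e. timer-driven. Returns None if there are fewer than
    two intervals to compare.
    """
    ts = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(intervals) < 2:
        return None
    m = mean(intervals)
    if m <= 0:
        return None
    return len(intervals), m, pstdev(intervals) / m


def find_beacons(flows, min_connections=6, max_cv=0.1):
    """Flag flows with enough connections and very regular spacing.

    Thresholds are assumptions: min_connections avoids judging a host on a
    handful of events; max_cv is the tolerated jitter (10% of the period).
    """
    hits = []
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        score = beacon_score(stamps)
        if score is not None and score[2] <= max_cv:
            hits.append((key, round(score[1], 1), round(score[2], 3)))
    return sorted(hits)


if __name__ == "__main__":
    for (src, dst, port), period, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst}:{port} "
              f"every ~{period}s (cv={cv})")
```

On the constructed log only the 10.0.0.5 to 203.0.113.7 flow is flagged (period about 60 s, coefficient of variation about 0.036); the browsing host has the same number of connections but wildly varying gaps. In practice this check needs an allow-list, because legitimate software (NTP, update checkers, monitoring agents) also beacons on a timer, and it is one signal to correlate with others rather than a verdict on its own.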

"Basically, enterprise security must constantly analyze all aspects of infrastructure for threats, assuming there is a compromise somewhere," says Phil Hochmuth, IDC program manager, security products.


STAP technologies work alongside traditional signature-based anti-malware and intrusion-detection and prevention systems (IDS/IPS), Hochmuth says. IDC expects that STAP will evolve much as the IDS/IPS market did, with enterprises deploying it in a monitoring, "listening" mode at first and then moving to a prevention model once "they're comfortable with the technology." IDC expects STAP to become an important part of the "kill chain" concept of the advanced attack model, Hochmuth says.

IDC says the "key players" in STAP include Blue Coat, with its acquired Solera products; Bromium; CounterTack; Damballa; FireEye; HBGary; Invincea; Norman ASA; Palo Alto Networks with WildFire; Proofpoint; Sourcefire with FireAMP (acquired by Cisco); ThreatTrack Security; and Trend Micro with its Deep Discovery line.

Other vendors with recently introduced STAP technologies, sometimes embedded in their other security products, include AhnLab; Cognitive Security (acquired by Cisco); Cylance; Check Point Software with its Threat Emulation Blade; Fortinet; Mandiant; Intel's McAfee, with its entry into sandboxing via the ValidEdge acquisition; EMC's RSA, with its RSA Security Analytics (NetWitness Spectrum) and RSA Enterprise Compromise Assessment Tool; and finally Websense, with its ThreatScope sandboxing, which the security firm now offers integrated into its Triton Enterprise gateways.

In fact, integration of STAP technologies into existing network, endpoint and content security products is expected to be commonplace going forward, IDC says. The incumbent security vendors are mostly seen as catching up to smaller STAP-focused providers, some new, like Cylance, and some around for several years, such as Damballa.

STAP is meant to detect zero-day attacks and data exfiltration by attackers, which can go on for weeks if not years. IDC believes STAP products today are used to augment more traditional network security and endpoint security products. Early adopters are large financial institutions, large government agencies and large enterprises with "acute data protection requirements."

"Among enterprises, it appears extra budget is being allocated for STAP technology, as opposed to shifting spend to STAP from other solutions," an IDC report notes. IDC expects this trend to continue, saying it could help STAP-focused vendors grow while not directly competing with other parts of the security market, such as anti-virus. But IDC also cautions that STAP vendors will have to show they can somehow stay ahead of the attackers, who may use clever "sleep" techniques on malware, for example, to counteract STAP technologies such as sandboxing.

Will security vendors and customers start regularly using the expression STAP, which was coined by IDC earlier this year? That's unclear, but IDC expects to keep tracking how STAP evolves in its future reports on this market segment.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE.

