Next-generation endpoint security tools ready to replace antivirus

The market for next-generation endpoint security tools has doubled each of the last two years

The market for next-generation endpoint security tools has doubled each of the last two years, and will continue to grow at a compound annual growth rate of 67 percent for the next five years -- but that growth could skyrocket if more vendors are certified as antivirus replacements.

Growth has been dramatic because most of the vendors are still very young, said David Monahan, research director at Enterprise Management Associates.

With new companies, even a small increase in revenues can translate to a high percentage growth rate.

"In addition, organizations recognize they need better prevention or detection and are buying at a break-neck pace to augment their current protection," he said. "The thought is that antivirus protects against nuisance threats and the new stuff can then focus on the rest."

Currently, the size of the next-generation market is about half a billion, according to a report released on Tuesday morning.

This compares to an IDC-estimated $9 billion for the traditional antivirus market, which translates to a relative ratio of about 5 percent.

If widespread certification happens, the cash cow the traditional vendors are still experiencing will be in jeopardy, and the relative size of the market could expand a hundredfold, said the report.

That means that either the next-generation market will grow dramatically, Monahan said, or it will grow not quite as much but the traditional market will shrink.

"Both are a possibility," he said. "If the auditors accept more of the solutions as antivirus replacement -- thus allowing business to buy the more effective solution instead -- they will then drop pay-for antivirus because it saves them money not to use two solutions when unnecessary."

In fact, two vendors, Carbon Black and SentinelOne, have already been certified as antivirus replacements.

"This was not a trivial exercise, but it offers an additional payoff for those companies," the report said. "If either of these companies gains proportionately more market share over the next year, other vendors may decide to make the investment in certification as well, but both will still have a head start of more than a year."

For example, the Payment Card Industry Data Security Standard requires that retailers and other organizations that deal with card payments have anti-virus software installed on all systems that can be infected by malware.

Coalfire Systems, which is certified to evaluate vendors for PCI DSS compliance, tested Carbon Black's Enterprise Protection product and found that it can be used instead of antivirus because it was able to block attempts to install malicious software, as well as stop cyber threats that evade antivirus using zero-day and targeted attacks.

Carbon Black uses application control -- a type of whitelisting -- to ensure that malicious software is never installed on user devices.

Companies can set policies allowing, say, only software from certain trusted organizations to be installed by end users, and other software can only be installed with permission from IT. Or they can allow certain types or groups of users to manually approve unauthorized software, but send a report to IT.

There are various possible levels of prevention, said Kevin Flanagan, director of corporate communications at Carbon Black.

"And IT doesn’t need to be responding all the time to requests for software approval," he added.

As a result, he said, Carbon Black doesn't just stop known malware, but brand-new malware, variations on old malware designed to slip past traditional antivirus, zero-day exploits, and targeted advanced attacks.

According to the EMA report, Carbon Black is currently the leading next-generation endpoint security vendor by revenue, with 24 percent of the total market.

In addition, Carbon Black is the leading vendor by licenses sold, with 16 percent of the market.

By comparison, 2-year-old SentinelOne, the other vendor to seek certification, has a much smaller share of the market -- 1 percent by revenue, and 1 percent by licenses sold.

It also takes a different approach to malware prevention than Carbon Black, looking at the behavior of applications.

"We operate within the kernel space, looking at all the kernel-level processes," said Scott Gainey, CMO at SentinelOne. "We try to identify malicious patterns."

The company was tested by AV-test last June, and it caught 100 percent of malware in the AV-test reference set of malware discovered in the previous month, compared to the industry average of 99.1 percent.

But AV-test doesn't do enough to evaluate vendors against unknown threats, Gainey said.

"That's critically important," he added.

In February, Gartner named SentinelOne a "visionary" in the company's magic quadrant for endpoint protection platforms, saying, "the solution performs well in antivirus tests without relying on traditional signatures, indicators of compromise, or whitelisting."

However, as a new company, it's missing some of the extended features offered by more established players in the space, such as URL filtering, port protection, and enterprise mobility management.

Gartner also warned that attackers are always looking for new ways to avoid detection.

"As SentinelOne becomes more popular, its approach will come under more scrutiny from attackers," wrote Gartner analyst Peter Firstbrook in the report.


Stories by Maria Korolov
