Enterprise Endpoint Security: Anti-Malware Solutions
This report provides an overview of the market for Enterprise Endpoint Security: Anti-Malware Solutions and provides you with a compass to help you to find the Anti-Malware product that best meets your needs. We examine the market segment, vendor product and service functionality, relative market share, and innovative approaches to providing Anti-Malware solutions for enterprises.
Both malware and anti-malware solutions have been around for a long time. Accordingly, individuals and organizations have been using an ever-changing mix of anti-malware software on endpoints. The earliest anti-virus programs were designed to combat file-based malware, often delivered via floppy disks. With the widespread adoption of email, email became the primary vector for spreading computer viruses. Network worms were (and still are) created by malicious actors to distribute malware across networks without needing users to open files or email attachments. Worms jump from host to host by compromising services listening on well-known TCP or UDP ports. Malefactors also found that users could be easily infected by placing their malware on heavily used websites, corrupting commonly used applications, packaging malicious executables in otherwise innocuous-looking data, using macros in Office documents, etc.
In recent years, the ransomware phenomenon has risen to prominence. Ransomware is a type of malware that encrypts user files and directs the user to pay the malware author a ransom for the decryption keys, usually in Bitcoin. These types of attacks often arrive in Office docs with malicious macros. The best advice for end users and organizations is to not pay the ransom, as the authors don’t always deliver the decryption keys, and one shouldn’t encourage future bad behavior by compensating the programmers for their fraudulent efforts.
At the time of publishing this report in 2017, we are witnessing another phase in the evolution of malware. The perpetrators are innovating by employing the worm delivery technique for ransomware. With the Petya/NotPetya attack, we have seen a type of malware that mimics ransomware, but seems to be intended for mostly destructive purposes rather than for financial gain. Suffice it to say that the variations in malware types have increased exponentially over the last few decades and will continue to be a significant threat for the foreseeable future.
Who are the malefactors behind all these attacks? At a high level, the major malware creators are hacktivists, fraudsters, and state sponsors. Each group has different motivations for making malware, and often different intended targets. But as with their biological analogs, computer viruses often infect unintentional targets as well. Malicious actors have learned and applied the “as-a-service” model, and now malware can be purchased on the so-called dark web and deployed by those who are not proficient at coding. This increases the frequency of attacks, as the ability to launch them now does not require technical skills, just malicious intent.
In the early days, anti-virus vendors gathered virus samples and created signature files that could recognize the more limited number of virus patterns. The vendors delivered the signature file updates to their customers; at first infrequently, but as the volume of viruses grew, updates grew more frequent. For vendors using signature files today, their clients typically receive updates several times a day.
Signature-based scanning alone is an ineffective malware prevention measure today. Malware has become far more sophisticated, often using polymorphic techniques to change its appearance and fool signature-based scanners. In the endpoint security market, most vendors have added new detection capabilities to more efficiently and effectively prevent malware infections. These new approaches to malware detection will be discussed in more detail later in this report.
Malware detection and prevention can happen in many places within a computing environment: at the network perimeter, email gateways, web proxies, application firewalls, desktops, virtual desktops, etc. Contemporary security researchers and analysts describe the potential points of intercept in an attack as the "Cyber Kill Chain™". A defense-in-depth approach is always recommended, so anti-malware and related security solutions should be deployed at each possible point in the Cyber Kill Chain™ and in the physical architecture to maximize detection/prevention and minimize risk.
Endpoint security products may contain more features than anti-malware, such as URL filtering, application whitelisting, backup, configuration management, patch management, disk and file encryption, etc. The focus of this report is on anti-malware solutions at the endpoint, specifically desktops and laptops running Microsoft Windows, Mac OS, and Linux variants. Most of the vendors considered herein provide solutions for servers, virtual desktops, and mobile devices. Mobile anti-malware solutions will be the subject of another report.
This KuppingerCole Leadership Compass provides an overview of the leading vendors in this market segment. Picking solutions always requires a thorough analysis of customer requirements and a comparison with product features. Leadership does not always mean that a product is the best fit for a customer and their requirements. However, this Leadership Compass will help identify those vendors that customers should look at more closely.
1.1 Market Segment
The anti-malware market is steady, with more than 1 billion devices deployed in the world. Mobile platforms are on the rise, and have overtaken PC-based hardware systems in popularity in recent years. Desktops and laptops and the concomitant need for protecting them against malware will persist into the foreseeable future, especially given the increasing frequency and complexity of malware attacks.
There are many vendors in the anti-malware market. There are quite a few that have been long-established in the space, dating back decades and providing the first signature-based anti-virus programs. In the last few years, new startups have emerged with new techniques to discover and prevent malware infections. In some cases, the small companies have been acquired by the major players in the space, with their technologies integrated into the suite vendors’ products.
1.2 Delivery models
Anti-malware solutions are made of two primary components: agents on the endpoint and one or more management consoles. Endpoint agents are designed per operating system, such as Microsoft Windows versions 7, 8 and 10; Mac OS X; the various flavors of Linux; virtual desktops; and mobile devices. Management consoles are used by administrators to deploy agents, monitor them, activate/deactivate certain features, push updates, review status, and start investigations. Management consoles for on-premises deployment are usually Windows Server based. Many vendors now offer management consoles in their proprietary clouds as SaaS. Licensing is generally per managed node.
1.3 Required Capabilities
Various technologies support all the different requirements customers are facing today. The requirements are:
- Detect and prevent infection by:
  - Polymorphic malware
  - Botnet malware
  - JIT/File-less malware
  - Unknown types of malware / zero-day exploits
- Remove infections if discovered
- Agents self-protect by process obfuscation and kernel-mode driver implementation
- Agents operate autonomously if disconnected from the network
- Report telemetry to the management console and to SIEM or other security intelligence systems
- Deployment options for the management console: on-premises or cloud
- Multi-factor authentication for management console administrators: smart cards, tokens, OTP, biometrics, mobile apps, etc.
- Delegated and role-based administration
- Activity dashboards and customizable reporting
Many organizations are feeling and responding to the pressure to provide a more robust defense against an increasing number of malware attacks, particularly ransomware. The criteria evaluated in this Leadership Compass reflect the varieties of use cases, experiences, business rules, and technical capabilities required by KuppingerCole clients today, and what we anticipate clients will need in the future. The products examined meet many of the requirements described above, although they sometimes take different approaches in solving the business problems.
When evaluating these products and services, besides looking at the aspects of
- overall functionality
- size of the company
- number of customers
- number of developers
- partner ecosystem
- licensing models
- core features of Anti-Malware technology
we considered a series of specific features. These functional areas, which are reflected in the spider charts for each company in Chapter 5, include:
- Enterprise Mgmt
The ability to deploy, update, assign policies, and collect telemetry from all nodes in an organization constitutes enterprise management. This also distinguishes enterprise solutions from consumer-grade solutions. Organizations need to be able to remotely deploy endpoint anti-malware agents, push updates, and define groups of nodes and apply different protection policies per group. Administrators also need to be able to collect information from covered nodes automatically. Typically, solutions in the space provide dashboards and reports for Security Operations Center (SOC) personnel. The best products have full integration with in-suite patch management, fully automated Endpoint Detection/Response (EDR), SIEM, and investigative analysis tools.
- Admin Security
Admin security encompasses two primary factors: authentication options for administrators and authorization models. Given the sensitivity and importance of enterprise anti-malware admin consoles, we believe that they should be protected by strong authentication methods, such as Smart Cards, USB keys, mobile out-of-band apps, or federated via SAML. Enterprise anti-malware solutions should also support role-based or delegated access controls, so that large organizations can delegate areas of responsibility to appropriate personnel without giving them more control than necessary to do their jobs.
- Test Results
Consolidation and analysis of multiple, independent anti-malware testing programs. Detection rates, false positive rates, and successful removal rates are considered here. Effectiveness rates may vary widely between when agents can and cannot connect to their vendor's cloud analytics services. Most threats are present while users are online, but simply being internet-connected does not guarantee the additional protection, because there are occasions when malicious actors block access to security vendors' services over public Wi-Fi. It is important to note that not all vendors submit their products for independent testing. Participation is key: not participating leaves a low or zero score.
- Pre-execution analysis
Examination of files and code prior to runtime execution using machine learning techniques. The scanner looks for potential malware based on known patterns of typical malware behavior, including specific API calls, memory allocation, checks for the presence of anti-malware, checks to determine whether it is running in a sandbox or virtual machine, etc.
- Runtime analysis
Includes several technical components, including sandboxing, micro-virtualization, and memory analysis.
Sandboxing is a malware detection technique that executes possible malware in a somewhat isolated environment to examine what its effects are and to determine whether or not the subject code is malicious. Sandboxes can be as simple as separate browser tabs, separate memory spaces governed by distinct threads or processes, or in many cases today, remotely “in the cloud” in the vendor’s environment. Sandboxes should emulate many environments or features within computing infrastructures, such as common software, browsers, and “the Internet” (providing expected feedback to the suspected malware as if it is on the Internet, contacting its command and control servers).
Micro-virtualization: Malware detection technique that executes possible malware in a virtual machine instance for greater containment. This technique is generally a more secure method but can result in usability concerns for users who need to download or upload content.
Memory analysis looks for patterns and attack signatures in memory, particularly for those function call sequences that may have no corresponding file or disk image.
File-less malware detection requires runtime analysis. File-less malware (code or scripts) can be injected into RAM from compromised sites unbeknownst to the user. Governments and companies in the finance industry have been primary targets of this type of attack. This malware can use tools such as PowerShell, SC, and netsh to assemble additional functions, modify registry entries, move laterally around a network, and capture and transmit data, all without being written as a file on a hard drive. This method evades all signature-based scanners and can only be detected by comprehensive runtime analysis: looking for executing code that is memory-resident only and has not been loaded from a disk image, code that attempts to inject into other processes, and potential exfiltration attempts. In addition to detection, limiting the use of admin privileges helps thwart this technique.
Other runtime techniques involve looking for known exploit patterns and process injection attempts.
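The two runtime checks described above (executable memory with no disk image behind it, and one process writing code into another and then starting a thread there) as an added example, not code from the report or from any vendor it covers; the process snapshot, the event list and the JIT allow-list are constructed and assumed, and a real agent would obtain them from the operating system's region-enumeration and process-monitoring facilities.

```python
# Constructed memory map of two processes, in the shape a region-enumeration
# call returns (not a real capture): (base, size, protection, backing image).
# backing is None for private memory, which has no file on disk behind it.
SNAPSHOT = {
    1337: ("notepad.exe", [
        (0x7FF600000000, 0x20000, "r-x", r"C:\Windows\System32\notepad.exe"),
        (0x7FFA10000000, 0x1000, "rw-", None),         # ordinary heap: not executable
        (0x1E0A0000, 0x3000, "rwx", None),             # writable, executable, unbacked
    ]),
    2048: ("chrome.exe", [
        (0x7FF700000000, 0x40000, "r-x", r"C:\Program Files\Google\Chrome\chrome.exe"),
        (0x2A000000, 0x8000, "r-x", None),             # JIT output, expected for a browser
    ]),
}
# Assumed allow-list of processes that legitimately run code from private memory.
JIT_HOSTS = {"chrome.exe", "firefox.exe"}

# Constructed cross-process API events: (actor_pid, target_pid, operation).
CROSS_PROCESS_EVENTS = [
    (4711, 1337, "open-process"),
    (4711, 1337, "write-memory"),
    (4711, 1337, "create-remote-thread"),
    (900, 1337, "open-process"),   # a debugger or task manager: opens, but never writes
]

def unbacked_executable_regions(name, regions):
    """Flag executable regions with no disk image behind them."""
    findings = []
    for base, _size, protect, backing in regions:
        if "x" not in protect or backing is not None:
            continue
        if "w" in protect:
            findings.append(("rwx-private", base))     # writable and executable at once
        elif name.lower() not in JIT_HOSTS:
            findings.append(("unbacked-exec", base))
    return findings

def injection_candidates(events):
    """Actors that wrote into another process and then started a thread in it."""
    wrote, flagged = set(), []
    for actor, target, op in events:
        if op == "write-memory":
            wrote.add((actor, target))
        elif op == "create-remote-thread" and (actor, target) in wrote:
            flagged.append((actor, target))
    return flagged
```

The JIT allow-list is what keeps browsers and managed runtimes from drowning the unbacked-executable check in false positives; the writable-and-executable case is reported even for those hosts.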
- Ransomware protection
The most prevalent forms of ransomware today encrypt users’ files. Anti-malware programs can use a number of different functions to detect, shut down, and in some cases, roll back changes made by ransomware. By monitoring for suspicious-looking calls to cryptographic functions via native APIs or in third-party libraries, security programs can interrupt potential ransomware attacks. For ransomware variants that bring their own crypto, other detection methods are needed, such as File System Monitoring.
Ransomware generates a large number of predictable read, copy-on-write (COW), and/or filename extension change requests on the filesystem. For example, many ransomware packages will attempt to read, encrypt, and rename every file in the “MyDocuments” folder. Most ransomware starts by enumerating all files of a certain type, such as .docx, .jpg, .mp3, etc. Anti-malware agents can monitor for these types of actions and shut down the offending process to lessen the damage, even for unknown ransomware variants.
Almost all ransomware types also attempt to delete the volume shadow copy of data files from the users’ hard drives. These are essentially backup copies of user data. If the user could simply restore these, there would be no need to pay the ransom. However, there is no reason a user or program should ever attempt to quietly delete the volume shadow copy, so anti-malware programs also look for programmatic calls to delete it and terminate the request.
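The file-system monitoring described in the three paragraphs above (a burst of extension-changing renames by one process, plus an attempt to delete volume shadow copies) as an added example, not code from the report or from any product it evaluates; the event stream is constructed, and the process name, thresholds and the shadow-copy command-line marker are assumptions.

```python
import ntpath
from collections import defaultdict, deque

# Constructed file-system and process events in the shape a host agent might
# record them (not real telemetry): (timestamp_s, pid, process, operation, detail).
# "rename" detail is "old_path->new_path"; "exec" detail is a command line.
DOCS = r"C:\Users\alice\Documents"
EVENTS = [
    (0.0, 1200, "winword.exe", "write", DOCS + r"\report.docx"),
    (0.5, 1200, "winword.exe", "rename", DOCS + r"\draft.tmp->" + DOCS + r"\draft.docx"),
    (1.0, 4711, "invoice.exe", "rename", DOCS + r"\report.docx->" + DOCS + r"\report.docx.locked"),
    (1.2, 4711, "invoice.exe", "rename", DOCS + r"\photo.jpg->" + DOCS + r"\photo.jpg.locked"),
    (1.4, 4711, "invoice.exe", "rename", DOCS + r"\song.mp3->" + DOCS + r"\song.mp3.locked"),
    (1.6, 4711, "invoice.exe", "rename", DOCS + r"\notes.txt->" + DOCS + r"\notes.txt.locked"),
    (1.8, 4711, "invoice.exe", "rename", DOCS + r"\budget.xlsx->" + DOCS + r"\budget.xlsx.locked"),
    (2.0, 4711, "invoice.exe", "exec", "vssadmin.exe delete shadows /quiet"),
]

RENAME_THRESHOLD = 5    # extension-changing renames by one process ...
WINDOW_SECONDS = 10.0   # ... within this window trips the detector
# Assumed command-line indicator for shadow-copy removal; a real agent would
# also hook the underlying API rather than rely on command-line text alone.
SHADOW_DELETE_MARKERS = (("vssadmin", "delete shadows"),)

def extension_changed(old_path, new_path):
    """True when a rename alters the extension (e.g. .docx -> .locked)."""
    return ntpath.splitext(old_path)[1].lower() != ntpath.splitext(new_path)[1].lower()

def analyze(events):
    """Return {pid: [reasons]} for processes showing ransomware-like behavior."""
    recent = defaultdict(deque)   # pid -> timestamps of recent extension changes
    verdicts = defaultdict(list)
    for ts, pid, _name, op, detail in events:
        if op == "rename":
            old, new = detail.split("->", 1)
            if not extension_changed(old, new):
                continue
            window = recent[pid]
            window.append(ts)
            while ts - window[0] > WINDOW_SECONDS:  # expire events outside the window
                window.popleft()
            if len(window) >= RENAME_THRESHOLD and "mass-rename" not in verdicts[pid]:
                verdicts[pid].append("mass-rename")  # candidate for kill and rollback
        elif op == "exec":
            cmd = detail.lower()
            if any(all(m in cmd for m in marker) for marker in SHADOW_DELETE_MARKERS):
                verdicts[pid].append("shadow-copy-delete")
    return dict(verdicts)
```

The single rename by the word processor (a temp file becoming a document) changes an extension too, but stays below the threshold, which is why the check is rate-based per process rather than per event.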
- Rootkit prevention
Rootkits are low-level programs, usually implemented as device drivers, that can take over a system surreptitiously and allow the bad actor complete control over it. Rootkits can be used for keylogging, collecting user data and credentials, or for botnet activities. To protect against rootkits, anti-malware agents are usually implemented at the kernel level, mediating which device drivers load and when.
- Node OS Support
This is a measure of the variety of node operating systems supported. We consider Windows 10, 8, 7, Vista, XP, and Windows Server versions; Mac OS X; and Debian, Red Hat, and SUSE Linux.
We believe that the use of multiple detection, prevention, and removal techniques increases the likelihood of malware detection and the overall effectiveness and efficiency of the solution. For example, there is still value in signature-based scanning: although it is not effective at picking up polymorphic or other advanced malware types, it is usually less CPU intensive and can still detect certain types of threats.
Each of the categories above will be considered in the product evaluations below. We’ve also looked at specific USPs (Unique Selling Propositions) and innovative features of products which distinguish them from other offerings available in the market.
Please note that we have only listed the major features here; other capabilities were also considered when evaluating and rating the various endpoint anti-malware products.