Webinar Recording

An overview of the Leadership Compass: Endpoint Security Anti-Malware


Malware has been on the rise. Ransomware continues to grab the headlines. New malware variants proliferate by the millions. Old-style manual malware analysis can't keep pace, but organizations are increasingly under attack. Fortunately, vendors have been enhancing and improving their products to help their customers successfully defend against these attacks.

Good morning and welcome to our webinar on our Leadership Compass on Endpoint Security: Anti-Malware. Before we begin, we'll just say a few things about KuppingerCole. We were founded in 2004; we're an independent analyst organization with offices all around the globe. We offer neutral advice and expertise on our subject areas and thought leadership, and try to provide good practical advice for all of our customers. And we support companies of many different sizes and industries, the corporate users, end users, system integrators, and software vendors, with both tactical and strategic initiative ideas. We specialize in information security, identity and access management, identity governance, GRC, and any topic around the digital transformation.
So we have three major business areas. Number one is research. We do extensive research in the areas listed before, like cybersecurity and identity management. We publish that research. We cover all the different vendors in the space, we're vendor neutral, and we stay up to date so that we can provide subscription partners with the best information that we can and independent advice. We also provide advisory services, which for end user organizations might be things like helping with preparing RFPs, putting together short lists and doing readiness assessments on topics like GDPR and PSD2, or other capability and maturity assessments as well. We also do advisory for software vendors, helping them fine-tune their product roadmaps. And lastly, we do events, where we like to bring together the best and brightest people in industry to talk about specific subjects, disseminate information on best practices, and meet the experts in person. And they really are great networking opportunities to meet the people in the field as well.
So about those conferences: next month, May 15th through the 18th, we'll have our flagship event, the European Identity and Cloud Conference. It's held in Munich, Germany. We typically get over 800 attendees and many sponsors. We'll get lots and lots of excellent discussion on all the cutting-edge topics in identity and cloud security today. We've also started a new conference series called Consumer Identity World Tour. We did this last year. We're going to revise it and do it again this year. And that will be covering topics on consumer identity, GDPR, privacy, adaptive authentication, things like that. And we'll do that in Seattle in September, Amsterdam in October and Singapore in November. Then we're also launching a Cybersecurity Leadership Summit this year, which will take place in Berlin in November. And we'll cover topics like this anti-malware Leadership Compass and other things that pertain specifically to cybersecurity.
So about the webinar itself: everyone's muted centrally, so you don't have to mute or unmute yourself. We will record it. The recording should be available tomorrow, and then we'll save some time for questions and answers at the end. In the GoToMeeting control panel, you'll see a blank for questions, so you can enter those questions you might have at any time. So today I want to talk about the evolution of malware and anti-malware, what the market is like, and then describe for you the methodology that we have for our Leadership Compass, talk about some specific anti-malware features and how we conducted the evaluation, and then show you the graphic for the overall leaders in the space. And again, we'll have some Q&A at the end.
So I thought I'd start with talking about some of the major categories of malware. Viruses are probably the most well known in the field. They've been around for decades. They're typically delivered as files, and, you know, there are thousands to millions of different kinds of viruses that have been discovered and blocked over the many years they've been in existence, and anti-malware companies have been fighting them, and they can be anything from annoying to incredibly destructive. So they've kind of become emblematic of the field, and we tend to call it anti-malware because there are so many other categories today, but many people still refer to anti-malware as just antivirus. But there are other types here, including worms. Worms are spread across the network on open TCP or UDP ports. They attack services running on servers, and they don't necessarily need a file to propagate across the network.
And though they were prevalent a couple of decades ago, they haven't been so much lately, until ransomware started using worms in some cases, or that methodology. And then ransomware has captured a lot of attention today because it has become such a problem in the last couple of years. That's where a file or a worm will hit your computer and encrypt your files, and then pop up a screen saying, you know, you need to pay some money, generally in Bitcoin or something, or Monero, to the bad guys to get your files back, and they don't always give you the decryption key anyway. So it's not really a good idea to pay the ransom. But ransomware isn't exactly new, even though it's become quite prevalent. Ransomware has been around for a decade or more. It's just that, let's say, cryptocurrency has facilitated the rise of ransomware, because it makes it easier for the perpetrators to collect their pay in an untraceable way.
Then there are rootkits. They live at the low levels of the operating system, kind of functioning like a device driver. They're very stealthy. They can sort of mediate access to all the different OS functions and spy on you and collect all the information you enter into the screen. They're also used for botnets, which we'll mention again in a minute. They can be difficult to remove. Spyware, again, could kind of either be annoying or privacy-intrusive, looking at all your cookies, where you visit, what you do, and it can be much more malicious than that as well. Keyloggers record all your keystrokes. This is how the bad guys capture your username and password, and then use it for fraud or for APT. Cryptojacking is kind of a newer form. It's hitting mobile quite hard these days, too.
This is taking over your computer or your mobile phone for the purpose of mining cryptocurrency. And again, some might consider it an annoyance, but it's actually more than that. It's stealing your power, stealing your CPU cycles to make money for somebody else. And like I said, it's becoming much more common, unfortunately. Think of it like, you know, taking over your computer just for the purpose of making someone else money. That's much more than annoying. Then there are fileless attacks. Like the name implies, it doesn't necessarily use a file. The code can be downloaded from a malicious source, outside of a file, into memory. And often the bad guys in this case will use some of the freely available tools in the system like PowerShell or WMI. So anti-malware vendors these days are looking for potential malicious uses of things like PowerShell or WMI. That's how they assemble the snippets of code and make it do something malicious on your system. And then botnets are where hundreds or thousands of machines are co-opted into either doing things like stealing money from the victims, perpetrating fraud, or even being sort of conscripted into conducting distributed denial of service attacks.
So the targets of malware traditionally have been PCs, but obviously over the years servers have become targeted, and that includes not just Windows-based PCs, but Mac and Linux as well. But the targets have expanded to include things like VDIs, IoT, industrial IoT, SCADA servers, SCADA nodes, and now mobile as well. And although Windows still leads in the number of types of malware that are available in the system, Android is second. And malware is a real problem in terms of money too. From the various sources listed below, in 2015 ransomware was estimated to have cost organizations worldwide 325 million. But in two years' time, that jumped to 5 billion. And now total cybercrime costs are estimated for next year, 2019, maybe somewhere in the neighborhood of 2 trillion. And by 2021, you can see that's going up to 6 trillion. So it's a major source of loss, and anti-malware is a very important part of your overall architecture to help prevent that loss.
So since it is a growing concern for all of our clients, and really everyone worldwide, we decided to do a comparative report, or Leadership Compass, on anti-malware for the endpoint. So I'll describe how the methodology works for doing a Leadership Compass. Here we start by identifying the criteria that we want to evaluate and putting together a list of relevant vendors in the field. We develop a technical questionnaire that goes into quite a bit of depth on exactly how the products work. Then we invite those vendors to participate, send them the questionnaire, get their responses back, get additional in-depth briefings and demos of how the products work, and interview some active customers. Then we write up our objective ratings and publish the report.
So there are nine major categories that we look at when we do a Leadership Compass. First off here, we have security, and by security in this case I mean internal product security: how well does the product protect itself? And this can include things like authorization and authentication to the management console, and the construction of the endpoint agent in this case. So it's really about the internal security. Then we look at functionality. What features does the product have? And of course, in this case, with regard to detecting, preventing and removing malware. And then how is it managed? Usability, in cases like this, is more than just end user usability. We consider how easy is it for administrators to run this product? How easy is it for them to deploy it to large numbers of clients and then manage patches or upgrades, and reporting from an enterprise console?
Then in many cases the anti-malware solution is part of an overall endpoint security suite. So how well does the anti-malware portion of the product integrate with the rest of the suite? And interoperability: this pertains mostly to how does the product interoperate with other products outside of the vendor stack? Does it use standards that are relevant in the area, and what kinds of features and complete security architectures can be built with the anti-malware product? Then we look at things like innovation, you know, who's staying on the cutting edge, who's taking customer requests and doing the cutting-edge research to build the best anti-malware protection into their product. We also consider market position. And that's, in this case, you know, things like how many endpoint nodes are covered, how many customers do you have? And then also, where in the world are the customers located? Because, you know, a company can be very strong in one region of the world but not have adequate support in others. So in order to be a market leader, you need to be global.
We also look at the financial health of the company. If it's, you know, an established startup, what are the sources and amount of funding? If it's a well-established company, you know, how profitable are they? And then lastly, the ecosystem, and by this we mean things like the technical support that the vendor provides, as well as do they have system integrator partners, and can you get that support, again, in all the regions of the world that you might be operating in. So you can see here a list of the vendors that we surveyed for the report: Bitdefender, Carbon Black, Digital Guardian, ESET, F-Secure, Kaspersky, McAfee, Microsoft, SentinelOne, Sophos and Symantec.
So I wanted to list next the key criteria that I used to evaluate. The first category is enterprise management. I looked at deployment: how easy is it to deploy and update, assign policies and collect information back from all the nodes in the organization? These products also almost always have enterprise consoles. Sometimes that runs on premise, or in many cases the vendor will host that in the cloud. But, you know, what does the console look like? What kind of information does the dashboard provide? What kinds of reports are available? It's very useful when the vendor provides really good built-in reporting, but organizations also need to be able to customize reports, you know, for the specific needs of their organization. So we also look at the customizability factor as well. And then integration, you know, is it easy to manage the product in terms of, let's say, agent upgrades, and then how well does it fit in with other features that they may have, such as EDR, SIEM and other, let's say, forensic tools as well. Then administrative security.
I think it's imperative that, let's say for the enterprise console, you've got to be able to authenticate administrators strongly. So that would mean using smart cards, USB keys, mobile out-of-band apps, or maybe federated authentication via SAML, because without strong authentication, if all you have to do is guess the admin's username and password, then that's not very good security. Also on authorization, it's good when they support either role-based or some sort of delegated administration models. There are many organizations out there that are, let's say, large parent companies, and yet they have local administrators that need to be able to manage the endpoint security environments within their purview. So being able to have a, you know, very granular delegated administrative access control model is helpful for those kinds of organizations. Plus, you know, adhering to the principle of least privilege: we don't want to give administrators any more control than they need to have to be able to do their jobs. Then test results.
There are a number of different independent antivirus testing agencies out there, and they're almost constantly running tests, evaluating all the different vendors in the field that submit their code for testing. They're also looking at the latest samples of viruses and other kinds of malware so that they can do testing. Occasionally I think there may be a little bit of gamification in the system, so they're changing their methodologies and algorithms to reflect the latest capabilities. So it's important to look at not only the detection rates there, but what are the false positive rates, and then also the successful removal rates for when malware is found. And you might find it interesting that there can be differences in the online versus offline results. Most products today in the endpoint security space do talk to the cloud, the vendor's cloud, and they'll do things I'll describe in more detail in a minute, but, you know, sandbox detonation; they get live updates from the cloud. So let's say there are differences in effectiveness between when the agent can talk to the cloud and when it can't. So it's really important to be able to see that if, let's say, you're going to deploy endpoint security in an environment where, you know, it's going to be offline a lot of the time, maybe in an industrial setting or something like that. And I think it's important to participate in these kinds of tests. So in the details in the report, if somebody didn't participate, that leaves a zero score in that category.
So looking at the key criteria around pre-execution: this is one of the methods that anti-malware programs use for detecting malware. This is usually pattern matching. This is a place where they do machine learning to, you know, identify these patterns and look for them. Many times they're looking for specific kinds of API calls, you know, especially in the case of ransomware; that's a heavily utilized technique. Memory allocation: some malware has special places it wants to go in memory and will try to inject itself there. Malware sometimes also tests for the presence of anti-malware products, so that's a sign that, you know, something bad may be about to happen. And sophisticated malware can also test to determine if it's running in a sandbox or a virtual machine, and in those cases it will simply behave itself so that it doesn't get caught. So the technique there is to wait it out and see what happens, or, you know, speed up the clock so that it fools the malware into thinking that more time has passed than it has.
Then there's runtime analysis. Sandboxing: there are a number of different kinds of sandboxing types. There's, you know, full operating system emulation, browser emulation, network emulation. And the idea here is you send the malware either to, you know, a new process on the box, or in many cases now to the cloud, to the vendor's cloud, to evaluate it. So it will run it and see what happens, and see if the code tries to do anything malicious. If it does, it will instruct the client not to allow it to execute any further. Micro-virtualization is kind of taking that one step further. It executes the malware in a completely virtual machine instance that protects the underlying OS. And then there are many well-known exploits out there. So anti-malware programs today are looking for code that may be trying to use one of these exploits to do something that it shouldn't.
They also do memory analysis at runtime to look for either those known exploits, for signs of attack, or other nefarious kinds of code sequences, and then shut them down. This is also how anti-malware companies look for this fileless malware, the memory analysis, because there's no image to scan, you know, say with a signature file, or even to be able to do the pre-execution heuristics. Ransomware protection: again, they're using crypto API calls for the most part. And that could be either, you know, within the native OS API, or maybe it'll call some well-known third-party crypto libraries. In some cases the malware will bring crypto along with it. So looking, you know, at the operating system level for use of crypto APIs in suspicious ways is a good way to look for ransomware. Same thing with file system monitoring.
Many times ransomware will try to enumerate all the files in well-known data folders, like My Documents, for example. If a piece of code tries to do a large number of copy-on-writes or file extension changes all at once, that can signify that it's ransomware that's about to encrypt files. So the anti-malware programs do look for that kind of behavior and shut it down. And then there's also the volume shadow copy. That's where you stick a good copy of the operating system, where you can go back to a certain break point and restore. Many types of ransomware will go in and try to delete that before they start the rest of their encryption and file renaming. So there's really no good reason that any piece of code should ever try to delete the volume shadow copy. And if it does, that's a good sign that it's ransomware. So anti-malware programs shut that down.
Rootkits are low-level programs. Again, they're like device drivers. They kind of sit at the bottom of the operating system and mediate all user input activity. This is how they can collect your credentials or, you know, become part of a botnet. This is also why anti-malware programs are generally implemented at the kernel level, so they can, you know, be down there looking for that kind of activity. And the sooner they load in the boot-up process, the more control they have over the loading of other device drivers, including different types of rootkits. We also considered the different kinds of operating system nodes that are supported. Obviously Windows 10 has a lot of good stuff built in that can prevent a lot of this, but many people are running 8, 7, Vista. And, you know, there are lots of people, unfortunately, still running XP.
And a lot of companies believe that, you know, they have to continue to do that, because in some cases XP is running, you know, some SCADA node or some industrial control, or even, you know, in healthcare, like MRI machines. So it's important that a lot of the third-party vendors here do support all the flavors of Windows all the way back to XP. And even though it's not as big a problem on Mac, having OS X support is really important, I think, for most of the anti-malware vendors, as is supporting the different flavors of Linux and even VDI. So here's a look at the overall leader section of our report. You can see that they're all pretty strong, I'll say. I mean, most of these companies are doing, I think, a really good job of providing support for detecting and removing malware. Some of the differences that you see in positioning are really more about some of those additional features like enterprise management and administrative security. You know, these cover the basic functionality really well. So with that, I'll open it up and we'll see if we have any questions.
Okay. So someone has noted mobile platforms are not included here. That's true for this report. I wanted to focus on just the endpoint anti-malware solutions. I think mobile anti-malware is important also, and I will be working on a Leadership Compass covering the mobile platforms as well, hopefully later this year. And then, are there any differences in mobile malware detection versus PC? Yeah, actually there are. iOS is relatively closed as an operating system. There's not a lot that third-party vendors can do with regard to, you know, scanning or doing runtime analysis, but that also makes it harder for the malicious actors to write bad code. So I guess we'll say it's a little less necessary. But as I mentioned earlier, you have Android; there's a lot of malware that's being written for that. And there are some differences in how the code executes, and then also how anti-malware vendors go about looking for malicious code and protecting devices that way. And I will try to get more into detail on that in that upcoming report.
I also have a question about which areas each one of the vendors was strong and weak in, and I'll say that's probably best looked at inside the report itself, the Leadership Compass. I think it's, you know, close to 50 pages. We analyze it in a variety of different ways. We go into product leadership, market leadership, innovation leadership, and describe exactly what we mean by that. Then we also have overviews of each particular product analyzed. So there's a lot of detail in the report, and I would encourage you to go sign up and take a look at it if you can. Okay. And with that, I don't see any more questions, and we're up at the end of the hour. So I just wanted to thank everybody for attending. We do have related research here. These are again our conferences, but we do have an Advisory Note on ransomware protection, a Buyer's Guide, a Leadership Brief on defending against ransomware, and of course this Leadership Compass on anti-malware. So with that, thank you for attending. And if you have any questions, please feel free to get in touch with us. Thank you.
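The two ransomware behaviours the speaker describes under file system monitoring (a burst of extension-changing renames from one process) and volume shadow copy deletion, written out as detection logic over an endpoint event stream. This is an added example, not code from the webinar, the report or any vendor product. The `Event` schema, the thresholds and the sample telemetry are constructed assumptions for illustration; the `vssadmin delete shadows` and `wmic shadowcopy delete` command lines are the real Windows tools ransomware commonly invokes.

```python
"""Behavioural ransomware heuristics over an endpoint event stream.

Added example; not code from the webinar, the report or any vendor product.
The event schema, thresholds and sample telemetry are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Illustrative tuning knobs (assumed, not vendor defaults).
RENAME_BURST_THRESHOLD = 20   # extension-changing renames per process ...
WINDOW_SECONDS = 10.0         # ... within this sliding window

# Command lines that ordinary user software has no reason to issue:
# (image stem, required arguments). Both are real Windows tools.
SHADOW_COPY_DELETION = (
    ("vssadmin", ("delete", "shadows")),
    ("wmic", ("shadowcopy", "delete")),
)


@dataclass(frozen=True)
class Event:
    ts: float            # seconds since trace start
    pid: int             # process that performed the action (for "exec", the parent)
    kind: str            # "rename" or "exec"
    src: str = ""        # rename: old path
    dst: str = ""        # rename: new path
    cmdline: str = ""    # exec: child command line


def extension_changed(src: str, dst: str) -> bool:
    """True when a rename changes the file extension (case-insensitive)."""
    return PureWindowsPath(src).suffix.lower() != PureWindowsPath(dst).suffix.lower()


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True for vssadmin/wmic invocations that delete Volume Shadow Copies."""
    tokens = [t.strip('"').lower() for t in cmdline.split()]
    if not tokens:
        return False
    image = PureWindowsPath(tokens[0]).stem   # full path or bare name -> "vssadmin"
    args = set(tokens[1:])
    return any(image == exe and set(required) <= args
               for exe, required in SHADOW_COPY_DELETION)


def detect(events):
    """Return {pid: [reasons]} for every process that trips a heuristic."""
    alerts = defaultdict(list)
    windows = defaultdict(deque)   # pid -> timestamps of extension-changing renames
    burst_reported = set()         # report the rename burst once per process
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "exec" and is_shadow_copy_deletion(ev.cmdline):
            alerts[ev.pid].append(f"shadow copy deletion: {ev.cmdline}")
        elif ev.kind == "rename" and extension_changed(ev.src, ev.dst):
            window = windows[ev.pid]
            window.append(ev.ts)
            # slide the window: drop renames older than WINDOW_SECONDS
            while window and ev.ts - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= RENAME_BURST_THRESHOLD and ev.pid not in burst_reported:
                burst_reported.add(ev.pid)
                alerts[ev.pid].append(
                    f"{len(window)} extension changes within {WINDOW_SECONDS:g}s")
    return dict(alerts)


def sample_events():
    """Constructed telemetry: pid 4100 saves documents like an editor (one
    .tmp -> .docx rename every 30 s); pid 6620 behaves like ransomware
    (25 renames to .locked in 5 s, then deletes the shadow copies)."""
    docs = r"C:\Users\alice\Documents"
    events = [Event(30.0 * i, 4100, "rename", rf"{docs}\~f{i}.tmp", rf"{docs}\f{i}.docx")
              for i in range(4)]
    events += [Event(100.0 + 0.2 * i, 6620, "rename",
                     rf"{docs}\f{i}.docx", rf"{docs}\f{i}.docx.locked")
               for i in range(25)]
    events.append(Event(106.0, 6620, "exec",
                        cmdline=r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"))
    return events


if __name__ == "__main__":
    for pid, reasons in detect(sample_events()).items():
        print(pid, reasons)
```

Run stand-alone it reports only pid 6620, once for the rename burst and once for the shadow copy deletion. The burst threshold is where the speaker's point about false positive rates bites: archivers, backup agents and bulk converters also rename many files quickly, so a real product tunes the window and whitelists known images, and an administrator legitimately running `vssadmin` would be handled by attributing the exec to its parent process rather than blocking the tool outright.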
