Stand-alone, signature-based anti-virus is dead. The stand-alone anti-spyware market is over too, if it ever existed!
Signature-based AV isn't protecting anyone anymore, and it certainly wasn't providing any protection against spyware or some of the nastier threats that have popped up recently. It didn't stop Blaster, or Sasser, or Slammer; it did nothing to help ChoicePoint, or the VA, or the orgy of disclosure we have all become numb to. It was running happily along, updated and content, on my mom's machine when it turned out her Windows XP box was infected with some pretty nasty bits.
It offers limited protection against bots, and its ability to detect rootkits is nearly non-existent. It can't constrain the end-points, it doesn't allow port or protocol blocking, it doesn't protect data from theft, and it does almost nothing to improve the security of the systems whose resources it voraciously consumes. It always seems to impact the performance of my, I mean my kids', video games. It is usually the first thing listed to turn off in the troubleshooting guides of third-party applications. It has become a vector of attack, and hackers have shown increasing cunning in using AV product flaws as a launching point for attack; the AV vendors have also done a good job of breaking their own stuff, even with bad DAT signature files.
Of course it is still a billion-dollar industry and growing, and licenses will continue to be renewed, but this market has changed a great deal since I worked on McAfee AV for Windows 95.
So what happens next?
Well, AV becomes part of a converged security client, offering multiple capabilities including anti-spyware, personal firewall, and intrusion prevention as the foundation, which I have talked about (here). Of course this has already begun, and the AV guys are shoving more and more technologies onto the desktop, including data leak prevention, end-point policy enforcement, and patch and configuration management. They bundle it under some uber-agent, while the individual executables fight to claim your system resources. They offer some half-baked management console, slap a new coat of paint on some recent acquisitions, and complain any time Microsoft attempts to improve its security if it in any way affects their sacred AV cash cow.
Enterprises will still need to invest in and deploy AV, but more out of a sense of fear than because they believe it is offering value. Organizations with mature IS departments, ones that are type A in their technology acquisition and process development, have already realized that AV is dead and are looking to strategically address client security in a new world. That new approach includes a signature component, like AV, but signatures certainly will not be the cornerstone of end-point security for very much longer.
What should organizations do?
1. Spend less, demand more. Consolidate spending on multiple client solutions. Do not pay the same price for AV this year that you paid last year; ask for more security and operations function, but do not pay more. Demand more cow-bell! (here) – centralized management and administration becomes one of the key evaluation criteria.
2. Rip out your incumbent if they aren't providing value. I did a study at Gartner, and the cost of switching out an incumbent AV vendor is far less than people realize. I know my current company (here) can do it for your entire enterprise in about 5 minutes.
3. Security and operations are converging at the desktop and servers, so look for operations vendors to provide more security functions. They generally have stronger systems management, centralized administration, and scalability than the security folks.
Bottom Line: By the end of 2007 stand-alone AV will be dead, d-e-a-d, dead! Organizations need to evolve their client security programs or expect to see increased costs as the number of agents continues to rise.