The stream of bad information security news, from data breaches to ransomware to state-funded hacks, is fueling a virtual gold rush for companies developing security software. A new report from research firm Forrester predicts a healthy growth rate for the endpoint security market over the next five years, with some specific technologies expected to see double-digit growth.
Never mind whether the technologies will be able to stop attacks. Defending organizations has become so difficult and so complicated that few vendors would claim to be able to stop every attack. But there's a thirst for new technologies and approaches.
Forrester expects the endpoint security market - which focuses on defending individual computers and mobile devices from cyberattacks - to hit $4.7 billion this year. It's expected to grow to $5.9 billion by 2021, a compound annual growth rate of 4.5 percent.
"Many of the new entrants to the endpoint security space are starting to invest in product marketing and in large sales forces, which will also spur growth," write Forrester analysts Jennifer Adams and Chris Sherman. "The new emerging endpoint security solutions will drive growth."
Forrester's report covers subcategories of endpoint protection software, including application integrity protection; application control, or whitelisting; endpoint visibility and detection, also often referred to as endpoint detection and response; and application execution isolation.
Dark Spot: AV Signatures
The only dark spot in Forrester's report is its prediction for endpoint protection suites that primarily rely on signatures. Signatures are essentially a set of characteristics that describe a known piece of malware. The problem is that the same piece of malware can be altered slightly to fool AV scanners.
"Hackers change their signatures faster than traditional anti-malware software can be updated," according to the report. "New forms of malware can lay dormant for weeks or months before activating and morphing, making it more difficult to identify them."
Vendors have been trying to reduce reliance on signatures and instead spot bad files based on their behavior or on other traits that suggest a file is likely to be malicious.
Forrester expects security software suites that are still heavily reliant on signatures to shrink at a compound annual rate of 4.6 percent.
Another slower spot is expected in application control suites, where Forrester expects to see "steady but unspectacular growth" of 5.7 percent annually over the next five years. Also known as whitelisting, this software allows administrators to tightly control what applications are allowed to run on an endpoint. Applications that aren't allowed simply can't run, which makes it a strong defense. But Forrester points out that whitelisting annoys users.
"While application privilege management is effective at stopping zero-day malware, it can be frustrating for employees to lose administrative access," the analysts write.
Endpoint Detection and Response
The name for this category of products, which includes vendors such as FireEye and CrowdStrike, depends on the analyst house. Forrester calls it endpoint visibility and control, while IDC dubs it specialized threat analysis and protection, or STAP.
I wrote about EDR earlier this week based on an excellent presentation by Gartner analyst Eric Ouellet at the Security and Risk Summit in Sydney. These products collect fine-grained technical detail about what's happening on an endpoint (see The Lowdown on EDR Security Software: Do You Need It?).
The data can be used either to actively hunt for and react to hackers or as a forensic tool to figure out the play-by-play behind a compromise. EDR products can also see areas where signature-based AV is blind, such as when attackers use in-memory malware.
"Endpoint security systems that are behavior-based, not signature-based, can help protect against these new fileless threats," they write.
Despite the high cost and technical expertise required to get the most out of EDR, Forrester expects the category to grow 23.5 percent in the next five years.
What to Expect
The growth of the industry means CIOs and CSOs can probably expect even more cold invites on LinkedIn and cold emails, for better or worse. But the new tools and technologies are allowing for deeper insights into attacks and a better chance of stopping them. And that, fundamentally, is good.