Products that can detect stealthy malware-based attacks aimed at cyber-espionage and data exfiltration should be considered a specialized area of the security market, according to research firm IDC, which has designated a new market category for them: "Specialized Threat Analysis and Protection."
STAP for short, this was not much more than a $200 million market worldwide last year, according to IDC, but it's expected to triple by next year and reach $1.17 billion by 2017. IDC is defining STAP as technologies that are primarily "signatureless," that is, not relying on malware signatures. These might include sandboxing, big data analytics and containerization to detect malicious activity.
And STAP products, whether they work on the network level, the endpoint or both, are scanning inbound and outbound traffic for anomalies, including botnet and command-and-control traffic that typically indicates a compromise. IDC says STAP products might also be used for reverse engineering and forensic analysis of discovered malware.
"Basically, enterprise security must constantly analyze all aspects of infrastructure for threats, assuming there is a compromise somewhere," says Phil Hochmuth, IDC program manager, security products.
STAP technologies work alongside traditional signature-based anti-malware and intrusion-detection and prevention systems (IDS/IPS), Hochmuth says. IDC expects that STAP will evolve a lot like the IDS/IPS market did, with enterprises deploying in a monitoring, "listening" mode at first and then move to a prevention model when "they're comfortable with the technology." IDC expects that STAP is going to become an important part of the "kill chain" concept of the advanced attack model, Hochmuth says.
IDC says the "key players" in STAP include Blue Coat, with its acquired Solera products; Bromium; CounterTack; Damballa; FireEye; HBGary; Invincea; Norman ASA; Palo Alto Networks with Wildfire; Proofpoint; Sourefire with FireAMP (acquired by Cisco); ThreatTrack Security; and Trend Micro with its Deep Discovery line.
Other vendors with recently introduced STAP technologies, sometimes embedded in their other security products, include AhnLab; Cognitive Security (acquired by Cisco); Cylance; Check Point Software with its Threat Emulation Blade; Fortinet; Mandiant; Intel's McAfee with its entry into sandboxing via the ValidEdge acquisition; EMC company RSA with its RSA Security Analytics (NetWitness Spectrum) and RSA Enterprise Compromise Assessment Tool. And finally, Websense, with its ThreatScope sandboxing, which the security firm now offers integrated into its Triton Enterprise gateways.
In fact, integration of STAP technologies into existing network, endpoint and content security products is expected to be commonplace going forward, IDC says. The incumbent security vendors are mostly seen as catching up to smaller STAP-focused providers, some new like Cylance but some around for several years, such as Damballa.
STAP is meant to detect zero-day attacks and data exfiltration by attackers, which can go on for weeks if not years. IDC believes STAP products today are used to augment more traditional network security and endpoint security products,. Early adopters are large financial institutions, large government agencies and large enterprises with "acute data protection requirements."
"Among enterprises, it appears extra budget is being allocated for STAP technology, as opposed to shifting spend to STAP from other solutions," an IDC report notes. IDC expects this trend to continue, saying it could help STAP-focused vendors grow while not directly competing with other parts of the security market, such as anti-virus. But IDC also cautions that STAP vendors will have to show they can somehow stay ahead of the attackers, who may use clever "sleep" techniques on malware, for example, to counteract STAP technologies such as sandboxing.
Will security vendors and customers start regularly using the expression STAP, which was coined by IDC earlier this year? That's unclear but IDC expects to continue keeping the running count going on how STAP evolves in its future reports on this market segment.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: [email protected]
Read more about wide area network in Network World's Wide Area Network section.