When making final considerations before choosing among antimalware tools, evaluate all you can about the provider, from its product packaging and the company's
research team to overhead and processing demands.
As much as antimalware technology is evolving, the market is still very mature, requiring a much different decision process than emerging and innovative technologies do. So let's take a look at some of the tradeoffs and work that goes into the process of making a decision between various antimalware products.
The first decision comes down to packaging. Most endpoint antimalware can be bought as a standalone or along with a suite of synergistic controls such as host firewalls and intrusion prevention, and full-disk encryption. There are clearly economies of scale to the bundled approach, both in terms of price and management integration, so we do see most organizations selecting a suite. On the downside, the more capabilities you add to the agent, the more of a drag it will be on the performance of the device.
Another consideration in selecting a suite (versus best of breed) traditionally involves sacrificing effectiveness for the sake of integration. But recall that endpoint protection is a mature market, so there isn't a lot of variance in performance, minimizing the impact of a best-of-breed selection.
For those looking at standalone endpoint antimalware products, the concept of free antivirus (AV) enters into the decision. To be clear, free AV is run largely by the same engine used by the commercial packaging, but does not have any sort of management capabilities, which usually makes those solutions great for Grandma's PC, but not so great for the thousands of devices you need to manage.
As you get down to decision time, you'll likely hear from each vendor about its "market-leading" effectiveness and how it takes the least time to block new attacks. These vendors will parade around their VB100 certificate and maybe an NSS Labs test or two to substantiate their capabilities in terms of effectiveness of catching both known and unknown (zero-day) malware. Let's just say most endpoint antimalware is clustered around a pretty bad effectiveness rating, especially for attacks they haven't seen before. Thus, you should consult some of the lab reports, as that would disqualify products that cannot compete. But among the top five to seven vendors, the variances in effectiveness will be minimal.
From the editors: More on antimalware products
Vendor tools for securing VMware environments
Implementing a Mac antimalware program
Limitations of antimalware products suites
A bigger consideration when comparing these offerings is the overhead and processing cost to run their agents. Many of the vendors have worked to make their antimalware products much more efficient, but if you are going to do any testing, you are best suited to test how much resource the antimalware engines actually consume on your machines. Benchmarks are fine, but you may have some unique applications or configurations that skew the resource consumption. The point of antimalware is to protect, not kill, the performance of the device.
It also makes sense to consider the size and breadth of the research team and the customer base of the vendor. This is mostly because analyzing malware nowadays requires access to a huge set of files and a large analysis capability to figure out which of those files show indicators of malware. This is not a startup game anymore, so the big will continue to get bigger.
Finally, consider the user experience to manage the antimalware technology and leverage with your other management tools, such as security information management; governance, risk and compliance; data loss prevention or other security policy management tools. The larger antimalware vendors also have products that you may use, and having an integrated console can make your life easier. The other trend to keep in mind is a cloud-based console, where you no longer need a dedicated management server for antimalware products; rather you manage via an interface on the Web. For a large and highly distributed environment, this could be very useful.
Sealing the deal: Final factors to consider
- Buying and negotiating price. Endpoint antimalware is a commodity, so price is king and vendors are incented to displace the incumbents, so you'll have significant pricing leverage.
- Mergers and acquisitions. The industry has seen a lot of mergers and acquisitions, so keep that in mind when selecting a vendor and opt for shorter contractual commitments, as there will remain a number of moving pieces in this industry.
- Migration to a new vendor. Given the amount of churn in the antimalware business, the tools in place to migrate from one antimalware suite to another are mature and plentiful, minimizing switching costs. Don't let a vendor scare you into thinking there are significant costs to pick someone else.
- Complementary antimalware engines. Endpoint antimalware remains a must-have (due more to compliance than effectiveness), but organizations should consider antimalware on the Web and email security gateways and within the network to push detection closer to the perimeter.
Editor's note: This article was originally published as premium content in 2012.
About the author
Mike Rothman is an analyst with and president of Securosis, an independent security research and advisory firm in Phoenix. Mike is also the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Reach Mike via email at firstname.lastname@example.org or follow him on Twitter @securityincite.
This was first published in May 2013