A new wave of security products known as breach-detection systems have made a splash in recent years by promising to detect threats that firewalls and intrusion detection systems often miss. Despite commanding some of the highest prices of any product category in the security industry, new research shows an increasing number of enterprises are turning to breach-detection systems in hopes of avoiding an expensive, high-profile data breach.
Independent infosec research and advisory firm NSS Labs Inc., based in Austin, Texas, recently released its 2014 Market Intelligence Brief for Breach Detection Systems, for which NSS analyzed the financial growth of the nearly two dozen vendors operating in the nascent security product category. What NSS researchers found was a market that has already grown dramatically in less than 36 months and shows no signs of slowing.
Breach-detection systems: Rapid market growth
In 2011 -- the year breach-detection systems were introduced -- vendors tallied only $70 million in combined revenue, but that figure had quadrupled by last year to $289 million. Now, NSS estimates that vendors in the space are projected to rake in $471 million in revenue for 2014, representing a more than 60% increase from the previous year.
And those numbers are only set to grow. By 2018, NSS Labs predicts that the breach detection systems market could represent a combined $1.39 billion in annual revenue while averaging double-digit yearly growth. In comparison, market research and consulting firm MarketsandMarkets expects the long-standing enterprise firewall market to exceed $8 billion in revenue within five years, but will only grow at less than 7% per year.
Mike Spanbauer, vice president of research for NSS Labs, said that enterprise interest in breach-detection systems has largely stemmed from the repeated failures of other security products to spot what are referred to as advanced threats. Though zero-days are most often thought of in relation to advanced threats, Spanbauer said most attacks that slip through enterprise security defenses undetected actually rely on old vulnerabilities. Attackers can use slightly altered legacy malcode with creative evasion and delivery mechanisms to exploit them.
Though few such attacks qualify as zero-days, Spanbauer said the attacks often work because traditional security products either rely too heavily on signatures to spot exploits, or don't have visibility into an entire enterprise network.
"Granted, there are zero-days out there and they are also something for these systems to protect against, but that's not necessarily the attack that the average enterprise needs to fear, because they're expensive, they're rare and they're more often employed for very specific targets versus just [being] used in the wild," said Spanbauer. "It's an existing [exploit] kit that is more likely to be the culprit of your breach than a zero day."
Breach detection systems, on the other hand, differ from firewalls, secure Web gateways and other products because they span an entire network architecture rather than one specific endpoint or instance -- an evolution that Spanbauer said was needed to keep pace with attackers.
"It is a product category defined by the activity it is seeking to protect versus the point in the network or specific technology that is used. It's a slight distinction, but I think reflects this trend toward security products [being] aligned to business needs versus architectural dictation," said Spanbauer. "That's part of the reason why these product names are evolving too … to reflect that change and need to be defined by product versus location."
Are breach-detection systems worth the investment?
The product offerings among breach-detection systems vendors are undoubtedly unique compared to traditional alternatives in the security space, and according to the NSS Labs research, that game-changing technology comes with a hefty price tag.
According to NSS Labs, in 2013 the average industry-wide price for a standalone, enterprise-caliber breach-detection product exceeded $85,000. Spanbauer emphasized that cost doesn't include the support and threat-intelligence subscriptions that play a large part in making the products effective. Those fees can total as much as 60% to70% of the initial cost, meaning the effective cost of a breach-detection system over the course of its life could exceed $300,000.
In addition to the directly associated costs, Spanbauer warned that breach-detection systems are also much more complex to deploy and maintain than traditional security products. Why? For one, breach-detection systems may require the installation of multiple devices across an enterprise's network, which enables greater network visibility, but may cause deployment challenges.
Breach-detection systems also require constant tuning to ensure that IT security staff members aren't being overwhelmed with alerts, which was reported to be the case when Target Corp. was breached, despite its use of a breach-detection product from FireEye Inc. This may necessitate adding highly trained staff that can dedicate time to the product, further adding to its overall cost.
Because the price tag can be daunting, Spanbauer said that breach-detection systems are only being adopted by larger enterprises, though vendors are working to offer virtual appliances and software-as-a-service offerings at lower price points to target small- and medium-sized businesses.
Still, he noted that those larger enterprises have yet to flinch at the high costs of breach-detection systems because, in many cases, they represent the best hope of securing environments that have either zero- or low-risk tolerance. For instance, Spanbauer noted the three industries that have spent the most on breach-detection systems have been financial, government/military and retail, all of which have been highly targeted by attacks and may possess large quantities of sensitive information.
"If you are high-profile victim, be it a banking institution, the military or a retailer, then you are a great candidate for breach protection," said Spanbauer "Each customer has to assess this themselves, and it comes down to risk tolerance and what you budgeted for."
Spanbauer cautioned some enterprises against thinking that a breach-detection system will cure all of an organization's security woes. Instead, such products should be used to augment an already effective security structure by catching the threats that other products can't.
As such, an enterprise shopping for a breach-detection system must first ensure that its environment is as secure as possible, and then select a breach-detection product that adds new capabilities rather than overlap with currently deployed products.
Still, Spanbauer added that for a large enterprise deploying such a product, the decision more often than not pays off financially. For instance, some experts have pegged the total cost of Target's breach at around $1 billion. Even with less expensive breaches, Spanbauer estimated that the cost of an incident could be five to 10 times more costly than the total price of a breach-detection system.
"All it takes is one breach and you would have paid for your entire product," concluded Spanbauer.
NSS Labs previously tested breach detection systems to determine which was the most effective, and vendors FireEye and Palo Alto Networks took issue with the results. Read our coverage to find out why.