Products that can detect stealthy malware-based attacks aimed at cyber-espionage and data exfiltration should be considered a specialized area of the security market, according to research firm IDC, which has designated a new market category for them: "Specialized Threat Analysis and Protection" (STAP).
STAP was not much more than a $200 million market worldwide last year, according to IDC, but it is expected to triple by next year and reach $1.17 billion by 2017. IDC defines STAP as technologies that are primarily "signatureless," that is, not relying on malware signatures. These might include sandboxing, big data analytics and containerization to detect malicious activity.
And STAP products, whether they work on the network level, the endpoint or both, are scanning inbound and outbound traffic for anomalies, including botnet and command-and-control traffic that typically indicates a compromise. IDC says STAP products might also be used for reverse engineering and forensic analysis of discovered malware.
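The outbound-anomaly scanning described above can be illustrated with one concrete "signatureless" check: periodic beaconing to the same external host, which is a common trait of command-and-control traffic. The following is an added example written for this article, not code from IDC or from any of the vendors named on the page. It assumes a hypothetical connection log with one record per line in the form `<epoch_seconds> <src_ip> <dst_ip> <bytes_out>`; the sample records are constructed here and use documentation address ranges.

```python
"""Signatureless beacon detection over connection records (added example).

Groups outbound connections by (source, destination), measures the regularity
of the time gaps between connections, and flags pairs whose gaps are both
frequent and nearly constant. No malware signature is involved; the signal is
purely behavioural, which is the kind of check the STAP category describes.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not real traffic). Host 10.0.0.5 contacts
# 203.0.113.9 roughly every 60 seconds with small jitter, while its
# connections to 198.51.100.20 are irregular. Format is assumed:
#   <epoch_seconds> <src_ip> <dst_ip> <bytes_out>
SAMPLE_LOG = """
# comment lines and blank lines are ignored by the parser
1700000000 10.0.0.5 203.0.113.9 512
1700000005 10.0.0.5 198.51.100.20 2048
1700000014 10.0.0.5 198.51.100.20 980
1700000020 10.0.0.7 198.51.100.20 300
1700000061 10.0.0.5 203.0.113.9 520
1700000080 10.0.0.7 198.51.100.20 450
1700000119 10.0.0.5 203.0.113.9 498
1700000130 10.0.0.5 198.51.100.20 4096
1700000135 10.0.0.5 198.51.100.20 120
1700000182 10.0.0.5 203.0.113.9 530
1700000240 10.0.0.5 203.0.113.9 505
1700000299 10.0.0.5 203.0.113.9 515
1700000400 10.0.0.5 198.51.100.20 7000
1700000410 10.0.0.5 198.51.100.20 66
"""


def parse_records(text):
    """Parse the assumed log format into (timestamp, src, dst, bytes_out) tuples.

    Malformed lines are skipped rather than aborting the whole analysis, since
    a detector that dies on one bad record is a detector that can be blinded.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            records.append((float(ts), src, dst, int(nbytes)))
        except ValueError:
            continue
    return records


def find_beacons(records, min_connections=5, max_cv=0.2):
    """Return (src, dst) pairs whose connection timing looks like a beacon.

    A pair is flagged when it has at least `min_connections` connections and
    the coefficient of variation (std dev / mean) of the gaps between them is
    at most `max_cv`, i.e. the gaps are nearly constant. Thresholds are
    illustrative and would be tuned per environment.
    """
    by_pair = defaultdict(list)
    bytes_by_pair = defaultdict(int)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append(ts)
        bytes_by_pair[(src, dst)] += nbytes

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        intervals = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(times),
                "period_s": round(avg, 1),
                "cv": round(cv, 3),
                "bytes_out": bytes_by_pair[(src, dst)],  # useful for exfil triage
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_records(SAMPLE_LOG)):
        print(finding)
```

On the sample above only the 10.0.0.5 to 203.0.113.9 pair is reported (six connections, period about 59.8 s); the irregular pair is ignored despite having as many connections, and the two-connection pair never reaches the minimum count. In a real deployment the same logic would run over NetFlow or proxy logs, and the `bytes_out` figure gives the analyst a first cut at whether a regular beacon is also carrying data out.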
"Basically, enterprise security must constantly analyze all aspects of infrastructure for threats, assuming there is a compromise somewhere," says Phil Hochmuth, IDC program manager, security products.
STAP technologies work alongside traditional signature-based anti-malware and intrusion-detection and prevention systems (IDS/IPS), Hochmuth says. IDC expects that STAP will evolve much as the IDS/IPS market did, with enterprises deploying in a monitoring, "listening" mode at first and then moving to a prevention model when "they're comfortable with the technology." IDC expects that STAP is going to become an important part of the "kill chain" concept of the advanced attack model, Hochmuth says.
IDC says the "key players" in STAP include Blue Coat, with its acquired Solera products; Bromium; CounterTack; Damballa; FireEye; HBGary; Invincea; Norman ASA; Palo Alto Networks with WildFire; Proofpoint; Sourcefire with FireAMP (acquired by Cisco); ThreatTrack Security; and Trend Micro with its Deep Discovery line.
Other vendors with recently introduced STAP technologies, sometimes embedded in their other security products, include AhnLab; Cognitive Security (acquired by Cisco); Cylance; Check Point Software with its Threat Emulation Blade; Fortinet; Mandiant; Intel's McAfee with its entry into sandboxing via the ValidEdge acquisition; EMC company RSA with its RSA Security Analytics (NetWitness Spectrum) and RSA Enterprise Compromise Assessment Tool. And finally, Websense, with its ThreatScope sandboxing, which the security firm now offers integrated into its Triton Enterprise gateways.
In fact, integration of STAP technologies into existing network, endpoint and content security products is expected to be commonplace going forward, IDC says. The incumbent security vendors are mostly seen as catching up to smaller STAP-focused providers, some new like Cylance but some around for several years, such as Damballa.
STAP is meant to detect zero-day attacks and data exfiltration by attackers, which can go on for weeks if not years. IDC believes STAP products today are used to augment more traditional network security and endpoint security products. Early adopters are large financial institutions, large government agencies and large enterprises with "acute data protection requirements."