We’re frequently asked about “Next Gen” antivirus companies, which is not surprising. They’ve been making a lot of noise and bold claims during the last couple of years (so, basically, since they were founded). So let’s take a look at what they’re all about.
Coopetition in the AV industry
But before getting into what “Next Gen” are up to, let’s take a brief stroll down memory lane. During the past three decades, vendors in the Endpoint Protection industry have adopted a system of “coopetition”, where vendors compete fiercely on the sales front while their analysts, developers, and engineers share information and cooperate for the greater good of cyber security. This cooperative competition has included sharing knowledge (through conferences and events), sharing samples, sharing threat intelligence, and agreeing on certain standards.
A few examples of this: In June 2004, VirusTotal was founded as a service for the industry to cooperate on the sharing of samples and verdicts. This service now facilitates the sharing of approximately half a billion samples daily, includes over fifty products, and is a great source of threat intelligence for many in the industry.
Here’s another example. Independent testing organizations, whose mandate was to ensure that products were actually providing the protection they claimed, were formed. It makes sense to hand this task to a set of independent organizations – consumers and businesses just don’t have the time, resources, or expertise to work with live malware, find freshly exploited sites, and conduct tests against dozens of different products just to make a decision about which solution they’ll purchase. I find it astonishing that some “Next Gen” companies actually recommend that the public perform their own AV testing. Anyway, in 2008, the Anti-Malware Testing Standards Organization (AMTSO™) was founded to facilitate just this.
This cooperative spirit didn’t just happen overnight – it’s been a slow and gradual process. In the old days, there was plenty more competition and rivalry between cyber security companies.
How to alienate yourself from VirusTotal
But things changed a few years ago. Instead of joining the community, many of the “Next Gen” players (to be clear here, we’re talking about “Next Gen Endpoint Security”, or “antivirus” vendors, not EDR or breach detection products) took an altogether different route. They launched marketing campaigns designed to discredit incumbent security vendors by insinuating that their products are based on “signature-only” technologies.
The “data” that “Next Gen” vendors often rely on to present this argument is flawed. It’s based on comparing their full technology stack to competitor results from VirusTotal (which only tests static file-scanning capabilities). Despite the fact that VirusTotal changed its policies regarding the use of its data after noticing these campaigns, “Next Gen” are still up to it. And it’s certainly provocative.
Welcome to the Big AV conspiracy
What might have led them to do this? It seems that some “Next Gen” companies claim that they’re unable to compete in an industry that is controlled by what they refer to as “Big AV”. Akin to stories of the Illuminati, they insinuate that a shadowy cabal of established InfoSec companies controls the industry and is working to undermine their credibility.
When in doubt, blame QA
Just recently, “Next Gen” have turned their inaccurate marketing assault towards the independent AV testing industry. Numerous claims have been made insinuating that the independent AV testing industry is untrustworthy, biased, and paid-for.
We agree that independent testing methodologies aren’t perfect, and perhaps they haven’t evolved as fast as the technologies and threat landscape around them have. Not every technology in our own products factors into the tests they run. But the industry certainly isn’t rigged in favor of certain types of products or vendors.
Our main motivation behind working with independent testing organizations is to acquire valuable quality assurance data for our products and technologies. Testing organizations build and maintain complex infrastructure designed to search for the absolute latest threats in the wild, in an attempt to trip up the best endpoint protection technologies. We source multiple private tests every month and use the data from those tests to constantly improve our technologies and services. These organizations don’t exist to tell us our products are good – if they did, we’d find little value in utilizing their services.
Many “Next Gen” companies refuse to participate in independent testing – public or private. In fact, some “Next Gen” vendors go to great lengths to avoid having their products independently evaluated – they specifically refrain from selling their products to testing labs, and may even revoke a license key – without a refund – if they find out or suspect that it was bought anonymously by a testing lab.
Why do the work when you can get others to do it for you?
As I’ve said in the past, “Traditional AV” versus “Next Gen” is a concept that was coined by “Next Gen” marketing departments. And here’s why. Instead of investing resources into the technologies and infrastructure required by all other independent security companies, many “Next Gen” vendors outsource a lot of that work to third parties (often the very companies they’re calling “Traditional AV”). This outsourcing can include licensing feeds of verdicts from third parties (which are generated by, you guessed it, “Traditional AV” products) or even running competitor products in their own back end infrastructure.
We see about 500,000 new samples every day, and to analyze and categorize those samples, we’ve invested heavily into infrastructure, storage, and automation. Building and improving that infrastructure took over a dozen years. Without this infrastructure and the constant improvements we put into back end systems, sample analysis automation, and sample storage and categorization, we’d simply not be able to stay ahead of the threat landscape. Technologies are one thing, but they’re only as good as the rules, logic, samples, and metadata they’re fed. That, in turn, relies heavily on being given relevant inputs, and those inputs have to come from somewhere.
Venture capital buys a lot of marketing
The money saved from skimping on proper data collection and infrastructure is funneled directly into “Next Gen” marketing departments. Equipped with these huge venture capital-backed marketing budgets, they’ve bombarded the press with the idea of “Traditional AV” versus “Next Gen”, spread mistruths that incumbent AV products are “signature only”, created bad press around independent testing organizations, and are probably working on new propaganda we haven’t seen yet.
It’s important to note that the term “Next Gen” has already seen widespread adoption in the industry, which is a shame, since it’s obviously biased. “Next Gen” implies newer and better, a notion that’s far from the truth. A more accurate and fair term would be “Anti Virus startup”.
If you want to know how you’re being protected, you’re going to have a hard time figuring out how most “Next Gen” products work; their blog posts and white papers are mostly just a string of marketing buzzwords. In many cases, their products are difficult to get hold of – you can’t simply buy a license and go download the installer. They claim it’s because they don’t want their intellectual property stolen. We have a term for that – security through obscurity.
What’s so “Next Gen” about ten year old ideas?
The fact is, all endpoint protection solutions use similar approaches (and again, I’m comparing all endpoint protection products here, not breach detection solutions, which are a totally different beast). Some products emphasize certain technologies or strategies more heavily than others. And although the technologies that are being dubbed “Next Gen” have been around for at least a decade, and were originally conceived and developed by “Traditional AV” vendors, “Next Gen” players are applying these technologies in their own way, and are doing a great job at it. Maybe by their own logic, we’re all “Next Gen”?
The fact is, “Next Gen” or not, these products are designed to protect endpoint systems against malicious attacks. And that’s great. Competition is good. Innovation is good. Attacking an old problem from a new angle is always welcome. It’s a positive thing for the industry that there’s a bunch of new players in the field. And they’ve done a great job at getting the word out to the general public that threats exist and protection is needed, especially with the growth we’ve seen in the cyber-crime industry and with targeted attacks becoming ever more widespread.
I’m not sure why “Next Gen” took it upon themselves to start out by fighting the industry. Regardless of their reasons, it’s not too late to change. I’d personally prefer we sit down, have a beer or three, share ideas, share data, and talk about how we can work together to make things safer and more secure for everyone.
Agree? Disagree? Tell me your opinion on Twitter!