No security solution can promise to identify every threat, block every zero-day exploit and scrub away every virus strain that strikes enterprise infrastructures, but with sufficient visibility into client performance, status and security posture, companies can better identify potential problems even if their anti-malware platform initially whiffs.
Administrators need real-time insight into the entire security posture of the systems under their charge, with status reports that extend beyond basic anti-virus or anti-spyware logging to help administrators identify a wide range of potential problems, such as firewall misconfigurations, missing patches (for both the operating system and applications), weak passwords, unnecessary services or incorrect encryption implementations. Ideally, these reports should be able to be correlated with the reports of other security solutions and should offer actionable response suggestions and processes.
As eWEEK Labs reviews of Microsofts FCS (Forefront Client Security), eEye Digital Securitys Blink Professional 3.0 and Kaspersky Labs Kaspersky Anti-Virus 6.0 show, some of the most interesting developments on this front are not coming from the usual suspects but from a collection of vendors coming at the problem from different backgrounds and through varied angles.
For years, a small cadre of anti-virus vendors has represented the lions share of enterprise anti-virus deployments. The anti-virus solutions from Symantec, McAfee, Trend Micro and CA have been the most prevalent, often in large part because the companies developed the most effective management platforms providing centralized policy control, signature distribution, and logging and alerting functionality for large organizations.
However, these companies have grown somewhat complacent through the years, and their technologies have gotten a little stale on their front-line security and management fronts. We believe these vendors efforts to expand their management offerings have been bogged down, in part, by the inevitable challenges inherent in choosing acquisition as a primary source for new core security technologies. These companies, in some cases, have had trouble shoehorning purchased technologies and products into their existing management infrastructures.
As an example of this ennui, Symantecs System Response Center has not changed significantly from versions 7.5 to 10.0 of the Symantec AntiVirus Solution—what seemed pretty good in 2000 doesnt meet customer needs in 2007. A few of the toptier vendors have taken steps to ameliorate the visibility gap through some key acquisitions of management technologies, but customers may grow impatient waiting for McAfee to bear fruit from Citadels Hercules assessment platform or for Symantec to figure out how Altiris fits into its already-overcrowded portfolio.
Healthy Competition
While the big boys slowly lurch toward the future, we are seeing a number of companies without much of an enterprise-grade anti-malware track record develop new technologies and foster new relationships that warrant a look from enterprise administrators who have grown dissatisfied with their existing solutions.
For Kevin Hayden, visibility into the infrastructure he oversees as desktop engineering manager for Analog Devices is of the utmost importance. Hayden requires automated reports and alerts to access the information he considers essential—for instance, high-level looks at infected machines across the network rather than infected files on particular machines. Although Hayden declined to reveal his previous solution provider, he indicated that his prior anti-virus vendor had once been known for its management platform but that the vendor could no longer provide his company with the insight it required.
Analog, of Norwood, Mass., is now halfway through a migration to Microsofts brand-new FCS anti-virus and anti-spyware platform. FCS relies heavily on several mature Microsoft management platforms to provide the level of management Hayden is looking for—Active Directory and Windows Server Update Services, for software and policy distribution, and MOM (Microsoft Operations Manager) and SQL Server, for data collection, alerting and reporting. According to Hayden, this collection of technology allows Microsoft to present him with a wide view of client security posture as well as drill-down details on malware infestations.
Soon after Haydens FCS pilot program started, Analog was hit with a new malware outbreak, which afforded Hayden the opportunity to compare the two solutions side by side. And Microsoft, with its reporting capabilities and nimble Premier Services support staff, won the showdown hands down.
“Forefront Client Security has been better than most other Microsoft Version 1 products weve tried,” said Hayden.
Smaller security companies, such as Kaspersky, have always faced a bit of a conundrum when it comes to the enterprise market. Kaspersky has led the charge to develop automated malware detection and signature creation tools and has implemented a lightning-fast response team that promises new signatures on an hourly basis. However, delivering these capabilities to enterprise customers requires a management infrastructure, and resources that Kaspersky spent developing that infrastructure meant fewer resources to devote to innovation on the security front. Now that Kaspersky has had a few generations to build out its central management platform (the Admin Kit), its solutions capacity for deploying client packages, malware signatures and policies has matured enough to meet enterprise customers expectations, as well as exceed expectations with beefed-up reporting capabilities.
In light of the time it takes to shepherd management components to maturity, we believe there are better avenues through which small security vendors should look to build out this functionality. For one, small security companies can strike up strategic partnerships to satisfy customer needs on the management side of things, perhaps by seeking an alliance with another security provider with a synergistic technology or with a security management purveyor such as BigFix. With these alliances, small security vendors can reinvest in their core competencies—security R&D.
To pursue this route, security vendors must commit to creating an open interface for their solutions that third parties can easily access via documented APIs. Vendors seeking partnerships should also try to adhere to commonly used operating system instrumentation, allowing third parties to get the lay of the land through common means.
In an example of this type of alliance, Norman recently partnered with eEye for the latest iteration of the Blink HIPS (host-based intrusion prevention system). The combination of Normans respected signature-based anti-malware detection and cleaning and eEyes vulnerability detection and HIPS prowess (not to mention its fine REM management platform) makes for a compelling aggregate solution.
Senior Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
