Endpoint security is changing at a breathtaking pace. For more
than a decade, signature-based antivirus was sufficient for most
companies.
A couple of years ago, spyware emerged as a business-level
threat, and pure-play companies like Webroot and PestPatrol (now
CA) scrambled to bring centrally managed products to market, while
traditional antivirus vendors played catch-up.
That was just the start of the endpoint security revolution.
While spyware was initially considered more of a production/help
desk issue than a security concern, the criminal world has turned
the threat environment on its ear.
"From two years ago, there was a 180 in how
malware and virus writers--kids working out of their basement
seeking notoriety--approached the industry," said David Frazer,
director of technical services at Helsinki-based AV firm F-Secure
Corp. "Now we have professional virus writers; they have
quality assurance and R&D, developing blended threats and targeted
attacks aimed at specific users."
Host-based
intrusion prevention systems (HIPS) are at the heart of the
security industry response. Traditional signature-based antivirus
and antispyware don't detect zero-day exploits or targeted,
custom-tailored attacks. There are several approaches; some
intercept calls to the OS when programs execute and develop a
baseline of normal activity; others use pre-execution protocol
analysis, while still others use a sandbox approach, letting
suspect programs execute in a protected environment. The common
theme is detection that goes beyond signatures.
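An added illustration of the baseline-of-normal-activity approach the paragraph describes (example code written for this page, not any vendor's product): a learning phase records which operations each program performs and on what, and a monitoring phase flags anything outside that baseline. The event format and the sample events are constructed.

```python
from collections import defaultdict

# Constructed event lines in an assumed "program,operation,target" format.
# Learning phase: what the word processor normally does on this host.
BASELINE_EVENTS = r"""
winword.exe,file_read,C:\Users\alice\report.docx
winword.exe,file_write,C:\Users\alice\report.docx
winword.exe,registry_read,HKCU\Software\Microsoft\Office
winword.exe,net_connect,update.example.invalid:443
"""

# Monitoring phase: the same program after a user opened a suspect document.
MONITOR_EVENTS = r"""
winword.exe,file_read,C:\Users\alice\memo.docx
winword.exe,process_create,cmd.exe
winword.exe,file_write,C:\Users\alice\AppData\Roaming\x.exe
winword.exe,net_connect,update.example.invalid:443
"""


def parse_events(text):
    """Turn the constructed log text into (program, operation, target) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        program, operation, target = line.split(",", 2)
        events.append((program, operation, target))
    return events


def normalize(target):
    """Generalize a target so the baseline does not overfit to one file name:
    keep the directory for paths and registry keys, the host for host:port."""
    if "\\" in target:
        return target.rsplit("\\", 1)[0]
    if ":" in target:
        return target.split(":", 1)[0]
    return target


def build_baseline(events):
    """Learning phase: per program, the set of (operation, normalized target) seen."""
    baseline = defaultdict(set)
    for program, operation, target in events:
        baseline[program].add((operation, normalize(target)))
    return baseline


def detect_deviations(baseline, events):
    """Monitoring phase: return every event that falls outside the program's baseline."""
    return [(p, op, t) for p, op, t in events
            if (op, normalize(t)) not in baseline.get(p, set())]


def run_demo():
    """Learn from BASELINE_EVENTS, then check MONITOR_EVENTS; returns the alerts."""
    baseline = build_baseline(parse_events(BASELINE_EVENTS))
    return detect_deviations(baseline, parse_events(MONITOR_EVENTS))
```

Reading another document in the same folder and contacting the usual update host pass silently; spawning a shell and writing an executable into the roaming profile are flagged, with no signature involved.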
Once a nice-to-have-if-you-can-afford-it technology featuring
players like Okena, Entercept, Harris and Sana Security, HIPS is
rapidly becoming a staple for desktop and server security.
All the major antivirus vendors have comprehensive endpoint
security solutions that include HIPS, including Symantec and McAfee
(from Entercept), the 800-pound gorillas in the market, and
competitors like Trend Micro, CA, Sophos and F-Secure. So do Cisco
Systems (from Okena), eEye Digital Security and Internet Security
Systems (ISS, now part of IBM). eEye and ISS have added
signature-based detection to round out their packages.
Some companies offer HIPS a la carte or as part of a more or
less integrated endpoint security package, while others consider it
an integral part of their solution.
Those packages are typically one-stop shopping for your
endpoints. They typically include centrally managed client
firewall, application usage control and content filtering--and
sometimes antispam and antiphishing tools. The bottom line is one
product to manage.
Consider a metropolitan-area health care organization that
includes several hospitals and is about to put eEye's Blink on at
least 15,000 desktop and server seats.
"Blink adds a number of additional protection measures beyond just
antivirus: HIPS, identity theft protection, antiphishing,
identification and system firewall, application protection,
executable protection," said the organization's security manager,
who prefers to remain anonymous.
"A key point is local vulnerability assessment," he said.
"Machines can scan themselves and report home, and reporting that
assessment is a very small payload compared to size over wire. It's
less intrusive than network scanning."
"There's a very palpable change in what administrators are
looking for in an endpoint security offering," said Ron O'Brien,
Sophos senior security analyst. "At a recent show, they were
talking about having one company for antivirus, one for spyware,
one for productivity filter, one for application control--managing
different consoles, different agents. Using a single scan, looking
from a single seems to resonate."
Brian Troudy, senior network administrator for the Walnut Valley
(California) School District, decided his desktop antivirus wasn't
enough for his 4,000 desktops.
"It was more virus location software than antivirus--great at
detecting but miserable to remove them," said Troudy, who is
replacing his traditional antivirus with ISS Proventia Desktop on
both employee and school lab desktops. "I went to see what else was
there--something that offered more end-to-end desktop security and
help with desktop performance."
"We chose a non-traditional path, and it's proving very helpful
to us," said the health care organization security manager. "It
will complement antivirus in the beginning; it adds another layer,
defense in depth. But we're looking at replacement; we feel
comfortable that Blink is robust enough."
The ability to feed into network security tools is another sweet
spot for the new generation of endpoint products.
"The biggest thing for me was that Cisco had several systems
that work together--MARS (SIEM), ASA (Network) IPS," said Carl
Goodman, IS manager for California-based Premier Valley Bank, which
decided on Cisco Security Agent, along with the other Cisco
security tools. "Other tools take reporting from CSA--from that
standpoint alone, it makes sense. False positives are eliminated.
The fact that we have it all tied together and reported at one
location, with 24x7 monitoring, is pretty valuable."
"We're often asked about SIM/SEM," said John Engels, Symantec
group product manager. "That roll-up is important. Critical
Security's host IDS can send out real-time information to
SIMs."
"You need to think of endpoints in terms of the incredibly
valuable data coming from them," said Pat Booth, director for
threat management products, which recently launched its HIPS
product. "Even if I stop something, I want to capture events and do
some analysis."
The initial market for early HIPS products was select
enterprises that tended to be on the cutting edge, but that may be
changing as organizations start to see the benefits of HIPS and
other endpoint security applications rolled up with signature-based
tools.
"It's been large enterprises among the customers we've been
seeing until late last year," said Symantec's Engels.
"Increasingly, it's been smaller and smaller customers."
"A lot of people know they need antivirus, but as threats get
more and more complex, they get a lot of noise," said Curtis
Cresta, F-Secure vice president and general manager for North
America. "Enterprise customers get it--they have a staff of security
people. It's harder towards mid-tier and SMB; they have constant
pressure to do a whole bunch of things, only one of which is
security."
"Customers are struggling to understand--it's a difficult market
to understand; it's a lot more complex to parse this market than
the antivirus world," said eEye CEO Ross Brown. "The tribal
knowledge among security professionals and end users isn't quite
there yet. But go to customers with a single agent that does security
at the same price, and it's easy for them to wrap their heads
around."