When signature-based antivirus isn't enough
Zero-day exploits, targeted attacks and increasing demands for endpoint application controls are driving the rapid metamorphosis from signature-based antivirus and antispyware to HIPS-based integrated products.
Endpoint security is changing at a breathtaking pace. For more than a decade, signature-based antivirus was sufficient for most companies.
A couple of years ago, spyware emerged as a business-level threat, and pure-play companies like Webroot and PestPatrol (now CA) scrambled to bring centrally managed products to market, while traditional antivirus vendors played catch-up.
That was just the start of the endpoint security revolution. While spyware was initially considered more of a production/help desk issue than a security concern, the criminal world has turned the threat environment on its ear.
"From two years ago, there was a 180 in how malware and virus writers--kids working out of their basement seeking notoriety--approached the industry," said David Frazer, director of technical services at Helsinki-based antivirus firm F-Secure Corp. "Now we have professional virus writers; they have quality assurance and R&D, developing blended threats and targeted attacks aimed at specific users."
Host-based intrusion prevention systems (HIPS) are at the heart of the security industry's response. Traditional signature-based antivirus and antispyware don't detect zero-day exploits or targeted, custom-tailored attacks, because a signature can only describe something that has already been seen. There are several approaches: some intercept the calls a program makes to the OS as it executes and compare them against a baseline of normal activity; others analyze code or protocol behavior before execution; still others use a sandbox approach, letting suspect programs execute in a protected environment where their behavior can be observed. The common theme is detection that goes beyond signatures.
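The contrast between the two detection models can be shown in a few dozen lines. The following is an added example written for this page, not code from the article or from any vendor product it names: a hash-based signature check beside a toy HIPS-style detector that learns the OS call sequences (n-grams) a program produces in known-good runs and scores later runs by how many of their sequences were never seen. The byte strings, the call traces and the NtXxx call names are all constructed for the demonstration.

```python
"""Signature vs. behaviour (HIPS-style) detection, side by side.

Added example, not code from the article or from any vendor product it names.
Every byte string and call trace below is constructed for the demonstration;
the NtXxx names are stand-ins for whatever OS calls a real agent hooks.
"""
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

# ---------------------------------------------------------------------------
# 1. Signature-based detection: matches only what has already been seen.
# ---------------------------------------------------------------------------
KNOWN_BAD_SAMPLE = b"MZ\x90\x00 constructed dropper payload-v1"
# A repacked or recompiled variant: functionally the same attack, new hash.
REPACKED_SAMPLE = KNOWN_BAD_SAMPLE.replace(b"v1", b"v2")

SIGNATURE_DB: Set[str] = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}


def signature_match(sample: bytes, db: Set[str] = SIGNATURE_DB) -> bool:
    """True only if the sample's SHA-256 is already in the signature database."""
    return hashlib.sha256(sample).hexdigest() in db


# ---------------------------------------------------------------------------
# 2. Behaviour-based detection: the agent records the OS calls a process
#    makes, learns the short call sequences (n-grams) seen in known-good runs,
#    and scores later runs by how many of their sequences were never seen.
# ---------------------------------------------------------------------------
Trace = List[str]
Gram = Tuple[str, ...]


def ngrams(trace: Trace, n: int) -> Iterable[Gram]:
    """Sliding window of n consecutive calls."""
    return (tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))


def build_baseline(normal_runs: Iterable[Trace], n: int = 3) -> Set[Gram]:
    """Collect every call n-gram observed while the program behaved normally."""
    baseline: Set[Gram] = set()
    for run in normal_runs:
        baseline.update(ngrams(run, n))
    return baseline


def anomaly_score(trace: Trace, baseline: Set[Gram], n: int = 3) -> float:
    """Fraction of this run's n-grams absent from the baseline (0.0 .. 1.0)."""
    grams = list(ngrams(trace, n))
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in baseline)
    return unseen / len(grams)


def is_anomalous(trace: Trace, baseline: Set[Gram], n: int = 3,
                 threshold: float = 0.5) -> bool:
    """Flag the run if at least `threshold` of its call sequences are unseen."""
    return anomaly_score(trace, baseline, n) >= threshold


# Constructed traces for a document editor. Three clean runs form the baseline.
NORMAL_EDITOR_RUNS: List[Trace] = [
    ["NtCreateFile", "NtReadFile", "NtWriteFile", "NtClose"],
    ["NtCreateFile", "NtReadFile", "NtReadFile", "NtWriteFile", "NtClose"],
    ["NtCreateFile", "NtQueryInformationFile", "NtReadFile", "NtClose"],
]
# A normal run whose exact sequence was not in the training set.
BENIGN_VARIANT_RUN: Trace = [
    "NtCreateFile", "NtQueryInformationFile", "NtReadFile", "NtWriteFile", "NtClose",
]
# The same editor after opening a booby-trapped document: it spawns a process,
# writes into another process and starts a thread there (classic injection).
EXPLOITED_EDITOR_RUN: Trace = [
    "NtCreateFile", "NtReadFile", "NtCreateProcess", "NtOpenProcess",
    "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx",
    "NtDeviceIoControlFile", "NtClose",
]


def run_demo() -> Dict[str, object]:
    """Exercise both detectors and return the verdicts for inspection."""
    baseline = build_baseline(NORMAL_EDITOR_RUNS)
    return {
        "signature_catches_known": signature_match(KNOWN_BAD_SAMPLE),      # True
        "signature_catches_variant": signature_match(REPACKED_SAMPLE),     # False
        "behaviour_score_exploited": anomaly_score(EXPLOITED_EDITOR_RUN, baseline),  # 1.0
        "behaviour_flags_exploited": is_anomalous(EXPLOITED_EDITOR_RUN, baseline),   # True
        "behaviour_score_benign_variant": round(anomaly_score(BENIGN_VARIANT_RUN, baseline), 3),  # 0.333
        "behaviour_flags_benign_variant": is_anomalous(BENIGN_VARIANT_RUN, baseline),  # False
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:32} {verdict}")
```

Two things the numbers show. First, changing two bytes of the sample defeats the hash signature outright, while the exploited run scores 1.0 because every one of its call sequences is new to the baseline, regardless of what the binary looks like. Second, the benign variant run still scores about 0.33: a baseline built from only three runs does not cover all normal behavior, which is exactly where behavioral products generate the false positives and "noise" the administrators quoted later in this piece complain about. Real agents hook far more than file calls, learn over a training period and tune thresholds per application; the trade-off between baseline coverage and alert volume is the same.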
Once a nice-to-have-if-you-can-afford-it technology featuring players like Okena, Entercept, Harris and Sana Security, HIPS is rapidly becoming a staple for desktop and server security.
All the major antivirus vendors now offer HIPS, including Symantec and McAfee (whose HIPS came from Entercept), the 800-pound gorillas in the market, and competitors like Trend Micro, CA, Sophos and F-Secure. In addition, Cisco Systems (from Okena), eEye Digital Security and Internet Security Systems (ISS, now part of IBM) have comprehensive endpoint security solutions that include HIPS. eEye and ISS have added signature-based detection to round out their packages.
Some companies offer HIPS a la carte or as part of a more or less integrated endpoint security package, while others consider it an integral part of their solution.
Those packages are typically one-stop shopping for your endpoints. They usually include a centrally managed client firewall, application usage control and content filtering--and sometimes antispam and antiphishing tools. The bottom line is one product to manage.
Consider a metropolitan-area health care organization that includes several hospitals; it is about to put eEye's Blink on at least 15,000 desktop and server seats.
"Blink adds a number of additional protection measures beyond just antivirus: HIPS, identity theft protection, antiphishing, identification and system firewall, application protection, executable protection," said the organization's security manager, who prefers to remain anonymous.
"A key point is local vulnerability assessment," he said. "Machines can scan themselves and report home, and reporting that assessment is a very small payload compared to the size over the wire. It's less intrusive than network scanning."
"There's a very palpable change in what administrators are looking for in an endpoint security offering," said Ron O'Brien, Sophos senior security analyst. "At a recent show, they were talking about having one company for antivirus, one for spyware, one for a productivity filter, one for application control--managing different consoles, different agents. Using a single scan, looking from a single [console], seems to resonate."
Brian Troudy, senior network administrator for the Walnut Valley (California) School District, decided his desktop antivirus wasn't enough for his 4,000 desktops.
"It was more virus location software than antivirus--great at detecting them but miserable at removing them," said Troudy, who is replacing his traditional antivirus with ISS Proventia Desktop on both employee and school lab desktops. "I went to see what else was there--something that offered more end-to-end desktop security and help with desktop performance."
"We chose a non-traditional path, and it's proving very helpful to us," said the health care organization's security manager. "It will complement antivirus in the beginning; it adds another layer, defense in depth. But we're looking at replacement; we feel comfortable that Blink is robust enough."
The ability to feed into network security tools is another sweet spot for the new generation of endpoint products.
"The biggest thing for me was that Cisco had several systems that work together--MARS (SIEM), ASA (Network) IPS," said Carl Goodman, IS manager for California-based Premier Valley Bank, which decided on Cisco Security Agent along with the other Cisco security tools. "Other tools take reporting from CSA--from that standpoint alone, it makes sense. False positives are eliminated. The fact that we have it all tied together and reported at one location, with 24x7 monitoring, is pretty valuable."
"We're often asked about SIM/SEM," said John Engels, Symantec group product manager. "That roll-up is important. Critical Security's host IDS can send out real-time information to SIMs."
"You need to think of endpoints in terms of the incredibly valuable data coming from them," said Pat Booth, director for threat management products, which recently launched its HIPS product. "Even if I stop something, I want to capture events and do some analysis."
The initial market for early HIPS products was select enterprises that tended to be on the cutting edge, but that may be changing as organizations start to see the benefits of HIPS and other endpoint security applications rolled up with signature-based tools.
"It's been large enterprises among the customers we've been seeing until late last year," said Symantec's Engels. "Increasingly, it's been smaller and smaller customers."
"A lot of people know they need antivirus, but as threats get more and more complex, they get a lot of noise," said Curtis Cresta, F-Secure vice president and general manager for North America. "Enterprise customers get it--they have a staff of security people. It's harder toward the mid-tier and SMB; they have constant pressure to do a whole bunch of things, only one of which is security."
"Customers are struggling to understand--it's a difficult market to understand; it's a lot more complex to parse this market than the antivirus world," said eEye CEO Ross Brown. "The tribal knowledge among security professionals and end users isn't quite there yet. But go to customers with a single agent that does security at the same price, and it's easy for them to wrap their heads around."