IT overhaul results in cheaper, better endpoint security management

Mark Hardcastle recently had the opportunity to try out new products and rebuild his IT systems from scratch. After much research, one endpoint security suite stood out from the others because it was easy to manage.

It is not often that companies get a chance to do a root-and-branch review of all their security tools, but a management buyout at GB Building Solutions Ltd provided an opportunity for a complete overhaul of its IT systems.

The buyout came about four years ago, when senior staff bought the building management business from parent company MJ Gleeson Group Plc. As part of the deal, they had use of Gleeson's IT systems for a year, but after that, they were on their own.

IT Manager Mark Hardcastle was recruited to develop the systems that would support the new business, which operates across approximately 30 sites, with 400 computer users. He undertook a major refresh of systems, removing the collaborative GroupWise platform from Novell Inc., moving to Microsoft Exchange, and installing an ERP system from Sage (UK) Ltd.

That kept him so busy that he stuck with existing security systems until this year, when they had reached the end of their three-year contracts.

Hardcastle had inherited antivirus systems from McAfee Inc., as well as Web security products from SurfControl Plc and email security services from MessageLabs Inc. Looking for ways to possibly trim costs, however, he decided to go out to the market and see if he could improve on what he had.

Although Hardcastle researched many multifunction security products, he focused on three popular vendors, in particular: McAfee Inc., Symantec Corp. and Sophos Plc. All three offer a combination of security features aside from antivirus, including email and Web filtering, plus endpoint protection. As Hardcastle admits, all of the products could have done the job.

He eventually selected the new integrated bundle of products from Sophos, called Sophos Security and Data Protection, which incorporates endpoint control features and encryption tools that Sophos added earlier this year when it partnered with German security company Utimaco Inc.

Although Hardcastle bought a single bundle from Sophos, the package itself consists of distinct products for each function -- the WS1000 Web security appliance, the PureMessage email security product, which integrates with Exchange, and the Endpoint Security product that is deployed on all PCs and handles antivirus and network access control.

NAC and endpoint security: The hard questions

Joel Snyder covers challenging endpoint security questions and explains how NAC technology can address them.

Because the Sophos WS1000 appliance manages all Web filtering, it meant Hardcastle could dispense with SurfControl, which he says "brought our costs down dramatically." Hardcastle, however, decided to maintain its MessageLabs email service along with PureMessage to both minimise the amount of spam hitting the mail server and provide a second line of defence.

As well as saving money, he says the main reason for choosing the Sophos products was ease of use, and the simple management consoles for Web, email and endpoint security. "We were looking for the easy management of our estate," says Hardcastle. "We wanted something that was easy to deploy, and we wanted to be able to tell if our computers had proper protection or not.

"The [Sophos product] tells us if there are any infections or suspicious files around. With the old McAfee products, we had to manage it a lot more. But now we find that with the Sophos management console, you can get to most things you want to do in one click from the front screen."

At the moment, each of the functions (email, endpoint and Web security) have their own management screens, although Sophos says these will be integrated into a single one in version 9.5, due out next April.

Hardcastle, though, is particularly impressed by the simplicity of the management consoles, which allow him to set granular Web access and endpoint policies within a couple of hours. For instance, he blocks Facebook during working hours, but allows it at lunchtimes. And he is slowly phasing in file encryption, starting with senior staff.

With 70% of the organisation's PCs being laptops, most users tend to work from different offices, on trains and in hotel rooms, and are provided with a 3G Vodafone connection via a VPN back to the corporate network. When they log on to the GB Building Solutions network, their systems are immediately checked to ensure patches and AV are up to date.

If the endpoint protection system detects that AV is out of date, the machine will be updated immediately. If no AV is detected, the machine is blocked and a message is sent to the user to contact the IT department.

The approach to patching is more relaxed. Provided that long-standing patches are not missing from users' computers, they are allowed to connect to the network and work without interruption. In the background, the systems checks with GB's Windows Server Update Services (WSUS) server to see if any new patches have been approved for release, and they will be applied while the user works.

No guest machines are allowed to connect to the network. "If someone comes from outside and needs a PC, we'll lend them one of ours to use," Hardcastle says.

With the new software in place, Hardcastle says he feels most of the transition work is now done. He may tweak some of the policies over time - including an extension of file encryption to more users - but he says the cost-saving and improved ease of management have made the project worthwhile.

Read more on Endpoint security