Many organizations face not only increased security risks but also increased regulatory requirements such as HIPAA or PCI DSS, both of which mandate that specific security measures be taken. These two factors result in more attention being paid to security at all levels and in organizations of all sizes. In addition, as security plays a greater role in IT purchasing and implementation decisions, there is an increase in centralized management and reporting to provide a holistic picture of corporate information security.
Endpoint security products are typically software suites that include anti-malware (anti-virus, anti-spyware), desktop firewall, host-based intrusion prevention (HIPS), device control, and application control features. The software runs on desktops, servers, and laptops, and increasingly on handhelds such as BlackBerry and Windows Mobile devices. These products also feature a central management console that is used for reporting and policy updates.
The general trend in the endpoint security market is to consolidate many separate security software products into one suite that can be centrally managed.
Can the market keep pace with the threats? The majority of spyware is propagated by spam or phishing emails pumped out by botnets, or by users unwittingly visiting webpages that automatically download malicious script files to exploit OS and application vulnerabilities and plant malware. According to Cyveillance, over 50% of today's web-borne malware goes undetected by the best-selling AV products.
My company, Sarrel Group, conducted an in-depth competitive analysis of endpoint security products offered by Cisco, McAfee, Trend Micro, eEye Digital Security, and Symantec in February 2008. Overall, we are pleased with recent advances in the market, particularly in increasing the robustness of solutions and adding greater centralized management and reporting capabilities.
As a result of the declining effectiveness of traditional AV solutions, configuration management and application white-listing/blacklisting are taking the endpoint protection market by storm. IT departments are tired of having to push signature updates with increasing frequency, and users are tired of the decreased system performance caused by traditional AV products that grow more bloated with every release. According to a report from Forrester Research, “with the rate of new malware emerging, soon the updating signature approach will no longer be fast enough or scalable enough. It is without question the time to look for alternative approaches.”
Application white-listing, the process of protecting systems by preventing the installation and execution of unapproved applications, is gaining momentum. The technology has been around for about 10 years but was traditionally considered too intrusive to be deployed to the general end-user population. White-listing is, in some ways, the opposite of traditional AV: instead of allowing anything to run except the known bad, white-listing allows only the known good. This prevents not only stealthy malware installation but also the installation of any application not pre-approved by IT.
While application white-listing may be cumbersome for power users who need many different applications, it is an excellent fit for environments that can be locked down without impeding users. The average user would be perfectly happy with only business productivity applications such as MS Office, an email client such as MS Outlook, and a Web browser such as Firefox or Internet Explorer. In retail, there is no reason for a point-of-sale system to run anything other than POS software, so lock that puppy down with application white-listing. The same goes for call centers where employees only require access to a few Web-based apps.
Just like traditional AV, application white-listing is not a perfect solution, because white-listed applications can still be exploited. For example, an Internet Explorer vulnerability can be exploited in memory: the attacker's code runs inside an already-approved process and never lands on disk as a new executable, so the white-list has nothing to block. For this reason, defense-in-depth—combining AV scanning, HIPS, white-listing, vulnerability assessment, and patch management to protect endpoints—is the strongest solution to current and future malware problems.
Sarrel’s Vendor Short List – Current Leaders
Endpoint Protection 11 – Symantec, www.symantec.com
No discussion of endpoint protection would be complete without mentioning Symantec. EPP 11, as the product is affectionately called, wraps anti-virus, anti-spyware, firewall, HIPS, and device and application control in a single endpoint agent. The first iteration of EPP 11 suffered from client performance issues, but Symantec has since streamlined its processes to offer first-rate protection more efficiently. The client agent is highly configurable via the centralized management console. Security policy can be applied by user, group, or machine type, giving you the ability to dictate, for example, that laptops can only connect to secured access points. Administrators can also build application white-lists and blacklists.
VirusScan Enterprise – McAfee, www.mcafee.com
McAfee offers a slew of products that can be combined to provide solid endpoint protection: McAfee AntiSpyware Enterprise, McAfee Host Intrusion Prevention, McAfee Network Access Control, McAfee Policy Auditor, McAfee VirusScan, and McAfee Application Control. This allows for a flexible approach to endpoint protection but also creates unnecessary complexity. Everything is managed centrally from McAfee ePolicy Orchestrator 4.5. I find the ePO interface to be unintuitive, but McAfee has built a loyal customer base over the years, so obviously someone likes it. Application Control is a mature application white-listing module that ensures only trusted software can run on endpoints.
Trend Micro Enterprise Security Platform – Trend Micro, us.trendmicro.com
The success of Trend Micro Enterprise Security solutions is driven by the Smart Protection Network, a cloud-client infrastructure that combines reputation technology, feedback loops, and research from TrendLabs to deliver real-time protection from today's blended threats. Endpoint protection is available in several separate modules that can be combined to provide anti-malware, HIPS, DLP, web threat protection, firewall, and patch and power management. Everything can be managed from a central Web-based console. Interestingly, Trend Micro is the only endpoint security vendor listed here that doesn't include application white-listing features.
Sarrel’s Vendor Short List – Three Disruptors
Retina CS – eEye Digital Security, www.eeye.com
eEye Digital Security has been a force in the vulnerability assessment market for years. The combination of vulnerability assessment, application white-listing, configuration management, anti-virus, and HIPS, plus the snazzy new Flash-based management interface for Retina CS, causes me to reclassify eEye as a disruptor rather than a traditional AV vendor. This is a single solution comprehensive enough to constitute its own defense-in-depth strategy.
Bouncer – CoreTrace, www.coretrace.com
The principle behind CoreTrace's Bouncer is to allow only known-good applications to run on endpoints, and to do so in a way that is less obtrusive to users and easier for IT staff to manage centrally. The solution is being quickly adopted in the electrical utility space to secure control systems. It is rolled out as a 2U rack-mounted appliance that is managed via RDP over the network. A key component of Bouncer's success is TrustedChange, a feature that allows IT departments to predefine the conditions under which new applications are automatically white-listed. This eases the administrative burden of implementing an application white-listing solution.
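To make the white-listing decision described in the earlier section concrete, together with the TrustedChange-style idea of pre-approved conditions under which a new binary is white-listed automatically, here is an added example of a toy allow-list enforcer. It is not code from CoreTrace or any other vendor on this page. The process names, file paths, and the byte strings standing in for executables are all constructed for the example, and the rule that trusts whatever an approved updater writes is an assumed policy for illustration, not a description of how Bouncer or any product on this page actually works.

```python
"""Toy application allow-list ('white-list') enforcer.

Added example; not code from CoreTrace or any vendor on this page.
Models the decision an allow-listing agent makes when a binary is about
to execute:
  1. SHA-256 of the file is on the known-good list      -> ALLOW
  2. unknown file, but written by a pre-approved updater -> ALLOW-AUTO
     (a TrustedChange-style rule, assumed here for illustration)
  3. anything else                                       -> BLOCK
"""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for executables. A real agent hashes the bytes
# of the file on disk; these strings only need to differ from each other.
POS_APP = b"MZ...fake-pos-software-v1"
POS_APP_V2 = b"MZ...fake-pos-software-v2"
POS_TROJANED = b"MZ...fake-pos-software-v1+backdoor"
KEYLOGGER = b"MZ...fake-keylogger"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ExecEvent:
    path: str          # where the binary lives (constructed paths below)
    contents: bytes    # what is about to be mapped and run
    written_by: str    # process that created or last modified the file


@dataclass
class AllowList:
    hashes: set = field(default_factory=set)             # known-good digests
    trusted_updaters: set = field(default_factory=set)   # assumed policy
    audit: list = field(default_factory=list)

    def decide(self, ev: ExecEvent) -> str:
        digest = sha256_hex(ev.contents)
        if digest in self.hashes:
            verdict = "ALLOW"
        elif ev.written_by in self.trusted_updaters:
            # Pre-approved change path: the new binary is added to the
            # list without a help-desk ticket. The cost: whatever the
            # updater writes is trusted, so a real product must identify
            # the updater by more than a process name.
            self.hashes.add(digest)
            verdict = "ALLOW-AUTO"
        else:
            verdict = "BLOCK"
        self.audit.append((ev.path, digest[:12], ev.written_by, verdict))
        return verdict


def run_demo() -> list:
    """Locked-down point-of-sale endpoint: one approved binary, one approved updater."""
    policy = AllowList(hashes={sha256_hex(POS_APP)},
                       trusted_updaters={"patchagent.exe"})
    events = [
        # baseline POS software: hash is known-good
        ExecEvent(r"C:\POS\pos.exe", POS_APP, "installer.exe"),
        # same path, different bytes: a path rule would pass this, a hash rule does not
        ExecEvent(r"C:\POS\pos.exe", POS_TROJANED, "explorer.exe"),
        # drive-by download dropped by the browser: unknown file, untrusted writer
        ExecEvent(r"C:\Temp\svchost.exe", KEYLOGGER, "iexplore.exe"),
        # sanctioned update delivered by the approved patch agent
        ExecEvent(r"C:\POS\pos.exe", POS_APP_V2, "patchagent.exe"),
        # the update is now known-good regardless of who launches it
        ExecEvent(r"C:\POS\pos.exe", POS_APP_V2, "explorer.exe"),
        # the flip side of automatic approval: anything the updater writes is trusted
        ExecEvent(r"C:\Temp\helper.exe", KEYLOGGER, "patchagent.exe"),
    ]
    return [policy.decide(e) for e in events]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The second event is why hash-based rules beat path-based ones: a trojaned copy at the approved path is still a different file. The last event shows what automatic approval costs: once a process is a trusted updater, everything it writes is allowed, so that process becomes the attacker's target and must be identified by more than its name. And, as the earlier section notes, none of this fires when an approved process is exploited in memory, because no new file is ever written.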
FireEye Malware Protection System – FireEye, www.fireeye.com
The FireEye Malware Protection System is not directly an endpoint security solution, but the technology it uses to protect your endpoints makes it a disruptor that should be on your radar. A large and growing threat to endpoint security is botnet-related: bots download malware to infect local machines and then report back to a command-and-control infrastructure, from which they can be used to infect other machines or send spam and phishing attacks. The FireEye Malware Protection System inspects network traffic to capture suspicious packets and reassembles them for inspection and evaluation. Attacks are then replayed in virtual machines to determine whether they should be blocked. So, it is live malware testing in a simulated endpoint environment running on a network appliance, which makes it a strong complement to any of the other endpoint security products mentioned here.
Whichever solution or solutions you choose to run may not be as important as simply choosing to run one. The different approaches to fighting malware on the market today may or may not work for your business. And, as much as we'd all like a single solution with a single management interface for protecting endpoints, you must evaluate each solution in the context in which it will be used and pilot-test it before rolling it out widely.
Matt Sarrel is executive director of Sarrel Group, a technology product test lab, editorial services and consulting practice specializing in gathering and leveraging competitive intelligence. He has over 20 years of experience in IT and focuses on high-speed large scale networking, information security, and enterprise storage. E-mail [email protected], Twitter: @msarrel.