Security Vendors Revamp Desktop Suites

As host protection concerns evolve to include data loss prevention, vendors are busily enhancing their offerings.

December 15, 2007


Five security vendors--Cisco Systems, Check Point, IBM, McAfee, and Symantec--have spent more than $3.7 billion over the past two years acquiring companies and products to support their vision of holistic threat management. This frenzy stems from the spurious notion that your entire infrastructure, your applications, your policies, your processes, and your people can mesh into a unified threat management framework that will ward off intruders, malicious insiders, petulant auditors, and ignorant users.

It's a compelling vision and an ideal goal. It's also impossible.


Threats change, new compliance initiatives emerge, companies launch new businesses that entail new risks, and startups create innovative alternative products. As vendors spend billions of dollars to snap up new capabilities and stitch them together, the market continues to fragment.

Consider Symantec's Endpoint Protection Software, launched with great fanfare in September. Version 11, a complete overhaul of the vendor's host security software, tightly integrates a set of disparate functions--including malware blocking, a personal firewall, host intrusion prevention, application control, and device control--into a single agent.

Endpoint Protection 11 was designed to compete with McAfee's endpoint security software, thanks to improved integration of the various software components and a smaller footprint that consumes fewer system resources than previous versions. However, because version 11 must be installed and the previous version removed, other vendors have seized the opportunity: If a customer is going to pull a product off the desktop anyway, why not look at other options? Anti-malware vendor Sophos, for instance, announced in June that General Electric had chosen its Endpoint Security and Control 7.0 to run on up to 350,000 PCs and servers. What wasn't announced was that GE swapped out Symantec.

There's a strong undercurrent of discontent with the incumbent security vendors, strong enough that large customers are more open to products from what have been considered second-tier vendors, including Kaspersky Lab, Panda Security, and Sophos. "Everyone in the enterprise world is saying, 'I thought this was fixed,' but it isn't fixed," says Nick Selby, research director for the enterprise security practice of the 451 Group. "We are getting infected by things we've never been infected by before."

Big enterprises, Selby adds, can often get better customer service and faster support from smaller vendors, and even more "efficacious product."

A security executive at a publicly traded cosmetics company rattled off a litany of complaints against Symantec AntiVirus Corporate Edition 10.2, including difficulties keeping laptops updated when they were off the corporate network. With Sophos, he reports that 99% of his machines are up to date.

He also says the Symantec product's reporting was horrendous. "Simple things like how many machines are infected or how many viruses did we stop: Without Herculean effort, it was impossible to find that out," he says. Note that independent reviews of Endpoint Protection 11 have described significant improvements in management and reporting interfaces over previous versions.

To be fair, Sophos has also engaged in its share of FUD. John Shaw, the vendor's director of product management for endpoints, claims that customers can't run an older version of the Symantec software while they install version 11, leaving the machines unprotected. Symantec says that's simply not true.

Sophos will have to do more than make claims to topple Symantec, which still leads all security vendors on the desktop, with 38% of the worldwide market for antivirus software, according to Gartner. But GE's move is a punch in the gut for Symantec as well as McAfee, which also has lost at least one large customer to Sophos. And more blows may follow. "GE is just the tip of the iceberg," says Selby.

But the market is demanding far more than just classic antivirus protection as the very nature of threats has changed. Polymorphic viruses and malware can't be stopped by signature matching and require anomaly detection; data privacy regulations require that laptops and smartphones be locked down to prevent data loss, and enterprise customers want to manage it all with a single agent on a laptop run from a single management console.

chart: Symantec's Acquisitions

Top Illustration By Mick McGinty

STOPPING DATA LEAKERS

So how do incumbent vendors plan to hold their ground? With open checkbooks. Check Point, Cisco, McAfee, and Symantec have invested heavily in data leak prevention (DLP) over the past two years and are working feverishly to integrate the technology into their threat management portfolios. With good reason: More than 216 million personally identifiable data records have been exposed in the United States since 2005, according to the Privacy Rights Clearinghouse.

Symantec's $350 million purchase of Vontu brought network- and endpoint-based DLP technology into its portfolio. McAfee's $20 million purchase of Onigma and its endpoint DLP protection complements its internally developed network DLP product.

Both Symantec's and McAfee's network and host DLP products create fingerprints of sensitive data. The products then monitor outbound traffic for content that matches the fingerprint database and apply administrator-defined policies, such as quarantining. The endpoint products provide the same function and can be used to enforce leak policies even when the machine isn't connected to the company network.

These fingerprint-based DLP products aren't specifically mandated by regulations, but vendors are positioning them as compliance-friendly. Symantec also hints that DLP should be part of an information life-cycle management system, the domain of its Veritas storage products. Indeed, organizations face just as many requirements for information storage and archiving as they do for protecting live data. In Symantec's vision, administrators will be able to set policies on information as it's created and used by employees and partners, as well as policies that follow the same data through to its final disposition in an archive, where it will be stored according to requirements for e-discovery and record retention.

Like holistic risk management, global data life-cycle management is a grand vision and an ideal goal, but one whose implementation will require massive integration among myriad products.

Check Point and McAfee also have spent big--nearly $1 billion combined--on software that can encrypt local drives and control the use of removable media, such as USB drives. These technologies work hand in glove with DLP to protect data on roving devices. Encryption requirements also are found in most regulations, including PCI and the Health Insurance Portability and Accountability Act. Many state breach notification laws also include an encryption exemption.

chart: McAfee's Acquisitions

McAfee's data protection product suite leads the pack, with coverage for the network and endpoints. McAfee offers endpoint encryption as well, though the company has yet to integrate SafeBoot, the encryption software, into ePolicy Orchestrator, its flagship management console. Symantec lacks an endpoint encryption capability of its own.

Check Point Software Technologies says it focused first on endpoint encryption because more and more organizations are issuing laptops to users, and lost or stolen laptops are one significant way that sensitive data is lost. The company is working to integrate the software of recently acquired Pointsec with its Integrity Secure client, an endpoint security product that includes host intrusion prevention, a firewall, anti-spyware, and remote network access. It also plans to have Pointsec integrated into SmartCenter, the centralized management console for Check Point products, by the second half of 2008.

chart: Check Point Acquisitions

Of course, once the Pointsec integration is complete, Check Point will likely have more capabilities to add. Without fingerprint-based DLP technology, the vendor can't claim to have a robust leak prevention capability.

Check Point plans to have fingerprint-based DLP products, whether through acquisition or internal development. The company declined to provide specifics, other than to say Check Point would make an announcement in the first half of 2008.

Cisco's $830 million acquisition of messaging gateway vendor IronPort was driven in strong measure to help bring a DLP product to its portfolio. IronPort can scan outbound traffic for structured data, such as credit card numbers. It can also enforce policies, by encrypting messages, for instance, that contain sensitive data.
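The two detection styles described in this article, fingerprint matching of known sensitive documents (the Symantec and McAfee approach above) and pattern scanning for structured data such as credit card numbers (the IronPort approach just described), can be sketched in a few dozen lines. The following is an added example written for this article, not code from any of the vendors named; the shingle size, the policy thresholds, the "quarantine" and "encrypt" actions, and the sample documents and messages are all constructed assumptions. The card number used is the widely published Visa test number, so no real account is involved.

```python
"""Toy outbound DLP scanner: document fingerprints plus structured-data detection.
Constructed example; not any vendor's implementation."""
import hashlib
import re

SHINGLE_WORDS = 6  # words per fingerprint shingle (assumed; products tune this)

# Administrator-defined policies (constructed for the example).
POLICIES = {
    "fingerprint": {"threshold": 0.3, "action": "quarantine"},
    "card_number": {"action": "encrypt"},
}


def _normalize(text: str) -> list[str]:
    """Lower-case and drop punctuation so reformatting doesn't defeat matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str) -> set[str]:
    """Hash every run of SHINGLE_WORDS consecutive words.
    Only truncated hashes are stored, so the fingerprint database itself
    does not contain the sensitive text."""
    words = _normalize(text)
    shingles = set()
    for i in range(len(words) - SHINGLE_WORDS + 1):
        chunk = " ".join(words[i:i + SHINGLE_WORDS])
        shingles.add(hashlib.sha256(chunk.encode()).hexdigest()[:16])
    return shingles


def fingerprint_match(message: str, database: set[str]) -> float:
    """Fraction of the message's shingles that appear in the fingerprint database."""
    shingles = fingerprint(message)
    if not shingles:
        return 0.0
    return len(shingles & database) / len(shingles)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; cuts false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_card_numbers(message: str) -> list[str]:
    """Return candidate card numbers (digits only) that pass the Luhn check."""
    found = []
    for m in PAN_RE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_outbound(message: str, database: set[str]) -> list[dict]:
    """Run both detectors and map hits to the administrator-defined action."""
    verdicts = []
    score = fingerprint_match(message, database)
    if score >= POLICIES["fingerprint"]["threshold"]:
        verdicts.append({"detector": "fingerprint", "score": round(score, 2),
                         "action": POLICIES["fingerprint"]["action"]})
    pans = find_card_numbers(message)
    if pans:
        verdicts.append({"detector": "card_number", "count": len(pans),
                         "action": POLICIES["card_number"]["action"]})
    return verdicts


# Constructed sample data: one "sensitive" document registered with the scanner,
# and three outbound messages (benign, a partial leak, and one carrying a card number).
SENSITIVE_DOC = (
    "Project Falcon merger term sheet. Acme will acquire Widgetco for 420 million "
    "dollars in cash and stock, closing expected in the second quarter, subject to "
    "regulatory approval and a shareholder vote scheduled for March."
)
DATABASE = fingerprint(SENSITIVE_DOC)

OUTBOUND = {
    "benign": "Lunch on Thursday? The cafeteria has the taco bar again.",
    "leak": ("FYI, heard that Acme will acquire Widgetco for 420 million dollars "
             "in cash and stock, closing expected in the second quarter."),
    "card": ("Customer paid with card 4111 1111 1111 1111, exp 12/09. "
             "Ref 4111 1111 1111 1112 is a typo."),
}

if __name__ == "__main__":
    for name, msg in OUTBOUND.items():
        print(name, scan_outbound(msg, DATABASE))
```

The leaked message is a paraphrase of the registered document, not a verbatim copy, yet most of its six-word shingles still hit the database, which is why shingling rather than whole-file hashing is used. The second number in the "card" message has the right shape but fails the Luhn check and is ignored, which is the check that keeps order numbers and timestamps from triggering the encrypt action.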

The Cisco Security Agent, which is host intrusion-prevention software, also includes DLP capabilities. The agent can block users from copying sensitive data from a local protected file store to another document or an e-mail. It also includes device-control capabilities to stop users from saving data to removable media.

chart: Cisco Acquisitions

THE PCI GRAVY TRAIN

Mention PCI compliance to security vendors and watch them salivate. In an attempt to stem the flood of stolen credit card numbers, the major credit card brands have developed a list of requirements to be met by any organization that takes credit cards or processes credit card transactions. Entities that fail to meet those standards can be fined by their merchant banks.

PCI's strongest impact is on retailers, which often lack on-site security and IT professionals to implement and manage the standards. Security vendors are stepping in to help customers map existing security processes to regulations and mandates, and see where they may need entirely new technologies.

PCI lays out a checklist of technologies, including antivirus software, firewalls and intrusion-detection systems, encryption, and vulnerability assessment. In contrast, regulations such as HIPAA are broadly written and thus more open to interpretation (and consulting) as to what constitutes "compliance."

Thanks to PCI's explicit instructions, product vendors smell gold. But they're careful in what they promise. For instance, Cisco notes that deploying its PCI compliance platform, built on Cisco products and aimed at the retail sector, doesn't automatically bring a company into compliance--it's just an important step.

IBM also is getting into the PCI game, but at a steep price: It paid $1.3 billion to acquire Internet Security Systems, including the company's consulting, managed services, and product lines. IBM has further equipped its compliance portfolio by buying Consul, which provides auditing and compliance software and services, and Watchfire, a Web app vulnerability scanner.

IBM last month announced a program that blends its products and services to bring customers into compliance with PCI. The offering is services-oriented, including consulting work and network scanning.

On the product side, it has updated the ISS Proventia Network Scanner with PCI-specific vulnerability assessments. It also says its Proventia Network Multifunction Security unified threat management product can address 10 of the 12 PCI requirements in one product.

IBM maintains that more companies are looking to security vendors as strategic partners. Case in point is Hughes Network Systems. Hughes provides managed network services for retail stores, restaurants, and other businesses. These networks, which include wired, wireless, and satellite connections, carry credit card data and must therefore meet PCI requirements.

Hughes consults with IBM to ensure that its various network architectures meet PCI standards. Matt Kenyon, the senior director of network infrastructure and security at Hughes, says the company already was doing everything required by the standard. IBM helped Hughes to formalize its policies and procedures so it could more easily report its PCI compliance. IBM ISS also provides the external scans required by the standard.

Kenyon notes that customers are always requesting changes to the network infrastructure, adding wireless services for customers or allowing managers to access a franchise location from a home office. IBM consultants help Hughes facilitate such requests without breaking compliance requirements.

Companies must file quarterly and annual reports and run ongoing security scans, which means Hughes has signed on for the long haul with IBM consultants.

chart: IBM Acquisitions

THE COMPLIANCE SHUFFLE

Complying with one standard usually implies best practices for complying with others. "Not a day goes by that someone isn't asking for something," says Bernie Donnelly, VP of quality assurance at the Philadelphia Stock Exchange. From the Securities And Exchange Commission to his own internal audit team, Donnelly lives and breathes compliance.

To that end, Donnelly has learned to think strategically instead of tactically. When auditors requested additional checks and balances to the stock exchange's back-end batch-processing systems, Donnelly figured auditors would eventually make the same requests for its check ledgers.

"If you need it in one system, you'll need it in others," Donnelly says. "Rather than fixing piecemeal what's only being asked, look at the true cause of the problem. You get a better business practice as a side effect."

Smart security pros don't confuse compliance with security. Says Kenyon: "Compliance is third-party validation of what you do every day." Like an athlete winning a gold medal, the point-in-time compliance designation is the result of daily effort, and that effort could be greatly simplified as the vendors build better threat management suites. While it's unlikely that just one product can do everything needed, increased functionality and simplified management are welcome enhancements for security architects.

Continue to the sidebar:
The Realities Of Risk Management
