Assessing endpoint security solutions: why detection rates aren't enough

The primary reason for an organization to buy an endpoint security solution is to protect its network, systems and data from malware. It is tempting, therefore, to base an assessment of potential solutions largely on malware detection rates.

In reality, however, detection tests – no matter how thorough – provide only a snapshot of a security vendor's ability to provide ongoing, manageable protection. There are several other equally important criteria that should be taken into account. It is in the vendors' approach to these extended security factors that the clearest difference between competing products emerges, allowing a viable shortlist to be created for further evaluation.

First, however, it is important to understand the changing security environment, in which increasingly open networks and a rapidly evolving threat landscape are presenting IT with new and significant challenges.

The dissolving IT perimeter

It used to be relatively easy to secure the corporate network. It was a physically connected entity used only by internal users. Web browsing was not generally available at the desktop, and data was transferred only by removable media or email.

Today, networks as we once understood them are disappearing as the network perimeter has become blurred by the prevalence of new technologies and business practices. Instant Messaging (IM), Voice over IP (VoIP), peer-to-peer (P2P) file-sharing software, and wireless and mobile devices all offer new ways of transferring data. Network access is given to remote workers, business partners and contractors.

These changes fulfill the real business need to remain competitive, but they also increase the risk of malware and other threats infecting the network via unsecured hardware and unmonitored communication channels.

The changing nature of security threats

Malware is now big business, and large criminal gangs with considerable IT resources have replaced fame-seeking teenagers as the primary source. The threats they create are low-profile, silent and targeted, to avoid the attention of their victims and security vendors alike. These threats do not crash computers or delete files; they steal passwords and financial information.

In addition, today's threats change with increasing frequency in order to avoid detection. Over the course of 2007, around 50,000 variants of the Storm (aka Dorf or Dref) worm were seen.[1] There has also been a significant change in the routes used by malware for attack. A move away from infected email attachments – in 2005, 1 in 44 emails had an infected attachment, compared with 2007's 1 in 909 – has been matched by an increase in the use of blended threats, which use several different technologies to spread their malicious payload.

How blended threats work – an example

An email is spammed out containing a link to an infected webpage. When the link is clicked by the recipient, a script on the webpage triggers the download of a Trojan onto the user's computer. The Trojan being downloaded might change several times a day to avoid detection. Once downloaded, the Trojan might download more files and malware to the infected computer – which might in turn download more malware before delivering the actual payload.

The challenge for IT

The changes in the network environment and the speed and complexity of threats raise major new security challenges for IT. Solutions are needed that go far beyond simply installing up-to-date anti-virus software at regular intervals. They need to address the much wider issues that now exist:

- More infection routes and more types of endpoint device need securing
- All endpoint computers need assessing and controlling
- Compliance with security policy needs monitoring
- Fast-moving, zero-day threats demand effective proactive protection.

One answer to the problem is to buy numerous point solutions but, on the whole, IT budgets are not increasing to meet the new requirements. Another drawback is that point solutions increase the total cost of ownership, since more security solutions mean:

- More initial purchase and set-up costs
- Slower networks
- More management effort
- Increased support issues (especially when the solutions conflict).

For these reasons, there is an increasing trend away from point solutions towards more consolidated products. Yet despite getting "total protection" from "integrated solutions", businesses are still getting infected. So how does an organization ensure the best protection?

6 critical questions to ask vendors

To ensure that a vendor not only provides the best protection now, but is also best placed to address the IT challenges an organization will face going forward, there are a number of important questions that should be asked.

Question 1: How good is your malware detection?

Totally reliable malware detection remains the primary driver behind any decision to buy an endpoint security solution. Since the risks involved make testing candidate solutions against live malware impractical for most organizations, they have to rely on word-of-mouth, reviews, and results from independent testing organizations.

Malware detection tests can regularly be found in the media and they can be very useful in comparing the performance of rival security vendors. However, care should be taken to understand what is, and is not, being tested – what malware collection methodologies have been used, whether the product was tested with its default settings or specifically configured, how old the samples were relative to the signature update the product was given, and so on. In drawing up a shortlist of potential vendors, it is also important to look at several tests and not to rely on one test alone.

A good test should include the following:

On-access testing. Tests that simply scan a set number of malware samples in on-demand mode do not accurately reflect the real-world threat from malware, or the real detection capabilities of solutions that incorporate runtime analysis or HIPS (Host Intrusion Prevention System) functionality.

Several thousand malware samples. With over 5 million unique malware samples seen in 2007,[2] any test with fewer than 1,000 samples is too small to separate products reliably: the difference between, say, a 98 percent and a 99 percent score lies within the sampling error of such a test.

All types of malware. Tests that analyze a single type of malware, such as looking only at traditional viruses, give no indication of a product's ability to detect the wide variety of other malware. Some tests, for example, do not include Trojan horses, even though they account for the vast majority of malware seen today.

False-positive testing. Most endpoint security solutions can score 100% detection in particular tests. The important issue is that they do not at the same time quarantine clean files. A detection score should always be read alongside the false-positive rate from the same test: a product that reaches 100% by flagging clean software will cause more disruption than one that misses a handful of samples.

Proactive/zero-day detection tests. The changing nature of threats makes proactive detection the first line of defense against today's malware, ensuring protection from threats before they have been seen and analyzed by experts in the vendor's labs.

Response times. Signatures to protect against specific viruses and other malware remain a significant part of successful protection, and the speed with which the vendor creates and deploys them is important. A combination of response times and proactive detection gives a comprehensive indication of the real protection a particular solution will provide.

Although no one test organization is perfect, organizations that provide more comprehensive and representative testing include AV-Test.org,[3] AV-Comparatives.org,[4] Virus Bulletin,[5] ICSA Labs,[6] Cascadia Labs[7] and West Coast Labs.[8]

Question 2: Do you have integrated visibility of all threat sources?

The increased use of blended threats shows how important it is for vendors to have integrated visibility of spam, virus and web-based threats in order to ensure a rapid response to new malware as it is released. For example, vendors without anti-spam capabilities will not see the email that is used to propagate the link to an infected website.

Similarly, without a web-monitoring capability, a vendor cannot tell when an infected website is established or get early insight into new malware made available through that website – and with one infected webpage every 14 seconds,[2] this lack of visibility is critical.

Even if the vendor does have this cross-threat capability, it needs to be supported by integrated research laboratories, with information being rapidly and automatically passed between them to ensure a quick response to all new threats.

Question 3: How good is your proactive, zero-day protection?

Today's criminally motivated, targeted, fast-moving threats have decreased the time available for security vendors to react to new threats before they have their malicious impact. This problem is exacerbated by the sheer volume of threats, with vendors' research labs having to protect against hundreds of thousands of new threats every year.

Such large volumes of rapidly mutating malware require proactive, zero-day protection against malware that the vendor has not yet seen or analyzed. Vendors need to offer both:

Pre-execution analysis – examines the behavior and characteristics of files before the file is run, to find traits commonly found in malware.

Runtime protection – analyzes the behavior of files and processes as they are running, checking for suspicious activity.

Strong proactive protection reduces the number of individual threats that a research lab needs to analyze, enabling the rapid creation of new signatures and protection where necessary. Because both techniques work from generic traits rather than exact matches, they carry a higher false-positive risk than signatures, which is another reason to evaluate proactive detection together with false-positive testing.

Question 4: Is your solution easy to manage across my network?

A security solution will only protect the network if it is correctly configured, deployed and updated across the whole network. So its ease of use and ease of management should be given almost as much weight as its detection capabilities in the evaluation process.

The vulnerabilities created by security solutions that are difficult to manage are highlighted by surveys variously indicating that between 43 percent and 84 percent of large businesses suffered from a malicious code infection in 2005/6, even though 100 percent had implemented an anti-virus solution.

Similarly, on replacing one solution with another vendor's solution, it is common for an organization to find a large amount of malware on the network – not because the earlier solution could not detect the malware, but because it had not been kept up to date or managed properly.

In addition to offering visibility of the network, some security solutions support the management task further by automatically identifying endpoint computers whose security software or policy is out of date, or by automatically deploying anti-malware software to new endpoint computers logging on to the network.

Other solutions also ease the administrative burden by making management actions that cannot be automated easier and quicker to perform. By reducing the need for administrators to understand and write complex rules for determining suspicious behavior, these products help make the network more secure and free up more time to be spent on other IT matters.

Question 5: What added value does your solution offer?

Higher volumes and increasing complexity of threats are not mirrored by a similar trend in the IT budgets set out to counter them. Adding ever more point products and IT staff to combat these additional risks and protect increasingly open networks is not realistic.

So an important question to ask is, "How will this vendor's security solution allow me to get more out of my existing budget?" The answer lies in how successfully the solution will defend against the new set of threats posed by user behavior and poorly configured or non-compliant computers, in particular how far it lets organizations control who and what is on the network.

Capabilities to look for beyond straightforward protection against malware include:

- Restricting use of legitimate but non-business-critical software applications – like VoIP, IM and P2P software – that can cause productivity, support and security issues.
- Reducing the risk of infection by ensuring security policy is being complied with by all computers – not just those owned and managed routinely by the company but also unmanaged guest computers connecting to the network.
- Assessing and certifying systems before and after they connect to the network, ensuring, for example, that security software is in place and properly configured, and operating system and application patches are up to date.

In addition to protection from malware and control of applications and network access, an endpoint security solution might offer device control and data leakage prevention. By offering some, if not all, of these capabilities, a good endpoint security solution will reduce the financial, network performance and management costs, and increase efficiency through being one product to understand, deploy and manage.

Question 6: What level of support can I expect?

Vendor support is an important aspect of the successful implementation of endpoint protection. Although hard to test, it needs to be taken into account during the evaluation process.

Help might be needed from the vendor at various times over the lifetime of the license, either to do with the product itself – for example deployment, configuration or updating – or over a related issue, such as the discovery of a suspicious file on the network that needs analyzing. Given that security may be at risk until the matter is resolved, it is important to understand the vendor's policy towards support. Is 24/7 support standard, or is this something that requires extra payment? Some vendors will limit the number of contacts that are allowed to call with technical queries, which is not helpful where a quick resolution is required. Some – especially those with large consumer customer bases to support – will use off-shore support centers to provide economies of scale, but these often prove unpopular with businesses.

One further area that should be investigated is how integrated product support is. Will a single support analyst be able to address issues across the vendor's entire product range, or will different products require separate, time-consuming conversations?

Conclusion

Detection of malware is at the heart of any endpoint security solution, and comprehensive published detection rates are a valid source of information. However, good malware detection rates alone will not guarantee the best protection.

The most successful solutions are easy to manage, provide proactive protection against zero-day threats, and offer other security capabilities, such as HIPS, application control, firewall, and network access control. Underlying these should be 24-hour threat analysis from integrated global research labs, and technical support from cross-product experts. By assessing potential products against all these criteria, organizations will go a long way to ensuring they choose the right endpoint security solution to protect them against today's rapidly evolving threats and increasingly open network environment.
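As an added worked example (not from the white paper or from any vendor's tooling), the following Python scores a published detection test the way the test criteria under Question 1 suggest: detection rate and false-positive rate taken from the same test, each with a 95% Wilson confidence interval, so that the sample-size point is visible in numbers rather than asserted. The three product results are constructed for illustration and describe no real product; the names `TestResult`, `wilson_interval`, `score` and `distinguishable` are chosen here.

```python
"""Scoring a published detection test: detection rate, false-positive rate
and the sampling uncertainty behind each score.

Added example, not part of the white paper. The test results below are
constructed for illustration and do not describe any real product."""
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class TestResult:
    product: str
    malware_samples: int     # size of the malware set the product was run against
    malware_detected: int    # how many of those samples it detected
    clean_samples: int       # size of the clean-file set used for false-positive testing
    clean_flagged: int       # clean files wrongly quarantined (false positives)


def wilson_interval(successes: int, trials: int, z: float = 1.96) -> tuple[float, float]:
    """95% Wilson score interval for a proportion successes/trials.

    Unlike the naive p +/- 1.96*sqrt(p(1-p)/n) interval it behaves sensibly
    when p is close to 1, which is exactly where detection scores live."""
    if trials <= 0:
        raise ValueError("trials must be positive")
    p = successes / trials
    z2 = z * z
    denom = 1.0 + z2 / trials
    centre = (p + z2 / (2 * trials)) / denom
    half = z * sqrt(p * (1 - p) / trials + z2 / (4 * trials * trials)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def score(result: TestResult) -> dict:
    """Detection rate and false-positive rate, each with its 95% interval."""
    det_lo, det_hi = wilson_interval(result.malware_detected, result.malware_samples)
    fp_lo, fp_hi = wilson_interval(result.clean_flagged, result.clean_samples)
    return {
        "product": result.product,
        "detection_rate": result.malware_detected / result.malware_samples,
        "detection_ci": (det_lo, det_hi),
        "detection_ci_width": det_hi - det_lo,
        "false_positive_rate": result.clean_flagged / result.clean_samples,
        "false_positive_ci": (fp_lo, fp_hi),
    }


def distinguishable(a: TestResult, b: TestResult) -> bool:
    """True only if the two products' detection intervals do not overlap,
    i.e. the test is large enough to support a claim that one beats the other."""
    a_lo, a_hi = wilson_interval(a.malware_detected, a.malware_samples)
    b_lo, b_hi = wilson_interval(b.malware_detected, b.malware_samples)
    return a_hi < b_lo or b_hi < a_lo


# Constructed results for three hypothetical products (not real test data).
SMALL_TEST = TestResult("Product A", 100, 98, 500, 0)             # 98% on only 100 samples
LARGE_TEST = TestResult("Product B", 1000, 980, 500, 2)           # 98% on 1,000 samples
PERFECT_BUT_NOISY = TestResult("Product C", 1000, 1000, 500, 25)  # 100% detection, 5% FPs


if __name__ == "__main__":
    for r in (SMALL_TEST, LARGE_TEST, PERFECT_BUT_NOISY):
        s = score(r)
        print(f"{s['product']}: detection {s['detection_rate']:.1%} "
              f"(95% CI {s['detection_ci'][0]:.1%} to {s['detection_ci'][1]:.1%}), "
              f"false positives {s['false_positive_rate']:.1%}")
    print("A vs B distinguishable:", distinguishable(SMALL_TEST, LARGE_TEST))
    print("B vs C distinguishable:", distinguishable(LARGE_TEST, PERFECT_BUT_NOISY))
```

Product A and Product B both score 98 percent, but A's interval on 100 samples runs from roughly 93 to 99.5 percent while B's on 1,000 samples narrows to about 97 to 98.7 percent, so a 100-sample test cannot tell a 98 percent product from a 99 percent one. Product C's perfect score is statistically better than B's, but it comes with a 5 percent false-positive rate, which is the trade-off the false-positive bullet above warns about and the reason both numbers must come from the same test.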