When signature based antivirus isn't enough

Neil Roiter

Endpoint security is changing at a breathtaking pace. For more than a decade, signature-based antivirus was sufficient for most companies. A couple of years ago, spyware emerged as a business-level threat, and pure-play companies like Webroot and PestPatrol (now CA) scrambled to bring centrally managed products to market, while traditional antivirus vendors played catch-up.


That was just the start of the endpoint security revolution. While spyware was initially considered more of a production and help desk issue than a security concern, the criminal world has turned the threat environment on its ear.

"From two years ago, there was a 180 in how malware and virus writers--kids working out of their basement seeking notoriety--approached the industry," said David Frazer, director of technical services at Helsinki-based AV firm F-Secure Corp. "Now we have professional virus writers, they have quality assurance, R&D, developing blended threats, targeted attacks aimed at specific users."

Host-based intrusion prevention systems (HIPS) are at the heart of the security industry response. Traditional signature-based antivirus and antispyware fail to detect zero-day exploits or targeted, custom-tailored attacks. There are several approaches; some intercept calls to the OS when programs execute and develop a baseline of normal activity; others use pre-execution protocol analysis, while still others use a sandbox approach, letting suspect programs execute in a protected environment. The common theme is detection that goes beyond signatures.
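The "baseline of normal activity" approach described above can be shown in a few dozen lines. The following is an added example written for this article, not code from the article or from any vendor it names: it builds a per-process baseline of (action, resource class) pairs from a log captured while the host was known-clean, then flags events in a later log that fall outside that baseline. A hash-based signature check runs alongside it to show why it misses the same events. The event format, process names, hashes, paths and addresses are all constructed for the example.

```python
"""Toy behaviour-baseline monitor (HIPS-style) beside a signature check.

All sample data below is constructed for this example.
"""
from collections import defaultdict

# Constructed signature database: hashes of binaries already known to be bad.
KNOWN_BAD_HASHES = {"deadbeef01": "Trojan.Example.A"}

# Constructed baseline log: events observed while the host was known-clean.
BASELINE_LOG = """\
proc=wordproc.exe hash=aa11 action=file_read path=C:\\Users\\alice\\report.docx
proc=wordproc.exe hash=aa11 action=file_write path=C:\\Users\\alice\\report.docx
proc=wordproc.exe hash=aa11 action=registry_read key=HKCU\\Software\\WordProc
proc=browser.exe hash=bb22 action=net_connect dst=203.0.113.10:443
proc=browser.exe hash=bb22 action=file_write path=C:\\Users\\alice\\Downloads\\x.pdf
proc=updater.exe hash=cc33 action=net_connect dst=203.0.113.20:443
proc=updater.exe hash=cc33 action=file_write path=C:\\Progs\\App\\app.exe
"""

# Constructed live log: the same, unchanged binaries (hashes still match) doing
# things they never did during the baseline, plus a process never seen before.
LIVE_LOG = """\
proc=wordproc.exe hash=aa11 action=file_read path=C:\\Users\\alice\\memo.docx
proc=wordproc.exe hash=aa11 action=process_create image=C:\\Windows\\System32\\cmd.exe
proc=wordproc.exe hash=aa11 action=net_connect dst=198.51.100.7:8080
proc=browser.exe hash=bb22 action=net_connect dst=203.0.113.11:443
proc=svc_helper.exe hash=dd44 action=registry_write key=HKLM\\Software\\Example\\Run
"""


def parse_event(line):
    """Parse one 'key=value key=value ...' event line into a dict."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def resource_class(ev):
    """Coarsen the event target so the baseline generalises beyond exact paths:
    files and images -> drive plus top directory, registry -> hive, sockets -> 'net'."""
    target = ev.get("path") or ev.get("image")
    if target:
        return "\\".join(target.split("\\")[:2])  # e.g. 'C:\\Users'
    if "key" in ev:
        return ev["key"].split("\\")[0]  # e.g. 'HKCU'
    if "dst" in ev:
        return "net"
    return "other"


def event_key(ev):
    """The (action, resource class) pair that the baseline is keyed on."""
    return (ev["action"], resource_class(ev))


def build_baseline(log_text):
    """Map each process name to the set of event keys seen while known-clean."""
    baseline = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            baseline[ev["proc"]].add(event_key(ev))
    return baseline


def signature_scan(log_text):
    """Signature-style check: a hit only when the binary's hash is already known bad."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            if ev["hash"] in KNOWN_BAD_HASHES:
                hits.append((ev["proc"], KNOWN_BAD_HASHES[ev["hash"]]))
    return hits


def behaviour_scan(log_text, baseline):
    """Behaviour-style check: flag unknown processes and any known process doing
    something (action, resource class) it never did during the baseline."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        proc = ev["proc"]
        if proc not in baseline:
            alerts.append((proc, "unknown_process", line))
        elif event_key(ev) not in baseline[proc]:
            alerts.append((proc, "novel_behaviour", line))
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    print("signature hits:", signature_scan(LIVE_LOG))
    for proc, reason, line in behaviour_scan(LIVE_LOG, base):
        print(f"ALERT {reason:16} {proc}: {line}")
```

On the constructed live log the signature scan returns nothing, because no binary changed, while the behaviour scan raises three alerts: the word processor spawning a shell, the word processor opening a network connection, and a process with no baseline at all. The browser's connection to a new address is not flagged, since "net_connect to the network" was already part of its normal profile; that coarsening is the design choice that keeps the false-positive rate tolerable, and it is exactly what the per-product tuning in real HIPS deployments is about.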

Once a nice-to-have-if-you-can-afford-it technology featuring players like Okena, Entercept, Harris and Sana Security, HIPS is rapidly becoming a staple for desktop and server security.

All the major antivirus vendors now offer HIPS, including Symantec and McAfee (from Entercept), the 800-pound gorillas in the market, and competitors like Trend Micro, CA, Sophos and F-Secure. In addition, Cisco Systems (from Okena), eEye Digital Security and Internet Security Systems (ISS, now part of IBM) have comprehensive endpoint security solutions that include HIPS. eEye and ISS have added signature-based detection to round out their packages.

Some companies offer HIPS a la carte or as part of a more or less integrated endpoint security package, while others consider it an integral part of their solution.

Those packages are typically one-stop shopping for your endpoints. They include a centrally managed client firewall, application usage control and content filtering--and sometimes antispam and antiphishing tools. The bottom line is one product to manage.

Consider that a metropolitan area health care organization, which includes several hospitals, is about to deploy eEye's Blink on at least 15,000 seats for desktops and servers.

"Blink adds a number of additional protection measures from just antivirus, to HIPS, identity theft protection, antiphishing, identification and system firewall, application protection, executable protection," said the organization's security manager, who prefers to remain anonymous.


"A key point is local vulnerability assessment," he said. "Machines can scan themselves and report home, and reporting that assessment is very small payload compared to size over wire. It's less intrusive than network scanning."

"There's a very palpable change in what administrators are looking for in endpoint security offerings," said Ron O'Brien, a senior security analyst at Sophos. "At a recent show, they were talking about having one company for antivirus, one for spyware, one for productivity filter, one for application control--managing different consoles, different agents. Using a single scan, looking from a single seems to resonate."

Brian Troudy, a senior network administrator for the Walnut Valley (California) School District, decided his desktop antivirus wasn't enough for his 4,000 desktops.

"It was more virus location software than antivirus--great at detecting but miserable to remove them," said Troudy, who is replacing his traditional antivirus with ISS Proventia Desktop on both employee and school lab desktops. "I went to see what else was there--something that offered more end-to-end desktop security and help with desktop performance."

"We chose a non-traditional path, and it's proving very helpful to us," said the health care organization security manager. "It will complement antivirus in the beginning; it adds another layer, defense in depth. But we're looking at replacement; we feel comfortable that Blink is robust enough."

The ability to feed into network security tools is another sweet spot for the new generation of endpoint products.

"The biggest thing for me was that Cisco had several systems that work together--MARS (SIEM), ASA (Network) IPS," said Carl Goodman, an information security manager for California-based Premier Valley Bank, which decided on Cisco Security Agent, along with the other Cisco security tools. "Other tools take reporting from CSA--from that standpoint alone, it makes sense. False positives are eliminated. The fact that we have it all tied together and reported at one location, with 24x7 monitoring is pretty valuable."

"We're often asked about SIM/SEM," said John Engels, Symantec group product manager. "That roll-up is important. Critical Security's host IDS can send out real-time information to SIMs."

The initial market for early HIPS products was select enterprises that tended to be on the cutting edge, but that may be changing as organizations start to see the benefits of HIPS and other endpoint security applications rolled up with signature-based tools.

"It's been large enterprises among the customers we've been seeing until late last year," Engels said. "Increasingly, it's been smaller and smaller customers."

"Customers are struggling to understand--it's a difficult market to understand; it's a lot more complex to parse this market than the antivirus world," said eEye CEO Ross Brown. "The tribal knowledge among security professionals and end users isn't quite there yet. But go to customers with single agent that does security at same price, and it's easy for them to wrap their heads around."
