
Is stand-alone AV finally dead? The debate goes on

By Bill Brenner

With all the consolidation we’re seeing in the security market, many experts have been predicting the eventual demise of standalone security products. Some of the more noteworthy examples:

— At the RSA Security conference in San Francisco last February, Art Coviello, president of EMC Corp.’s RSA Security division, predicted that the vast array of standalone security devices on the market today would go the way of the dinosaur within three years.

— At Gartner’s IT Security Summit last June in Washington, D.C., the big theme was what the research firm called Security 3.0: the notion that security is increasingly being integrated into the IT infrastructure produced by the likes of Microsoft, IBM and Cisco.

This week, I see the debate continuing in the blogosphere, particularly the question of whether standalone antivirus software is already a relic of the past.

Amrit Williams, CTO of BigFix and a former Gartner analyst, notes in his Observations of a Digitally Enlightened Mind blog that before leaving Gartner, he predicted standalone antivirus would be D-E-A-D by the end of 2007. Based on some new analysis coming out of Gartner, he said his prediction has proved correct:

“My prediction has come true as Gartner has officially declared a new category ‘Endpoint Protection Platform’ in the latest Information Security Hype Cycle for 2007,” he wrote. “This followed an earlier announcement that the Personal Firewall Magic Quadrant and the Anti Virus Magic Quadrant would be collapsed into a single Endpoint Security Magic Quadrant.”

According to the 2007 Information Security Hype Cycle, Williams notes, Gartner defines EPP as “the convergence of desktop security functionality into a single product that delivers antivirus, antispyware, personal firewall and other styles of host intrusion prevention (for example, behavioral blocking) capabilities into a single and cohesive policy-managed solution.”

Based on this turn of events, he offered IT professionals three suggestions:

1. Spend less, demand more. “Consolidate infrastructure management and spending for multiple point solutions into a converged platform,” he advised. “Do not pay the same price for AV this year that you paid last year, ask for more security and operations function, but do not pay more. Demand more cow-bell!”

2. Rip out your incumbent if they aren’t providing value. “Do not be afraid to tell McAfee and Symantec to take a walk if they are unable to deliver an endpoint protection platform with enterprise scalable central management. Rumor has it that Symantec may actually deliver something at the end of 2007, but who knows,” he continued.

3. Security and operations are converging at the desktop and servers, so look for operations vendors to provide more security functions. “They have stronger systems management, centralized administration and scalability than the traditional security vendors, unless they acquired an operations vendor, in which case you will have to wait for the integration dust to settle,” he said.

Computer scientist Kurt Wismer rails against Williams’ assessment in his Anti-Virus Rants blog, writing that rumors of antivirus’ demise are greatly exaggerated.

“So long as people still want best-of-breed there will still be a market for stand alone AV,” he wrote. “Just because Gartner changed the way they model the playing field (a necessity given the evolution, not death, of AV), and just because vendors are gradually making the components of their security suites play nicer together (imagine that, they’re actually managing to improve their products), doesn’t mean standalone AV is going anywhere.”

I agree with Wismer that there will always be a market for standalone antivirus. There will always be IT shops somewhere in the world that rely on standalone security tools for one reason or another. But Williams and the folks at Gartner are right that the vast majority of enterprises want more of their security baked into the larger IT infrastructure.

In the long run, it makes sense to take the more mature security tools and integrate them with the larger IT infrastructure. That makes life more manageable for bigger companies, and a single policy-managed platform is a more efficient defense than a pile of separately administered agents.

But the threat landscape keeps evolving, and that will require new security tools in the future. Such innovation will almost always start out as a standalone offering before the platforms absorb it.

Let’s keep this discussion going. Write in and tell me where you see things headed.

Lessons of the TD Ameritrade breach

As my colleague Dennis Fisher reported last week, hackers accessed a database holding personal information belonging to customers of TD Ameritrade Holding Corp., parent company of one of the larger retail brokerages in the country. The stolen data included names, addresses and phone numbers.

We’ve written and read reams of advice on how a company should proceed in the event of a security breach. This week the Emergent Chaos blog has a pretty good analysis of TD Ameritrade’s response.

Adam Shostack suggests the company at least deserves some credit for its response. “It appeared that no SSNs, account numbers, or other information was stolen,” he wrote. “So why is Ameritrade announcing it, and what can information security professionals learn from this? It appears that Ameritrade is getting ahead of the story. Rather than have it dribble out by accident, they’re shaping the news by sending out a press release.”

Secondly, he wrote, “They’re shaping their customer response. Rather than hear about this from someone in a state with a broad disclosure notice, and worrying ‘was I affected, too,’ they’re telling everyone. That allows them to appear proactive and caring, rather than reactive and hiding.”

The company probably also kept costs down by not paying a law firm to analyze its obligation to disclose under a variety of state laws, he said. His conclusion: TD Ameritrade was smart well before the breach, because it kept its customer contact data separate from the deeply sensitive information, which lived in a different database.

“So what can someone who’s just been breached learn from this? First, segment your data now. It pays off, probably more than a lot of products you might buy,” he wrote. “Second, when you encounter an incident, think about taking control of the situation, rather than letting the situation control you. Spending time planning for a variety of breaches will pay off, both for the companies that are ready, and for the leader who initiated the process.”
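As an added illustration of the segmentation advice above (example code written for this column, not TD Ameritrade’s schema or anything from Shostack’s post), here is one way to lay it out in PostgreSQL: contact data and identity data live in separate stores, linked only by an opaque customer id, and the web-facing database role has no grants at all on the sensitive side. Every schema, table, role and password here is hypothetical.

```sql
-- Added example (PostgreSQL), not from the original column.
-- Goal: a compromise of the web-facing role yields names, addresses and
-- phone numbers at worst, never SSNs or account numbers.
-- All names are hypothetical; in a stricter deployment the two schemas
-- would be two databases on separately managed hosts.

CREATE SCHEMA contact;
CREATE SCHEMA identity;

-- The record most systems touch, keyed by an opaque id.
CREATE TABLE contact.customer (
    customer_id  uuid PRIMARY KEY,
    full_name    text NOT NULL,
    street       text,
    city         text,
    phone        text
);

-- The deeply sensitive record. No foreign key across schemas, so that
-- dumping one store does not enumerate valid keys into the other.
CREATE TABLE identity.customer_secret (
    customer_id    uuid PRIMARY KEY,
    ssn            text NOT NULL,
    account_number text NOT NULL
);

-- One role per workload, each with only the grants it needs.
CREATE ROLE web_app   LOGIN PASSWORD 'replace-me';  -- hypothetical credentials
CREATE ROLE kyc_batch LOGIN PASSWORD 'replace-me';

REVOKE ALL ON SCHEMA contact, identity FROM PUBLIC;

GRANT USAGE ON SCHEMA contact TO web_app;
GRANT SELECT, INSERT, UPDATE ON contact.customer TO web_app;

GRANT USAGE ON SCHEMA identity TO kyc_batch;
GRANT SELECT ON identity.customer_secret TO kyc_batch;
-- Deliberately nothing else: web_app has no USAGE on identity,
-- kyc_batch has no USAGE on contact.

-- Check, as a superuser, that the web role cannot reach the sensitive data.
SELECT has_schema_privilege('web_app', 'identity', 'USAGE')                  AS web_sees_identity,
       has_table_privilege('web_app', 'identity.customer_secret', 'SELECT')  AS web_reads_secrets,
       has_table_privilege('web_app', 'contact.customer', 'SELECT')          AS web_reads_contacts;

-- Simulated breach: queries run with the web application's credentials.
SET ROLE web_app;
SELECT full_name, street, phone FROM contact.customer;   -- the attacker gets this
SELECT ssn FROM identity.customer_secret;                -- the attacker does not
RESET ROLE;
```

Run as a superuser, the privilege check returns false, false, true, and the final SELECT under `web_app` fails with a permission error on the `identity` schema rather than returning rows. The point is the same one Shostack makes: the breach-time outcome is decided by a schema and grant decision made long before the breach.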

Not everyone agrees, of course. In fact, Shostack admitted in a follow-up entry that he may need to re-think his position based on some of the comments he’s received, including this one from a fellow named Ram:

“This breach happened quite a while ago. I use custom email addresses and confronted them on it months ago. This is the second time they’ve leaked my email address. The FAQ is careful to distinguish between TDA and TDA-Waterhouse. Presumably most readers here know that they would have a hell of a time knowing if someone read data from their DB. I conclude that they are late to report, possibly in response to a threatening letter from a (California?) customer’s lawyer. Further they are strictly spinning the position for TDA non-W clients (of which I am one). If TD deserves kudos it is for an effective snow job rather than effective security or integrity.”

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at
