Information Security staff
Published: 03 Dec 2004
Seasoned security pros recognize that security isn't just about products; it's about people, process and policy. But products are inarguably the most visible, tangible and accessible tools of IT risk management. They are the mechanisms for carrying out the strategic policies and processes that drive security's success in any organization.
Information Security's "2004 Products of the Year" is a compilation of the best commercial products across 13 categories. Unlike other security product awards, the judge for these awards was you, the information security practitioner.
Information Security and our research partner, TheInfoPro, conducted 416 in-depth interviews of security managers working in 273 companies, evaluating a total of 1,239 products.
The rating for each gold, silver and bronze winner is a composite score based on the following criteria: vendor's brand or reputation, quality of product, delivery of product as promised, quality of technical support, technical innovation, strategic vision, competitive positioning of the product, quality of the sales team, interoperability and ease of doing business with the vendor.
ISM 2004 Products of the Year: Antivirus/Antiworm
Sophos Anti-Virus, Sophos
Sophos continues to compete with the antivirus giants through an effective combination of technical know-how, expedient response to new malware and good, old-fashioned customer service. Sophos Anti-Virus isn't just winning the gold award, it's setting the standard for AV excellence.
"Sophos makes an excellent product; it's very focused on AV signature generation," says the corporate security manager at a telecommunications company.
Fighting viruses has become a speed game. As attacks keep increasing in volume and severity, AV companies have to continuously update their products and signature databases. Sophos uses a series of internally developed approaches to rapidly identify new viruses, including code emulation, online decompression for scanning, and an engine for detecting and disabling macro viruses. It scans incoming documents not by extension but by analyzing their format, making the scanner harder to trick.
Sophos developed its real-time InterCheck technology to counter viruses regardless of their delivery medium: email, CD, floppy disk, instant message or network share. InterCheck scans for infections upon access to a system. Sophos also uses a Remote Update feature to protect machines not regularly connected to the corporate network. Business users rate both features highly.
And they appreciate that Sophos doesn't employ the hype or jargon that other vendors use to blow new viruses out of proportion. A senior security analyst at a large financial services firm says, "Sophos uses plain English to tell me what something does and how it does it, which is more than some other AV vendors."
Enterprise customers also cite Sophos' antispam capability in its email server/gateway products, PureMessage and MailMonitor. "It effectively quarantines spam," says the director of information security at a large consumer goods company.
Symantec AntiVirus Enterprise Edition, Symantec
USER COMMENT: "It catches viruses, the definitions are updated pretty well, and Symantec has good resource pages for downloading remote tools."
VirusScan Enterprise, McAfee
USER COMMENT: "McAfee is as good as other vendors, but with more timely delivery of virus definitions."
ISM 2004 Products of the Year: Network Firewalls
PIX 500 Series, Cisco Systems
The PIX 500 Series of robust, feature-rich firewalls and the ubiquity of Cisco's networking equipment produce a powerful security/networking combination. It's no wonder that PIX earned the highest rating among network firewalls.
With the interoperability problems of mixed-vendor environments, Cisco's homogeneity is a definite security management draw. Many users have echoed the words, "We're a Cisco shop," expressed by an engineering technologist, who adds, "We have been migrating steadily to PIX over the past two years."
Moreover, Cisco shops can leverage PIX VPN capabilities with Cisco routers and VPN concentrators to implement highly scalable remote-access and site-to-site VPN services across their enterprises.
Cisco has a lot more to sell than one-stop shopping. The PIX 500 Series, ranging from SOHO devices to large-enterprise appliances, has grown to meet the security demands of a Web-centric world. PIX augments its stateful packet filtering with application-aware services that inspect traffic at layers 4 through 7 and provides URL and content filtering. It also offers options for authenticated access through its own or third-party databases.
"Cisco is doing a good job of improving its firewall and is making its products more usable and more manageable by non-Cisco router geeks," says a senior security architect.
PIX offers an impressive security package that supports the high-performance and media apps, such as VoIP, that businesses are rapidly implementing.
As with many companies that not only maintain but hold a leadership position, Cisco has built an excellent reputation.
"They are the market leader," says one IT manager. "They have the expertise that others don't."
FireWall-1 GX, Check Point Software Technologies
USER COMMENT: "Check Point is a well-understood firewall, and the software has a good frontend."
Sidewinder G2 Security Appliance, Secure Computing
USER COMMENT: "Secure Computing has really good customer service. We have no major issues with the firewall."
ISM 2004 Products of the Year: Intrusion Detection Systems
Dragon Intrusion Defense System, Enterasys Networks
Regardless of where you come down in the "IDS is dead" debate, you have to admit that intrusion detection's role in enterprise security has changed. While perimeter firewall and IPS vendors continue to chip away at the IDS market, IDSes are enjoying a rebirth of sorts as post-hack forensics and real-time threat management tools.
Enterasys' Dragon, our gold winner for IDS, epitomizes the transition of IDSes from "reactive detection" to "proactive correlation." Rather than firing off thousands of alerts based on single-node scanning, Dragon uses multiple virtual sensors to correlate event data from across the network and compare it to collected data on the network's vulnerability posture. The process, managed through Enterasys' Dynamic Intrusion Response (DIR) system, results in more accurate and timely intrusion management, as well as fewer false positives.
IPS vendors have long touted the benefits of stopping, not just detecting, malicious traffic. But many enterprises are reluctant to implement full-scale inline IPS for fear of blocking legitimate traffic. Some users suggest that Dragon's passive scanning combined with DIR attack correlation is a more sensible approach.
"We don't want anything inline but firewalls, routers and load balancers," says a government IT security manager. "So far, the Enterasys IDS has worked best for us."
Not to be overshadowed in the IDS vs. IPS discussion is the importance of customer support. By virtue of being first, IDS vendors have had more experience fine-tuning their support and service to well-identified customer needs. Enterasys has transformed Dragon from a stand-alone IDS to the cornerstone of its network security architecture strategy.
"Enterasys is an innovative company that understands security and how to protect you," says the CISO of another government agency. "It is willing to work with diverse organizational needs."
Cisco IDS, Cisco Systems
USER COMMENTS: "Cisco does a good job of understanding where our threats are coming from and changing its products to address them."
"Technology-wise, it leads most of the network vendors."
RealSecure Network, Internet Security Systems
USER COMMENTS: "ISS has a proven IDS infrastructure."
"It's the leader in the IDS market."
ISM 2004 Products of the Year: Intrusion Prevention Systems
UnityOne, TippingPoint
Before there was the ubiquitous term "intrusion prevention," there was TippingPoint and its UnityOne inline appliance. TippingPoint's grand vision for automatically stopping attacks as they happen, as well as its unique lineage as a company, makes UnityOne a deserving gold award winner.
Unique among security startups, TippingPoint entered the IPS market as a publicly traded company. Its founders had a history of using their management framework as an incubator for new networking technologies, many of which were sold to infrastructure players.
TippingPoint set its sights on the security market in 2001 with the launch of UnityOne, one of the first inline traffic monitoring and automated response devices. There's no ambiguity about TippingPoint's value proposition: It's an IDS on steroids, with blazingly fast inspection and throughput speeds.
"It's the first IPS system that we can stick in front of any workload," says one director of information security. "It stops the bad stuff and lets the good stuff through at lightning speed."
TippingPoint is improving upon its foundation through the release of a number of appliances to fit the needs of various-sized enterprises. Its R&D team continues to innovate by producing an increasingly broad attack signature database, an optimized detection engine and more reliable automated response measures. While many enterprises shy away from depending on the auto-response capabilities of their IPSes, UnityOne shops use the appliance with a high degree of confidence.
"TippingPoint's engineers know what they are doing," says the CSO of a government agency. "The company is letting them drive the product instead of the sales people."
While the big boys of security and networking continue to build and acquire IPSes, TippingPoint's UnityOne remains in a class of its own. "It's a strong product that has lot of capabilities that suit our enterprise's needs," says a network specialist.
USER COMMENT: "IntruVert's technology has been very mature since early on."
USER COMMENT: "ManHunt is a best-of-breed solution that fits our IPS needs."
ISM 2004 Products of the Year: Virtual Private Networks
Cisco VPN 3 Series Concentrator, Cisco Systems
Regardless of their form, VPNs are enterprise workhorses for remote and site-to-site connectivity. Users rated Cisco Systems' VPN 3 Series Concentrator tops in its class for one reason: ease of use.
Enterprise managers rave about how it combines robust overall technical excellence with a setup process so straightforward that even users can handle it.
"It's basically self-installed by many of our users," says a network security specialist at a large enterprise. With users having the ability to install VPN clients, VPN 3 Series takes significant stress off IT and the help desk.
Security managers particularly like Cisco's Scalable Encryption Processing modules, which allow customers to do field upgrades of the appliance. These modules, according to security professionals, put the VPN 3 Series in a class by itself.
The VPN 3 Series Concentrator covers all the protocols you would expect for VPNs, supporting IPSec, PPTP, L2TP and SSL. Users say that it's stronger at IPSec than SSL, and most managers give it high marks for its versatility and manageability. In fact, Cisco's ability to automatically route new users and manage bandwidth is a boon for enterprise managers.
"The key feature for us is that every switch port on our network, every dial-in, every VPN, every wireless connection will be tested to determine whether it's one of our computers and whether it meets all of the policies," says a CISO at a mid-sized manufacturer, who also likes having the ability to manage his network at the switch level.
Such flexibility and effective integration, coupled with innovative use of technology, makes it clear why Cisco stands out as a gold winner.
VPN-1 Pro, Check Point Software Technologies
USER COMMENT: "Check Point makes my job easier by tailoring its offerings to my business needs."
Aventail EX 1500 SSL VPN, Aventail
USER COMMENT: "It's super easy to use. I also like Aventail's exclusive focus on SSL; it's not a one-off product."
ISM 2004 Products of the Year: Security Appliances
NetScreen-5XT and 5GT, Juniper Networks
Juniper Networks' NetScreen 5 series firewall/VPN appliances hit the bull's-eye for remote offices and broadband telecommuters; they're inexpensive and powerful enough to protect distributed infrastructures.
Network gear vendor Juniper gave its security initiative instant credibility when it acquired NetScreen Technologies earlier this year.
"NetScreen is well-positioned and well-managed, with products that are just good stuff," says a VP for enterprise security. "Its products work. They're high performing and highly reliable."
The 5XT and 5GT offer the features enterprises look for in high-end boxes. An ASIC provides accelerated firewall, encryption, authentication and PKI processing. Its stateful filtering and "Deep Inspection" engine detects more than 250 application attacks and protocol anomalies; the 5GT also features embedded Trend Micro AV protection. The appliances protect networks against worms, viruses, port scans and DoS and DDoS attacks.
The IPSec VPN supports redundant gateways, NAT traversal and AES data encryption. NetScreen PKI support includes all major certificate authorities. RSA Security's SecurID, LDAP, RADIUS and Active Directory are supported for multifactor authentication.
The appliances support 10 simultaneous tunnels and 2,000 concurrent sessions. Management is handled through a command-line or Web-based GUI, or NetScreen's Security Manager central management console. Its management dashboard highlights critical, logging and attack alerts, and features graphs and device statistics.
"NetScreen delivers as promised," says a telecom technical advisor. "We've been really putting machines behind it every week in the last year, and we're still pretty pleased after a lot of experience with it."
USER COMMENT: "Nokia is a big organization and has a lot of industry tie-ins to its products. It leverages its product into other areas."
M50, Internet Security Systems
USER COMMENT: "The product is best of breed and has a great feature set."
ISM 2004 Products of the Year: Patch Management
BigFix Patch Manager, BigFix
BigFix Patch Manager and its underlying "fixlet" technology continue to wow the security market. Its ease of use, customization and platform independence make it a top choice among enterprises and Information Security's gold award winner for patch management.
"BigFix is simply comprehensive," says a CISO of a large financial service company.
Automated patching has been around for a few years, but limited reach and reliability have hampered many deployments. Most tools service Windows environments well, but have a harder time reaching across to other platforms and applications. Reliability has proven problematic, since not all tools can discover, push and verify patch installations with a high degree of accuracy. Enterprises have been forced to use either homegrown or multiple COTS tools to fill their needs.
What enterprises like about BigFix is that it's fully automated and customizable, can push patches to specific machines automatically or on demand, and can analyze and generate reports for measuring patching successes. Even better, it can change configuration settings, making it a good instrument for hardening boxes and employing workarounds if a patch isn't available.
Fixlets are the things that make BigFix work so well. They monitor a machine for vulnerabilities and configuration settings. They communicate with the server, which will push appropriate fixes to either patch the system or bring its configuration into compliance with defined security policies.
This is more than just some client-server architecture. Fixlets are more like applets, and that small footprint makes them easy to deploy, update and manage. Each fixlet can carry a broad range of instructions, making them extremely flexible in implementing changes. Enterprises praise BigFix because it gives them the ability to use either fixlets provided by BigFix or, using an editor, create their own.
Security managers appreciate the tremendous degree of control and information they get from fixlets, providing a wealth of intelligence about the enterprise's or a particular machine's security posture.
With this kind of flexibility and reach, it's easy to see why BigFix Patch Manager has become one of the most popular security tools on the market.
PatchLink Update, PatchLink
USER COMMENT: "PatchLink Update is easy to use. PatchLink (the company) is responsive to customers' needs and has a commitment to excellence."
Windows Update Service, Microsoft
USER COMMENT: "Microsoft's patch management might lack a couple of features, but it's good enough overall, and it's free."
ISM 2004 Products of the Year: Security Management Systems
Secure Enterprise, Sygate
Security management systems come in many shapes and sizes: enterprise security management (ESM), policy enforcement/updating, security information/event management (SIM/SEM), remote device control, configuration management, etc. Our security management category encompasses all of these solutions because the industry hasn't yet settled on the best approach. While none of these tools is deployed in the majority of organizations, the majority of organizations deploy at least one. Among the nominees, three products emerged as best-in-class in this broad category.
Our gold winner, Sygate's Secure Enterprise, is among an emerging class of technologies that address the challenge of endpoint security. Secure Enterprise performs a security "health check" on untrusted hosts attempting to access the network via RAS, wireless or VPN.
Using a server/agent architecture, the system evaluates security-critical parameters on the client, such as patch levels, OS and application configurations, and AV and personal firewall status. Based on this assessment, the Sygate Management Server permits the client an appropriate level of access. Endpoints that pass the health check are granted access to authorized resources, based on domain policy; those that don't are either blocked or quarantined until they can be updated.
The result is a defense-in-depth architecture that extends beyond the core network.
One user was impressed with Sygate's "multilayered personal machine defense strategy." Another called Secure Enterprise "the most exciting product we've seen recently."
In a world of ubiquitous connectivity, danger lurks in semitrusted devices. Sygate's Secure Enterprise performs a critical function by ensuring that the productivity gains of virtual computing aren't undermined by a "default permit" access policy.
ePolicy Orchestrator 3.5, McAfee
USER COMMENTS: "Orchestrator has been out for years, and it's phenomenal."
"It allows us to centrally manage our AV globally very inexpensively."
Tripwire for Servers, Tripwire
USER COMMENTS: "Very stable product; it does an outstanding job."
"It's very well known. With a little training, you can get it up and running in a day."
ISM 2004 Products of the Year: Vulnerability Management
SmartRisk Analyzer, @stake (acquired by Symantec)
Love is rarely an emotion displayed for an infosecurity product. But enterprise managers love @stake's SmartRisk Analyzer service. They gush over its effectiveness at finding vulnerabilities in their network infrastructure, its ability to plug the holes and its quality service support. Such passion made SmartRisk Analyzer the clear gold award winner.
"You can't do better than @stake. I wouldn't say that about any other vendor I work with," says a security manager at a large telecommunications provider.
Unfortunately, this is a good product whose future is uncertain. @stake was acquired this fall by Symantec, which wanted the consultancy's professional services unit and expert talent. Symantec has since discontinued SmartRisk Analyzer, making this the only award winner that's no longer supported.
SmartRisk Analyzer users swore by @stake's support and people, whose technical and relationship skills, they say, were second to none.
"@stake's technical competence was just top notch. Its people knew network security better than anyone," says a telecommunications security manager.
Being able to tap experts on the shoulder at will created a personal security blanket for @stake customers, and they obviously appreciated it. They never felt ignored in the way that they sometimes do with big consultancies.
"@stake was best of breed in its space because it was easy to work with and it responded to customers," says a corporate security officer at a large government agency.
These glowing user remarks reflect well for both SmartRisk Analyzer and @stake's customer service. It's no wonder Symantec wanted @stake's human capital.
nCircle IP360, nCircle
USER COMMENT: "nCircle has great technology, and it's very flexible."
USER COMMENT: "QualysGuard runs remotely, so I don't have to do anything. It's like a shoot-and-forget missile."
ISM 2004 Products of the Year: Identity Management
Control-SA, BMC Software
The umbrella of identity management covers a lot of ground: passwords, authentication, access control, provisioning and auditing. Probably the most powerful tool in identity management remains BMC Software's Control-SA, which gives enterprises broad control over user accounts.
Here's the problem facing enterprises: You must provide users with access to multiple systems on different platforms, have the ability to monitor and audit their access to systems, and revoke permissions and accounts on a moment's notice. Control-SA was one of the first tools on the market to address these bedeviling problems.
"BMC Software has a mature product," says the VP of risk management at a large financial services firm. "It has a lot of functionality, and it covers a lot of platforms."
Control-SA's features give enterprises extensive power to provision, control and audit access to IT systems on different platforms. It uses group-based rules to provide users with access based on their departmental assignments, but also has the power to provide exceptions so certain users will have greater or lesser rights.
Managing user accounts also means periodic maintenance and modification. Control-SA has tools for adjusting access rights, such as removing certain permissions when a user changes jobs or requires special access for projects. It also automates account revocation, ensuring that an account is closed as a user's employment is terminated.
Auditing is critical to good identity management, especially in this age of Sarbanes-Oxley compliance. Control-SA comes with tools for identifying unauthorized use, improper permission and inactive accounts. This gives enterprises the ability to lock down accounts and demonstrate the strength of their security and integrity programs to regulators.
An added benefit is Control-SA's self-service password management system, which allows users to reset passwords across multiple platforms and cuts help desk costs.
"The self-service password reset works great," says a CISO. "There are a lot of cost-savings on the help desk."
Other vendors offer similar, worthy products, but BMC's Control-SA remains the leader and well-deserving of the gold award.
SSL Certificates, VeriSign
USER COMMENT: "It integrates well with other products. VeriSign is world class and good for secure communication."
Sun Java System Identity Manager (formerly Lighthouse), Waveset (a subsidiary of Sun Microsystems)
USER COMMENT: "Sun has a great LDAP server integrating with Waveset's identity management solution; they seem to work well together."
ISM 2004 Products of the Year: Content Filtering
Postini Perimeter Manager, Postini
Making spam disappear is what makes Postini the Houdini of email management for enterprises. Its Perimeter Manager service is highly effective, and its broad set of features has impressed enterprise users, earning it Information Security's gold award for content filtering.
"Postini is a home run," says a global IT security director at a large pharmaceutical company. It smashes spam without impeding legitimate messages. Security managers say that Postini has a more than 99 percent success rate at blocking spam and rarely generates a false positive.
The power of Postini is in its PreEMPT technology, which automatically feeds legitimate email through while either quarantining or tagging suspicious email before it reaches the company's perimeter. The scanning and policy enforcement all happen on Postini's infrastructure, making it extremely effective against DDoS attacks, directory harvesting and malware.
"Postini offers a wide variety of features, and we don't have to configure it, tune it, or be the experts -- they're the experts, and we benefit from it," says a security manager at a medium-sized retailer.
Postini's formula for success is simple: Stop malware before it reaches its customers' mailboxes, offer no-brainer management features and keep servers humming smoothly and messages flowing freely.
MessageLabs Content Control, MessageLabs
USER COMMENT: "Quality of service is very high. It's very transparent."
Websense Enterprise, Websense
USER COMMENT: "Websense is sound and easy to deploy. Pop it in a box, and you're done."
ISM 2004 Products of the Year: Authentication and Authorization
SecurID, RSA Security
It's impossible to think of two-factor authentication without thinking of RSA Security and its SecurID. Since 1986, SecurID has defined AAA (authentication, authorization and accounting), making it an obvious choice for our gold award.
Multifactor authentication depends on more than a token that can't be reverse-engineered and won't break when users fling it onto the kitchen table with their keys and spare change. The SecurID system offers the application support, management/deployment capabilities and reputation for reliability and technical support that give it real-world utility in every type of enterprise.
"RSA fills the obvious security niche for two-factor authentication," says a director of operations security. "It does a particularly good job of implementation and making it easy to manage."
Organizations can deploy SecurID through a variety of hardware and software tokens for Windows workstations, and a variety of handheld devices and wireless phones. But it's what's behind those tokens that attracts and keeps customers, and makes SecurID an enterprise-caliber product of choice. With widespread interoperability with major IT and security companies, SecurID offers authenticated access to data and applications through VPNs, wireless networks, email, intranet/extranet and Web servers. Its agent software extends support to proprietary apps.
SecurID's scalability is a critical factor, enabling large enterprises to deploy and manage authentication for millions of users and hundreds of apps through its Authentication and Deployment managers. The bundled Deployment Manager is automated, Web-based provisioning software that enables quick token deployment. Its self-service capability reduces the drain on IT staffs and help desks.
Beyond SecurID's attractive features, confidence in RSA Security may be the product's biggest selling point.
"Out of any vendor I've ever dealt with, RSA has the best technical support. It's amazing," says a director of security operations.
Active Directory, Microsoft
USER COMMENTS: "Active Directory is a stable and secure method of authentication throughout the corporate infrastructure."
Tivoli Identity Manager, IBM Tivoli
USER COMMENTS: "Tivoli is an enterprise standard and a great ID management tool."
ISM 2004 Products of the Year: Emerging Technologies
Skybox View 2.0, Skybox Security
Information security, as a market, is as dynamic as the infrastructures it protects. Picking winners in the established security categories is relatively simple; identifying the products that enterprises will embrace tomorrow is a little harder.
In reviewing the numerous products that have entered the security market over the last year, the editors of Information Security picked the three most promising for the emerging technologies category. Topping our list is Skybox Security's View 2.0, a clear leader in the emerging automated risk measurement and management space.
Skybox View vividly and intelligently calculates and demonstrates risk. Much like a SIM, Skybox pulls data from various sources -- firewalls, routers, IDSes, scanners, servers and applications -- and normalizes it, munching through its risk models and comparing the composite against business objectives and policies. The result is a clear picture of an enterprise's risk exposure. With that intelligence, enterprises are able to act on risk, adjusting their posture and building better event contingency plans.
Skybox View offers many benefits. For starters, the monitoring will tell you when you have increased or unacceptable risk exposure. It will identify and forecast potential exploitable weaknesses, and it accurately measures regulatory and policy compliance. The security intelligence it generates is contextual to the enterprise's unique environment and requirements, making its forecasts and recommendations more reliable.
In the latest release, Skybox has added metrics for assigning value to various network assets, a means for identifying metrics that fall under security regulations such as Sarbanes-Oxley, risk trending and tracking tools, and the ability to measure risk change over time.
Automated risk measuring and modeling is still a nascent space. Skybox and its rivals will continue to develop and refine these tools into more comprehensive risk management platforms. Skybox has shown that it will compete as a leader and visionary in this field.
Prexis, Ounce Labs
Ounce Labs' Prexis family of products is among the first to provide reliable, automated source code reviews. Prexis will find security and quality issues in common software languages, providing developers and enterprises with valuable intelligence on how to fix problems that could cause a breach, before code is compiled.
CounterPoint C-245 (formerly Mi40 Inverted Firewall), Mirage Networks
The CounterPoint C-245 is an excellent example of the new breed of security solutions that incorporates signature and anomaly detection, IPS and ingress/egress traffic monitoring and control.