A Buyer’s Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection Platforms

Traditional markets for dedicated endpoint security products have been eclipsed by endpoint protection platforms. The Evolution of Endpoint Security featuring the Buyers Guide to Endpoint Protection Platforms explores how the traditional methods for endpoint security should evolve. In it, you'll learn how the lack of data protection can affect your bottom line and gain insight into the true costs involved in migrating and managing an endpoint security product. Finally, learn how Sophos's acquisition of Utimaco affects the security and data protection market.

Published in: Business, Technology

Slide 1

Featuring: A Buyer’s Guide to Endpoint Protection Platforms

The evolution of endpoint security

In This Issue:
• Examine the formula that fuels success in the competitive security and data protection market . . . 2
• Explore life without comprehensive data protection . . . 3
• Understand the total cost of ownership for endpoint security solutions: A TCO white paper . . . 4
• From the Gartner Files: A Buyer’s Guide to Endpoint Protection Platforms . . . 10

Welcome to this complimentary copy of Gartner’s Buyers Guide to Endpoint Protection Platforms. This newsletter explores how the traditional methods for endpoint security should evolve. You’ll learn how Sophos’s recent integration of Utimaco affects the highly competitive security and data protection market. You’ll find out how the lack of data protection can affect your bottom line, and lastly, gain insight into the true costs involved in migrating and managing an endpoint security product.

Traditional markets for dedicated endpoint security products — particularly anti-virus tools and personal firewalls — have been, according to the report, eclipsed by endpoint protection platforms. Sophos now offers a unique solution, Sophos Endpoint Security and Data Protection, which provides simplified cross-platform security, centralized management, full-disk encryption and control of devices, applications and network access.

We invite you to learn more about simply securing your business at every level, and how to reduce the risks associated with non-compliant, unmanaged and unauthorized computers. Visit for more information.

Featuring research from
Slide 2

Examine the formula that fuels success in the competitive security and data protection market

Sophos CEO in the spotlight

Sophos CEO Steve Munford recently sat down with Senior Technology Editor Neil Roiter to discuss the formula behind Sophos’s success in the competitive security and data protection market, and what the future holds for the company.

In this interview, Munford explained how Sophos is aggressively taking market share away from Symantec and McAfee, and examined how — even in the economic downturn — Sophos continues to experience year-over-year growth and its channel partners are achieving double-digit growth.

Listen to the Newsmaker podcast with Sophos CEO Steve Munford.

With the increase in external and internal threats, limited IT staff, tighter budgets, and mounting industry and government compliance and regulatory mandates, it’s clear that businesses today are facing more security challenges than ever before. However, with the latest encryption offerings post Utimaco acquisition, Sophos customers can further achieve regulatory and compliance mandates while getting more value for their budget.

Sophos offers proven proactive Genotype protection backed by SophosLabs™ expertise and our HIPs technology. Here’s a snapshot of what they have discovered in the past six months:
• 23,500 new infected webpages are discovered every day. That’s one every 3.6 seconds, four times worse than the same period in 2007.
• 40,000 new suspicious files are discovered every day.
• 15 new bogus anti-virus vendor websites are discovered every day. This number has tripled, up from an average of five detected per day, during 2008.
• 89.7% of all business email is spam.
• Approximately 6,500 new spam-related websites are discovered every day — accounting for one new website every 13 seconds, 24 hours a day. This figure is almost double the same period in 2008.
Source: Sophos mid-year threat report
Slide 3

Explore life without comprehensive data protection

Sophos Endpoint Security and Data Protection defends against data loss through full disk encryption and information security encryption for removable storage devices and portable media. Learn why this is important, how data loss can affect your bottom line — and more importantly — what businesses can do to stop it:

Data leakage remains a top concern in 2009, with scandals continuing to dominate the headlines. Many corporations and government institutions have failed to protect their confidential information — including the identities of their workforce, customers and general public.

It is not only the threat of negative publicity that is driving interest in data protection, but also concern that the organization is failing to comply with regulatory security standards.

A variety of techniques are being used by corporations around the world to prevent data loss in a mobile connected world. These include anti-virus software, encryption and firewalls, access control, written policies and improved employee training.

Nevertheless, users are routinely using and sharing data without giving enough thought to confidentiality and regulatory requirements. This has led to numerous incidents of data loss in the first six months of 2009 — some accidental, some malicious:
• May: Hackers broke into a Virginia government website, stealing the details of almost 8.3 million patients, and threatening to auction them to the highest bidder.
• May: The theft of a single laptop in the UK put the personal identities of 109,000 pension holders at risk. The laptop contained names, addresses, dates of birth, National Insurance numbers, employer names, salary details and bank account information.
• June: 530,000 Virginia patients were individually notified that their Social Security Numbers had potentially been exposed after a hacker gained access to the Virginia Prescription Monitoring Program.
• June: Authorities arrested a former Goldman Sachs employee who uploaded the company’s secret source code to an FTP server based in Germany.

Encryption

The most important step in stopping data leakage is to encrypt sensitive information, laptops and removable storage devices. If data is encrypted with a password, it cannot be deciphered or used unless the password is known. This means that even if all other security measures fail to prevent a hacker from accessing your most sensitive data, he or she will not be able to read it and so compromise the confidentiality of your information.

The second step is controlling how users treat information. You want to stop any risky behavior, such as transferring unencrypted information onto USB sticks and via email. Organizations should extend their anti-malware infrastructure in order to:
• Protect data in motion and data in use
• Guarantee efficient operations
• Ensure that they meet regulatory requirements
Source: Sophos mid-year threat report

Hear from those that have gotten more with Sophos

“Selecting Sophos Endpoint Security & Control just made sense as we were able to meet all of our needs and top security solution. Prior to Sophos, we were using a separate anti-adware solution along with a security solution to stop viruses and spyware. This approach worked, but by consolidating into one solution, we improved the efficiency of the workstation and manageability for the administrators, therefore lowering our TCO.”
– Pramesh Naik, enterprise support manager at Kilpatrick Stockton

“From the Sophos console, you manage every aspect of security as well as endpoint control. Any malware detected shows an alert so you know which computer needs attention and what to do. In many cases, you can do it from within the console, and if not, you know immediately which machine to go to. During normal operation, the Anti-virus and Anti-spyware is updated hourly — that’s right, hourly. In the event of an outbreak somewhere in the world, it will update even more often.”
– Dave Coe, Independent Security Specialist, Longmont Toyota

“The Sophos endpoint solution simplified management for Ferrellgas, enabling threats to be monitored at the desktop level. Technicians can automatically deploy and manage the assessment, control and protection from one console. This has enabled us to be proactive in confronting issues, which in turn has increased end-user confidence in our abilities.”
– Greenwood Leflore Hospital

“Sophos has an intimate understanding of the complexity of the university environment and the need to manage multiple threats through an integrated solution, while allowing a high degree of user control.”
– University of British Columbia
Slide 4

Understand the total cost of ownership for endpoint security solutions
A TCO white paper

Executive summary

Organizations considering moving to an endpoint security solution often assume that the costs of switching from their current anti-virus vendor will be greater than upgrading with that vendor. To shed some light on this issue, Sophos, a leading endpoint security vendor, commissioned an independent research study to uncover and quantify all of the cost areas involved in migrating (upgrading or replacing) to an endpoint security product and managing the solution, to gain a total cost of ownership (TCO) comparison between the leaders in the field.

The nine companies interviewed for this study had previously been running Symantec’s or McAfee’s anti-virus product before switching to Sophos Endpoint Security and Control. Real data from customers’ experiences was collected to compare the true and complete costs of switching to and managing with Sophos versus upgrading and managing with the current vendor.

Companies interviewed in depth, and whose costs were analyzed, included:
• Amica Mutual Life Insurance
• Lincoln Public Schools
• AW Chesterton
• British Services Company
• Central Ohio Primary Care Physicians
• US Healthcare Provider
• CGH Medical Center
• German Company
• Escambia County School District

The results show that the value of switching to and managing endpoint security with Sophos is immediate and significant. The overall TCO costs of switching to Sophos are actually less than upgrading with the existing vendor. Moreover, there are no net new cost areas in switching to Sophos that would not still be incurred in upgrading with the existing vendor. A sample company with 3,400 users can save $110,000 in Year one and a total of $504,000 over five years by switching to Sophos. The chart below shows the present value of the total costs for Symantec and McAfee (collectively referred to as the installed endpoint protection vendors in this study) and Sophos over five years.
Slide 5

Key sources of cost

The cost savings of switching to the Sophos Endpoint Security and Control solution rather than upgrading with an installed endpoint protection vendor (specifically Symantec Endpoint Protection and McAfee Total Protection for Enterprise) are clear and compelling. Based on interviews with technical decision-makers and influencers at a number of corporate and public sector organizations in the US and Europe, the cost savings fall into two main categories:
• Upgrade or replace (Year 1 costs)
• Manage/ Ongoing operations (Annual costs)
These two cost areas can be further broken down into a set of specific costs.

Cost area: Upgrade or replace
Specific costs:
• Licensing
• Additional Hardware and Software
• Upgrade or replacement effort

Cost area: Manage / Ongoing operations
Specific costs:
• Infrastructure management
• Help desk team
• Escalation team
• End user productivity

These costs will be fully explained and supported in the next section.

Cost Example

The following TCO example illustrates the potential cost savings of switching to Sophos Endpoint Security and Control for a sample corporation with 3,400 users and the expected operational statistics post upgrade for one of the installed endpoint protection vendors.

In addition, the sample company required an extra physical server for both scenarios (upgrading with the current vendor and switching to Sophos). No other extra hardware (physical or virtual servers) or software (server licenses) was needed for migration.

TCO Example (Cost Element: Sample Company)
• Time to manage endpoint security: 20 hours per week
• Help Desk calls related to endpoint security (Tier 1 issues): 75 calls per month
• # of endpoint security detections (spyware, adware, viruses, etc.) prior to execution: 20 detections per week
• Time to remediate Tier 2 issues: 3 hours per week
• Time to remediate Tier 3 issues: 10 hours per week
• # of annual service interruptions due to endpoint security issues: 1 interruption per year
• # of users affected per interruption: 10 users
• Hours of downtime per interruption: 6 hours
• Lost productivity due to downtime and bandwidth reduction: 15 minutes per user per week

Tier 1 issues have arisen before and the solutions have been documented for the help desk team to follow. Tier 2 issues are common threats that can be handled by internal technical staff. Tier 3 issues are new threats that require vendor support to remediate.

Cost source 1: Upgrade or replace

1. Licensing (software and technical support). Interviewees consistently cited licensing costs as the key reason why they switched to Sophos Endpoint Security and Control rather than upgrading to Symantec Endpoint Protection or McAfee Total Protection for Enterprise. However, licensing typically only represents 20% of the TCO

“McAfee proved to be more expensive from the point of view that it charged for every module. When we reviewed Sophos it was all part of one purchase and the price was less than for McAfee.”
– Technical Services Manager, British Services Company
Slide 6

(the labor costs were 3X to 4X more significant). The Sophos license price was lower even for customers who were comparing it against the upgrade price for their current vendor (no new licenses). Customers also mentioned that the pricing was more straightforward with Sophos because it included all six endpoint security components (anti-malware, HIPS, application control, device control, client firewall and basic network access control) in one price, whereas the installed endpoint protection vendors charged separately for several of these security components. For the sample corporation with 3,400 users, a three-year deal with Sophos cost $117,300, 10% less than the cost of upgrading with the current vendor.

Impact for sample company: $12,648 Year 1 cost savings

Standard technical support is included in the license price and there is an additional charge for a higher level of support for both Sophos and the installed endpoint protection vendors. The companies included in this study did not evaluate the higher levels of support, so this cost was not a factor in the TCO.

2. Additional hardware and software. For the companies interviewed the cost of additional hardware and software to migrate to an endpoint security product was not significant. These costs include: console, messaging and updating servers as well as server licenses. The cost of additional hardware and software can be significant for organizations that need to manage platforms other than Windows (educational institutions) or multiple platforms as well as large numbers of remote users. With Sophos a single, automated management console centrally deploys and manages endpoint security for Windows, Mac and Linux, whereas the installed endpoint protection vendors either require multiple consoles or do not support these platforms. The companies interviewed for this study did not meet these criteria, so the additional hardware and software costs were not significant whether upgrading with the current vendor or switching to Sophos. To calculate these costs in the model the following industry averages were used: $8,000 for a physical server, $2,000 for a virtual server and $1,000 for a server license. The additional hardware and software cost was the same for the two options (upgrading or replacing) for the sample company. In both cases one additional virtual server was required at a cost of $8,000.

Impact for sample company: Year 1 cost is the same for the two options

3. Upgrade or replacement effort (internal and external professional services). Migrating to an endpoint security solution involves planning, building the infrastructure, deploying the new product and post-deployment cleanup of any remaining detections. Some companies rely solely on their infrastructure manager to do this work while others purchase professional services contracts with the vendor to alleviate the workload on the infrastructure manager. Interviewees described upgrading to an endpoint security product with Symantec as a daunting task. This was primarily due to the difficulty in removing all of the old versions of the product, which is required before installing an endpoint security solution. Customers found replacement easier than upgrading because of the effectiveness of Sophos’ client removal tool and the ability to deploy the solution automatically from a single console. Companies interviewed estimated that it would take 1 hour to upgrade 10 endpoints with Symantec and McAfee. For medium to large enterprises with 2,000 to 20,000 users that adds 200 to 2,000 hours to the Infrastructure Manager’s workload. On the Sophos side, the replacement process takes 35 hours regardless of the number of users.

The infrastructure manager at the sample company spent 35 hours to migrate the company’s 3,400 users to Sophos. This same effort would have required 340 hours with Symantec or McAfee. With an annual salary of $80,000 this totaled $1,400 for

“Sophos was the only solution that didn’t care if clients are Macs or PCs — it was the only cross platform solution at the time.”
– Director of Technology, Lincoln Public Schools

“Sophos has saved me a lot of time with their administration tools. The deployment is easier and I’ve been impressed with the client removal tool, it removes Symantec well.”
– IT Manager, CGH Medical Center
Slide 7

Sophos, 90% less than the cost would have been to upgrade with the existing vendor.

This cost savings enabled the sample company to purchase onsite professional services from Sophos to assist the infrastructure manager in this effort and still resulted in a lower cost than if the company upgraded with its current vendor (with no professional services included).

Impact on sample company: $1,600 Year 1 cost savings

Cost Source 2: Manage/ ongoing operations

1. Infrastructure management. The key tasks that fall under managing endpoint security are: adding new users, managing policies, managing updates, managing upgrades, troubleshooting, reporting, managing multiple platforms and managing remote users. Companies interviewed for this study universally agreed that it is easier to do these tasks from the Sophos management console than from Symantec or McAfee’s console. The single Sophos console centralizes and automates the key tasks involved in managing endpoint security, and the dashboard provides instant visibility of the protection status for all Windows, Mac and Linux users so that it’s easy to identify machines that require attention. If the infrastructure manager needs vendor support, Sophos offers unlimited access to in-house support experts 24x7x365.

The infrastructure manager at the sample company spent 5 hours per week managing endpoint security with Sophos. In comparison this would require 20 hours per week with either Symantec or McAfee. With an annual salary of $80,000 this totaled $10,000 per year for Sophos, resulting in a 75% cost savings.

Impact for sample company: $30,000 annual cost savings

2. Help desk team. The help desk team is responsible for fielding user calls, collecting user data and remediating issues. They deal with Tier 1 issues that have arisen before and whose solutions have been documented for the help desk team to follow. Interviewees have experienced a much smaller volume of help desk calls related to endpoint security issues with Sophos compared to Symantec and McAfee. With Sophos the infrastructure manager has greater central control and visibility into the protection status of all users, therefore potential security flaws, like out-of-date anti-virus protection or a disabled firewall, are addressed before they impact the user.

The sample company’s help desk team was used to getting 75 endpoint security calls per month with one of the installed endpoint protection vendors. With Sophos that number has decreased to 25 calls per month. The average Tier 1 call takes 45 minutes to resolve and at $25 per hour the Sophos cost was $6,683, which was 66% less than the cost for the former vendor.

Impact for sample company: $13,567 annual cost savings

3. Escalation team. The companies included in this study admitted they had a false sense of security with the installed endpoint protection vendors. The first evidence of this was when Sophos detected issues during the replacement process that the former vendor missed. A key reason for switching to Sophos was better protection, and companies have experienced a 50% increase in the number of detections prior to execution with Sophos. Sophos detects viruses, spyware and adware, suspicious behavior and files, removable storage devices and unauthorized applications. Sophos definition file updates are small and are released as frequently as every five minutes for fast protection with low impact on network resources. Additionally, Sophos’s HIPS prevention provides detection that automatically guards against new and emerging threats. In a 2007 study conducted by Cascadia Labs, Sophos detected 86% of newer threats compared to 43% for McAfee and 51% for Symantec. The Escalation Team deals with Tier 2 and Tier 3 issues. Tier 2 issues are ones that internal technical

“The Sophos console provides a snapshot of what’s going on at a glance. Symantec is definitely not easy to use. We need to see at a glance if there’s something wrong.”
— Technical & Operations Security Administrator, US Healthcare Provider

“The high volume of calls to our IT Department with McAfee was one of the key reasons why we switched to Sophos.”
– Head of Global System & Security Solutions, German Company
Slide 8

experts can remediate on their own while Tier 3 issues require vendor support to resolve. The breakdown of Tier 2 and Tier 3 issues is typically 75% and 25% respectively, according to the interviewees.

Not only does Sophos detect more issues before they execute but it also requires less effort to handle them. The visibility provided by the Sophos management console enables the escalation team to easily find machines that need attention, and in many cases issues can be resolved remotely from the console. For Tier 3 issues, such as new threats that require a new definition file, Sophos’ in-house technical experts are available 24x7x365 and the interviewees have seen a 50% improvement in response time with new definition files with Sophos compared to Symantec and McAfee.

The number of endpoint security detections pre execution increased 50% to 30 per week when the sample company switched to Sophos. Conversely, the time to resolve these detections decreased by 50% to 1.5 hours (Tier 2) and 5 hours (Tier 3) with Sophos. With an annual salary of $60,000 the total escalation team cost was $129,675 with Sophos, 24% less than the cost for the installed endpoint protection vendor.

Impact for sample company: $39,725 annual cost savings

For companies that are not large enough to have an escalation team this work is handled by the infrastructure manager.

4. End user productivity. While end user productivity has not historically been measured, the companies interviewed have seen an improvement with Sophos in two areas: i) downtime due to infections and version upgrades, and ii) the bandwidth reduction due to definition file updates and the memory required to run the endpoint security solution. With the installed endpoint protection vendors companies typically experience one service interruption per year, which affects 10 users for about 6 hours on average. Companies did not have a single downtime event with Sophos due to its ability to catch more threats, especially new and emerging threats with its HIPS technology.

Sophos definition file updates are small (2K-70K) and frequent (every 5 minutes) so they provide more protection with less impact on the end user. McAfee and Symantec updates are sent out once a day so they are larger and expose the network to more potential threats. In addition to the impact of the updates, the memory footprint when the program is running is smaller with Sophos than McAfee or Symantec. As companies begin to track this metric the magnitude of the cost savings will likely grow.

With 3,400 users and an average salary of $50,000 the sample company saved $1,500 a year since it did not experience any service interruptions with Sophos (compared to one annual interruption that affected 10 users for 6 hours with the former vendor). The company’s 3,400 users also regained 5 minutes per week in lost productivity with Sophos. The cost was $10,625 with Sophos and 50% less than the cost with the installed endpoint protection vendor.

Impact for sample company: $12,125 annual cost saving

“The time I spent resolving spyware and adware issues with Symantec will be cut in half or more with Sophos.”
– IT Manager, CGH Medical Center

“Right out of the gate Sophos was finding more vulnerabilities. There is the potential for less downtime at the individual desk. Sophos is finding more things up front so there is less potential for issues at the endpoint.”
– Network Operations Section Manager, Amica Mutual Life Insurance

“With Sophos we’re being proactive rather than reactive. We’re trying to avoid infections so we don’t have to spend time cleaning them up.”
– Network Administrator Manager, AW Chesterton

“Sophos’s memory footprint and program footprint are much smaller than Symantec’s.”
– Network Administrator, Central Ohio Primary Care Physicians
Slide 9

Overall costs

For the sample company, the present value of the total costs of upgrading to the endpoint security product for the installed endpoint protection vendors and managing the solution over five years was $1.3 million. In comparison, the total cost of switching to and managing Sophos Endpoint Security and Control over five years was $880,000. The costs were calculated based on licensing, infrastructure and operational data provided by the companies interviewed. In total there is a $504,000 cost savings in switching to and managing Sophos Endpoint Security and Control.
Source: Sophos

The chart below shows the extent to which each of the cost categories contributes to the total costs for Sophos and the installed endpoint protection vendors over five years. The labor and licensing costs were the major costs and the Sophos costs are 2/3 of the costs for Symantec and McAfee. The labor costs represent the lion’s share of the TCO at 3x to 5x the licensing fee for Sophos and the installed endpoint protection vendors respectively.
Source: Sophos
Slide 10

From the Gartner Files
A Buyer’s Guide to Endpoint Protection Platforms

The traditional “point” markets for antivirus (AV) tools and personal firewalls have been eclipsed by broader suites of related security technologies, which Gartner has identified as endpoint protection platforms (EPPs). The choice of an EPP will depend heavily on enterprise-specific requirements, so chief information security officers (CISOs) and other security professionals evaluating EPP offerings should use Gartner’s guidance to identify their most-likely current and future needs, and select the EPP that will most-effectively address them.

Key Findings
• The market for EPP suites is marked by a broad range of solutions, with significant differentiation among vendors and their offerings.
• No single vendor leads in all functional areas, so buyers need to prioritize their requirements to address the needs of their specific business, technical and regulatory environments.

Recommendations
• Make plans to phase out point products for AV and anti-spyware tools, host-based intrusion prevention systems (HIPSs) and personal firewalls, and replace them with an EPP suite as support contracts expire.
• Demand that your current AV technology vendor identify the HIPS techniques included in its base AV client and detail its road map. Deploy full-blown HIPS capabilities for systems with high security requirements, but prepare for some increases in administration requirements.
• If you haven’t already instituted a full-disk encryption program for mobile clients, then do so immediately for notebook computers carrying sensitive data. Consider encryption from your incumbent end-node protection vendor, because common management, established client-side presence and suite pricing may make this option attractive.
• Consider the need for data loss prevention (DLP) capabilities in endpoint protection. The ability to simplify client-side agents with a common management framework is an advantage, but this consideration will often be outweighed by broader enterprise DLP requirements.
• Resist vendor “packaging” that includes gateway protection with endpoint protection. Focus on the client and server as one domain, and gateways as a separate domain. Resource-constrained small and midsize businesses (SMBs) may want to consider the advantages of centralized management of both domains, but they must also place higher priority on the unique requirements of each domain.

ANALYSIS

The traditional markets for dedicated endpoint security products — particularly AV tools and personal firewalls — have been eclipsed by broader suites of related security technologies, which Gartner has designated as “endpoint protection platforms.” An EPP suite typically includes AV and anti-spyware tools, a personal firewall, and may also offer network access control (NAC) capabilities and data protection technologies, such as DLP and full-disk encryption. The demand for holistic NAC solutions and the management requirements of large enterprises are also forcing EPP suite vendors to replicate some PC operations infrastructure, such as security configuration management, patching and software management. By combining multiple technologies into a single management framework, EPPs offer the promise of increased security while simultaneously lowering complexity, cost and administrative overhead.

1.0 Basic EPP Component Features and Functionality

The basic components of an EPP are an anti-malware signature database (containing information on malicious code, such as viruses, trojans and spyware), an HIPS and a personal firewall, linked by a common management and reporting console. An EPP may also include full-disk encryption and DLP tools. Increasingly, EPP management capabilities will emulate and integrate with operational tools to provide security configuration management, vulnerability assessment, application control and remediation tools for resilient infections. As data security and reimaging remediation become more pervasive, EPP suites will begin offering managed backup services and tools.

2.0 Advanced EPP Component Features and Functionality

CISOs and other enterprise security decision makers should consider advanced component features, which are becoming available, when designing RFPs or
scorecards to differentiate products under evaluation. No EPP will have all these features, and buyers must focus on the specific features they consider most important for their enterprises. The following list isn’t intended to be comprehensive, but rather representative of advanced functions that may compose part of a more-appropriate EPP solution.

2.1 Manageability and Scalability Capabilities
Reduced administration is one of the most-critical concerns of EPP administrators, and improved manageability and greater scalability will help reduce it and the associated overhead. A well-designed, task-oriented graphical user interface (GUI) and a comprehensive management interface will deliver lower total cost of ownership (TCO). Gartner recommends that when security professionals evaluate EPPs, they should develop a list of the top 10 to 20 most-common or most-critical endpoint security tasks (see Note 1), and use this list as a guideline for comparison testing and demonstration of solutions. The necessary management capabilities will depend heavily on enterprise-specific needs and available technical skills. The following representative list details advanced EPP management capabilities as well as the factors influencing them.

2.1.1 Management GUI
• A task-oriented (not feature-based) management GUI can simplify management by hiding unnecessary complexity from less-sophisticated users, but enable more-technically skilled users to drill down to granular details (see Note 2).
• Management pages should ideally have a consistent look and feel, as well as the ability to switch over from dashboards to configurations of different elements. This is especially important because suite vendors often grow by acquisition, and, as a result, the degree of management and reporting integration into a common, centralized management console may vary.
• Granular role-based administration should ideally include predefined roles as well as the ability to customize and add/remove options.
• The EPP should offer the capability to create different management GUI work space views (for example, administrator or help desk view), preferably with users’ ability to adjust their default views.
• A customizable “toolbox” element that allows the consolidation of common tasks into a single user-defined menu is useful.
• “Globalization” capabilities — including global support, centralized management and reporting, and necessary language support for the management interface and the end-user interface — are important for enterprises with operations across multiple regions.

Note 1: Examples of Common Tasks
• Review the home page dashboard and pay particular attention to the placement of indicators that illustrate negative changes in the security posture of endpoints. Look for direct links to more information, recommendations and action steps to resolve events.
• Tour the report center, create a custom report, and schedule it for delivery to an e-mailbox or Web server/portal.
• Show alert configuration capability and integrate an alert with an external subscriber identity module.
• Show real-time data that lists clients on a network that don’t have an EPP agent installed.
• Create or edit the policy elements that can be delegated (or restricted) to end users.
• Create or edit the policy for client update distribution.
• Create or edit the policy to automatically push the EPP client to an endpoint that doesn’t have it installed.
• Configure scheduled scans for endpoints. Focus on the ability to limit CPU use, and delegate the ability for end users to delay scan execution.
• Create or edit the port (that is, USB, CD or infrared) control configuration, and pay particular attention to the granularity of the restrictions, the linkage to file types, and encryption, if any.
• Create or edit a VPN policy (that is, deny split tunneling) for a specific Active Directory group.
• Create or edit a location-based policy, and pay attention to the level of automation in selecting when a policy should be invoked.
• Create or edit a Wi-Fi-specific policy.
• Create or edit a whitelisting and/or lockdown configuration for a certain group of PCs. Add a new executable program to the whitelist. Autogenerate a whitelist from the installed applications on a PC. Authorize a software distribution method and directory as a whitelisted source of applications.
• Show a single-page summary of client configuration information and print it for review.
• Review the HIPS policy configuration and step through the false-positive handling process, including deactivating a specific HIPS rule for a specific application.
• Edit role-based administration and hierarchical administration to add a new role.
2.1.2 Scalability
• Centralized management with automatic configuration and policy synchronization among management servers may be particularly useful in large deployments.
• Native management-server redundancy — for example, using load balancing active/active clustering within and across LANs, or automatic active/standby failover without a single point of failure, such as a designated master/slave — can be a useful differentiator.
• EPPs should include multiple directory integration options — including Active Directory and Lightweight Directory Access Protocol (LDAP) — as well as the ability to integrate with multiple directories and traverse directories to find user groups and authentication information.
• A software-as-a-service (SaaS)-based managed console that eliminates the need for a dedicated server to manage endpoints may be useful, particularly for SMBs.
• The ratio of management servers to clients is an important consideration for large enterprises, and one that will impact the TCO. For smaller businesses, the management server should work on a shared server.
• EPP vendors are gradually adding PC life cycle tools (such as asset discovery, configuration management, vulnerability assessment and software management) as a way to inoculate PCs against unknown threats that target known vulnerabilities. Buyers should evaluate their needs with regard to the integration of these tools and consider the strategic direction of prospective EPP vendors.
• The management system should be able to automatically detect new or rogue endpoints that don’t have an EPP client installed. This is a function that may be integrated into the enterprise’s NAC system, but shouldn’t be dependent on NAC, and should be able to detect clients that have already joined the domain.

Note 2: Task-Based System
A task-based system can be evaluated by creating a list of common tasks and comparing the number of steps required to complete each task.

2.1.3 Reporting and Dashboards
• Buyers should look for a real-time home page dashboard that enables rapid troubleshooting of security events or server issues — ideally with actionable dashboard elements that make it possible to click on an event or graph and initiate steps that enable better understanding of the issues involved and the steps required for alert resolution.
• Threshold alerting capabilities may use delivery mechanisms such as e-mail, Short Message Service (SMS) and Simple Network Management Protocol (SNMP), with threshold alerts for dashboard statistics and policy thresholds.
• The appropriate range of client information that can be collected and reported to the management server is growing in importance as a differentiator. Most EPP suites collect information only about the status of the EPP suite. However, as endpoint hygiene becomes more critical, information about the status of patch levels, configurations, software inventories and vulnerabilities is becoming more important.
• The management server should be capable of collecting client status information in real time, rather than in scheduled delta updates. The ability to collect information from mobile endpoints that aren’t connected to the network hosting the management server can be a significant competitive differentiator.

2.1.4 Policy Management
• A “wizard type” installation mechanism with optimal default settings for different-size environments can reduce deployment complexity.
• A single-page policy with intelligent drop-down “pick lists” and fields that change based on previous optional selections (without multiple pop-up windows or the need to visit several tabs to create a single policy) makes policy development easier and more intuitive.
• There should be an option to view or print a human-readable policy summary that greatly simplifies auditing and troubleshooting.
• A complete audit log of policy changes is essential, especially for organizations that take advantage of extensive role-based administration and delegated end-user administration to ensure audit compliance.
• The ability to stage signatures or policies and to quickly roll back changes is increasingly important because fewer enterprises are testing signatures before deploying them.
• The EPP suite policy must allow off-LAN clients to automatically update from the EPP vendor’s primary database for signature and HIPS updates, when the enterprise server is unreachable or otherwise unavailable.
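The rogue-endpoint requirement in 2.1.2 (detect domain-joined machines with no EPP client, without depending on NAC) comes down to reconciling two inventories. The following is an added example, not code from the Gartner guide or from any EPP product; it works on constructed data, with the directory computer list and the agent heartbeat records standing in for an Active Directory export and the management server's check-in table. Besides unmanaged hosts it also reports agents that have gone silent, which usually indicates a disabled or broken client, and agents on hosts the directory has never seen.

```python
"""Reconcile directory-joined computers against EPP agent check-ins.

Added example (not from the Gartner guide or any EPP product). Two constructed
inventories stand in for real data: the computer objects a directory such as
Active Directory holds, and the last heartbeat each agent sent to the
management server.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List


@dataclass(frozen=True)
class AgentRecord:
    hostname: str           # as reported by the agent
    last_checkin: datetime  # last heartbeat received by the management server
    version: str


@dataclass
class Reconciliation:
    unmanaged: List[str]       # in the directory, no agent has ever reported
    stale: List[str]           # agent known, but silent for longer than max_age
    unknown_agents: List[str]  # agent reported from a host the directory lacks


def canonical(hostname: str) -> str:
    """Directory objects come as 'HOST$' or FQDNs; compare short names case-insensitively."""
    return hostname.rstrip("$").split(".")[0].lower()


def reconcile(directory_hosts: Iterable[str], agents: Iterable[AgentRecord],
              now: datetime, max_age: timedelta) -> Reconciliation:
    directory = {canonical(h) for h in directory_hosts}
    by_host = {canonical(a.hostname): a for a in agents}
    managed = set(by_host)
    unmanaged = sorted(directory - managed)
    stale = sorted(h for h in directory & managed
                   if now - by_host[h].last_checkin > max_age)
    unknown = sorted(managed - directory)
    return Reconciliation(unmanaged, stale, unknown)


# Constructed sample data: one laptop with no agent, one workstation whose agent
# went quiet 12 days ago, and an agent on a host the directory has never seen.
NOW = datetime(2009, 6, 1, 12, 0, 0)
DIRECTORY_HOSTS = ["WS001$", "ws002.corp.example", "LAPTOP07$", "SRV-FILE01$"]
AGENTS = [
    AgentRecord("ws001", NOW - timedelta(minutes=5), "9.0.1"),
    AgentRecord("WS002", NOW - timedelta(days=12), "9.0.1"),
    AgentRecord("srv-file01", NOW - timedelta(hours=1), "9.0.0"),
    AgentRecord("contractor-pc", NOW - timedelta(minutes=1), "9.0.1"),
]


def sample_report(max_age_days: int = 7) -> Reconciliation:
    """Run the reconciliation over the constructed inventories."""
    return reconcile(DIRECTORY_HOSTS, AGENTS, NOW, timedelta(days=max_age_days))


if __name__ == "__main__":
    report = sample_report()
    print("unmanaged (directory-joined, no agent):", report.unmanaged)
    print("stale agents (no check-in in 7 days):", report.stale)
    print("agents not in the directory:", report.unknown_agents)
```

The stale threshold is the knob worth tuning: too short and every travelling notebook shows up, too long and a client that malware disabled stays invisible for weeks. Feeding the unmanaged list into the automatic client push described under the common tasks in Note 1 closes the loop.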
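Three of the 2.1.4 policy management requirements (a complete audit log of policy changes, staging a change to a pilot group, and quick rollback) fit naturally in one versioned policy store. The block below is an added example and not the Gartner guide's or any vendor console's code; the policy settings, administrator names and group names are constructed. Every change creates a new immutable version and an audit entry recording who, when and which settings changed; a version is live only where it has been staged or once it is promoted to production.

```python
"""Versioned policy store with an audit trail, staged rollout and rollback.

Added example, not code from the Gartner guide or any vendor console. Settings,
user names and group names are constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Any, Dict, List, Tuple


@dataclass(frozen=True)
class PolicyVersion:
    number: int
    settings: Dict[str, Any]
    changed_by: str
    changed_at: datetime
    comment: str


@dataclass(frozen=True)
class AuditEntry:
    at: datetime
    who: str
    action: str    # create | change | stage | promote | rollback
    version: int
    detail: str


class PolicyStore:
    def __init__(self, name: str, settings: Dict[str, Any], who: str, at: datetime):
        self.name = name
        self.versions: List[PolicyVersion] = [PolicyVersion(1, dict(settings), who, at, "initial")]
        self.audit: List[AuditEntry] = [AuditEntry(at, who, "create", 1, "")]
        self.production = 1               # version every unstaged group receives
        self.staged: Dict[str, int] = {}  # pilot group -> version under test

    def _version(self, number: int) -> PolicyVersion:
        if not 1 <= number <= len(self.versions):
            raise ValueError(f"unknown version {number}")
        return self.versions[number - 1]

    def change(self, updates: Dict[str, Any], who: str, at: datetime, comment: str = "") -> int:
        """Record a new version; it is not live anywhere until staged or promoted."""
        old = self.versions[-1].settings
        diff = "; ".join(f"{k}: {old.get(k)!r} -> {v!r}"
                         for k, v in sorted(updates.items()) if old.get(k) != v)
        if not diff:
            raise ValueError("update changes nothing")
        number = len(self.versions) + 1
        self.versions.append(PolicyVersion(number, {**old, **updates}, who, at, comment))
        self.audit.append(AuditEntry(at, who, "change", number, diff))
        return number

    def stage(self, number: int, group: str, who: str, at: datetime) -> None:
        self._version(number)
        self.staged[group] = number
        self.audit.append(AuditEntry(at, who, "stage", number, f"group={group}"))

    def promote(self, number: int, who: str, at: datetime) -> None:
        self._version(number)
        self.production = number
        self.staged.clear()  # pilot groups fall back to the new production version
        self.audit.append(AuditEntry(at, who, "promote", number, ""))

    def rollback(self, number: int, who: str, at: datetime, reason: str) -> None:
        """Make an earlier version production again in one step; the audit log keeps why."""
        self._version(number)
        previous = self.production
        self.production = number
        self.staged.clear()
        self.audit.append(AuditEntry(at, who, "rollback", number, f"from v{previous}: {reason}"))

    def effective(self, group: str) -> Dict[str, Any]:
        """Settings a client in `group` receives right now."""
        return dict(self._version(self.staged.get(group, self.production)).settings)

    def actions(self) -> List[str]:
        return [e.action for e in self.audit]


def demo() -> PolicyStore:
    """Change, stage, promote, then roll back a constructed scheduled-scan policy."""
    t = datetime(2009, 6, 1, 9, 0, 0)
    store = PolicyStore("scheduled-scan", {"cpu_limit_pct": 30, "user_may_delay": False}, "alice", t)
    v2 = store.change({"user_may_delay": True}, "bob", t.replace(hour=10), "let users defer scans")
    store.stage(v2, "pilot", "bob", t.replace(hour=11))
    store.promote(v2, "bob", t.replace(hour=12))
    store.rollback(1, "alice", t.replace(hour=13), "help-desk tickets about skipped scans")
    return store


def staged_view() -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Effective settings for the pilot group and a regular group while v2 is only staged."""
    t = datetime(2009, 6, 1, 9, 0, 0)
    store = PolicyStore("scheduled-scan", {"cpu_limit_pct": 30, "user_may_delay": False}, "alice", t)
    v2 = store.change({"user_may_delay": True}, "bob", t.replace(hour=10))
    store.stage(v2, "pilot", "bob", t.replace(hour=11))
    return store.effective("pilot"), store.effective("finance")
```

Rollback never deletes a version, so the audit trail stays complete for the delegated-administration case the guide mentions; the diff string in each "change" entry is what an auditor reads to see exactly which setting a delegated administrator touched.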
• A configuration backup utility and configuration preservation between version upgrades can save administration time and resources.

2.1.5 Client Agents
• The number of required clients and the client disk and memory footprint are good indicators of the level of integration among EPP components and the efficiency of the client. Ideal solutions will provide a single consolidated agent with component parts that can be remotely enabled and disabled.
• The ability to natively distribute the full client agent and remove competing products is a useful differentiator. Some solutions simply provide a multisourcing service integrator (MSI) file (Windows Installer package) for use by other software distribution tools, while other solutions won’t remove other AV products, which can create conflicts.
• The client interface should be adaptable to allow for a full range of delegated end-user control. Advanced solutions enable administrators to delegate or restrict any client option.
• Scheduled scans are one of the most-problematic aspects of signature-based anti-malware tools. Options that limit the client impact of scheduled scans are a significant EPP differentiator. Advanced features include the ability to delay scans based on battery life, running process or CPU usage. More rare is the ability to “wake and scan” PCs during off-hours. Scheduled memory scans should be independent of disk scans.
• Specific features and licensing for virtualized environments, such as VMware, Citrix and Hyper-V, remain rare, but are increasing in importance. EPP buyers should seek clarity on what’s actually supported and what back-end processes have been changed. It’s important to ensure that the vendor’s support personnel are properly trained, that its labs are appropriately configured and that its software products are certified for virtualization. Most host-based software provides no protection for the hypervisor layer.

2.2 Malware Detection Capabilities
The quality of the malware scan engine — the “anchor” solution of an EPP suite — should be a major consideration in any RFP. The following are some of the advanced malware-oriented features of EPPs that buyers should be looking for:
• Most enterprises’ IT security organizations’ capability to accurately test malware engines in real-world situations is limited, at best. Test results from organizations such as are useful guides of scanning accuracy (including false positives) and scanning speeds. In the absence of other information, good test scores are better than poor test scores, but buyers should be aware that these tests don’t accurately reflect how users encounter malware in the real world. Moreover, they don’t test all proactive techniques for blocking malware, such as HIPS, vulnerability detection and configuration management. Buyers should be very wary of vendor-sponsored tests and not put too much weight on specific test results.
• Signatures should be as broad as possible so they can detect new variants of old threats without new signatures, and, thus, avoid causing false positives. Retrospective testing (that is, testing old signature databases against new variants of old malware) is the best way to evaluate this capability.
• Ideally, EPP solutions should provide much-faster identification and rapid distribution of signatures for new threats. However, this is a difficult benchmark to test. Some solutions will have slower signature distribution for a new threat, because their generic signatures or HIPS rules are already effective in blocking that threat.
• Signature databases should include all types of malware (including spyware, adware, viruses, trojans, keystroke loggers, droppers, back doors and hacking tools) in a single database, with a single update mechanism and a single scan engine agent.
• The capability to detect rootkits and other forms of low-level malware, once they’re resident in enterprise systems, is a significant consideration. Some solutions’ functionality is limited to catching rootkits as they install, while others have the ability to inspect raw PC resources and compare them to Windows file tables, seeking discrepancies that will indicate the presence of rootkits.
• Malware engines should continuously monitor system resources (for example, host file, registry, Internet Explorer settings and dynamic-link-library changes) for changes that might indicate the presence of suspicious code.
• Malware removal features and outbreak filters to stop propagation are important differentiators among vendors and their offerings. These capabilities should be understood and tested, because modern malware is significantly more complex than that of previous generations, and often involves multiple components with sophisticated “keep alive” routines.
• EPP solutions should include client-based URL filtering to block clients from visiting Web sites that are known security risks, because malware is increasingly shifting to Web distribution methods.

2.3 Advanced HIPS Capabilities
AV/anti-spyware databases are 90% to 99% effective at detecting well-known, widely circulated threats, but only 20% to 50% are effective at detecting new or low-volume threats. Security effectiveness is significantly enhanced by HIPS, but there’s no generally accepted method of testing the HIPS effectiveness of different solutions.
EPP buyers should take the time to understand how many and which of the nine HIPS protection styles are included in the base malware signature engine that’s used to detect and block unknown threats (zero-day or targeted threats), and which are additional HIPS capabilities that can often increase the administration burden due to management of false positives. For these reasons, Gartner recommends focusing on ease-of-management functions, which make HIPS adaptable enough for the enterprise network:
• The HIPS solution must, as a core principle, enable the administrator to choose and tune the styles of protection that are needed, based on the requirements and resources of the endpoint, and to configure protection to reflect the enterprise’s overall tolerance for risk and administrative overhead.
• Despite the need for fine-tuning capabilities, the best solutions will provide preconfigured “out of the box” templates for common application and system configurations, as well as a learning mode for enterprise environments and the ability to test policy in a log-only mode.
• HIPS techniques have no standard terminology; therefore, it’s essential that buyers ask vendors to list and describe the HIPS techniques in detail, so that buyers can create a standardized list of techniques and compare their breadth and depth across vendors. Buyers should also understand which techniques are included in the base client, which are optional, and what other charges, if any, are required for additional protection styles.
• Some vendors offer only binary control over HIPS, which allows administrators to turn them on or off. Enterprise IT organizations are unlikely to concern themselves with every setting in detail, but it’s important to have granular control that makes it possible to turn off certain rules for specific applications to accommodate false positives.
• One very effective HIPS technique is “vulnerability shielding” — the ability to inspect and drop attacks based on knowledge of the specific vulnerabilities they exploit. This technique allows protection against attacks and against known vulnerabilities before the vendor releases a patch, and makes it possible to “buy time” to propagate patches to all endpoints.
• The simulation of unknown code before the code is executed to determine malicious intent, without requiring end-user interaction with the unknown code (for example, using static analysis, simulation or reverse compilation techniques) is another deterministic technique, but it can be highly resource-intensive and should be used selectively.
• Buffer overflow memory protection is common, and should address heap-and-stack memory.
• Application control capabilities (for example, application whitelisting, also known as lockdown) are gaining significant interest as the volume of malware begins to surpass the volume of “good” corporate applications. There is significant R&D in this area, and this capability will be an important differentiator in the future. Application control features that EPP buyers should investigate include:
• How applications are identified and prevented from executing (for example, do they block the installation of applications or only the execution?) is an important differentiator.
• The mechanisms available for creating a whitelist will be critical to lower the administration overhead. Administrators should, for example, be able to automatically authorize applications that are properly signed, or come from trusted locations, processes or installers.
• Solutions should ideally provide signatures of known-good applications as a service, similar to current malware databases.
• Application control should extend to the execution of browser helper objects/controls within the context of Internet Explorer and other browsers.

2.4 Personal Firewall Capabilities
Basic personal firewall functionality (inbound port defenses) is available in the Windows XP Professional, Windows 2003 and Windows Vista operating systems. The Vista firewall has bidirectional capabilities, although outbound is turned off by default and activation requires significant setup. The Windows firewall is adequate for most desktop PCs that also have the benefits of network firewalls and network-based intrusion prevention. However, notebook computers and PCs with higher security requirements require more-comprehensive, two-way protection that adapts to multiple network contexts. Personal firewalls are differentiated by the flexibility of their policies (for example, an autosensing location-based policy), the breadth of their application profile policies (for example, the ability to prevent applications from exhibiting unusual network behaviors), the virtual private network (VPN) integration and the range of ports (for example, Universal Serial Bus [USB], FireWire, infrared, Wi-Fi and Bluetooth) they can protect:
• The ability to manage the Windows firewall and a more-advanced personal firewall in the same management console is a distinct advantage, because some enterprises will adopt the Windows firewall for on-LAN PCs.
• EPP solutions should offer the ability to create different firewall policies based on connection type — different network interface cards (NICs) or different networks — as well as the ability to dynamically apply policies based on network location — for example, Wi-Fi policy, on-corporate-LAN policy and public Internet policy.
• The integration of a client (IPsec) VPN is useful for enforcing remote access policies. Ideally, EPP solutions should allow unfettered Internet authentication, and then enforce VPN startup to direct remote access traffic back to the LAN.
• The ability to enforce a “one active NIC at a time” policy to block network bridging is a useful feature, and options that allow the disabling of inactive NICs are ideal.
• Application profiles that define normal application behavior, and can restrict network access for applications that aren’t approved or are potentially compromised, are useful application control features.
• A firewall must have the ability to block malicious attacks and end users attempting to disable the firewall.
• Log data — especially related to security incidents — should be extensive, searchable and accessible via the report engine to enable forensic investigation.

2.5 Port Control
Enterprises are increasingly concerned about USB ports as a channel for accidental or malicious data loss, or as an access point for malware, such as the recent Conficker worm. For this reason, granular port control is becoming a common feature of the personal firewall or an encryption component of an EPP suite:
• EPP solutions should provide the ability to create policies to control the broadest range of devices and device formats — for example, CD, DVD, USB, Bluetooth, 3G and general packet radio services — with policies defined, at minimum, by device class.
• The level of granularity that makes it possible to distinguish among device classes (for example, a mouse from a data storage device), and potentially to distinguish specific devices by serial number or manufacturer, is a worthwhile differentiator.
• Policies will ideally be file-type-aware so that they can allow or restrict access based on file type and action (for example, allowing “read only” access or allowing only document file types), and so that they can restrict application execution (for example, blocking auto-execute or all execution from a data drive).
• EPP offerings, when combined with encryption solutions, often allow policies to force encryption — for example, with “allow write but encrypt” and “password-protect files written to USB or CD storage” provisions.
• To minimize help-desk interaction, it’s useful to enable remote workers to “self authorize” device usage, and to allow privileged end users to use devices, but warn them that it’s against policy and that they should log their usage. At a minimum, EPP solutions should allow remote help desk activation of ports for users with administrator passwords.
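Section 2.2 asks that the malware engine continuously monitor the hosts file, registry, browser settings and libraries for changes that might indicate suspicious code. The simplest form of that check is a baseline-and-diff over cryptographic hashes, which the added example below demonstrates; it is not code from the Gartner guide or from any EPP engine. A real engine hooks the file system and registry and watches in real time, whereas this stand-alone version snapshots a constructed set of files in a temporary directory (standing in for the hosts file, a startup configuration, browser settings and a library), tampers with them, and reports exactly which category of change occurred.

```python
"""Baseline-and-diff change monitor for a few sensitive host resources.

Added example; not the Gartner guide's or any vendor's code. Labels, file
contents and the tampering applied in demo() are all constructed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_of(path: Path) -> Optional[str]:
    """Hex SHA-256 of a file, or None when the file does not exist."""
    if not path.is_file():
        return None
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(watched: Dict[str, Path]) -> Dict[str, Optional[str]]:
    """Hash every watched resource; a missing file is recorded as None, not skipped."""
    return {label: sha256_of(path) for label, path in watched.items()}


def diff_snapshots(baseline: Dict[str, Optional[str]],
                   current: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Classify each watched resource as modified, added (appeared) or removed."""
    changes: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for label in sorted(baseline):
        before, after = baseline[label], current.get(label)
        if before == after:
            continue
        if before is None:
            changes["added"].append(label)
        elif after is None:
            changes["removed"].append(label)
        else:
            changes["modified"].append(label)
    return changes


def demo() -> Dict[str, List[str]]:
    """Build constructed resources, take a baseline, tamper, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        watched = {
            "hosts": root / "hosts",                # name resolution overrides
            "startup.cfg": root / "startup.cfg",    # autostart entries (absent at baseline)
            "app.dll": root / "app.dll",            # a library the engine protects
            "iesettings.reg": root / "iesettings.reg",  # exported browser settings
        }
        watched["hosts"].write_text("127.0.0.1 localhost\n")
        watched["app.dll"].write_bytes(b"MZ" + bytes(64))
        watched["iesettings.reg"].write_text("ProxyEnable=0\n")
        baseline = snapshot(watched)

        # Constructed tampering: an extra hosts entry, a new autostart file and a
        # deleted library. The browser settings are left alone as a control.
        watched["hosts"].write_text("127.0.0.1 localhost\n127.0.0.1 www.example.com\n")
        watched["startup.cfg"].write_text("run=unknown.exe\n")
        watched["app.dll"].unlink()

        return diff_snapshots(baseline, snapshot(watched))


if __name__ == "__main__":
    for kind, labels in demo().items():
        print(f"{kind}: {labels}")
```

Hashing is deliberately used instead of modification times, since timestamps are trivially reset while a content hash is not; the cost is that the baseline must be refreshed after every legitimate update, which is the operational reason engines pair this check with the signature and policy update channel.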
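The application control bullets in 2.3 list the authorisation sources a whitelist should draw on (a known-good hash, a trusted signer, a trusted location or installer) and the HIPS bullets ask for a log-only mode to test a policy before enforcing it. The decision logic below ties those together; it is an added example, not code from the Gartner guide or from any EPP vendor. Execution events, hashes, publisher names and paths are constructed, and the signer arrives as an already-verified field because a real agent validates the signature chain itself before trusting the name.

```python
"""Application control (whitelisting / lockdown) decisions, with a log-only mode.

Added example; not code from the Gartner guide or any EPP vendor. Events, hashes,
publisher names, paths and the policy itself are constructed.
"""
from dataclasses import dataclass, field, replace
from pathlib import PureWindowsPath
from typing import List, Optional, Set


@dataclass(frozen=True)
class ExecEvent:
    path: str
    sha256: str
    signer: Optional[str]  # verified publisher name, or None if unsigned/invalid
    parent: str            # image name of the process that launched it


@dataclass(frozen=True)
class AppControlPolicy:
    mode: str = "enforce"  # "enforce" blocks; "log-only" records what would be blocked
    blocked_hashes: Set[str] = field(default_factory=set)
    allowed_hashes: Set[str] = field(default_factory=set)
    trusted_signers: Set[str] = field(default_factory=set)
    trusted_dirs: List[str] = field(default_factory=list)  # must not be writable by standard users
    trusted_installers: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Decision:
    allowed: bool      # what the agent actually does
    would_block: bool  # what the policy says, independent of mode
    reason: str


def _under(path: str, directory: str) -> bool:
    """True if `path` lies inside `directory` (case-insensitive, whole components only)."""
    parts = PureWindowsPath(path.lower()).parts
    base = PureWindowsPath(directory.lower()).parts
    return parts[:len(base)] == base


def evaluate(policy: AppControlPolicy, ev: ExecEvent) -> Decision:
    # Precedence: explicit block > known-good hash > trusted signer > trusted
    # location > trusted installer > default deny. A blocked hash wins even when
    # the file carries a trusted signature, so a withdrawn build stays blocked.
    if ev.sha256 in policy.blocked_hashes:
        would_block, reason = True, "explicit block"
    elif ev.sha256 in policy.allowed_hashes:
        would_block, reason = False, "known-good hash"
    elif ev.signer is not None and ev.signer in policy.trusted_signers:
        would_block, reason = False, f"trusted signer: {ev.signer}"
    elif any(_under(ev.path, d) for d in policy.trusted_dirs):
        would_block, reason = False, "trusted location"
    elif ev.parent.lower() in policy.trusted_installers:
        would_block, reason = False, f"trusted installer: {ev.parent}"
    else:
        would_block, reason = True, "not on whitelist (default deny)"
    allowed = not would_block or policy.mode == "log-only"
    return Decision(allowed, would_block, reason)


def decide_all(policy: AppControlPolicy, events: List[ExecEvent]) -> List[Decision]:
    return [evaluate(policy, ev) for ev in events]


def dry_run(policy: AppControlPolicy, events: List[ExecEvent]) -> List[str]:
    """Paths the policy would block: the list an administrator reviews in log-only mode."""
    return [ev.path for ev in events if evaluate(policy, ev).would_block]


def with_mode(policy: AppControlPolicy, mode: str) -> AppControlPolicy:
    return replace(policy, mode=mode)


# Constructed policy and execution events.
POLICY = AppControlPolicy(
    mode="enforce",
    blocked_hashes={"de" * 32},
    trusted_signers={"Contoso Ltd"},
    trusted_dirs=[r"C:\Program Files", r"C:\Windows"],
    trusted_installers={"msiexec.exe", "corp-deploy.exe"},  # corp-deploy.exe is a made-up name
)
EVENT_LIST = [
    ExecEvent(r"C:\Program Files\Vendor\app.exe", "11" * 32, None, "explorer.exe"),
    ExecEvent(r"C:\Users\bob\Downloads\tool.exe", "22" * 32, "Contoso Ltd", "explorer.exe"),
    ExecEvent(r"C:\Users\bob\AppData\Local\Temp\setup.exe", "33" * 32, None, "corp-deploy.exe"),
    ExecEvent(r"C:\Users\bob\AppData\Local\Temp\x.exe", "44" * 32, None, "explorer.exe"),
    ExecEvent(r"C:\Program Files\Vendor\old.exe", "de" * 32, "Contoso Ltd", "explorer.exe"),
]

if __name__ == "__main__":
    for ev, d in zip(EVENT_LIST, decide_all(POLICY, EVENT_LIST)):
        print("allow" if d.allowed else "block", ev.path, "-", d.reason)
    print("log-only would block:", dry_run(with_mode(POLICY, "log-only"), EVENT_LIST))
```

Two caveats follow from the precedence order. A trusted-location rule is only as strong as the directory permissions, which is why the example restricts it to paths standard users cannot write to; and trusting an installer process means trusting everything it spawns, so that rule belongs only to deployment tools whose own binaries are hash- or signer-pinned.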
• Advanced solutions will also include options for protecting data by blocking the “cut/copy/paste,” “print screen” and “print” commands.

2.6 Reporting Capabilities
Reporting capabilities are a significant differentiator for EPP offerings, and can make a significant difference in the administration overhead that’s associated with them. Buyers should consider “point in time” reporting, as well as “real time” dashboard capabilities:
• The dashboard should provide a real-time graphical and table-based view of system events, including system information, version information and actionable alerts.
• EPP solutions will ideally provide holistic security information about the current security status of endpoints, not simply the status of the EPP components. This may, for example, include information about vulnerabilities, compliance violations and unpatched machines, for managed and unmanaged machines on the network.
• Dashboards that offer Really Simple Syndication (RSS) feeds with relevant external news — for example, concerning global malware activities and vulnerabilities — are desirable. External trending information allows administrators to better understand internal activity levels and compare them to global events.
• The dashboard should be administrator-configurable so that the most-relevant information can be moved to the top of the page. Display options (for example, pie charts, bar charts and tables) should also be configurable so that information can be displayed in the format that specific administrators need.
• Reports and dashboards should include trending information against customizable parameters. For example, it should be possible to create a dashboard view or a report that shows percentage compliance against a specific configuration policy over time.
• Dashboards should be configurable for different roles so that each administrator can create a role-specific view.
• Information should be aggregated, and should also allow single-management server, cluster, LAN, geographical or global views in the same window, depending on administrator options and role limitations.
• Dashboard information should always allow administrators to drill down to the necessary level of detail with one click, instead of forcing them to switch to the reporting application, manually select the appropriate report and re-create the parameters that include the condition they want to investigate.
• Dashboards should also offer quick links to remediation actions (for example, clean quarantine, patching and software distribution), as well as quick links to malware encyclopedia information to resolve alerts.
• EPP offerings should include the ability to import or export data and alerts with security information and event management systems, or other reporting systems.
• The reporting engine should have the capability to run on-box for smaller solutions, or move to a centralized reporting server for consolidation and storage of multiple management servers’ log information, without changing the look and feel of the reports.
• The reporting engine should also have the capability to create custom reports (in the HTML, XML, comma-separated value and PDF output types), save them and schedule them for distribution via e-mail or FTP, or by moving them to the network directory.
• The database must enable rapid report queries and the ability to preserve historical data for long-term storage in a standard format.
• Reporting functionality should include active filtering to narrow the results in longer reports so that specific events can be identified.
• Reporting engines should facilitate the creation of completely ad hoc reports, similar to SQL queries, rather than just modify the parameters of predeveloped reports.
• Multiple chart types (such as pie charts and bar charts) should be supported, as well as summary data.
• Summary reports should include active links that allow drill-down into detailed reports, as well as back-navigation that makes it easy to return to the top-level view.
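Two of the 2.6 requirements, percentage compliance against one configuration policy trended over time and the one-click drill-down from a trend point to the hosts behind it, are a pair of queries over a status table. The added example below shows both over an in-memory SQLite store; it is not code from the Gartner guide or from any EPP reporting engine, and the endpoint_status table, hostnames, policy names and dates are constructed. Because the guide also asks for ad hoc, SQL-like reporting, the example binds every administrator-supplied filter as a parameter rather than interpolating it into the query text.

```python
"""Compliance-over-time report with drill-down, over an in-memory SQLite store.

Added example; not code from the Gartner guide or any EPP reporting engine.
The table, hostnames, policy names and dates are constructed.
"""
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE endpoint_status (
    reported_at TEXT    NOT NULL,  -- ISO date of the status report
    hostname    TEXT    NOT NULL,
    policy      TEXT    NOT NULL,  -- configuration policy being checked
    compliant   INTEGER NOT NULL   -- 1 = compliant, 0 = not compliant
);
"""

# Constructed sample reports: four hosts over three days for one policy, plus a
# second policy to show that the report filters by policy correctly.
SAMPLE_ROWS = [
    ("2009-06-01", "ws001", "disk-encryption", 1),
    ("2009-06-01", "ws002", "disk-encryption", 1),
    ("2009-06-01", "ws003", "disk-encryption", 0),
    ("2009-06-01", "ws004", "disk-encryption", 0),
    ("2009-06-02", "ws001", "disk-encryption", 1),
    ("2009-06-02", "ws002", "disk-encryption", 1),
    ("2009-06-02", "ws003", "disk-encryption", 1),
    ("2009-06-02", "ws004", "disk-encryption", 0),
    ("2009-06-03", "ws001", "disk-encryption", 1),
    ("2009-06-03", "ws002", "disk-encryption", 1),
    ("2009-06-03", "ws003", "disk-encryption", 1),
    ("2009-06-03", "ws004", "disk-encryption", 1),
    ("2009-06-01", "ws001", "firewall-enabled", 0),
    ("2009-06-01", "ws002", "firewall-enabled", 1),
]


def open_sample_db() -> sqlite3.Connection:
    """Create the constructed status table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO endpoint_status VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def compliance_trend(conn: sqlite3.Connection, policy: str) -> List[Tuple[str, float]]:
    """(day, percent compliant) for one policy, oldest day first."""
    # The policy name is bound as a parameter, never formatted into the SQL, so a
    # filter typed into an ad hoc report cannot alter the query itself.
    rows = conn.execute(
        """
        SELECT reported_at, ROUND(100.0 * SUM(compliant) / COUNT(*), 1)
        FROM endpoint_status
        WHERE policy = ?
        GROUP BY reported_at
        ORDER BY reported_at
        """,
        (policy,),
    ).fetchall()
    return [(day, float(pct)) for day, pct in rows]


def noncompliant_hosts(conn: sqlite3.Connection, policy: str, day: str) -> List[str]:
    """Drill-down behind one trend point: the hosts that failed the policy that day."""
    rows = conn.execute(
        """
        SELECT hostname FROM endpoint_status
        WHERE policy = ? AND reported_at = ? AND compliant = 0
        ORDER BY hostname
        """,
        (policy, day),
    ).fetchall()
    return [hostname for (hostname,) in rows]


if __name__ == "__main__":
    db = open_sample_db()
    for day, pct in compliance_trend(db, "disk-encryption"):
        failing = noncompliant_hosts(db, "disk-encryption", day)
        print(f"{day}: {pct:5.1f}% compliant, failing: {failing}")
```

The same two queries serve both report shapes the guide distinguishes: run once they are a "point in time" report, run on a schedule against the latest day they feed the dashboard tile, and the drill-down query is what the one-click link from that tile executes with the day and policy already filled in.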