ENDPOINT PROTECTION Understanding the Challenges and Evaluating a Solution

Transcription

1 ENDPOINT PROTECTION Understanding the Challenges and Evaluating a Solution A Paper Sponsored by Microsoft Author: Martha Vazquez, Network Security Analyst

2 TABLE OF CONTENTS TABLE OF CONTENTS Introduction 3 The Challenging Security Landscape 3 A Look at the Evolution and History of Endpoint Security 6 Current Business Security Challenges 7 Administration Challenges 7 Implementation Challenges 8 Effectiveness 8 Operational Complexities 8 Total Cost of Ownership (TCO) 9 The Viewpoint 9 About Microsoft Forefront Client Security 10 Unified Protection 10 Simplified Management 11 Reporting and Visibility 12 Overall Performance and Effectiveness 12 Reduced Total Cost of Ownership (TCO) 15 Conclusion 15 2

3 INTRODUCTION As security threats continue to increase and become more sophisticated, IT administrators are faced with the challenge of protecting all endpoints on the network while keeping dayto-day business processes running effectively in an organization. The implementation of security technologies to fight current threats is important, but the management of these technologies must also be easy and straightforward. IT administrators must alleviate the volume of threats in the enterprise caused by remote workers, partners, and external and internal employees. One of the most significant challenges for IT administrators is the constant flux of the security environment, which can be exacerbated by a lack of administrative resources to effectively manage security technologies. Installing a security solution can be especially difficult if productivity is affected as a result of a slow implementation process. A simplified and integrated solution can help IT administrators minimize the burden that most organizations face when implementing a security technology. Some of the business challenges faced today as a result of the evolving security landscape include problems with implementation, administration, effectiveness, and operational complexities. Microsoft Forefront Client Security (FCS) can help alleviate these challenges because of its unified protection, simplified administration, and comprehensive reporting capabilities. Microsoft Forefront Client Security proves to help reduce Total Cost of Ownership (TCO) through enhancement of performance measures. In addition, independent reviews from AV-Test.org and West Coast Labs, as well as a survey from Value Prism Consulting, prove that when using FCS, IT administrators are able to concentrate on business objectives while security challenges are reduced. THE CHALLENGING SECURITY LANDSCAPE The security landscape has changed dramatically in the past five years. In the past, hackers developed attacks for fun and recognition, but the paradigm has shifted away from pranks and now embraces hacking for profit. Hackers are increasingly involved in international organized crime and as a result, attacks have become more focused on obtaining specific types of data. Thus, threats are more advanced, application-oriented, and frequent. An example of the security threat landscape can be seen in the December 2007 Security Intelligence Report from Microsoft. The research offers an in-depth perspective on unwanted malicious and vulnerability software trends including the following statistics: The second half of 2007 showed a 15% decline in new vulnerability disclosures, but high severity vulnerabilities continue to increase. Malicious software has become a tool used by skilled criminals to target millions of computer users worldwide. 3

4 Once largely an -based phenomenon, the number of phishing attempts on social network sites is increasing million pieces of potentially unwanted software were detected between July 1 and December 31, 2007, resulting in 71.7 million removals. These figures represent increases of 66.7% in total detections and 55.4% in removals over the first half of Adware remained the most prevalent category of potentially unwanted software in the second half of 2007, increasing by more than 66%, from 20.6 million detections to 34.3 million detections. Although the number of reported vulnerabilities decreased in 2007, Internet threats from adware and phishing attempts continue to rise. Prevalent applications such as operating systems and mainstream software were targeted less, and the focus has shifted to customized, in-house applications or web applications. This has attracted the attention of hackers mainly due to the shift in focus in traditional network security. Phishing and adware attacks continue to remain a popular route to attack individuals, and the use of social network websites is an increasing threat to organizations. High severity vulnerabilities continue to increase and account for approximately 67% of all reported vulnerabilities. Chart 1.1 shows the number of vulnerabilities reported from the World Vulnerability Research Market study reported by quarter for the period Chart 1.1: Number of Vulnerabilities Reported (Global) Number of Vulnerabilities Years by Quarter Note: All figures are rounded; the base year is Source: 4

5 Chart 1.2 shows the world vulnerability research market by severity in 2006 and Chart 1.2: Global Vulnerabilities Reported for 2006 and 2007 by Severity Number of Reported Vulnerabilities High Medium Low Type of Severity Note: All figures are rounded; the base years are 2006 and Source: As the security landscape continues to evolve, it presents difficult challenges for IT administrators who are charged with protecting client data from numerous advanced threats. While doing this, they are challenged by the changing workforce that requires access to information from multiple endpoints. As a result, IT administrators must work in a proactive rather than reactive mode. This can be particularly difficult since organizations are increasingly in a position where employees utilize technologies that the organization is not ready to support. At the same time, IT administrators have to be able to allow access to corporate information and manage all the endpoints effectively. To protect critical information from attacks, organizations have rushed to implement several infrastructure silos such as anti-malware, anti-spyware, firewalls, and network access control (NAC). The implementation and management of these siloed solutions has significantly increased operational complexity for IT administrators. Another challenge that IT administrators continually face is the increased need for compliance within regulatory environments. As attacks become more sophisticated, organizations are forced to find new ways to protect consumer and financial information. To achieve that goal, it becomes necessary to secure all endpoints from data corruption or from data loss, while also managing the systems on a daily basis in a manner that provides wide visibility into the managed systems. 5

6 A LOOK AT THE EVOLUTION AND HISTORY OF ENDPOINT SECURITY The endpoint security market has evolved as a result of new threats, but it has also resulted in confusion for IT administrators. In the 1990 s, anti-virus software emerged in response to malware and evolved to include endpoint security. The first virus appeared in the 1980 s followed by worms, macro viruses, and spyware. Polymorphic viruses soon appeared and anti-virus vendors had to address threats at the application layer versus the operating system. Behavior techniques were addressed over signature-based applications. In 2005 botnets arose on a rapid global scale and provided the tools that propelled a dramatic increase in cyber crime. As complex threats and attacks continued to rise; the endpoint security market emerged to combat the newer and more sophisticated threats. With the increasing complexity of threats, systems can be infected by a variety of malware, namely: Bots through spyware and adware, bots install malware on a computer and use it as their zombie to send spam or attack other computer systems. Phishing through adware or spyware, people are directed to malicious sites that look legitimate, such as a small bank or social networking site. Criminals have been found to target smaller, less-popular sites with data-theft (phishing) scams. However, large companies are becoming tougher and riskier to target as they are responding quickly to phishing attempts by providing increased security. Drive-by Download sites hosting exploits can install adware, spyware, bots, or other malware without the knowledge of the computer user. Drive-by downloads can happen simply by visiting the wrong website, viewing an message, or by clicking on a deceptive popup window. Spam spam can be used to seed malware or spyware directly as an attachment, or point the user to a site hosting an exploit to do the same. Today s most common malware attacks include: phishing, botnets, instant messaging, online gaming, windows vulnerabilities, and adware. Security vendors have implemented various technologies to protect against malware, but have also increased the level of confusion among IT administrators needing to manage the endpoint security network. Thus, a more holistic approach to endpoint security is needed that will continue to protect and manage an organization s network, while simplifying the management of the solution. Chart 1.3 shows the various technologies included in endpoint security. 6

7 Chart 1.3: Various Technologies Included in Endpoint Security Antivirus Data Leakage Prevention (DLP) Antispyware Application and Device Control Host Intrusion Prevention System (IPS) AntiSpam Endpoint Security Firewall Anti Phishing Network Access Control (NAC) Back Up Storage Source: IT administrators continue to be frustrated by the wide variety of threats that they must be prepared for and as they try to implement multiple technologies to protect endpoints on the network this proposes several strategic business challenges. CURRENT BUSINESS SECURITY CHALLENGES Administration Challenges The demands for IT administration to protect all endpoints on the network while maintaining usefulness of the endpoints as flexible business tools can be challenging. One has to wonder how this can be done as IT administrators face numerous challenges on a daily basis due to drastic increases in the administration workload over the past 15 years. IT objectives have also changed from the time when a basic security perimeter could protect an organization from most threats. Today, a basic security perimeter is merely the starting point for the IT administrator who not only deals with concentric circles of security, but also with regulatory compliance, as well as complex and hidden internal and external threats. As technology development continues to advance at a rapid pace, the recommended list of technologies to deploy for endpoint security is growing and keeping up with the changes is a daunting task. Implementing a variety of technologies for each endpoint can be timeconsuming and the availability of IT personnel to perform the implementation is frequently a concern. A solution that requires fewer time-consuming tasks and provides better 7

8 manageability of the various endpoint security technologies could help organizations better utilize limited numbers of IT personnel, while also increasing endpoint security. Implementation Challenges Many organizations struggle to implement adequate security measures and the challenge becomes even greater at large organizations with tens of thousands of users. While organizations understand the importance of implementing endpoint security technologies, they continue to be challenged by the negative impact on productivity, IT complexity, and operational costs associated with the need to implement security solutions from multiple vendors at different times. The implementation of client security solutions can cause fragmentation of security technology as a result of too many point products, poor interoperability, and lack of integration, which makes it difficult to respond to threats accordingly. Since many security solutions have their own management infrastructure, related management costs can be ongoing. Implementation of the various silos should be easily achieved without forgoing security. For these reasons, a holistic, multilayered defense and in-depth security approach will help reduce risk and better manage a network infrastructure. Effectiveness An effective security solution must address the evolving security landscape that consists of blended threats and zero-day threats. As threats continue to evolve, the ideal endpoint security solution for an organization needs to be one that does not slow performance and can deal effectively with certain types of malware. When malware is found, a user with an ineffective solution will suffer disruption in work, thus inhibiting productivity. An ineffective endpoint security solution can cause IT administration frustrations if it uses high system resources usage and slow boot times. With an effective solution, a user should not suffer from increased system lag when performing day-to-day operations on their office machine. Moreover, administrators can focus on critical business objectives, productivity enhancement, and reducing operational costs. Operational Complexities Anti-virus, anti-spyware, NAC, and other security solutions help protect an organization from threats, but managing multiple solutions for all endpoints that connect to the network remains a difficult task. Implementing several management consoles, each of which are responsible for running different policies and reports, can be overly complex and difficult to manage effectively. Ideally, the administrative control used by IT departments should reduce complexity and costs related to deploying multiple security solutions. 8

9 Total Cost of Ownership (TCO) The effects of using an inefficient solution can, over time, significantly increase overhead costs in the IT department and negatively impact employee productivity across the organization. Common organizational problems include: Reduced employee productivity as a result of slow application performance and downtime, Increased administrative overhead costs as a result of managing multiple endpoints, consoles, and reports, Increased risk of losing business-critical information, and Increased cost of infrastructure investments. Organizations can be negatively impacted by one or all of these problems if an adequate security endpoint solution fails to address all of the issues listed above. THE FROST & SULLIVAN VIEWPOINT believes there are a few guidelines that should be followed in order to help address endpoint security challenges in the enterprise. To begin with, an IT department needs to determine if the solution can provide the level of performance required to ensure that business applications run smoothly. If the product does not match specific business needs, it is not worth purchasing. The next important step is to determine if the endpoint solution can be easily managed and integrated with existing infrastructure software. Finally, the solution should provide IT administrators with insight into a system by permitting detailed reports on specific clients in order to focus on what is important. As increasing importance is placed on performance, speed, and accuracy of endpoint security, finding and implementing a solution that addresses these factors can be critically important. Some solutions can reduce system performance as a result of high CPU usage. During peak working hours, it is important that system resources are minimally impacted. System lags can also be detrimental when performing day-to-day operations; when malware is found, the user should experience minimal disruption to his or her work. Accuracy rates are increasingly important as they effectively detect viruses, which will enable faster response times. As threats continue to grow in size, a solution that consistently achieves accurate catch rates can easily reduce false positives and therefore enhance the effectiveness of a system. Security management and reporting continues to be a challenging drain on IT administrator time, organizational costs, and employee productivity. Real-time reporting allows immediate identification of current threats that require prompt attention. A solution that addresses these challenges can alleviate the complexities involved in deploying and managing various silos into the infrastructure. believes that Microsoft Forefront Client Security fits the needs of organizations seeking a simplified solution that addresses a variety of endpoint security problems faced by administrators. Microsoft Forefront Client Security 9

10 offers an integrated, comprehensive, and simplified solution that can be easily integrated into existing infrastructure software and widens an administrator s visibility and control of the network. It requires less memory and uses fewer resources, while simultaneously improving protection against advanced threats. Through the use of Forefront Client Security, administrators are able to eliminate administrative overhead through a single, easy-to-use management console. ABOUT MICROSOFT FOREFRONT CLIENT SECURITY Microsoft Forefront Client Security improves endpoint security and enhances productivity while minimizing operational costs. The solution includes unified protection from viruses and spyware for the client and server operating system. It also simplifies administration through a central management console, includes visibility and control of security reports, and also protects worker productivity across an enterprise. Unified Protection Forefront Client Security offers unified malware protection for business desktops, laptops, and server operating systems by providing an integrated anti-virus and anti-spyware engine to scan endpoints in real time. Advanced protection is accomplished through a variety of technologies including static analysis and emulation, heuristics, tunneling signatures, advanced system cleaning, and event flood protection. According to independent research conducted by AV-Test.org, Forefront Client Security is greatly effective against malware and its detection rates are extremely competitive. AV-Test.org found that Microsoft had a detection rate of 96.1% in November 2007 and in March 2008, the detection rate increased to 97.9%. Chart 1.4 details the malware detection rates of various vendors according to AVTest.org in November Chart 1.4: Analysis of the Effectiveness of Malware Detection Rates of Various Vendors, November 2007 Source: AV-Test.org 10

11 Chart 1.5 details the malware detection rates of various vendors according to AV-Test.org in March Chart 1.5: Analysis of the Effectiveness Malware Detection Rates of Various Vendors, March 2008 Source: AV-Test.org The detection rates clearly show that Forefront Client Security is very competitive in its ability to effectively detect malware. Simplified Management Forefront Client Security offers simplified management that allows enterprise-wide policy deployment through a single management console. The ability to offer a solution that easily integrates into other Forefront security solutions enhances administrators control. One policy is used to manage client protection agent settings such as scan schedules, signature update frequency, security state assessment settings, and alert levels. Forefront Client Security can also configure alerts, specifying the type of alert, level control type, and volume. Alerts alone will notify administrators of high-priority incidents including malware detection, a failure to remove malware, a malware outbreak, and if malware protection has been disabled. Through this simplified management, organizations can use fewer personnel resources to manage security issues and help desk calls. When organizations need to implement over 10,000 multiple client security users in the enterprise, implementing the Forefront Client Security Enterprise Manager eases the administration load. Through Enterprise Manager, IT administrators can centrally manage multiple client security deployments easily in the enterprise environment. Enterprise Manager consists of several main features including: Aggregation of reporting and alerting information from multiple client security deployments. Aggregated information is viewable in a single console and reports are generated from the aggregated information. 11

12 A single location for management of client security policies. A single location for initiation of enterprise-wide, anti-malware scanning. Reporting and Visibility The management console provides one dashboard visibility into threats and vulnerabilities across the organization. Insightful, prioritized reports can be produced that provide administrators better control over malware threats. The dashboard provides a snapshot of the current malware security status using real-time data and current malware trends. Reports also allow administrators to drill down to critical information and gather additional details such as which machine on the network has a malware problem. Through security state assessment, scanning alerts provide detailed reports that will summarize which PCs have not had the latest security patches and/or have not connected to the network recently. This assessment reporting can answer questions related to compliance, vulnerability trends, and risk. Overall Performance and Effectiveness Unlike other endpoint security solutions, Microsoft Forefront Client Security offers a solution that provides adequate performance measures. According to a study by West Coast Labs, a series of performance benchmarking tests and metric-based process evaluations found that Microsoft Forefront Client Security had the best performance on average. The products tested included: Microsoft Forefront Client Security Trend Micro OfficeScan Client/Server edition Symantec Endpoint Protection McAfee VirusScan Enterprise The objective of the test was to determine performance measures of Microsoft Forefront against market leaders such as Symantec and McAfee. Testing was performed from a network of Microsoft Windows Vista Business Ultimate clients and a Windows 2003 server. According to West Cost Labs, the Microsoft Forefront Client Security installation routine was both rapid and informative, providing a reasonable degree of customization. The results show that scanning times were faster than the average value for other vendor solutions being tested. There was a lack of impact on client system resources, which enabled increased efficiency in productivity. In addition, when malware was found, much of the reporting was processed on the server(s). The immediate benefit of this feature, and not found in the other solutions tested, was that the user experiences minimal work disruption. Charts 1.6 and 1.7 show the rankings based on the average results for the four endpoint security solutions test, with the best performing product shown first. 12

13 Chart 1.6 provides a performance comparison study by West Coast Labs of servers and clients of Microsoft Forefront Client Security against current competitive products. Chart 1.6: Microsoft Forefront Client Security vs. Legacy Competitive Products Product Name/ Capability Memory Footprint 1 Microsoft Forefront Client Security McAfee Active VirusScan with epo Symantec Corporate AntiVirus 10.2 TrendMicro OfficeScan Client/Server 7.3 Server 56.5 Mbs 42.2 Mbs 58.6 Mbs 52.3 Mbs Client 57.9 Mbs 40.5 Mbs 66.3 Mbs 20.2 Mbs Avg Usage, CPU & Memory 2 % Server Avg 2.0% 20.4% 30.5% 0.4% % Client Avg 11.1% 3.2% 29.4% 10.1% Boot time 4.5% Avg increase 45% avg increase 62% avg increase 3.2% avg increase increase 3 Scanning time (quick, full) Network 1 (Avg) min min min min Network 2 (Avg) min min min min AV-Test.org (March 2008) 4 % malware detected in 1+ M sample size 97.8% 95.6% 95.7% 98.7% Source: AV-Test.org, West Coast Labs 1 Blank scan, new network 2 Blank scan, network 2 3 Post-installation 4 Test of consumer anti-virus products using a malware sample covering approximately the last three years. 13

14 Chart 1.7 shows a performance comparison conducted by West Coast labs of infected and uninfected clients of Microsoft Forefront Client Security against latest competitive products. Chart 1.7: Microsoft Forefront Client Security vs. Latest Competitive Products Product Name/ Capability Microsoft Forefront Client Security McAfee VirusScan Enterprise Symantec EndPoint Security Trend Micro OfficeScan Client/Server edition Memory Footprint 5 Client uninfected 522 Mbs 492 Mbs 536 Mbs 521 Mbs Client- infected 495 Mbs 538 Mbs 593 Mbs 590 Mbs Avg Usage and CPU Memory 6 %Client uninfected 79.9% 82.96% 82.37% 67.37% %Client- infected 81.6% 77.73% 88.56% 81.2% Scanning time (quick, full) Uninfected client min min min min Infected client min min min min Application Startup time Starting Word sec 3.4 sec sec sec With No AV Starting IE 2.6 sec 3.75 sec 3.6 sec 2.3 sec With no AV AV-Test.org (March 2008) 7 % malware detected in 1+ M sample size 97.8 % 95.6% 95.7% 98.7% Source: AV-Test.org, West Coast Labs Key findings from the study show that on average, Microsoft Forefront Client Security benefits include: Less system resource usage on clients Faster boot time for clients Faster quick scans Faster full scans Less CPU and memory usage on clients uninfected and infected Microsoft Forefront Client Security clearly shows that the solution will address strategic business objectives by enhancing productivity and simplifying administrative burdens. 5, 6, 7 Ibid page 12 14

15 Reduced Total Cost of Ownership (TCO) The overall effectiveness and performance measure of Microsoft Forefront Client Security enables the solution to affect significant total cost of ownership (TCO) reductions. According to a current TCO study performed by Value Prism Consulting on Forefront Client Security customers, noticeable savings and cost reductions were seen. Value Prism Consulting surveyed eight customers that switched to Forefront Client Security and measured TCO changes. According to the participants in the survey, many of these savings were a direct result of Microsoft Forefront Client Security unified protection, simplified administration, and enhanced visibility and control. Chart 1.8 shows the TCO highlights found from eight organizations that switched to Forefront Client Security. Chart 1.8: TCO Highlights TCO Highlights 85% average reduction in security issues 75% average security issue response time reduction $24.00 average annual TCO savings per desktop Overall, user downtime significantly reduced Source: Value Prism Consulting CONCLUSION As the endpoint security market continues to evolve, organizations will continue to face many strategic business challenges and IT administrators will need to implement layers of defenses that protect corporate data. An endpoint security solution that eases this complexity will enable administrators to focus on the core business objectives of the organization rather than spend increasing amounts of time and resources managing a complex matrix of siloed endpoint solutions. A solution that offers features such as simplified management, easy integration, enhanced performance, as well as visibility and control, will ensure that businesses continue to operate effectively. Microsoft Forefront Client Security addresses many of the business challenges related to implementation, administration, effectiveness, operation complexities, and TCO. With Forefront Client Security, the ability to offer unified protection with simplified management through enhanced reporting and visibility proves to be an effective enterprise endpoint protection solution. 15

16 Silicon Valley 2400 Geng Road, Suite 201 Palo Alto, CA Tel Fax San Antonio 7550 West Interstate 10, Suite 400, San Antonio, Texas Tel Fax CONTACT US London 4, Grosvenor Gardens, London SWIW ODH,UK Tel 44(0) Fax 44(0) Palo Alto New York 877.GoFrost San Antonio Toronto Buenos Aires São Paulo London Oxford Frankfurt Paris Israel Beijing Chennai Kuala Lumpur Mumbai Shanghai Singapore Sydney ABOUT FROST & SULLIVAN Based in Palo Alto, California, is a global leader in strategic growth consulting. This white paper is part of s ongoing strategic research into the Information Technology industries. regularly publishes strategic analyses of the major markets for products that encompass storage, management, and security of data. Frost & Sullivan also provides custom growth consulting to a variety of national and international companies. The information presented in this publication is based on research and interviews conducted solely by and therefore is subject to fluctuation. takes no responsibility for any incorrect information supplied to us by manufacturers or end users. This publication may not be downloaded, displayed, printed, or reproduced other than for noncommercial individual reference or private use within your organization, and thereafter it may not be recopied, reproduced or otherwise redistributed. All copyright and other proprietary notices must be retained. No license to publish, communicate, modify, commercialize or alter this document is granted. For reproduction or use of this publication beyond this limited license, permission must be sought from the publisher. For information regarding permission, write: 2400 Geng Rd., Suite 201 Palo Alto, CA , USA Tokyo