

The traditional security point product

Sunday, May 4, 2008, 22:27

The traditional point product antivirus, anti-spyware and personal firewall markets have been eclipsed by broader suites of related security technologies, which Gartner has labeled the endpoint protection platform (EPP). Basic component technologies in EPP suites include antivirus, anti-spyware, a host-based intrusion prevention system (HIPS) and a personal firewall. Advanced EPP suites will include network access control (NAC) and data protection technologies, such as data loss prevention (DLP) and full-disk encryption. The requirements for holistic NAC solutions and the demanding management needs of large enterprises are also forcing EPP suites to replicate some PC configuration life cycle management tasks, such as security configuration management, asset discovery, patching and software management. By combining multiple co-related technologies into a single management framework, EPPs have the promise of increasing security while lowering complexity, cost and administrative overhead.

Spyware and virus threat databases and scan engines have largely merged into a single signature-based anti-malware agent. Although there are subtle differences in the speed and detection rates of anti-malware databases, this component is largely viewed as a commodity by buyers. Even the best signature databases can miss in-the-wild threats 2% to 10% of the time, and most have less than a 50% chance of catching completely new threats. Signatures are extremely ineffective against targeted threats and “zero day” threats. HIPS and personal firewalls are increasingly critical to improve overall security. The convergence of these functions into a common management framework should increase the adoption of HIPS and desktop personal firewalls.

Enterprise interest in stand-alone personal firewalls has declined considerably, both because the capability of EPP suite firewalls has improved and because Microsoft’s entry-level personal firewalls are already included with Windows. Security-conscious enterprises want more-advanced firewall functionality, at least for their mobile population.

Advanced features that define more-visionary firewalls include:

  • Audit capabilities and protections to ensure that the firewall policy is active
  • Detailed event logs
  • Verified updates to firewall settings
  • Coordinated use of firewall in conjunction with malware protection for the rapid defense of unpatched vulnerabilities
  • Wireless firewall policies, such as enforcing one active network interface card (NIC) to avoid LAN-to-wireless-LAN bridges
  • Firewall policies applied locally to application network traffic and rights management
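The "one active NIC" policy in the list above can be audited from interface state. The following is an added example, not code from the original article or from any EPP product: it parses constructed `ip -br link` output from a Linux endpoint and reports when a wired and a wireless interface both have carrier. The sample data and the name-prefix classification (`wl*` wireless, `en*`/`eth*` wired) are assumptions.

```python
import re

# Constructed samples of `ip -br link` output (not captured from a real host).
SAMPLE_DUAL_HOMED = """\
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
enp3s0           UP             52:54:00:aa:bb:01 <BROADCAST,MULTICAST,UP,LOWER_UP>
wlp2s0           UP             52:54:00:aa:bb:02 <BROADCAST,MULTICAST,UP,LOWER_UP>
"""
SAMPLE_DOCKED = """\
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
enp3s0           UP             52:54:00:aa:bb:01 <BROADCAST,MULTICAST,UP,LOWER_UP>
wlp2s0           DOWN           52:54:00:aa:bb:02 <NO-CARRIER,BROADCAST,MULTICAST,UP>
"""

# name, operational state, MAC address, <flags>
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+<([^>]*)>")

def classify(name):
    # Assumption: predictable interface names identify the medium.
    if name.startswith("wl"):
        return "wireless"
    if name.startswith(("en", "eth")):
        return "wired"
    return "other"

def active_interfaces(ip_br_link_output):
    """Return [(name, kind)] for non-loopback links that are UP with carrier."""
    active = []
    for line in ip_br_link_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        name, state, _mac, flags = m.groups()
        flagset = set(flags.split(","))
        if "LOOPBACK" in flagset:
            continue
        if state == "UP" and "LOWER_UP" in flagset:
            active.append((name.split("@")[0], classify(name)))
    return active

def audit_single_nic(ip_br_link_output):
    """Return (compliant, findings) for the one-active-NIC policy."""
    active = active_interfaces(ip_br_link_output)
    kinds = {kind for _, kind in active}
    findings = []
    if len(active) > 1:
        findings.append("multiple active interfaces: " + ", ".join(n for n, _ in active))
    if {"wired", "wireless"} <= kinds:
        findings.append("wired and wireless both active: LAN-to-WLAN bridge risk")
    return (not findings, findings)

if __name__ == "__main__":
    print(audit_single_nic(SAMPLE_DUAL_HOMED))
```
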

Organizations should evaluate EPP firewalls and plan to phase out stand-alone personal firewall solutions.

HIPS technologies are critical to secure endpoints from more-evasive, targeted and zero-day threats. Advanced HIPS solutions use various protection styles to provide layers of defense at endpoints, including:

  • Protocol anomaly detection
  • Deep-packet inspection for known network attack signatures or vulnerability attack signatures
  • Simulation of potentially malicious code before it executes by using static analysis, code simulation or virtual machines
  • Genetic heuristics, which is the use of broad signatures to detect variants using common malware family characteristics
  • Comprehensive buffer overflow and program flow control protection
  • Advanced application control to determine which applications are allowed to execute and to restrict system resource access
  • “Sandboxing” and other virtualization techniques to inspect and isolate potentially malicious code from causing damage to the endpoint
  • Behavior-based analysis of executing code to determine whether it is behaving maliciously and providing the capability to undo the damage and remove the malware

Visionary HIPS solutions must enable selection and configuration/tuning to balance the security level, transparency to end users and administration overhead. Solutions should provide preconfigured out-of-the-box templates for common application and system configurations, as well as a learning mode for custom applications.

The management capability of EPP suites is a substantial differentiator. Simply maintaining the security status for large PC fleets that are increasingly mobile for long periods of time is difficult. As NAC becomes an integrated feature of EPP suites, management capability has been forced to expand from simply maintaining the security posture of the EPP components to checking the security configuration, software inventory and patch levels. The new EPP management consoles are beginning to add PC configuration life cycle management capabilities to ensure the security and integrity of clients. Meanwhile, some PC life cycle operations vendors are starting to add defensive security tools to their offerings. These two markets will continue to slowly converge, although it will not be until after 2010 that a significant percentage of the market will buy completely integrated tools from a single vendor.

Market Definition/Description

Enterprise antivirus, anti-spyware, personal firewall and desktop HIPS products make up the majority of endpoint security spending. The combined revenue of these segments was more than $2.2 billion in 2005, and we anticipate that the EPP market will grow to nearly $3.6 billion by 2010.

This market is still dominated by the market share of the big three traditional antivirus vendors (McAfee, Symantec and Trend Micro), which represent roughly 85% of the market share. However, many nimble vendors are beginning to challenge the status quo with innovative EPP solutions and a higher level of customer focus.

Microsoft’s impact on the enterprise market is still nascent; however, we expect it to have a growing market share, starting primarily in Microsoft-centric SMBs.

Despite the introduction of new players, the displacement of incumbents is still a significant challenge. The biggest impact of the challengers and visionaries is to push the dominant players in the market to invest in new features and functionality and to keep pricing rational.
