RSAC 2010 Guide: Endpoint SecurityBy Mike Rothman
The fun is just beginning. We continue our trip through the Securosis Guide to the RSA Conference 2010 by discussing what we expect to see relative to Endpoint Security.
Anti-virus came onto the scene in the early 90’s to combat viruses proliferated mostly by sneakernet. You remember sneakernet, don’t you? Over the past two decades, protecting the endpoint has become pretty big business, but we need to question the effectiveness of traditional anti-virus and other endpoint defenses, given the variety of ways to defeat those security controls. This year we expect many of the endpoint vendors to start espousing “value bundles” and alternative controls such as application whitelisting, while jumping on the cloud bandwagon to address the gap between claims and reality.
What We Expect to See
There are four areas of interest at the show for endpoint security:
The Suite Life: There are many similarities between current endpoint security suites and office automation suites in the early part of the decade. The applications don’t work particularly well, but in order to keep prices up, more and more stuff you don’t need gets bundled into the package. There is no end to that trend in sight, as the leading endpoint agent companies have been acquiring new technologies (such as full disk encryption and DLP) to broaden their suites and maintain their price points. But at the show this year, it’s reasonable to go to your favorite endpoint agent vendor and ask them why they can’t seem to “get ahead of the threat.” Yes, that is a rhetorical question, but we Securosis folks like to see vendors squirm, so that would be a good way to start the conversation. Also be on the lookout for the folks offering “Free AV” and talking about how ridiculous it is to be paying for AV nowadays. Just be aware, the big booths with the Eastern European models don’t come cheap, so they will get their pound of flesh in the form of management consoles and upselling to more full-featured suites (which actually may do something).
The Cloud Messiah: Endpoint vendors aren’t the only ones figuring the ‘cloud’ will save them from all their issues, but they will certainly be talking about how integrating malware defenses into the ‘cloud’ will increase effectiveness and keep the attackers at bay. This is another game of three-card monty, and the endpoint vendors are figuring you won’t know the difference. After you’ve asked the vendor why they can’t stop even simplistic web attacks or detect a ZeuS infection, they’ll probably start talking about “shared intelligence” and the great googly-moogly malware engine in the sky. At this point, ask a pretty simple question: “How do you win this arms race?” With 2-3 million new malware attacks happening this year, how long can this signature-based approach work? That should make for more interesting conversation.
Control Strategies: Given that traditional anti-virus is mostly useless against today’s attacks, you are going to hear a number of smaller application whitelisting vendors start to go more aggressively after the endpoint security companies. But this category (along with USB device control technology) suffers from a perception that the technology breaks applications and impacts user experience. As with every competitive tete-a-tete, there is some truth to that argument. So challenge the white listing vendors on how they impact the user experience (or don’t) and can provide similar value to an endpoint security suite (firewall, HIPS, full disk encryption, etc.).
Laptop Encryption: You’ll likely also be hearing about another feature of most of the endpoint suites: full disk encryption (FDE). There will be lots of FUD about the costs of disclosure and why it’s just a lot easier to encrypt your mobile devices and be done with it. For once, the vendor mouthpieces are absolutely right. But this brings us to the question of what features you need, whether FDE should be bundled into your endpoint suite, and how you can recover data when users inevitably lose passwords and devices are stolen. So if you have mobile users (and who doesn’t?), it’s not an issue of whether you need the technology – it’s the most effective way to procure and deploy.