In 2010, there was broad acknowledgement that most of the endpoint protection deployed was more about passing PCI (yes, it’s still a requirement) than actually stopping attacks. Unfortunately, at the show we’ll continue to hear about all the advances happening in malware detection, and we’ll laugh again. The traditional signature-based model is broken, no matter how many clouds we see inserted into the mix. But with the AV cash cow continuing to moo uncontrollably, the industry will continue trying to convince customers to maintain their investments. So the real question is: who will show some type of innovation in terms of endpoint malware detection. Anyone? Anyone? Bueller? Bueller?

What We Expect to See

There are some areas of interest at the show for endpoint security:

  • You get what you pay for (or do you?): Given the clear issues around endpoint malware detection, we’ll be hearing a lot from the Free AV crowd. They’ll be talking about the hundreds of millions of folks who use the free engines, just before they try to upsell you to their paid offerings. The reality is that you need management, because these tools involve deploying software agents to many endpoints. But you should pay the least amount possible. So see who seems the hungriest on the show floor. If they aren’t foaming at the mouth, they likely aren’t hungry enough to win your business.
  • Cloudy with a chance of hyperbole: You will also hear a lot about cloud signatures and crowd sourcing to address the limitations of the traditional AV signature model. To be clear, moving a lot of signatures to the cloud is a good thing. But it’s not an answer. The model of matching bad stuff is still broken, and no amount of cloudy stuff will change that. The idea of crowd sourcing is interesting so check out the folks, like Sourcefire/Immunet and Webroot/PrevX, who are doing this in practice. Ask them how they shorten the window from the time an issue is discovered to distributing an update to the rest of the network. This is yet another option to keep the broken AV model running a bit longer.
  • AWL MIA: What you probably won’t see a lot of is application white listing (AWL). Why? Because the technology remains a niche. It is a core aspect of our Positivity security model, but both perception and reality are still slowing deployment of AWL. Not that the handful of vendors offering these solutions won’t be trying to make some noise. But they have no chance to stand out against the status quo, which represents billions in revenue and spends like drunken sailors at RSA. But this remains an important technology, so you should search out the vendors who offer it and learn how they are working to address the deployment and scaling issues.
  • Signs of the iPocalypse: You will see a lot of vendors giving away iPads and iPhones. Why not? If you don’t have one, you want one. If you already have one, you want another one. Or ten. But the reality is these devices are big, and consumerization is taking root. That means you need to figure out how to control them. OK, maybe not control, but at least manage. So check out the configuration management folks and those with specific mobile technologies to reign in the chaos. OK, maybe not reign in, but at least ensure that when they get lost (and they will), you won’t be in career jeopardy.
  • Man(ning) up: One of the other major stories in 2010 was WikiLeaks, spearheading by Bradley Manning, your friendly neighborhood data leaker. So you’ll hear a lot of vendors talking about the importance of controlling USB ports and doing content control/analysis on the endpoint. Try to figure out how they scale. Try to understand how they classify sensitive data and actually do anything without killing the performance of the endpoint. Yeah, it would be good to figure out whether and how they can play nice with any DLP/device control technologies you already have implemented.

We’ve hit the halfway point in our RSA Guide posts. I know you are waiting with baited breath for the Virtualization and Cloud section, but patience is a virtue. That post will be up later today.