By Stephen J. Bigelow, Features Writer
Security has grown far beyond the simple need for virus checking or intrusion defense. Today businesses of all sizes must guard against a laundry list of potential threats and attacks that cannot adequately be stopped at the network level. Software makers have responded by bundling security features into comprehensive packages -- integrated endpoint security suites -- that can be deployed on every system in the enterprise. Read on to learn more about these security suites and their capabilities, limitations, challenges and opportunities for solution providers and value-added resellers (VARs).
The basics of integrated endpoint security suites
There are two essential attributes of an integrated endpoint security suite product -- the "suite" and the "endpoint." First, you need to recognize that these products perform numerous security functions to protect your client against myriad threats. Typical suites include antivirus, antispyware, antispam, firewall and intrusion detection and prevention features. Other security suites build on this basic feature set with advanced capabilities such as Web filtering, VPN clients, vulnerability scanning, integrity monitoring, device control (aka drive access control) and even encryption. Most suites do not provide add-on components, so feature sets are normally fixed.
Second, these products are intended to protect the endpoints in your client's network rather than the network itself, so the target systems include laptops, desktops, workstations and servers. Implementing security at the endpoints fills a crucial gap in network security.
"There are certain security features that are extremely, if not completely, impossible to implement at the network level," said Andrew Plato, president of Anitian Corp., an enterprise security solution provider in Beaverton, Ore. "And there are certain types of traffic and behaviors that no amount of network scanning will ever detect." One example of a threat that network firewalls and intrusion protection features cannot stop is malicious code carried inside an encrypted channel (such as a VPN or HTTPS): the payload is opaque to network-level inspection and only becomes visible once it is decrypted on the endpoint.
Understanding integrated endpoint security suites
Integrated endpoint security suites have generally evolved from single security products. Most suites can trace their lineage back to early antivirus or firewall/intrusion products. For example, Symantec's Norton security suites evolved from early Norton AntiVirus products, while the BlackIce family from Internet Security Systems (now part of IBM) originated from intrusion prevention products. Over time, product developers recognized new threats and realized the need to add functionality. Developers responded by creating (or acquiring and integrating) new features into their respective suites.
Bundling multiple features into single software packages also simplifies installation at the client's site, reduces the number of software agents on client systems, and generally demands fewer system resources than individual security products. However, the quality and performance of each feature can vary between manufacturers, so a suite that originated from antivirus tools may be stronger in signature-based detection techniques than one that arose from intrusion protection. VARs must weigh the strengths of each suite against the needs of their clients.
The nature of endpoint security suites has also evolved over time to reflect the transient nature of mobile or remote network users. For example, mobile workers may connect their laptop to a remote location and contract a virus or spyware. Similarly, the remote user may not be connected to the corporate network when essential patches or updates are pushed out -- posing potential vulnerabilities when they do reconnect.
"Who knows where it's been plugged in and tied to and what's happened to it and what's been loaded on it?" said Adam Gray, chief technology officer of Novacoast Inc., an IT professional services and product development company in Santa Barbara, Calif. "As [a mobile device] comes back in, you need a way to show compliance." Network access control (NAC) functionality checks patch requirements, antivirus signatures, firewall settings and other critical security issues before allowing the mobile user back into the greater network. In effect, NAC really protects the other network users rather than the mobile user.
In addition to access control, integrity monitoring and device control are emerging as important security features. Integrity monitoring watches for changes to files on the system disk and alerts when an attempt is made to alter or replace critical files. Device control manages which USB devices a user is able to connect, restricting or blocking USB hard drives, thumb (flash) drives and other USB devices that may contain infected files or be used to steal corporate data.
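The integrity-monitoring feature described above is, at its core, a comparison of the files on disk against a known-good baseline. The following is an added illustration of that technique, written for this page; it is not code from any of the suites or vendors mentioned. It records a SHA-256 digest for every file under a directory, then reports files that were added, removed or modified since the baseline was taken. The directory tree and file contents in demo() are constructed for the example.

```python
"""Added example: a minimal file integrity monitor (baseline-and-compare).
Not vendor code; the sample files in demo() are constructed for illustration."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of a file, read in chunks so large
    binaries do not have to be loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (as a POSIX-style relative path)
    to its digest. This is the 'known-good' snapshot that would be stored
    somewhere the monitored host cannot rewrite it."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline, current):
    """Diff two snapshots and return the files that appeared, disappeared,
    or whose contents changed. Each list is sorted so output is stable."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline if name in current and baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a small constructed tree, snapshot it, change it, and report.
    Returns the comparison result so it can be checked programmatically."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"constructed-binary-contents")

        baseline = build_baseline(root)

        # Simulated changes after the baseline: one file edited, one removed,
        # one new file that was not present when the snapshot was taken.
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n192.0.2.10 example\n")
        (root / "bin" / "tool").unlink()
        (root / "bin" / "newfile").write_bytes(b"constructed-new-contents")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "removed", "modified"):
        for name in report[kind]:
            print(f"{kind:9s} {name}")
```

Two points the suite feature hides from the user but that matter when evaluating it: the baseline is only trustworthy if it is kept where a compromised endpoint cannot silently rewrite it (read-only media or a management server), and a digest-only comparison says nothing about who changed the file or why, so a real product pairs this check with an allow-list of expected changes (patch windows, software installs) to keep the alert volume manageable.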
The pros and cons of selling integrated endpoint security suites
As security suites mature and their features become more sophisticated, VARs are finding it easier to sell the products to their clients. Traditional core security features like antivirus scanning and firewalls are now being overshadowed by advanced security features like device control and network access control. Clients are more aware of the need for advanced security features, and VARs can sometimes match security features to the regulatory compliance requirements of their specific vertical markets.
"The customers are coming to us and saying, 'Come talk to me about NAC' or 'How would you deploy device control in my environment?'" Gray said. "The last several years of that [vendor security] message changing have greatly influenced our ability to up-sell additional services and pieces on top of those [traditional] security areas."
The biggest problem with integrated endpoint security suites is the low profit margin. In spite of the universal need for endpoint security, suites and their annual update subscriptions are highly commoditized and very competitive, leaving precious little product sales revenue for the VAR. Your real revenue will come from services like deployment site analysis and preplanning, installation, configuration and management tasks. Endpoint management can be significantly more demanding and time-consuming than network device management -- the demands are multiplied by each feature that is deployed.
"[Clients] don't provide the resources to keep an eye on [endpoint security] infrastructure," Plato said. "They push it out there, they deploy it, and then it just withers and dies and starts to rot." Overwhelmed clients eventually ignore management and don't respond to security events. This offers a significant opportunity for VARs with a security staff that is savvy enough to provide ongoing security management or other professional services.
Solution providers can also be challenged to recommend the right security suite for their clients. For example, VARs like Plato and Gray urge caution when matching clients to integrated endpoint security suites. They cite a lack of maturity and poor integration of some features -- often in code bases that a developer acquires and cobbles into their existing suite. Poor integrations can easily lead to performance issues, and code that isn't optimized can cause an unnecessarily large memory footprint (known as "code bloat") on endpoint systems.
Remember that even when a security suite is well coded and properly integrated, each feature makes the software suite bigger, requiring more memory and processing power from the host system. This proliferation of security features only makes sense if your client is actually going to use them, so there may be circumstances when it is more efficient to use multiple separate security products that address the client's core security needs rather than a single ubiquitous security suite that installs features that won't be implemented. Still, solution providers like Gray see revenue potential in unused features, noting that it's easier to enable idle features that already exist in the security agent rather than install additional software later.
VARs will also need to evaluate the client's current security strategy and make recommendations for timely transitions to new or upgraded security suites. Unfortunately, the move from one security suite to another is rarely convenient, and many companies that perform the transition internally fail to deploy the new product properly. The key issue is resources -- having the available labor and expertise to implement the transition properly while minimizing disruptions to the business. "A new solution that is poorly managed is worse than an old solution that is well managed," Plato said.
Security upgrades are another area where knowledgeable VARs can find additional revenue opportunities, sometimes bundling security upgrades with other nonsecurity software upgrades across the client's enterprise.
Changes in integrated endpoint security suites
Plato and Gray both agree that the current trend of security feature integration and refinement will continue. New features will invariably appear to counter emerging threats, but the suite's design should also evolve to improve stability, performance and compatibility with other software. Today's advanced features like intrusion protection, device control and network access control will continue to mature. Whole disk encryption should eventually appear as an integrated security feature.
Virtualization will also affect endpoint security. As virtualization splits physical systems into multiple virtual machines, each VM will require the same endpoint security protection as physical servers. Vendors will need to accommodate the move to virtualization with smaller and better products using much smaller resource footprints. "Virtualization will drive the need to have more efficient and more comprehensive agents that can be quickly provisioned and managed and put into the policy environment," Plato said.
This was first published in May 2008