The Birth of The Endpoint Protection Platform

When I was still at Gartner I wrote a blog post entitled “One agent to rule them all and through a console bind them” (here), in which I discussed the evolution of desktop management technologies and the convergence of security and operational agents, resulting in an epic battle between good and evil, or more accurately a bunch of security and operations vendors spending a lot on marketing and R&D. Near the end of 2006, shortly after announcing that I was leaving Gartner as a security analyst, I made a bold prediction that stand-alone AV would be dead, D-E-A-D, by the end of 2007 (here). Well, my prediction has come true: Gartner has officially declared a new category, “Endpoint Protection Platform”, in the latest Information Security Hype Cycle for 2007. This followed an earlier announcement that the Personal Firewall Magic Quadrant and the Anti-Virus Magic Quadrant would be collapsed into a single Endpoint Security Magic Quadrant. In the 2007 Information Security Hype Cycle, Gartner defines EPP as “the convergence of desktop security functionality into a single product that delivers antivirus, antispyware, personal firewall and other styles of host intrusion prevention (for example, behavioral blocking) capabilities into a single and cohesive policy-managed solution.” To be clear, and also to ensure that Kurt Wismer doesn’t freak out and write horrible things about me, let me repeat exactly what I said at the end of 2006, so don’t be ranting, Mr. AV:

AV becomes part of a converged security client, offering multiple capabilities including anti-spyware, personal firewall, and intrusion prevention as the foundation, which I have talked about (here). Of course this has already begun, and the AV guys are shoving more and more technologies onto the desktop, including data leak prevention, endpoint policy enforcement, and patch and configuration management. They bundle it all under some uber-agent, while the individual executables fight to claim your system resources. They offer some half-baked management console, slap a new coat of paint on some recent acquisitions, and complain any time Microsoft attempts to improve its security if it in any way affects their sacred AV cash cow.

Enterprises will still need to invest in and deploy AV, but more out of a sense of fear than because they believe it offers value. Organizations with mature IS departments, the ones that are type A in their technology acquisition and process development, have already realized that AV is dead and are looking to strategically address client security in a new world. That world still includes a signature component like AV, but it certainly will not be the cornerstone of endpoint security for very much longer.

So what should organizations do today:

1. Spend less, demand more. Consolidate infrastructure management and spending for multiple point solutions into a converged platform. Do not pay the same price for AV this year that you paid last year; ask for more security and operations function, but do not pay more. Demand more cow-bell! (here) Driven by IT demands to reduce costs, improve operational efficiency and operationalize security, centralized management and administration become one of the key evaluation criteria.

2. Rip out your incumbent if they aren’t providing value. Do not be afraid to tell McAfee and Symantec to take a walk if they are unable to deliver an endpoint protection platform with enterprise-scalable central management; rumor has it that Symantec may actually deliver something at the end of 2007, but who knows. I did a study at Gartner, and the cost of switching out an incumbent AV vendor is far less than people realize. I know my current company (here) can do it for your entire enterprise in about 5 minutes.

3. Security and operations are converging at the desktop and server, so look for operations vendors to provide more security functions. They have stronger systems management, centralized administration and scalability than the traditional security vendors, unless a security vendor has acquired an operations vendor, in which case you will have to wait for the integration dust to settle.

This is technology evolution, this is innovation, this is the market driving change in how vendors address endpoint security; this is how it is all supposed to work, right? Well, we still have a long way to go, as the Hoff points out in his post on Endpoint Security Software Sprawl (here), but this is a positive step forward in addressing an ever-increasing flood of disparate agent technologies.

Disclaimer: I am the CTO of BigFix (here), an enterprise software vendor that happens to offer an endpoint protection platform, among other solutions. BigFix essentially provides an extremely enterprise-scalable, single-server, single-agent solution for real-time visibility and control across operational, security and compliance domains, allowing organizations to consolidate multiple disparate agents into a single policy-driven platform. This doesn’t make my predictions or this post wrong; no, in fact I think it shows my ability to analyze market requirements and align myself with an organization that clearly shares my strategic vision (my Mom isn’t the only person who says nice things about me, sometimes I say nice things about myself).

8 thoughts on “The Birth of The Endpoint Protection Platform”

  1. Super Agents.

    Suckage and elation, all in one breath:

    http://rationalsecurity.typepad.com/blog/2007/09/we-used-to-worr.html

    Is the “one agent to rule them all” the answer to the problem or the beginning of another? I maintain it’s the latter.

    Bloatware Monoculture, I say. We *all* know what happens when you install one of today’s “super agent” AV suites — like Symantec’s. The system slows to a crawl, stuff stops working and it plays poorly with everything else.

    Where do I sign up!?

    /Hoff

  2. Yes, Symantec is a great example of how NOT to do this, whereas BigFix is a great example of how to do this well. There will definitely be pain as the vendors work to optimize and integrate, but the important thing is that it will force the vendors to implement changes, and these changes will hopefully result in operationally efficient agents that support a wide set of desktop systems and security management solutions.

    It is like when all the UTM vendors would just toss a bunch of crap on a box with no real integration or management and a lot of conflicts and impact on performance, but then were able to drive greater efficiencies in their offerings.

    It is progress…

  3. Pingback: Is stand-alone AV finally dead? The debate goes on — Security Bytes

  4. I’d like to first say that I also work at BigFix and work on the endpoint solution.

    However, I’d have to say that AV isn’t dead. AV has evolved. AV used to be “endpoint protection”. Endpoints have changed, and with it the type of protection you need for your endpoint has grown to fit the new networked world.

    Back before people were on the internet, USB sticks, before there was ad-based spyware etc., botnets, all that was needed was AV. From a management standpoint I’d have to say that the BigFix endpoint product, in its true integration with the BigFix platform, just makes it easier to manage than say the Symantec equivalent, as it’s just a hassle to juggle different consoles etc.

    Yes, I am patting BigFix on the back, and I also used to work for Symantec. They do some things fairly well and have a lot of smart people, etc., but making it “easy” and less complicated is not one of them.

  5. Anyhow, Symantec delivered on 27 September 2007 the one and only “Symantec Endpoint Protection 11.0”: one true agent and one single web-based console. Agent includes standard! firewall, AV, anti-Xware, application control, device control, IPS network, IPS kernel, behavioural. Agent has been written from scratch and delivers good performance.

  6. Once I found out that I would need to have a server with 2 gig of physical memory for the product to hog up, I was screwed. Foolish me had already purchased it and started installing stand-alones on some hard-to-get-to users when they flew into the office for 30 seconds. The whole point of the centralized console is ease of management. The software takes up 700 meg. You’ll need a server license of some type, as workstations are limited to 10 concurrent connections, which will drive you crazy due to the fact that you can only see some of your clients some of the time and some others at different times, unless you have it on a server as intended. You can connect to the server with a console, but only through a client that attaches to your stand-alone server. This product is clearly intended for huge networks but not marketed as such. I upgraded from 10.1, which worked OK but was a pain to configure as it needed 2 ports opened. The new 11 functions through port 80. So go ahead and waste some more time closing the ports on all of your workstations from the old. The product documentation leads you in a circle like all Symantec stuff does. So I will either be going back a version to 10.2, but this is unlikely due to the fact that I removed my old setup and don’t care to mess with it again. It looks like 25 stand-alone clients for me. I’m really moving forward, aren’t I?

  7. Ha, more cowbell…love it.

    I agree with amritw, BigFix does do a good job, but some of the other companies out there shouldn’t be overlooked. Fiberlink, for example, is a good alternative that sometimes offers more service and value.
