NOTE: No offense to the Special Olympics – I support the organization and think they are an indispensable part of what makes humanity good, and they increase my faith that we are not doomed to roam a post-apocalyptic wasteland with shotguns and broom handles, fighting radioactive zombies and scavenging for scraps of food.
Anyway, I was glancing through the Forrester Wave: Enterprise Anti-spyware, Q1 2006 report, expecting some hard-hitting analysis and keen observations on the strengths and weaknesses of the various vendors and how they stack up against their main constituency – the Enterprise. The bulk of the report echoes what I believe to be the state of the market back in late 2005 and early 2006: integrated suites, point solution vendors, security configuration management companies adding spyware capabilities, etc… That’s all fine, but the vendor analysis, the Wave, as they call it, lists everyone as a strong performer or a leader…
btw – while I am writing this, an unnamed anti-spyware product (I will just say they call themselves the root of the web) just started scanning my system and basically ground my productivity to a halt… Sometimes I like to step back and watch the various anti-malware products fight it out for control of my CPU and memory; it is sort of like watching cockfights, just without the tamales and flying feathers.
Back to the “Wave”… Maybe I am reading it wrong, but given that we are talking about enterprise anti-spyware, and that the enterprise requires integrated security functionality (anti-virus, anti-spyware, PFW, and HIPS) plus centralized management and reporting due to the problems of managing multiple desktop agents, it seems odd that point solution AS vendors would be considered strong performers when they are weak in these functions… The Wave itself lists these as important.
My prediction: there will be no anti-spyware market beyond 2006 (assuming there is actually an anti-spyware market now).
The only reason there is a spyware market at all is because the AV vendors completely dropped the ball and allowed it to happen; they should have been on top of this problem 3-4 years ago. They were in the best position to offer a solution since they had research teams in place, had a presence on corporate desktops, had a mechanism for centralized management, updating and reporting, and most folks look at spyware and viruses as the same thing – bad things getting onto desktops in an automated way.
There are two areas of focus: the desktop and the network.
From the perspective of the desktop:
a. Signature-based AV isn’t really protecting the desktop anymore.
b. To protect the desktop from the majority of threats, an organization would need to run anti-virus, anti-spyware, a personal firewall (for port/protocol blocking or containment of the end-point itself), and host-based IPS (blocking code execution and other malware that bypasses the other mechanisms).
c. Running 4 best-of-breed products (AV, AS, PFW, HIPS) at the desktop is a management nightmare. The resources required to keep these updated and configured correctly, not to mention the logistical problems with support and licensing, drive many organizations to look for a single vendor solution that offers good enough protection across the 4 disciplines with a centralized management and reporting console.
d. All desktop security vendors are looking to provide all of these defense mechanisms in a single offering (McAfee 8.0i with ePO, Symantec CSS, with companies like Checkpoint and ISS looking to expand into the 4 areas).
e. As I stated, I don’t believe that there will be an enterprise anti-spyware desktop market in the next 1-2 years. I believe what we will have is an integrated desktop security market that includes the 4 main areas of malware protection (with many variants of HIPS within them).
f. Any viable spyware solution must be able to do three things: detect spyware, defend against spyware execution, and clean spyware that is resident on a host, with the defense being the most important. The AV vendors are lagging on the defense and cleaning side of spyware, which has allowed companies like Webroot to take advantage.
From the perspective of the network:
a. Network/gateway protection should be the first line of defense. If you look at organizations that have deployed anti-virus or anti-spam at the perimeters and gateways, they see very few virus or spam incidents actually making their way to a host. Clearly you would expect to see a similar pattern with spyware protection at the gateway or perimeter.
b. Similar to the desktop, the network requires multiple forms of protection. Many companies ship all-in-one appliances that provide IPS, AV, VPN, firewall, and web filtering, and spyware will become a component through 2006.
c. Network, gateway, and perimeter protection should be the first line of defense; however, it will never provide enough protection to make desktop protection mechanisms obsolete.