Getting the right information
NetIQ, Microsoft, and Compaq recently hosted a series of conferences throughout Australia and New Zealand on Windows security. Of the 220 companies that attended, 98 percent use antivirus software, 73 percent use firewalls and 43 percent use security policy configuration; 54 percent reported using three or more security tools.
Michael Mychalczuk, security manager at NetIQ, suggests organisations will get the most from their security tools by installing a management cockpit--security management software that lets administrators manage the various tools from a central point.
"Maintaining a secure infrastructure requires managing multiple security programs across numerous platforms. Without an efficient security management tool, the various products are typically unable to share information, representing a costly, inefficient and insecure way of protecting a company's assets," says Mychalczuk.
NetIQ's Security Manager for Anti-Virus integrates with Network Associates (McAfee), Symantec (Norton) and Trend Micro products to provide administrators with real-time notification of a virus attack and the status of the distributed antivirus software.
While Symantec's LiveUpdate service (which delivers software updates as well as new virus definition files and firewall rules) is designed to scale from the smallest to the largest installations, it also works with enterprise management tools such as those from Hewlett-Packard, IBM, and CA, Donovan says.
Trend Micro isn't too keen on third party management products. "It is difficult to develop a third-party product for managing antivirus, because AV is a constantly evolving industry and AV vendors are yet to standardise interfaces for central control. This is a reason why AV vendors cannot yet effectively manage competitive products--it's just too hard," says Montgomery.
But satisfactory central consoles do exist, he says. Features to look for include a secure, browser-based interface ("so an administrator can manage a virus outbreak from home in the event of a 3am wake-up call"), platform independence, and the ability to manage all antivirus products across the network.
McAfee's ePolicy Orchestrator handles the deployment and ongoing management of the company's security software, and is highly scalable, according to senior marketing manager Allan Bell: "from one server, you can manage 250,000 machines."
It can also be used to manage Symantec's desktop products, which is an advantage following a merger between two companies using different software, he adds.
Nokia's approach dramatically reduces the maintenance load on IT staff, Whitely suggests. WebShield for Nokia Appliance is based on McAfee software, and automatically downloads any updates as long as a software subscription agreement is in place.
"You don't have to touch it," he says. But when configuration changes are needed, that can be done remotely with the aid of Nokia's Voyager Web-based management tool.
Protection alone isn't sufficient, because a new virus may hit you before your antivirus vendor releases an update. Tony Liddy, managing director of Elantra (a value-added distributor focusing on business continuity and data protection), says organisations also need "tried and tested recovery solutions."
For desktop systems, this means a backup system such as Connected TLM that allows rollback to a "known good" state. "At the server, timeliness is critical and a good disaster recovery strategy must be in place with critical data being at least replicated to an alternative location. Smart intrusion detection and management systems should also be employed to minimise server attacks and ensure patch updates are current," he says.
Some antivirus vendors are taking steps to reduce the window of vulnerability between the release of a virus and the corresponding pattern file update. For some time, antivirus software has had the ability to warn of virus-like behaviour.
However, this doesn't help when you are trying to detect viruses at a gateway or server because the code isn't being executed. Trend Micro's SMTP scanner uses rules as an interim measure.
The company's server can be polled for new rules at intervals as short as every 15 minutes. For example, a rule might block any messages with a particular subject and body text that also have an attachment of a certain name.
The company can provide new rules more quickly than new pattern files. "The Outbreak Prevention Policy is the first indication of a new generation of antivirus whereby antivirus vendors will contribute to an organisation's antivirus policies and strategies, rather than providing technology alone," says Montgomery.
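As an added illustration (not Trend Micro's code, nor from the article), the sketch below evaluates a gateway-side outbreak rule of the kind described: a message is blocked only when its subject, body text and attachment name all match. The rule format, field names and sample messages are constructed assumptions.

```python
# Added example (not Trend Micro's code): a minimal gateway-side evaluator for
# the kind of interim outbreak rule described above. The rule format, field
# names and sample messages are constructed for illustration.
import re
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed rule: a message is blocked only when all three conditions hold.
RULES = [{
    "name": "constructed-rule-001",
    "subject": "important update",             # case-insensitive substring
    "body": "please open the attachment",      # case-insensitive substring
    "attachment": r"^update\.(exe|scr|pif)$",  # regex on the declared file name
}]


def matching_rule(raw_message, rules=RULES):
    """Return the name of the first rule the message matches, or None."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").lower()
    body_parts, names = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name:  # any part carrying a file name is treated as an attachment
            names.append(name)
        elif part.get_content_type() == "text/plain":
            body_parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    body = "\n".join(body_parts).lower()
    for rule in rules:
        if (rule["subject"].lower() in subject and rule["body"].lower() in body
                and any(re.search(rule["attachment"], n, re.I) for n in names)):
            return rule["name"]
    return None


def build_sample(subject, body, attachment_name=None):
    """Construct a raw MIME message for testing (sample data, not real mail)."""
    outer = MIMEMultipart()
    outer["Subject"] = subject
    outer["From"] = "sender@example.test"
    outer["To"] = "gateway@example.test"
    outer.attach(MIMEText(body, "plain"))
    if attachment_name:
        part = MIMEApplication(b"\x00" * 16, Name=attachment_name)
        part["Content-Disposition"] = f'attachment; filename="{attachment_name}"'
        outer.attach(part)
    return outer.as_string()
```

Because all three conditions must hold, a legitimate message that shares only the subject line, or only the attachment name, passes through; that narrowness is what makes such a rule safe to push out within minutes, before a pattern file exists.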
While a lot of work is being done to automate the maintenance of antivirus software, some companies go to extra effort to ensure administrators are advised of threats.
One example is F-Secure's Radar subscription service that can use different notification methods including SMS, e-mail, fax, or phone according to the severity of the threat, the time of day and the day of the week.
Some people suggest using a mix of products from different vendors for best protection. "It is very important that there is no single point of failure in the IT environment," observes Biviano. "Antigen employs multiple scan engine technology using the highest performance engines at the e-mail server to provide maximum protection."
Or as Smith puts it, "there's merit in having more than one vendor involved" by using one product at the gateway and another for individual PCs.
Biviano adds: "Using a suite approach--using a single antivirus vendor for protection at all points--is a common approach that is seen as cost effective, but very often costs business far more as it is a single point of failure. Suite products rely on the same virus definition files to protect all points of entry."
That's not strictly true--Dozortsev pointed out that CA has avoided putting all its customers' eggs in one basket by acquiring two antivirus product teams (Australia's Vet and Israel's iRiS) and maintaining them as two separate operations.
CA customers can mix and match antivirus engines, for example using iRiS on servers and Vet on desktops, yet control them through a single management interface.
It is even possible to hot-swap the engine running on a particular system without requiring a reboot.
Smith also observed that some organisations choose to outsource the management of their gateways, "typically tied in with that [outsourcer] managing intrusion detection and firewalls," partly because they regard it as a specialist matter and partly as a matter of risk transference.
McAfee recently published the results of a March 2002 survey carried out in the UK by Vanson Bourne, which found that although 82 percent of companies had suffered a virus attack in the last 12 months and 35 percent had suffered virus-induced downtime, 92 percent of IT managers still believed they had sufficient resources to manage security.
Bell suggested that IT managers gain kudos from projects that contribute directly to the bottom line, whereas senior management only notices antivirus measures when they fail. So it makes sense, he said, to outsource antivirus efforts (for example, with McAfee's ASaP Online Services, which provide managed security services covering antivirus, firewall and other filtering technologies) and get better protection at a reduced total cost, while concentrating in-house resources on more visible and productive projects.
Biviano points out that it is difficult to ensure antivirus software on notebook computers is kept up to date if they aren't connected to the corporate network for an extended period. "By protecting all the other points of entry into a network, keeping notebooks and desktops up to date is slightly less critical," he says.
According to Foggo, Adelaide University uses a Symantec tool that packages the latest updates and distributes the result by e-mail. "That's a good method to keep mobile users updated," he says. In any case, when notebooks are reconnected to the network the antivirus software is automatically updated.
"Integration [of antivirus software] into the main security suite has become one of the main issues," says LAN Systems' Nixon. Buyers are starting to look for a single product to take care of all their security requirements, or at least a "one-screen view" of security.
LAN Systems is aligned with OpSec, one of the biggest security partnerships. Over 300 partners provide tools that fill different parts of the security picture and integrate together, he says.
Hello, I have a very odd request for you. My name is Jiri Kurka and I'm from the Czech Republic. You wrote in your article about a specialist named Jan Chrbolka. I'm looking for my former classmate and friend from school; he and his family emigrated from CZ. I suppose that this Jan Chrbolka is him. Do you have any contact for this man? Can you help me please?
Thank you very much for your answer.
Jiri Kurka, Czech Republic