Worm out of virus management

The rules of virus management have changed dramatically during the past three years. Even enterprises with a great deal of internal security expertise and generous budgets to tackle the problem have found it hard to protect themselves from an onslaught of virus threats.

Viruses and malicious-code programs are now more frequent and effective in their mission. Malicious-code programs are infecting the enterprise at an unprecedented, rapid-fire rate--often before the antivirus vendor can create an update or before the enterprise can distribute the update to its Simple Mail Transfer Protocol (SMTP) gateway and desktops. Moreover, most small and medium businesses (SMBs) don’t have the resources of larger enterprises to institute 24x7 internal testing and distribution of new updates.

The means of virus infection is also changing. E-mail systems remain the most dominant method by which enterprises are infected. However, as Nimda and Code Red demonstrated--and as instant messaging vulnerabilities and the advent of Web services portend--Web servers, Web applications, and active content eventually will have to be protected from malicious-code attacks.

The already-strained method of signature-based detection used on desktops, file servers, and at the Internet gateway will not suffice for these newer threats. However, through 2003, e-mail will remain the primary vector for malicious-code infections for most companies.

The antivirus campaign
To keep your company safe from future virus attacks you will need a good antivirus program in place. Buying and installing the appropriate software is not the total solution, instead it is just the beginning. Effective protection comes from the management of the software.

And of course antivirus software should not be your total solution, there are also firewalls to consider, as well as intrusion detection systems and many other security solutions on offer; antivirus software is just one part of an overall security strategy-- albeit an important and time-consuming part.

The amount of time you should invest in managing your antivirus software will vary from company to company--depending on the size of the organisation, whether you are protecting from the gateway or desktop, or both, and how much of a priority you place on antivirus systems. While some IT managers may spend 10 minutes a week on antivirus management, others will spend two hours a day.

If you are spending more time than you care to admit managing your company’s antivirus protection solution, or if perhaps the security space is getting too complex to handle, outsourcing is an option you shouldn’t overlook.

Consider outsourcing

While antivirus software has been around for a while now, the managed hosting of antivirus solutions isn’t so mature, but it is a market on the rise. Andrew Grace, of antivirus and security software company Trend Micro, thinks it is the way of the future, going as far to say that in five years time the people who are still managing security inhouse will be the odd ones out.

The reasons to outsource the security functions of your business are much like the reasons to outsource any other parts of your business--such as receiving 24x7 protection, exposure to expert staff, cost savings, and more effective time management.

At Symantec, senior director worldwide planning and strategy, Kerrie Turner, is finding customers really appreciate the access to expertise. “Security professionals are hard to get on the market, all over the world—they are hard to get, hard to keep, and very expensive,” she says. “SMEs have IT managers wearing all different hats, customers look to us for expertise.”

These sentiments are shared by Zento’s CEO Arthur Argyropoulos. “It is hard to find people with the proper accreditations and it is hard to retain them,” he says. Zento is a managed service provider specialising in McAfee and Trend Micro antivirus solutions.

For SMEs the problem of finding experienced security staff is real, as they don’t have the company numbers nor the budget to entice the experts. This is just one reason why Network Associates sees the small to medium businesses as the key market for outsourcing security solutions.

“Managed antivirus is a great idea but it isn’t for everyone. Antivirus is not core to your business but it is a critical part,” says McIntyre. “The larger enterprises have very heavy investment in IT anyway, and it isn’t really what they are looking for from their outsourcing partner.”

If the price is right
Of course a large factor in the decision to outsource is the cost. Some things to keep in mind are the ongoing costs of antivirus management, the cost of skilled staff, as well as taking into consideration the potential costs of business downtime if a virus worms its way into your system.

McIntyre estimates that buying antivirus software only accounts for 20 percent of the total cost of the antivirus solution, with the other 80 percent being management of the software. “How do you quantify the cost of the software--exactly how long is a piece of string?” he says. “The real cost is the distraction, keeping it up to date.”

Like most security solutions, the cost benefit can’t be derived from how much you are spending, but how much you think the company brand or a day’s work is worth--both of which are in jeopardy if a harmful virus infects your system. Most vendors are loath to give a out a price estimate, saying it is different for each company. Also it would be rare for a company to implement an antivirus solution alone, instead the cost of antivirus would just be a part of the total security solution. However, to give you an idea of pricing, Zento says it has solutions starting at US$500 a month.

Evaluating antivirus vendors

Trend Micro doesn't provide the services itself, but partners with Zento and Telstra to deliver the managed service. Whether you are looking for just the antivirus software or for the whole managed offering, the following criteria may help you find the right partner:

• Product quality on a specific platform--eg, Windows 2000 or Lotus Notes.
• Elements to consider include how often product patches are released for that product version, as well as performance/compatibility.
• Management and distribution functionality within the antivirus solution--ie, what mechanisms are available for easy and automated updating of desktops and other systems. Also assess how the antivirus vendor makes available updates, especially in outbreak situations. For example, if the vendor provides updates only from its Web site, you may be unable to download the update because of high demand at the site. If no alternative method of obtaining an update exists, you should ask what highavailability solutions the antivirus vendor uses on its Web site and demand service levels for obtaining the update from the site in an outbreak situation.
• Research and customer support and service--eg, how quickly does the antivirus vendor typically produce an update in an emergency situation? Are alert and virus intelligence services included, as well as customer support contacts (especially in outbreak situations)? The quality of the updates will be critical if you don't have the capability to test updates. Negotiate firm service level agreements to ensure quality updates.
• Incident-response plan--name a manager as the virusalert and incident-response liaison to your antivirus vendors and solution providers, and outfit key enterprise and vendor contacts with pagers or other alert devices. Also ensure that as soon as the new update is available from the antivirus vendor, the SMTP gateway is updated immediately.

Whether you are a small business of three people or a large enterprise with 3000 people, the importance of having an effective antivirus solution in place cannot be underestimated. Without wanting to be a scaremonger, security vendors have all sorts of scary statistics on the amount and types of attacks, future threats and the cost to businesses. As the threats increase and become more complex, so too do preventative measures. It isn't enough to kill the virus when it arrives on your doorstep, now you have to make sure it doesn't even get a look in. If your business doesn't have the time to devote to finding new solutions and posting software upgrades, outsourcing may be just the answer you are looking for.

Who's out there
Following is a guide to the providers that we spoke to for this article. This list is by no means exhaustive, there are many service providers who specialise in the security space and the large outsources such as CSC and EDS will also provide security services as part of their offering. Also remember that security service providers will usually offer more than just an antivirus solution.

McAfee
McAfee, with its ASaP managed services, offers three different packages for antivirus management. VirusScan ASaP is suitable for any sized business and is a simple antivirus manager, Virus-Screen is a service which scans emails for viruses and either cleans or quarantines infected messages, and lastly, Managed Virus Defense ASaP is the more advanced version of VirusScan ASaP, adding protection for the file server, groupware server, and gateway. McAfee also offers vulnerability assessment and firewall management.
www.mcafeeb2b.com

Symantec
Symantec is on its way to being a one-stop shop for security services, offering software, and both professional and managed services. It provides solutions for antivirus, firewalls, intrustion detection systems, virtual private networks, as well as vulnerability assessments and Internet content and email filtering.
www.symantec.com.au

Trend Micro
Trend Micro is one of the leading antivirus software vendors in Australia. It offers managed services through its partners Telstra and Zento--see information on Zento below.
www.trendmicro.com.au

Zento
Managed security service provider Zento offers managed services for antivirus, intrustion detection systems, and firewallsââ,¬"specialising in Trend Micro and McAfee products. Antivirus management services start from $500 a month.
www.zento.com.au

Subscribe now to Australian Technology & Business magazine.