Malware is that group of threats for which we never seem to have enough protection. Next to insider threats, malware may well be the greatest security challenge we face in securing the enterprise. We see components for malware protection in endpoint security products, IDS/IPS solutions, and purpose-built desktop offerings for things like anti-virus, anti-spam, phishing and web content filtering. This first Group Test looks at the products that deliver another layer of protection for malware. These products deploy and defend at the gateway against email, web and application threats, such as viruses, worms, spam, spyware, adware, phishing, keyloggers, trojans, rootkits, downloaders and various levels of zero-day threats. Malware prevention is truly a layered defense worthy of a holistic multitiered approach. That said, personally, I would prefer to have a strong gateway solution so email and web-based threats can be stopped before ever making it inside the environment.
The products we review address some or all of the threats listed above. There are products that are stronger or focus more on email and/or web content. Most of the solutions we reviewed address both. Most of the products came to us as an appliance, while the others were delivered as software or software ISO versions [an image file on a DVD loaded onto hardware]. Regardless of the offering, all the products this month were fairly easy to get installed and running. Most had very simple setups for basic network connectivity and default protection. There were some that still used a command line initial setup, which did surprise us a bit since this is such a mature product category.
There are differences in the deployment methodologies that should be considered. Some products support a bridged/pass-through operation, others support a proxy-based deployment, while some support both options. Performance versus level of protection has to be weighed when choosing the best deployment method. You'll also want to look for clustering options for those products working in proxy mode. Most of the tools did support some enterprise features, such as high-availability deployment configurations and the ability to send configuration and log data to external sources.
We found that alerting and reporting did differ greatly in the products, so you will want to pay particular attention to what you need in this area when evaluating these products for yourself. The tools all shipped with their version of the dictionaries/libraries needed for identifying, quarantining or removing the threats they know about. One thing we looked at was the ability to easily create policies for unknown, blended or zero-day style threats.
We did not assess the products for their catch rates or throughput performance. We evaluated the implementation process, the usability of the products once installed, the amount of protection provided, the enterprise capabilities of the solutions, visibility and presentation of the data, reporting, logging and alerting capabilities and, finally, value for the price and support offerings. We found solutions that deployed very quickly with little impact to the enterprise infrastructure and required very little technical savvy, while still delivering quite a bit of protection.
There is no magic wand for defending against threats, so this is an area you will want to spend some time evaluating.
You will also want to evaluate whether an integrated web and email offering is better for you than a separate, dedicated web and email solution. Additionally, you should understand if the product you choose is capable of scanning both incoming and outgoing traffic. Most of the products will boast about the advantages that their threat and vulnerability databases/libraries bring them. I believe it is more important for the products to provide your technical team with the ability to be able to determine from the data what the real threat is and then provide the tools to customize a remediation. In the end, you'll have some tough choices to make. These were all good products.