I was recently roped in as an independent consultant to help evaluate, design / architect and then implement a robust security solution for a unit of the Defense Services in India. I can't name the unit or its location because of the NDAs in effect, but I can say this much: they deal with some pretty sensitive material and data, and they were having a hellish time keeping viruses and worms off their networks.
I was specifically tasked, along with 4 other independent consultants, with evaluating security solutions, Symantec's included. The authorities were concerned with the growing portability of USB data devices: the smaller the device, the harder it is to detect it and to prevent someone from waltzing in and making merry with their critical data, or introducing a targeted threat / Trojan onto the network and quietly siphoning the data / info away.
We were given the following software to test, evaluate and recommend:
- Sophos
- Trend Micro
- McAfee
- Quick Heal
- Symantec
- Microsoft Forefront
- CA
- GFI
- ESET
Now all of these software solutions are pretty good in their functioning and in the type of features they provide, but the main criteria we used for evaluating the software against one another were as follows:
- Price
- Scan Engine effectiveness
- Number of Scan engines employed in the software
- Heuristics
- Integrity Checking
- Behavior Based threat identification
- Access Control
- Firewall Capabilities (whether it is integrated or separately installed and managed)
- Reporting capabilities
- Threat Detection ratio
- Threat Disinfection Ratio
- Support Capabilities (Proactive or Reactive)
- Software capabilities to protect self from being attacked
- Does it meet US DoD standards for Security Software?
- Does it meet the Cyber Security Policy of the Defense Services?
- Is the Software capable of being installed and maintained in a Resilient Mode?
- What are the software's Disaster Recovery Capabilities?
- Percentage of False Positives
- Percentage of False Negatives
The tests that we conducted used payloads customized by the Services staff who were involved with us in the testing phase, along with several commonly available threat samples.
Though most of the software fared pretty well, the following three won hands down in terms of pricing, features, workable capabilities and ease of use.
- Microsoft Forefront
- Symantec
- Sophos
These three were then evaluated again in terms of pricing, support factors, and a detailed capability analysis.
Symantec and Microsoft Forefront won hands down in terms of the following features:
1. Heuristics
2. Scan engines
3. Behavior based threat detection
4. Reporting capabilities
5. Price
The primary reason why Symantec (SEP) won hands down came down to 2 major factors:
- Infrastructure requirement
- Access Control, i.e. the ability to enforce application- and device-based restrictions on the systems, thereby preventing new / unknown / custom threats from getting onto the networks.
The Unit CO who sat in on the evaluation brief with us was pretty impressed by the heuristics in SEP, by the capability to block ANY USB or similar device based on device IDs, and even more so by the built-in NTP (Network Threat Protection) feature with IPS.
Still, we had to give the benefit of the doubt to the other software, as questions were raised about 2 of us chaps being impartial: I was previously a Symantec employee, and the other chap was an ex-employee of a Symantec Gold Partner :). So for the sake of impartiality, we went ahead and performed some rigorous testing on both Forefront and SEP.
We went ahead and performed a POC with approximately 100 clients, ranging from Windows 2000 and Windows XP to Windows Vista based systems, plus server OSes including Windows 2000, Windows Server 2003 and Windows Server 2008, all in a virtual environment.
Despite some initial hiccups deploying SEP to Windows Server 2008 based systems, and an issue with file shares dropping randomly, when we got down to brass tacks and started testing with the threat samples, it was pretty obvious who the winner was.
"SYMANTEC" ! Ta Da.....!
Forefront is pretty good, but the issues lie with the infrastructure requirement: 3 separate servers just to install one management console for managing, reporting and so on. Simply weird, I'd say. They also claim to have 0% false positives!!!!! No vendor claims 0% false positives. They simply fell flat on their face.
The Unit got some pretty competitive pricing relative to the competing software, and we started implementing SEP in the environment within the next 2 weeks. I've since handed the implementation over to the local Unit IT team, and am in touch with them for any queries that come up from time to time.
The primary considerations that they had, and have been addressing, are as follows:
1. A single-point management interface, with failover and replication configured to tackle issues if one server goes down.
2. Application and device control have been successfully implemented, and all USB-based devices except HID devices have been blocked, ensuring that critical and sensitive data and files cannot be copied to USB devices and leaked outside.
3. A single point for updating the clients. We put in place a system of manually downloading the JDB files and then pushing them through the SEPM to the clients, to preserve server integrity. A bit tedious, but in line with the prevailing information security policies at the Unit.
4. Testing for System Lockdown is ongoing at present, and it will most probably go live a few months from now.
5. Tests with custom IPS signatures are also ongoing, to block specific threats.
I'm looking forward to when my NDA ends (4 more years) so I can start describing the exact architecture deployed, as case studies of successful implementation and deployment of the SEP product line.
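As an added example (not code from the original post, nor from Symantec), here is a PowerShell audit that lists the USB devices present on an endpoint and shows which ones a "block all USB except HID" rule like the one in point 2 would affect, pulling out the vendor / product IDs that device-ID based rules key on. It assumes Windows 8 / Server 2012 or later (for Get-PnpDevice) and an elevated session on the endpoint being audited; the allowed-class and infrastructure-service lists are this script's own simplification of the policy, not a vendor rule set, and the sample instance ID in the comment is constructed.

```powershell
# Added example, not code from the original post or from Symantec: inventory the
# USB devices present on an endpoint and show which ones a "block all USB except
# HID" device-control policy (point 2 above) would affect.
# Assumes Windows 8 / Server 2012 or later (Get-PnpDevice) and an elevated session.

# Setup classes the policy leaves usable. HIDClass covers keyboards and mice on
# the HID stack; Keyboard / Mouse cover legacy enumerations. (Script's own list.)
$allowedClasses = @('HIDClass', 'Keyboard', 'Mouse')

# Hubs and composite-device parents carry no data themselves, so report them as
# infrastructure rather than "blocked". Identified by the standard Windows
# driver service names, not by class, because the USB mass-storage parent also
# enumerates under class 'USB'. (Script's own simplification, not a vendor rule.)
$infrastructureServices = @('usbhub', 'USBHUB3', 'usbccgp')

# USB\ covers the bus-level devices; USBSTOR\ covers the disk children of
# mass-storage devices, which is where a copied file would actually land.
$usbDevices = Get-PnpDevice -PresentOnly |
    Where-Object { $_.InstanceId -like 'USB\*' -or $_.InstanceId -like 'USBSTOR\*' }

$report = foreach ($dev in $usbDevices) {
    # Pull vendor and product IDs out of the instance ID,
    # e.g. USB\VID_0781&PID_5567\4C530001234567890123 (constructed sample).
    $vendorId = $null; $productId = $null
    if ($dev.InstanceId -match 'VID_([0-9A-F]{4})&PID_([0-9A-F]{4})') {
        $vendorId = $Matches[1].ToUpper(); $productId = $Matches[2].ToUpper()
    }

    $verdict = if ($allowedClasses -contains $dev.Class) { 'ALLOWED (HID)' }
               elseif ($infrastructureServices -contains $dev.Service) { 'INFRASTRUCTURE' }
               else { 'BLOCKED' }

    [pscustomobject]@{
        PolicyResult = $verdict
        Class        = $dev.Class
        Service      = $dev.Service
        VendorId     = $vendorId
        ProductId    = $productId
        FriendlyName = $dev.FriendlyName
        InstanceId   = $dev.InstanceId
    }
}

$report | Sort-Object PolicyResult, Class, FriendlyName | Format-Table -AutoSize

# Keep the rows the policy would block, so the list can be reviewed against the
# approved-device exception list before the policy is enforced on this machine.
$report | Where-Object { $_.PolicyResult -eq 'BLOCKED' } |
    Export-Csv -Path (Join-Path $env:TEMP 'usb-device-audit.csv') -NoTypeInformation
```

Running this on a representative sample of endpoints before enforcing the policy surfaces the devices that would be cut off (smart-card readers, printers, dongles) so exceptions can be written against their VID / PID or full instance ID rather than discovered through helpdesk tickets after go-live. The class-based verdict is deliberately coarse; the exported instance IDs are the values worth carrying into the real rule set.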