
Selecting an Enterprise Security Solution

2ndchance Member Posts: 62
Our contract with our current AV comes up later this year. I am going to review several Enterprise Security solutions to do my best to pick the right fit for our organization. I am building a form that will help me identify and quantify the most important aspects of each product. Here is what I have thus far:

* Cost per host
* Ease of setup/management
* Reporting and alerting options
* Resource footprint on clients
* Track record for detecting and curing attacks
* Additional features such as HIPS, anti-spyware

I currently plan to evaluate the following solutions:

* Computer Associates
* Sophos
* Kaspersky
* Norton

Any advice/personal experiences will be greatly appreciated.

Comments

  • steve13ad Member Posts: 398
    We use a product called LANDesk. Runs pretty well, and they're pretty quick to correct any bugs found in the software.
  • it_consultant Member Posts: 1,903
    I really liked Sophos when I used it 1.5 years ago. My Symantec clients are going to get migrated to Microsoft as soon as their 2010 product is out of beta.
  • Paul Boz Member Posts: 2,620
    It’s funny you mention this. I’m currently working on an RFP for a firewall management solution, so maybe I can provide some insight into your task. Basically you want to define what your goals are for the solution, define the capability requirements, define your security requirements, define your integration requirements, and define your reporting and overhead requirements. I want to know several things: how much time it is going to take to implement the solution, how many resources it will take to implement the solution, what the features are, and how I can manage it. I also care about how secure the solution is in my network. Many people skip this step and wind up with stuff like Blackberry Enterprise Servers with default SA accounts on the backend databases.

    Basically, here is what I would look for if I were evaluating an anti-virus or endpoint security solution. I would put this into an Excel document and email it to your prospective vendors, then combine them into a matrix at the end to see who offers the best solution for your environment.

    Does your solution provide a centralized Management Interface (MI) to manage all the endpoints?
    What’s the maximum number of clients which can be managed from the MI?
    If yes, what are the infrastructure, hardware and software requirements of the MI?
    Does the MI allow centralized deployment of the product to the endpoints? Explain.
    Does the MI receive real-time or near real-time status of a client? (Assuming the client is connected to the network all the time.) Explain.
    Does the MI allow management of other endpoint tools provided by your company? (Ex: application whitelisting, firewall, disk encryption, DLP, etc.)
    Does the MI allow centralized policy enforcement and monitoring? Explain.
    Does the MI use any database backends? Explain and provide a list of all supported databases.
    Does the MI provide dashboards for different user types? (Ex: Operations, Support, Security, etc.)
    Is your product capable of capturing audit log events from the end point? If yes, does the MI play a role in it? Explain.
    Is your product capable of integrating with SIEM tools?


    What are the alerting capabilities built into your product? Explain each in detail.
    Does your MI come with a web interface? If yes, explain.
    What ports are used by the MI and server components?
    What ports are used by the client components?
    Is the web component modular? Can it be installed on a different host than the core MI server/appliance? Explain.
    Explain the auditing and reporting capabilities available on the MI, specific to MI activity and not the endpoint.
    Does the MI hold any authentication keys/attributes locally in the application? If yes, explain the technicalities of this setting. If no, how does it achieve the functionality? Explain.
    Does your MI product support High Availability or Failover Architectures?
    What client operating systems are supported and managed centrally?
    What mobile clients are supported, and can these be managed via the same console?
    How does your product treat a virtual machine client? Do you have any unique technology to address dormant virtual machines?
    How does your product integrate with a virtual environment? Please explain.
    What is the licensing model of your Management Interface? Explain how it ties in with endpoint licensing.


    How many agents/processes are required to detect and clean systems from viruses, spyware, rootkits and other malware threats in real time?
    What features does your product provide to contain a virus outbreak?
    Does your product allow prioritizing signature updates from the MI or other locations? Explain.
    How are the signature updates delivered? (Ex: DAT file.) What is the average file size, and what are the network bandwidth requirements?
    Does your product provide automatic protection to stop malware from email, web or removable media?
    Can location-specific policies be enforced on the endpoint? (Ex: trusted network rules, public network rules, vendor/partner/home rules, etc.)
    What are the alerting and reporting capabilities built into your endpoint agent? Explain each in detail.
    Does your product block an end user/malware from stopping an antivirus service?
    How does your client react when a client service is stopped? Does it restart automatically?
    Does your product provide web protection? Please explain in detail.
    Does your product provide application control?
    Does your system support the ability to provide on-screen notifications to users?
    What is the resource footprint of your endpoint firewall client?
    What components are required to deploy and manage your complete solution?
    Please describe all installers, in order, that are required to deploy your solution. Are there any specific applications that must be installed as prerequisites that require special skills/training?
    How many processes will be running on a system if we deploy AV, spyware, rootkit, firewall, IPS/IDS, application control, disk encryption, removable media encryption and web protection?


    Does your solution support a role-based access model? Please explain.
    Can a role be defined to not have viewing rights to certain components?
    Does the system allow user authentication to be controlled in an external directory, e.g. Active Directory?
    Can AD (Domain) Groups be mapped to application groups/roles to provide authorization?
    What access methodology does this application use, least restrictive or most restrictive?
    Can application authentication be turned off completely?


    Can your system provide custom report filtering using different variables and parameters?
    Can users or sets of users “subscribe” to sets of AV incident reports that match specific criteria and receive a scheduled email delivery daily, weekly, or monthly?
    Is there a “dashboard” view designed for use by executives that can combine information from spyware, malware and web threat events in a single view?
    Does your system come with a prepackaged set of reports? Please provide a complete list.
    Can your system generate a list of systems which were infected and cleaned based on specific dates?


    Many of these requirements would be common to any solution I planned to implement.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
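    Paul Boz's suggestion to collect vendor answers in a spreadsheet and combine them into a matrix can be scripted, so that the final ranking is reproducible and the security requirements he mentions cannot be outweighed by a low price. The following is an added example written for this thread; it is not code from the original post or from any vendor. It implements a weighted requirements matrix: each questionnaire item carries a weight and an optional mandatory flag, vendor answers are scored 0 to 3, an unmet mandatory item (such as tamper protection or a central console) disqualifies the vendor regardless of total, and an unanswered item scores zero and is reported as a gap. The requirement ids, weights, scale and the three vendors' answers are all constructed for illustration.

```python
"""Weighted requirements matrix for comparing endpoint-security vendor responses.

Added example for this thread; not code from the original post or any vendor.
Requirement ids, weights and vendor answers below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str
    text: str
    category: str
    weight: int              # relative importance, 1 (nice to have) .. 5 (critical)
    mandatory: bool = False  # an unmet mandatory requirement disqualifies the vendor


# Vendor answers use a 0..3 scale:
# 0 = not supported, 1 = partial/roadmap, 2 = supported with caveats, 3 = fully supported.
SCALE_MAX = 3
MANDATORY_MIN = 2  # a mandatory requirement counts as met at this score or higher

# Constructed requirement set, condensed from the questionnaire above. Weights are illustrative.
REQUIREMENTS = (
    Requirement("MI-01", "Centralized management interface for all endpoints", "Management", 5, True),
    Requirement("MI-02", "Integrates with SIEM tools", "Management", 4),
    Requirement("SEC-01", "Role-based access with AD group mapping", "Security", 4, True),
    Requirement("SEC-02", "Supports high availability / failover", "Security", 3),
    Requirement("EP-01", "Users and malware cannot stop the AV service", "Endpoint", 5, True),
    Requirement("EP-02", "Location-specific policies", "Endpoint", 2),
    Requirement("RPT-01", "Scheduled report subscriptions", "Reporting", 3),
    Requirement("COST-01", "Cost per host within budget", "Cost", 4),
)


def score_vendor(responses, requirements=REQUIREMENTS):
    """Score one vendor's answers (requirement id -> 0..3).

    An unanswered requirement scores 0 and is reported as a gap, which is how
    most RFP reviews treat silence from a vendor. Returns the overall percentage,
    per-category percentages, unmet mandatory ids, unanswered ids and a
    disqualified flag.
    """
    earned = possible = 0
    cat_earned, cat_possible = {}, {}
    unmet_mandatory, unanswered = [], []
    for req in requirements:
        answer = responses.get(req.req_id)
        if answer is None:
            unanswered.append(req.req_id)
            answer = 0
        if not 0 <= answer <= SCALE_MAX:
            raise ValueError(f"{req.req_id}: score {answer} outside 0..{SCALE_MAX}")
        points, max_points = req.weight * answer, req.weight * SCALE_MAX
        earned += points
        possible += max_points
        cat_earned[req.category] = cat_earned.get(req.category, 0) + points
        cat_possible[req.category] = cat_possible.get(req.category, 0) + max_points
        if req.mandatory and answer < MANDATORY_MIN:
            unmet_mandatory.append(req.req_id)
    return {
        "score": round(100 * earned / possible, 1),
        "by_category": {c: round(100 * cat_earned[c] / cat_possible[c], 1) for c in cat_earned},
        "unmet_mandatory": unmet_mandatory,
        "unanswered": unanswered,
        "disqualified": bool(unmet_mandatory),
    }


def rank_vendors(all_responses, requirements=REQUIREMENTS):
    """Return [(vendor, result)] with qualified vendors first, highest score first.

    A disqualified vendor is listed last whatever its total, so a strong price
    cannot compensate for a missing mandatory security control.
    """
    results = {v: score_vendor(r, requirements) for v, r in all_responses.items()}
    return sorted(results.items(), key=lambda kv: (kv[1]["disqualified"], -kv[1]["score"]))


# Constructed sample responses for three hypothetical vendors.
VENDOR_RESPONSES = {
    "Vendor A": {"MI-01": 3, "MI-02": 3, "SEC-01": 2, "SEC-02": 3,
                 "EP-01": 3, "EP-02": 1, "RPT-01": 2, "COST-01": 1},
    "Vendor B": {"MI-01": 3, "MI-02": 1, "SEC-01": 3, "SEC-02": 2,
                 "EP-01": 0, "EP-02": 3, "RPT-01": 3, "COST-01": 3},  # no tamper protection
    "Vendor C": {"MI-01": 3, "SEC-01": 2, "SEC-02": 0,
                 "EP-01": 2, "EP-02": 2, "RPT-01": 1, "COST-01": 3},  # left MI-02 unanswered
}

if __name__ == "__main__":
    for vendor, result in rank_vendors(VENDOR_RESPONSES):
        status = "DISQUALIFIED" if result["disqualified"] else "qualified"
        print(f"{vendor}: {result['score']}% ({status}) "
              f"unmet mandatory={result['unmet_mandatory']} unanswered={result['unanswered']}")
```

    Run as a script, Vendor B ranks last despite the second-highest raw total because it cannot keep its own service from being stopped, and Vendor C's blank answer on SIEM integration shows up as a gap to chase rather than silently lowering its score. Keep the weights and the mandatory list in the spreadsheet you send out, so that the vendors see the same criteria the scoring uses.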
  • RTmarc Member Posts: 1,082
    2ndchance wrote: »
    Our contract with our current AV comes up later this year. I am going to review several Enterprise Security solutions to do my best to pick the right fit for our organization. I am building a form that will help me identify and quantify the most important aspects of each product. Here is what I have thus far:

    * Cost per host
    * Ease of setup/management
    * Reporting and alerting options
    * Resource footprint on clients
    * Track record for detecting and curing attacks
    * Additional features such as HIPS, anti-spyware

    I currently plan to evaluate the following solutions:

    * Computer Associates
    * Sophos
    * Kaspersky
    * Norton

    Any advice/personal experiences will be greatly appreciated.

    I would add both Microsoft and ESET (NOD32) to your list to evaluate.