<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Spire Security Viewpoint &#187; AMP Firehose</title>
	<atom:link href="http://spiresecurity.com/?cat=18&#038;feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://spiresecurity.com</link>
	<description>Risk and Cybersecurity Analysis</description>
	<lastBuildDate>Fri, 14 Nov 2014 00:11:00 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Advanced Malware Protection Evaluation Criteria</title>
		<link>http://spiresecurity.com/?p=1401</link>
		<comments>http://spiresecurity.com/?p=1401#comments</comments>
		<pubDate>Thu, 24 Oct 2013 02:41:48 +0000</pubDate>
		<dc:creator>Pete Lindstrom</dc:creator>
				<category><![CDATA[AMP Firehose]]></category>
		<category><![CDATA[Highlights]]></category>
		<category><![CDATA[Random]]></category>

		<guid isPermaLink="false">http://spiresecurity.com/?p=1401</guid>
		<description><![CDATA[[Pete Lindstrom is VP of Research at Spire Security, LLC and host of the AMP Firehose 1-day Workshop (vendor bakeoff) coming up in Chicago on 10/29. Register at www.regonline.com/AMPFirehoseCHI.] I believe the folks at Gartner put a lot of research&#8230;<p class="more-link-p"><a class="more-link" href="http://spiresecurity.com/?p=1401">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>[<em>Pete Lindstrom is VP of Research at Spire Security, LLC and host of the AMP Firehose 1-day Workshop (vendor bakeoff) coming up in Chicago on 10/29. Register at</em> <a href="http://www.regonline.com/AMPFirehoseCHI">www.regonline.com/AMPFirehoseCHI</a>.]</p>
<p>I believe the folks at Gartner put a lot of research and effort into their Magic Quadrant analysis. That said, I can&#8217;t help but conclude that &#8220;vision&#8221; and &#8220;execution&#8221; don&#8217;t quite do it for me when it comes to identifying appropriate candidate solutions to address a problem. They just seem to be too much about marketing, which is very important to the companies but only ancillary to an enterprise&#8217;s needs. Sure, they want a solution that will be viable for the long-term, but other than that it is pretty insignificant.</p>
<p>To address this issue, I have put together a set of questions in 4+1 evaluation categories that I believe provide more insight into the important attributes of a solution. The first round of categories was introduced at AMP NYC a month ago. Here is my second revision. Opinions and advice are welcome.</p>
<p><strong>1. Company/Product Information:</strong> What level of confidence does the company information provide that the company and product will remain viable for your organization?</p>
<p>Consider:<br />
• What year was the company founded?<br />
• What is the background of the management team?<br />
• How many employees does the company have?<br />
• What is the funding status/source of finances?<br />
• What is the product name and version?<br />
• How many customers does the company have for the pertinent product?<br />
• What certifications and tests were done on the product?<br />
• What other 3rd party reviews, awards, or other supporting evidence exists about the product?<br />
• What is the pricing model for the solution?</p>
<p><strong>2. Functional Operation:</strong> What level of benefit does the functional operation of the product have?</p>
<p>Consider:<br />
• Primary operation &#8211; scan memory state, scan configuration/file system/network state, monitor/record system call activity, monitor/record network traffic, isolate memory, isolate system activity, isolate network communications.<br />
• Trigger action &#8211; detect &#8220;known good&#8221; execution, detect &#8220;known good&#8221; activity, detect &#8220;known bad&#8221; execution, detect &#8220;known bad&#8221; behavior, detect anomalous execution, detect anomalous behavior.<br />
• Response options &#8211; allow, deny execution, kill process, kill network connection, reroute network communication, log event, notify user, notify admin (alert), other.<br />
• Recovery options (post-infection) &#8211; Restore config to known good state, remove bad files/objects, identify similar issues across network, notify/update other control solutions.</p>
<p><strong>3. Architecture &amp; Administration:</strong> How well does the product&#8217;s architecture fit in with your organization&#8217;s existing security processes? How likely is it to provide benefits? What features does it have to support implementation and administration?</p>
<p>Consider:<br />
• Where/how are any product sensors or agents deployed throughout an enterprise (endpoint, network, cloud, other)? How are they protected?<br />
• Where/how does the product admin/management function work? How is it protected? (endpoint, network, cloud, other)<br />
• Where/how does the product log/data/storage function work? How is it protected? (endpoint, network, cloud, other)<br />
• How is information shared a) with the solution components; and b) with others?<br />
• How does the solution get installed/implemented in the environment?<br />
• How customizable is the configuration and interface?</p>
<p><strong>4. Technical Integration:</strong> How well does the solution integrate into the IT ecosystem? How easy will it be to implement and maintain?</p>
<p>Consider:<br />
• How does the solution integrate with other products from the same company?<br />
• How does the solution integrate with 3rd party security solutions?<br />
• How does the solution integrate into an IT architecture?<br />
• What are the prerequisites for user directories, management servers, etc?<br />
• What standards, communication protocols, platforms, languages, frameworks, etc. are supported?<br />
• How robust is the API for third party access?</p>
<p>The final category is actually a rollup of the other four, since the differentiators and value come from the previous specifics being identified.</p>
<p><strong>Key Differentiators / Overall Value Proposition</strong><br />
When looking at the complete picture of the solution, how strong are the overall benefits derived from the individual evaluation categories?</p>
<p>I believe these evaluation categories more properly reflect the needs of the enterprise. What do you think?</p>
]]></content:encoded>
			<wfw:commentRss>http://spiresecurity.com/?feed=rss2&#038;p=1401</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>AMP: Determining the value of whitelists, sandboxes, isolation, and active forensics</title>
		<link>http://spiresecurity.com/?p=1393</link>
		<comments>http://spiresecurity.com/?p=1393#comments</comments>
		<pubDate>Wed, 11 Sep 2013 13:02:50 +0000</pubDate>
		<dc:creator>Pete Lindstrom</dc:creator>
				<category><![CDATA[AMP Firehose]]></category>
		<category><![CDATA[Economics and Risk]]></category>
		<category><![CDATA[Threat Management]]></category>

		<guid isPermaLink="false">http://spiresecurity.com/?p=1393</guid>
		<description><![CDATA[The most challenging thing about evaluating anti-malware solutions is the variety of architectures that can be employed to address the problem. Let&#8217;s look at three product categories and see how they might provide value to an organization: 1. Application Control&#8230;<p class="more-link-p"><a class="more-link" href="http://spiresecurity.com/?p=1393">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>The most challenging thing about evaluating anti-malware solutions is the variety of architectures that can be employed to address the problem. Let&#8217;s look at three product categories and see how they might provide value to an organization:</p>
<p>1. <strong>Application Control / Whitelisting Solutions.</strong> Whitelisting solutions change the security approach from one that allows software to install/run unless otherwise specified on a &#8220;blacklist&#8221; (&#8220;default allow&#8221;) to one that requires explicit permissions on a &#8220;whitelist&#8221; for software to be executed (&#8220;default deny&#8221;).</p>
<p>Clearly, the goal of whitelisting is to reduce the number of malware infections by preventing unidentified software from running, thus saving the aforementioned recovery costs. Given the common predisposition for organizations to consider infections separately from incidents, whitelisting solutions also are intended to reduce the likelihood of a bigger incident.</p>
<p>The tradeoff for whitelisting solutions is determining whether costs associated with false positives &#8211; legitimate software that is kept from running &#8211; will offset these additional benefits. Generally speaking, the more dynamic and decentralized an organization is, the larger the problem. Nowadays, whitelisting solutions have varying ways to deal with this known issue.</p>
<p>2. <strong>Sandboxes and Virtual Machines.</strong> Perhaps the most varied set of solutions addressing malware these days are the sandboxes and virtual machines. Some sandboxes &#8211; primarily on the network &#8211; are designed simply to provide an out-of-band (and sometimes near-real-time) environment to execute suspicious software and determine whether it is malware. As with whitelisting, the goal is to identify more malware more quickly, thereby reducing costs.</p>
<p>Other solutions &#8211; focused on the endpoint &#8211; actually isolate the production operating environment to reduce recovery costs by reducing the downtime associated with re-imaging a system, and/or reduce the impact by containing malware in an environment separate from other production resources.</p>
<p>There are some tradeoffs in the sandbox/virtual arena depending on the architecture. Network solutions may not see as much traffic in highly mobile environments. Endpoint solutions have performance considerations and/or architectural dependencies to consider.</p>
<p>3. <strong>Active Forensics.</strong> Recently, a number of solutions have arisen to offer a near-real-time approach to forensics. By recording system calls and/or scanning system state looking for anomalies, their goal is to identify malware infections within shorter time periods than existing methods can.</p>
<p>Active forensics solutions look to reduce the costs of recovery by providing detailed information on changes that were made by malware so a responder can recover more quickly. In addition, the solutions provide comprehensive information so that recovery may be possible without re-imaging. In environments where users can install their own software, this could significantly reduce end-user productivity losses associated with recovery techniques. In addition, active forensics attempt to reduce the time-to-discovery such that further exploit and escalation chances are reduced.</p>
<p>The tradeoff with active forensics is determining whether the detailed information is enough to ensure completeness of recovery so that recovery without re-imaging is a possibility. On the risk side, enterprises must determine whether the new insight provided will lead to a fast enough response time to offset the cost of the solution.</p>
<p>Each of these product categories (as well as others) has a value proposition that may provide benefits to organizations looking to augment their antimalware protection programs. The key is for companies to understand exactly what benefits they provide and decide for themselves which particular type of solution, if any, is likely to have the largest benefit.</p>
<p><em>Pete Lindstrom is Principal and VP of Research for Spire Security, LLC, a research and advisory firm. Learn more about Advanced Malware Protection by “Drinking from the Firehose” in New York City on 9/17/13. Details at <a href="http://www.regonline.com/AMPFirehoseNYC">www.regonline.com/AMPFirehoseNYC</a>. Complimentary access for those who qualify. Contact petelind@spiresecurity.com for details.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://spiresecurity.com/?feed=rss2&#038;p=1393</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Advanced Malware Protection Firehose Workshop 9/17 NYC Times Square</title>
		<link>http://spiresecurity.com/?p=1389</link>
		<comments>http://spiresecurity.com/?p=1389#comments</comments>
		<pubDate>Tue, 10 Sep 2013 14:33:24 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[AMP Firehose]]></category>

		<guid isPermaLink="false">http://spiresecurity.com/?p=1389</guid>
		<description><![CDATA[Due to the generosity of key sponsors, the AMP Firehose has a limited number of complimentary seats available for its workshop on 9/17 in Times Square. Simply use code AMPNYC when you register at http://www.regonline.com/AMYFirehoseNYC. In addition, every qualified participant&#8230;<p class="more-link-p"><a class="more-link" href="http://spiresecurity.com/?p=1389">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p><span style="letter-spacing: 0.05em; line-height: 1.6875;">Due to the generosity of key sponsors, the AMP Firehose has a limited number of complimentary seats available for its workshop on 9/17 in Times Square. Simply use code AMPNYC when you register at </span><a style="letter-spacing: 0.05em; line-height: 1.6875;" href="http://www.regonline.com/AMYFirehoseNYC">http://www.regonline.com/AMYFirehoseNYC</a><span style="letter-spacing: 0.05em; line-height: 1.6875;">.</span></p>
<p><span style="letter-spacing: 0.05em; line-height: 1.6875;">In addition, every qualified participant will receive their choice of an ARDUINO or RASPBERRY PI &#8220;security architect&#8221; Kit (while supplies last).</span></p>
<p><span style="letter-spacing: 0.05em; line-height: 1.6875;">AMP Workshop, In Brief:</span></p>
<p>A bakeoff of whitelist, sandbox, and active forensics vendors using a consistent model for evaluation of their ability to help stop 0days, &#8220;advanced persistent threats,&#8221; and any other &#8220;malware that gets through&#8221;. Collaborate with peers and determine your own need (or lack thereof) with a custom anti-malware protection economic model.</p>
<p><span style="letter-spacing: 0.05em; line-height: 1.6875;">Benefits of the Workshop:</span></p>
<p>- Get real, specific clarity about the costs and benefits of key AMP solutions.</p>
<p>- Get key feedback from your peers and colleagues pursuing similar goals.</p>
<p>- Customize your own economic model and vendor scorecard based on your needs.</p>
<p>- Compare and contrast vendors using the same framework.</p>
<p><span style="letter-spacing: 0.05em; line-height: 1.6875;">Logistics:</span></p>
<p>WHEN: September 17th, 9am-5pm (8am coffee)</p>
<p>WHERE: Times Square, NYC (1601 Broadway in Crowne Plaza building &#8211; Executive Conference Center)</p>
<p>REGISTER: <a href="http://www.regonline.com/AMPFirehoseNYC">http://www.regonline.com/AMPFirehoseNYC</a></p>
<p><span style="letter-spacing: 0.05em; line-height: 1.6875;">Read about the issues, decision points, and conclusions from an enterprise perspective at </span><a style="letter-spacing: 0.05em; line-height: 1.6875;" href="http://spiresecurity.com/?cat=18">http://spiresecurity.com/?cat=18</a><span style="letter-spacing: 0.05em; line-height: 1.6875;">.</span></p>
<p><span style="letter-spacing: 0.05em; line-height: 1.6875;">Can&#8217;t make the workshop, but would like the &#8220;Spire AMP Economic Model&#8221; to review? Contact Pete Lindstrom </span><a style="letter-spacing: 0.05em; line-height: 1.6875;" href="mailto:petelind@spiresecurity.com">petelind@spiresecurity.com</a><span style="letter-spacing: 0.05em; line-height: 1.6875;">.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://spiresecurity.com/?feed=rss2&#038;p=1389</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cost-Benefit Analysis for Anti-Malware Protection (AMP)</title>
		<link>http://spiresecurity.com/?p=1383</link>
		<comments>http://spiresecurity.com/?p=1383#comments</comments>
		<pubDate>Mon, 09 Sep 2013 16:54:49 +0000</pubDate>
		<dc:creator>Pete Lindstrom</dc:creator>
				<category><![CDATA[AMP Firehose]]></category>
		<category><![CDATA[Economics and Risk]]></category>

		<guid isPermaLink="false">http://spiresecurity.com/?p=1383</guid>
		<description><![CDATA[I recently wrote about key economic considerations for AMP. With those in mind, it is time to evaluate your existing anti-malware program and determine whether you should consider augmenting or otherwise addressing it. The first stage of this process is&#8230;<p class="more-link-p"><a class="more-link" href="http://spiresecurity.com/?p=1383">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>I recently wrote about key economic considerations for AMP. With those in mind, it is time to evaluate your existing anti-malware program and determine whether you should consider augmenting or otherwise addressing it.</p>
<p>The first stage of this process is to understand the costs and benefits of your existing program. This is a 4-step process:</p>
<ol>
<li><span style="letter-spacing: 0.05em; line-height: 1.6875;">Determine the probability and (economic) impact of being compromised by malware. This is the overall risk an organization is trying to address with anti-malware solutions.</span></li>
<li><span style="letter-spacing: 0.05em; line-height: 1.6875;">Collect the total cost of ownership of *all* of your anti-malware solutions.</span></li>
<li><span style="letter-spacing: 0.05em; line-height: 1.6875;">Estimate the amount of risk reduced by the current anti-malware solutions in the IT environment.</span></li>
<li><span style="letter-spacing: 0.05em; line-height: 1.6875;">Compare the amount of risk reduced in step 3 to the total cost of ownership in step 2. A simple comparison should show higher benefits than costs (if not, you are doing it wrong). More advanced comparisons (division!) can provide your &#8220;risk reduced per unit cost&#8221; for your current anti-malware program.</span></li>
</ol>
<p>These four steps are notionally simple but TechRisk professionals will recognize that any non-trivial environment will have challenges developing some of the estimates. It may be worth perusing my website or contacting me directly to discuss some useful ways to do this.</p>
<p>Once the assessment of the current situation is complete, it is time to review both the TCO information and the remaining (or &#8220;residual&#8221;) risk to determine if it is worthwhile to modify the program in any way. Given that there are existing costs to work with, a new solution may provide opportunities to reduce the existing TCO along with the ultimate objective to reduce the residual risk.<br />
To evaluate the value of new solutions, it is beneficial to delve a little deeper into costs and the amount of risk reduced. This is especially true since many solutions shift costs from operating expenses to a capital investment.</p>
<p>Taking a page out of the &#8220;activity-based costing&#8221; book can help an organization evaluate its cost structure more effectively. To do this, an organization should allocate its costs to a set of identified anti-malware activities. A new solution may help lower these costs by, for example, reducing the number of infections that must be cleaned over time.</p>
<p>On the risk side, new solutions may reduce the likelihood of an infection or incident by identifying more malware prior to infection. They also may provide a means to reduce the impact of an infection by lowering the response and recovery costs or addressing some other aspect of loss.</p>
<p>Understanding risk and costs is a crucial aspect of managing a security program. In addition to recognizing the value provided by an existing anti-malware program, performing this analysis may highlight areas of inefficiency or weakness.</p>
<p><em>Pete Lindstrom is Principal and VP of Research for Spire Security, LLC, a research and advisory firm. Learn more about Advanced Malware Protection by “Drinking from the Firehose” in New York City on 9/17/13. Details at <a href="http://www.regonline.com/AMPFirehoseNYC">www.regonline.com/AMPFirehoseNYC</a>. Complimentary access for those who qualify. Contact petelind@spiresecurity.com for details.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://spiresecurity.com/?feed=rss2&#038;p=1383</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do Enterprises Need AMP? An &#8220;Advanced Malware Protection&#8221; Market Assessment</title>
		<link>http://spiresecurity.com/?p=1376</link>
		<comments>http://spiresecurity.com/?p=1376#comments</comments>
		<pubDate>Tue, 03 Sep 2013 14:58:28 +0000</pubDate>
		<dc:creator>Pete Lindstrom</dc:creator>
				<category><![CDATA[AMP Firehose]]></category>
		<category><![CDATA[Economics and Risk]]></category>
		<category><![CDATA[Highlights]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Threat Management]]></category>

		<guid isPermaLink="false">http://spiresecurity.com/?p=1376</guid>
		<description><![CDATA[Over the past few months I have been on an &#8220;advanced malware protection&#8221; (AMP) kick. I am fascinated by this topic because it ties together a set of market conditions that can be extremely challenging to navigate through, both for&#8230;<p class="more-link-p"><a class="more-link" href="http://spiresecurity.com/?p=1376">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>Over the past few months I have been on an &#8220;advanced malware protection&#8221; (AMP) kick. I am fascinated by this topic because it ties together a set of market conditions that can be extremely challenging to navigate through, both for security architects and solution providers:</p>
<ol>
<li><span style="line-height: 16px;"><strong>Need</strong>. I choose the word &#8220;need&#8221; with caution, since, as you will find out below, it does not necessarily mean there is &#8220;demand&#8221; for a better solution. However, I don&#8217;t think techrisk professionals can deny that the malware dropping attack vector is alive and well. It is highlighted as the key to the Aurora attacks that catalyzed the &#8220;advanced persistent threat&#8221; concern.</span></li>
<li><strong>Varied Solutions</strong>. There are a number of vendors that have cropped up through the years with solutions to address the malware problem, and the techniques vary significantly. Whitelisters only allow identified executables to run; sandboxes isolate malware and/or identify actions; and real-time forensics track system calls and/or configured state.</li>
<li><strong>Mature Market</strong>. Even with an identifiable need and newer interesting solutions, the most powerful security market in the world &#8211; antivirus (nee antimalware) &#8211; operates in pseudo-commodity mode and dominates in endpoint security.</li>
</ol>
<p>As an industry analyst, I have had the opportunity to interview over a dozen solution providers and even more enterprise security architects and executives on the state of antimalware in the enterprise. Here are a few of my conclusions:</p>
<ul>
<li>Companies are moderately satisfied (and perhaps complacent) with their existing antimalware solutions. They acknowledge that these solutions are not blocking all malware but believe that every solution in the category has similar problems and so are reluctant to switch.</li>
<li>The only factor that could affect existing signature-based antimalware is price &#8211; a lower-cost solution (which many agree is unlikely) could have a strong-enough value proposition. Notably, a few organizations are evaluating Microsoft&#8217;s free antimalware solution as one of these alternative options.</li>
<li>Organizations are looking to gain more benefit from their existing antimalware solutions. Many are still focused on signature-based functionality and are now looking at more advanced capabilities. In addition, organizations are considering and employing new capabilities like Microsoft&#8217;s EMET functionality.</li>
<li>For those times when malware gets through and infects a system, re-imaging is the standard approach, though some organizations are mildly reluctant to do it. Most of these malware infections are not classified as &#8220;incidents&#8221; per se &#8211; there is an ad hoc evaluation process to decide whether any infection should be escalated into being classified as an incident.</li>
<li><span style="letter-spacing: 0.05em; line-height: 1.6875;">Organizations are looking at architectural changes and not product changes when it comes to endpoint client-side security. This means they are focusing on BYOD and/or VDI (or even dumb terminals) as options in their client security strategies.</span></li>
<li>Control over (physical) clients continues to relax, with certain &#8220;pockets&#8221; of exceptions (kiosks or manufacturing systems). For some, this was after a long period of control strengthening (e.g. finally taking away local administrative rights).</li>
</ul>
<p>As I mentioned at the start, the market dynamics fascinate me here. I don&#8217;t think there is a techrisk professional left that believes signature-based antimalware is &#8220;good enough&#8221; and yet we see its dampening impact everywhere. At this stage, it has simply become the &#8220;checkbox compliant&#8221; easiest approach.</p>
<p>As someone extremely interested in cybersecurity economics I am encouraged by the attention being given to the bottom line &#8211; organizations should be very careful about cost-benefit in their security programs. While some of the organizations I interviewed had done a comprehensive analysis, it appeared to me that a number of organizations had not undergone a thorough review of their strategies.</p>
<p>I will be addressing these issues at my <a href="http://www.regonline.com/AMPFirehoseNYC">&#8220;Drinking from the AMP Firehose&#8221; workshop</a> in New York City in a couple of weeks. The workshop concept was driven by these ideas and aims to break through the logjam brought on by complacency and confusion. Regardless of the conclusions that individual organizations come to, I think the entire field will be better off for it.</p>
<p><em>Pete Lindstrom is Principal and VP of Research for Spire Security, LLC, a research and advisory firm. Learn more about Advanced Malware Protection by &#8220;Drinking from the Firehose&#8221; in New York City on 9/17/13. Details at <a href="http://www.regonline.com/AMPFirehoseNYC">www.regonline.com/AMPFirehoseNYC</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://spiresecurity.com/?feed=rss2&#038;p=1376</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do you need &#8220;Advanced Malware Protection&#8221; from 0days and the APT? Key Economic Considerations</title>
		<link>http://spiresecurity.com/?p=1362</link>
		<comments>http://spiresecurity.com/?p=1362#comments</comments>
		<pubDate>Tue, 27 Aug 2013 21:49:32 +0000</pubDate>
		<dc:creator>Pete Lindstrom</dc:creator>
				<category><![CDATA[AMP Firehose]]></category>
		<category><![CDATA[Economics and Risk]]></category>
		<category><![CDATA[Highlights]]></category>

		<guid isPermaLink="false">http://spiresecurity.com/?p=1362</guid>
		<description><![CDATA[Events over the past few years have heightened attention on attackers with more serious intentions than script kiddies or casual hackers. The &#8220;advanced persistent threat&#8221; has been outed, first generally by Google and RSA, then much more explicitly by Mandiant.&#8230;<p class="more-link-p"><a class="more-link" href="http://spiresecurity.com/?p=1362">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p><span style="letter-spacing: 0.05em; line-height: 1.6875;">Events over the past few years have heightened attention on attackers with more serious intentions than script kiddies or casual hackers. The &#8220;advanced persistent threat&#8221; has been outed, first generally by Google and RSA, then much more explicitly by Mandiant. The use of 0days in malware has been identified as a key element of the &#8220;kill chain&#8221; for attackers. Right or wrong, cybersecurity concerns are at an all-time high.</span></p>
<p>On the protection side of the equation, although antimalware solutions provide a basic (and compliant) level of protection, security professionals are well aware of the limitations of signature-based approaches. Solutions that have been around for a while, such as host intrusion prevention and whitelisting, have gained renewed interest. Other approaches like network or endpoint sandboxes for isolation and/or analysis or active forensics for near-real-time analytics are coming on strong.</p>
<p>The challenge is determining whether the additional cost is worth it, deciding whether a new solution will significantly reduce the problem, and identifying which type of solution(s) are best.</p>
<p>While it is easy for security professionals to claim they will spend &#8220;whatever it takes&#8221; to address technology-related risk, that assertion is easily deflated through extreme examples (millions? billions? trillions?). While the intentions are valiant (and I get the point), no organization has an unlimited supply of money to spend on security. Therefore, it is crucial to make good decisions about how and where to spend money.</p>
<p>Any business decision is accompanied by some sort of justification, and cybersecurity is no different. In security, we typically evaluate total cost of ownership of the solution and compare it to our notion of how much risk is reduced. At the very least, every purchasing decision is supported by a claim that the spending &#8220;is worth it.&#8221; At best, a more formal cost-benefit approach should be employed.</p>
<p>Evaluating the cost-benefit of an &#8220;advanced malware protection&#8221; solution can be extremely challenging. Dropping malware (in the form of viruses and worms) onto systems is one of the oldest methods of attacking and compromising computing environments. Because of this, all enterprises already have controls in place that attempt to protect against malware infection. In addition, there are a number of techniques that can be used to address the problem.</p>
<p>Regardless of the challenge, conducting an economic analysis of newer AMP solutions may lead to some surprising conclusions. Here are six key considerations for conducting your analysis.</p>
<p><strong>1. Ignore the &#8220;Advanced&#8221; Part of Advanced Malware Protection</strong></p>
<p>The first distinction you should make in reviewing your needs for &#8220;advanced&#8221; malware protection is that the &#8220;advanced&#8221; part is extremely nebulous &#8211; the bar keeps changing in defining exactly which techniques are advanced and which aren&#8217;t advanced. Accordingly, the first takeaway is &#8220;evaluate your AMP solutions in concert with all antimalware efforts in your organization.&#8221;</p>
<p>This should not be a radical thought.</p>
<p><strong>2. Cover All the Antimalware Bases</strong></p>
<p>Diving a bit deeper into costs, enterprises should consider the costs of all capabilities &#8211; the capital investments made on hardware and software, maintenance costs, and personnel costs. The vendor solution (capital investment) side of antimalware protection can include endpoint antimalware, email or gateway-based antimalware, intrusion detection (potentially), and secure web gateways. On the operational expense side, organizations should consider the personnel costs associated with identification, prevention, mitigation, response, and recovery activities associated with malware infections and incidents.</p>
<p><strong>3. Allocate Partial Costs of Broader Solutions</strong></p>
<p>Focusing on the costs associated with one type of threat &#8211; in this case, malware &#8211; can be challenging. Some solutions, like endpoint antimalware, focus directly on the problem while others provide varying levels of accompanying support. In my research, for example, secure web gateways were cited as a means for detecting malware infections that were undetected by endpoint antimalware solutions, but secure web gateways provide more capability than malware infection detection.</p>
<p>The key in the analysis is to allocate costs based on the proportional value provided by the broader solution. If 10% of the ongoing value of the solution comes from antimalware detection, then 10% of the future costs should be allocated to antimalware.</p>
<p><strong>4. Ignore Sunk Costs</strong></p>
<p>The maturity level of antimalware makes it likely that capital investments to address the problem have already occurred. Any spending that occurred in the past should be excluded from the analysis, though any current and future operational expenses should be included. In contrast, a decision involving a future capital investment should include that amount allocated (either amortized or depreciated) over its lifetime as well as the operational costs.</p>
<p><strong>5. Factor in Employee Productivity</strong></p>
<p>Another economic issue to consider is the productivity of employees. The productivity costs associated with the impacted worker should be considered along with the costs associated with the IT triage person. If it takes four hours to recover an infected system, then four hours of the worker&#8217;s lost productivity should be included (nothing fancy here &#8211; use a single average number based on salary for all workers).</p>
<p><strong>6. Use a Breakeven Approach</strong></p>
<p>Perhaps a bigger challenge in justifying antimalware spending is in determining the amount of potential losses. That &#8220;it is worth it&#8221; decision means that the security professional spending $100,000 on a security solution believes the solution will offset at least $100,000 in risk.</p>
<p>While some cringe a bit at the realization that spending reveals the minimum expectation of risk reduction, it also provides an opportunity to conduct a standard financial breakeven analysis. Rather than attempting to figure out the exact amount of financial loss at stake, you need only consider the total amount being spent and determine whether it is less than the potential losses. So as long as you&#8217;ve properly accounted for all costs, an appropriate decision can be made.</p>
<p>The AMP solution decision is not an easy one &#8211; with a handful of controls at different maturity levels already in the organization and a variety of newer solutions vying for attention. Some organizations may even come to the conclusion they don&#8217;t need to augment their existing capabilities. Others will find out they really do. Regardless, enterprises should be conducting the necessary analysis to make the best decision for their needs.</p>
<p><em>Pete Lindstrom is Principal and VP of Research for Spire Security, LLC, a research and advisory firm. Learn more about Advanced Malware Protection by &#8220;Drinking from the Firehose&#8221; in New York City on 9/17/13. Details at <a href="http://www.regonline.com/AMPFirehoseNYC">www.regonline.com/AMPFirehoseNYC</a>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://spiresecurity.com/?feed=rss2&#038;p=1362</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Workshop: Drinking from the Advanced Malware Protection Firehose</title>
		<link>http://spiresecurity.com/?p=1364</link>
		<comments>http://spiresecurity.com/?p=1364#comments</comments>
		<pubDate>Tue, 27 Aug 2013 13:52:07 +0000</pubDate>
		<dc:creator>Pete Lindstrom</dc:creator>
				<category><![CDATA[AMP Firehose]]></category>
		<category><![CDATA[Economics and Risk]]></category>

		<guid isPermaLink="false">http://spiresecurity.com/?p=1364</guid>
		<description><![CDATA[&#8220;Drinking from the Advanced Malware Protection (AMP) Firehose&#8221; is a workshop for information security architects, managers and tech-savvy executives to evaluate the ability of newer and evolving AMP solutions (whitelists, sandboxes, active forensics) to address the challenges of zero-day and&#8230;<p class="more-link-p"><a class="more-link" href="http://spiresecurity.com/?p=1364">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>&#8220;Drinking from the Advanced Malware Protection (AMP) Firehose&#8221; is a workshop for information security architects, managers and tech-savvy executives to evaluate the ability of newer and evolving AMP solutions (whitelists, sandboxes, active forensics) to address the challenges of zero-day and Advanced Persistent Threats. Participants will create their custom risk profile and essential features scorecard based on a defined structure in collaboration with the group.</p>
<p>Key Benefits:</p>
<ul>
<li>Create and use an economic/risk model to justify your need for Advanced Malware Protection (AMP).</li>
<li>Cut through the confusion of biased vendor presentations to identify the functional benefits of AMP solutions.</li>
<li>Evaluate vendors based on an objective model (i.e., your needs) customized to match your requirements.</li>
<li>Benefit from collaboration and feedback of your peers who face the same challenges at their organizations.</li>
</ul>
<p>With an economic model in hand, participants will hear from up to 10 vendors (maximum 10 minutes each) as they provide details on how their AMP solutions address current needs and conform with the requirements in the scorecards. After vendors are excused, participants will discuss and debate capabilities and ultimately assign their own scores. The process is akin to speed-dating, but with group feedback (and no alcohol).</p>
<p>Each participant takes away the proceedings, along with their economic model (a quantitative risk assessment) and vendor scorecard, which includes their unique values and scores as well as the group summary scores.</p>
]]></content:encoded>
			<wfw:commentRss>http://spiresecurity.com/?feed=rss2&#038;p=1364</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
