April 02, 2008
The Rapidly Changing World of Security: A Talk With Sophos
Listen to or download the 11:06 minute podcast below:
What follows is a transcript of my discussion with John Shaw, the Director of Endpoint Security and Control at Sophos. John drives the inception, development, and launch of new products at Sophos, and together we discuss the current vulnerabilities, what's wrong with most security products today, what John thinks about Microsoft Vista, his take on Bruce Schneier's comment that standalone security will one day cease to exist, and much, much more.
What security threats do companies need to be most concerned with today?
So there's obviously a whole range of threats out there. I think that whenever we talk to businesses and hear what they're most concerned about, the traditional issues of viruses, and worms, and so on are still very much front of mind. Increasingly, of course, there are issues such as data leakage, and more generally, just control over the kind of use that's being made of corporate assets and where data is going are clearly very hot topics as well.
When it comes to the nature of the threat, we're seeing sort of a couple of key changes going on. One is that the Web has a big part to play in a huge proportion of the threats we're seeing these days, in terms of spyware in particular, both in the way that people get infected and also in the way that information gets stolen back out of an organization.
And the other factor that we're really seeing is that because threats are being very commercially driven these days that they're much harder to detect, they're much more under the radar, they're much more targeted. And what this means is that the kind of traditional methods of using signature-based antivirus are no longer enough to protect against those kind of threats. It's no longer enough to wait until one company has been infected and produce a signature to protect everyone else.
What is Sophos doing exactly to address these threats?
So something we've been doing for the last couple of years now, around the nature of these sort of targeted, rapidly changing threats, is to do much more in terms of proactive protection. So we've moved beyond signature-based protection. Signature-based is still very much at the heart of what we do, but we've been doing much more in terms of behavioral-based detection so you're able to detect and stop new threats before they've been seen by anyone, before a signature has been produced, and we're stopping around 80% of the new pieces of adware, spyware, viruses and so on that we see coming out. Around 80% are being stopped by our proactive technology, if you like, today.
And then the recent announcement is really around us going even further than that. Where we see the biggest hole now in people's defenses is actually around being confident that that kind of proactive software, antivirus software, is actually running on each of your computers and that the computers are properly patched and so on. So these days what we're offering customers -- what we've just announced is the ability to do what we're calling "preventive protection".
So this is about, rather like preventive health, this is about making sure that computers on a company's network are properly protected, are running up-to-date software, are running the right patches, are running the right service packs and so on, so that when a threat targets them, a business can be confident that the computer's actually going to be protected.
Gotcha. Now, what do you think is wrong with most companies' security solutions today?
Well, I think that -- really, that last issue I was talking about is probably the biggest concern, you know. When we look at why it is that businesses continue to have an issue with being infected with malware, with having data stolen from their networks, it's often because it's very hard for an IT manager these days to be confident that the computers on the network are running the right software and are up-to-date; so that's about two things.
One, it's about that pesky problem of the end-user and the end-user changing stuff. So, you know, it's hard for an IT admin to keep control of the way that their computers are set up and configured, so end-users inevitably want to fiddle with things and change things. And the other challenge that's there is really around the management solution for security solutions and the visibility they provide. It's very hard actually to have a tool that is simple to use and simple to show you the state of protection on your computers; how compliant your computers are. So those are probably the big challenges that we see businesses facing today in terms of their current security solutions.
Now, I saw with your announcement -- tell me what exactly is the advantage of integrating NAC with Endpoint Security Protection?
So, yeah, as you say, what we've done is integrated NAC, or network access control type technologies. And the advantage of doing that is that, as well as now doing the job of protecting each computer, we're looking at the network as a whole and ensuring that every computer on the network is healthy and protected.
Now, why does it need to be done, you know, by the same solution? It really comes to a couple of things. One is the issue of agent pollution. What we find is that IT managers really don't want to keep on putting yet more and more bits of software onto their computers; it creates a headache in terms of management, and it slows computers down, and it can be very invasive. So agent pollution is one issue so they really don't want to go to yet another vendor and put yet another agent on every computer in order to ensure that computers are healthy.
And the other piece is around management. Again, as you know, particularly in the current economic climate, IT teams' budgets are not getting any bigger; they're probably being asked to do more stuff but with a budget that isn't rising. And there's such demand on IT managers' time that they really don't want to be learning new complex management tools. So the approach we've taken is to say it's a single deployment.
We don't ask you to do any sort of separate agent deployment onto the computer, it's part of the job of doing antivirus we're already doing, and we're letting you manage this stuff through the same management toolset that our customers are already using to manage antivirus and endpoint security.
A while ago, there was some disagreement between security companies over Microsoft Vista. What's your opinion on Vista today?
Well, you know, I view Vista as definitely an advance from Microsoft in terms of the security of the operating system, so it is a more secure operating system than Windows XP and that is absolutely a positive development. I think there has been some debate among some of our competitors around Microsoft shutting security vendors out of Vista in some way, because part of the locking down that Microsoft has done has made it hard for some security software to run.
We actually felt even at the time that actually Microsoft had done the right thing, that it was, you know, a better net benefit to the customer that the operating system is more secure and that it really was up to security vendors to make their software work in the right way. We've also seen from Microsoft with Vista Service Pack 1 some good developments in terms of opening up, in a properly secure way, more interfaces for third-party security vendors. So, basically, what we think is that Vista is, from a security perspective at least, much [0:06:51] the right things with Vista.
Gotcha. Now, security guru Bruce Schneier believes that at some point security will no longer be a separate solution but will be coupled with whatever application or service you're using. What's your take on that?
Well, again, I think, as always, the truth is always somewhere in between. It's certainly the case that there is a trend towards, for example, vendors such as Microsoft putting more emphasis on security and putting more security features into their products and that can only be a good thing. So, you know, taking Vista as an example, yes, Vista is more secure but is it the case that you no longer need to run security software on it? Of course not.
So there's still clearly a job to be done for a vendor that's coming in with expertise around the threat space, the kind of threats that are out there, to give you the extra sort of confidence that you're protected against malware, viruses, worms, Trojans, viruses etc. etc. etc. in case of airspace. And, I think, it's unlikely that in most cases customers are ever going to get to a point where they're going to rely purely on the original vendor for security and not look at any security solution on top of that; particularly when you look at that actively, you know, these days a security solution needs to look right across the network, not just at one particular vendor's piece.
So the reality is that very few of our customers are just running the latest Windows operating system, for example, they're running older Windows, they're running Macs, they're running UNIX, they're running Linux, they're running OpenVMS even. So there's a whole range of operating systems out there. So there's clearly a role to be played for someone who's looking at things from a security perspective and providing a complete security solution on top of the security that's in each product.
That makes a lot of sense to me, actually. So now, what do you see for the future of security, both in terms of threats and where the industry is going?
That's a great question. In terms of threats, unfortunately, we see that the number and type of threats out there is just continuing to expand. So the reality is these days that threats are largely very commercially motivated; there's money to be made out of stealing information, there's money to be made out of blasting information such as, you know, spam that's then got a kind of sale attached to it, so there's a lot of money to be made out of the kind of threats that are out there.
And where there's money to be made, there will be innovation. There will continue to be innovation. So as I mentioned at the beginning, the Web is playing a large part in threats these days. We're beginning to see things, for example, using things like USB keys; we're beginning to see occasionally things now targeting Macs, whereas originally it had been almost entirely targeted at Windows.
So as technology adapts, as new technologies come in, the malware authors will continue to find innovative ways of using those new technologies and they will continue to find ways of bypassing the defenses that are in place. So I'm afraid it's bad news from that point of view, I think. How does the industry need to handle that? Well, we think it's absolutely crucial that the vendors in this space take a holistic view of the threats rather than trying to pick, you know, viruses as an area of specialty or spam as an area of specialty.
So it's absolutely vital to look at the range of threats as a whole so that you're not blindsided as malware authors start to use new techniques. And I think the other piece is that really what we owe to our customers is to give them solutions that are simple and don't start reintroducing these problems of agent pollution. So we can't keep coming up with new point solutions and trying to extract more money out of customers for solving the new types of threats that come out there; that's not a reasonable thing to ask of IT managers.
So the industry needs to get its act together, and that's certainly what we're doing in terms of providing a simple-to-use solution that doesn't pollute computers with lots of different agents and that does provide complete protection against all the different kinds of unwanted stuff that's out there.