Traditional markets for dedicated endpoint security products have been eclipsed by endpoint protection platforms. The Evolution of Endpoint Security featuring the Buyers Guide to Endpoint Protection Platforms explores how the traditional methods for endpoint security should evolve. In it, you'll learn how the lack of data protection can affect your bottom line and gain insight into the true costs involved in migrating and managing an endpoint security product. Finally, learn how Sophos's acquisition of Utimaco affects the security and data protection market.

1. Featuring:
A Buyer’s Guide to Endpoint Protection Platforms
In This Issue: The evolution of endpoint security
Examine the formula
Welcome to this complimentary copy of Gartner’s Buyers
that fuels success in the
Guide to Endpoint Protection Platforms. This newsletter
competitive security and data
explores how the traditional methods for endpoint
protection market. . . . . . . . 2
security should evolve. You’ll learn how Sophos’s recent integration of Utimaco affects the highly
Explore life without competitive security and data protection market. You’ll find out how the lack of data protection
comprehensive can affect your bottom line, and lastly, gain insight into the true costs involved in migrating and
data protection . . . . . . . . . . 3 managing an endpoint security product.
Understand the Traditional markets for dedicated endpoint security products — particularly anti-virus tools and
total cost of ownership for personal firewalls — have been, according the report, eclipsed by endpoint protection platforms.
endpoint security solutions: Sophos now offers a unique solution, Sophos Endpoint Security and Data Protection, which
A TCO white paper . . . . . . 4 provides simplified cross-platform security, centralized management, full-disk encryption and
control of devices, applications and network access.
From the Gartner Files
A Buyer’s Guide
to Endpoint We invite you to learn more about simply securing your business at every level, and how to reduce
Protection Platforms . . . 10 the risks associated with non-compliant, unmanaged and unauthorized computers.
Visit www.sophos.com for more information.
Featuring research from

2. 2
Examine the formula that fuels success in the
competitive security and data protection market
Sophos CEO in the spotlight with SearchSecurity.com
Sophos CEO Steve Munford recently sat With the increase external and internal
down with SearchSecurity.com’s Senior threats, limited IT staff, tighter budgets, Sophos offers proven proactive
Technology Editor, Neil Roiter to discuss and mounting industry and government Genotype protection backed by
the formula behind Sophos’s success compliance and regulatory mandates, it’s SophosLabs™ expertise and our
in the competitive security and data clear that businesses today are facing HIPs technology. Here’s a snapshot of
protection market, and what the future more security challenges than ever before. what they have discovered in the past
holds for the company. six months:
However with the latest encryption
In this interview, Munford explained how offerings post Utimaco acquisition, Sophos • 23,500 new infected webpages are
Sophos is aggressively taking market share customers can further achieve regulatory discovered every day. That’s one
away from Symantec and McAfee, and and compliance mandates while getting every 3.6 seconds, four times worse
examined how — even in the economic more value for their budget. than the same period in 2007.
downturn — Sophos continues to experience • 40,000 new suspicious files are
year-over-year growth and its channel Listen to the Newsmaker every day.
podcast with Sophos • 15 new bogus anti-virus vendor web-
partners are achieving double-digit growth.
CEO Steve Munford.
sites are discovered every day. This
number has tripled, up from an average
of five detected per day, during 2008.
• 89.7% of all business email is spam.
• Approximately 6,500 new spam-related
websites are discovered every day —
accounting for one new website every
13 seconds, 24 hours a day. This fig-
ure is almost double the same period
in 2008.
Source: Sophos mid-year threat report

3. 3
Explore life without comprehensive data protection
Hear from those that have
Sophos Endpoint Security and Data 109,000 pension holders at risk. The gotten more with Sophos
Protection defends against data loss laptop contained names, addresses,
“Selecting Sophos Endpoint Security
through full disk encryption and information dates of birth, National Insurance num- & Control just made sense as we were
security encryption for removable storage bers, employer names, salary details able to meet all of our needs and top
devices and portable media. Learn why and bank account information. security solution. Prior to Sophos, we
were using a separate anti-adware
this is important, how data loss can affect • June 530,000 Virginia patients were solution along with a security solution
your bottom line — and more importantly individually notified that their Social to stop viruses and spyware. This
approach worked, but by consolidating
— what businesses can do to stop it: Security Numbers had potentially been
into one solution, we improved the
Data leakage remains a top concern in exposed after a hacker gained access efficiency of the workstation and
to the Virginia Prescription Monitoring manageability for the administrators,
2009, with scandals continuing to dominate therefore lowering our TCO.”
the headlines. Many corporations and Program 14. – Pramesh Naik, enterprise support
• June Authorities arrested a former manager at Kilpatrick Stockton
government institutions have failed to
protect their confidential information — Goldman Sachs employee who upload-
“From the Sophos console, you
including the identities of their workforce, ed the company’s secret source code to manage every aspect of security as
an FTP server based in Germany. well as endpoint control. Any malware
customers and general public.
detected shows an alert so you know
It is not only the threat of negative publicity Encryption which computer needs attention and
The most important step in stopping data what to do. In many cases, you can
that is driving interest in data protection, but
do it from within the console, and
also concern that the organization is failing to leakage is to encrypt sensitive information, if not, you know immediately which
comply with regulatory security standards. laptops and removable storage devices. machine to go to. During normal
operation, the Anti-virus and Anti-
If data is encrypted with a password, it
A variety of techniques are being used by spyware is updated hourly — that’s
cannot be deciphered or used unless right, hourly. In the event of an
corporations around the world to prevent
the password is known. This means that outbreak somewhere in the world, it
data loss in a mobile connected world. These will update even more often.”
even if all other security measures fail – Dave Coe, Independent Security
include anti-virus software, encryption and
to prevent a hacker from accessing your Specialist, Longmont Toyota
firewalls, access control, written policies and
most sensitive data, he or she will not be
improved employee training. “The Sophos endpoint solution
able to read it and so compromise the
simplified management for Ferrellgas,
Nevertheless, users are routinely using confidentiality of your information. enabling threats to be monitored at
and sharing data without giving enough the desktop level. Technicians can
The second step is controlling how users automatically deploy and manage the
thought to confidentiality and regulatory
treat information. You want to stop any assessment, control and protection
requirements. This has led to numerous from one console. This has enabled
risky behavior, such as transferring
incidents of data loss in the first six us to be proactive in confronting
unencrypted information onto USB sticks issues, which in turn has increased
months of 2009 — some accidental, some
and via email. Organizations should extend end-user confidence in our abilities.”
malicious: – Greenwood Leflore Hospital
their anti-malware infrastructure in order to:
• May Hackers broke into a Virginia gov-
• Protect data in motion and data in use “Sophos has an intimate
ernment website, stealing the details of
• Guarantee efficient operations understanding of the complexity of the
almost 8.3 million patients, and threaten- university environment and the need
• Ensure that they meet regulatory
ing to auction them to the highest bidder. to manage multiple threats through an
requirements integrated solution, while allowing a
• May The theft of a single laptop in
high degree of user control.”
the UK put the personal identities of Source: Sophos mid-year threat report – University of British Columbia

4. 4
Understand the total cost of ownership
for endpoint security solutions
A TCO white paper
Executive summary before switching to Sophos Endpoint The results show that the value of
Organizations considering moving to an Security and Control. Real data from switching to and managing endpoint
endpoint security solution often assume customers’ experiences was collected to security with Sophos is immediate and
that the costs of switching from their compare the true and complete costs of significant. The overall TCO costs of
current anti-virus vendor will be greater switching to and managing with Sophos switching to Sophos are actually less
than upgrading with that vendor. To shed versus upgrading and managing with the than upgrading with the existing vendor.
some light on this issue, Sophos, a leading current vendor. Moreover, there are no net new cost
endpoint security vendor, commissioned areas in switching to Sophos that would
Companies interviewed in depth, and
an independent research study to uncover not be still be incurred in upgrading with
whose costs were analyzed, included:
and quantify all of the cost areas involved the existing vendor. A sample company
• Amica Mutual Life Insurance
in migrating (upgrading or replacing) to an with 3,400 users can save $110,000 in
• Lincoln Public Schools
endpoint security product and managing Year one and a total of $504,000 over
• AW Chesterton
the solution to gain a total cost of five years by switching to Sophos. The
• British Services Company
ownership (TCO) comparison between the chart below shows the present value of
• Central Ohio Primary Care Physicians
leaders in the field. the total costs for Symantec and McAfee
• US Healthcare Provider
(collectively referred to as the installed
The nine companies interviewed for • CGH Medical Center
endpoint protection vendors in this study)
this study had previously been running • German Company
and Sophos over five years.
Symantec’s or McAfee’s anti-virus product • Escambia County School District

5. 5
Key sources of cost Cost Example
The cost savings of switching to the COST AREA SPECIFIC COSTS
Sophos Endpoint Security and Control Upgrade or replace • Licensing
solution rather than upgrading with an • Additional Hardware and Software
installed endpoint protection vendor • Upgrade or replacement effort
(specifically Symantec Endpoint Protection
and McAfee Total Protection for Enterprise) Manage / Ongoing operations • Infrastructure management
are clear and compelling. Based on • Help desk team
interviews with technical decision-makers • Escalation team
and influencers at a number of corporate • End user productivity
and public sector organizations in the US
and Europe, the cost savings fall into two
These costs will be fully explained and In addition, the sample company required
main categories:
supported in the next section. an extra physical server for both scenarios
• Upgrade or replace (Year 1 costs) (upgrading with the current vendor and
The following TCO example illustrates
• Manage/ Ongoing operations (Annual switching to Sophos). No other extra
the potential cost savings of switching to
costs) hardware (physical or virtual servers) or
Sophos Endpoint Security and Control for
These two cost areas can be further software (server licenses) was needed for
a sample corporation with 3,400 users and
broken down into a set of specific costs. migration.
the expected operational statistics post
upgrade for one of the installed endpoint
Cost source 1: Upgrade or
protection vendors:
replace
TCO Example 1. Licensing (software and technical
Cost Element Sample Company support). Interviewees consistently
Time to manage endpoint security 20 hours per week cited licensing costs as the key rea-
son why they switched to Sophos
Help Desk calls related to endpoint security 75 calls per month
Endpoint Security and Control rather
(Tier 1 issues)
than upgrading to Symantec Endpoint
# of endpoint security detections (spyware, 20 detections per week
Protection or McAfee Total Protection
adware, viruses, etc.) prior to execution
for Enterprise. However, licensing typi-
Time to remediate Tier 2 issues 3 hours per week cally only represents 20% of the TCO
Time to remediate Tier 3 issues 10 hours per week
# of annual service interruptions due to 1 interruption per year “McAfee proved to be
endpoint security issues more expensive from
# of users affected per interruption 10 users the point of view that it
Hours of downtime per interruption 6 hours charged for every module.
Lost productivity due to downtime and 15 minutes per user per week When we reviewed Sophos
bandwidth reduction it was all part of one
purchase and the price
Tier 1 issues have arisen before and the solutions have been documented for the help desk team
to follow. was less than for McAfee.”
Tier 2 issues are common threats that can be handled by internal technical staff. – Technical Services Manager,
Tier 3 issues are new threats that require vendor support to remediate. British Services Company

6. 6
(the labor costs were 3X to 4X more rely solely on their infrastructure manag-
significant). The Sophos license price “Sophos was the only er to do this work while others purchase
was lower even for customers who professional services contracts with the
solution that didn’t care
were comparing it against the upgrade vendor to alleviate the workload on the
if clients are Macs
price for their current vendor (no new infrastructure manager. Interviewees
licenses). Customers also mentioned or PCs — it was the only described upgrading to an endpoint
that the pricing was more straightfor- cross platform solution security product with Symantec as a
ward with Sophos because it included at the time.” daunting task. This was primarily due
all six endpoint security components – Director of Technology, to the difficulty in removing all of the
(anti-malware, HIPS, application control, Lincoln Public Schools old versions of the product, which is
device control, client firewall and basic required before installing an endpoint
network access control) in one price security solution.
management console centrally deploys
whereas the installed endpoint protec- Customers found replacement easier than
and manages endpoint security for
tion vendors charged separately for sev- upgrading because of the effectiveness of
Windows, Mac and Linux whereas the
eral of these security components. Sophos’ client removal tool and the ability
installed endpoint protection vendors
For the sample corporation with 3,400 to deploy the solution automatically from
either require multiple consoles or do
users, a three-year deal with Sophos a single console. Companies interviewed
not support these platforms. The com-
cost $117,300, 10% less than the cost estimated that it would take 1 hour to
panies interviewed for this study did
of upgrading with the current vendor. upgrade 10 endpoints with Symantec and
not meet these criteria so the additional
McAfee. For medium to large enterprises
Impact for sample company: hardware and software costs were not
with 2,000 to 20,000 users that adds
$12,648 Year 1 cost savings significant whether upgrading with the
200 to 2,000 hours to the Infrastructure
Standard technical support is included current vendor or switching to Sophos.
Manager’s workload. On the Sophos side,
in the license price and there is an addi- To calculate these costs in the model
the replacement process takes 35 hours
tional charge for a higher level of sup- the following industry averages were
regardless of the number of users.
port for both Sophos and the installed used: $8,000 for a physical server,
endpoint protection vendors. The com- $2,000 for a virtual server and $1,000 The infrastructure manager at the sample
panies included in this study did not for a server license. company spent 35 hours to migrate the
evaluate the higher levels of support so The additional hardware and software company’s 3,400 users to Sophos. This
this cost was not a factor in the TCO. cost was the same for the two options same effort would have required 340 hours
2. Additional hardware and software. (upgrading or replacing) for the sample with Symantec or McAfee. With an annual
For the companies interviewed the cost company. In both cases one additional salary of $80,000 this totaled $1,400 for
of additional hardware and software to virtual server was required at a cost of
migrate to an endpoint security prod- $8,000.
uct was not significant. These costs
Impact for sample company:
“Sophos has saved me
include: console, messaging and updat- a lot of time with their
ing servers as well as server licenses. Year 1 cost is the same for the two options
administration tools. The
The cost of additional hardware and 3. Upgrade or replacement effort (inter- deployment is easier and
software can be significant for organiza- nal and external professional ser-
tions that need to manage platforms I’ve been impressed with
vices). Migrating to an endpoint security
other than Windows (educational institu- solution involves planning, building the
the client removal tool, it
tions) or multiple platforms as well as infrastructure, deploying the new prod- removes Symantec well.”
large numbers of remote users. uct and post-deployment cleanup of any – IT Manager,
With Sophos a single, automated CGH Medical Center
remaining detections. Some companies

7. 7
Sophos, 90% less than the cost would cost was $6,683, which was 66% less
have been to upgrade with the existing “The Sophos console than the cost for the former vendor.
vendor. provides a snapshot Impact for sample company:
This cost savings enabled the sample of what’s going on at $13,567 annual cost savings
company to purchase onsite professional a glance. Symantec is 3. Escalation team. The companies
services from Sophos to assist the definitely not easy to use. included in this study admitted they
infrastructure manager in this effort and had a false sense of security with the
We need to see at a
still resulted in a lower cost than if the installed endpoint protection vendors.
glance if there’s
company upgraded with its current vendor The first evidence of this was when
(with no professional services included). something wrong.” Sophos detected issues during the
— Technical & Operations
Impact on sample company: replacement process that the former
Security Administrator,
US Healthcare Provider vendor missed. A key reason for switch-
$1,600 Year 1 cost savings
ing to Sophos was better protection
Cost Source 2: Manage/ ongoing per year for Sophos, resulting in a 75% and companies have experienced a
operations cost savings. 50% increase in the number of detec-
1. Infrastructure management. The key Impact for sample company: tions prior to execution with Sophos.
tasks that fall under managing endpoint Sophos detects viruses, spyware and
$30,000 annual cost savings
security are: adding new users, manag- adware, suspicious behavior and files,
2. Help desk team. The help desk team
ing policies, managing updates, manag- removable storage devices and unau-
is responsible for fielding user calls,
ing upgrades, troubleshooting, reporting, thorized applications. Sophos definition
collecting user data and remediating
managing multiple platforms and man- file updates are small and are released
issues. They deal with Tier 1 issues that
aging remote users. Companies inter- as frequently as every five minutes for
have arisen before and the solutions
viewed for this study universally agreed fast protection with low impact on net-
have been documented for the help
that it is easier to do these tasks from work resources. Additionally, Sophos’s
desk team to follow. Interviewees have
the Sophos management console than HIPS prevention provides detection
experienced a much smaller volume
from Symantec or McAfee’s console. that automatically guards against new
of help desk calls related to endpoint
The single Sophos console centralizes and emerging threats. In a 2007 study
security issues with Sophos compared
and automates the key tasks involved conducted by Cascadia Labs, Sophos
to Symantec and McAfee. With Sophos
in managing endpoint security and the detected 86% of newer threats com-
the infrastructure manager has greater
dashboard provides instant visibility of pared to 43% for McAfee and 51% for
central control and visibility into the
the protection status for all Windows, Symantec. The Escalation Team deals
protection status of all users therefore
Mac and Linux users so that it’s easy with Tier 2 and Tier 3 issues. Tier 2
potential security flaws, like out-of-date
to identify machines that require atten- issues are ones that internal technical
anti-virus protection or a disabled fire-
tion. If the infrastructure manager needs
wall, are addressed before they impact
vendor support, Sophos offers unlimited
access to in-house support experts
the user. “The high volume of calls
The sample company’s help desk
24x7x365. to our IT Department with
team was used to getting 75 endpoint
The infrastructure manager at the McAfee was one of the key
security calls per month with one of
sample company spent 5 hours per
the installed endpoint protection ven- reasons why we switched
week managing endpoint security with
dors. With Sophos that number has to Sophos.”
Sophos. In comparison this would
decreased to 25 calls per month. The – Head of Global System
require 20 hours per week with either
& Security Solutions,
average Tier 1 call takes 45 minutes to
Symantec or McAfee. With an annual German Company
resolve and at $25 per hour the Sophos
salary of $80,000 this totaled $10,000

8. 8
experts can remediate on their own is smaller with Sophos than McAfee or
while Tier 3 issues require vendor sup- “The time I spent Symantec. As companies begin to track
port to resolve. The breakdown of Tier resolving spyware and this metric the magnitude of the cost
2 and Tier 3 issues is typically 75% savings will likely grow.
adware issues with
and 25% respectively, according the to With 3,400 users and an average salary
interviewees.
Symantec will be cut in
of $50,000 the sample company saved
Not only does Sophos detect more half or more with Sophos.”
$1,500 a year since it did not experience
issues before they execute but it also – IT Manager, CGH Medical Center
any service interruptions with Sophos
requires less effort to handle them. (compared to one annual interruption that
The visibility provided by the Sophos Sophos, 24% less than the cost for the affected 10 users for 6 hours with the
management console enables the installed endpoint protection vendor. former vendor).
escalation team to easily find machines Impact for sample company:
The company’s 3,400 users also regained
that need attention and in many cases $39,725 annual cost savings
5 minutes per week in lost productivity
issues can be resolved remotely from
For companies that are not large enough with Sophos. The cost was $10,625 with
the console. For Tier 3 issues, such as
to have an escalation team this work is Sophos and 50% less than the cost with
new threats that require a new definition
handled by the infrastructure manager. the installed endpoint protection vendor.
file, Sophos’ in-house technical experts
are available 24x7x365 and the intervie- 4. End user productivity. While end user Impact for sample company:
wees have seen a 50% improvement in productivity has not historically been $12,125 annual cost saving
response time with new definition files measured, the companies interviewed
with Sophos compared to Symantec have seen an improvement with Sophos
and McAfee. in two areas: i) downtime due to infec-
tions and version upgrades, and ii) the
“Right out of the gate
bandwidth reduction due to definition Sophos was finding more
file updates and the memory required vulnerabilities. There
“With Sophos we’re
to run the endpoint security solution. is the potential for less
being proactive rather With the installed endpoint protection
downtime at the individual
than reactive. We’re trying vendors companies typically experience
desk. Sophos is finding
to avoid infections so we one service interruption per year, which
affects 10 users for about 6 hours on more things up front so
don’t have to spend time
average. Companies did not have a there is less potential for
cleaning them up.”
– Network Administrator Manager,
single downtime event with Sophos due issues at the endpoint.”
AW Chesterton to its ability to catch more threats, espe- – Network Operations
cially new and emerging threats with its Section Manager,
Amica Mutual Life Insurance
HIPS technology.
The number of endpoint security detec- Sophos definition file updates are small
tions pre execution increased 50% to (2K-70K) and frequent (every 5 minutes)
“Sophos’s memory
30 per week when the sample com- so they provide more protection with less
footprint and program
pany switched to Sophos. Conversely, impact on the end user. McAfee and
Symantec updates are sent out once a day footprint are much smaller
the time to resolve these detections
decreased by 50% to 1.5 hours (Tier 2) so they are larger and expose the network than Symantec’s.”
and 5 hours (Tier 3) with Sophos. With to more potential threats. In addition to – Network Administrator,
the impact of the updates, the memory Central Ohio Primary Care
an annual salary of $60,000 the total
Physicians
escalation team cost was $129,675 with footprint when the program is running

9. 9
Overall costs was $1.3 million. In comparison, the provided by the companies interviewed.
For the sample company, the present total cost of switching to and managing In total there is a $504,000 cost savings
value of the total costs of upgrading to Sophos Endpoint Security and Control in switching to and managing Sophos
the endpoint security product for the over five years was $880,000. The costs Endpoint Security and Control.
installed endpoint protection vendors and were calculated based on licensing,
managing the solution over five years infrastructure and operational data
Source: Sophos
The chart below shows the extent to which years. The labor and licensing costs were of the TCO at 3x to 5x the licensing fee
each of the cost categories contributes to the major costs and the Sophos costs are for Sophos and the installed endpoint
the total costs for Sophos and the installed 2/3 of the costs for Symantec and McAfee. protection vendors respectively.
endpoint protection vendors over five The labor costs represent the lion’s share
Source: Sophos

10. 10
From the Gartner Files
A Buyer’s Guide to Endpoint Protection Platforms
The traditional “point” markets for • If you haven’t already instituted a full- protection technologies, such as DLP and
antivirus (AV) tools and personal disk encryption program for mobile full-disk encryption. The demand for holistic
firewalls have been eclipsed by broader clients, then do so immediately for NAC solutions and the management
suites of related security technologies, notebook computers carrying sensitive requirements of large enterprises are also
which Gartner has identified as data. Consider encryption from your forcing EPP suite vendors to replicate
endpoint protection platforms incumbent end-node protection vendor, some PC operations infrastructure, such
(EPPs). The choice of an EPP will because common management, estab- as security configuration management,
depend heavily on enterprise-specific lished client-side presence and suite patching and software management. By
requirements, so chief information pricing may make this option attractive. combining multiple technologies into a
security officers (CISOs) and other • Consider the need for data loss preven- single management framework, EPPs offer
security professionals evaluating EPP tion (DLP) capabilities in endpoint pro- the promise of increased security while
offerings should use Gartner’s guidance tection. The ability to simplify client-side simultaneously lowering complexity, cost
to identify their most-likely current and agents with a common management and administrative overhead.
future needs, and select the EPP that framework is an advantage, but this
1.0 Basic EPP Component
will most-effectively address them. consideration will often be outweighed
Features and Functionality
by broader enterprise DLP require-
Key Findings The basic components of an EPP are
ments.
• The market for EPP suites is marked by an anti-malware signature database
• Resist vendor “packaging” that includes
a broad range of solutions, with signifi- (containing information on malicious code,
gateway protection with endpoint pro-
cant differentiation among vendors and such as viruses, trojans and spyware),
tection. Focus on the client and server
their offerings. an HIPS and a personal firewall, linked
as one domain, and gateways as a
• No single vendor leads in all functional by a common management and reporting
separate domain. Resource-constrained
areas, so buyers need to prioritize their console. An EPP may also include full-disk
small and midsize businesses (SMBs)
requirements to address the needs of encryption and DLP tools. Increasingly,
may want to consider the advantages
their specific business, technical and EPP management capabilities will
of centralized management of both
regulatory environments. emulate and integrate with operational
domains, but they must also place high-
tools to provide security configuration
Recommendations er priority on the unique requirements of
management, vulnerability assessment,
• Make plans to phase out point products each domain.
application control and remediation tools
for AV and anti-spyware tools, host-
ANALYSIS for resilient infections. As data security
based intrusion prevention systems
The traditional markets for dedicated and reimaging remediation become more
(HIPSs) and personal firewalls, and
endpoint security products — particularly pervasive, EPP suites will begin offering
replace them with an EPP suite as sup-
AV tools and personal firewalls — have managed backup services and tools.
port contracts expire.
been eclipsed by broader suites of related
• Demand that your current AV technol-
security technologies, which Gartner 2.0 Advanced EPP Component
ogy vendor identify the HIPS techniques
has designated as “endpoint protection Features and Functionality
included in its base AV client and detail CISOs and other enterprise security
platforms.” An EPP suite typically includes
its road map. Deploy full-blown HIPS decision makers should consider advanced
AV and anti-spyware tools, a personal
capabilities for systems with high secu- component features, which are becoming
firewall, and may also offer network
rity requirements, but prepare for some available, when designing RFPs or
access control (NAC) capabilities and data
increases in administration requirements.

11. 11
scorecards to differentiate products boards to configurations of different tor or help desk view), preferably with
under evaluation. No EPP will have all elements. This is especially important users’ ability to adjust their default
these features, and buyers must focus because suite vendors often grow by views.
on the specific features they consider acquisition, and, as a result, the degree • A customizable “toolbox” element that
most important for their enterprises. of management and reporting integra- allows the consolidation of common
The following list isn’t intended to be tion into a common, centralized man- tasks into a single user-defined menu is
comprehensive, but rather representative of agement console may vary. useful.
advanced functions that may compose part • Granular role-based administration • “Globalization” capabilities — including
of a more-appropriate EPP solution. should ideally include predefined roles global support, centralized management
as well as the ability to customize and and reporting, and necessary language
2.1 Manageability and Scalability support for the management interface
add/remove options.
Capabilities and the end-user interface — are impor-
• The EPP should offer the capability to
Reduced administration is one of the most- tant for enterprises with operations
create different management GUI work
critical concerns of EPP administrators, across multiple regions.
space views (for example, administra-
and improved manageability and greater
scalability will help reduce it and the
associated overhead. A well-designed,
task-oriented graphical user interface Note 1
(GUI) and a comprehensive management Examples of Common Tasks
interface will deliver lower total cost of • Review the home page dashboard and pay particular attention to the placement of
ownership (TCO). Gartner recommends indicators that illustrate negative changes in the security posture of endpoints. Look
for direct links to more information, recommendations and action steps to resolve
that when security professionals evaluate
events.
EPPs, they should develop a list of the • Tour the report center, create a custom report, and schedule it for delivery to an
top 10 to 20 most-common or most-critical e-mailbox or Web server/portal.
• Show alert configuration capability and integrate an alert with an external subscriber
endpoint security tasks (see Note 1), and identity module.
use this list as a guideline for comparison • Show real-time data that lists clients on a network that doesn’t have an EPP agent
installed.
testing and demonstration of solutions.
• Create or edit the policy elements that can be delegated (or restricted) to end users.
The necessary management capabilities • Create or edit the policy for client update distribution.
will depend heavily on enterprise-specific • Create or edit the policy to automatically push the EPP client to an endpoint that
doesn’t have it installed.
needs and available technical skills. • Configure scheduled scans for endpoints. Focus on the ability to limit CPU use, and
The following representative list details delegate the ability for end users to delay scan execution.
advanced EPP management capabilities as • Create or edit the port (that is, USB, CD or infrared) control configuration, and pay
particular attention to the granularity of the restrictions, the linkage to file types, and
well as the factors influencing them. encryption, if any.
• Create or edit a VPN policy (that is, deny split tunneling) for a specific Active
2.1.1 Management GUI Directory group.
• Create or edit a location-based policy, and pay attention to the level of automation in
• A task-oriented (not feature-based) man-
selecting when a policy should be invoked.
agement GUI can simplify management • Create or edit a Wi-Fi-specific policy.
by hiding unnecessary complexity from • Create or edit a whitelisting and/or lockdown configuration for a certain group of PCs.
Add a new executable program to the whitelist. Autogenerate a whitelist from the
less-sophisticated users, but enable
installed applications on a PC. Authorize a software distribution method and directory
more-technically skilled users to drill as a whitelisted source of applications.
down to granular details (see Note 2). • Show a single-page summary of client configuration information and print it for
review.
• Management pages should ideally have • Review the HIPS policy configuration and step through the false-positive handling
a consistent look and feel, as well as process, including deactivating a specific HIPS rule for a specific application.
• Edit role-based administration and hierarchical administration to add a new role.
the ability to switch over from dash-

12. 12
endpoints may be useful, particularly for • The management system should be
Note 2
SMBs. able to automatically detect new or
Task-Based System • The ratio of management servers to rogue endpoints that don’t have an EPP
A task-based system can be evaluated clients is an important consideration client installed. This is a function that
by creating a list of common tasks and for large enterprises, and one that will may be integrated into the enterprise’s
comparing the number of steps required to impact the TCO. For smaller business- NAC system, but shouldn’t be depen-
complete each task. es, the management server should work dent on NAC, and should be able to
on a shared server. detect clients that have already joined
the domain.
• EPP vendors are gradually adding PC 2.1.3 Reporting and Dashboards
life cycle tools (such as asset discovery, • Buyers should look for a real-time home 2.1.4 Policy Management
configuration management, vulnerability page dashboard that enables rapid • A “wizard type” installation mecha-
assessment and software management) troubleshooting of security events or nism with optimal default settings for
as a way to inoculate PCs against server issues — ideally with actionable different-size environments can reduce
unknown threats that target known dashboard elements that make it pos- deployment complexity.
vulnerabilities. Buyers should evaluate sible to click on an event or graph and • A single-page policy with intelligent
their needs with regard to the integra- initiate steps that enable better under- drop-down “pick lists” and fields that
tion of these tools and consider the standing of the issues involved and the change based on previous optional
strategic direction of prospective EPP steps required for alert resolution. selections (without multiple pop-up win-
vendors. • Threshold alerting capabilities may use dows or the need to visit several tabs
delivery mechanisms such as e-mail, to create a single policy) make policy
2.1.2 Scalability
Short Message Service (SMS) and development easier and more intuitive.
• Centralized management with automatic
Simple Network Management Protocol • There should be an option to view or
configuration and policy synchronization
(SNMP), with threshold alerts for dash- print a human-readable policy sum-
among management servers may be
board statistics and policy thresholds. mary that greatly simplifies auditing and
particularly useful in large deployments.
• The appropriate range of client informa- troubleshooting.
• Native management-server redun-
tion that can be collected and reported • A complete audit log of policy changes
dancy — for example, using load bal-
to the management server is grow- is essential, especially for organiza-
ancing active/active clustering within
ing in importance as a differentiator. tions that take advantage of extensive
and across LANs, or automatic active/
Most EPP suites collect information role-based administration and delegated
standby failover without a single point
only about the status of the EPP suite. end-user administration to ensure audit
of failure, such as a designated master/
However, as endpoint hygiene becomes compliance.
slave — can be a useful differentiator.
more critical, information about the • The ability to stage signatures or poli-
• EPPs should include multiple directory
status of patch levels, configurations, cies and to quickly roll back changes is
integration options — including Active
software inventories and vulnerabilities increasingly important because fewer
Directory and Lightweight Directory
is becoming more important. enterprises are testing signatures before
Access Protocol (LDAP) — as well
• The management server should be deploying them.
as the ability to integrate with multiple
capable of collecting client status infor- • The EPP suite policy must allow off-
directories and traverse directories to
mation in real time, rather than in sched- LAN clients to automatically update from
find user groups and authentication
uled delta updates. The ability to collect the EPP vendor’s primary database for
information.
information from mobile endpoints that signature and HIPS updates, when the
• A software-as-a-service- (SaaS-) based
aren’t connected to the network hosting enterprise server is unreachable or oth-
managed console that eliminates the
the management server can be a signifi- erwise unavailable.
need for a dedicated server to manage
cant competitive differentiator.

13. 13
• A configuration backup utility and con- should seek clarity on what’s actually Retrospective testing (that is, testing old
figuration preservation between version supported and what back-end process- signature databases against new vari-
upgrades can save administration time es have been changed. It’s important ants of old malware) is the best way to
and resources. to ensure that the vendor’s support per- evaluate this capability.
sonnel are properly trained, that its labs • Ideally, EPP solutions should provide
2.1.5 Client Agents
are appropriately configured and that much-faster identification and rapid dis-
• The number of required clients and the
its software products are certified for tribution of signatures for new threats.
client disk and memory footprint are
virtualization. Most host-based software However, this is a difficult benchmark
good indicators of the level of integra-
provides no protection for the hypervi- to test. Some solutions will have slower
tion among EPP components and the
sor layer. signature distribution for a new threat,
efficiency of the client. Ideal solutions
because their generic signatures or
will provide a single consolidated agent 2.2 Malware Detection
HIPS rules are already effective in
with component parts that can be Capabilities
blocking that threat.
remotely enabled and disabled. The quality of the malware scan engine
• Signature databases should include all
• The ability to natively distribute the full — the “anchor” solution of an EPP suite
types of malware (including spyware,
client agent and remove competing — should be a major consideration in
adware, viruses, trojans, keystroke log-
products is a useful differentiator. Some any RFP. The following are some of the
gers, droppers, back doors and hacking
solutions simply provide a multisourcing advanced malware-oriented features of
tools) in a single database, with a single
service integrator (MSI) file (Windows EPPs that buyers should be looking for:
update mechanism and a single scan
Installer package) for use by other soft-
• Most enterprises’ IT security
engine agent.
ware distribution tools, while other solu-
organizations’ capability to accurately
• The capability to detect rootkits and
tions won’t remove other AV products,
test malware engines in real-world
other forms of low-level malware, once
which can create conflicts.
situations is limited, at best. Test
they’re resident in enterprise systems,
• The client interface should be adaptable
results from organizations such as
is a significant consideration. Some
to allow for a full range of delegated
AV-Comparatives.org and AV-Test.org
solutions’ functionality is limited to
end-user control. Advanced solutions
are useful guides of scanning accuracy
catching rootkits as they install, while
enable administrators to delegate or
(including false positives) and scanning
others have the ability to inspect raw
restrict any client option.
speeds. In the absence of other infor-
PC resources and compare them to
• Scheduled scans are one of the most-
mation, good test scores are better than
Windows file tables, seeking discrepan-
problematic aspects of signature-based
poor test scores, but buyers should be
cies that will indicate the presence of
anti-malware tools. Options that limit the
aware that these tests don’t accurately
rootkits.
client impact of scheduled scans are a
reflect how users encounter malware
• Malware engines should continuously
significant EPP differentiator. Advanced
in the real world. Moreover, they don’t
monitor system resources (for example,
features include the ability to delay
test all proactive techniques for blocking
host file, registry, Internet Explorer set-
scans based on battery life, running
malware, such as HIPS, vulnerability
tings and dynamic-link-library changes)
process or CPU usage. More rare is the
detection and configuration manage-
for changes that might indicate the pres-
ability to “wake and scan” PCs during
ment. Buyers should be very wary of
ence of suspicious code:
off-hours. Scheduled memory scans
vendor-sponsored tests and not put too
• Malware removal features and
should be independent of disk scans.
much weight on specific test results.
outbreak filters to stop propagation
• Specific features and licensing for virtu-
• Signatures should be as broad as pos-
are important differentiators among
alized environments, such as VMware,
sible so they can detect new variants
vendors and their offerings. These
Citrix and Hyper-V, remain rare, but are
of old threats without new signatures,
capabilities should be understood
increasing in importance. EPP buyers
and, thus, avoid causing false positives.
and tested, because modern mal-

14. 14
ware is significantly more complex and to configure protection to reflect the to “buy time” to propagate patches to all
than that of previous generations, enterprise’s overall tolerance for risk endpoints.
and often involves multiple compo- and administrative overhead. • The simulation of unknown code before
nents with sophisticated “keep alive” • Despite the need for fine-tuning capa- the code is executed to determine mali-
routines. bilities, the best solutions will provide cious intent, without requiring end-user
• EPP solutions should include client- preconfigured “out of the box” templates interaction with the unknown code (for
based URL filtering to block clients for common application and system example, using static analysis, simula-
from visiting Web sites that are known configurations, as well as a learning tion or reverse compilation techniques)
security risks, because malware is mode for enterprise environments and is another deterministic technique, but
increasingly shifting to Web distribution the ability to test policy in a log-only it can be highly resource-intensive and
methods. mode. should be used selectively.
• HIPS techniques have no standard • Buffer overflow memory protection is
2.3 Advanced HIPS Capabilities
terminology; therefore, it’s essential common, and should address heap-
AV/anti-spyware databases are 90% to
that buyers ask vendors to list and and-stack memory.
99% effective at detecting well-known,
describe the HIPS techniques in detail, • Application control capabilities (for
widely circulated threats, but only 20%
so that buyers can create a standard- example, application whitelisting, also
to 50% are effective at detecting new or
ized list of techniques and compare known as lockdown) are gaining signifi-
low-volume threats. Security effectiveness
their breadth and depth across vendors. cant interest as the volume of malware
is significantly enhanced by HIPS, but
Buyers should also understand which begins to surpass the volume of “good”
there’s no generally accepted method of
techniques are included in the base cli- corporate applications. There is signifi-
testing the HIPS effectiveness of different
ent, which are optional, and what other cant R&D in this area, and this capabil-
solutions.
charges, if any, are required for addi- ity will be an important differentiator in
EPP buyers should take the time to
tional protection styles. the future. Application control features
understand how many and which of the
• Some vendors offer only binary control that EPP buyers should investigate
nine HIPS protection styles are included in
over HIPS, which allows administra- include:
the base malware signature engine that’s
tors to turn them on or off. Enterprise • How applications are identified and
used to detect and block unknown threats
IT organizations are unlikely to concern prevented from executing (for exam-
(zero-day or targeted threats), and which
themselves with every setting in detail, ple, do they block the installation of
are additional HIPS capabilities that can
but it’s important to have granular con- applications or only the execution?)
often increase the administration burden
trol that makes it possible to turn off is an important differentiator.
due to management of false positives.
certain rules for specific applications to • The mechanisms available for cre-
For these reasons, Gartner recommends
accommodate false positives. ating a whitelist will be critical to
focusing on ease-of-management
• One very effective HIP technique is lower the administration overhead.
functions, which make HIPS adaptable
“vulnerability shielding” — the ability Administrators should, for example,
enough for the enterprise network:
to inspect and drop attacks based on be able to automatically autho-
• The HIPS solution must, as a core knowledge of the specific vulnerabili- rize applications that are properly
principle, enable the administrator to ties they exploit. This technique allows signed, or come from trusted loca-
choose and tune the styles of protection protection against attacks and against tions, processes or installers.
that are needed, based on the require- known vulnerabilities before the vendor • Solutions should ideally provide
ments and resources of the endpoint, releases a patch, and makes it possible signatures of known-good applica-

15. 15
tions as a service, similar to current based on connection type — different an encryption component of an EPP suite:
malware databases. network interface cards (NICs) or dif- • EPP solutions should provide the ability
• Application control should extend ferent networks — as well as the ability to create policies to control the broadest
to the execution of browser helper to dynamically apply policies based on range of devices and device formats —
objects/controls within the context of network location — for example, Wi-Fi for example, CD, DVD, USB, Bluetooth,
Internet Explorer and other browsers. policy, on-corporate-LAN policy and 3G and general packet radio services
public Internet policy.
2.4 Personal Firewall Capabilities — with policies defined, at minimum, by
• The integration of a client (IPsec) VPN device class.
Basic personal firewall functionality
is useful for enforcing remote access • The level of granularity that makes it
(inbound port defenses) are available in the
policies. Ideally, EPP solutions should possible to distinguish among device
Windows XP Professional, Windows 2003
allow unfettered Internet authentication, classes (for example, a mouse from a
and Windows Vista operating systems. The
and then enforce VPN startup to direct data storage device), and potentially
Vista firewall has bidirectional capabilities,
remote access traffic back to the LAN. to distinguish specific devices by serial
although outbound is turned off by default
• The ability to enforce a “one active NIC number or manufacturer, is a worth-
and activation requires significant setup.
at a time” policy to block network bridg- while differentiator.
The Windows firewall is adequate for most
ing is a useful feature, and options that • Policies will ideally be file-type-aware
desktop PCs that also have the benefits
allow the disabling of inactive NICs are so that they can allow or restrict access
of network firewalls and network-based
ideal. based on file type and action (for
intrusion prevention. However, notebook
• Application profiles that define normal example, allowing “read only” access
computers and PCs with higher security
application behavior, and can restrict or allowing only document file types),
requirements require more-comprehensive,
network access for applications that and so that they can restrict application
two-way protection that adapts to multiple
aren’t approved or are potentially com- execution (for example, blocking auto-
network contexts. Personal firewalls are
promised, are useful application control execute or all execution from a data
differentiated by the flexibility of their
features. drive).
policies (for example, an autosensing
• A firewall must have the ability to • EPP offerings, when combined with
location-based policy), the breadth of their
block malicious attacks and end users encryption solutions, often allow policies
application profile policies (for example,
attempting to disable the firewall. to force encryption — for example, with
the ability to prevent applications from
• Log data — especially related to secu- “allow write but encrypt” and “password-
exhibiting unusual network behaviors), the
rity incidents — should be extensive, protect files written to USB or CD stor-
virtual private network (VPN) integration
searchable and accessible via the report age” provisions.
and the range of ports (for example,
engine to enable forensic investigation. • To minimize help-desk interaction, it’s
Universal Serial Bus [USB], FireWire,
infrared, Wi-Fi and Bluetooth) they can 2.5 Port Control useful to enable remote workers to “self
protect: Enterprises are increasingly concerned authorize” device usage, and to allow
about USB ports as a channel for privileged end users to use devices, but
• The ability to manage the Windows fire-
accidental or malicious data loss, or as warning them that it’s against policy and
wall and a more-advanced personal fire-
an access point for malware, such as the that they should log their usage. At a
wall in the same management console
recent Conflicker worm. For this reason, minimum, EPP solutions should allow
is a distinct advantage, because some
granular port control is becoming a remote help desk activation of ports for
enterprises will adopt the Windows fire-
common feature of the personal firewall or users with administrator passwords.
wall for on-LAN PCs.
• Advanced solutions will also include
• EPP solutions should offer the abil-
ity to create different firewall policies

16. 16
options for protecting data by blocking information can be moved to the top of • EPP offerings should include the ability to
the “cut/copy/paste,” “print screen” and the page. Display options (for example, import or export data and alerts with secu-
“print” commands. pie charts, bar charts and tables) should rity information and event management
also be configurable so that information systems, or other reporting systems.
2.6 Reporting Capabilities
can be displayed in the format that spe- • The reporting engine should have the
Reporting capabilities are a significant
cific administrators need. capability to run on-box for smaller solu-
differentiator for EPP offerings, and
• Reports and dashboards should include tions, or move to a centralized reporting
can make a significant difference in the
trending information against customiz- server for consolidation and storage of
administration overhead that’s associated
able parameters. For example, it should multiple management servers’ log infor-
with them. Buyers should consider “point
be possible to create a dashboard view mation, without changing the look and
in time” reporting, as well as “real time”
or a report that shows percentage com- feel of the reports.
dashboard capabilities:
pliance against a specific configuration • The reporting engine should also have
• The dashboard should provide a real-
policy over time. the capability to create custom reports
time graphical and table-based view of
• Dashboards should be configurable for (in the HTML, XML comma-separated
system events, including system infor-
different roles so that each administra- value and PDF output types), save
mation, version information and action-
tor can create a role-specific view. them and schedule them for distribution
able alerts.
• Information should be aggregated, and via e-mail or FTP, or by moving them to
• EPP solutions will ideally provide holis-
should also allow single-management the network directory.
tic security information about the current
server, cluster, LAN, geographical • The database must enable rapid report
security status of endpoints, not simply
or global views in the same window, queries and the ability to preserve his-
the status of the EPP components. This
depending on administrator options and torical data for long-term storage in a
may, for example, include information
role limitations. standard format.
about vulnerabilities, compliance viola-
• Dashboard information should always • Reporting functionality should include
tions and unpatched machines, for man-
allow administrators to drill down to the active filtering to narrow the results in
aged and unmanaged machines on the
necessary level of detail with one click, longer reports so that specific events
network.
instead of forcing them to switch to the can be identified.
• Dashboards that offer Really Simple
reporting application, manually select • Reporting engines should facilitate the
Syndication (RSS) feeds with relevant
the appropriate report and re-create the creation of completely ad hoc reports,
external news — for example, concern-
parameters that include the condition similar to SQL queries, rather than just
ing global malware activities and vulner-
they want to investigate. modify the parameters of predeveloped
abilities — are desirable. External trend-
• Dashboards should also offer quick reports.
ing information allows administrators to
links to remediation actions (for exam- • Multiple chart types (such as pie charts
better understand internal activity levels
ple, clean quarantine, patching and soft- and bar charts) should be supported, as
and compare them to global events.
ware distribution), as well as quick links well as summary data.
• The dashboard should be administrator-
to malware encyclopedia information to • Summary reports should include active
configurable so that the most-relevant
resolve alerts. links that allow drill-down into detailed
reports, as well as back-navigation that
makes it easy to return to the top-level
view.