Security: A year of reassessment

Anti-virus nears breaking point, IPS tests limits, and the worm still turns

New products and press fascinations come and go (mobile worms, anyone?), but IT security managers will stick with what works -- until it doesn’t. A few years from now, we may look back on 2006 and 2007 as that kind of turning point, when enterprise IT security folks took a good hard look at some of the products that were mainstays of their defensive strategy and asked whether they were pulling their weight.

Anti-virus software is likely to get the most scrutiny. In addition to being haunted by Microsoft’s entry into the anti-virus software market, the likes of Symantec and McAfee face an even bigger challenge in the enterprise: namely, a sense among security experts and enterprise IT staff that anti-virus software, as we’ve known it, has lost its edge against sophisticated malware that exploits previously unknown (“zero day”) software vulnerabilities. Look for more CISOs to seek alternative forms of protection in 2007 -- such as the use of behavioral analysis to spot compromised machines -- to try to get in front of zero days and other threats.

IT developments in the government space don’t typically foretell those in the private sector. But the government’s push to implement Homeland Security Presidential Directive (HSPD) 12 could have a spillover effect in the enterprise space, according to security experts. That directive, which went into force in October, requires a single, secure form of identification for all federal workers that can be used for both physical and logical access. It also affects defense contractors that do business with the government, and those companies may find it more affordable to standardize on some form of HSPD 12-compliant ID than to try to create a special ID just for their government contracts.

Intrusion detection and prevention is another area where enterprise security folks will be pressed to make the numbers add up. After sinking millions into IDS and IPS deployments over the past few years, companies have found themselves wading through vast seas of events that, in some cases, actually obscured attacks. In the case of IPS, security managers found themselves wary of turning their new hardware into “block” mode for fear of slowing or disrupting legitimate network traffic. With the stakes of network intrusions and data loss higher than ever, look for enterprises to ask their IDS and IPS vendors to put up or shut up (literally) when it comes to spotting and blocking attacks.

On the threat landscape, anti-virus peddlers have been making much of the shift from worms and virus outbreaks to lower-profile attacks. But all that talk masks a sad truth: Worms and viruses never really went away; Nyxem and Warezov were two major worm outbreaks in 2006, amid a sea of smaller ones. In 2007, however, self-replicating code will be harder to ignore. Even if enterprises are well prepared, social networking Web sites such as MySpace and Facebook serve as great media for spreading malicious code, and application-based attacks like those that infected unpatched Symantec anti-virus installations and the Skype VoIP application can easily go unnoticed. After all, the underlying economics that gave birth to the mass-mailing worm and the Internet worm haven’t changed one iota: Compromised systems are valuable launching pads for botmasters and spammers, and worms continue to be a fast and effective way to build networks of compromised systems.

Finally, the past year has brought plenty of news on promising NAC (network access control) technology, but surprisingly little clarity. The picture got a bit clearer in June, when Cisco and Microsoft announced progress on integration between Cisco Network Admission Control and Microsoft’s Network Access Protection architecture, a key component of its coming Longhorn server. But Cisco’s insistence on major LAN or WAN infrastructure updates to realize the NAC features built into its routers and switches will be hard to swallow for many enterprises. Microsoft has been playing both sides of the field, as well, working with Cisco on NAC-NAP integration, while also saying it will support the open Trusted Network Connect architecture in Longhorn. The problem cries out for cooperation, but the indecision around NAC is likely to continue in 2007.