There has been some interesting response to the previous blog post entitled “Time to Put Your Antivirus Software on a Diet”. In the short time since the posting there has been some interesting news that intersects nicely with the conversation.
Microsoft announced (ZDNet article here) that it has finished the Release Candidate test build for its Forefront Protection software. Forefront is Microsoft’s endpoint protection offering for businesses of all sizes running Windows-based machines, but it is based on the same Microsoft Essentials AV engine that tested comparably in a recent group test report by NSS Labs on anti-malware products. Microsoft literature and third-party evaluations indicate that the Forefront offering will have the centralized command and control that an enterprise would require to administer the product across an organization.
Microsoft is also making waves (CNet article here) by adding a feature to their OS update service to offer home users the option of providing Microsoft Essentials to machines when the update service senses there is no AV software running on the machine. This is not an automatic download – the user must opt in. This change to the update process started on November 1 in the U.S. and is raising the ire of other AV vendors who focus on the home/consumer market. These vendors believe that MS is using the unfair competitive advantage of their OS update process to plant non-OS software on machines. The fact that MS Essentials is free and could significantly cut into the consumer revenue for these vendors may also be a factor.
While neither of these news items is earth shattering, I think they are indicators of a trend: AV software is on the track toward commoditization, and that track is gaining speed and momentum daily. You simply cannot ignore the evidence – I can assure you the adversary has not, and will gladly exploit those organizations that are slow to see the signals.
My point in the previous blog post was that organizations might want to take a fallback position on AV software and look for options that place less of a burden on the endpoint machines and less of a burden on the IT security budget. I made that recommendation based on two facts: 1) attacks get past AV at a steadily increasing rate; 2) the layers the AV companies have put on top of AV are not slowing down the decline, and they are costing your organization money and slowing down the machines. The new math of endpoint protection has to include both prevention (such as AV) and detection. Apply the money saved by putting your AV on a diet toward a solution that does not require signatures or any other form of prior knowledge. Your organization becomes better protected, the end user gets better performance, and you get both of these benefits for the same or less investment.
Now for the disclaimers. I am not an industry analyst and Triumfant is one of those no signatures, no prior knowledge type of alternatives, so the recommendation is definitely not from a neutral source as I would clearly like for Triumfant to be the alternative of choice. Triumfant did not perform the broad testing on the AV software, and I personally have not done testing of either MS Essentials or MS Forefront. Triumfant is not an MS partner and we have absolutely no vested interest in the adoption of their products.
These disclaimers may color my opinions, but they do not change the evidence around you. For example, the NSS study is one of many that show declining malware detection rates. At the very least, it is time to start the conversation, and coming into a new year’s budget cycle is a great time to start. Examine your protection strategy and get comfortable about adding detection capabilities. Evaluate the spend on prevention and determine if you are getting real value for that spend.
And please, don’t look toward the AV vendors for advice, as the results there will be highly predictable. The AV market has been a lucrative cash cow for some time, and it is not one they are looking to give up without a fight.