Re: End Point Security - relying on one vendor's product a weakness in itself?



When it comes to an Agent on the server or desktop, I would say better
1 agent that runs FW, HIPS, Buffer overflow protection, AV than 2
different agents that may or may not conflict with each other.

I agree though on diversity on the network IPS/IDS protection, maybe
one vendor is better than the other.

Saludos

Albert

On 5 Mar 2008 18:47:02 -0000, <krymson@xxxxxxxxx> wrote:
If you have 50,000 workstations all running Windows XP, for instance, you're already pretty homogeneous. One vuln in Windows and they're all vulnerable. :)


In that case, it might not add significant risk to go with one product to rule them all. You could try to say there is added security value in running multiple products at different levels (AV on the desktop and some other AV on the gateway), but I'm not sure there is really a good difference in most products. An IDS might be a better place to diversify, HIDS vs NIDS, plus different NIDS at different places in your network (DMZ<->internet and private<->DMZ, e.g.).


This really comes down to the total value this will give you, above and beyond just the security value. Will your staff save time learning multiple pieces of a similar look-and-feel product? Will you avoid possible incompatibilities between other products that result in lots of homegrown glue to make work? Can one reporting engine pull and correlate all these products into nice, pretty reports? All of this is value to the IT/security department and thus the company.


Will the value of a consistent, predictable, and centrally controllable environment be more valuable than the risk of that product having some fundamental flaw later on? Perhaps.


Thankfully there are some examples of these issues. Symantec has had at least one agent-based vulnerability in the past couple years. Symantec and McAfee have also released buggy signatures that either misreported benign files as malicious or threw false alarms when web browsing. Run through the scenario and see how much pain that might cause you. (Yup, it can be a lot!)


I can only ask questions and give thoughts, but I really think this ends up being a question whose answer only lies with the company constituents themselves. Yes, some people will deride you for being homogeneous with an all-in-one product that may not be the best-of-breed in any individual space and could leave you open to attack. But there are also people who realize there is value in standardizing and efficiency of operations, and that value can outweigh security concerns.


In the end, companies are economic entities, despite how much we sec geeks might want as much security as we can possibly get away with.




<- snip ->



Our company is looking into using one vendor's product to manage our
workstations' end-point security, which consists of:

Antivirus/Spyware
Managed Firewall
IPS
Application Control
Buffer Overflow
Device Control (USB, PDA, Phones etc..)

My understanding with the layered security/defense in depth principle
is that it would be foolish to go with one vendor's product, as this
creates one point of failure. If this product has a software
vulnerability, then the security of the workstations (and specifically
the attack vectors which the product is protecting) will be in
jeopardy. There is no redundancy; it's all or nothing, so to speak.

It's like buying a Multifunctional Printer - if the fax or scanner
function breaks down, the whole device needs to be sent in for repairs
and then you can't print. Or if you buy the brand new Apple Time
Capsule for your backups, and the hard disk breaks down, you then need
to send the device to get repairs and would be out of WIFI for the
duration of the repair.

What do you folks think regarding the advantages/disadvantages of
depending on one vendor's product for your Windows workstation security
in a global corporate (~50,000 seats) from a technical perspective?

I guess a balance needs to be met between the risks of putting all our
eggs into one vendor's basket versus cost.



