Forrester Predicts SMB Surge in HIPS Software Trials
by Eirik Iverson, Product Management
Forrester expects 19% of SMB organizations to trial host intrusion prevention system (HIPS) computer security software in 2009. These trials may cause IT personnel more stress than malware clean-ups, and more disappointment than the fourth Indiana Jones movie.
The need for what HIPS security software promises to address has never been greater. The effectiveness of the anti-malware software that defends over 99% of home and work computers is plummeting. That security software relies on signatures to identify the malware it is supposed to stop.
Stopping today’s sophisticated malware with yesterday’s signature-based technology is similar to deploying anti-terrorism measures that rely solely on authorities having photographs of known terrorists. Did airport security personnel have pictures of the September 11 terrorists prior to them boarding? Regardless, terrorists can wear a disguise, and so can malware. Just about any known malware sample can be re-crafted to elude signature-based defenses. The malware makers automatically do this every 10 minutes. Each year results in more malware signatures than all the previous years combined. This is creating annoying performance issues you’ve probably noticed.
Clearly, the call for HIPS has never been louder. The Forrester prediction indicates that average IT personnel are getting the word. Now for the rest of it: be careful what you wish for!
HIPS products are notoriously difficult to configure and maintain. They can distract end-users and IT personnel more than patch management, pop-up windows, spam, and forgotten passwords combined. Yes, the medicine can be worse than the illness.
The HIPS vendors are not deaf to customer feedback. They have created wizards, configuration libraries, and operating modes (e.g., low, medium, high) to make them easier to use. Unfortunately, the simpler and less intrusive these retrofitted features make them, the less effective the tool can be. For example, running a product in “medium” mode may drastically reduce protection compared with the annoying “high” mode.
Nonetheless, the need has never been greater. What is to be done? Evaluate several anti-malware computer security software products primarily for usability. Most IT personnel are not malware experts and lack the resources to test security software effectiveness against relevant malware samples.
Usability questions:
- What at-risk applications are ‘secured’ via default settings (out-of-the box)?
- How long does it take to configure the security software for everything else?
- Do they require administrators to be familiar with the idiosyncrasies and interactions of the software on the PC?
- How does the total level of effort compare with that of a personal firewall?
- Does it distract end-users or administrators by asking them to make security decisions because the software cannot?
- Do normal life-cycle issues such as software updates require the security configuration to be re-tuned?
- Does it slow down computers or conflict with other software?
- What are the consequences of NOT sifting through its event logs?
- How frequent are policy updates and how do they reach off-enterprise PCs?
- Do they address risks from users with local admin rights?


