Managed Security Services

MSSP Survey Part 4:
Managed Anti-Virus Services

Like viruses themselves, managed anti-virus services have been present since this survey's inception.

by Lisa Phifer VP Core Competence, Inc. [January 18, 2005]

As business dependence on the Internet—e-mail in particular—has grown, so have the number of providers offering AV services (see table). This year, approximately 2 out of 3 survey participants offer managed AV services. In addition, RedSiren, who participated in other surveyed categories, launched new managed AV, spam, and Web filtering services too late for inclusion here.

Costly virus outbreaks like CodeRed, Nimda, Slammer, and Blaster pushed many businesses into deploying AV on all desktops and laptops, but many continue to feel the adverse effects of mutating mass mail worms like Netsky. Managed AV services are typically designed to augment, not replace, host-based virus protection. As shown in the pie chart below, managed AV can be deployed on customer premises equipment (CPE) or on provider-hosted (network-based) servers. In either case, MSSPs tend to provide network (gateway) virus protection, stopping viruses before they enter or leave your company's network.

Nearly all of the managed AV services encountered in this year's survey scan e-mail traffic—SMTP and POP. Globix's network-based service also scans IMAP and encrypted POP and IMAP sent over SSL. This industry focus reflects the fact most viruses are now entering corporate networks through e-mail. The e-mail focus also reflects the market's continuing shift towards network-based anti-virus/spam services.

Simply put, it makes good sense for providers to stop both threats on (or near) their SMTP gateway. Delivering AV and spam filtering as value-added options to basic corporate mail delivery is an incremental revenue opportunity for many providers. In fact, AV and spam filtering are fast becoming baseline network service requirements, required to remain competitive.

On the other hand, customers with other CPE-based Managed Security services—specifically firewall and IDS/IPS—can leverage firewall options to scan for and eradicate viruses. In this topology, it is logical to scan not just mail protocols, but also Web content (HTTP) and file downloads (FTP), since all traffic enters and exits the customer's network through that one device. The rub is that virus scanning consumes resources, and you don't want your AV strategy to bog down your entire network.

Deploying efficient-but-effective network AV can be tricky, so many MSSPs offer both CPE-based and network-based services to help customers strike a balance through distributed processing.

We asked MSSPs to identify virus signature update intervals, actions taken when viruses are detected, and how they communicate these actions to customers through alerts and reports. Update frequency is generally configurable for CPE-based AV services, but minimums have shrunk over the years—daily or hourly is not uncommon, and several providers now offer "push updates" as new signatures are released. Currency is particularly important during major outbreaks, since worms like Slammer and Zafi spread extremely fast.

On the surface, actions sound fairly consistent: quarantine, delete, and sometimes clean. In practice, the way in which customers interact with providers can vary quite a bit. For example, if your provider quarantines virus-infected e-mail on its server, are you responsible for deleting quarantined content? On the other hand, if your provider doesn't quarantine viruses, will you have sufficient data to understand how your network was impacted and responded during a major outbreak? As managed AV services become standard fare, providers will differentiate themselves through ease-of-use and visibility features that substantiate what the service is, in fact, doing for you.