Managed Security Services

2006 MSSP Survey, Part 5:
Managed Anti-Virus and Anti-Spyware

ISP-Planet's biennial survey of MSSPs finds network anti-virus being combined with anti-spyware and anti-spam functions to offer more proactive, multi-layered malware defenses, accompanied by increasingly sophisticated provider threat monitoring and reporting.

by Lisa Phifer VP Core Competence, Inc. [December 22, 2006]

By most accounts, malware is today's top security headache. During the first half of 2006, Symantec documented over 6,700 new Win32 viruses and worms. Approximately 60 percent of the top 50 malicious code samples exposed confidential data, while 5 of the top 10 were trojan horse programs. Even spyware has gotten nastier, morphing from nuisance nagware to financially-motivated keyloggers and rootkits. Most businesses now deploy anti-virus scanners on desktops and servers. Managed anti-virus (AV) and anti-spyware (AS) services add a complementary layer of defense.

Network virus scanners examine message payload as it flows through a network firewall or unified threat management appliance. Stripping a worm from a mail message before it enters your network insulates every client that might have received that tainted message. Network anti-spyware that blocks trojans hidden within web responses reduces the risk associated with unsafe surfing. Such defenses do not eliminate the need for desktop and server AV / AS—after all, internal traffic can spread malware without ever leaving the network. But they reduce dependency on correctly installed, configured, and up-to-date host defenses.

A managed AV / AS service typically includes installation and provisioning of one or more message gateways, on-going signature updates, routine maintenance, and full-time monitoring and reporting. Twelve participants in this year's MSSP survey offer this type of service, detailed in the chart shown at right (click to view full size). This represents a 20 percent increase compared to our 2004 AV turnout.

Keeping up with the latest malware is a never-ending task. Although AV / AS products offer scheduled signature updates, surveys show that many users fail to check or install updates in a timely manner. Worse, today's malware moves incredibly fast. For example, consider Slammer, a worm that exploited unpatched MS-SQL Servers. Each server infected with Slammer tried to infect others by sending randomly-addressed IP packets at up to 50 Mbps. This behavior helped Slammer spread to nearly 75 thousand servers in just 10 minutes. Infected servers continued to exhaust CPU and bandwidth for days. Stopping Slammer at the network edge would have been far less expensive and harmful.

How can a managed AV / AS service help? An MSSP has a Security Operations Center dedicated to threat monitoring. This lets an MSSP move very quickly, pushing temporary work-arounds or signature updates to managed AV / AS platforms in the early hours of a major outbreak. Rather than waiting for scheduled updates to trickle down to hundreds or thousands of desktops, countermeasures are applied pro-actively, at one or more critical traffic intersections. For example, Altoria's managed AV / AS service employs two virus-scanning engines, McAfee and Sophos, updated every 5 minutes. Because this service is network-based, malware is eliminated "in the cloud" before it reaches the customer's network.

This year, our survey includes 6 network-based services, 8 CPE-based services, and one host-based service (Fiberlink). This represents a slight decline in network-based services when compared to our 2004 survey. Scanning is performed on a gateway of some sort in all but one case. The exception is Fiberlink, which combines virus scanning on remote access hosts with centralized monitoring and reporting. Including this here is a bit of a stretch, but we do so to illustrate the breadth of available services.

This year's CPE-based AV / AS services are supported by unified threat management appliances (e.g., ISS, Fortinet, SonicWALL, iSensor) or software like TrendMicro VirusWall running on another vendor's firewall. Surveyed network-based services also rely on commercial platforms like MX Logic, SpamAssassin, and MessageLabs. You could buy and install these platforms on your own, but then you would not benefit from provider threat monitoring.

Moreover, several managed AV / AS services are bundled with other services—in essence, adding AV / AS to a platform you are already renting. Fiberlink's solution is an extension to their Extend360 service. Getronics' offering is available by itself or as a Managed Firewall/AV/Spam Gateway option. IBM ISS provides AV / AS as a standard feature of services deployed on ISS Proventia platforms, or an option with Cisco/Checkpoint/Juniper Managed Firewalls. SecureWorks bundles AV / AS with its Managed IPS service. And so on. Differences in packaging may complicate comparison, but they reflect the tight relationship between virus-scanning and other services that inspect traffic.

One surveyed service focuses exclusively on mail traffic (Symantec), another on web and instant messaging traffic (AT&T). The rest scan a broader range of protocols, from HTTP, FTP, and IM to SMTP, POP, and IMAP. These results are less diverse than in our 2004 survey, where HTTP and FTP were scanned by just half of the crowd, IMAP support was rare, and IM non-existent.

We asked MSSPs to describe actions available upon virus detection. Log and Reject/Deny support are nearly universal; all but three offer Quarantine and Clean or Strip as well. Given recent growth in spyware, we also asked about actions taken against those non-viral threats. Nine services offer inbound filtering to strip risky active content or banned S/MIME types before spyware can take hold. If that should fail, seven services can also block outbound Spyware / Adware back-channels. Six can block outbound requests to Spyware URLs or blacklisted domains. We should note that similar capabilities can also be found in Managed Content Filtering services, discussed in the final part of this series.

Two years ago, we predicted that MSSPs would begin to differentiate managed AV offerings by including features that demonstrate the service's value. Answers supplied this year for logging and reporting appear to support that. On-line access to reports, logs, and statistics were frequently cited. For example, AT&T provides statistics on web usage by User/Group, Category, Time, Spyware Prevented, and Viruses Blocked. Getronics can identify individuals engaging in risky behavior. IBM ISS cited their ability to query, sort, filter, and correlate threats across multiple device types and platforms. Megapath delivers scheduled executive reports that present strategic threat summaries, accompanied by detailed reports that provide tactical attack details. Consult the AV / AS chart to see the answers supplied by other MSSPs. Although reports do reflect platform capabilities, they are also part of the "value add" that an MSSP can bring to the table.

—End