What happens when a major computer security firm issues a report showing that
its latest software is vastly superior to other, competing products? The
subjects of that attack rise to their own defense, as though fighting off a new
Internet virus.
That's the situation in a nutshell after eEye Digital Security recently
released a controversial comparison chart. The table asserts that eEye's Blink 1.0
intrusion-prevention software (IPS) has numerous capabilities not found in
Cisco Security Agent, McAfee Entercept, Sygate Secure Enterprise, ISS
RealSecure, and four other IPS products.
Charting A Rocky Course
I wrote up eEye's claims about Blink 1.0 in this space
last week. The new software suite, which was released
in July, is partly based on eEye's respected Retina vulnerability scanner,
which debuted in 2000. But the new Blink bundle adds application- and
system-level firewalls, plus additional software that the company claims
will prevent hacker intrusions "based on the characteristics of an attack,
rather than the specific signature."
eEye's comparison chart, posted on
Blink's product page, has inspired some of its competitors
to launch a few attacks of their own.
"Blink's representation of what Entercept does is inaccurate and outdated,"
charges Zimal Solanki, McAfee's director of product marketing for IPS products.
Besides strongly disagreeing with the eEye chart, McAfee spokespeople say their
security software has many features that eEye left out of the comparison
entirely. According to Patrick Bedwell, Entercept's product marketing manager,
these include the following:
• Levels of Protection.
"We include a number of defined signatures in our product that eEye doesn't,"
Bedwell maintains. "For some of the well-defined attacks, you really need to
have those signatures in place."
• Scalability.
McAfee's products have been well-tested in the line of fire in large
enterprises, Bedwell says. "We currently have about 30 million desktops
worldwide being monitored by
ePO," the company's ePolicy Orchestrator security
management tool, he indicates.
• Manageability.
McAfee's software has evolved to respect the policies that exist within
enterprises of various sizes, Bedwell says. He contrasted that with the new
Blink 1.0, saying, "Their management console requires administrative
privileges, which low-level admins don't always have."
Securing the Enterprise, Computer By Computer
Spokespeople for Sygate Technologies, the makers of Sygate Secure Enterprise
(SSE) were even more adamant that their product had been
misrepresented and is, if anything, more capable than Blink.
"All of the functionality they say we don't offer on that list, we actually
do," flatly states Maritza Perez, product manager for SSE.
Bill Scull, SVP of Sygate, added his own list of features that he said his
company's products offered that didn't make it into eEye's comparison:
• Enforcement.
"You might say, Here's a list of things I want to be 'on' before this machine
can connect to my network," Scull says. "You might want to make sure IM
[instant messaging] is off, that peer-to-peer networking is off, and that
there are other applications that are on." Corporate policy might require that
an antivirus program be running and up-to-date on a roaming worker's laptop,
for example, before it's allowed to access the home network.
• Adaptive Policy.
"You might want a different policy when you're connecting wirelessly from
Starbucks than when you're inside the corporate firewall," Scull points out.
• Performance And Monitoring Across The Enterprise.
Sygate's largest customer has 250,000 devices under central management,
according to Scull. "When you need to scale to a quarter-million end points,
there are a lot of things you need to do." Sygate recently has
announced deals ensuring interoperability in
multi-vendor environments, a benefit for corporations with mixed networks.
• Automatic Remediation.
When devices are found to be out of compliance with one security requirement
or another, Scull says, Sygate's products are equipped to update many of them.
"The purpose is to make sure the computer is up-to-date before it connects to
the network," Scull says. Remediation is an entire category eEye left out
of its comparison chart, he notes.
Finding Oneself in the eEye of a Storm
In a follow-up interview, eEye COO Firas Raouf acknowledged that Blink 1.0
doesn't itself handle end-point updating.
"If a machine does not meet that level of security," Raouf says, Blink can
"lock down that machine even further, or it can notify the Retina Remediation
Manager," which is a separate product. "Over time, those two products will converge
into a single agent," he said, adding that some corporations prefer to use
their own update-management software.
Thor Larholm, senior security researcher for
PivX Security
Solutions, a competitor to eEye that wasn't mentioned in the comparison
chart, feels Blink brings to the industry fairly few new technologies. The
capability that does intrigue Larholm, after reading eEye's white papers on the
subject, is the claim that Blink can prevent process-based buffer overflows,
a vulnerability that's popular with hackers who seek to plant rogue programs
on PCs.
"That's the only one from our point of view that's at all interesting,"
Larholm says. "But that's also the one that we have the least technical
information about. All of the other capabilities we see in other products."
PivX's own product, Qwik-Fix Pro, which was released on Aug. 16, "eliminates
specific vulnerabilities" in Windows, says director of forensic services
Jason Coombs. "Any attack that targets the vulnerability will fail before it
can take root."
Conclusion
eEye has a well-deserved reputation for the benefits of Retina and the firm's
other products and services. In a hot IPS market that's rapidly growing in size
and importance, it's understandable that security providers have their elbows
out to defend their reputations and customer bases.
Which IPS system truly is the best? That call will have to await independent
testing — which is just now getting underway, considering that some
of these products have been available only for weeks, not months. Until then,
my advice is, "Don't believe everything you read on the Internet."
What happens when a major computer security firm issues a report showing that
its latest software is vastly superior to other, competing products? The
subjects of that attack rise to their own defense, as though fighting off a new
Internet virus.
IE 7
Firefox 2.0
