Information Security – Protection or Manageability?

Natalya Kaspersky, CEO of Kaspersky Lab

I have been following much of the news surrounding the Microsoft launch of Forefront Client Security – a new solution for securing enterprise networks – and found myself extremely concerned about whether or not anyone cares any more about security.

Usability at the Forefront

Microsoft representatives are pushing Forefront as a highly usable system for monitoring and managing all network nodes. Of course, Microsoft made its name by developing products which concentrate on usability. I have no doubt that Forefront will live up to expectations in this area. However, there are several issues relating to the release of Forefront which will worry security professionals.

My main concern in reading the related PR was that the focus is mainly on manageability versus security. I find this very worrisome indeed.

Manageability is of course a key issue in a security solution, but in my opinion, it can't replace quality detection. If a solution can't detect threats, there will be nothing left to manage. Given that threats today are specifically designed to evade detection for as long as possible, quality of detection has to be at the forefront in choosing a product. You need an anti-virus solution that detects threats. First and foremost. Managing the solution is definitely secondary.

Certification vs. Comparatives

I was astonished when I read that Margaret Arakawa, senior director of Security and Access Product Management at Microsoft, was reported as saying that the myriad tests such as AV-Comparatives.org's don't matter to the industry – rather, what matters are the two standards for certification that OneCare has in fact passed: West Coast Labs and ICSA Labs.

Given that independent testing is routinely conducted in all industries where the security of the end user is at stake – medicine, the automotive industry, airplane construction, etc. – this is a very odd statement. Independent tests are necessary simply because different companies produce goods and services to different standards. When it comes to information security, testing the quality of solutions is crucial: malware is not only becoming more and more sophisticated, but it's also increasingly designed to make money for well-organized cyber criminals. Independent tests should effectively evaluate detection rates, the speed of response to new threats, the resources required to run each solution, and the stability of the solution itself.

Testing bodies provide either certification tests (such as West Coast Labs, ICSA Labs), or comparative tests, where products compete against each other (such as AV-Test.org and AV-Comparatives.org). Some organizations provide a combination, such as Virus Bulletin, which offers the VB100% award and also publishes the results of comparative tests. Certification confirms that a given solution meets or exceeds the minimum requirements of a test; in the AV world, certification guarantees a certain standard of AV functionality and the ability to detect the test viruses. Comparative tests, on the other hand, go further and evaluate the qualitative difference between products that have been acknowledged as meeting basic requirements in an imperfect world. Naturally, we can debate about testing methods and find fault with the methodology of any given testing organization. However, I think we, as a collective industry, agree that independent tests are crucial for the AV industry, both in terms of keeping vendors on their toes and in giving consumers a reasonably unbiased view of how available solutions compare against each other.

Microsoft, or at least Margaret Arakawa, appears to be asserting that independent tests don't matter. And people who follow Microsoft agree: for instance, Michael Cherry, an analyst with Directions on Microsoft, said "The criteria may not be how good signature files are in the future. Frankly, they're not that far off from each other [as it is]. [The other companies who participated in the tests that OneCare flunked] didn't do so well themselves in those tests." Poor excuse.

More Than Just Detection

In the meantime, all the well-regarded comparative tests prove that AV products differ greatly in terms of detection rate, reaction speed to new threats, quality of proactive protection, strain on system resources and other parameters. Moreover, there are no visible signs that the difference is getting any smaller. In fact, in many areas (for instance, response speed) the gap is widening. This is true even in terms of the oldest standard used in comparing AV solutions – signature-based detection rates. Sadly, it seems that the expanding onslaught of cybercrime is accelerating at a much faster rate than the ability of many in the anti-virus industry to keep up.

And the size of an organization doesn't guarantee success in the AV industry. Experience is key, size is not. A successful AV vendor needs professionals who are capable of combating current threats, predicting future trends and second-guessing the virus writers who've transformed themselves into an industry.

Microsoft has enormous in-house experience in developing complex solutions that are user friendly and easy to manage. I am sure that Forefront Client Security will prove a highly usable, flexible solution for small and medium-sized companies. But none of this will matter if Forefront fails to detect Trojans hiding in the network that are stealing passwords, transmitting confidential data to third parties, etc. Wearing a bulletproof vest is not a fashion statement – it means that you want to survive in a critical situation. And it seems as if Microsoft has forgotten this important little detail in developing Forefront Client Security. It's an unfortunate precedent.

Source:
http://securitywatch.eweek.com/microsoft_windows/ms_closes_the_edgeserverclient_security_loop.html

Copyright © 1997 - 2009 Kaspersky Lab.