Outsourcing your antivirus infrastructure sounds tempting: subscribe, pay a fee and enjoy virus-free enterprise systems. There's no updating signatures or listening to employees complaining about false positives -- Nirvana, right?
Unfortunately, managed AV services won't produce perfect happiness. While multiple scan engines, rapid virus signature updates and expert advice from a 24/7 service operation center (SOC) team are strong drivers for outsourcing AV, the reality is that you'll have some duties too -- beyond choosing a provider.
Managed AV services tend to fall into two camps: e-mail-centric solutions and desktop AV offerings. The majority of providers offer e-mail-centric services, a deployment that merely requires an organization to change its MX record in DNS to point to the provider's mail servers. When e-mail for the organization arrives on the provider's server, it's scoured for viruses, spam and possibly other content before being forwarded. Some vendors go further and analyze outbound e-mail, making sure nasty stuff isn't being spread to the Internet, or provide keyword analysis to check that the e-mail system isn't leaking critical information.
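One check a practitioner wants after making that MX change, as an added example that is not from the article: confirm that every MX record for the domain hands mail to the provider, because any MX host outside the provider's domain (a forgotten "backup" MX pointing at your own server, for instance) receives mail that the service never scans. The provider domain and the sample MX answers are constructed placeholders.

```python
"""Audit a domain's MX records against a managed e-mail AV provider.

Added example, not the article's or any vendor's code. The provider
domain and the MX answers below are constructed placeholders."""
from typing import Iterable, List, Tuple

MxRecord = Tuple[int, str]  # (preference value, exchange host)


def normalize_host(host: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return host.strip().rstrip(".").lower()


def in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a label under it (not a lookalike)."""
    host, domain = normalize_host(host), normalize_host(domain)
    return host == domain or host.endswith("." + domain)


def audit_mx(records: Iterable[MxRecord], provider_domain: str) -> dict:
    """Report MX hosts outside the provider's domain, in delivery order.

    Mail can be delivered directly to any listed exchange, so every host
    not under the provider's domain is a path around its scanning.
    """
    ordered = sorted(records, key=lambda r: (r[0], normalize_host(r[1])))
    bypass: List[str] = [
        normalize_host(h) for _, h in ordered if not in_domain(h, provider_domain)
    ]
    return {
        "all_via_provider": not bypass,
        "bypass_hosts": bypass,
        "primary": normalize_host(ordered[0][1]) if ordered else None,
    }


# Constructed sample answers; "mx-provider.example" stands in for the
# managed service's mail servers and "corp.example" for the customer.
CORRECT = [(10, "mx1.mx-provider.example."), (20, "mx2.mx-provider.example.")]
LEAKY = [(10, "mx1.mx-provider.example."), (50, "MAIL.corp.example.")]

if __name__ == "__main__":
    print(audit_mx(CORRECT, "mx-provider.example"))
    print(audit_mx(LEAKY, "mx-provider.example"))
```

Feed it the MX answer set from your resolver (for example, the output of a dig MX query) and treat a non-empty bypass list as a misconfiguration to fix before relying on the service.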
CyberTrust, Inc. (formed from the recent Betrusted/TruSecure merger) and FrontBridge are two of the numerous vendors offering e-mail-centric services. The services employ signature detection, and in this case both vendors use three different screening technologies. For example, the CyberTrust Managed E-mail Firewall Service uses scanning engines from McAfee and Sophos along with a proprietary one, whereas the FrontBridge TrueProtect E-mail Management Service employs scanning engines from Symantec, Sophos and Trend Micro.
Symantec offers its own version of managed e-mail-centric filtering services, Symantec Managed Virus Protection Service, which also includes analysis and filtering of malware affecting Web traffic.
Alternatively, desktop AV offerings require the deployment and management of a commercial AV program installed on each and every desktop system. These services establish a significantly closer relationship between you and the vendor than e-mail-centric services do. You get a slice of the vendor's SOC, where staffers continuously monitor the AV status of all desktops. Both Avaya and Verizon offer such services, built on top of McAfee's desktop anti-virus solution (McAfee also offers such a service itself, McAfee VirusScan ASaP).
Managed AV solutions of either nature can offer some real benefits, including:
- Rapid updates, with live monitoring -- While your staff might only be able to reliably update AV signatures and engines every couple of days, managed service providers update their signatures around the clock, as new updates are released.
- Dedicated staff with up-to-date knowledge of the latest threats -- For some organizations, keeping pace with the rapid advance of malware is tough. SOC teams can focus on the latest malware and potentially offer more detailed advice.
- A robust, affordable infrastructure -- With multiple, parallel SOCs, many AV service providers have more solid infrastructures than a lot of small and medium-sized businesses (and a few large enterprises as well!), which translates into operations/performance benefits.
- Thorough protection -- Some managed AV vendors employ multiple scanning technologies, letting you take advantage of multiple signature bases without having to invest in and train your staff in several offerings. Some malware bypasses certain AV tools but not others, and using multiple engines provides layered protection.
The downside to managed AV services is that you'll still be responsible for several items:
- Reading reports delivered by the service -- These reports typically point out potentially infected systems and e-mail accounts that are especially troublesome. Don't expect the vendor to fix these problems. Unless you pay extra, the vendor merely identifies issues. Your security team will have to perform the actual investigation.
- Reviewing suspicious e-mail in your quarantine queues and updating e-mail filtering keywords -- You'll need to regularly toss out items that are truly sinister, while saving some items that might be false positives. Similarly, if you are using keyword searches to filter e-mail for certain content, you're responsible for tuning the keywords and keeping that list up to date.
- In the case of managed desktop AV services, helping to clean up infections -- When a machine gets infected with malware that cannot be automatically removed by an AV tool, you'll need to deploy personnel to work with the vendor to remove the pathogen. Additionally, if the AV programs installed on some of your desktop systems become unresponsive to signature updates, you'll have to deploy people to fix them. And finally, remember that no solution is 100% effective. In the case of a massive infection, your team will still need to mop up, possibly uninstalling malware manually or even reinstalling operating systems to get back into business.
If these are tasks your team can handle and outsourcing AV is right for your organization, then you are also tasked with choosing a service provider. Follow these practices when evaluating service providers:
- Ask how they perform background checks of their employees, and make sure the process meets your business needs.
- Review their network architecture, making sure there are multiple, parallel SOCs with good fail-over capabilities.
- Ask providers what policies, procedures, and technologies they employ to separate your data and network from those of their other customers, keeping in mind that someone could hypothetically hack your organization via their network.
- Check Service Level Agreements to verify the speed with which they update their AV signatures and engines, as well as how quickly they contact you when an infection occurs.
- Don't make your decision based purely on cost issues. Remember, a super cheap service may not offer the SOC redundancy and trained personnel you require.
- Don't ignore their level of employee training and expertise. Ask how they keep their personnel updated -- look for a comprehensive training program and at least a year of experience for SOC personnel.
- Check the provider's patching process, making sure they update their systems and any software installed on your machines in a careful fashion when critical patches are released.
- Don't forget to reserve the right to perform a security assessment of their service, and include specific language in your contract that allows you to perform announced assessments on a regular basis.
Although they cannot just make the AV problem go away entirely, managed AV services do provide a solid solution for some businesses. If you follow these rules of thumb and keep your expectations in check, you'll be much more satisfied with outsourcing your AV infrastructure.
About the author
Ed Skoudis, CISSP, is cofounder of Intelguardians Network Intelligence, a security consulting firm, and author of Malware: Fighting Malicious Code (Prentice Hall, 2003).