How to Evaluate, Compare and Implement Enterprise Antivirus

Performance counts, but CISOs and analysts say it's not by any means the only point for comparison

DON'T give up on HIPS. Although HIPS solutions are still immature and have a high false-positive rate, they should still be paired with antimalware solutions, Lambert says. She sees application control eventually replacing HIPS but says HIPS will still be useful in protecting machines against problems like buffer overflows.

At CMS Direct, Bell is happy that Sophos offers HIPS capabilities as part of its scanning engine. He uses it to block downloads of potentially unwanted applications, such as adware. Instead of the system automatically blocking applications that act suspiciously, he says, you can choose to be alerted and then use the centralized policy management capability to either authorize the use of the flagged applications or block them.

DO consider reputation services. As part of its work to displace other tools in its environment with the capabilities offered by Trend Micro, the packaged food company is testing the vendor's reputation services capabilities to see if it can replace its current URL filtering tool. Reputation services work by checking every Web address that users attempt to visit and blocking access to those found in a list of known malicious sites. Because the lookup is against sites that are already known, a newly registered or freshly compromised host is allowed through until it is listed.
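The check described above is a lookup of the requested host against a list of known-bad domains. The following is an added example written for this article, not code from Trend Micro or any product mentioned here; the blocklist entries and test URLs are constructed, hypothetical domains. It shows the normalization a real lookup needs before the comparison is meaningful: an uppercase or trailing-dot host, a URL with userinfo placed before the real hostname, a subdomain of a listed domain, and an internationalized hostname would all slip past a naive string match.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample blocklist of registrable hostnames (hypothetical, not a real feed).
# A listed domain is treated as covering all of its subdomains.
KNOWN_MALICIOUS = {
    "malware-drop.example",
    "phish.example.net",
}


def extract_host(url: str) -> Optional[str]:
    """Return the normalized hostname of a URL, or None if it cannot be parsed.

    Normalization covers the cases a substring match would get wrong:
    - a missing scheme ("evil.example/x"), which urlsplit would read as a path
    - userinfo ("http://bank.example@evil.example/"); the real host follows the '@'
    - uppercase and a trailing dot, both equivalent to the plain lowercase host
    - non-ASCII (IDN) hosts, converted to punycode to match ASCII list entries
    """
    if "://" not in url:
        url = "http://" + url
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. an unbalanced IPv6 bracket
        return None
    host = parts.hostname       # lowercased, with userinfo and port already stripped
    if not host:
        return None
    host = host.rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host


def is_blocked(url: str, blocklist=KNOWN_MALICIOUS) -> bool:
    """True if the URL's host, or any parent domain of it, appears on the blocklist.

    An unparseable URL is treated as blocked (fail closed) rather than let through.
    """
    host = extract_host(url)
    if host is None:
        return True
    labels = host.split(".")
    # Check the full host, then each parent domain, stopping before the bare TLD.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


if __name__ == "__main__":
    for u in ("http://malware-drop.example/payload.exe",
              "HTTPS://WWW.MALWARE-DROP.EXAMPLE./landing",
              "http://bank.example@phish.example.net/login",
              "http://notmalware-drop.example/",
              "http://example.net/"):
        print(f"{'BLOCK' if is_blocked(u) else 'allow':5}  {u}")
```

The parent-domain walk is what makes "cdn.phish.example.net" match an entry for "phish.example.net", while the label-wise comparison keeps "notmalware-drop.example" from matching "malware-drop.example" the way a plain substring test would. In a production filter the set would be replaced by the vendor's feed, but the normalization step stays the same.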

DO value ease-of-use. No one has extra resources to apply to security, which makes ease-of-use an important issue. That means vendors are paying more attention to dashboards and easier reporting, management and deployment.

Bell is impressed with his product's central management and at-a-glance dashboard, as he can quickly see when clients are out of compliance. Bell says he didn't use the dashboard feature of his former software because it was not easy to understand; clients would sometimes report that their upgrades were 30 days out of date. "Within five minutes, you can see that everyone is updated," he says.

Similarly, the director at the food manufacturer says advanced reporting modules have eased the job of reporting to senior managers on network protection. Previously, reporting required manual compilation of multiple reports. Today, reporting is automated and posted to the intranet.

DO consider multiple scanning engines. No scanning engine is perfect, which is why some vendors (for example, Microsoft and Symantec) are starting to use multiple scanning engines to increase the chances of catching malware. "Different engines have different blind spots," says Dan Blum, an analyst with the Burton Group.

With Forefront's multiple scanning engines, it's like choosing two different companies for their scanning abilities and putting both on one machine, says Amos. "If one is a little bit weaker at detecting malware than the other, you get double protection," he says. He plans to roll out four different agents for scanning.
