Good enterprise IT organizations are a disciplined and serious group. They appreciate the importance of orderly processes and centralized control, and these characteristics are evident in the software, technology, and workflows they employ to manage complex networks, distributed applications and large user populations. Spyware poses a clear and present danger to enterprise networks. Fully aware of the costs of both spyware-related productivity losses and remediation of spyware infestations, enterprise IT now regard spyware detection and blocking as critical components of an overall security framework.
Even as they deploy currently available technology to combat spyware, enterprise IT departments have not lost sight of the longer-range requirements that will help integrate antispyware measures into standard desktop administration and layered security architecture. Consistent with many security initiatives, a short-list of requirements emerges from early adoption and deployment that forces vendors to think beyond individual endpoint protection metrics such as product reliability, accuracy, and usability and into the realm of large scale deployment.
Secure Central Administration and Configuration. Antispyware solutions that require IT staff to "touch" every desktop don't scale to large user populations. An enterprise IT solution must provide the ability to provision and deploy "desktop" antispyware from a central source, with eventual Active Directory or LDAP integration. The process must be secure: users should not be able to defeat or ignore provisioning, or tamper with configurations.
Centralized Event Monitoring, Notification and Analysis. Once provisioned, enterprise IT will want to monitor endpoint devices to assure that they remain in compliance with configuration and policy. IT staff will also want event notification of spyware infestations delivered to and stored in a central repository at a management system, to help them quickly respond to such threats as key loggers and remote administration tools and prevent further infestation and unauthorized disclosure of sensitive, private, or regulated information. This event database should also be accessible for post-incident analysis.
Enterprise Self-administration. Enterprise IT often want to control and monitor software updates, upgrades, and anti-spyware signatures/definitions, just as they do today for Windows operating systems and desktop antivirus software. The ability to control antispyware updates from a server(s) within the organization serves several purposes. First and foremost, IT can test software to assure compatibility with existing desktop policy and configuration. Self-administration also offloads "update" bandwidth from Internet access circuits to campus networking fabric. Finally, it helps organizations with accounting and auditing (what clients are not routinely updating product, how many clients are actually using product, etc).
Integrate with Complementing Security Measures. Blocking malicious code before it infests the enterprise is a top priority. For many enterprises, endpoint security and network admission control have already proven to be effective malware deterrents. Today, Cisco's Network Admission Control (NAC) and similar solutions based on IEEE 802.1x/EAP block virus-infected endpoint devices from admission to networks; allow for quarantine and remediation prior to admission; and constantly monitor for suspicious activity. Antispyware solutions must be integrated into endpoint security frameworks as well.
Deployable as One of Many Layers of Antispyware Defense. Antispyware software for application servers and gateway antispyware measures - URL filtering, content and back-connection blocking, defeating auto-installation of ActiveX controls, etc. - are necessary components of the defense in depth deployed by many security-minded enterprises.
Satisfying enterprise IT security requirements has always been challenging. Even as antispyware vendors scramble to satisfy this Top Five, additional requirements will no doubt appear. But vendors who understand and appreciate these requirements early in the development process have a leg up on the competition.
Originally published April 2005. Core Competence received a fee from Aluria Software for the preparation of this work.