Re: End Point Security - relying on one vendor's product a weakness in itself?

[krymson () gmail com]

If you have 50,000 workstations all running Windows XP, for instance, you're already pretty homogenous. One vuln in 
Windows and they're all vulnerable. :) 

In that case, it might not add significant risk to go with one product to rule them all. You could try to say there is 
added security value in running multiple products at different levels (AV on the desktop and some other AV on the 
gateway), but I'm not sure here is really good difference in most products. An IDS might be a better place to 
diversify, HIDS vs NIDS, plus different NIDS at different places in your network (DMZ<->internet and private<->DMZ, 
e.g.).

This really comes down to the total value this will give you, above and beyond just the security value. Will your staff 
save time learning multiple pieces of a similar look-and-feel product? Will you avoid possible incompatibilities 
between other products that result in lots of homegrown glue to make work? Can one reporting engine pull and correlate 
all these products into nice, pretty reports? All of this is value to the IT/security department and thus the company.

Will the value of a consistent, predictable, and centrally controllable environment be more valuable than the risk of 
that product having some fundamental flaw later on? Perhaps.

Thankfully there are some examples of these issues. Symantec has had at least one agent-based vulnerability in the past 
couple years. Symantec and McAfee have also released buggy signatures that either misreported benign files as malicious 
or threw false alarms when web browsing. Run through the scenario and see how much pain that might cause you. (Yup, it 
can be a lot!)

I can only ask questions and give thoughts, but I really think this ends up being a question whose answer only lies 
with the company constituents themselves. Yes, some people will deride you for being homogenous with an all-in-one 
product that may not be the best-of-breed in any individual space and could leave you open to attack. But there are 
also people who realize there is value in standardizing and efficiency of operations and that value can outweigh 
security concerns.

In the end, companies are economic entities, despite how much we sec geeks might want as much security as we can 
possibly get away with.



<- snip ->
Our company is looking into using one vendor's product to manage our
workstations end-point security which consists of:

Antivirus/Spyware
Managed Firewall
IPS
Application Control
Buffer Overflow
Device Control (USB, PDA, Phones etc..)

My understanding with the layered security/defense in depth principle,
it would be foolish to go with one vendor's product as this creates
one point of failure. If this product has a software vulnerability,
then the security of the workstations (and specifically the attack
vectors which the product is protecting) will be in jeopardy. There
is no redundancy, its all or nothing so to speak.

Its like buying a Multifunctional Printer - if the fax or scanner
function breaks down, the whole device needs to be sent in for repairs
then you cant print. Or if you buy the brand new Apple Time Capsule
for your backups, and the hard disk breaks down, you then need to send
the device to get repairs and would be out of WIFI for the duration of
the repair.

What do you folks think regarding the advantages/disadvantages with
depending on one vendors product for your Windows workstation security
in a global corporate (~50,000 seats) from a technical perspective?

I guess a balance needs to be met with the risks with putting all our
eggs into one vendors basket verses cost.