Review: Trend Micro Endpoint Security
Trend Micro claims to defend against threats both known and unknown.
Trend Micro is one of the "big four" business endpoint security vendors, along with Symantec, McAfee and Kaspersky. Its offering comes in two versions: a standard one, called OfficeScan Standalone, and a more comprehensive suite called Enterprise Security for Endpoints.
OfficeScan Standalone offers protection for Windows-based endpoints and Windows, Linux and Netware servers, while Enterprise Security for Endpoints also includes plug-ins providing a firewall and protection for Apple OS X-based systems and mobile devices – iOS and Android now and Windows Phone 7 and BlackBerry OS soon. These plug-ins, as well as a Virtual Desktop Infrastructure support plug-in, are also available as extras for OfficeScan Standalone. Both versions include a version of the Windows-based Trend Micro Control Manager management server that pushes Trend Micro's agent software to endpoints.
Like Symantec's Endpoint Protection 12.1, released in July, Trend Micro's endpoint anti-malware protection is based on three technologies: client-based anti-virus signatures, a cloud-based file and Web site reputation system, and an analysis of the behavior of unknown files to spot "suspicious" behavior when they run on an endpoint.
"Signature-based protection is still very significant," said Ron Clarkson, Trend Micro's senior director of endpoint business. "Other technologies can require lots of intervention from administrators, but traditional signature-based malware detection is 'set and forget.' We have some customers that only use signature-based protection."
The cloud-based Web protection works in a way common to most big security vendors: it leverages information gleaned from thousands of "sensors" on Trend's Smart Protection Network – essentially other Trend Micro client agents and the company's own machines – to build up a database of websites that host and deliver malware. If an endpoint tries to visit one of these websites, the HTTP traffic is blocked, preventing the malware from ever reaching the endpoint.
Its reputation-based file protection, on the other hand, works slightly differently to the reputation-based protection offered by some other companies. Instead of whitelisting known good files and flagging as suspect files which are very new or which have rarely been encountered before, Trend's reputation system is essentially a set of anti-malware signatures that are stored in the cloud. "Instead of deploying signatures (exclusively) on the endpoint, we put them in the cloud," Clarkson explained. "Customers that only use signatures on their endpoints can still take advantage of our network of sensors because all that cloud information makes its way to their signatures, but it takes a bit longer."
Challenges in the Cloud
But there are some issues with hosting anti-virus signatures in the cloud, Clarkson said. One is latency -- the delay inherent in checking a signature database in the cloud rather than one held locally -- although this is rarely noticeable. More significant are the sheer amount of bandwidth that could be consumed in an organization with hundreds or thousands of endpoints connecting to the cloud to check virus signatures, and the privacy issue of transmitting file information to Trend Micro's Smart Protection Network. For these reasons customers can also choose to run their own "Smart Protection Server" -- a local copy of all the signatures based in the cloud, which endpoint agents consult instead of going to the cloud.
What happens if a user downloads a file that's never been seen before on Trend's Smart Protection Network? That's when the endpoint software's behavioral analysis kicks in. "If the file runs then we check what it does," said Clarkson. "If it starts writing to the registry or doing something else suspicious we can block it." If customers opt in then the file is automatically uploaded to Trend Micro where it can be analyzed, and if it turns out to be malware then this information is added to the company's signature database and pushed out to the cloud, other customers' Smart Protection Servers and, ultimately, endpoints.
Trend Micro also offers a completely cloud-based version of its anti-malware software called Worry-Free Business Security Service, aimed at small businesses all the way up to enterprises with up to 10,000 employees. This is an online version of OfficeScan with similar anti-malware functionality, but without OS X or mobile device support. "Cloud (based protection) is quickly becoming significant with new customers. From an endpoint perspective it is our fastest growing area," said Clarkson.
The Three Pillars of Endpoint Protection
A problem for all of the big four security vendors is that the anti-malware protection they provide is a commodity based around signatures, reputation and behavioral analysis, according to Jon Oltsik, a principal analyst at Enterprise Strategy Group. "Those are the three pillars of protection that they all provide," he said. "Then it just becomes a bake-off between their products. Depending on the criteria that you use for testing them one can always be shown to be better than the others. For that reason what most companies are looking for now is a single agent that can do lots of things -- data loss protection, network access control, encryption -- something more than just anti-malware protection."
Clarkson broadly agrees with this analysis, and points out that Trend Micro's product includes host intrusion prevention system (HIPS) functionality, as well as removable media device control. "These used to be standalone products, and by including them we drive down customer costs," he said. He also believes that a small agent footprint and high performance are significant. "This is becoming increasingly important as many customers are keeping their laptops and desktops for longer," he added. OfficeScan 10.6, due out in Q4 2011, will also include data loss protection functionality, with the ability to scan for credit card numbers and other personally identifiable information.
OfficeScan Standalone and Enterprise Security for Endpoints are available with volume discounts. For 501-1000 endpoints, OfficeScan Standalone costs $24.82 per user per year, and Enterprise Security for Endpoints costs $33.75 per user per year.
Worry-Free Business Security Services for 51-100 users costs $26.98 for one year, or $45.87 for three years.