Without digging too far into the works of Shakespeare and by horrendously over-simplifying matters, there is a pair of characters from “Hamlet” that I would like to use as a tortured analogy. They are Rosencrantz and Guildenstern, and things do not go well for them at all.
These two characters are old college friends of the Prince Hamlet and are summoned by the King and Queen to come and look in on their friend who is having a bad time as of late. This, being a Royal summons, they show up because that’s what you do. After meeting up with Hamlet, these two characters note that Hamlet is a bit out of sorts (perhaps this has to do with his father dying recently and his mother marrying his uncle?). After Hamlet kills somebody, Rosencrantz and Guildenstern are requested to embark on a road-trip with the Prince and a note. It’s a request they honor because that’s what you do at the request of the Royals. The Prince makes some small changes to the note because Princes do that type of thing. They get attacked by pirates because that just happens from time to time. In the end, Hamlet skips out on the road-trip and these two characters are at the end of the journey with a note from a King and Queen which request that they be put to death. And they are put to death because this is a Royal request and that’s what you do when the King and Queen ask you to do something of this nature.
“What does this have to do with an AV only install of SEP?” you ask. I’ll connect the two.
For many years, an AV only install was all of the protection that was needed for a client system. Sometimes it was all that was available, but that was okay. The firewall rules were tight and there was scanning on the e-mail system… All seemed well. But, slowly, the threat landscape started to change and threats were starting to leverage vulnerabilities in applications services and operating systems to gain footholds on client systems. No longer was a file required to be written or accessed by a file system in order for the system to be compromised; using an exploit or over-running a buffer could accomplish it all and it could all happen over the wire.
Security vendors noted this change and started incorporating additional technologies into what had traditionally been just AV. Intrusion detection/prevention modules were added. Client firewalls and process and device injection drivers were created. Browser add-ons and helper objects were written. All of these were added together and bundled up as a decidedly new type of client that remarkably un-like the AV client of old.
A brand new set of technologies is delivered to you and what are supposed to do with it? You set it up in the only way you know how: Mirror the old AV only solution because that is what you do. Testing goes well, but testing always goes well because the “Model Office” never seems to have anything to do with a “Real Office”. There may have been hiccups in the limited pilot, but those can be dealt with in time. The software is packaged and then, one night, the trigger is pulled and the rollout begins, because that is how this is done.
Then, the phone rings.
The business critical application that is reliant upon a specialized and rather expensive piece of hardware can no longer function. A custom Java applet can no longer launch. Teamed network cards on server clusters are failing. E-mail cannot be accessed by clients. Processes on devices won’t function. Business stops. Then, the word comes from on high that steps need to be taken to get back to where we were yesterday and you take those steps. That which can just be disabled is disabled and that which needs to be uninstalled is indeed uninstalled. Because that is what you do.
After the events, cases are opened and vendors are alerted. Hardware updates are requested and drivers are written. Device firmware and BIOS are updated. New sets of policies are updated to become part of the defaults. The entire security software suite is re-written to increase throughput and address interactions with other hardware and software. All of the backend management pieces are updated and there is even a live pilot of the current version of the security suite running on the systems that were heavily impacted last time and everything is working. All that is needed is to follow through and push the rest of the suite. The word from on high is that the new client can be released, but only to new clients as they are built. Now your upgrade path is an act of attrition and that is what you do.
Meanwhile, you are constantly being besieged by threats that are coming from all angles or are desperately attempting to keep abreast of the current vulnerabilities in the software that you run to keep the threats at bay.
Here is where Rosencrantz and Guildenstern come into play. If you have an AV only install active in your environment today, review the business decisions that took place to allow you to arrive and remain at that install. I know that things might have been crazy and that some people may have been hurt, but there are more pirates on the way and the last thing you want is to be knocking on a door holding a letter that spells your own demise, because that’s what happens.