The new Forefront Protection 2010 for SharePoint is aimed at preventing users from either uploading or downloading infected documents or sensitive information. In addition to the new Forefront product, Microsoft also unveiled Active Directory Federation Services 2.0.
But Microsoft's inclusion of any combination of a select group of AV vendors' engines in the new Forefront product stood out the most: it supports not only Microsoft's own Forefront anti-malware software, but also AV engines from Authentium, Kaspersky Lab, Norman, and VirusBuster. "We use a multi-engine approach. This is an acknowledgement that no one vendor can see all the threats and profiles out there," says JG Chirapurath, senior director of Microsoft's identity and security business group.
Rob Enderle, principal analyst with The Enderle Group, calls Microsoft's strategy here "kind of an embrace and extend technology for AV." He says enterprises typically don't like multivendor approaches to security, but they also don't like to switch vendors, either.
"By using Forefront as the management layer, they would be initially attracted by the multiple AV support and motivated to move away over time from their existing AV vendors and towards a generic Microsoft solution if happy with the initial result," Enderle says. "This actually could be one of the rare times Microsoft has, subsequent to Office, used 'embrace and extend' to move into a market."
Jonathan Wynn, manager of advanced technology and collaborative services for Del Monte, which runs the new Forefront software on SharePoint to support its seven portals consisting of thousands of websites, says his company likes having the depth of five independent AV engines. "We're downloading those definitions as the sun travels around the world. So if something comes up in Russia, I can get the definition from Kaspersky by the time the sun rises here in Pittsburgh," Wynn says. "It's about confidence … for a secure, collaborative environment."
The AV tools for SharePoint all use signature-based as well as heuristics-based scanning technology. But some security experts say the days of pure signature-based scanning are over. Marc Maiffret, chief security architect for FireEye, which today announced an inline appliance version of its signature-less anti-malware technology, says there will always be some degree of signature use. "But security companies have to get away from chasing the next threat," Maiffret says.
Maiffret's company uses virtual machine analysis and its cloud-based intelligence network, but no malware signatures.
Meantime, collaboration was the theme for Microsoft's new product announcements today. Microsoft's Chirapurath says the new Forefront software and the new ADFS 2.0 software help support five recommendations the software giant listed for balancing risk management and collaboration among organizations and their partners: playing as a team, where security, content, identity, and business managers all work together; practicing defense-in-depth, with strong anti-malware tools on SharePoint and AV on PCs and servers; using technologies for managing and federating identity among organizations and into the cloud, such as single sign-on; deploying rights management policies so only authorized users access content they need for their jobs; and being cloud-ready with technologies that secure both in-house and cloud-based systems.
"What all of this adds up to is becoming cloud-ready and really making sure that the collaborative process is secure," he says.
ADFS 2.0 is a free download for Windows Server that lets organizations apply their in-house identities to the cloud and provides secure access to applications, according to Microsoft. It works with other identity standards, such as SAML, Chirapurath says. "It takes the enterprise identity infrastructure you've built in AD and extends it to the cloud, Azure or another" service, he says. "You can extend it to another partner or group of partners."
Chirapurath says even in a targeted attack where an attacker commandeers an enterprise user's machine, Forefront and ADFS could catch any unusual activity based on the user's identity and privileges and access to systems and information. "If an attacker has JG's identity and starts browsing or downloading [files] in patterns that aren't normal for JG, it would throw an immediate red flag. We can quarantine that person or machine."
Pricing for Forefront Protection 2010 for SharePoint is at around $7 per user per year, with a minimum of five users.