5/8/2007 5:59:00 PM

Navigating the Security Bandwagon

by Shimon Gruper

This week, I visited the InfoSec Europe 2007 tradeshow in London. I was astounded to see that the show was probably twice as large as last year. Major security vendors were moving at a faster pace, and lots of new small vendors had appeared out of nowhere, jumping onto the hot security bandwagon.

Walking the floor, you could easily get lost in the myriad of security offerings - from comprehensive do-it-all security suites, to security audits that advise customers what protection they actually need.

I have been dealing with security for the past 20 years. I hold CISSP (Certified Information Systems Security Professional) accreditation, yet it was still difficult for me to understand what some companies actually offered and why their offering was the one solution you absolutely could not live without. I found myself thinking about those customers who do not have deep security knowledge - how would they navigate the multitude of options to decide which product to buy? Would they know how to weigh the pros and cons?

I asked myself a lot of questions: Should I, as a customer, listen to my reseller? After all, it is his job to recommend the best solution. But is he not biased toward products in his portfolio? And should I go for a well-known brand name? Nobody was ever fired for buying I*M, but is it really the best-of-breed solution?

Big companies are known for their slow adaptation to new technologies - they are usually behind the market. Just look at what happened to anti-virus companies when spyware became a serious issue. People had to purchase dedicated anti-spyware because their anti-virus vendor kept promising solutions which never came.

Should I, as a customer, go for a small and dynamic company that has new, innovative technologies, but which I am not sure will be around tomorrow? The security market is converging. The big fish constantly swallow the small ones - and after digestion, they are not always loyal to the customers who have stayed with the old product.

The dilemma is a complicated one, and there are too many parameters in the equation to solve. Thus, I recommend either doing the homework yourself, or consulting an independent security expert who is unbiased because he is not selling you any products. Don't necessarily go for the big name - just because they have a large booth at the tradeshow and spend a lot of money on marketing, it doesn't mean they are the right choice. If you decide to go with a small company, check their background and their financial stability to make sure they will not go belly-up next week.

However, the most important advice that I can give you is this: take the product for a trial-run before you sign the check. There is nothing like taking a test drive and seeing it in action. You need to make sure that the solution actually does what the vendor promises you, and that it fits your needs. I know what you are thinking: implementing and testing every solution you consider buying is a nightmare for the IT department. Not only that, but unsuccessful tests will eat into their precious time.

I realize that it is not simple to install a security product that you want to test in production. And I know that testing it in a lab will never give you an accurate picture. So, how should you go about selecting a product and testing it, without affecting your infrastructure, your network and your users?

This is an issue some vendors have considered - Aladdin among them. We recently introduced a new tool into our eSafe product family. This tool can be used to test the effectiveness of our eSafe product with absolutely no effect on your network. It connects to a mirror port of your gateway switch and passively sniffs all Internet traffic. Wait a few days, and then you can generate reports, actually seeing what eSafe would have blocked if it had been fully deployed in your network. Smart, don't you agree?

So don't wait - deal with the issue today: ask your security vendor if they can provide you with an accurate demonstration - without making changes to your network configurations.



internet security

4/4/2007 6:26:00 PM

Another Zero-day Vulnerability

by Shimon Gruper

It's Thursday, the end of the week is coming and I am looking forward to next week's ski vacation in Italy. But as expected, when I come home and connect my laptop to read some last-minute emails, there is an email from the Microsoft security team announcing yet another zero-day vulnerability. There goes my quiet weekend! This time the zero-day vulnerability involves Windows animated cursor files (.ani). A bug was found in the module that handles those .ani files in all Microsoft Windows operating systems.

But hold it, what is this? Am I reading this correctly? What is Vista doing in the list of vulnerable Windows systems? Isn't it supposed to be the most secure operating system ever? Isn't it designed to withstand zero-day vulnerability attacks? Well, apparently there is a big gap between the design and the implementation. Don't get me wrong, I do think Microsoft did a great job with Vista and it does contain many new security features that will indeed thwart many malware attacks, but unfortunately they have not created a panacea yet.

So far there is no protection available against this vulnerability, and Microsoft is planning to release a patch in their monthly security update, which is scheduled for April. The only remedy is to use antivirus products that are constantly updated with signatures of the malware that the exploit automatically downloads. But this is like chasing one's own tail, since hackers are very quick to jump on the new vulnerability bandwagon and will be adding this exploit to almost every new piece of malware they write. This means that until the patch is out, users can be transparently infected just by visiting an infected Web site or receiving an email. The opportunity that comes with a new exploit, and the window of vulnerability that it brings (until Microsoft releases a patch), is immediately seized by spyware and adware publishers. They love the idea of being able to infect our computers without our knowledge and consent, since each infected computer brings them an immediate financial gain. Each infected computer is a welcome addition to their army of robots that show ads, send out spam or engage in criminal activity.

Nowadays hackers have learned the schedule on which Microsoft releases security patches, and they time the release of new exploits to maximize the window of vulnerability, which can give them up to 5 weeks of fertile ground of unpatched and vulnerable computers worldwide. Getting past a regular antivirus program is easy. Since antivirus programs do not detect the actual exploit but rather the malware payload downloaded as a result of the exploit, they just need to change the malware frequently enough that its signature no longer matches.

Until the patch is released, we can only ponder what we should actually do with Microsoft's advisory: "As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources". How exactly should I "exercise extreme caution"? Does it mean I should read my emails very slowly?

So far it is clear that a different approach is needed to fight vulnerabilities. We cannot wait for Microsoft patches and we cannot rely on traditional antivirus solutions. I hate to be in the position of saying "I told you so", but unfortunately I did. About 4 years ago we realized that vulnerabilities and exploits would be the main conduit for malware to get into our computers, and back then we started to develop a very unique technology that we called XploitStopper™. This technology focuses on blocking the exploitation of the vulnerability regardless of the malware that it downloads. The idea is very simple: we know how the exploit works and what exactly triggers the vulnerability, so we can block any such attempt without chasing malware samples and learning their signatures. This is the essence of being proactive vs. reactive.
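The contrast the last three paragraphs draw (a signature learned from one malware sample stops matching as soon as the payload changes, whereas a check on the condition that triggers the vulnerability catches every variant) can be shown on the .ani format itself. The following is an added example, not code from the post or from Aladdin's XploitStopper. It constructs three tiny RIFF/ACON (.ani) files in memory and runs two detectors over them: a hash signature taken from the first malformed sample, and a structural validator that checks one format invariant, namely that an `anih` chunk must carry exactly the 36-byte ANIHEADER the format defines. That invariant is used here only as a stand-in for "what exactly triggers the vulnerability"; the post does not describe the bug's internals, and the constructed samples are malformed test data, not real exploit files.

```python
import hashlib
import struct
from typing import Dict, Iterator, List, Set, Tuple

ANIH_SIZE = 36  # byte length of the ANIHEADER structure (nine 32-bit fields)


def build_ani(anih_payload: bytes) -> bytes:
    """Build a minimal RIFF/ACON container holding a single anih chunk (constructed test data)."""
    chunk = b"anih" + struct.pack("<I", len(anih_payload)) + anih_payload
    if len(chunk) % 2:            # RIFF chunks are padded to an even length
        chunk += b"\x00"
    body = b"ACON" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_chunks(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (chunk_id, chunk_data) for each top-level chunk; raise on a truncated or foreign file."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise ValueError("not a RIFF/ACON (.ani) file")
    end = min(len(data), 8 + struct.unpack("<I", data[4:8])[0])
    pos = 12
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        start = pos + 8
        if start + size > end:  # declared length runs past the file: never trust it
            raise ValueError(f"chunk {cid!r} declares {size} bytes but only {end - start} remain")
        yield cid, data[start:start + size]
        pos = start + size + (size % 2)


def structural_check(data: bytes) -> List[str]:
    """Trigger-condition detector: list every violation of the anih invariant (empty list = clean)."""
    findings: List[str] = []
    try:
        for cid, payload in iter_chunks(data):
            if cid != b"anih":
                continue
            if len(payload) != ANIH_SIZE:
                findings.append(f"anih chunk is {len(payload)} bytes, format defines {ANIH_SIZE}")
            elif struct.unpack("<I", payload[:4])[0] != ANIH_SIZE:
                findings.append("anih cbSize field disagrees with the chunk length")
    except ValueError as exc:
        findings.append(str(exc))
    return findings


def signature_check(data: bytes, known_hashes: Set[str]) -> bool:
    """Payload-signature detector: true only for byte-identical copies of a known sample."""
    return hashlib.sha256(data).hexdigest() in known_hashes


# Constructed samples: a well-formed header, then two malformed files that differ only in filler.
GOOD_HEADER = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
BENIGN = build_ani(GOOD_HEADER)
VARIANT_A = build_ani(GOOD_HEADER + b"A" * 200)   # oversized anih chunk, filler "A"
VARIANT_B = build_ani(GOOD_HEADER + b"B" * 200)   # same structure, filler changed -> new hash
KNOWN_BAD = {hashlib.sha256(VARIANT_A).hexdigest()}  # signature learned from the first sample only


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """Map sample name -> (flagged by signature, flagged by structural check)."""
    samples = [("benign", BENIGN), ("variant_a", VARIANT_A), ("variant_b", VARIANT_B)]
    return {name: (signature_check(blob, KNOWN_BAD), bool(structural_check(blob))) for name, blob in samples}


if __name__ == "__main__":
    for name, (by_sig, by_struct) in evaluate().items():
        print(f"{name:10s} signature={by_sig!s:5s} structural={by_struct}")
```

Running it shows the benign file passing both detectors, `variant_a` caught by both, and `variant_b` (the same malformation with the bytes changed) slipping past the hash signature while the structural check still flags it. A truncated file is also reported rather than parsed, since `iter_chunks` refuses any chunk whose declared length exceeds the bytes actually present.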


internet security