The Smart Techie was renamed Siliconindia India Edition starting Feb 2012 to continue the nearly two decade track record of excellence of our US edition.

February - 2005 - issue > Cover Feature

Day Zero: How do you stop a security attack?

Sridhar Jayanthi
Thursday, November 13, 2008
Most employees in IT departments of large enterprises are already aware of the term “Zero-Day” by now. The term may not be very new, but it represents a new way of thinking among both vendors and customers of security products the world over. A “Zero-Day” in IT security lingo essentially stands for an identified vulnerability that has the potential to be exploited. A Zero-Day attack is one that has not yet occurred but is looming on the horizon. When any software or hardware vulnerability is discovered, either by a vendor or by an underground hacker, we have a “Zero-Day” that gets the pulse of any IT security person racing. The one hope is that they hear of this “Zero-Day” vulnerability before it does the rounds among malicious code writers, and that the security vendors have a solution for it before the exploit is let loose.

Just for a moment, think about the end game for an enterprise Chief Security Officer – it would be the day when all the systems are protected 24/7 from viruses, Trojans, worms, and hackers stealing or destroying data or launching denial-of-service or buffer-overflow attacks. The CSO would ideally like protection from all this without ever having to react urgently. Until that happens, enterprises will keep buying products that promise to achieve the desired levels of protection. Enterprises would love to be in a situation where they have Zero-Day protection, without having to jump out of bed and rush to the office to update signatures or sit on the phone trying to rectify an infected system. In short, they would prefer proactive protection that is “always on” rather than reactive protection that requires manual intervention.

There are a few trends that are driving the market towards proactive protection. The first is a gradual transition of the security market towards products that promise “intrusion prevention”. I use this term loosely, since there are very few real intrusion prevention systems in the market today. Most security product vendors merely provide intrusion detection (IDS) with a limited ability to take automatic action. Given that limited capacity to prevent attacks proactively, it is almost certain that IDS technology will be history in a very short period. Enterprises are increasingly looking for a reliable and comprehensive IPS package that can be trusted to stop the viruses, rather than one that merely raises an alert about an intrusion into the network.

Intrusion prevention (IPS) technologies can be either network-based or host-based, and the two serve different purposes. In both models, the IPS looks for known and unknown attack patterns, matching signatures and detecting behavior anomalies with rule-based engines that can learn what “normal traffic” looks like and recognize “abnormal traffic”. In this newly maturing market, there already exist intrusion prevention systems that support gigabit networks with low latency.
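As an added illustration (not code from the article or any vendor's product), the following Python sketch combines the two mechanisms described above: a signature rule set and a per-source request-rate baseline learned from traffic assumed to be normal. It also shows the difference between a detection-only verdict and a prevention decision: a source with no learned baseline can only be alerted on, while a signature hit or a rate well above the baseline yields a block. The signature, host addresses and traffic records are constructed for the example.

```python
import re
import statistics
from collections import defaultdict

# Hypothetical signature rule set (name -> regex over the request payload).
SIGNATURES = {"path-traversal": re.compile(r"\.\./")}

def learn_baseline(events, bucket=60):
    """Per source: (mean, stdev) of requests per bucket over assumed-normal traffic."""
    per_src = defaultdict(lambda: defaultdict(int))
    for ts, src, _payload in events:
        per_src[src][ts // bucket] += 1
    return {src: (statistics.mean(b.values()),
                  statistics.pstdev(b.values()) if len(b) > 1 else 0.0)
            for src, b in per_src.items()}

def evaluate(events, baseline, bucket=60, z=3.0):
    """Per source: 'block' (IPS action), 'alert' (detect only) or 'allow', with reason."""
    rate = defaultdict(lambda: defaultdict(int))
    verdict = {}
    for ts, src, payload in events:
        rate[src][ts // bucket] += 1
        for name, pat in SIGNATURES.items():      # known pattern: block outright
            if pat.search(payload):
                verdict[src] = ("block", "signature:" + name)
    for src, buckets in rate.items():
        if src in verdict:
            continue
        mean, stdev = baseline.get(src, (None, None))
        peak = max(buckets.values())
        if mean is None:                           # never seen: nothing learned, so only alert
            verdict[src] = ("alert", "no baseline for source")
        elif peak > mean + z * max(stdev, 1.0):    # abnormal rate versus learned normal
            verdict[src] = ("block", f"peak {peak}/bucket vs baseline {mean:.1f}")
        else:
            verdict[src] = ("allow", "within baseline")
    return verdict

# Constructed traffic records (timestamp_seconds, source_ip, payload); not real captures.
NORMAL = ([(t, "10.0.0.5", "GET /index.html") for t in range(0, 600, 10)]
          + [(t, "10.0.0.6", "GET /api/status") for t in range(0, 600, 30)])
WINDOW = ([(t, "10.0.0.5", "GET /index.html") for t in range(600, 660)]       # 60/min flood
          + [(600, "10.0.0.6", "GET /api/status"), (630, "10.0.0.6", "GET /api/status")]
          + [(605, "10.0.0.7", "GET /files/../../config.ini")]                # signature hit
          + [(607, "10.0.0.8", "GET /index.html")])                           # unseen host

def run_demo():
    return evaluate(WINDOW, learn_baseline(NORMAL))
```

Running `run_demo()` blocks the flooding host and the signature hit, allows the host whose rate matches its baseline, and only alerts on the host it has never learned anything about.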

The second trend is the commoditization of anti-virus software, with AV products on desktops and servers moving up the value chain to include minimal desktop firewall and IPS characteristics. The day is not far off when plain anti-virus products will cease to exist for enterprises and even consumers. The idea is to protect a system from multiple threats, including viruses, buffer-overflow attacks, unwanted programs or spyware, and unauthorized access to servers, and from other such threats that target a system regardless of whether it is in an enterprise or at home.
