Yes, you can identify and protect against this type of attack, but doing so requires deploying a few tools. Scanners fall under the family of Policy Enforcement Point (PEP) technologies. PEPs themselves fall into two categories: sensors and actuators. A scanner is a sensor: it detects when a security policy has been violated (in this case, unauthorized software on a system) but only reports the violation. What you're looking for is an actuator. Actuators also detect policy violations, but instead of merely reporting the issue they can execute a remediation action, such as blocking or removing the keylogger.
For keyloggers at the system level, the best actuator technology is a spyware/keylogger/virus removal tool. However, this assumes you already know you have a keylogger problem. The tool may also be cost-prohibitive to deploy on every system, or may not be available for the affected operating system at all.
At the infrastructure level, the newest technology is Data Loss Prevention (DLP) tools. These tools detect when unauthorized information attempts to leave the enterprise and block the outbound transmission. While this doesn't get rid of the keylogger, it does prevent it from sending the captured information back to whoever planted it. Note that DLP only helps for traffic that actually passes its inspection point in a form it can read: a keylogger that exfiltrates over an encrypted channel the tool cannot decrypt, or from a laptop that is off the corporate network, will not be caught.
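The sensor-versus-actuator distinction above, applied to the DLP idea in this paragraph, as an added Python example that is not part of the original column. It inspects a constructed batch of outbound messages for content a keylogger would typically exfiltrate (a captured window title, a password-like key/value pair, a Luhn-valid card number), and then shows the same inspection logic used two ways: a sensor that only reports which messages violate policy, and an actuator that blocks them unless they are bound for an approved host. The message format, the rules and the host names are all illustrative assumptions; a real DLP product would inspect the actual protocol (SMTP, HTTP) and carry far richer content classifiers.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Outbound:
    """One outbound transmission seen at the network boundary (assumed shape)."""
    host: str   # destination
    body: str   # payload as text


@dataclass
class Finding:
    rule: str
    evidence: str  # masked, so the report itself does not leak the data


# Constructed sample traffic, not taken from the original page. 198.51.100.23 is a
# documentation-only address standing in for an attacker's drop site.
SAMPLE_OUTBOUND = [
    Outbound("mail.example.com", "Agenda for Tuesday: budget review at 10, then lunch."),
    Outbound("198.51.100.23", "[Window: Online Banking - Login]\nuser=jdoe\npass=Hunter2!\n"),
    Outbound("cdn.example.net", "order 4539 1488 0343 6467 shipped"),
    Outbound("cdn.example.net", "ref 4539 1488 0343 6468"),  # fails Luhn: a reference number, not a card
    Outbound("payments.example.com", "card 4539 1488 0343 6467 charged"),
]

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")                  # 13-16 digits, optional separators
CRED_RE = re.compile(r"(?i)\b(pass(?:word)?|pwd)\s*[=:]\s*\S+")     # password-like key/value pair
KEYLOG_RE = re.compile(r"\[Window:[^\]]*\]")                        # window-title marker many keyloggers emit


def luhn_ok(number: str) -> bool:
    """Luhn checksum; weeds out digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect(msg: Outbound) -> list[Finding]:
    """Content classification shared by sensor and actuator: every violation found."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(msg.body):
        if luhn_ok(m.group(0)):
            findings.append(Finding("card-number", "****" + m.group(0)[-4:]))
    m = CRED_RE.search(msg.body)
    if m:
        findings.append(Finding("credential", m.group(1) + "=***"))
    m = KEYLOG_RE.search(msg.body)
    if m:
        findings.append(Finding("keystroke-log", m.group(0)))
    return findings


def sensor(messages: list[Outbound]) -> dict[int, list[Finding]]:
    """Sensor PEP: report which messages violate policy; nothing is blocked."""
    report = {}
    for i, msg in enumerate(messages):
        findings = inspect(msg)
        if findings:
            report[i] = findings
    return report


def actuator(messages: list[Outbound], allowed_hosts: set[str]):
    """Actuator PEP: deliver clean traffic, block violating traffic unless its
    destination is on an approved list (e.g. the real payment processor)."""
    delivered, blocked = [], []
    for msg in messages:
        findings = inspect(msg)
        if findings and msg.host not in allowed_hosts:
            blocked.append((msg, findings))
        else:
            delivered.append(msg)
    return delivered, blocked


if __name__ == "__main__":
    for i, f in sensor(SAMPLE_OUTBOUND).items():
        print(f"message {i}: {[x.rule for x in f]}")
    _, blocked = actuator(SAMPLE_OUTBOUND, {"payments.example.com"})
    for msg, f in blocked:
        print(f"BLOCKED -> {msg.host}: {[x.rule for x in f]}")
```

The Luhn check is what keeps the card rule from firing on every 16-digit order or ticket number, and the allow-list is what lets the actuator block the same card number going to an unknown host while still delivering it to the payment processor; both are the kind of tuning a DLP deployment needs before it can be allowed to block rather than just report.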
One of the most important steps is to keep spyware from reaching end users in the first place. To do this, run an enterprise antimalware/antivirus tool at your boundary email server, which is where most malicious software enters the organization. If you want to lock down the other avenues by which spyware reaches your systems, install software on end-user systems that blocks thumb drives and other portable media and devices, as these are the second most common entry point for spyware and viruses. Before banning thumb drives, however, be sure to weigh the inconvenience this will cause users.
As a final thought, you didn't say what your position is in your organization. I mention this because there are authorized keyloggers as well. Have you verified that the security department hasn't authorized installing keyloggers on some user systems to ensure that only authorized actions are being executed on them? Some organizations use keyloggers as a sensor PEP!
For more information:
- Get more advice on how to detect keyloggers.
- What's the best strategy for using antivirus to get rid of spyware? Read more.
This was first published in November 2009