What are some of the drawbacks and limitations of network-based malware detection? We're trying to determine the ROI of supplementing our client anti-malware software with network malware detection.
Ask the Expert!
Have questions about network security for expert Matt Pascucci? Send them via email today! (All questions are anonymous.)
Just like everything else in security, you're trying to calculate the ROI for a product that's being used as insurance, and that isn't an easy task. The insurance in this case is network-based malware detection, an up-and-coming method of malware protection or, as we like to call it in the security industry, an additional layer of protection.
Network malware detection isn't brand new, but it's starting to get some press as of late. The ability to position a device at your perimeter or throughout your network potentially allows for greater coverage of your network and the data passing through it. This being said, there are architectural limits of certain devices. Some of these devices are inline, which can create latency on your network. It might not be much, but latency is latency, especially if you are already dealing with a bandwidth issue. Many files will be scanned multiple times if you're using other security systems like IPS, spam firewall, and the like.
Also, some network-based malware detection systems need a span port to monitor certain aspects of the network. The system must be positioned properly for the best view of your network and might require additional hardware for complete coverage. Lastly, there is no silver bullet when installing new products. Many of these systems combine their efforts by searching for malware, finding known outbreaks or attacks and updating their methods to defend against them.
This is a great layer to defend against malware, but like anything else it needs to be tuned and managed. Since the system sees everything on the network, there could be quite a few false positives, and it could hold back data if not configured properly or monitored. Don't for a minute think you can put in a system and forget about it.
One way to help determine the ROI for this project is to consider the ineffectiveness of current methods of malware protection. Trends and data show that endpoint malware protection hovers around 50 to 60% effectiveness (on a good day) and is almost useless against zero-day threats. As for a ROI on the system itself, I would show the current price of the product with the added benefit you'll receive, plus any older legacy systems that it could replace.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Matthew Pascucci
Matthew Pascucci discusses virtual security gateway appliances and whether they are a virtual data center necessity or just an overhyped product.continue reading
Will the ongoing adoption of cloud technology affect the skills that network security engineers need in the future? Matt Pascucci discusses.continue reading
Matthew Pascucci discusses the potential security risks associated with fiber optic networking.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.