What are some of the drawbacks and limitations of network-based malware detection? We're trying to determine the ROI of supplementing our client anti-malware software with network malware detection.
Ask the Expert!
Have questions about network security for expert Matt Pascucci? Send them via email today! (All questions are anonymous.)
Just like everything else in security, you're trying to calculate the ROI for a product that's being used as insurance, and that isn't an easy task. The insurance in this case is network-based malware detection, an up-and-coming method of malware protection or, as we like to call it in the security industry, an additional layer of protection.
Network malware detection isn't brand new, but it has started to get some press lately. The ability to position a device at your perimeter or throughout your network potentially allows for greater coverage of your network and the data passing through it. That being said, certain devices have architectural limits. Some of these devices sit inline, which can add latency to your network. It might not be much, but latency is latency, especially if you are already dealing with a bandwidth issue. Many files will also be scanned multiple times if you're using other security systems such as an IPS, a spam firewall, and the like.
Also, some network-based malware detection systems need a SPAN port to monitor certain aspects of the network. The system must be positioned properly for the best view of your network and might require additional hardware for complete coverage. Lastly, there is no silver bullet when installing new products. Many of these systems combine several techniques: scanning traffic for malware, recognizing known outbreaks or attacks, and updating their detection methods to defend against them.
This is a great layer of defense against malware, but like anything else it needs to be tuned and managed. Since the system sees everything on the network, there could be quite a few false positives, and it could hold back legitimate data if it is not configured properly or monitored. Don't for a minute think you can put in a system and forget about it.
One way to help determine the ROI for this project is to consider the ineffectiveness of current methods of malware protection. Trends and data show that endpoint malware protection hovers around 50 to 60% effectiveness (on a good day) and is almost useless against zero-day threats. As for an ROI on the system itself, I would show the current price of the product with the added benefit you'll receive, plus any older legacy systems that it could replace.
This was first published in March 2013