It seems every security vendor claims it has the unique capability to find and stop (or at least minimize the impact of) advanced malware, which can be loosely defined as "anything your existing antimalware product doesn't catch, but probably not including old viruses and worms that we don't really care about."
In spite of these claims, plenty of problem space remains: notable malware infections occur in enterprises anywhere from several times per week to several times per day. That raises the question of whether any investment in an antimalware product can pay dividends.
"Organizations are still getting infected by malware. They are purchasing blinking boxes promising solutions, but still suffer the same problems we saw 10 years ago," said Lance James, head of cyber intelligence for Deloitte and Touche LLP. "The risks for the bad guys have hardly changed, and the rewards only seem to continue. It is probably time to consider another approach."
No antimalware product will ever be 100% effective, yet there are many solid products that, for the right price, are good investments. But there are many variables to evaluate in selecting an appropriate and effective enterprise antimalware product. That's what we'll discuss in this feature.
Choosing Antimalware: TCO vs. Risk Reduction
The key to choosing any new product is to compare its projected total cost of ownership to the anticipated reduction in risk. In order to make this comparison, the enterprise must understand the key characteristics of the new product and determine the impact on cost.
In conducting this evaluation, it is important to cover all the costs. "I think a tragic mistake we make in IT is that we forget the tremendous burden antimalware sometimes puts on a system," says Stu Berman, security architect for Steelcase. "It is a cost we ignore at our peril because the user feels it in longer boot times, slower processing, weird messages and other ways."
An advanced malware-protection product sells itself if it can show how it accomplishes the following:
- Prevents infections by blocking the infection process. Some products aim to detect malware before it becomes resident on a system, and contemporary advanced antimalware products augment traditional signature-based detection with heuristic and reputation-based techniques. Sometimes this means allowing an initial infection but blocking the ones downstream -- a small price to pay if it identifies truly dangerous malware.
- Prevents damage by restricting access to sensitive resources. Some products contain an infection in a way that requires further exploitation to get at sensitive data or otherwise affect an environment. Ultimately, simply closing the container may eliminate these infections.
- Increases speed of response. Some antimalware offerings employ a "fast-follower" approach by simultaneously evaluating binaries and alerting responders of an infection so they may take further action. Others may be able to quickly issue an alert and also provide forensic information for real-time response.
- Increases speed of recovery for malware incidents. Even post-infection, products that capture more information about state (e.g., registry settings) and activity history (e.g., executables launched and/or network connections made) reduce the amount of time required to completely recover from an incident.
From a practical perspective, there are a number of product characteristics that must be evaluated, aside from the viability of the vendor, platform dependencies, integration with existing technology and manageability, all of which should be standard in any evaluation exercise.
Given the four options above, it is useful to consider what type of product may provide the best protection against advanced malware for the cost. Today there are a surprising variety of products tackling the problem using different approaches. Network sandboxes run binaries looking for malware within a self-contained environment. Endpoint-containment products isolate processes and keep them away from sensitive data. Endpoint monitoring or forensics offerings provide state and/or activity information. Even traditional antimalware may provide these or other capabilities.
Each of these product categories -- and possibly others -- addresses malware-related risk in some way, though none provides a guarantee of success. Enterprise security architects must consider the characteristics of their environment to assess the likely effectiveness of any given technology.
Implementation and management considerations
As discussed above, an advanced malware-prevention product's features are critical in determining its value and effectiveness, but the way a product is implemented and managed plays a significant role as well. Below are several factors to consider.
Implementation location (network or endpoint): The most obvious decision point for an advanced malware-prevention product is whether it should reside on the network or on the applicable endpoints. A network-based product is typically easier to implement but may miss some traffic, especially in a highly mobile environment. It may also flag malware that never actually infected an endpoint because the dependencies it needed (an unpatched system, for example) were not present.
An endpoint-based solution can be challenging to implement and manage, never mind that the organizational politics of selling key stakeholders on the product may be challenging in the face of Windows upgrades, bring-your-own-device initiatives and VDI projects. But endpoint-based products frequently provide more comprehensive coverage and have more flexibility in response.
Cloud integration: Almost all of today's advanced malware protection products provide some cloud capability, not only to aggregate threat intelligence or assess reputation, but also to make the malware determination. With the rapidly evolving nature of the malware threat, it is pretty clear that aggregated data provide a better opportunity for success than the standalone deployment. That said, some products don't need a cloud component, and some organizations are simply against both sharing their data and using cloud resources.
Threat intelligence and attribution: Some products work hard to monitor online "gangs" known to be at work in China, Eastern Europe and other locations around the world. Some organizations want the ability for attribution for different attacks. On the other hand, many organizations don't have resources or desire to pursue the many attackers out there and simply want protection from presumed opportunistic threats.
Evasion, false negatives and false positives: Perhaps the most important question for any advanced malware-protection product lies in its ability to actually find the bad stuff with a minimal amount of noise. Unfortunately, there is no way to make an absolute determination; there is simply too much variability in activity, environments and implementations. Suffice it to say that every technology can be evaded, and almost every product misses some malware and catches some legitimate software. At a minimum, the organization should rely on references and reports, and where possible set up its own test beds to evaluate solutions in a manner that matches the organization's objectives.
The best way to identify the appropriate advanced malware-protection product for your organization is to first determine whether you really need one. At the very least, the cost justification requires comparing the total cost of the new product (purchasing, implementing and managing it) against the anticipated reduction in two areas: the existing cost of recovering from infections, and the risk the organization carries if it does not proceed with the project.
The key expenses that may be reduced by a new advanced malware-protection product revolve around recovery from existing infections. If, for example, the average infection is estimated to cost the organization $1,000 in help desk and desktop support, and lost productivity, then an organization can break even with a product that costs $100,000 if it reduces the number of calls by 100.
Aside from the run-of-the-mill virus infection, these solutions aim to protect against particularly nasty attacks that result in much larger incidents. These types of incidents are (thankfully) less frequent and require some measured guesswork. Regardless of the challenge, an organization again can use a break-even analysis, comparing total costs to expected risk reduction.
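As an added illustration (not from the article), here is the break-even comparison from the paragraphs above carried through in Python. The $1,000-per-infection and $100,000 figures are the article's; every other number (incident rates, the major-incident loss, licence and operations costs, the three-year horizon) is constructed for the example, and the class, field and function names are assumptions of this example rather than any vendor's model. It treats the rare, large incidents the article mentions as a second incident class with its own expected frequency, and adds a sensitivity check for the "measured guesswork": the smallest prevention rate for routine infections at which the product still breaks even.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class IncidentClass:
    """One class of malware incident with its current rate and recovery cost (constructed model)."""
    name: str
    annual_count: float         # expected incidents per year without the new product
    cost_per_incident: float    # average recovery cost in dollars (help desk, rebuilds, lost productivity)
    expected_reduction: float   # fraction of these incidents the product is expected to prevent, 0..1

    def annual_loss(self) -> float:
        """Expected yearly loss from this class today (count x cost)."""
        return self.annual_count * self.cost_per_incident

    def annual_savings(self) -> float:
        """Expected yearly loss avoided if the product performs as assumed."""
        return self.annual_loss() * self.expected_reduction


def total_cost_of_ownership(annual_license: float, deployment: float,
                            annual_operations: float, years: int) -> float:
    """TCO over the evaluation horizon: one-off deployment plus yearly licence and
    operations (staff time, endpoint performance impact, user friction)."""
    return deployment + (annual_license + annual_operations) * years


def break_even_incidents(product_cost: float, cost_per_incident: float) -> float:
    """Incidents the product must prevent over its lifetime to pay for itself."""
    return product_cost / cost_per_incident


def evaluate(classes: list[IncidentClass], tco: float, years: int) -> dict:
    """Compare lifetime expected savings with TCO; a positive net_benefit means the
    purchase is justified under the stated assumptions."""
    savings = sum(c.annual_savings() for c in classes) * years
    return {
        "lifetime_savings": savings,
        "tco": tco,
        "net_benefit": savings - tco,
        "benefit_cost_ratio": savings / tco,
    }


def required_reduction(classes: list[IncidentClass], target: IncidentClass,
                       tco: float, years: int) -> float:
    """Sensitivity check: the smallest prevention rate for `target` at which the
    product breaks even, holding the other classes' assumptions fixed."""
    other_savings = sum(c.annual_savings() for c in classes if c is not target) * years
    return max(0.0, (tco - other_savings) / (target.annual_loss() * years))


def example_scenario():
    """Constructed figures; only the $1,000 routine-infection cost comes from the article."""
    common = IncidentClass("routine infection", annual_count=300,
                           cost_per_incident=1_000, expected_reduction=0.5)
    severe = IncidentClass("major incident", annual_count=0.2,      # roughly one every five years
                           cost_per_incident=500_000, expected_reduction=0.3)
    years = 3
    tco = total_cost_of_ownership(annual_license=60_000, deployment=40_000,
                                  annual_operations=20_000, years=years)
    return [common, severe], tco, years


if __name__ == "__main__":
    # The article's own break-even: a $100,000 product pays for itself by preventing 100 $1,000 infections.
    print("article break-even:", break_even_incidents(100_000, 1_000), "infections")
    classes, tco, years = example_scenario()
    print(evaluate(classes, tco, years))
    print("break-even prevention rate for routine infections:",
          round(required_reduction(classes, classes[0], tco, years), 3))
```

The point of the sensitivity function is the one the article makes about guesswork: a vendor's claimed detection rate is unverifiable in the abstract, so the useful question is how far the estimate can fall before the purchase stops paying for itself, and that threshold is what a test bed or reference checks should then be measured against.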
Ultimately, all of the products providing advanced malware protection have a value proposition that satisfies some subset of the marketplace. It is up to each organization to determine whether the features of a given product fit its environment best, but applying the principles discussed here will help ensure the cost of a product is in line with its true value.
About the author:
Pete Lindstrom is vice president of research for Spire Security, an industry analyst firm providing analysis and research in the information security field. He has held similar industry analyst positions at the Burton Group and Hurwitz Group.
This was first published in February 2014