In the trenches
Keeping pace...for now
Security managers rely on layers of defense against malicious code.
Nobody knows more about the insidiousness of malware than a university security officer. On a college campus, CIOs like Jack Seuss are often faced with the challenge of securing thousands of computers. "There's really no single solution that's a silver bullet," says the vice president of IT at the University of Maryland. Malware defense requires a multitude of approaches.
Seuss has used a host intrusion prevention system that covers most campus desktops. He also automates patch updates on the majority of Windows machines, and has enabled campus-wide distribution of antivirus and antispyware software. Part of that layered-defense strategy includes user awareness.
While victory certainly cannot be declared, many security officers feel like they've done a decent job keeping up with malware--so far.
"[Last] fall was the smoothest in the six years I have been at Northeastern," says Glenn Hill, the university's director of information security. He says credit belongs to students and administrators who are actively protecting their computers and avoiding malware more than ever.
John Hornbuckle, network manager for the Taylor County school district in Florida, hasn't had an outbreak in some time, but he isn't celebrating yet. "Just because we're relatively safe today doesn't
With the stealthy nature of malware, a major problem involves actually finding the bad stuff. "A piece of malware may have a characteristic of this or that," says Jim Moore, an information security officer at Rochester Institute of Technology. "If it's a variant, is it a variant of malware A or malware B? Or did someone get the bright idea to take pieces of one and pieces of the other?"
Another sticking point with antimalware technologies is their signature-based design. "To defeat these products, all a malware author has to do is get his product distributed more quickly than updated signatures can be distributed," says Hornbuckle.
With the geometric expansion of virus variants, many are looking for more behavior-blocking technologies that monitor system and application behavior that runs contrary to policy, rather than matching characteristics with a known virus signature.
According to a recent Yankee Group report, vendors such as Prevx, Sana Security, Third Brigade and Determina specialize in this type of technology, competing with larger vendors like IBM Internet Security Systems, Symantec, Cisco and McAfee.
"I need a tool that baselines process and data flows, and detects aberrations," says Moore. "There are different ways of doing that, from heuristics to no-execute bit architectures."
As malware writers and antivirus vendors continuously try to outsmart the other, information security officers do the best they can with what's available. "We're holding even," says Seuss.
This was first published in April 2007