For years now, many have argued that enterprise endpoint antimalware doesn't work: It's too expensive, too often misses the known malware it's supposed to catch and is unable to detect malware that nobody's seen before. However, nearly all enterprises see endpoint antivirus as a safety net their networks can't do without.
Getting a third-party patching program under way is one of the most important aspects of securing against malware on the endpoint.
So, what does the future hold for endpoint antimalware? Will it evolve and improve or be replaced by other technologies? In this tip, we'll review why enterprise endpoint antimalware has become less effective than it used to be; how to augment or replace it with antivirus alternatives, technologies or practices; and the best way to get the CIO on board with what is undoubtedly a significant strategic shift for enterprise endpoint defense.
Why endpoint antimalware has become ineffective
There are many people in the field today that bash endpoint security products because they've become largely ineffective at protecting against certain threats, particularly zero-day attacks. Traditional antimalware products rely on signatures and heuristics, and these techniques aren't going to catch every piece of malware. Zero-day attacks and malware that the antimalware software hasn't seen before often won't be detected.
So, if it can't stop the multitude of new and emerging malware, even with heuristics, why bother with it? With the headaches of keeping endpoint antimalware systems updated with the latest signatures and not being able to catch a great deal of malware that's being sent past these antimalware agents, the perceived value of these systems is declining. Does that mean it's time for endpoint antimalware to go away?
Why endpoint antivirus is still needed
One of the most common reasons why endpoint security software is still widely used in major companies is due to regulations. Regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) are helpful in ensuring that organizations meet certain information security baselines, and require that specific measures be undertaken and validated to ensure a trivial problem doesn't expose customer, patient or other important data.
Such standards typically should be seen as the minimum of what's required from an information security standpoint. Truly effective cybersecurity defense requires implementing technology and practices that range beyond what applicable mandates demand. Still, antimalware is required by a number of mandates, including PCI DSS 2.0, which specifically states that "antivirus software must be used on all systems commonly affected by malware." Developers of this standard know that malware writers are going to continue writing malicious code, but antimalware still remains an important line of defense in protecting the endpoint, even if it's far from 100% effective.
Alternative endpoint protection methods
We've heard about why endpoint protection software can be horribly ineffective as well as why we still need it, so what are we to do? If your CIO were to come to you tomorrow and ask that the antimalware be removed from all of the company's endpoints (which, by the way, I do not recommend), are there effective alternative or emerging antivirus methods for securing the company's endpoints beyond what antimalware can do?
For starters, creating an acceptable use policy for users will assist with at least warning users about how to behave on a corporate system. This doesn't stop malware from infecting an endpoint, but it might stop users from accessing dodgy websites or installing certain applications. It doesn't cost much to put such a policy in place, and even if it reduces malware incidents by 1%, it'll be worth it.
From a systems standpoint, the most important part of an endpoint security program is the hardening of the operating system, which is typically Windows. To limit the risk of a malware infection, ensure that users are limited to local administrator privileges, lock down all removable media from the workstation and keep User Account Control and the Windows firewall on and configured.
From the editors: More on endpoint security
Endpoint security: How to enforce endpoint protection
Endpoint application risks must be minimized as well. For starters, remove unused services and applications, which reduces the ways in which malware can infect a system. Also, keep applications up to date with the latest patches; this helps secure endpoints against the latest threats that exploit new vulnerabilities. Getting a third-party patching program under way is one of the most important aspects of securing against malware on the endpoint.
If there is money to spend, consider a gateway security appliance, such as proxy/Web filter, or an antispam or application firewall. These systems block a variety of malware before it reaches the endpoint, reducing the reliance on endpoint antimalware products, and that's a good thing.
There are ways to secure the endpoint and harden it against threats, but having endpoint
protection and endpoint hardening are just layers that work together to protect a company's
endpoints. When it's time to start talking to the CIO about beginning the strategic shift to reduce
the reliance on antimalware, start with the basics: it is a poor strategy to rely on any single
layer of security on its own, which is why using a defense-in-depth approach to guard against
endpoint malware, or any threat for that matter, is always preferred. Though endpoint antimalware
will likely be around for some time to come, now is the time to begin to transition toward other
antivirus technologies and methods to prepare for the increasing development of advanced malware
and other endpoint attacks that traditional AV simply won't be able to handle.
About the author:
Matthew Pascucci is an information security engineer for a large retail company, where he's involved with vulnerability and threat management, security awareness, and daily security operations. He's written for various information security publications, has spoken for many industry companies, and is heavily involved with his local InfraGard chapter. Pascucci is a frequent contributor to SearchSecurity.com and serves as its resident network security expert for its Ask the Experts panel.
This was first published in November 2012