It's easy to see why so many savvy information security professionals are skeptical about the effectiveness of enterprise antivirus systems. Today, most malware is dropped directly onto enterprise endpoints without much effort on the part of attackers. Studies have shown that a fully updated antivirus package is only about 50% effective at guarding against malware and is almost useless in preventing
Like anything else in security, protection in layers is the best approach to protect against malware, but even then there are no promises.
Malware writers are getting smarter and their viruses more sophisticated. Criminals are using encryption in their malware, along with robust business models that include quality control checks, license keys, upgrades, support and marketing. The bad guys take beating antivirus programs very seriously, and so should we.
A standard antivirus package is no match for today's malware because it is based on signatures. Having to keep thousands of antivirus clients up to date with the latest signatures is also something that becomes an issue; as AV signatures age, their effectiveness declines. This is just a cat-and-mouse game we play with cybercriminals that they are winning. In fact, most attackers test their malware against common antivirus products before ever employing it to ensure that the malware can get through. Although antivirus is still a needed layer in the defense-in-depth paradigm and demanded by many regulations, any organization that relies on antivirus alone for its endpoint protection has cause for concern.
Consider the path a malicious file normally takes before it arrives at an endpoint: The file is sent from the malicious source and makes its way through the Internet, onto the network, through a company's systems, and eventually onto its endpoint. Along this path are multiple opportunities within the network to catch this traffic and stop it before it causes a breach or infection.
Throughout this article, we'll look at each one of these locations in the network and propose a few technologies that can assist with the process of implementing a new endpoint security strategy for stopping malware before it strikes.
Antivirus alternatives: The cloud layer
The cloud has a scary reputation when it comes to storing data, but cloud computing can be especially helpful from an antivirus perspective. Many antivirus vendors now offer services in which they combine intelligence from tens of thousands of customers, partners and even other vendors to better pinpoint potentially malicious activity. The knowledge enables a more predictive form of protection from malware before it even hits a company's network.
When attempting to stop malware from infecting an endpoint, it should be stopped as close to the source as possible; the fewer layers it penetrates, the less likely it will get anywhere near an endpoint. There are only so many new signatures, antivirus or otherwise, that can be pushed down to a multitude of endpoints. If malware can be stopped in a choke point once, it would free up these nodes. Using cloud-based systems as part of the antimalware infrastructure reduces the number of malware instances that make their way to the local network.
Services like those provided by FireEye and ValidEdge allow traffic to be scanned for malware before it hits the network. These providers' services rely on appliances that are in tune with similar systems and work together against known recent attacks. This allows for quicker and more comprehensive protection before potentially malicious traffic enters into the network. In essence, the cloud allows many systems to globally share intelligence to stop malware.
Antivirus alternatives: The network layer
More on malware defense
Application whitelisting: An extra layer of malware defense
Proactive security measures: How to prevent malware attacks
The network layer can use appliances and gateways to scan packets for malicious traffic and in turn block malware. From an appliance level, next-generation firewalls are becoming a great way to prevent malware. They offer application-, identity- and reputational-aware rule sets, which were previously not possible with "old school" firewalls. Knowing what normally goes through a firewall as a baseline and being able to view application-layer activity allows a deeper monitoring of traffic. Previously, this traffic would have passed through firewalls unchecked, but now the firewalls look at traffic higher in the stack.
Other appliances at this layer are email and spam firewalls, which include malware protection. Most Web content-filtering systems are able to search files or downloads from the Web by searching the file with a list of hashes from known bad files and blocking known malicious pages before allowing the user to click on the page.
Many if not most attacks are conducted via phishing campaigns. Email messages are equipped with hyperlinks that invite unsuspecting users to download malicious payloads. Fortunately, spam gateways can be taught what spam is by using Bayesian techniques and inserting custom Real-time Blackhole Lists (RBLs), assisted by cloud collaboration, into the gateway to catch malware before it reaches an endpoint.
There's another system that can assist with catching suspicious behavior: security information and event management (SIEM). This particular technology might not prevent the infection of malware, but it does help detect malware once a system is infected by correlating and searching for malicious behavior in the system logs. It prevents an infection from spreading or doing long-term damage.
Antivirus alternatives: The endpoint layer
The endpoint is the last line of defense against malware, so it needs to be closely protected. Antivirus with updated signatures and heuristics are effective in screening out the most common types of malware, but enterprises must also consider whitelisting applications on the endpoint and hardening the OS as well.
Implementing a default-deny approach to applications prevents unauthorized applications from running and ensures that insecure applications never serve as an entry point for malware. Similarly, keeping up to date on patches and avoiding admin-level privileges greatly reduces the likelihood of a malware infection.
Using either an endpoint agent or a network scanner ensures that a company won't miss third-party software patches. Nowadays, the majority of malware is aimed at third-party vulnerabilities on software from Adobe Systems Inc. (Flash, Acrobat) or Oracle Corp. (Java). With this technology in place, Microsoft Group Policy can be used to limit users from performing actions using admin-level privileges, or even go as far as creating a virtual instance for each employee that can be cleaned or reestablished at each login.
Antivirus alternatives: The bottom line
Use cloud services like geo-IP blocking and RBLs in products to help bolster security in gateways and assist with protecting endpoints. Although nothing stops all malware indefinitely, it's critical for enterprises to move toward antivirus alternatives and to implement a layered malware defense strategy. Like anything else in security, protection in layers is the best approach to protect against malware.
About the author:
Matthew Pascucci is a senior information security engineer for a large retail company where he leads the threat and vulnerability management program. He's written for various information security publications, has spoken at many industry events and is heavily involved with his local InfraGard chapter. You can follow him on Twitter at @matthewpascucci or check out his blog at www.frontlinesentinel.com.
This was first published in August 2012