This tip is part of SearchSecurity.com's Security School lesson, Architectural considerations for enterprise antimalware deployments. For more information, visit the lesson page;
for additional learning resources, visit the Security School Course Catalog page.
"How much is enough?" That’s a question many security professionals have been asking themselves recently in regard to enterprise antimalware.
Mergers, changes in management, bundled software from providers, and accumulation over time have left more than a few companies with a veritable potpourri of antimalware products on their networks. Although the traditional security wisdom is that layered security is the best way to mitigate risk, in the world of malware it’s common to see those layers pile up in a confusing, costly and inefficient mess.
Multiple malware layers cost money every year when the annual license fees are renewed. These annual renewal fees are often 18-25% of the original cost of the product, not a trivial expenditure for most security programs. Having multiple malware layers also means having multiple consoles to administer and manage. This means more resource time to configure and maintain the product, and in some cases, can lead to mismatched configurations and policies.
Early antivirus products were host-based agents that used basic signature detection to scan hard drives for malicious code. Today’s antimalware is a more sophisticated blend of signature detection, policy rules and complex heuristics with anomaly detection. Detection engines are deployed on the host in the form of antimalware security agents. These agents are usually a hybridized amalgam of antivirus, antispyware, anti-rootkit, anti-Web malware, and personal firewall functions.
Hybridized architectures are also driving malware build-up. In addition to host-based agents companies can, and do, purchase antimalware for perimeter protection. These products include on-premise Web/messaging hygiene features that scan inbound Web traffic, emails and attachments, as well as "next-generation" firewalls and UTMs that inspect traffic for malicious code and unusual activity. There’s antimalware in the cloud too. Cloud-based message hygiene offerings inspect mail before it is sent to the corporate mail server or directly to a user’s inbox. Other cloud antimalware options include scanning for public-facing websites to determine if they’re infected with malware, and Internet hygiene gateways that can be used by mobile workers who are outside of the corporate network.
How to assess, address antimalware overload
Clearly there are a lot of antimalware options both technically and architecturally. So how can an organization ascertain if it has efficient, layered security or lunatic overload? An IT security team should undertake a step-by-step evaluation of the existing environment and needs, and then take action to reduce overlaps and fill in gaps. At a high level, the steps are as follows:
Evaluate existing environment: The first step is to look at the deployment environment to determine if it’s truly strategically layered or just layers of security product build-up. To do this:
Inventory: Start by inventorying all the devices in the organization and classifying their importance to the organization. Basic inventory information may already be available in an asset inventory list, but the security team should validate that list to ensure it is accurate. This includes the sensitivity or value of the data on that system and the importance of the system or device availability. Don’t forget to include where that system resides, since architectural options will be different for a server in the corporate data center and a smartphone that uses public networks. If a topology map is available, it can be used as a baseline network map, but again should be validated by security and augmented with penetration testing that provides attack path data and identifies which systems are vulnerable and through what entry points. For example, a database that is part of an externally facing Web application may be vulnerable to an attack from the Internet, but an internal database may only be vulnerable to attack from people on the corporate network.
Review policies: What mandates is the company subject to? If a device is in a PCI DSS audit zone, per Requirement 5.1, antivirus is not optional. NERC CIP-007-4 Requirement R4 and HIPAA §164.308(a)(5)(ii)(B) both call for some sort of malicious software prevention.
Category use: We already covered that there are many architectural options, but how many are in use at your organization? Take a look at whether some devices are subject to multiple antimalware protections; this could mean a single server has two or more host-based antimalware agents, or it could mean the same server is protected using the same engine and rule sets in multiple places like a host-based agent, and one or more perimeter gateways. Also determine if there are any systems that are left unprotected or with minimal protection. For example, many companies do not require host-based antimalware for Unix systems, but this leaves them unprotected if network or perimeter protection is not in place. And currently there are no host-based antimalware products for iOS devices (iPads, iPods and iPhones). Also review the techniques used. No single technique is perfect and a blend is often best. But make sure that product blend combines a mix of features; it doesn't make sense to, for instance, double up on signature detection and miss heuristics altogether.
Determine overlaps and gaps: Using the data from the evaluation phase, look for duplication and exposure points. Some questions to address:
- Are the same engines being used at different points?
- Are all devices protected at the same policy level?
- For devices that can’t be protected using traditional antimalware (ex: iOS), are there compensating controls in place?
- Are techniques used at the best location? (ex: messaging hygiene in the cloud)
Reduce or reinforce: By now you should have a pretty clear view of where your company is with antimalware, including which systems and data are covered, which aren’t and which ones are being buried in a surfeit of antimalware coverage. From here you can:
- Reorganize the antimalware architecture to fit with the current corporate needs.
- Eliminate overlaps by removing duplicate engines or techniques that are not adding value.
- Implement new techniques/engines/solutions if needed.
Spending money every year to renew licenses for antimalware that is not being updated or is not longer effective doesn’t make sense. And having multiple, redundant scan points may slow traffic down, but not provide any additional security benefits. Take a look at your malware architecture to determine if there are overlaps or redundancies that can be eliminated. At the same time, look for areas of exposure and gaps. This could mean a device that’s not protected, like an iPhone, or one that has outdated protection, like a signature-only network device in front of an HR database.
Taking the time to assess and clean up your malware infrastructure can not only save time and money, but also provide an opportunity to assess your current protections and improve or fine-tune as needed.
About the author:
Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
This was first published in April 2012