There are a number of necessary technologies for minimizing the effects of a malware attack, but tools are always more effective if backed by the proper policies and procedures. Policies such as "acceptable use," "classified waste disposal" and "auditing" are examples. Let's review some of the selection criteria you should consider when reviewing these technologies for deployment in your enterprise, and some of the challenges you will face when deploying them.
Gateway technologies are by far the most cost-effective products for minimizing the impact of a malware attack. Antispam/antivirus gateways have been shown to be more than 80% effective at reducing the sheer volume of malware entering your shop, so these technologies typically deliver the greatest value for your security dollar. Be cognizant, however, of the business you're in. It may be perfectly reasonable to block nude pictures if you're in the financial services industry. It would not be OK for healthcare businesses. This seems like a trivial statement, but it will prove to be a costly mistake should the FDA audit you and find that your spam filter blocked a doctor's submission of a bad drug interaction.
Web filters block access to sites that contain a disproportionately high amount of infected or compromised code, ideally minimizing the amount of malware your users track onto their PCs when browsing the Internet. Web filters also minimize an enterprise's exposure to the legal risks associated with access to pornographic or otherwise inappropriate Web sites.
Once malware has entered the enterprise, it must traverse your network to spread and drop its payload. Therefore within your network you may consider technologies such as a honeynet, intrusion detection/intrusion prevention system or tar pit/virus throttle. All of these methods will detect and/or redirect (honeynet, IDS/IPS) or slow down (tar pit/virus throttle) the spread of malware traffic via your enterprise's network.
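To make the "slow down" mechanism concrete, here is an added example (not code from the article) of a simplified virus throttle: each host may reach a small working set of recently contacted destinations without delay, every new destination is queued and released at a fixed rate per tick, and a host whose queue grows past a threshold is flagged as likely infected. The hosts, destinations, tick values and thresholds are constructed for illustration.

```python
from collections import deque

WORKING_SET_SIZE = 4   # recent destinations a host may reach without delay
RELEASE_RATE = 1       # queued new destinations released per tick
ALERT_QUEUE_LEN = 5    # queue depth that suggests worm-like scanning

class HostThrottle:
    """Per-host state: recently allowed destinations plus a delay queue."""
    def __init__(self):
        self.working_set = deque(maxlen=WORKING_SET_SIZE)
        self.queue = deque()

    def request(self, dst):
        """Pass a known destination immediately; queue a new one (False)."""
        if dst in self.working_set:
            return True
        if dst not in self.queue:
            self.queue.append(dst)
        return False

    def tick(self):
        """Release RELEASE_RATE queued destinations; True if queue is suspicious."""
        for _ in range(min(RELEASE_RATE, len(self.queue))):
            self.working_set.append(self.queue.popleft())
        return len(self.queue) >= ALERT_QUEUE_LEN

def run_throttle(events):
    """events: (tick, src, dst) tuples. Returns (delayed_count, alerted_hosts)."""
    hosts, delayed, alerted = {}, 0, set()
    last_tick = max(t for t, _, _ in events)
    for now in range(last_tick + 1):
        for tick, src, dst in events:
            if tick == now and not hosts.setdefault(src, HostThrottle()).request(dst):
                delayed += 1
        for src, throttle in hosts.items():
            if throttle.tick():
                alerted.add(src)
    return delayed, sorted(alerted)

# Constructed sample: a normal host revisits three servers over six ticks...
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "mail"), (1, "10.0.0.5", "files"), (2, "10.0.0.5", "mail"),
    (3, "10.0.0.5", "intranet"), (4, "10.0.0.5", "mail"), (5, "10.0.0.5", "files"),
]
# ...while a scanning host touches ten fresh addresses per tick for two ticks.
SAMPLE_EVENTS += [(t, "10.0.0.9", f"192.0.2.{t * 10 + i}")
                  for t in range(2) for i in range(10)]

if __name__ == "__main__":
    print(run_throttle(SAMPLE_EVENTS))  # (23, ['10.0.0.9'])
```

The normal host pays a one-tick delay only on its first contact with each server, while the scanner's queue never drains and it is flagged at the end of the first tick.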
The desktop is the most common deployment point for anti-malware technologies. Desktop antivirus is the first-generation mitigation method. It is typically signature-based, which is always reactive and thus always behind. The antivirus companies are developing a newer generation that is leading toward behavioral-based detection. This moves this technology toward a proactive stance.
Firewalls were added next and are considered a second-generation technology. Today though we must open far too many holes in the firewall for data from legitimate business applications to get through.
The most recent addition to the desktop is the intrusion prevention system (IPS) layer. IPS protects the kernel, and as such provides a decent layer of defense against generic exploits. The trend now is to create a single agent for the desktop that contains all three of these modules.
Vendor selection criteria
So your management has stated that you need to add several of these components to your integrated defense. How do you decide which vendor to select? Below I've listed a few criteria to consider.
- Effectiveness of the product -- Does the product provide the protection the vendor promises?
- Security of the product -- Is the offering itself secure? If it has a Web-based administrative console, can it be compromised? Does it leak user names and/or passwords in plaintext via the paging file?
- Ease of installation -- Does the installation require professional services or would this be a "nice to have"?
- Central management -- Does global deployment demand one console or many? If the latter, does administration roll up to a single console?
- Integration -- Does it integrate with other security technologies? This is becoming more important. No longer can we deploy point products, even on a global scale. Your antivirus must talk to your gateway, which talks to your IPS which talks to your SEM.
- Scalability -- Some antivirus products have policy servers that can handle 5,000 users, while others scale to 100,000.
- Usability -- How easy is it to maintain and use, both for the end user and administrator? This speaks to total cost of ownership. Are there wizards for creating rules and policies, or is it done at a Linux command line?
- Reporting -- This is becoming more important from a regulatory point of view. How many canned reports does it provide? Can you create customized reports easily? Are these reports easily exported, and in what fashion? The days of a simple CSV file are long gone; it is insufficient and creates more work for security administrators by forcing them to recreate, in a spreadsheet program, charts and graphs that already exist on the console.
- Cost structures -- Is the pricing per seat, per server or per appliance?
As security professionals, we must always remember that we're in the business of selling (place your product name here), not security. This seems like a trivial statement until the first time you use a gateway appliance to block access to a site that your scientists need in order to make a submission under a deadline. You must allow the business to run effectively; your job is to make sure it does so securely.
False positives will be a big problem during initial deployment of gateways and IDS/IPS technologies. These require tuning and tuning takes time.
Usability versus security is a crucial balancing act for end users and administrators. In effect, you are balancing the needs of the business with that of security. For example, there are open ports on your desktop firewall required by Microsoft-based applications. How is it possible to minimize the security risk of these ports potentially being used by many fast-spreading worms? How about the blocking of "rogue" applications with your desktop IPS? They may be legitimate business applications. This focus on the business requires a much longer testing and deployment cycle.
Lastly, you must consider the ability or inability to integrate these technologies together. For instance, there's value in having a host-based IDS detect an attack and send a signal to the gateway device to dynamically block the outbound packet stream. This is a newer concern and goes beyond simple layering of defenses. It means developing an architecture that utilizes the strengths of each technology like a puzzle, versus a stack of bricks. You will find that your defenses are more flexible and resilient if you take the time to develop this type of defense.
Always consider a gateway first and then integrate other defenses with it. Use the laundry list of selection criteria to ensure the best technology for your enterprise. Be tough during testing, just like malware writers will be in trying to compromise your enterprise. Lastly, always remember that we are a support organization. Our job is never to stand in the way of a business objective, but to explain how to accomplish business goals securely and, when possible, affordably.
About the author:
Tom Bowers, who holds the CISSP, PMP and Certified Ethical Hacker certifications, is a well-known expert on the topics of data leakage prevention, global enterprise information security architecture and ethical hacking. He is also the president of the Philadelphia chapter of Infragard, the second largest chapter in the country with more than 600 members. Additionally, Bowers leads the independent think tank and industry analyst group Net4NZIX. His areas of expertise include aligning business needs with security architecture, risk assessment and project management on a global scale. Bowers is a technical editor of Information Security magazine and a regular speaker at events like Information Security Decisions.
This was first published in October 2006