- Ed Metcalf and Rick Simon
- McAfee
(Sponsor-Contributed Paper)
Challenges
Each month brings a new example of a targeted attack against a business, government, or critical infrastructure operator previously considered "invulnerable." At the same time, money-driven crooks continue to focus more on opportunistic attacks against weaker targets," according to the 2012 Verizon Data Breach Investigations Report. In the Verizon study, 69 percent of events involved malware, and 61 percent involved both malware and hacking techniques.
As more organizations encounter the cost, disruption, and public humiliation of malware- enabled events, more CIOs are asking IT teams to reassess their current and future risks from malware and evaluate their defenses. Today's malware is a malleable tool in the hands of a clever cybercriminal. Malicious code is disguised to look innocent. Code can attack through vulnerabilities and vectors that standard antivirus doesn't monitor or is not designed to catch. Malware adapts to evade static tools and active defenses, varying its timing and execution paths depending on the host.
Commercial malware toolkits have made it simple for these techniques to be part of opportunistic phishing, spam, and bot networks. When the rewards are high enough, the tactics are woven into custom, targeted attacks. Once established within an organization, both generic and custom malware spreads, reaches out to its command and control centers, exfiltrates data, and, in the hands of cyberactivists, looks for ways to disrupt or damage operations. Each hour, day, and month before malware is mitigated is an hour, day, or month that the malware can propagate, evolve, and conceal itself on another host.
Why is malware still affecting users?
Most companies depend heavily on two or three layers to defend against malware: an initial line of defense at the Internet gateway, plus a second layer on each desktop or server. Each of these layers must be as sophisticated as the malware. Look for the unexpected--unusual behavior and malicious designs in unknown code.
While inline systems will detect the bulk of malware, it's inevitable that some nasty code will slip through. Few companies have had the resources to deploy specialized monitoring tools and hire malware forensics experts to capture and analyze anomalous code. Typically, nothing happens until a breach or attack is identified--often well after the event through a third party--and specialists are called in to determine what happened where and define a remediation and recovery plan.
Solutions
Today's layered defense strategy must match the sophistication of modern threats. No individual antimalware product can block all malware infiltration and subsequent activity. comprehensive malware protection requires enough of the right layers within each asset and within your infrastructure. Just as importantly, these layers must be knit together into a system of systems, sharing data through dynamic processes hat work to highlight key events and expedite identification, containment, and remediation.
Reduce vulnerability to opportunistic attacks
First, organizations should reduce the attack surface for opportunistic malware by upgrading antimalware in endpoints and network gateways.
Going beyond signatures, effective antimalware technologies should hunt for known and emerging threats using dynamic detection heuristics and referrals to cloud-based services hat constantly correlate breaking threat intelligence from multiple types of sensors and sources. Ideally, endpoint tools will apply context to make a blocking decision: unusual pplication behavior, activity below the OS layer, or a real-time comparison of a suspicious file to a database that reflects multiple reputation attributes (file, sender/destination IP address). In addition to these techniques, some of today's advanced content gateways and network intrusion prevention systems (IPS) have the processing power and antimalware engines to erform real-time static analysis as well as emulation.
Add layers of scalable forensic analysis
Any remaining unusual code detected by antimalware should be referred to a dedicated forensic appliance that can perform high-speed analysis and detect subtle malware using both static and dynamic techniques. Forensic appliances can incorporate the static analysis used in advanced content gateways or next-gen IPS systems, and also apply dynamic analysis--sometimes called sandboxing--which runs the code in a safe environment to see what it tries to do. The combination will reveal malicious intent and behavior to quickly confirm a threat.
Use automation to speed response
If malicious code is confirmed, then the analysis system should tell your other security tools to detect and block that code in the future. The same fingerprint can also be used to track down compromised systems throughout your network for remediation. This is typically a manual process today. However, if you are able to integrate malware response data and processes with system security and network security, you can use automated management workflows to quickly quarantine and remediate compromised hosts.
Add additional lines of defense
Malware (and the hackers using it) will look for vulnerabilities in laptops, tablets, mobile devices, applications, file servers, and databases. You can reinforce the antimalware on these systems with controls that prevent system exploitation, creation of back doors, rootkit installation, and malware execution if the code is able to install. Common tools include host IPS, application control, vulnerability scanning, real- time kernel protection, and change management monitoring. Add database activity monitoring to protect critical assets in the data center. Integrate these systems together to create a manageable mesh of defenses that improve your resistance to multi-pronged attacks.
Assume some malware has or will get onto your network
These technical endpoint and network controls should reduce the chance that malware will get in or infect your assets. However, today's best practice is to assume that there are already compromised systems within your network. You must enhance your ability to detect, dissect, and disrupt the actions enabled by this malware by ensuring your security operations center can monitor your environment for malware activity, data exfiltration, and suspicious user behavior.
Given the volume of network traffic, comprehensive malware protection also requires a "Big Data" class security and information event monitoring (SIEM) system that can aggregate, correlate, and mine data from multiple sources: endpoint system logs, network gateways, user directories, inventories of devices entering and leaving the network, and more. With end-to-end visibility, humans can look at patterns and higher-level threat trends while automated systems tackle the tactical defenses.
Ed Metcalf is director of product and solution marketing at McAfee. He has been with McAfee for nearly nine years and is responsible for developing strategic go-to-market plans for a number of McAfee products, including the joint McAfee and Intel solutions of McAfee DeepSAFE™ technology platform, McAfee Deep Defender, and McAfee ePO™ Deep Command. Ed has nearly two decades of experience in security and technology product marketing, product management, and sales management. Before McAfee, Ed worked for Hewlett Packard, Tripwire, and various technology startups.
Rick Simon is a senior group marketing manager in the Network Security Business Unit at McAfee. Rick develops and markets integrated solutions that enable enterprises to solve key security problems. Prior to joining McAfee, Rick worked for Cisco and led marketing at several startups and held roles in product management, product marketing, and strategic alliances at Hewlett-Packard, Oracle, and Cisco. Rick holds a BSEE from The University of Michigan and an MBA from The University of Chicago Booth School of Business.
- More resources from McAfee
Leave a comment