Top five strategies for combating modern threats: Is anti-virus dead?

Changing environment and threat

The corporate IT environment has changed irrevocably over the last few years. Threats are no longer high-profile viruses that spread themselves obviously to millions of internet users for maximum publicity. Now they are highly targeted, silently infecting computers to steal data and make money for criminals. They are increasingly surreptitious and low profile, mutating in hours or even minutes to evade detection.

At the same time, today’s working environment is rapidly changing. The network perimeter has dissolved to such an extent that it is virtually unidentifiable. Yesterday’s “castle and moat” architecture – with its office-based desktops and servers protected by a gateway firewall – has crumbled. Remote working, the use of endpoint devices such as USB sticks, constant internet access and the rapid emergence of Web 2.0 technologies have redefined how employees interact with an organization’s systems. In addition, increasingly complex networks must accommodate not just employees, but also outside contractors, vendors and customers.

The need for all points protection

Cybercriminals exploit any vulnerability they can find to infect corporate networks. Their latest tricks use countless loopholes in web security to get malware onto a user’s computer in seconds. One new infected webpage is discovered every five seconds, and over 90 percent of these pages are on legitimate websites that have been compromised.

Users are duped into visiting these compromised websites, typically via links in spammed emails. There can be layers of complexity, with the original website redirecting to another site, that in turn redirecting to a third, and so on, ending with a Trojan being downloaded onto the user’s computer – all of this happening in a matter of seconds.

The task of securing the network against this and other exploits – at the web, email and endpoint – is a daunting challenge for today’s IT departments, who are being asked to do more and more with their constrained budgets.

Reducing the attack surface

Within this new threat environment, and as attitudes to work and information continue to evolve away from those of the past, organizations have become more aware of the acute need to control all points on the network to protect its data and systems from criminals. However, the speed with which new threats emerge and infect means that defenses are often inadequate and usually out of date.

Protection versus detection

While much can be achieved by user education and enforcement of acceptable use policies – for example, banning unencrypted laptops and USBs from being taken out of the office, or stipulating what can and cannot be sent by email¹ – there is a need to take a different approach to technology in order to reduce the attack surface and protect the network, systems and data from malware.

In addition to the ability to detect, there are several criteria that need to be taken into account to ensure ongoing, manageable protection. The key strategies are highlighted below.

STRATEGY 1
Maintain traditional anti-virus protection

Totally reliable malware detection remains at the core of any security solution, and updates created by security vendors from samples of particular viruses still form the basis of efficient detection.

Issues of manageability and automation are important – anti-virus will only protect the network if it is correctly configured, deployed and updated across the whole network, and new computers logging on to the network need to have anti-virus software installed immediately and automatically.

So while organizations need to take other approaches into account too and use other technologies, powerful traditional anti-virus protection remains crucial. It is relying solely on the traditional reactive approach that is no longer adequate.

STRATEGY 2
Proactively protect the network

Traditionally, protection against malware and spam was created by security vendors collecting samples of particular viruses and spam, and then developing specific protection. Today this method is simply too slow and inadequate – there are too many targeted threats and they mutate too rapidly. For example, SophosLabs sees over 20,000 new malicious samples every day. Such large volumes of rapidly mutating malware require proactive, zero-day protection, to protect against threats that the vendor has not yet seen or analyzed.

This proactive protection can be achieved through behavioral analysis, a HIPS-like* technology that aims to stop malware before a specific detection update is released, by monitoring the behavior of code – not just when code is run, but also beforehand:

Pre-execution analysis – examines the behavior and characteristics of files before the file is run to find traits commonly found in malware.

Runtime protection – analyzes the behavior of files and processes as they are running, checking for suspicious activity.

An added advantage of strong proactive protection is that the number of individual threats that a research lab needs to analyze is reduced, enabling the rapid creation of new updates and protection where necessary.

Anatomy of a threat

Here is how a significant number of infections are achieved:
- As part of a highly targeted spam campaign, a user gets an email from a hijacked computer.
- The spammed email includes nothing more than a subject line and a link to an infected website.
- This is a legitimate site, so the user is not suspicious and clicks on the link.
- Using a vulnerability to install, a Trojan is immediately downloaded onto their computer.
- Their computer sends confidential data to the hacker.
- The hacker also uses the newly hijacked computer to send out more spam campaigns.

STRATEGY 3
Use preventive protection

Network access control

A key weapon in exercising control to ensure security and productivity is the assessment and management of network access. Finely controlled network access reduces the risk of infection by ensuring security policy is being complied with by all computers – not just those owned and managed routinely by the company, but also those unmanaged guest computers connecting to the network.

By assessing and certifying systems before and after they connect to the network, network access control software can ensure compliance with policies, such as requiring all computers to have security software in place and properly configured, and operating system and application patches up to date. In this way organizations can enable safe access to the network, rather than simply blocking guests or maintaining hugely inefficient pools of computers for contractors and partners to use.

Safe, effective web browsing

The need to control unauthorized endpoint access to the network is matched by the need to enable safe web browsing while preventing access to infected or inappropriate sites. Although the web has now become the key vector for online hacking attacks, as well as representing a drain on productivity for many businesses, the vast majority of businesses are unprotected against today’s modern web-based malware.

Solutions that offer reputation filtering, that is, that block websites known to be “bad”, provide some protection, but this is inadequate against “good” sites that have been hacked. Today’s threats require that the content itself is also checked – and all this without adversely impacting speed and efficiency.

STRATEGY 4
Control legitimate applications and behavior

Application control

Employees installing and using legitimate but unauthorized applications – such as Instant Messaging, VoIP, games, peer-to-peer file-sharing software, virtualization software, and unapproved browsers – are a real and growing threat. Not only can they introduce malware to the corporate network, but they also seriously impact network and employee productivity, cause unnecessary support issues, and create further security (and legal) risk if sensitive company or personal data is sent outside the company.

Restricting the use of these non-business-critical software applications narrows the threat vectors and is an increasingly important facet of an overall security policy. For maximum efficiency and return on investment it needs to be incorporated into the management and control features of an organization’s anti-malware solution.

Application whitelisting

Application whitelisting has been suggested as the modern solution to the challenge of protecting computers from unauthorized and malicious software. In this approach, known “good” applications form a whitelist and only this authorized software is allowed to run, in contrast to the traditional approach where “bad” applications (malware) are prevented from running.

The theory is that with application whitelisting, organizations do not need to rely on anti-virus companies to keep up with all the new malware released every day. While the approach has some merit, in reality it is just one of many technologies – such as anti-virus, HIPS and application control – that need to be used together to ensure comprehensive endpoint security.

STRATEGY 5
Control and encrypt devices and data

The protection of sensitive corporate data, especially in mobile computing, is more important than ever. The news is filled seemingly daily with reports of company laptops, CDs and USB keys packed with confidential information falling into the wrong hands. By using device control you can prevent data being copied and stored on devices like these. However, the problem is that modern business practice often requires the use of such devices. An effective solution to this obvious security weak spot is encryption, to ensure that, though the medium might be lost, the data itself is protected and that no unauthorized person can access it or the rest of the organization’s IT infrastructure.

By encrypting the entire contents of a hard drive, organizations can complement the operating system’s own mechanisms and safeguard the computer’s operating system along with its data, ensuring that no changes or unauthorized access can be made.

Encryption software can also help avoid statutory public disclosure requirements and limit the liability associated with a data leakage incident, as many data protection laws have been updated to accept appropriate encryption as an acceptable safeguard.

Is application whitelisting the magic bullet?

Application whitelisting – allowing only known “good” applications to run – has both strengths and weaknesses as a solution to the problem of today’s threats.

Strengths
- A strategy which allows only good code to run is a very appealing concept.
- Whitelisting is a valuable approach for locked-down parts of organizations, where there are already strong restrictions on what applications can be used and where those applications rarely change, for example Point of Sale (POS) terminals in retail outlets, or servers performing a limited, core set of functions.

Weaknesses
- Application whitelisting does not address malware that works by subverting known good applications, including script malware running in browsers, macro viruses in Office, and buffer overflows.
- If malware evades detection by a whitelisting solution, cleaning up the infection is a major task.
- The whitelisting vendor has to keep up with every release of a good application, as well as custom applications.
- Administrators need to know exactly what they want to allow in order to define policy, and have to maintain at least some of the whitelist themselves.
- Once the policy is defined, there is still a major challenge in identifying and maintaining the list of authorized applications without impacting user or IT staff productivity.

Strategy support through vendor expertise

Underpinning the technology of any security software solution is the vendor’s expertise, experience and understanding of the threat environment. The beginning of this paper demonstrated the complexity and blended nature of today’s threats. A vendor with truly integrated visibility of spam, virus and web-based threats will be able to ensure the rapid response needed to combat new threats. In addition, just as analysis needs to reach across all threat types and technologies, so does the support offered by help teams.

Conclusion

Although traditional anti-virus protection remains the cornerstone of reliable security, modern threats require solutions that go beyond this, providing proactive protection against fast-moving, zero-day malware. The wider issues of controlling network access, web browsing and applications need to be addressed by organizations as a matter of urgency, and the importance of encryption in securing corporate data needs to be understood and acted upon. Finally, organizations need to ensure that their vendor has the cross-threat expertise both in its labs and in its support teams, to make the solution cost-effective and successful.
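The application whitelisting discussion above (Strategy 4 and the "magic bullet" strengths and weaknesses) describes the mechanism in words only. The following is an added illustration, not code from the paper or from any vendor product: a minimal default-deny allowlist that identifies an application by the SHA-256 hash of its contents rather than its file name. It also makes two of the paper's stated weaknesses concrete. An updated build of an approved application no longer matches its hash and is blocked until an administrator re-approves it (the maintenance burden), and an approved script interpreter launching a script passes the check because only the interpreter is hashed, never the script (the "script malware" weakness). The sample "executables" are constructed byte strings, the script-extension list is an assumption, and the decision record format is this example's own.

```python
"""Hash-based application allowlist (added example, not from the paper)."""
import hashlib
from dataclasses import dataclass, field

# Constructed sample "executables": byte strings standing in for files on disk.
POS_V1 = b"MZ\x90\x00 constructed point-of-sale binary, version 1"
POS_V2 = b"MZ\x90\x00 constructed point-of-sale binary, version 2 (after update)"
SCRIPT_HOST = b"MZ\x90\x00 constructed script interpreter (a wscript-like host)"
UNKNOWN_DOWNLOAD = b"MZ\x90\x00 constructed unknown file from a download folder"

# Assumed set of script file extensions an interpreter might be asked to run.
SCRIPT_EXTENSIONS = (".vbs", ".js", ".ps1", ".bat", ".hta")


def sha256_hex(data: bytes) -> str:
    """Fingerprint used to identify an application regardless of its path."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Allowlist:
    """Known-good applications, keyed by content hash (not by file name)."""
    approved: dict[str, str] = field(default_factory=dict)

    def approve(self, name: str, content: bytes) -> str:
        """Record a binary as known-good; returns its hash for the audit log."""
        digest = sha256_hex(content)
        self.approved[digest] = name
        return digest

    def check_execution(self, content: bytes, args: tuple[str, ...] = ()) -> dict:
        """Default-deny decision: allowed only if the binary's hash is approved.

        Also records a caveat the hash check alone cannot enforce: when an
        approved interpreter is asked to run a script, the script's content is
        never hashed, so it is reported as an unvetted argument for a second
        control (script control, HIPS or runtime behavior monitoring).
        """
        digest = sha256_hex(content)
        allowed = digest in self.approved
        unvetted = [a for a in args if a.lower().endswith(SCRIPT_EXTENSIONS)]
        return {
            "sha256": digest,
            "allowed": allowed,
            "approved_as": self.approved.get(digest),
            "unvetted_script_args": unvetted if allowed else [],
        }


def build_demo_allowlist() -> Allowlist:
    """Administrator approves the POS application and the script host."""
    wl = Allowlist()
    wl.approve("POS terminal application 1.0", POS_V1)
    wl.approve("Script host", SCRIPT_HOST)
    return wl


def demo_decisions() -> dict:
    """Run four launch attempts through the allowlist and return the verdicts."""
    wl = build_demo_allowlist()
    return {
        "pos_v1": wl.check_execution(POS_V1),
        # Same application after a vendor update: new bytes, new hash, blocked
        # until an administrator re-approves it.
        "pos_v2_after_update": wl.check_execution(POS_V2),
        # Never approved: blocked by default.
        "unknown_download": wl.check_execution(UNKNOWN_DOWNLOAD),
        # Approved interpreter asked to run a script: passes the hash check,
        # but the script itself was never inspected.
        "script_via_host": wl.check_execution(SCRIPT_HOST, ("unknown_attachment.vbs",)),
    }


if __name__ == "__main__":
    for name, d in demo_decisions().items():
        verdict = "ALLOW" if d["allowed"] else "BLOCK"
        note = f"  unvetted script: {d['unvetted_script_args']}" if d["unvetted_script_args"] else ""
        print(f"{name:22s} {verdict}  {d['sha256'][:12]}{note}")
```

Hashing the content rather than trusting the path is what stops a renamed or dropped-in binary from impersonating an approved one; the flip side, visible in the `pos_v2_after_update` case, is that every legitimate release changes the hash and has to be re-approved, which is the maintenance cost the paper warns about. The `script_via_host` case shows why the paper treats whitelisting as one layer among several: the allowlist has done its job correctly, and the script still runs.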