Tactical Advice

The Discipline of Malware Management

Be sure to include endpoint and antivirus management and content filtering as a part of your company’s strategy.

Ask many IT professionals about the status of their malware management efforts and you’ll often hear responses like “Oh, we installed antivirus software years ago — we’ve got that covered.” These administrators might be ignoring the reality that the threat landscape has changed significantly over the past decade, and controls have evolved to address these new risks.

The discipline of malware management now involves two major components: a comprehensive approach to reducing the risk of malware infection and ongoing monitoring efforts designed to assess the health of those controls. Technologies available to malware defenders include endpoint management controls, web and e-mail content filtering, and antivirus management packages.

Managing the Endpoints

Generally speaking, the greater the control you exercise over the endpoints on your network, the less susceptible they will be to malware infection. Unfortunately, it’s also generally true that the greater the management control you exert, the more complaints you’ll hear from your user base, particularly power users who want to install their own software and customize system configurations.

By using tools such as Active Directory Group Policy and System Center Configuration Manager, you can tightly manage the configuration of your systems: which software is installed, how it is patched and which settings users are allowed to change. In addition to providing protection against malware infections, this type of management also greatly reduces the burden on front-line support staff.

If the business and political environment in your organization permits, you can also remove local administrator rights from end users. This single configuration change goes a long way toward controlling your organization's exposure to malicious software: most malware runs with the privileges of the user who launched it, so a standard user account cannot install drivers or services, write to system directories or disable the security software, which makes it far harder for the code to gain a foothold on your systems in the first place. Malware can still persist within the user's own profile, so this control reduces exposure rather than eliminating it.
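Removing the rights is only half of the job; membership of the local Administrators group drifts as technicians and installers add accounts over time. The following script is an added example, not code from the article or from any vendor discussed here. It audits the local Administrators group against an approved list and, when run with -Remediate, removes anything that is not on it. The approved names (the built-in Administrator account, a CONTOSO\Workstation Admins group and CONTOSO\Domain Admins) are assumptions for illustration; it needs the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit the local Administrators group on this
# machine against an approved list and, with -Remediate, remove every other member.
param(
    [switch]$Remediate
)

# Assumed allow-list for illustration: adjust to your own domain and group names.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",
    "CONTOSO\Workstation Admins",
    "CONTOSO\Domain Admins"
)

# Get-LocalGroupMember returns one LocalPrincipal per member, including nested
# domain groups, with Name in DOMAIN\account form.
$Members    = Get-LocalGroupMember -Group 'Administrators'
$Unexpected = $Members | Where-Object { $Approved -notcontains $_.Name }

foreach ($m in $Unexpected) {
    # ObjectClass tells a user from a nested group; the SID survives renames,
    # so it is the value worth recording in a ticket or log.
    Write-Warning ("Unexpected {0} in Administrators: {1} ({2})" -f $m.ObjectClass, $m.Name, $m.SID)
    if ($Remediate) {
        # Passing the LocalPrincipal object removes exactly that member.
        Remove-LocalGroupMember -Group 'Administrators' -Member $m
    }
}

if (-not $Unexpected) {
    Write-Output "Administrators group matches the approved list."
}
```

Run it in audit mode first from your management tooling so that you can see what would be removed before enabling -Remediate. Where you can, enforce the membership declaratively through Group Policy (Restricted Groups) as well, so that drift is corrected at every policy refresh rather than only when the script runs.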

Stop Malware at the Source: Content Filtering

Another effective way to control the risk of malware infections is to put mechanisms in place that prevent malware from reaching the desktop in the first place. This involves intercepting content from two main vectors (e-mail and the web), scanning the content for malicious code and filtering out any suspicious payloads before they reach the end user, who might mistakenly activate them.

On the e-mail front, most modern mail filtering products are capable of handling a full array of threats, such as traditional malicious code attacks, spam and phishing attacks. These content filters might be stand-alone appliances that sit in front of your mail server (such as Sendmail's Sentrion appliance or Barracuda Networks' Spam & Virus Firewall) or plug-ins to your e-mail server (such as GFI's MailSecurity or Trend Micro's ScanMail suite).

Finally, many organizations are pushing e-mail filtering to the cloud with the use of services such as Symantec’s MessageLabs cloud services or MX Force’s CloudCrest. The best architectural choice for e-mail content filtering will vary based upon your organization’s existing infrastructure and support capabilities, but all provide the same basic functionality: filtering out unwanted and potentially dangerous e-mail messages before they reach the user’s inbox.

The second major vector for malicious code infections is the web. Users might inadvertently browse to a link containing malicious code and accidentally install it on their systems, or they could be directed to such a site via a phishing attack. Whatever the prompt that pushed them to the site, web content filtering packages have two options for detecting and blocking such traffic.

First, URL filters compare each request against lists of sites known to host malicious code and block the request before it leaves your network, telling the user that the site is potentially dangerous. Second, antivirus filters scan the content returned for user requests for known signatures of malicious code and strip out anything that matches.
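To make the two stages concrete, here is an added example of a minimal two-stage web content filter. It is not code from the article or from any of the products it names: the blocklist, the signature set and the three requests are constructed for illustration, and a real deployment takes both feeds from the vendor and runs inline on the proxy. Stage one matches the requested host against the blocklist by domain suffix, so a host under a blocked domain is caught as well as the domain itself; stage two scans the response body for signatures.

```powershell
# Added example (not from the article): a two-stage web content filter.
# Stage 1 blocks requests to known-bad domains; stage 2 scans what comes back.

# Constructed blocklist. Suffix matching means "cdn.malware.example" is caught
# by the entry for "malware.example".
$BlockedDomains = @('malware.example', 'phish.example')

# Constructed signatures. A real filter uses the AV vendor's signature set;
# these strings are made up for the example.
$Signatures = @{
    'Test.Dropper.A'  = 'X5O!DROPPER-TEST-SIGNATURE'
    'Test.Downloader' = 'cmd /c bitsadmin /transfer'
}

function Test-BlockedHost {
    param([string]$Url)
    $hostName = ([Uri]$Url).Host.ToLowerInvariant()
    foreach ($d in $BlockedDomains) {
        if ($hostName -eq $d -or $hostName.EndsWith(".$d")) { return $d }
    }
    return $null
}

function Find-Signature {
    param([byte[]]$Body)
    # ISO-8859-1 maps every byte to one character, so binary bodies can be
    # searched as text without any bytes being dropped or merged.
    $text = [System.Text.Encoding]::GetEncoding(28591).GetString($Body)
    foreach ($name in $Signatures.Keys) {
        if ($text.Contains($Signatures[$name])) { return $name }
    }
    return $null
}

function Invoke-ContentFilter {
    param([string]$Url, [byte[]]$Body)
    $hit = Test-BlockedHost -Url $Url
    if ($hit) {
        return [pscustomobject]@{ Url = $Url; Action = 'Block'; Reason = "URL filter: $hit" }
    }
    $sig = Find-Signature -Body $Body
    if ($sig) {
        return [pscustomobject]@{ Url = $Url; Action = 'Block'; Reason = "AV filter: $sig" }
    }
    return [pscustomobject]@{ Url = $Url; Action = 'Allow'; Reason = 'clean' }
}

# Constructed requests: one clean, one stopped by the URL filter, and one from
# a host the URL filter has never heard of whose body carries a signature.
$ascii = [System.Text.Encoding]::ASCII
$Requests = @(
    @{ Url = 'https://www.example.com/index.html';      Body = $ascii.GetBytes('<html>hello</html>') },
    @{ Url = 'https://cdn.malware.example/payload.exe'; Body = $ascii.GetBytes('MZ...') },
    @{ Url = 'https://files.example.net/invoice.doc';   Body = $ascii.GetBytes('... cmd /c bitsadmin /transfer ...') }
)

$Requests | ForEach-Object { Invoke-ContentFilter -Url $_.Url -Body $_.Body } | Format-Table -AutoSize
```

The third request is the reason both stages exist: a brand-new host is not on any blocklist yet, and only the body scan catches it. Note the practical limit on HTTPS traffic: the hostname is visible to a proxy from the CONNECT request or the TLS handshake, so stage one works without decrypting anything, but stage two can only see the body if the proxy performs TLS interception.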

As with e-mail filters, web content filters are available both as appliance solutions and as cloud services. Products such as Barracuda’s Web Filter and Websense’s Web Security Gateway provide hardware solutions that you can install on your organization’s network. If you prefer to outsource this function to the cloud, several vendors offer hosted alternatives.

Managing Antivirus/Antispyware Packages

It goes without saying that all of the systems in your organization that are susceptible to viruses — basically, anything running a mainstream operating system — should be running up-to-date antivirus and antispyware software. These packages represent the last line of defense against malicious code. If a virus or other undesirable software makes it past your content filters and desktop security controls, it’s up to the antivirus package to block, detect, and eradicate the code from the system.

All major antivirus software programs offer an enterprise management platform that allows you to monitor both the health of your malware protection software and the status of any alerts triggered by the software installed on endpoints. These packages include Symantec's Endpoint Protection Manager, McAfee's ePolicy Orchestrator and Trend Micro's Core Protection Module (part of its Endpoint Security Platform). If you have more than a few dozen machines in your environment, investing in a centralized management solution is a wise choice.

Monitor, Monitor, Monitor

Once you’ve built a comprehensive approach to malware management in your organization, the next step is to ensure that you have an effective approach to monitoring it. One of the biggest breakdowns in enterprise malware management is neglecting to invest in the staff resources needed to continuously monitor and maintain the environment. Eventually, this will lead to the slow degradation of the controls and potential malware infections on your systems.

Your malware management console contains the status reporting from your endpoint protection packages (at a minimum) and may also integrate with your content filtering solutions. Administrators monitoring this console should keep an eye out for systems that are failing to check in with current updates and for signs of potential infections, such as a machine that keeps reporting detections of the same threat. Pay particular attention to endpoints that have stopped reporting altogether: a silent agent may simply be a machine that is switched off, but it may also be one on which the protection has been disabled. Depending upon the organization's support infrastructure, admins then could dispatch technicians or contact the end user directly to remediate the issue.
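Most consoles can export or schedule a report of agent status; the checks above are simple enough to automate against such an export. The script below is an added example, not code from the article or from any of the management products it names. It takes a constructed CSV in the shape such an export might have (the column names and the three thresholds are assumptions, not any vendor's schema) and lists every endpoint that has not checked in recently, whose definitions lag the newest set in the export, or that has a suspicious number of detections. The five rows are constructed so that each check fires at least once.

```powershell
# Added example (not from the article): triage a constructed AV-console export.
# Thresholds and column names are assumptions for illustration.

$StaleAfterDays    = 3   # no check-in for longer than this: agent not reporting
$DefinitionLagDays = 2   # definitions older than newest-minus-this: out of date
$RepeatThreshold   = 3   # detections in the report window: likely reinfection

# Constructed export. A real one comes from the console's reporting or API feature.
$Export = @'
Hostname,LastCheckIn,DefinitionDate,DetectionsLast7d
WS-0101,2014-04-14 08:12,2014-04-14,0
WS-0102,2014-04-09 17:40,2014-04-09,0
WS-0103,2014-04-14 09:03,2014-04-10,1
WS-0104,2014-04-14 07:55,2014-04-14,5
SRV-FILE1,2014-04-13 23:59,2014-04-14,0
'@ | ConvertFrom-Csv

function Get-EndpointFindings {
    param(
        [Parameter(Mandatory)]$Records,
        [datetime]$Now = (Get-Date)
    )
    # "Current" definitions means the newest date any endpoint in the export has,
    # which avoids hard-coding a release date into the script.
    $newestDefs = $Records | ForEach-Object { [datetime]$_.DefinitionDate } | Sort-Object | Select-Object -Last 1

    foreach ($r in $Records) {
        $lastSeen = [datetime]$r.LastCheckIn
        $defs     = [datetime]$r.DefinitionDate
        $issues   = @()

        $silentDays = ($Now - $lastSeen).TotalDays
        if ($silentDays -gt $StaleAfterDays) {
            $issues += ("no check-in for {0:N1} days" -f $silentDays)
        }
        $lagDays = ($newestDefs - $defs).Days
        if ($lagDays -gt $DefinitionLagDays) {
            $issues += ("definitions {0} days behind newest" -f $lagDays)
        }
        if ([int]$r.DetectionsLast7d -ge $RepeatThreshold) {
            $issues += "$($r.DetectionsLast7d) detections in 7 days"
        }

        if ($issues) {
            [pscustomobject]@{ Hostname = $r.Hostname; Issues = ($issues -join '; ') }
        }
    }
}

# Evaluate as of a fixed time so the constructed data gives repeatable results;
# drop the -Now argument to evaluate a real export against the current clock.
Get-EndpointFindings -Records $Export -Now ([datetime]'2014-04-14 12:00') | Format-Table -AutoSize
```

An endpoint that is both silent and out of date (WS-0102 in the sample) deserves a different response from one that merely has old definitions: the first needs someone to confirm the agent is still installed and running, the second usually needs only an update push. Keeping the thresholds at the top of the script makes it easy to tune them to your update cadence.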

The tendency of many organizations to dismiss malware as a “problem solved” often leads to a dangerous level of complacency. It’s important to take time on a regular basis to review your malware defenses to ensure that they are appropriate for the current threat landscape and to reassure yourself that your monitoring efforts are effective.


About the Author

Mike Chapple

Mike Chapple is an IT professional and assistant professor of computer applications at the University of Notre Dame. He is a frequent contributor to BizTech magazine, SearchSecurity and About.com as well as the author of over a dozen books including the CISSP Study Guide, Information Security Illuminated and SQL Server 2008 for Dummies.
