The Discipline of Malware Management
Ask many IT professionals about the status of their malware management efforts and you’ll often hear responses like “Oh, we installed antivirus software years ago — we’ve got that covered.” These administrators might be ignoring the reality that the threat landscape has changed significantly over the past decade, and controls have evolved to address these new risks.
The discipline of malware management now involves two major components: a comprehensive approach to reducing the risk of malware infection and ongoing monitoring efforts designed to assess the health of those controls. Technologies available to malware defenders include endpoint management controls, web and e-mail content filtering, and antivirus management packages.
Managing the Endpoints
Generally speaking, the greater the control you exercise over the endpoints on your network, the less susceptible they will be to malware infection. Unfortunately, it’s also generally true that the greater the management control you exert, the more complaints you’ll hear from your user base, particularly power users who want to install their own software and customize system configurations.
By using tools such as Active Directory and System Center Configuration Manager, you can tightly manage the configuration of your systems. In addition to providing protection against malware infections, this type of management also greatly reduces the burden on front-line support staff.
If the business and political environment in your organization permits, you can also remove local administrator rights from end users. This single configuration change goes a long way toward controlling your organization’s exposure to the risk of malicious software infections by making it difficult for the code to gain a foothold on your systems in the first place.
Stop Malware at the Source: Content Filtering
Another effective way to control the risk of malware infections is to put mechanisms in place that prevent malware from reaching the desktop in the first place. This involves intercepting content from two main vectors (e-mail and the web), scanning the content for malicious code and filtering out any suspicious payloads before they reach the end user, who might mistakenly activate them.
On the e-mail front, most modern mail filtering products are capable of handling a full array of threats, such as traditional malicious code attacks, spam and phishing attacks. These content filters might be stand-alone appliances that sit in front of your mail server (such as Sendmail’s Sentrion appliance or Barracuda Networks’ Spam & Virus Firewall) or plug-ins to your e-mail server (such as GFI’s MailSecurity or Trend Micro’s ScanMail suite).
Finally, many organizations are pushing e-mail filtering to the cloud with the use of services such as Symantec’s MessageLabs cloud services or MX Force’s CloudCrest. The best architectural choice for e-mail content filtering will vary based upon your organization’s existing infrastructure and support capabilities, but all provide the same basic functionality: filtering out unwanted and potentially dangerous e-mail messages before they reach the user’s inbox.
The second major vector for malicious code infections is the web. Users might inadvertently browse to a link containing malicious code and accidentally install it on their systems, or they could be directed to such a site via a phishing attack. Whatever the prompt that pushed them to the site, web content filtering packages have two options for detecting and blocking such traffic.
First, URL filters can detect requests for websites known to contain malicious code and block them before they reach the Internet, alerting users to the fact that the website is potentially dangerous. Second, antivirus filters can scan inbound content from user requests for known signatures of malicious code and filter out any objectionable content.
As with e-mail filters, web content filters are available both as appliance solutions and as cloud services. Products such as Barracuda’s Web Filter and Websense’s Web Security Gateway provide hardware solutions that you can install on your organization’s network. If you prefer to outsource this function to the cloud, several vendors offer hosted alternatives.
Managing Antivirus/Antispyware Packages
It goes without saying that all of the systems in your organization that are susceptible to viruses — basically, anything running a mainstream operating system — should be running up-to-date antivirus and antispyware software. These packages represent the last line of defense against malicious code. If a virus or other undesirable software makes it past your content filters and desktop security controls, it’s up to the antivirus package to block, detect, and eradicate the code from the system.
All major antivirus software programs offer an enterprise management platform that allows you to monitor both the health of your malware protection software and the status of any alerts triggered by the software installed on endpoints. These packages include Symantec’s Endpoint Protection Manager, McAfee’s ePolicy Orchestrator and Trend Micro’s Core Protection Module (part of its Endpoint Security Platform). If you have more than a few dozen machines in your environment, investing in a centralized management solution is a wise choice.
Monitor, Monitor, Monitor
Once you’ve built a comprehensive approach to malware management in your organization, the next step is to ensure that you have an effective approach to monitoring it. One of the biggest breakdowns in enterprise malware management is neglecting to invest in the staff resources needed to continuously monitor and maintain the environment. Eventually, this will lead to the slow degradation of the controls and potential malware infections on your systems.
Your malware management console contains the status reporting from your endpoint protection packages (at a minimum) and may also integrate with your content filtering solutions. Administrators monitoring this console should keep an eye out for systems that are failing to check in with current updates and for signs of potential infections. Depending upon the organization’s support infrastructure, admins could then dispatch technicians or contact the end user directly to remediate the issue.
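The two console checks described above (hosts that have stopped checking in or are running stale definitions, and hosts reporting detections) can be automated against a status export. The following is an added example, not code from the article or from any vendor product; the CSV layout, the field names and the check-in threshold are assumptions, and the sample rows are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample export from a hypothetical management console.
# Columns are assumed: host, last check-in time, definition version,
# detections reported in the last 24 hours.
SAMPLE_STATUS = """\
host,last_checkin,def_version,detections_24h
ws-001,2024-03-10T08:15:00,2024-03-10.002,0
ws-002,2024-03-04T17:40:00,2024-03-04.001,0
ws-003,2024-03-10T07:55:00,2024-03-10.002,3
srv-01,2024-03-09T23:10:00,2024-03-08.001,0
"""

# Fixed "current time" and current definition version for a repeatable run.
NOW = datetime(2024, 3, 10, 9, 0, 0)
CURRENT_DEFS = "2024-03-10.002"

def parse_status(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        row["last_checkin"] = datetime.fromisoformat(row["last_checkin"])
        row["detections_24h"] = int(row["detections_24h"])
        rows.append(row)
    return rows

def find_issues(rows, now, current_defs, max_checkin_age=timedelta(days=2)):
    """Return (host, issue) pairs needing follow-up, in export order."""
    issues = []
    for r in rows:
        if now - r["last_checkin"] > max_checkin_age:
            # A host that has not reported cannot be trusted to be current,
            # so the stale check-in is the finding; skip the version test.
            issues.append((r["host"], "stale-checkin"))
        elif r["def_version"] < current_defs:
            # Version strings are zero-padded, so string order is date order.
            issues.append((r["host"], "outdated-definitions"))
        if r["detections_24h"] > 0:
            issues.append((r["host"], "detections"))
    return issues

def report():
    """Run the checks over the constructed sample export."""
    return find_issues(parse_status(SAMPLE_STATUS), NOW, CURRENT_DEFS)

if __name__ == "__main__":
    for host, issue in report():
        print(f"{host}: {issue}")
```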
The tendency of many organizations to dismiss malware as a “problem solved” often leads to a dangerous level of complacency. It’s important to take time on a regular basis to review your malware defenses to ensure that they are appropriate for the current threat landscape and to reassure yourself that your monitoring efforts are effective.