Malware Defense: Up Your Game!
By: Darin Barton CISSP, CISA, ITILv3
In 2016, organizations can no longer hope to successfully quarantine and clean infected systems on a regular basis. Today, our strongest recommendation is to DETECT, ISOLATE and RE-IMAGE; but this is easier said than done without the proper strategy in place.
One of the most challenging obstacles for IT is to both identify and block malware as it crosses the network threshold. Malware can enter a host system through several attack vectors that have become increasingly difficult to manage, such as:
- Web sites
- File sharing applications and drop boxes
- Removable disks and IoT (Internet of Things) devices
We’ve all heard the adage “a layered security approach is your best defense”. Layering security increases the odds of defending your organization, but you must layer your security with the proper tools. Your gateway web content security solution (UTM firewall or best-of-breed solution) will play an important part in this, but it cannot be relied upon completely. When applying this philosophy to malware prevention, there are several specialized solutions that can dramatically increase your malware detection levels and, most importantly, isolate infected devices from the network before they become a major headache for your business.
Threat Management Systems, or “sandboxing”, have the ability to detonate (“explode”) malware within their emulation environments, allowing for an increased chance to identify and block malicious traffic; but this on its own is not enough. There must also be an ability to identify the endpoints that are triggering the traffic, automatically isolate them from the network and alert the security administration team. To this end you will need tight integration between the sandboxing solution and the endpoints through a managed interface.
Once you have isolated the endpoints from the network, the task of cleaning the systems should be quick and efficient. We have found that trying to quarantine and clean systems is very difficult regardless of the tools you have available, especially when your MBRs (Master Boot Records) are compromised. The best method is to completely re-image your systems, thus modifying the expression from “Detect, Isolate, Recover” to “Detect, Isolate, Re-Image”. This requires some forethought and a strategy to ensure endpoint data is not lost. In the long run it will save you a lot of time, effort, money and headaches.
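The Detect / Isolate / Re-Image workflow described above, as an added example that is not part of the original article or any vendor product: sandbox verdicts are joined against gateway download logs to find which internal endpoints fetched flagged samples, and each hit is turned into an alert, an isolation action and a re-image task. The verdict table, the log line format and the hashes are all constructed placeholders; a real deployment would take verdicts and logs from the sandbox and gateway and issue the isolation call through the endpoint management interface.

```python
import re
from collections import defaultdict

# Constructed sandbox verdicts keyed by file hash (placeholder hashes, not real samples).
SANDBOX_VERDICTS = {
    "sha256:aaaa1111": "malicious",
    "sha256:bbbb2222": "clean",
    "sha256:cccc3333": "malicious",
}

# Constructed gateway download log; the line format is an assumption for this example.
GATEWAY_LOG = """\
2016-03-02T10:15:01Z src=10.0.1.23 action=download hash=sha256:aaaa1111
2016-03-02T10:15:09Z src=10.0.1.40 action=download hash=sha256:bbbb2222
2016-03-02T10:16:30Z src=10.0.1.23 action=download hash=sha256:cccc3333
2016-03-02T10:17:02Z src=10.0.1.51 action=download hash=sha256:cccc3333
2016-03-02T10:18:00Z malformed line that the parser must skip
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) action=download hash=(?P<hash>\S+)$")

def infected_endpoints(verdicts, log_text):
    """Map each endpoint that fetched a sandbox-flagged sample to the hashes it fetched."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, never treated as clean
        if verdicts.get(m["hash"]) == "malicious":
            hits[m["src"]].add(m["hash"])
    return dict(hits)

def response_plan(hits, already_isolated=()):
    """Turn the correlation into the Detect / Isolate / Re-Image sequence per endpoint."""
    plan = []
    for host in sorted(hits):
        plan.append(("alert", host, sorted(hits[host])))   # detect: notify the security team
        if host not in already_isolated:
            plan.append(("isolate", host))                 # isolate: NAC/agent call goes here
        plan.append(("reimage", host))                     # re-image rather than clean in place
    return plan

if __name__ == "__main__":
    for step in response_plan(infected_endpoints(SANDBOX_VERDICTS, GATEWAY_LOG)):
        print(step)
```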
There are several manufacturer solutions that fully support the detection and isolation strategy:
- Trend Micro: Deep Discovery Sandbox, Deep Security for Virtualized Systems, OfficeScan for Endpoints with Control Manager to tie it together. Perfect for organizations already utilizing Trend.
- Cisco Systems: FireAMP for Endpoints is an excellent solution to continuously detect, track, analyze, control, and block advanced malware outbreaks across endpoints.
- Fortinet Networks: FortiManager, FortiAnalyzer, FortiGate Firewalls, FortiSandbox and FortiClient form a holistic solution that ties all of your key security assets into a strong mitigation play.
Good luck in your battle against malware.
Darin Barton CISSP, CISA is a senior security professional in Toronto, Canada, with 20+ years of experience in cybersecurity and investigations and is currently employed with Access 2 Networks Inc. (A2N).