Outsmarting the New Malware

by Steve Crutchfield
Director of Product Marketing, McAfee, Inc.

Whether you are responsible for ensuring the availability of your enterprise network, or you are a chief technology officer or information security manager, you will likely ask yourself these questions: How much should I spend on security? Am I more secure today than I was yesterday? What metrics can I use to measure whether my security is improving or not? When can I stop patching so I can get back to doing real work?

None of these questions are easy to answer but they all reflect today's real concerns as IT professionals are faced with a new breed of faster-spreading and more aggressive malware.

Until quite recently, security technology was usually reactive. When a piece of malware was identified, the security companies would write a detection pattern (or "signature") for it and distribute it to customers as quickly as possible for deployment on all their PCs.

Over time, security vendors have improved each step in this process to become more effective and timely in responding to malware that intrudes into the network. However, one question remains: Will we ever be fast enough or clever enough to keep up with the new generation of malware?

Businesses today cannot afford to be reactive to attacks on their networks. They must take a proactive and strategic approach, one that not only stops attacks from spreading before they can cause any damage, but also ensures that the most critical systems are the ones best defended.

There is more malware now than ever. There are over one million viruses alone in circulation, and each one is more complex and spreads much more quickly than previous variants. In addition to viruses and worms, Potentially Unwanted Programs (PUPs) like spam, spyware, adware, and keyloggers can be equally malicious, because they alter the security posture of the computer system on which they are installed or of the network on which those systems reside.

Currently, software vendors have to issue a patch whenever a new vulnerability is discovered so that a hacker or virus can't exploit it. This means that customers need to protect many points in their environments - gateways, networks, servers and desktops - to stop the malware from getting through and exploiting vulnerable systems. Security vendors issue new signatures for their anti-virus products, and customers must deploy each of them before the latest threats can be detected.

However, this is becoming commercially unsustainable for customers. Too much patching means that critical systems or network devices are unavailable for longer periods of time. It also takes scarce IT resources away from new projects.

To break this reactive cycle, security vendors need to take a radically different approach, rather than simply trying to react faster and faster.

The solution is to move from reactive technology in traditional anti-virus software that relies on virus signatures to new innovative technology that proactively protects against malware without needing a signature update.

The newest commercially available technology now focuses on network intrusion prevention using heuristics and data behavior analysis. Instead of just looking at packet headers and payloads, advanced intrusion prevention systems are capable of deep-packet inspection and analysis. Instead of blocking certain ports or looking for the tell-tale signs of a known attack, they study the behavior of data and refer to a set of rules to distinguish between permissible and harmful behavior, comparing traffic in real time against those rules and either admitting or blocking the data.

For end-point protection, today's leading-edge technology has moved from virus detection to desktop protection. This software now integrates elements of intrusion prevention and firewall technology, providing robust protection for PCs and servers with the ability to block attacks even without signature updates. Such integrated technology also extends protection against today's newest threats, including buffer-overflow exploits, Potentially Unwanted Programs (PUPs) and blended attacks.

An investment in such proactive technologies will enable customers to break away from the traditional cycle of patch management, where they are constantly forced to race against time in deploying patches. A proactive approach to protection against malware effectively puts a force field of protection around the systems - even if they're unpatched, or there's new malware without a signature.

Beyond the use of proactive technologies, another critical new area of development is vulnerability management (not to be confused with vulnerability assessment tools, which merely assess but actually take no action). The science of vulnerability management is aimed at finding a smarter, more effective way to protect your business. Instead of trying to ensure 100 percent protection on every possible point of vulnerability, we can now adopt a priority-based approach to focus deep protection of our most important business assets.

It no longer makes commercial sense to attempt to protect all IT assets equally or to protect against all threats. As enterprise resources are limited, we must decide which IT assets to protect first and which to protect in depth. The choices made here pay off in terms of more resilient protection of the business network. Vulnerability management actually helps to restructure security spending and direct investment to where the return will be greatest.

Vulnerability management will become an ongoing, real-time activity. As the enterprise network manager, you should have a push-button view of the risk exposure of your network. When the phone rings and the CEO asks, "What is our exposure to this latest threat I just read about?", you should be ready with answers about which systems are at risk, which parts of the business are well protected, and what actions are being taken to strengthen the areas where the business network is most vulnerable.
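As an added illustration of the priority-based approach described above (example code, not McAfee's product logic), the script below answers the CEO's question for one threat: it matches a constructed asset inventory against the affected product versions, sets aside systems that are already patched or covered by a signature-less host shield, and ranks the remainder by business criticality so the patching order follows asset importance. The advisory id, product names and the notion of which exploit classes the shield covers are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed inventory and threat for illustration; not data from the article.
@dataclass
class Asset:
    name: str
    software: dict                      # product -> installed version
    criticality: int                    # 1 (low) .. 5 (business critical)
    patched: set = field(default_factory=set)   # advisory ids already applied
    proactive_shield: bool = False      # host IPS / overflow protection enabled

@dataclass
class Threat:
    advisory: str
    product: str
    affected_versions: set
    exploit_class: str                  # e.g. "buffer-overflow"

# Assumption: exploit classes the signature-less host shield blocks on its own.
SHIELDED_CLASSES = {"buffer-overflow"}

def exposure(assets, threat):
    """Split assets into (at_risk, mitigated); at_risk is ordered by criticality."""
    at_risk, mitigated = [], []
    for a in assets:
        version = a.software.get(threat.product)
        if version is None or version not in threat.affected_versions:
            continue                    # vulnerable product/version not present
        if threat.advisory in a.patched:
            mitigated.append((a.name, "patched"))
        elif a.proactive_shield and threat.exploit_class in SHIELDED_CLASSES:
            mitigated.append((a.name, "shielded"))   # unpatched but protected
        else:
            at_risk.append(a)
    at_risk.sort(key=lambda a: a.criticality, reverse=True)
    return at_risk, mitigated

def patch_order(assets, threat):
    """Names of exposed systems, most business-critical first."""
    return [a.name for a in exposure(assets, threat)[0]]

INVENTORY = [   # hypothetical hosts
    Asset("erp-db", {"webserver": "2.1", "database": "9"}, 5),
    Asset("intranet-web", {"webserver": "2.1"}, 3, patched={"ADV-0001"}),
    Asset("kiosk-pc", {"webserver": "2.0"}, 1),
    Asset("mail-gw", {"webserver": "2.1"}, 4, proactive_shield=True),
    Asset("file-srv", {"webserver": "3.0"}, 4),
]
THREAT = Threat("ADV-0001", "webserver", {"2.0", "2.1"}, "buffer-overflow")

if __name__ == "__main__":
    print("patch first:", patch_order(INVENTORY, THREAT))
```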
About the Author
Steve Crutchfield is Director of Product Marketing for McAfee, Inc.

Article © Copyright 2005 McAfee, Inc. Used by permission.