The most cost-effective method of preventing and detecting this type of malware is a Web filter. Using an open-source system such as Squid, or purchasing an enterprise offering from Barracuda, Websense, Webroot, or others, provides the ability to block known malware distribution sites and, in some cases, to analyze traffic for malicious content, as with M86's offering. Some tools extend filtering to your users even when they are off the corporate network.
Desktop detection is the next most common step, and the one most organizations have already invested some time and money in. If the Web filter misses a threat, the desktop protection may still catch it. Stand-alone anti-virus is becoming a thing of the past, as desktop protection suites that combine buffer overflow prevention, anti-virus, anti-malware, and host intrusion prevention become the standard. These suites can stop malware from exploiting the system even when the product does not recognize the file as malware.
Complex malware kits such as those behind Zeus leverage multiple exploits in the OS and installed products to gain rights, inject code into the system, and carry out data-stealing tasks. A desktop protection suite that detects known malware and also blocks known attack techniques further improves an organization's chances of avoiding exploitation. But these tools are generally less effective at catching unknown, or zero-day, malware threats.
Email attacks still use infected attachments or malicious scripts (VBS) that run when the message is opened, and increasingly direct users to URLs of sites the attacker controls. Web filters can block known malware distribution URLs, but in some cases they sit behind email-filtering systems that flag the message as spam and never deliver it to the user at all. Email filtering has improved drastically in the past few years, and enterprises now have both on-premise and cloud offerings from companies like Barracuda, Symantec, Postini (Google), and AppRiver. These services and products stop the malicious URL from reaching the user in the first place, and thus work no matter where the user is or what device the user reads email on.
Mobile phones are the newest target for attackers. Always on, always connected, and often lacking security controls, they are an attacker's dream. Some platforms, such as BlackBerry, are closed and designed with security in mind. The iPhone is also a closed platform, but users can jailbreak it and reduce its security. Android devices are considered the most open and are regarded as carrying the most risk. Products such as Lookout, Zenprise, and MobileIron provide security features and management for phones.
Network monitoring using intrusion detection or network analysis tools provides insight into malware that may be running rampant on your network. Snort is a free IDS that ships with virus, malware, and spyware signatures. By monitoring and alerting on network traffic, an enterprise can tell that malware has gotten in even when the other controls failed, can react, and has some insight into where the malware resides. But IDS and IPS tools can also miss unknown threats.
As malware has become one of the largest threats to organizations, no single product can keep up with all threats on its own. A layered approach to protecting your organization from data theft, identity theft, and intrusion, although not foolproof, provides the best results.