It’s bad, but how bad is it?
You’ve seen the numbers. “McAfee Labs detects 387 new samples of malware every minute,” according to McAfee Labs Threats Report, February 2015. Mobile malware samples alone grew 14 percent during the fourth quarter of 2014, per the same report.
Malware is getting through enterprise defenses as attackers code new strains and re-clothe old ones in order to thwart information security tools. The malware they aim at mobile devices is maturing, usurping authority over employee hardware and leveraging that control to leap inside the perimeter.
CSO Magazine pinpoints some of malware’s effects on the enterprise, providing examples and instruction for softening the blows of malicious software.
The trend is for malware to leave minimal traces. “Attackers are trying to maintain a low profile to eliminate their chances of detection,” says Paul Morville, Founder and vice president of Products, Confer, a startup laying claim to the endpoint detection and response (EDR) market. Others in that market include EMC and CrowdStrike.
Meanwhile, the increasing numbers of variants up the odds that one will infiltrate the enterprise network and grow deep into its heart as an APT. “Malware authors keep the target moving by creating large numbers of variants, and this can increase their chances of reaching target victims. Such morphing threats can increase the complexity in isolating the malicious code across all end points,” says Craig Schmager, Security Threat Researcher, McAfee Labs.
Malware also focuses on the employee’s BYOD laptop or smartphone when it connects to unsecured networks outside the enterprise. “These attacks are more sophisticated and attackers are using the employee as the leverage point to gain entry inside the organization,” says Morville.
Attackers infect employee devices to steal usernames and passwords that access financial accounts within the company. They also use employee laptops to get inside the perimeter and drill their way through systems and into servers housing valuable data such as intellectual property.
Even security tools are suffering. Attackers are thwarting signature-based security mechanisms with custom-compiled malware that they repackage from existing malware to create unique drive-by downloads that signature-based tools won’t recognize, according to Rich Tener, director of Security, Evernote. The malware inside is basically the same, but the signature is unique and previously unrecorded.
Softening the blows of malware
In the battle against malware, enterprises should continue to use signature-based tools as one security layer among many. “OSX and Windows have free, native security capabilities. OSX has XProtect within its OS. Microsoft has Microsoft Security Essentials, which we use on our Windows workstations,” says Tener.
The cloud has given signature-based tools a boost. By storing the growing numbers of new virus and malware signatures in the cloud, the enterprise can take some of the load off of endpoints and endpoint-based anti-virus and anti-malware tools, enabling these tools and signatures to hold up under the pressure of multiplying malware examples.
“Rather than having to say, well, the signature is enforced on the client or it isn’t, we put the signatures in the cloud. We don’t have to have them taking up space on disk and in memory,” says Schmager. That way, the enterprise can leverage new and existing signatures without having to limit their volume due to limited storage space. Other vendors offering cloud-based anti-virus / anti-malware protection include Panda Security and Trend Micro.
With the glut of new malware appearing daily in the wild, enterprises must use behavioral analysis tools, such as an EDR product. EDR tools help mitigate the risk of employees becoming an attack vector when they connect their laptops to networks outside the enterprise. The best EDR tools strive to offer more thorough analysis for threat detection and more thorough response in order to remediate infections and to uncover and address the seeds of infections.
For those using NAC, EDR tools may be compatible. “NAC is a protective control where you’re trying to prevent access from an endpoint that isn’t one you manage,” says Tener. Obviously, the enterprise must perform its own due diligence in determining what EDR tools will play well with any NAC product they employ.
Enterprises can benefit from DNS blacklisting tools. “We use a commercial DNS blacklisting agent called OpenDNS for all our offices and laptops. This allows us to quickly block access to malicious domains wherever an employee is working,” says Tener. BlueCat and MXRate offer similar products.
Enterprises should continue to protect the network as well as the endpoints. “We use an open-source security monitoring stack that includes Bro, a network analysis framework, Suricata, a network IDS with full packet capture, and Argus, a NetFlow engine. We also complement that with Palo Alto Wildfire, a commercial, network-based malware detection engine with an on-board anti-virus engine,” says Tener. Similar products come from Cisco and Symantec.
Organizations should also use VPNs, firewalls, and load balancers in concert to protect enterprise infrastructure. “We use these to control what services we expose to the Internet, to segment our production network from the rest of our computing infrastructure,” says Tener. By controlling access to the production environment with strong authentication tools, the enterprise can maintain a healthy separation between prized data and external threats.
Rather than using WAFs and other web application security tools, fix the vulnerabilities in the applications in order to maintain a tight grip on security. “Our experience has been that web application firewalls and runtime analysis tools introduce a lot of operational overhead, both in computing resources and engineering time to constantly tune them,” says Tener.
Examine, adopt
Enterprises should be able to maintain an acceptable level of mitigation of the multiplying numbers of malware examples after considering these and other security measures and applying the most appropriate combination for their needs.