Advance Malware Protection: Network or Host?

Large organizations have legitimate cause for concern. Malware creation and proliferation is increasing rapidly as cybercriminals and state-sponsored organizations create the next round of APTs, botnets, Trojans, and rootkits. What’s more, we’ve entered the era of micro attacks designed to compromise a targeted organization, business unit, or individual.

Legacy security technologies are no match for this onslaught, so enterprises are investing in new tools. For example, ESG Research found that 77% of enterprise organizations (i.e. more than 1,000 employees) are increasing their security investments as a direct result of APTs.

So large organizations realize they need new layers of defense, but where should these countermeasures reside? To be more succinct, this decision comes down, adding new security technologies on the network or doing so on host systems. 

Typically, this decision is guided by simple math. Large organizations have thousands of hosts, but just a handful of network ingress/egress points, so a network solution is naturally more attractive. ESG agrees that this is a good place to start with network security solutions that:

1.  Act as a client proxy. In this model, network security appliances act as a proxy in front of client machines by executing content, web threats, and executables in a virtual sandbox. FireEye has been extremely successful with this model and others like Trend Micro are also pursuing this path.

2.  Monitor DNS. If you know what to look for, you can spot malicious activity based upon subtle DNS query behavior. This is where Damballa excels with both enteprrises and service providers.

3.  Prevent data exfiltration. Bad guys can compromise a host, escalate privileges, and find the sensitive data they are looking for, but their ultimate goal is stealing your digital assets. Network security filtering devices from vendors like Fidelis can detect and block this activity.

4.  Apply application controls. Palo Alto Networks is the poster boy here but others like Check Point, Cisco, Fortinet, and Juniper are jumping onboard. If you can block web applications you reduce your attack surface.

With the right planning, design, and implementation, network security can really enhance advanced malware protection. Unfortunately, this won’t be enough. Today’s hosts are virtual, mobile, and multiplying like rabbits due to server/desktop virtualization and BYOD. Furthermore, IT consumerization means that devices will have tremendous variation in terms of applications, configurations, patches, etc. 

Like it or not, eventually we will have to reinforce host-based defenses on top of the network. We are starting to see this behavior in play with servers as many large organizations now apply application controls from Bit 9, CoreTrace, Lumension, and McAfee. We also see a lot of tire-kicking on advanced malware protection software from Countertack, Invincea, and Sourcefire with visible startup Bromium on the horizon. ESG expects deployment of advanced malware detection/prevention on a majority of enterprise servers and endpoints within the next three years.

So ultimately enterprise organizations need both network- and host-based advanced malware defenses. Yeah, it’s a lot of work but it’s inevitable.  How about integrated network and host-based advanced malware defenses? It boggles my mind that no one is really pushing this concept, even though it makes a ton of sense. Stay tuned – one or two security vendors are bound to figure this out over time.