The headlines say it all -- if it's not Web-based malware infecting your desktops, it's targeted malware like that described in Mandiant's recent annual threat report on the APT1 cyberespionage group. The Chronology of Data Breaches, a list maintained by the Privacy Rights Clearinghouse, says there have been numerous malware-related breaches in the past year. We're seeing just the tip of the iceberg; what about the incidents that go undetected and unreported?
One recent approach to fighting viruses on enterprise desktops is to move beyond malware detection and instead focus on malware prevention, namely application whitelisting. Whitelisting is similar to the traditional firewall approach: Deny all traffic upfront, and permit legitimate apps to pass through. There's a new line of thinking, however, around detection that uses big data analytics to detect malware that's already on your network rather than try to prevent it in the first place.
Wait, haven't we been down this road before? Malware detection is the new prevention, I suppose. Regardless of which side of the fence you're on, consider the following questions:
- What if some of your organization's devices are already compromised? You can have all the prevention software in the world, but if intruders already have access, you're going to need a different approach to find and fight them off.
- What if you haven't yet acknowledged the known vulnerabilities in Windows that hackers target? At any given time, every organization has flaws such as missing patches, weak passwords and unhardened systems susceptible to exploitation.
- What if you don't have the proper security tools and processes to give your team the visibility it needs to fight the threats your business faces? You cannot protect yourself against, much less clean up, the malware you don't know about.
- What if your IT environment is so complex that you couldn't possibly know what to whitelist?
- Is it even realistic to keep malware from reaching every fabric of the network? Trying to prevent all malware at all times is a futile task that will only serve to set your organization up for failure.
More on malware detection and removal
Answering questions about malware and rootkits
Getting proactive with application sandboxing
What Windows admins need to know about securing desktops
Considering how Windows 8 affects desktop security
Enterprise systems threatened by targeted malware, social engineering
So, is whitelisting the best way to go, or is smarter detection the wise approach? Perhaps you can maintain bloatware on every desktop, or perhaps going the route of a thinner client/cloud-based solution is best. One thing's for sure: Malware protection always needs strengthening because new threats to enterprise desktops keep emerging. As Gilbert Arland noted, "Failure to hit the bull's-eye is never the fault of the target."
When responding to today's desktop malware challenges, you have to accept that malware is likely present on your network. With some time, skill and the right tools, you can reduce potential damage to systems, prevent data breaches and preserve your organization's reputation.
Just as important, make sure you're analyzing and resolving the enterprise desktop malware problem at the right level. Anything less is best-guess speculation -- a business risk you can't afford to take. Finally, make sure you have a plan for when malware infections occur. The questions above should get you started with malware detection.
This was first published in April 2013