Small Business Defense – Antimalware

As many have noted before me, antivirus is dead.  However, let’s clarify a few things.

First of all, you are more likely to get hit with a virus if you don’t have antivirus than if you do, so it’s not exactly useless.  Second, you can get antivirus systems for free (Windows version here) so there’s no economic reason not to run one.  However, if you go into the process thinking that if you install an antivirus system, you’re done, then you’re making a mistake.  Antivirus may not be dead, but your system will be.

See, the way that antivirus works is by maintaining a set of signatures, or unique identifiers for a piece of malware.  This worked well enough twenty years ago, but these days, the people that write malware are pretty good at making each one have a unique signature.  So, these things can change and morph faster than you can keep up.  However, you’ve got to do something, right?  What are your options?

Ignore The Problem

My mother used to tell me that if I ignored the mean kids, they’d stop teasing me.  She was wrong.  In the same way, ignoring this problem will not make it go away.  Instead, it will likely create a situation where your systems get infected and then spread that infection to your customers and partners.  I hope that we can agree that this is no solution.

Host-Based Intrusion Prevention

Many of the traditional antivirus vendors have started rolling host-based intrusion prevention systems (HIPS) into their products.  These systems shift the problem from scanning the entire system to looking at what actually runs.  These systems can detect common security flaws and prevent malware from accessing them.  With some vendors, they are combined with application blacklisting, so you can use the same system to prevent employees from running games or installing browser plugins.

Perimeter Control

In the past, we’ve used a firewall to prevent access to internal systems.  Some people are trying to extend this idea and pushing extra capabilities onto these network devices.  The logic is that if you control where your people can go (web filtering) and what can come to them (email filtering), you can block malware at the edge of your network.  It’s a nice theory, but given that you also would have to deal with USB drives, MP3 players, CD/DVDs, wireless networks, etc etc, I have my doubts that this technique will be effective.

Application Whitelisting

As many people do, once they’re told that something’s not working, they go to the opposite extreme.  In this case, instead of building a blacklist of “bad” applications, they try to identify some known “good” applications and only allow those to run.  While I’m not a fan of extremism, it seems to be working in this case.  Bit9 seems to be the current leader in this space, but it’s only a matter of time before there are others.  The one caution here is in relying on only this technique, as if anyone uncovers a flaw in the technology that prevents the non-whitelisted applications from launching, they can then launch anything they want.  Also note that, depending on your organization, it might take a long time to define the “good” applications.

Loss Detection

One thing I recommend is to recognize that your system will probably get compromised eventually, no matter what you do.  If you implement a system that can identify your important data and let you know when it detects it somewhere where it’s not supposed to be, you can at least know that there’s a problem.  Small comfort, I know, but it’s better than not knowing, right?

Combination

Every organization will have a different set of needs and will need a different solution.  However, there are a large number of businesses out there that would likely benefit from the following type of solution:

• Application Identification – Take the time to identify which applications are required for business.
• System Imaging – Build a standard “image” of all applications that a system should have and deploy to all computers.
• Application Whitelisting – Install a product like Bit9 (there are others) to prevent anything non-approved from running.
• Antivirus – Install a product like ClamAV (free) or Sophos (pay) to serve as an additional layer of defense… especially if you have laptops.
• Document Repository – Use a centralized document repository to keep all of your documents and log who accesses them when.
• Operations: Applications – On a regular basis (monthly is good) patch all applications in your image, update the application whitelist and push the changes out to all systems.
• Operations: Data – On a regular basis (monthly is good, quarterly is acceptable, yearly is not), review the access logs on your repository and make sure that things are reasonable.

There is a lot more that you can do, and if you have servers, a lot more that you should do, but as you’re likely not doing the above yet, hopefully this gives you a good place to start.