Managing Malware - part 2


In my last blog, we looked at the changing APT landscape and identified how the volume of malware is growing into a real and likely threat to even small businesses. Here we aim to identify how small businesses can improve their security and protect against the kill chain of APT.

For security technology to work, it needs to cover three essential elements: it needs to detect malware entering the organisation; it needs to detect malware traffic moving across the network; and it needs to detect malware on the way out. In the past, companies have simply added appliances to the network that deal with each of these in isolation. Any one organisation is likely to run a combination of firewalls, virus protection and intrusion detection, among other security products. For many, the answer to a heightened threat has been to simply attach another security appliance to the network.

These traditional approaches, however, have become limited as malware grows more sophisticated. Firstly, each appliance sits in isolation. They are typically supplied by different manufacturers and are rarely capable of integrating with one another. This limits the visibility and control the IT team has over what is really happening on their network, and it often leaves them checking the individual log or report of each device to work out whether there is a problem.

Some appliances also take a blanket approach that doesn’t allow for the nuances of malware. For example, most network firewalls are traditional port- and protocol-based. The firewall is programmed to let in a certain type of traffic that arrives on a given port – let’s say https (encrypted) traffic on port 443. That means all traffic on port 443 is allowed in, whether it’s good or bad. The firewall doesn’t inspect the traffic to see what it actually is; it’s just as likely to be a piece of malware dressed up as an https request as it is to be genuine https traffic.

What we need in the fight against the kill chain of APT is a new capability, and one I call closed loop protection. This takes all of the tools available to a security team – from firewalls, malware & APT detection, real-time analysis (sandboxing), endpoint protection, correlated log analysis and others – and combines them.

This type of closed loop protection is available through next generation firewalls (NGFW). A single box inspects all traffic, identifies whether or not it is encrypted, which port it arrives on and which protocol it uses, and scans it – in real time – for malware and APT. If a piece of traffic is suspicious, the firewall runs it inside a virtual machine to observe what it does and what impact it has. This is known as sandboxing.

If the traffic is identified as malware, the firewall applies an automated response based on a set of rules you have pre-determined. This ‘spot, prove, react, prompt’ cycle all happens in real time, meaning you are protected before you know there is an issue. Some NGFWs are also able to communicate their findings wirelessly to other firewalls around the world, bringing information about, and protection against, new pieces of malware to other companies globally.
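To make the difference between the port-based rule described earlier and the protocol-aware inspection an NGFW performs concrete, here is an added illustration (not code from the original post or from any firewall vendor). It classifies a few constructed flows on port 443 by their first payload bytes and applies a pre-determined rule table; the port numbers, sample payloads and the allow/inspect/block rules are all assumptions chosen for the example.

```python
"""Port-based vs. application-aware filtering (constructed example)."""
from dataclasses import dataclass

# Ports a traditional port/protocol firewall is configured to let in.
ALLOWED_PORTS = {80, 443}

# Pre-determined closed-loop rules, keyed by the protocol actually observed.
PROTOCOL_RULES = {"tls": "allow", "http": "inspect", "unknown": "block"}


@dataclass
class Flow:
    dst_port: int
    first_bytes: bytes  # first bytes of the client's payload


def identify_protocol(first_bytes: bytes) -> str:
    """Classify the payload regardless of the port it arrived on."""
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0N.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 \
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04:
        return "tls"
    # Plaintext HTTP request line, e.g. "GET /path HTTP/1.1".
    method = first_bytes.split(b" ", 1)[0]
    if method in {b"GET", b"POST", b"HEAD", b"PUT"} and b" HTTP/" in first_bytes:
        return "http"
    return "unknown"


def port_policy(flow: Flow) -> str:
    """Traditional firewall: the destination port alone decides."""
    return "allow" if flow.dst_port in ALLOWED_PORTS else "block"


def app_aware_policy(flow: Flow) -> str:
    """NGFW-style: identify the real protocol, then apply the matching rule."""
    if flow.dst_port not in ALLOWED_PORTS:
        return "block"
    return PROTOCOL_RULES[identify_protocol(flow.first_bytes)]


# Constructed sample flows, all destined for port 443 (the "https" port).
FLOWS = {
    "real_tls": Flow(443, bytes.fromhex("160301007c010000780303") + b"\x00" * 16),
    "http_on_443": Flow(443, b"GET /update.bin HTTP/1.1\r\nHost: example.invalid\r\n"),
    "raw_binary_on_443": Flow(443, b"\x00\x00\x00\x2a\xde\xad\xbe\xef"),
}


def compare() -> dict:
    """Decision of each policy per flow: {name: (port_based, app_aware)}."""
    return {n: (port_policy(f), app_aware_policy(f)) for n, f in FLOWS.items()}
```

Only the genuine TLS handshake gets the same verdict from both policies; the plaintext and opaque payloads sail through the port rule but are sent for inspection or blocked once the protocol itself is examined.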

NGFWs are ideal for companies wanting to protect their infrastructure because they provide more integrated information about the network than ever before. The IT team can use the log data generated to spot other potential issues. For example, during a recent assessment of a media company, we used an NGFW to discover that more private email was being sent than corporate email. A high percentage of employees were also using personal cloud services while at work, which meant they were downloading files across the network that may well have contained viruses or, worse, bogus URLs. This information allowed the IT team to rewrite the rules: employees can now only upload to their private clouds, not download from them. This has eliminated illegal BitTorrent access and established a best-practice approach.

The ability to detect malware and APT in real time, and to defend your infrastructure through the different phases of the kill chain, is imperative if we are to withstand the growing volume of malware currently out there. Being able to protect the good applications your business wants to support while eliminating bad, unwanted or malicious traffic from your network, all in real time, will put your company ahead of the fraudsters and go a long way to keeping your data and company safe.

Free Application vulnerability and risk assessment

Redcentric are currently offering a free security assessment; learn more about our Application vulnerability and risk assessment.
