Network Antivirus, a Case of Need

Cybercrime, in its various forms, continues to grow.  Despite economic conditions, shrinking budgets and fewer resources, organizations must still protect themselves.


By Sean Slattery, Technical Director & McAfee Instructor at Caribbean Solutions Lab, Cayman Islands


Cybercrime Statistics (source: McAfee)

  • The number of employees using company-provided mobile devices has risen from 23% to 40% in 2010 - Source: Osterman Research, North America figures
  • On average, McAfee Labs sees 6 million new botnet infections per month
  • Malware continues to be the biggest threat facing corporate and consumer users
  • Between January and September 2010, McAfee Labs identified more than 14 million unique pieces of malware
  • Microsoft and Adobe products represent 27% of the currently known vulnerabilities (August 2011)
  • 2% of the U.S. employee workforce (2.8 million people, not including the self-employed or unpaid volunteers) considers home their primary place of work (Telework Research Network)

Cybercrime, in its various forms, continues to grow.  Despite economic conditions, shrinking budgets and fewer resources, organizations must still protect themselves from an ever-increasing amount of malware and threats.


Best Practices

Defense or protection in depth is a phrase often stated in the industry.  This often means employing both host and network protection.  The industry term "best of breed" is no longer relevant to the typical organization.  Implementing many best of breed systems, while designed specifically to excel in a specific set of applications, can pose significant challenges such as greater capital expenditure, increased training costs, decreased operational efficiencies, poor integration with other systems and duplicated business processes.  When using multiple vendors, it is very difficult to accurately correlate threat data with countermeasures or to understand the impact of changes to the environment.

Another best practice is to deploy more than one security solution per task in the organization, such as two or more vendors of host based antivirus.  However, implementing multiple antivirus vendors is fraught with challenges and is highly impractical.  It is therefore logical to place antivirus scanning at the network or gateway.  Most vendors simply add antivirus scanning engines to existing devices such as firewalls or Web gateways.  These are not purpose built antivirus gateways.  They fulfill many other roles, which can detract from the efficiency and manageability of the antivirus components.  In many cases, vendors choose to rely upon third party antivirus engines, adding unnecessary complexity to already complex environments.  Organizations with advanced security implementations will often deploy many layers of firewall, network IPS, Web and email gateways, but all from different vendors and each with one or more antivirus engines.  The inefficiencies of this type of environment are evident.


Recommendations

Intelligent investment in information security is required.  Gartner published a research note in 2005 with some guidelines.  Organizations should focus on ease of installation and deployment, ease of manageability, leverage appliance based solutions and exploit integrated solutions.  Limit technology providers and look for extensibility of functionality.  Automation, consistency of policy creation and behavior are key additional requirements.


Reality

To better understand how protection in depth can be implemented, let us examine the company best suited to provide such security, McAfee.  McAfee is best known for its host based antivirus software.  Well executed organic growth and strategic acquisitions have yielded a comprehensive portfolio unmatched by competitors.  McAfee has strong offerings in host and network solutions for: intrusion prevention, firewalls, Web protection, email protection, network access control, data loss prevention and audit.  McAfee's Global Threat Intelligence cloud based reputation services are by far the most mature in the industry, processing over 4 billion queries per day and spanning many reputation categories including file, IP, Web security, Web content, mail and network connection.

McAfee's reputation backed antivirus solutions provide substantial security improvements over pure signature based systems.  But antivirus is still fundamentally rooted in signatures and retains the administrative overhead of managing, testing, deploying and even rolling back the files.  Recommendations for which McAfee solutions are most suited to an organization are beyond the scope of this document.  Suffice it to say that an organization with an optimized security strategy will implement a combination of McAfee's host based and network based solutions.  With ePolicy Orchestrator as the foundation for security and risk management and with integration across all products, McAfee clearly meets the recommended strategies for information security.

However, a diligent reader will note the absence of an important piece of the security puzzle: purpose built network antivirus.  It is important to understand why host based security needs to be supplemented with network protection.  The simple reason is the inability to completely control endpoints.  In a desktop computing environment with very strict LAN network access controls and Web access policies, the requirement for network protection is lessened.  Telecommuting, bring your own PC initiatives, mobility and the rapid proliferation of IP enabled devices all contribute to the fact that organizations are owning, managing and controlling less of their infrastructure.  It is also quite common now for commodity operating systems to be embedded in specialty devices such as printers, ATMs and medical equipment.  While the need to protect these systems is real, installing host based antivirus is all but impossible on these devices.  Often the organization does not own or have the rights to alter these systems.


The Solution

There is a compelling need for appliance based, malware prevention systems (MPS) that are capable of inspecting network traffic for malicious payloads, connections to malicious hosts and the transmission of malicious content.  A hybrid cloud-based and signature-less approach would be ideal and reduces administrative overhead.  A simple, easy to manage and easy to understand user interface is an absolute necessity.

Enter FireEye.  FireEye's strategy places malware prevention upon purpose built hardware.  The devices typically sit at the network perimeter, just inside the firewall.  Leveraging FireEye's Malware Protection Cloud (MPC) enables blocking known attacks and callbacks to malicious hosts in microseconds.  As their market share and deployments increase, so does their effectiveness.  A key differentiator for FireEye is the ability to capture network traffic, content and file transfers and execute the payloads inside multiple on-board virtual machines.  The resulting outcome is evaluated for malicious behavior and, if necessary, further content and communication is blocked.  The virtual machines consist of operating systems and applications typically found on an endpoint, including but not limited to Microsoft and Adobe operating systems and applications.


Effectiveness

The following table shows a comparison of detection/block rates between FireEye and several prominent vendors in the Web, email and network security space:

A dataset of unique IP addresses was collected over several months from several deployments of a FireEye MPS 2000 system.  Several organizations were monitored, spanning industries such as federal government, healthcare and financial services.  The IP addresses were then tested against the other vendors' solutions or reputation services.

The McAfee Web Gateway is considered to be the most secure gateway on the market.  Its proactive antimalware engine and ability to simultaneously leverage IP, email, Web security and Web content reputation are clearly supported by the high catch rates.

While there will always be slight differences in vendors' cloud reputation services, FireEye's ability to analyze potential malware in the virtual machines prevented several threats that would never be caught by traditional signature or reputation lookups.  Malware communications to other infected hosts or command and control servers were prevented, even those destined for private (RFC 1918) IP addresses.  Global IP reputation databases cannot include reputation for private addresses and are consequently ineffective against internal malware communications.
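The blind spot described above can be made concrete in code.  The following is an added example, not taken from this paper or from FireEye's or McAfee's products: it runs constructed flow records through a constructed reputation table, returns no verdict at all for RFC 1918 destinations, and falls back there to a simple periodic-beacon heuristic (an assumption standing in for the behavioural analysis the paper describes, not FireEye's actual method).

```python
import ipaddress
from collections import defaultdict
from statistics import pstdev
# RFC 1918 ranges: a global reputation feed cannot hold a verdict for these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed stand-in for a cloud reputation lookup (sample data, not a real feed).
REPUTATION = {"203.0.113.7": "malicious"}
# Constructed flow records (epoch seconds, source IP, destination IP); not real traffic.
FLOWS = [
    (0, "192.168.1.10", "203.0.113.7"),     # known-bad external host
    (0, "192.168.1.11", "192.168.1.50"),    # internal peer contacted every 60 s
    (60, "192.168.1.11", "192.168.1.50"),
    (120, "192.168.1.11", "192.168.1.50"),
    (180, "192.168.1.11", "192.168.1.50"),
    (5, "192.168.1.12", "198.51.100.9"),    # external host with no verdict on file
]

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def reputation_verdict(dst):
    """None means no verdict is possible: the destination is a private address."""
    if is_rfc1918(dst):
        return None
    return REPUTATION.get(dst, "unknown")

def beacon_pairs(flows, min_count=4, max_jitter=5.0):
    """(src, dst) pairs contacted at near-constant intervals: a simple behavioural heuristic."""
    times = defaultdict(list)
    for t, src, dst in flows:
        times[(src, dst)].append(t)
    found = []
    for pair, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_count and pstdev(gaps) <= max_jitter:
            found.append(pair)
    return found

def triage(flows):
    beacons = set(beacon_pairs(flows))
    result = {}
    for _, src, dst in flows:
        verdict = reputation_verdict(dst)
        if verdict is None:  # private destination: only behaviour can decide
            result[(src, dst)] = "beacon:internal" if (src, dst) in beacons else "no-reputation:internal"
        else:
            result[(src, dst)] = "block:reputation" if verdict == "malicious" else "allow:" + verdict
    return result
```

The external known-bad host is blocked by reputation alone, while the internal 60-second callback is only caught because the private destination is routed to the behavioural check.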

At the time of this study, it was unknown if the other vendors offered host based and network solutions with the ability to leverage all of their reputation services.


Conclusion

FireEye Malware Prevention Systems allow organizations to substantially increase security with minimal effort, minimal administration and minimal changes to infrastructure.  As a natural complement to host based antivirus and other security systems, FireEye MPS enables best practices to be implemented in the real world.


About FireEye

FireEye is the leading provider of next-generation threat protection focused on combating advanced malware, zero-day and targeted APT attacks.  FireEye's solutions supplement security defenses such as traditional and next-generation firewalls, IPS, antivirus and Web gateways, which can't stop advanced malware.  These technologies leave significant security holes in the majority of corporate networks.  FireEye's Malware Protection Systems feature both inbound and outbound protection and a signature-less analysis engine that utilizes the most sophisticated virtual execution engine in the world to stop advanced threats that attack over Web and email.  Customers include enterprises and mid-sized companies across every industry as well as Federal agencies.  For additional information, please visit http://www.fireeye.com.

Sean Slattery is Sr. Engineer and McAfee Instructor at Caribbean Solutions Lab and will be presenting at the McAfee FOCUS Security Conference in October.