Albert Gonzalez stands accused of masterminding a ring to use malware to steal and sell more than 170 million credit card numbers in 2006 and 2007, the largest computer fraud in history. Gonzalez and his accomplices used SQL injection and packet sniffer malware software to create backdoors to several corporate systems in order to steal computer data.
More recently, a trojan horse program stole more than 1.6 million records belonging to people from Monster's job search service. The data was used by cybercriminals to craft phishing emails targeted at Monster.com users to plant additional malware on users' PCs.
Any good defense-in-depth security architecture will include several tools for protecting servers and workstations from malicious software. Malware is the malicious unwanted software that shows up as a virus, worm, trojan horse, rootkit, spyware, some adware, bots, keystroke loggers and dialers. Malware targets defects in operating system designs and uses those defects to steal information or take control of the compromised system. Solutions for providing protection against this malicious software include anti-virus, anti-spyware, anti-spam, anti-adware rootkit detection all rolled into an anti-malware offering.
Our criteria for the product reviews this month focused on technologies that are used to provide a central point for mitigation of the threat of malware. Malware management, for purposes of this group, was defined as a product that reduces the threat of malware for small, medium or large enterprises on an organization basis.
We saw a couple of approaches to solving the malware challenge. The first group of products took an anti-virus-like approach to scanning and identifying threats in the operating system files, applications and registry. The second group used the approach of managing the ability to place a file onto the PC without a user's approval or knowledge. We were interested in the strategies the various products took to remediate the risk against today's more sophisticated blended threats. We were interested in the kinds of malware that these products could identify and stop. Since a breach is inevitable, we were also interested in the logging, event notification and reporting capabilities of the products to provide things like real-time alerting and auditing support.
We did not test the products for their catch rates. We were looking for the products' ability to identify, alert and stop zero-hour threats. Some products used firewall and IDS-like approaches to lock down executables, applications and registry items. Some used advanced heuristics for threat detection. Others provided scripting tools to allow for a wide range of additional management and alerting options. We focused heavily on the products' management solutions. Some used web-based dashboards for centralized alerting and reporting. Others allowed for full endpoint management, endpoint software deployment, centralized management, alerting, reporting and backup of client configurations. Some provided full network discovery via LDAP or Active Directory. Others provided network mapping via ICMP-based means, while still others required manual endpoint deployments that could then be managed by a central solution. We were also interested in the products' ability to provide near real-time updates to virus and spyware engines and databases through a centralized means that would reduce load on network bandwidth.
Each of the products reviewed provided multiple components of the malware definition. Most provided anti-virus and anti-spyware. Some took a completely different approach in that they relied on other products to deliver the traditional signature-based virus and spyware protection (i.e., protecting against the threats we know), while they took a more focused approach on protecting from the unknown threats.
Most of the solutions deployed easily with fully automated processes that included the software load followed by a wizard-based configuration tool for setting up the basic management functions. We reviewed the centralized management capabilities of the various solutions. We focused on the usability of the user interface, the ability to detect or import the user workstations, automated or easy agent or software deployments, detailed alerting and event information, reporting and auditing capabilities and advanced capabilities for detecting non-signature based threats.
The solutions we reviewed all did a nice job attacking the malware problem. The integrated solutions were easy to use and manage, while the more focused solutions would make a great collection of tools if budget and personnel power allows you to support that approach.