IT support services may want to rethink their approach to enterprise security – as well as their relationships with IT security vendors – based on sobering new findings from Palo Alto Networks’ inaugural publication of the Modern Malware Review. In short, the study concludes that traditional antivirus solutions are missing much – if not most – of the malware that infects networks.
The reason, according to the report, is that the vast majority – 94 percent – of malware is now delivered through web browsing or web proxies. In layperson's terms, the browser has become the low-hanging fruit for malware writers. Common targets are passwords stored in the browser and/or the manipulation of cookies.
The Weakness in Traditional Anti-Virus Products
There are a number of reasons that traditional antivirus products are failing to detect web-based malware, Modern Malware Review said. For starters, web-browsing and other web-based applications are real-time by nature, which significantly shrinks “the timescale in which detection and enforcement decisions must be made.”
More to the point, Modern Malware Review continued, web-based malware “easily leverages server-side polymorphism, which simply means that the webserver that delivers the malware can automatically re-encode the malware payload to appear unique.”
This means that huge numbers of variants can be generated on demand, with every download producing a file that no existing signature matches. It is therefore unlikely that an anti-virus vendor will capture any given variant and create a signature for it before it has already been replaced.
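The following is an added example, not code from the Modern Malware Review or from Palo Alto Networks, that models the point made above and the "execute unknown samples to see what they do" approach the report's researchers used. `PAYLOAD` is a harmless constructed byte string standing in for a malicious body; the container layout (`MAGIC` header, key length, key, XOR-encoded body) and the per-download key derivation are invented for this illustration. The simulated server re-encodes the body with a different key on every download, so each copy has a new file hash, which is exactly what a hash-based signature keys on; the second detector performs the unpacking step the sample itself would perform at run time and judges the recovered body instead of the bytes as delivered.

```python
"""Why server-side polymorphism defeats file signatures, as a runnable model.

Added example, not code from the Modern Malware Review or Palo Alto Networks.
PAYLOAD is benign constructed text; nothing here is malware. The container
format and key derivation are invented for the illustration.
"""
import hashlib
from typing import Optional

PAYLOAD = b"constructed-sample: poll c2.example.invalid for commands"  # benign text
MAGIC = b"POLY"  # hypothetical stub header for the invented container


def derive_key(download_no: int) -> bytes:
    """Deterministic per-download key so the example is reproducible.
    A real server would use a random key; the effect on file hashes is the same."""
    return hashlib.sha256(b"download-%d" % download_no).digest()[:8]


def server_encode(payload: bytes, key: bytes) -> bytes:
    """Simulate the web server re-encoding the payload for one download.
    Layout: MAGIC | key length (1 byte) | key | body XOR key (repeating)."""
    if not 0 < len(key) < 256:
        raise ValueError("key must be 1..255 bytes")
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return MAGIC + bytes([len(key)]) + key + body


def unpack(sample: bytes) -> Optional[bytes]:
    """Do what the stub does at run time: recover the real body.
    Returns None for anything that is not in the expected container."""
    hdr = len(MAGIC)
    if not sample.startswith(MAGIC) or len(sample) < hdr + 1:
        return None
    klen = sample[hdr]
    key = sample[hdr + 1: hdr + 1 + klen]
    if klen == 0 or len(key) != klen:
        return None
    body = sample[hdr + 1 + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_detector(sample: bytes, known_hashes: set) -> bool:
    """Traditional file-hash signature: hits only on bytes seen before."""
    return sha256(sample) in known_hashes


def behavioural_detector(sample: bytes, known_body_hashes: set) -> bool:
    """Unpack first (the 'execute it and see what it does' step), then match
    on the body the sample actually carries."""
    body = unpack(sample)
    return body is not None and sha256(body) in known_body_hashes


def simulate(downloads: int = 5) -> dict:
    """Build a signature from the first captured copy, then score later downloads."""
    first = server_encode(PAYLOAD, derive_key(0))
    file_sigs = {sha256(first)}      # what a signature vendor could ship
    body_sigs = {sha256(PAYLOAD)}    # what an unpacking/sandbox pipeline learns
    later = [server_encode(PAYLOAD, derive_key(n)) for n in range(1, downloads + 1)]
    return {
        "downloads": downloads,
        "unique_file_hashes": len({sha256(s) for s in later} | file_sigs),
        "signature_hits": sum(signature_detector(s, file_sigs) for s in later),
        "behavioural_hits": sum(behavioural_detector(s, body_sigs) for s in later),
    }


if __name__ == "__main__":
    print(simulate())  # signature_hits 0, behavioural_hits 5, unique_file_hashes 6
```

The toy XOR layer is of course far weaker than a real packer, but the lesson is independent of the encoding: any per-download re-encoding gives each copy a fresh hash, so the signature built from the first captured copy never fires again, while a pipeline that unpacks or executes the sample sees the same body every time.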
Steps IT Should Consider
The study’s conclusions are straightforward: To better protect the enterprise, IT workers and IT managed services must expand anti-malware strategies to include proactive, real-time network controls.
The study recommends the following:
- Bring anti-malware technologies into the network instead of keeping them on the desktop. “The data shows that malware has found particular success by moving to a more real-time use of the network, and as such security teams should expect and be prepared to enforce at the network as well,” the report said.
- Devise an automated process to determine whether unknown files are malicious or benign, and integrate that process into the network. Unknown malware has become the norm rather than the exception, the report said. The researchers behind the report, for instance, identified malware by executing unknown samples and observing what they actually do.
- Use real-time detection and blocking wherever possible. This means shifting the emphasis from detecting infections after the fact to preventing them.
- Companies, or the vendors providing their desktop managed services, must enforce user- and application-based controls on applications that can transfer files. The report notes that HTTP proxies are a common source of malware, so “organizations should ensure that only their corporate proxies are allowed and end-users are prevented from using their own web-proxies, which are often used to circumvent security policy.” Facebook, for example, can be allowed while its file transfer feature is restricted.
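As an added example of the last two recommendations enforced at the network rather than the desktop, the script below runs two policy checks over constructed log lines. It is not code from the Modern Malware Review, Palo Alto Networks or any product; the log format, the addresses, host names and application labels, and the `CORPORATE_PROXIES` and `NO_FILE_TRANSFER_APPS` lists are all constructed for the illustration. The proxy check relies on a property of HTTP itself: a client talking to a proxy sends the full URI (or a `CONNECT host:port`) as its request-target, whereas a direct request carries only a path, so a proxied request whose destination is not the corporate proxy reveals a user-supplied proxy.

```python
"""Network-side policy checks over constructed proxy/firewall log lines.

Added example; not code from the Modern Malware Review, Palo Alto Networks or
any product. Log format, addresses, host names and application labels are
constructed. Rules enforced: proxied requests may go only to the corporate
proxy, and an allowed application (Facebook here) may browse but not transfer files.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed: the only proxy end-users may send proxied requests through.
CORPORATE_PROXIES = {"10.0.0.5:3128"}

# Constructed: applications allowed in general but denied file transfer.
NO_FILE_TRANSFER_APPS = {"facebook"}

# Constructed log format: timestamp, client, server, application label as
# supplied by the log source, request Content-Type ('-' if none) and the HTTP
# request line as seen on the wire.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) app=(?P<app>\S+) '
    r'ctype=(?P<ctype>\S+) req="(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"$'
)


@dataclass
class Verdict:
    src: str
    dst: str
    action: str  # "allow" or "block"
    reason: str


def is_proxy_request(method: str, target: str) -> bool:
    """A client talking to an HTTP proxy sends the full URI as request-target
    (or CONNECT host:port for TLS); a direct request sends only a path."""
    return method == "CONNECT" or target.startswith(("http://", "https://"))


def evaluate(line: str) -> Optional[Verdict]:
    """Return the policy verdict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    if is_proxy_request(f["method"], f["target"]) and f["dst"] not in CORPORATE_PROXIES:
        return Verdict(f["src"], f["dst"], "block", "proxy request to non-corporate proxy")
    if (f["app"] in NO_FILE_TRANSFER_APPS
            and f["method"] in ("POST", "PUT")
            and f["ctype"].startswith("multipart/form-data")):
        return Verdict(f["src"], f["dst"], "block", "file transfer on restricted application")
    return Verdict(f["src"], f["dst"], "allow", "within policy")


# Constructed sample log; addresses are private/documentation ranges, not real hosts.
SAMPLE_LOG = [
    '2013-03-14T10:00:01 src=10.1.1.20 dst=198.51.100.7:80 app=web-browsing ctype=- req="GET /index.html HTTP/1.1"',
    '2013-03-14T10:00:05 src=10.1.1.20 dst=10.0.0.5:3128 app=web-browsing ctype=- req="GET http://news.example.com/ HTTP/1.1"',
    '2013-03-14T10:01:12 src=10.1.1.31 dst=203.0.113.9:8080 app=web-browsing ctype=- req="GET http://updates.example.net/dl HTTP/1.1"',
    '2013-03-14T10:01:13 src=10.1.1.31 dst=203.0.113.9:8080 app=ssl ctype=- req="CONNECT updates.example.net:443 HTTP/1.1"',
    '2013-03-14T10:02:40 src=10.1.1.42 dst=10.0.0.5:3128 app=facebook ctype=- req="GET http://www.facebook.com/ HTTP/1.1"',
    '2013-03-14T10:02:58 src=10.1.1.42 dst=10.0.0.5:3128 app=facebook ctype=multipart/form-data req="POST http://upload.facebook.com/ HTTP/1.1"',
]


def run(lines) -> List[Verdict]:
    """Evaluate every parseable line, in order."""
    return [v for v in (evaluate(line) for line in lines) if v is not None]


if __name__ == "__main__":
    for v in run(SAMPLE_LOG):
        print(f"{v.action:5} {v.src} -> {v.dst}: {v.reason}")
```

One caveat: this check only works where the request line is visible. A user whose own proxy is reached over TLS produces no readable request-target at the network boundary, so destination- and port-based rules and the application identification the log source provides are needed alongside it, and unparseable lines (for which `evaluate` returns `None`) should be surfaced rather than silently dropped.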
Such basic steps can limit some of the exposure to both generic and targeted malware entering the network.