We hear about new security threats and incidents affecting enterprise infrastructure periodically. In this section, we discuss the latest trends in managing these threats.
What is malware?
Malware, short for malicious software, harms the enterprise network in one way or another. Spyware steals confidential data. Ransomware disrupts operations and demands a ransom to restore them. Crypto miners slow down servers by using them to mine cryptocurrencies. And so on.
The two characteristic features of malware are:
- they cause harm, and
- they spread fast to nearby devices.
How do they infect?
- Infected file downloads
- Visiting infected websites
- Network and disk propagation
These are delivered in a variety of ways. The most common are:
- social media messages
- malicious advertisements
- pirated software
- removable disks
- unsecured ports
What are the critical issues amplifying this threat?
- User diligence.
- Unsecured user devices.
- Encrypted network traffic.
What do you do about user diligence?
As human error causes most security breaches, the first step is user awareness training. Despite being aware, users are still tempted by malicious emails and websites that play on:
- fear (messages about diseases, new laws that impact you, etc.),
- greed (sales advertisements at improbably low prices, lottery winnings, etc.),
- curiosity (intriguing pictures and headlines as click baits),
- compassion (asking for help, taking advantage of a person's inherent propensity to help),
- familiarity (messages pretending to be from people or organizations that you know).
Presented as urgent, they force the user to make a quick, uninformed decision.
The attackers are in a statistical game that requires only a tiny fraction of their attempts to work. Therefore, user training is not a complete solution; enterprises need other tools to reduce the threat.
How is the threat contained?
Whatever the policies, administrators must expect some malware to sneak through. The solution hinges on three activities.
- Monitor network traffic.
- Secure and monitor user devices.
- Segment the network to contain the spread.
How is network traffic monitored?
- Email scanners scan email traffic to locate phishing attempts and infected attachments.
- Intrusion Prevention Systems (IPS) scan network traffic for known malware signatures and suspicious anomalous behavior.
- Threat intelligence systems help in locating Zero-Day threats and Advanced Persistent Threats.
What is a Zero-Day Threat?
Commercial systems may have vulnerabilities hitherto unknown to the manufacturer. An attack is zero-day if it occurs before the manufacturer knows about it, zero referring to the number of days between the attack and the manufacturer's discovery of the vulnerability.
What is an Advanced Persistent Threat?
Nation-states and organized crime syndicates have started using cyber attacks on prominent private and public organizations. Termed Advanced Persistent Threats, these attacks are hard to defend against without the right tools and expertise. They are:
- advanced, because the attacker has access to sophisticated open-source and commercial tools,
- persistent, as they persevere in finding vulnerabilities in their target's systems, and
- coordinated by human threat actors, who provide intent and expertise to achieve specific objectives.
Why is encryption a problem?
Encryption turns data into gibberish to prevent theft. However, it also prevents network-based scanners from inspecting that data.
How do you deal with this issue?
For smaller organizations, a Next-Generation Firewall (NGFW) could be enough. It combines traffic decryption and intrusion prevention in the same box in addition to standard firewall functions.
In more extensive networks where separate appliances perform these functions, successive decryption and re-encryption in each service causes higher latency. The cryptographic operations, being resource-intensive, waste processing capacity at each scanner.
What can you do about that?
Over-sized security scanners and high network latency increase cost and diminish user experience. Ironically, the solution lies in adding another device, a Network Packet Broker.
A Network Packet Broker decrypts the data traffic, passes the unencrypted data through all the scanners residing on a separate network segment, and re-encrypts the data before forwarding it.
With hardware-accelerated cryptography, Network Packet Brokers reduce latency. None of the other services now perform cryptographic operations, thereby reducing the processing capacity needed.
What is the story with protecting user devices?
User devices, or endpoints, are the gateways that bring in malware. Users execute email attachments, plug in infected removable drives, visit dubious websites, etc. Endpoint protection software keeps track of disks, network, and memory on a user device, looking for malware signatures.
How do you keep the endpoint protection (EPP) software updated on many user devices?
EPP efficacy does depend on keeping the software on all user devices up to date. All endpoint detection and response (EDR) systems now have central orchestrators that automate this process.
Is there a way to prevent the spread of malware once a device gets infected?
Microsegmenting a network is the best way to achieve this. Traditional networking divides a vast network into several broadcast domains called Virtual LANs, with a reduction in overall broadcast traffic being its primary goal.
All hosts in a virtual local area network (VLAN) see each other unimpeded. Only a firewall on the host itself can restrict incoming traffic. Software-defined networking changes that by creating a network perimeter around every network host. Such a micro-perimeter prevents host visibility on the network, reducing virus spread significantly.
An Indian startup, Block Armour, uses centrally controlled firewall/VPN agents on every host to implement a software-based device perimeter. While intended as a solution for access control, it also helps in containing malware spread significantly.
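The containment effect of a micro-perimeter can be checked before rollout by computing which hosts are reachable from a compromised one. The following is an added example, not part of the original page and not any vendor's code; the host names and the allow-list are constructed for illustration.

```python
from collections import deque

# Constructed sample: six hosts on one VLAN (hypothetical names).
HOSTS = ["laptop-1", "laptop-2", "laptop-3", "file-srv", "db-srv", "print-srv"]

# Micro-perimeter policy (assumed): (source, destination) flows that the
# central controller allows. Anything not listed is dropped (default deny).
ALLOWED_FLOWS = {
    ("laptop-1", "file-srv"),
    ("laptop-2", "file-srv"),
    ("laptop-3", "print-srv"),
    ("file-srv", "db-srv"),
}

def flat_vlan_can_reach(src, dst):
    """Traditional VLAN: every host sees every other host."""
    return src != dst

def microsegmented_can_reach(src, dst):
    """Per-host perimeter: only explicitly allowed flows pass."""
    return (src, dst) in ALLOWED_FLOWS

def blast_radius(start, can_reach, hosts=HOSTS):
    """Hosts reachable from `start`, hop by hop (breadth-first search).
    Worst case: assumes every reachable host is susceptible."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for host in hosts:
            if host not in seen and can_reach(current, host):
                seen.add(host)
                queue.append(host)
    return seen - {start}

def compare(start):
    """Exposure of the same infected host under both network designs."""
    return {
        "flat": sorted(blast_radius(start, flat_vlan_can_reach)),
        "microsegmented": sorted(blast_radius(start, microsegmented_can_reach)),
    }

if __name__ == "__main__":
    for host in HOSTS:
        result = compare(host)
        print(f"{host}: flat={result['flat']} micro={result['microsegmented']}")
```

Note that laptop-1 still reaches db-srv transitively through file-srv, which is the kind of indirect path an allow-list review should look for.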
What brands do you prefer?
While we have partner relations with many product companies, we do not prefer any specific brand; we decide on a suitable product in collaboration with the customer based on their needs.