If you search the Internet for anti-malware/anti-virus products or attend security conferences, you will find billions of vendors. Which solution is best? There are endpoint and server solutions, network appliances and embedded upgrades for existing applications. What separates the gazillion anti-whatever solutions, apart from price? Many claim reaction time, but what does "X faster than Y" mean when most attacks do their damage in milliseconds? It's best to step away from the vendors and understand the DATA you are protecting before considering a solution.
If data on endpoints is the primary focus, consider applications that protect 24/7 regardless of network connectivity. Signature-based technology is a commodity and shouldn't make up your strategy. The basic principle of signatures is defending against documented attacks, which will not catch zero-day threats. Behavior-based technology improves things, but it must be customized to enforce corporate policies and must have visibility into all threat vectors to be effective. Locking down services, such as disabling wireless when physically connected, and leveraging patch management solutions dramatically decreases the reliance on anti-virus/anti-malware services. There are alternatives to endpoint anti-virus/anti-malware solutions, such as leveraging proxy-based technology. Proxy solutions act as a middleman between the data and the endpoints, separating infected machines from the inside network.
Anti-malware/anti-virus vendors are targeting appliance solutions at the commercial market. There are Intrusion Detection/Prevention Systems (IDS/IPS) with anti-malware/anti-virus functions, as well as malware appliances that sit on the wire, passively or inline, and scan for threats. These solutions can only see the traffic that crosses the wire they touch, and if deployed inline they typically add latency. Email and web security appliances usually include native scanning or partner with anti-virus/anti-malware vendors as part of their suite. It's key that these work together, as users could use one channel to bypass the other (i.e. avoid corporate email security by using web email such as Gmail). FireEye took an interesting approach by developing a solution that executes suspicious code/objects in a virtual environment and identifies their intent before releasing them to the real network. Cisco IronPort offers a layer 4 traffic scanner in its web security appliance that scans SPAN ports for malware/bot phone-home activity from compromised devices. The list goes on for anti-malware/anti-virus appliance solutions, so consider where sensitive data sits and how that data moves before dropping appliance technology onto the network.
The most important thing to realize is that the threats are real. Attackers don't want to be noticed and will use multiple attack vectors to reach your data. Best practice for choosing security solutions is to weigh the likelihood of being compromised against the impact to your business of that data being lost. Building security into the data handling process, rather than bolting it on after the fact or around wherever the data sits, will save you tons of money. Including your agency's policies in security planning is a must, and education is key to success. Users are the weakest link, so solutions that are transparent to them will be the most successful. Detection is critical, and it is typically delivered by a monitoring solution built on Security Information and Event Management (SIEM) technology. Tuning out false positives and developing workflows for handling incidents will determine how successful you are at protecting what matters most ... the DATA. Viruses and malware are only one of many attack vectors, so look past the vendors and understand your data before you drop the money on a solution.