If my last blog on how today’s malware penetrates your systems terrified you – you’re not the only one! Now let’s take a look at protection technologies and where they are effective.
In phase one, effective tools are those that limit or block first contact with a victim. For the majority of today’s threats, these are host- or network-based web filtering products. For protection against physical compromise, such as with APTs, device control is needed. Host-based NAC products can ensure that only ‘healthy’ endpoints are allowed to connect to a network. Even host-based firewalls can protect against misconfigured network security or the unsecured internet connections that roaming users often encounter.
In phase two, the job gets harder, especially when trying to stop previously unknown threats from exploiting new or recent vulnerabilities. Typical here is some type of buffer overflow attack, which calls for memory protection or system call interception techniques that watch for buffer overflow behaviour. Also required is scanning of memory and network traffic at the moment it is accessed, sometimes called on-access scanning. Relatively new are file whitelisting or application control products, which use a ‘deny by default’ approach so that only known files or applications can be installed.
In phase three, traditional AV has played the strongest role by scanning the disk for known malicious files. This method has the advantage of being very deterministic in detecting and cleaning all areas of the file and operating system, but remediation costs are higher. New technologies like McAfee Deep Defender protect against attacks prior to the OS loading, providing new protections for this critical threat. Deep Defender uses McAfee DeepSAFE technology to operate beyond the OS and is the first solution to provide real-time kernel memory protection to stop zero-day threats before they have a chance to hide. What is interesting about these four phases is that the various security technologies usually have a narrow role to play in disrupting malware. It also shows that traditional antivirus techniques stop malware very late in the infection process, usually after software has already been written to disk.
In phase four, change control techniques like whitelisting and access protection rules can prevent malicious software from changing known good application files, blocking the execution of many activities. Host-based firewalls can also prevent connections to known malicious bot networks and limit the loss of sensitive data.
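As an added illustration (example code written for this post, not McAfee’s product code), the following Python sketch combines the ‘deny by default’ allowlisting from phase two with the change control check from phase four: it baselines the hashes of known good application files, then classifies every file found as allowed, modified (a known path whose contents changed) or unknown (never approved, so denied). The directory layout and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(root: Path) -> dict:
    """Snapshot every file under root as {relative path: sha256}: the known-good baseline."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def evaluate(root: Path, allowlist: dict) -> dict:
    """Classify the files now present against the baseline.

    allowed:  path and hash match a known-good entry
    modified: known path whose contents changed (change control violation)
    unknown:  not in the allowlist at all, so denied by default
    """
    verdicts = {"allowed": [], "modified": [], "unknown": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel not in allowlist:
            verdicts["unknown"].append(rel)
        elif allowlist[rel] != sha256_of(p):
            verdicts["modified"].append(rel)
        else:
            verdicts["allowed"].append(rel)
    return verdicts


def demo() -> dict:
    """Constructed scenario: baseline two application files, then tamper with one and drop a new one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ known-good application")
        (root / "bin" / "helper.dll").write_bytes(b"MZ known-good library")
        allowlist = build_allowlist(root)
        # Simulated post-infection changes: a patched library and an unapproved new binary.
        (root / "bin" / "helper.dll").write_bytes(b"MZ patched contents")
        (root / "bin" / "dropper.exe").write_bytes(b"MZ never approved")
        return evaluate(root, allowlist)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be signed and stored off-host, and the ‘unknown’ verdict would block execution rather than just report it.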