by Michael Starks

Imagine if a building on every street caught fire every day.  They are small fires, which cause relatively little damage and are usually quickly extinguished by the sprinkler system.  Every once in a while, an entire building burns down because its sprinkler system hasn’t been updated in over a year.  Now imagine that people have come to believe that this is normal and expected: that as long as you keep your sprinkler system updated, you should be OK, and that if the sprinkler system does its job, the fires themselves aren’t a problem.

While analogies are never perfect, this is the basic situation we have today with viruses and anti-virus software.  Billions of dollars are spent defending against viruses, with software ranging from simple desktop scanners to multi-tiered, enterprise-class anti-virus defense ecosystems.  When they catch viruses and other forms of malware, we judge them to be successful.  We run reports with nice graphs to show management, and as long as the viruses are being caught, we feel our information is safe.

While few dispute that anti-virus software is a necessity in a modern computing environment (particularly one which contains Microsoft Windows), fewer still frame anti-virus in the proper context.  How many look at the number of viruses caught, compare it with the software’s effectiveness at catching them, and then make a plan to reduce the number of viruses detected in the first place?  In other words, how many first ensure the anti-virus software is working as intended, and then work to reduce the infection rate?

Viruses and other malware are not simple problems to solve, but there are solutions to reducing the number of infections that do not depend on the use of anti-virus software.  Among them:

-Reducing the rights a user has to run and install software.  Do your users run with Administrator rights by default?  Why?  If they’re not changing network settings, installing software and looking at logs on a regular basis, most people don’t need these rights as part of their normal job.

-Educating users about safe computing.  When a virus is detected, do you interview the user in an attempt to determine how the infection occurred?  Viruses, at least for now, are not spontaneous phenomena.  Something has to happen for an infection to take root, and usually unsafe computing behavior is involved.

-Educating users about appropriate use.  Are your users installing personal software or games (see the first point), connecting to untrusted networks or surfing to personal web sites?  To what extent are you willing to allow these activities, weighed against the cost of increased virus rates?

-Examining the choke points for data entering the network.  While the perimeter is becoming increasingly porous, looking at data flow is critical in determining how infections occur.  Do most come from drive-by downloads, or from e-mail attachments, or from removable media?  Once you know which paths the infections actually take, protections can be put in place at those paths to reduce the chance of viruses entering the network.
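The analysis the points above call for starts with the anti-virus product's own detection log: treat each detection as an alert, attribute it to the path the file took into the network and to the privilege level of the user involved, and report where the infections are actually coming from.  The script below is an added example, not code from the original post or from any anti-virus product; the pipe-delimited log format, the sample detections and the path-based vector rules are all constructed for illustration, and a real deployment would adapt the rules to its own product's log schema.

```python
"""Triage anti-virus detections as IDS signals rather than as a scoreboard.

Each detection is attributed to an entry vector (e-mail attachment, web
download, installed software, removable media) from the quarantined file's
path, and to the privilege level of the user on the machine.  The aggregate
shows which choke point and which user population account for most
infections, which is where prevention effort should go.

The log format (timestamp|host|user|admin-or-user|signature|path) and the
sample lines below are constructed for this example, not taken from any
real product.
"""
import re
from collections import Counter

# Constructed sample detections covering every vector the rules recognise.
SAMPLE_LOG = r"""
2024-03-01T08:12:03|WS-101|jdoe|admin|Trojan.Generic|C:\Users\jdoe\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABC123\invoice.pdf.exe
2024-03-01T09:40:17|WS-102|asmith|user|Exploit.PDF|C:\Users\asmith\Downloads\update_flash.exe
2024-03-01T10:05:44|WS-101|jdoe|admin|Adware.Bundle|C:\Program Files\FreeGameBar\gamebar.exe
2024-03-02T11:22:09|WS-103|bwong|user|Worm.Autorun|E:\autorun.inf
2024-03-02T13:50:31|WS-104|cpatel|user|Trojan.Downloader|C:\Users\cpatel\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\XYZ789\order.zip
2024-03-03T07:58:12|WS-102|asmith|user|Trojan.Generic|C:\Users\asmith\AppData\Local\Mozilla\Firefox\Profiles\q1w2e3r4.default\cache2\entries\7F3A
2024-03-03T15:31:55|WS-105|dlee|admin|Trojan.Dropper|C:\Users\dlee\AppData\Local\Temp\is-K9J2.tmp\setup.exe
2024-03-04T09:03:27|WS-101|jdoe|admin|Trojan.Generic|C:\Users\jdoe\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABC123\resume.doc.exe
"""

# Ordered heuristics: the first matching rule wins.  The Outlook rule comes
# before the browser-cache rule because Outlook's attachment store lives
# under INetCache on modern Windows and would otherwise be counted as web.
VECTOR_RULES = [
    ("email attachment", re.compile(r"\\content\.outlook\\", re.I)),
    ("web download/drive-by",
     re.compile(r"\\(downloads|inetcache|cache2|temporary internet files)\\", re.I)),
    ("installed software", re.compile(r"^c:\\program files( \(x86\))?\\", re.I)),
    ("removable/other drive", re.compile(r"^[d-z]:\\", re.I)),
]


def classify_vector(path):
    """Map a quarantined file path to its most likely entry vector."""
    for name, pattern in VECTOR_RULES:
        if pattern.search(path):
            return name
    return "unknown"  # worth a user interview, since the path tells us nothing


def parse_log(text):
    """Parse the constructed pipe-delimited format into one dict per detection."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|", 5)
        if len(fields) != 6:
            continue  # malformed line: skip rather than miscount
        ts, host, user, priv, signature, path = fields
        records.append({
            "ts": ts, "host": host, "user": user,
            "admin": priv.lower() == "admin",
            "signature": signature, "path": path,
            "vector": classify_vector(path),
        })
    return records


def summarize(records):
    """Aggregate detections by vector, privilege level and repeat hosts."""
    by_vector = Counter(r["vector"] for r in records)
    admin_hits = sum(1 for r in records if r["admin"])
    host_counts = Counter(r["host"] for r in records)
    return {
        "total": len(records),
        "by_vector": dict(by_vector),
        "top_vector": by_vector.most_common(1)[0][0] if records else None,
        # Share of detections on machines where the user held admin rights:
        # a high share argues for the least-privilege point above.
        "admin_share": admin_hits / len(records) if records else 0.0,
        # Hosts with more than one detection are candidates for a root-cause
        # interview rather than another clean-and-move-on.
        "repeat_hosts": {h: n for h, n in host_counts.items() if n > 1},
    }


def report(summary):
    """Print the summary the way you would hand it to the team, not management."""
    print(f"{summary['total']} detections")
    for vector, n in sorted(summary["by_vector"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:3d}  {vector}")
    print(f"admin-user share: {summary['admin_share']:.0%}")
    print(f"repeat hosts: {summary['repeat_hosts']}")


if __name__ == "__main__":
    report(summarize(parse_log(SAMPLE_LOG)))
```

Run against the constructed sample, the report shows e-mail attachments as the leading vector, half of the detections on machines where the user had Administrator rights, and two hosts with repeat detections.  That is the starting point for the process work described above: tighten attachment handling at the mail gateway, revisit who really needs local admin, and interview the users behind the repeat hosts, rather than reading the eight detections as eight successes.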

Notice that all of the points mentioned involve process, education and analysis.  None of them involve spending more money on more defense technology.  While new technology may at times be the natural outcome of that process, it should not be the first reaction.

Anti-virus software isn’t perfect; in fact, the ability of anti-virus software to detect modern malicious code has been declining in recent years.  While it is still needed, we need to look at our perception of its role in protecting information.  Is it our first and only line of defense, or is it an alarm that something else has failed?  By shifting our thinking to the root causes of infections, and by focusing on solutions to those problems, we can reframe anti-virus software as primarily an IDS rather than an IPS.  We can set goals for increasing the effectiveness of preventing malicious code while simultaneously reducing the number of detections.

Virus infections are an anomaly that we have been trained to accept as normal.  By shifting our thinking towards anti-virus as a rarely activated sprinkler system, we’ll go a lot further towards keeping our information safe.

Michael is an Information Security Professional specializing in host-based security, IDS, log analysis and compliance. He believes in applying basic security principles to an ever-changing threat landscape, and is currently exploring the various ways in which human behavior affects the success of security programs.  He is a founding member of the Rochester, NY chapter of ISSA and has served for both ISSA and OWASP. He currently holds the CISSP, GSNA and A+ certifications.  In his spare time, Michael enjoys spending time with his wife and daughter, and listening to early twentieth-century blues.
