Traditional host-based anti-malware packages just aren't that useful anymore, according to some companies that find it either doesn't protect against the main dangers they face from the Web or it simply doesn't run well in virtualized computer environments.
"We're hovering at 95% virtualized," and the move has necessitated a new approach to security, such as deploying virtual-machine-based intrusion detection and protection, says Johnny Hernandez, vice president of information security at PrimeLending in Dallas. But PrimeLending has also found that some things that worked fine in the pre-virtualized era, such as traditional host-based anti-virus software, just don't seem to run well in a virtualized environment, he says.
The company has undergone a gradual transformation from traditional physical servers and desktops to virtualized ones based on VMware vSphere. "Today, we don't run A/V in the current virtualization environment because it does have an impact on the back-end and system utilization," Hernandez says. PrimeLending has virtualized its internal financial databases, Exchange and SQL servers and SharePoint. Traditional anti-malware programs running in multiple virtual instances can disrupt application performance.
Perimeter-based malware filtering, in this case using a Cisco-based anti-malware filter, is one line of defense for the company. Physical appliances used for security, however, generally face "blind spots" in terms of VMs. But PrimeLending is now monitoring and inspecting VMs for signs of malware or attack traffic in a way it couldn't before by using the HP TippingPoint Virtual Controller (vController), the version of TippingPoint's intrusion-prevention system (IPS) for VMware-based environments. It works like a software-based extension of the physical HP TippingPoint IPS.
That has worked well at overcoming the VM "blind spot," Hernandez says, though the unexpectedly high traffic speeds that came with virtualization itself meant switching to a higher-speed TippingPoint appliance.
The vController IPS has been able to identify potential problems, such as a document that had become infected, apparently because an employee edited it on an infected home PC and then uploaded it to SharePoint. "The document stored internally was trying to gather information from another," Hernandez says. The vController IPS detected and blocked that.
PrimeLending is also using the TippingPoint vController capability to share security event data with the RSA data-loss prevention product it uses and the RSA security and event management product, EnVision.
But in the quest to find a suitable anti-malware defense that can be used for VMs, PrimeLending plans to try Trend Micro's Deep Security, which uses VMware's vShield APIs to do malware scans. It doesn't yet have a way to automate removal of malware if it somehow sneaks in, however. "There will be limitations in the beginning," Hernandez says. "It's new ground, a new effort."
Others also say traditional host-based anti-malware is not as valuable to them as it once was, because the main problems they face are coming from Web-based malware.
"We were having a lot of infections in our environment, one to two, sometimes three infections per week," says Albert Gore, director of information technology operations at the John F. Kennedy Center for the Performing Arts in Washington, D.C. He doubts most desktop anti-virus software, including the McAfee software used at the Kennedy Center, can do much against the malicious code that can be inadvertently spread by employees, contractors, and performing artists using the Web.
Facebook and YouTube are the two biggest sources of infections in the Kennedy Center's experience, Gore says. Infections mean "you have to go find out what happened, quarantine them, find out if data has been stolen, if any," he says. Malware attack episodes have shown that people do lose files or find them deleted. However, the performing arts center needs to use social networking in its business.
The Kennedy Center found its virus-infection flare-ups were largely stamped out by using a Web filtering gateway. The one in use today, the Websense Web Security Gateway, lets the IT department provide broad access to social-networking sites and the Web in general while blocking specific links that are dangerous sources of malware.
The Kennedy Center is hardly alone in coping with Web-based malware incidents.
According to a survey of 382 IT professionals published this week, 78% said their organizations had experienced at least one malware attack during the last 12 months, with a common experience being a malware attack every 73 days.
The survey, done by Osterman Research and sponsored by M86 Security, said 97% of the respondents indicated their organizations used a desktop anti-virus product of some sort, but just 60% used a secure Web gateway. The most-reported type of malware attack was traced to an infection from the Web, according to 70% of respondents. Fake software, such as fake anti-virus, ranked high. Twenty-seven percent said their malware problems had increased over the past 12 months, and only 9% said they had decreased.
The survey found that 76% reported the need to re-image computers after malware attacks, and that the typical malware attack requires a mean of 27.5 IT person-hours to remediate. It also noted that 12% of employees in the average victimized organization had their work disrupted while a malware-related problem was being remediated.