Ten best practices for controllingmodern malware

Learning Objective:

•Combating malware and botnets with security best practices.

1. Ensure visibility into all traffics

Accurately classifying all traffic.

Extending visibility beyond the perimeter

2. Restrict High-Risk Applications

Block (or limit) P2P applicationsBlock unneeded applications that can tunnel other applicationsBlock applications known to be used by malwareBlock anonymizersBlock encrypted tunnel applicationsLimit use of approved proxies to authorized users with alegitimate business needLimit use of remote desktop protocols and applicationsto authorized users with a legitimate business need

3.Selectively Decrypt and Inspect SSL Traffic

Enterprises need to control SSL traffic with: ✓ Decrypt policies that allow decryption and inspection

of the following SSL traffic:• Social networking• Web-based e-mail• Instant messaging• Message boards• Micro blogging• Gaming sites

3.Selectively Decrypt and Inspect SSL Traffic

✓Do-not-decrypt policies that protect the confidentiality and integrity of the following SSL traffic:• Health care applications, information, and sites• Financial applications, data, and sites• Secure channels

4. Sandbox Unknown Executablesand Attachments

Modern attackers are increasingly turning to customized malware targeted at a particular enterprise network or a specific host.

Signatures can only protect against malware that has been previously detected and analyzed.

To address this vulnerability, enterprises should supplement their signature-based tools with direct analysis of unknown executables for malicious behaviors.

Direct analysis is typically done by placing the unknown executable file in a virtual environment to observe how it would behave in a vulnerable environment.

5. Block URLs That Are Known to Host Malware

A strong URL filtering solution should be able to keep track of sites that have been known to deliver malware.

In addition to known bad sites and URLs, extra caution should be exercised with any recently registered or unclassified domains

IT security teams must be able to update URL classifications based on malware that may have been identified through sandboxing.

6. Enforce Drive-by-DownloadProtection

Enterprises must enforce drive-by-download protection toprevent infections by:

✓ Detecting downloads in the background, even unknown exploits and malware

✓ Automatically reporting drive-by-downloads to the user and either blocking the download or requiring the user to acknowledge and permit the download

✓ Training users not to just click “OK” or “Accept” but to read and understand pop-up warnings from their network firewall

7. Block Known Exploitsand Malware

IT organizations commonly disable many known vulnerability signatures and features in intrusion prevention systems or anti-malware software for performance reasons.

The single unified threat engine in a true next-generation firewall is designed to process high volumes of network traffic in real-time to detect all threats, without sacrificing performance or reliability

8. Limit Traffic for CommonApplications to Default Ports

Legacy port-based firewalls simply allow traffic across an open port and assume that it is the default application or protocol for that port.

A next-generation firewall compares the traffic to application signatures in order to accurately identify the application or protocol, and allows you to set policies that permit only the default application on a common port and block everything else.

9.Evaluate Network andApplication Events in Context

To evaluate events in context: ✓ Develop context-based visibility with accurate information

about applications, signatures, sources, and behaviors.

✓ Correlate events by user and application, including• Known malware• Known exploits• Phone-home detection• Download history• URL categories

10.Investigate Unknowns

Unknown traffic should be tracked and investigated to find potential malware or other unidentified threats on the enterprise network.

Unknown or unclassified URLs

Unknown encryption