Network Security Tactics

Fighting spyware with unified threat management

Lisa Phifer
03.27.2007
Spyware is no longer just a petty nuisance, clogging enterprise desktops and access links -- it's also crimeware, driven by the desire for illicit profits. Gartner estimates that these financially motivated attacks will represent 70% of all network security incidents by 2010.

Winning the war against malicious spyware requires a layered defense applied at the desktop, server and network edge. Security professionals are already familiar with desktop antispyware programs, but consider also how unified threat management (UTM) appliances can help you defeat spyware at network and workgroup perimeters.

More information on UTM

In a live webcast on Wednesday, Mar. 28, at noon ET, Lisa Phifer will review which UTM offerings are the best fit for your organization.

To learn more about the basics of unified threat management, including the different technologies and implementation choices available, check out Joel Snyder's UTM lesson in our Intrusion Defense School.
Here, there, everywhere
From pesky adware like ISTBar to stealthy attacks like Trojan-Backdoor-SecureMulti, spyware is now held responsible for one out of four help desk calls and half of the PC crashes reported to Microsoft. IDC estimates that more than 75% of corporate desktops get infected with spyware. According to antispyware vendor Webroot Software Inc., spyware-related downtime and cleanup costs corporations approximately $250 per user annually.

Fighting spyware on the desktop requires new techniques and tools, because spyware has not only evolved considerably in recent years but also behaves differently from viruses and worms. Many enterprise products (e.g., CA Inc.'s eTrust Pest Patrol, Lavasoft Ad-Aware Enterprise, Webroot Spy Sweeper Enterprise) focus exclusively on host spyware eradication. Antispyware programs are also being rolled into desktop security suites, such as Symantec Corp.'s Client Security, which combines host antivirus, antispyware, firewall and intrusion prevention. Microsoft has embedded basic antispyware defenses into its recently released Windows Vista operating system.

Network antispyware
In most companies, desktop antispyware simply isn't good enough. Employees connect infected laptops to the corporate network; desktop software breaks or becomes out of date; visitors, contractors and home workers don't run your chosen antispyware program. Protecting an entire network against spyware really requires a network-based product that can be easily controlled by IT.

UTM appliances complement desktop antispyware by enforcing spyware policies at the network edge. Most UTM appliances, from companies like Cisco Systems Inc., Crossbeam Systems Inc., Juniper Networks Inc., Fortinet Inc., WatchGuard Technologies Inc., SonicWall Inc., and Secure Computing Corp., among others, consolidate firewall, intrusion prevention and antivirus scanning, and may provide additional security services, including VPN, Web filtering, antispam and antispyware.

Antispyware benefits from this unified approach, because network-based defenses can run the gamut from outbound request filtering -- functions one might ask of a firewall or Web filter -- to inbound content inspection, which can resemble intrusion prevention or even antivirus capabilities. Depending on the feature set, countermeasures that may be implemented on a UTM appliance include:

  • Blocking outbound requests to risky Web sites: Many spyware infestations start when a user clicks on a malicious URL embedded in a Web page or a phishing email. UTM appliances can filter outbound HTTP traffic to block access to blacklisted domains and URLs that fall into banned categories (e.g., phishing, P2P file sharing and adware/spyware sites). Stopping a problem before it starts is generally less expensive than cleaning it up later. With tenacious spyware -- especially rootkits -- a complete system rebuild may be required to make a compromised host truly trustworthy again.
  • Stripping banned objects from inbound messages: Although the public blacklists and URL databases used by appliances are constantly updated, new spyware programs will slip through the cracks. Most UTM appliances can also be configured to block active content and banned MIME types carried by HTTP, FTP, POP and other protocols, including unsigned ActiveX controls, Java applets, VB scripts and PC executables. This can be tricky in practice: executables can be "hidden" inside zip archives, and HTTP sessions encrypted with SSL cannot be inspected at the network edge.
  • Network-based spyware scanning: Some UTM appliances can look beyond message headers and content types, scanning inbound application payloads for known spyware. This technique is a logical extension of desktop antispyware scanning. Like desktop scanners, UTM appliances can use regularly updated signature databases and may take configurable actions -- dropping, cleaning, deleting, quarantining -- when spyware is detected.
  • Back-channel blocking: Unlike desktop antispyware programs, UTM appliances cannot observe the local system behavior of spyware launched on a desktop. However, appliances are well-positioned to react immediately to spyware network behavior. Many UTM appliances can use malware databases to block known spyware back channels, such as outbound HTTP connections to adware servers, outbound non-bizware connections like instant messaging and "phone home" messages sent by remote control Trojans and keystroke loggers. They may generate alerts to help spot infected hosts, and even quarantine those hosts to prevent damage prior to remediation.
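The four countermeasure classes above can be read as one ordered policy pipeline over a single network flow. The following Python model is an added illustration, not code from the article or from any UTM vendor: the domain blacklist, URL categories, banned MIME types, signature pattern, back-channel server list and sample flows are all constructed placeholders, and the `.example` hosts and `10.0.0.x` / `203.0.113.x` addresses are documentation ranges, not real targets. It also demonstrates the two caveats from the text: an executable packed inside a zip archive is found by opening the container, while an SSL-encrypted session passes through uninspected, which is why desktop antispyware still matters.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy tables standing in for an appliance's blacklists, URL
# category database, MIME policy, signature database and back-channel list.
BLOCKED_DOMAINS = {"adware.example", "phish.example"}
DOMAIN_CATEGORY = {"tracker.example": "adware/spyware", "share.example": "p2p"}
BANNED_CATEGORIES = {"adware/spyware", "phishing", "p2p"}
BANNED_MIME = {"application/x-msdownload", "application/x-msdos-program",
               "application/x-java-applet"}
SPYWARE_SIGNATURES = {"TEST-SPY-001": b"SPYWARE_BEACON_v1"}  # constructed
BACKCHANNEL_DOMAINS = {"c2.example"}                         # constructed
NON_BIZWARE_PORTS = {5190: "AIM", 6667: "IRC"}               # constructed
PE_MAGIC = b"MZ"  # leading bytes of a Windows PE executable


@dataclass
class Flow:
    direction: str           # "outbound" (LAN -> Internet) or "inbound"
    src_host: str
    dst_host: str
    dst_port: int
    protocol: str            # "http", "https", "pop3", "ftp", ...
    mime_type: str = ""
    payload: bytes = b""


@dataclass
class Verdict:
    action: str              # "allow", "block" or "quarantine"
    reason: str
    alert_host: Optional[str] = None  # internal host to flag as infected


def zip_member_heads(blob: bytes, nbytes: int = 2) -> List[Tuple[str, bytes]]:
    """(name, first nbytes) of each file in an in-memory zip; [] if corrupt."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [(i.filename, zf.open(i).read(nbytes))
                    for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return []


def inspect_flow(flow: Flow) -> Verdict:
    """Outbound: request filtering and back-channel blocking.
    Inbound: banned-object stripping, then payload signature scanning."""
    if flow.direction == "outbound":
        if flow.dst_host in BLOCKED_DOMAINS:
            return Verdict("block", f"blacklisted domain {flow.dst_host}")
        category = DOMAIN_CATEGORY.get(flow.dst_host)
        if category in BANNED_CATEGORIES:
            return Verdict("block", f"banned URL category '{category}'")
        if flow.dst_host in BACKCHANNEL_DOMAINS:
            # Phone-home to a known spyware server: the internal source is
            # the likely infected host, so alert on it and quarantine it.
            return Verdict("quarantine", "known spyware back channel",
                           alert_host=flow.src_host)
        if flow.dst_port in NON_BIZWARE_PORTS:
            return Verdict("block", f"non-bizware {NON_BIZWARE_PORTS[flow.dst_port]}")
        return Verdict("allow", "outbound policy passed")

    if flow.protocol == "https":
        # Only ciphertext is visible here: the SSL caveat from the text.
        return Verdict("allow", "TLS payload not inspectable at the edge")
    if flow.mime_type in BANNED_MIME or flow.payload.startswith(PE_MAGIC):
        return Verdict("block", "banned object type (executable/active content)")
    if flow.mime_type == "application/zip":
        for name, head in zip_member_heads(flow.payload):
            if head.startswith(PE_MAGIC):
                return Verdict("block", f"executable '{name}' hidden in zip")
    for sig_id, pattern in SPYWARE_SIGNATURES.items():
        if pattern in flow.payload:
            return Verdict("quarantine", f"spyware signature {sig_id}",
                           alert_host=flow.dst_host)
    return Verdict("allow", "inbound inspection passed")


def build_zip(members: dict) -> bytes:
    """Constructed helper: pack {name: bytes} into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample flows, one per countermeasure plus the two caveats.
SAMPLE_FLOWS = [
    Flow("outbound", "10.0.0.5", "phish.example", 80, "http"),
    Flow("outbound", "10.0.0.5", "c2.example", 80, "http"),
    Flow("inbound", "203.0.113.9", "10.0.0.7", 80, "http", "application/zip",
         build_zip({"invoice.exe": b"MZ\x90\x00fake"})),
    Flow("inbound", "203.0.113.9", "10.0.0.7", 110, "pop3", "text/plain",
         b"hello SPYWARE_BEACON_v1 world"),
    Flow("inbound", "203.0.113.9", "10.0.0.7", 443, "https", "", b"\x16\x03\x01"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        v = inspect_flow(f)
        print(f"{f.direction:8} {f.dst_host:16} -> {v.action:10} {v.reason}")
```

Running the block prints one verdict per sample flow. The ordering matters: cheap outbound checks run before any payload is touched, and the quarantine verdicts carry the internal host so the appliance's alert can point an administrator at the machine to remediate rather than at the remote server.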

When it comes to fighting spyware, a single countermeasure won't do the trick; for example, UTM appliances cannot protect remote access devices when connected to external networks. Combining desktop and network antispyware covers both bases.

UTM appliances are extremely diverse and will continue to evolve along with spyware itself, so look very closely at any given product's feature set to determine how it can help you battle this scourge. Also give serious consideration to the impact that network antispyware may have on appliance capacity, throughput and message latency.

Weighing these factors, consider UTM to strengthen spyware defenses while reducing the operational and productivity burdens associated with this increasingly stealthy, malicious and expensive network threat.

About the author:
Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Lisa has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for over 20 years. At Core Competence, she has advised large and small companies regarding security needs, product assessment and the use of emerging technologies and best practices. Before joining Core Competence, Lisa was a member of technical staff at Bell Communications Research where she won a president's award for her work on ATM network management.

Copyright 2003 - 2008, TechTarget