Spyware - Everywhere

Submitted by Mike Rothman on Wed, 2006-02-08 10:40.

Spyware is on everyone's brain. With good reason, of course, given that Webroot published some compelling statistics this week regarding the growth of spyware attacks in 2005. This is joined by Barracuda's recent announcement of a desktop cleaning agent to work in tandem with their spyware appliance. Other recent news pegs include a new web security box from IronPort that is "fast," whatever that means. There are also managed services offerings emerging, most notably from ScanSafe, though it's just a matter of time until the email hygiene services jump on this bandwagon.

I'm sure we'll see more stuff next week at the RSA conference.

Some highlights from the Webroot study:

  • "For enterprises, between Q3 and Q4 2005, the number of Trojan horse infections increased 9 percent and from Q2 to Q4 2005, the number of system monitors like keystroke loggers increased 50 percent consecutively each quarter."
  • "Throughout 2005 Webroot researchers observed a steady increase in the complexity and severity of spyware technology."

Sure, this is pretty obvious stuff, but the numbers don't lie. Spyware attacks are increasing, becoming more malicious, and harder to catch. If you haven't already, the time is now to start thinking about proactive defense against these attacks.

Malware/Spyware will be the subject of an upcoming "Battle Plan," which is a detailed Security Incite analysis of a market segment, planned for April/May. But in the meantime, here are some things to think about from an architectural perspective as you focus on the right way to defend your enterprise from this scourge.

  1. Client, Servers, and/or Perimeter - One of the major decision factors in the battle against malware is where to deploy protection. In a perfect world, you'd have protection everywhere. Of course, the world is seldom perfect and tough decisions need to be made because multi-layer protection is not free. Your decision here depends on how mobile your users are and on what kinds of external devices and people connect to your network and resources. To be clear, there is no simple answer, but you can profile a use case to get a feel for what could make sense for your organization (yes, the battle plan will detail use cases in this manner).

  2. AV vendors own the client? - AV is already at the desktop, and the AV vendors are frantically adding anti-spyware capabilities to their security suites. So why would anyone need something else on the desktop? It's not clear that you would, but integration becomes an important aspect of this. Do you need policies defined and enforced that span from perimeter to endpoint? Again, it depends on your usage characteristics, but obviously it's an uphill battle for anyone besides an AV vendor to gain presence on the desktop for any length of time.

  3. Is this a feature of UTM boxes? - From a perimeter defense standpoint, why would you need an extra box to detect spyware? Over time, you probably won't, but right now the technology is still maturing to do all of these functions effectively on one platform. But if you do have separate equipment for each traffic type (email vs. web vs. web services), you are looking at implementing malware/spyware defense on all of those devices, since attacks can arrive over any of these channels.

  4. Managed Service impact - The farther from your enterprise you stop bad stuff, the better. That's just common sense. So, the next step is to filter in the network. Managed services will have a very strong play in this sector, since it's trivial to point your pipes to a service provider for this hygiene service. Of course, scalability on the part of the service provider is critical, but the email security providers proved this model can work (functionally at least, not necessarily economically). The Web filtering and spyware folks will get there too, sooner rather than later.

  5. Complementary pieces of layered defense (anomaly detection, NAC policies, application control) - Malware defense is also just a piece of the security architecture, and thus needs to interoperate with other aspects of a layered defense. Depending on your requirements, you may want to make sure you are looking at traffic flows on your networks (for anomalous behavior) and also locking down both your networks (with NAC) and endpoints (with application control), so that each layer covers what the others miss and these defenses are complementary. Sure, economics dictate you can't do everything, but you need to make sure you are doing something.

So there is some food for thought. Much more later, as the battle plan develops and new types of attacks cause us to adapt our defenses. That's just the way of the world.