Spyware - Everywhere
Spyware is on everyone's brain. With good reason, of course, given that Webroot published some compelling statistics this week regarding the growth of spyware attacks in 2005. This is joined by Barracuda's recent announcement of a desktop cleaning agent to work in tandem with their spyware appliance. Other recent news pegs include a new web security box from IronPort that is "fast," whatever that means. There are also managed services offerings emerging, most notably from ScanSafe, though it's just a matter of time until the email hygiene services jump on this bandwagon.
I'm sure we'll see more stuff next week at the RSA conference.
Some highlights from the Webroot study:
- "For enterprises, between Q3 and Q4 2005, the number of Trojan horse infections increased 9 percent and from Q2 to Q4 2005, the number of system monitors like keystroke loggers increased 50 percent consecutively each quarter."
- "Throughout 2005 Webroot researchers observed a steady increase in the complexity and severity of spyware technology."
Sure, this is pretty obvious stuff, but the numbers don't lie. Spyware attacks are increasing, becoming more malicious, and harder to catch. If you haven't already, the time is now to start thinking about proactive defense against these attacks.
Malware/Spyware will be the subject of an upcoming "Battle Plan," which is a detailed Security Incite analysis of a market space, planned for April/May. But in the meantime, here are some things to think about from an architectural perspective as you focus on the right way to defend your enterprise from this scourge.
- Client, Servers, and/or Perimeter - One of the major decision factors in the battle against malware is where to deploy protection. In a perfect world, you'd have protection everywhere. Of course, the world is seldom perfect and tough decisions need to be made because multi-layer protection is not free. Your decision here will be made based upon the type and level of mobility and the types of external devices and people that connect to your network and resources. To be clear, there is no simple answer, but you can profile a use case to get a feel for what could make sense for your organization (yes, the battle plan will detail use cases in this manner).
- AV vendors own the client? - AV is already at the desktop, and the AV vendors are frantically adding anti-spyware capabilities to their security suites. So why would anyone need something else on the desktop? It's not clear that you would, but integration becomes an important aspect of this. Do you need policies defined and enforced that span from perimeter to endpoint? Again, it depends on your usage characteristics, but obviously it's an uphill battle for anyone besides an AV vendor to gain presence on the desktop for any length of time.
- Is this a feature of UTM boxes? - From a perimeter defense standpoint, why would you need an extra box to detect spyware? Over time, you probably don't, but right now the technology is still maturing to do all of these functions effectively on one platform. But if you do have segmented equipment depending on the traffic type (email vs. web vs. web services), you are looking at implementing malware/spyware defense on all of the devices, since attacks can vector from anywhere.
- Managed Service impact - The further away from your enterprise you get rid of bad stuff, the better. That's just common sense. So, the next step is to filter in the network. Managed services will have a very strong play in this sector, since it's trivial to point your pipes to a service provider for this hygiene service. Of course, scalability on the part of the service provider is critical, but the email security providers proved this model can work (functionally at least, not necessarily economically). The Web filtering and spyware folks will get there too, sooner rather than later.
- Complementary pieces of layered defense (anomaly detection, NAC policies, application control) - Malware defense is also just a piece of the security architecture, and thus needs to interoperate with other aspects of a layered defense. Depending on your requirements, you may want to make sure you are looking at traffic flows on your networks (for anomalous behavior) and also lock down both your networks (with NAC) and endpoints (with application control), to ensure full protection, and that these defenses are complementary. Sure, economics dictate you can't do everything, but you need to make sure you are doing something.
So there is some food for thought. Much more later, as the battle plan develops and new types of attacks cause us to adapt our defenses. That's just the way of the world.
Hallelujah! A Standard for Anti-Spyware Testing
As discussed in Friday's post about StopBadware.org, I believe that building and maintaining a database of known "badware" is important. The missing piece of StopBadware.org is a way to caution users before they do something stupid like download a known bad application.
Another way to prevent the spread of spyware is to make sure that anti-spyware products use common terminology and meet a lowest common denominator level of effectiveness. I'm reasonably excited about an initiative announced this morning by McAfee, Symantec, Trend Micro, ICSA Labs, and Thompson Cyber Security Labs (who?).
A clip from the press release really underscores the need for this type of activity:
When publishing results and product recommendations, few product testers currently document their test samples or methodology, and many use very small sample sets in their testing environments. As a result, there is no distinguishable benchmark for comparison of anti-spyware product vendors, leaving customers unclear as to the most effective products and solutions for their environments.
This is exactly right. The industry needs a benchmark to define this moving target called anti-spyware. ICSA Labs' involvement means it may actually get done. Having worked at TruSecure, I am very familiar with the capabilities of ICSA Labs (since TruSecure, now CyberTrust, owns them). This is a significant opportunity for ICSA Labs, which has not really had another "hit" in terms of a program that users deemed a requirement for their vendors to be tested since the AV and firewall programs launched years ago. Of course, my friend George Japak (who runs the Labs) may disagree, but it is what it is.
Given the confusion around what anti-spyware is and what it isn't and whether it makes more sense to stop it at the perimeter (via a gateway appliance) or on the client or both, having a common, agreed upon testing methodology will help. ICSA Labs has built certification programs for every significant security market, so they get how to standardize the terminology and put in place a structured, repeatable process to ensure the anti-spyware products remain effective in the face of rapidly evolving threats. It won't be long before ICSA Labs rolls out a formal certification program, so that vendors can prove they meet an acceptable level of effectiveness. This will be a big positive for everyone.
Since Microsoft is giving away their anti-spyware solution, it will be interesting to see how they fare relative to the testing methodology. Microsoft is also conspicuous by their absence in this initiative. That also raises the question about Webroot, Blue Coat and Sunbelt Software. These folks (among others) should have a hand in this as well. Hopefully this is not a transparent attempt by ICSA and their anti-virus buddies to try to protect their turf. Like any of them can really stop Microsoft. Alternatively, this could be another example of Microsoft's arrogance in not thinking they have to play in the sandbox with the rest of the industry. Ultimately, this initiative must get broader industry support to have a chance of sticking.
As with everything, there are lots of things that can go wrong, but in the meantime users should enjoy the good news today. Help is on the way to ease some of the confusion around anti-spyware defenses.