Malware Response guide (By Microsoft)

Those who followed the latest RSA SFO 2011 conference via tweet or live likely attended one of the "Ahh, I have been breached, now what?" themed sessions. These were very popular and provided great insight. The firms participating in the discussion represented some of the largest and most sophisticated in the world. The greatest takeaway I took from these discussions was the necessity to shift our approach to infections.

I wrote briefly on the subject, but after receiving the February 17, 2011 updated Malware Response guide from Microsoft (and thanks to Roger Halbheer for the quick post) I can provide a bit more substance.

Today most malware that hits businesses infects on average 15 machines (pulled from a presentation at RSA). That means the intent is to infect not a lot of machines, but enough, and then to change. This makes simple AV and help desk responses minimally effective. In fact, based on several statistics, the AV component as a control is less than 30% effective. The additional challenge is that today's malware is very sophisticated and designed to exfiltrate data from the business. Approaching these infections without the full attention and talent of the organization is a mistake.

Specifically, I would propose that ANY infection be treated as an INCIDENT unless proven otherwise. This means the incident response functions must be more effective, must scale, and must be able to rapidly diagnose the situation on a per-machine basis. Microsoft's Infrastructure Planning and Design Guide for Malware Response is a great basis to build from.

Here is the link to Roger's short post highlighting the graphic model. Pay particular attention to the 3 major options:

  1. Attempt to clean the system
  2. Attempt to restore system state
  3. Rebuild the system

Key phrase: Attempt. And this comes from the provider of the operating system and of a substantial amount of enterprise infrastructure safeguard tooling.

Bottom line: the threats have shifted, and therefore our responses within corporations must match them play for play. I see this shift in the PCI DSS standard in how assessments and audits are being conducted. I am also beginning to see a shift beyond the mere presence of controls to their coverage and effectiveness. The AICPA has introduced SOC1, SOC2 and SOC3 as a broader effort to provide greater clarity in our technology world.

Other thoughts?  Challenges?

James DeLuccia IV


One response to "Malware Response guide (By Microsoft)"

  1. Hello James,

    Congratulations, you did a very nice job in this blog! I didn't find a better way to talk to you, so I'm doing it through this comment...

    I think I have a good question/challenge for you!
    I'm working on an e-commerce project and it has a new function that allows a customer to buy products via a pre-registered card. In a few words, the customer registers the card (PAN and CVV) on his personal page and, when he wants to buy something, he clicks on a special button that allows him to choose the pre-registered card as the payment method and goes to the confirmation page. This information is stored encrypted in the database and they have some controls on who accesses this data and how this data is accessed. I know that we cannot store such information, but as a competitive differential, the client wants to provide this agility to his customers. If we have a lot of compensatory controls on who accesses this data and how this data is accessed (and others, required by PCI DSS), can we say this is enough to certify this function as PCI compliant?

    Thanks in advance!

    Diógenes from Brazil
