Those who followed the latest RSA SFO 2011 conference via tweet or live likely attended one of the "Ahh, I have been breached, now what?" themed sessions. These were very popular and provided great insight. The firms participating in the discussion represented some of the largest and most sophisticated in the world. The greatest takeaway I took from these discussions was the necessity of shifting our approach to infections.
I wrote briefly on the subject, but after receiving the February 17, 2011 updated Malware Response guide from Microsoft (and thanks to Roger Halbheer for the quick post), I can provide a bit more substance.
Today most malware that hits businesses infects on average 15 machines (a figure pulled from a presentation at RSA). That means the intent is to infect a small number of machines, enough to establish a foothold, and then change. This makes simple AV and help desk responses minimally effective. In fact, based on several statistics, the AV component as a control is less than 30% effective. The additional challenge is that today's malware is very sophisticated and designed to exfiltrate data from the business. Approaching these infections without the full attention and talent of the organization is a mistake.
Specifically, I would propose that ANY infection be treated as an INCIDENT unless proven otherwise. This means the incident response functions must be more effective, must scale, and must be able to rapidly diagnose the situation on a per-machine basis. Microsoft's Infrastructure Planning and Design Guide for Malware Response is a great basis to build from.
Here is the link to Roger's short post highlighting the graphic model. Pay particular attention to the three major options:
- Attempt to clean the system
- Attempt to restore system state
- Rebuild the system
Key phrase: attempt. And this is from the provider of the operating system and a substantial number of enterprise infrastructure safeguard tools.
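To make the "every infection is an incident" proposal concrete, and to show how the three options above (clean, restore, rebuild) fit into per-machine tracking, here is an added example. It is not code from this post or from Microsoft's Malware Response guide. It reads a constructed AV console export, opens one incident per threat family instead of one help desk ticket per alert, widens the incident's scope as the same family shows up on more hosts, and refuses to close the incident until an analyst has recorded an outcome for every in-scope machine. The log line format, host names, user names and threat names are all assumptions made up for the illustration.

```python
"""Treat every AV detection as an incident: one record per threat family, scoped by host.

Added example for this post; it is not code from the post or from Microsoft's
Malware Response guide. The AV log format, host names, user names and threat
names below are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample AV console export: the same family on several hosts, one
# host re-detected after a "cleaned" verdict, and one host where AV could only alert.
SAMPLE_AV_LOG = """\
2011-02-18T09:12:04Z host=FIN-WS-017 user=jsmith threat=Trojan.Zbot.Gen action=quarantined
2011-02-18T09:13:51Z host=FIN-WS-022 user=amiller threat=Trojan.Zbot.Gen action=cleaned
2011-02-18T09:20:10Z host=HR-WS-003 user=bwong threat=Adware.Toolbar action=quarantined
2011-02-18T10:02:33Z host=FIN-WS-017 user=jsmith threat=Trojan.Zbot.Gen action=cleaned
2011-02-18T10:41:09Z host=FIN-LT-005 user=cfo threat=Trojan.Zbot.Gen action=detection_only
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"threat=(?P<threat>\S+) action=(?P<action>\S+)$"
)


@dataclass
class Incident:
    incident_id: str
    threat: str
    first_seen: str
    last_seen: str
    # host -> AV actions seen on that host, in time order
    host_actions: dict = field(default_factory=lambda: defaultdict(list))
    users: set = field(default_factory=set)
    # host -> analyst-recorded outcome; the incident cannot close until every host has one
    diagnoses: dict = field(default_factory=dict)
    status: str = "open"


def parse_av_log(text):
    """Parse the constructed log format into dicts, oldest first; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return sorted(events, key=lambda e: e["ts"])


def build_incidents(events):
    """Open an incident the first time a threat family is seen; later detections of the
    same family widen that incident's scope instead of becoming separate help desk tickets."""
    incidents = {}
    for ev in events:
        inc = incidents.get(ev["threat"])
        if inc is None:
            inc = Incident(f"INC-{len(incidents) + 1:04d}", ev["threat"], ev["ts"], ev["ts"])
            incidents[ev["threat"]] = inc
        inc.host_actions[ev["host"]].append(ev["action"])
        inc.users.add(ev["user"])
        inc.last_seen = ev["ts"]
    return incidents


def escalation_reasons(inc):
    """Reasons this incident belongs with the IR team rather than the help desk.
    An empty list closes nothing; it only means nothing has widened the scope yet."""
    reasons = []
    hosts = inc.host_actions
    if len(hosts) > 1:
        reasons.append(f"{len(hosts)} hosts share {inc.threat}")
    redetected = sorted(h for h, acts in hosts.items() if len(acts) > 1)
    if redetected:
        reasons.append("re-detected after an AV action on " + ", ".join(redetected))
    unhandled = sorted(h for h, acts in hosts.items() if acts[-1] not in ("cleaned", "quarantined"))
    if unhandled:
        reasons.append("AV could only alert on " + ", ".join(unhandled))
    return reasons


def record_diagnosis(inc, host, outcome):
    """Record the per-machine outcome ('cleaned', 'restored' or 'rebuilt' in this example);
    hosts outside the incident's scope are rejected."""
    if host not in inc.host_actions:
        raise KeyError(f"{host} is not in scope of {inc.incident_id}")
    inc.diagnoses[host] = outcome


def try_close(inc):
    """Close only when every in-scope host has a recorded outcome. An AV 'cleaned'
    verdict by itself never closes the incident; it is only an attempt."""
    missing = sorted(set(inc.host_actions) - set(inc.diagnoses))
    if missing:
        return False, missing
    inc.status = "closed"
    return True, []


if __name__ == "__main__":
    for inc in build_incidents(parse_av_log(SAMPLE_AV_LOG)).values():
        print(inc.incident_id, inc.threat, sorted(inc.host_actions), escalation_reasons(inc))
```

Run as a script it prints one line per incident with its host scope and escalation reasons. The design choice worth noting is that the AV verdict is recorded as evidence but never as closure: only an analyst-recorded outcome per machine (the clean, restore or rebuild decision above) moves the incident to closed, which is the operational meaning of "incident unless proven otherwise".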
Bottom line: the threats have shifted and therefore our responses within corporations must match play for play. I see this shift in the PCI DSS standard in how assessments and audits are being conducted. I also am beginning to see a shift beyond the mere presence of controls to their coverage and effectiveness. The AICPA has introduced SOC 1, SOC 2 and SOC 3 as a broader effort to bring greater clarity to our technology world.
- Primary link to the Infrastructure Malware Guide
- Download link to full Zip file containing .DOCX & PPT
Other thoughts? Challenges?
James DeLuccia IV