
Tenable Blog


Knowledge as a Defense Against Malware

Team Anti-Virus, an independent group of anti-virus researchers, published Ten Rules of Common Sense Computing and Virus Defense ten years ago to help educate network security personnel, end users, and the general public about anti-virus issues. The rules are still very relevant today. Three of the rules focus on knowledge:

  • #4: Leverage experts, not generalists
  • #7: Listen to others when told you may be infected
  • #8: Don't believe all alerts

These knowledge-centric rules are some of the cheapest to implement, but the costliest to overlook.

The need for specialists

There is an old saying: “That which is cheap becomes expensive.” Malware defense and response positions are often staffed with recent graduates or people with no direct experience in the counter-malware field. Knowing how to deploy and configure software does not mean an individual knows how to employ desktop security software effectively, nor does firewall knowledge translate into counter-malware architecture. Counter-malware is as much a specialized career field as encryption, VPNs or firewalls. The skill sets often overlap, but the mindsets do not. A good counter-malware architect will be experienced in hardware, software and network protocols, and will have insight into how the adversary thinks. Often these specialists are called upon not only to reverse engineer suspect code or troubleshoot symptoms, but to work out the opponent’s intentions and goals.

Following the right leads

Counter-malware experts also know what questions to ask, where to seek additional information, and where to look for answers or indicators. While many corporations have moved to a centralized management and reporting model, there are still times when counter-malware specialists are contacted by third parties with information about a potential compromise. This is when the right questions must be asked and answered. Ignoring such reports can increase liability, while chasing a wild goose costs time and assets. We no longer see the rash of emails claiming that “Someone said there is an undetectable virus that will crash your hard drive,” but the reports we get from our own systems and from third parties can be equally misleading: they may be false positives or simply wrong. Without experience and knowledge, the response team will not know which alerts to respond to, or worse, they may respond to the wrong ones while legitimate alerts are neglected for lack of resources.

The knowledgeable individual will also apply their expertise to the evaluation of unconventional responses and alerts. By leveraging knowledge of what malware can and cannot do, the historical intent of malware authors, and the hosts and networks being targeted, a risk assessment can be performed and simple defenses can be custom designed. While organizations often like to throw money at a problem, sometimes the answer is to use existing resources in an unconventional manner to achieve a similar goal. A historical example was adding “canary” email accounts to the global address book: mailboxes that belonged to nobody, so any message addressed to one was a signal. These accounts (before texting became popular) would trigger the response team’s pagers. Occasionally there was a false positive, when someone accidentally selected one of the accounts as a recipient, but the technique most often caught email worms that harvested their targets by walking the directory. Canary email accounts cost an organization nothing but provided invaluable visibility into the network.
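The canary-account technique above, as an added example that is not code from the original post: a small Python script that stitches Postfix-style mail-log records back into messages, flags any message addressed to a canary, and separates the false positive the post mentions (one person mis-selecting a canary from the address book) from a worm mailing the whole directory. The log format is simplified, and the canary addresses, host names, sample log lines and thresholds are all constructed for the example.

```python
"""Canary mailbox detection over mail-server logs.

Added example for this post, not Tenable's code. The log format is a
simplified Postfix style (smtpd client=, qmgr from=/nrcpt=, smtp to=)
and every address, host name, sample line and threshold is constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical canary accounts seeded into the global address book. No
# person owns them, so mail addressed to one is either an accident or a
# program walking the directory.
CANARY_ADDRESSES = frozenset({
    "zz.canary01@example.com",
    "zz.canary02@example.com",
    "zz.canary03@example.com",
})

# Telling the post's false positive from a real hit: a human who
# mis-selects a canary produces one canary recipient on a short recipient
# list; a worm that mails the whole address book hits several canaries at
# once and/or a very long recipient list. Thresholds are assumptions.
WORM_MIN_CANARIES = 2
WORM_MIN_RECIPIENTS = 25

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>\S+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")
TO_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>")


@dataclass
class Message:
    qid: str
    client: str = "unknown"
    sender: str = ""
    nrcpt: int = 0
    recipients: set[str] = field(default_factory=set)

    def canaries(self) -> set[str]:
        return self.recipients & CANARY_ADDRESSES


def parse_mail_log(text: str) -> dict[str, Message]:
    """Stitch per-line records back into per-message objects keyed by queue id."""
    msgs: dict[str, Message] = {}
    for line in text.splitlines():
        if m := CLIENT_RE.search(line):
            msgs.setdefault(m["qid"], Message(m["qid"])).client = m["host"]
        elif m := FROM_RE.search(line):
            msg = msgs.setdefault(m["qid"], Message(m["qid"]))
            msg.sender, msg.nrcpt = m["sender"].lower(), int(m["nrcpt"])
        elif m := TO_RE.search(line):
            msgs.setdefault(m["qid"], Message(m["qid"])).recipients.add(m["rcpt"].lower())
    return msgs


def classify(msg: Message) -> str | None:
    """None when no canary was addressed; otherwise the verdict for the hit."""
    hits = msg.canaries()
    if not hits:
        return None
    if len(hits) >= WORM_MIN_CANARIES or msg.nrcpt >= WORM_MIN_RECIPIENTS:
        return "worm-like"
    return "possible misaddress"


def canary_report(text: str) -> dict[str, list[tuple[str, str, str]]]:
    """Map verdict -> [(sending client, envelope sender, queue id)] for each hit.
    The client host, not the envelope sender, is what to isolate: worms forge From."""
    report: dict[str, list[tuple[str, str, str]]] = defaultdict(list)
    for msg in parse_mail_log(text).values():
        verdict = classify(msg)
        if verdict:
            report[verdict].append((msg.client, msg.sender, msg.qid))
    return dict(report)


# Constructed sample: one misaddressed note, one worm, one ordinary message.
# Only the worm's canary recipients are listed; its qmgr line carries the count.
SAMPLE_LOG = """\
Mar 01 09:00:01 mx1 postfix/smtpd[1199]: 3F2A1: client=wkstn-007[10.1.4.7]
Mar 01 09:00:01 mx1 postfix/qmgr[1201]: 3F2A1: from=<alice@example.com>, size=2101, nrcpt=2 (queue active)
Mar 01 09:00:02 mx1 postfix/smtp[1233]: 3F2A1: to=<bob@example.com>, relay=mx2.example.com[10.1.0.5]:25, delay=0.4, status=sent (250 OK)
Mar 01 09:00:02 mx1 postfix/smtp[1233]: 3F2A1: to=<zz.canary01@example.com>, relay=mx2.example.com[10.1.0.5]:25, delay=0.4, status=sent (250 OK)
Mar 01 09:13:40 mx1 postfix/smtpd[1199]: B7C2D: client=wkstn-042[10.1.4.42]
Mar 01 09:13:40 mx1 postfix/qmgr[1201]: B7C2D: from=<carol@example.com>, size=48112, nrcpt=300 (queue active)
Mar 01 09:13:41 mx1 postfix/smtp[1240]: B7C2D: to=<zz.canary01@example.com>, relay=mx2.example.com[10.1.0.5]:25, delay=0.9, status=sent (250 OK)
Mar 01 09:13:41 mx1 postfix/smtp[1240]: B7C2D: to=<zz.canary02@example.com>, relay=mx2.example.com[10.1.0.5]:25, delay=0.9, status=sent (250 OK)
Mar 01 09:13:41 mx1 postfix/smtp[1240]: B7C2D: to=<zz.canary03@example.com>, relay=mx2.example.com[10.1.0.5]:25, delay=0.9, status=sent (250 OK)
Mar 01 09:20:15 mx1 postfix/smtpd[1199]: 9E110: client=wkstn-011[10.1.4.11]
Mar 01 09:20:15 mx1 postfix/qmgr[1201]: 9E110: from=<dave@example.com>, size=980, nrcpt=1 (queue active)
Mar 01 09:20:16 mx1 postfix/smtp[1233]: 9E110: to=<erin@example.com>, relay=mx2.example.com[10.1.0.5]:25, delay=0.3, status=sent (250 OK)
"""

if __name__ == "__main__":
    for verdict, hits in canary_report(SAMPLE_LOG).items():
        for client, sender, qid in hits:
            print(f"{verdict:20} client={client} sender={sender} queue_id={qid}")
```

On the constructed sample the script reports wkstn-042 as worm-like (three canaries, 300 recipients) and wkstn-007 as a possible misaddress (one canary on a two-recipient message), and never mentions the ordinary message. The report keys on the connecting client rather than the envelope sender because a worm will put any harvested address in From; the client is the machine to pull off the network.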

Knowing what’s normal

Using your knowledge, are there gaps you can close by unconventional means? Do you or your company’s experts know what “normal” looks like on your network? Identifying, preventing and responding to attacks is much easier when you do. For example, Tenable’s SecurityCenter Continuous View™ can monitor all your assets continually, retain logs of all activity and events, and track anomalies. With such a baseline of network health, assessing activity outside of “normal” becomes far easier and gives a knowledgeable operator plenty of supporting information.
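What “knowing what’s normal” looks like in code, as an added example that is neither from the original post nor a SecurityCenter feature: a per-host baseline built from the median and median absolute deviation of past daily event counts, scored with the Iglewicz and Hoaglin modified z-score so that one bad day in the training window does not drag the baseline along with it, and with the zero-deviation edge case (a host that does exactly the same thing every day) handled. Host names, counts and the threshold are constructed.

```python
"""Per-host baselines with a robust (median/MAD) anomaly score.

Added example for this post, not Tenable's code or a SecurityCenter
feature. The daily counts, host names and threshold are constructed; the
score is the Iglewicz and Hoaglin modified z-score.
"""
from __future__ import annotations

import math
from statistics import median

# Iglewicz and Hoaglin's suggested cutoff for |modified z|.
ROBUST_Z_THRESHOLD = 3.5


def baseline(history: list[float]) -> tuple[float, float]:
    """Median and median absolute deviation: unlike mean/stddev, a past
    incident inside the training window does not inflate the baseline."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, mad


def modified_z(value: float, history: list[float]) -> float:
    """How many robust deviations `value` sits from this host's own normal."""
    med, mad = baseline(history)
    if mad > 0:
        return 0.6745 * (value - med) / mad
    # Edge case: at least half the history equals the median, so MAD is zero.
    # Fall back to the mean absolute deviation, as Iglewicz and Hoaglin do.
    mean_ad = sum(abs(x - med) for x in history) / len(history)
    if mean_ad > 0:
        return (value - med) / (1.253314 * mean_ad)
    # Perfectly flat history (a fixed beacon, a cron job): any change is news.
    return 0.0 if value == med else math.copysign(math.inf, value - med)


def find_anomalies(series: dict[str, list[float]], train_days: int) -> dict[str, list[int]]:
    """Learn each host's baseline from its first `train_days` values and return
    the later day indexes whose score exceeds the threshold, per host."""
    flagged: dict[str, list[int]] = {}
    for host, counts in series.items():
        history, recent = counts[:train_days], counts[train_days:]
        flagged[host] = [
            train_days + i
            for i, v in enumerate(recent)
            if abs(modified_z(v, history)) > ROBUST_Z_THRESHOLD
        ]
    return flagged


# Constructed sample: outbound DNS queries per host per day, ten days of
# training followed by two days to score.
SAMPLE_COUNTS: dict[str, list[float]] = {
    # Noisy workstation: an ordinary day, then ~50x the usual lookups.
    "wkstn-007": [812, 790, 845, 760, 901, 830, 788, 815, 870, 799, 822, 41000],
    # Quiet database server: exactly five lookups a day, then one extra.
    "db-01": [5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 6],
    # Batch host: alternates quiet and heavy days, so both modes fall inside
    # its (wide) baseline and neither an 8700 nor a 140 day alerts.
    "batch-03": [100, 9000, 150, 8500, 120, 9200, 90, 8800, 130, 9100, 8700, 140],
}

if __name__ == "__main__":
    for host, days in find_anomalies(SAMPLE_COUNTS, train_days=10).items():
        print(f"{host:10} anomalous days: {days or 'none'}")
```

On the constructed data only day 11 is flagged for wkstn-007 and db-01, and nothing is flagged for batch-03. The batch host is the point of baselining per host rather than fleet-wide: its 9,000-query days would look alarming next to the workstation’s baseline but are simply what that host does, while the single extra query from the flat-lined database server is worth a look precisely because that host never varies.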

Leveraging experienced field specialists translates this knowledge into corporate cost savings, early identification of gaps in coverage, and stronger defenses. When you hire a lower-salaried generalist to interpret the data, you lose the knowledge and experience that reduce the cost and scope of responses.

I hope we all realize that generalists are necessary and important to the security landscape, but assigning key specialized duties to them will end up costing more than prevention would. And while not a substitute for a specialist’s wisdom, tools like Tenable’s SecurityCenter Continuous View provide the visibility that knowledgeable people need to identify the gaps.
