Detecting Malware that Walks Into Your Network
Corporations take extensive measures to monitor, detect, and stop malicious code from entering the enterprise via the Internet. But what about detecting malware that walks through your enterprise’s front door and into your network—hidden in the devices that your employees, contractors, or delivery personnel are carrying?
A case in point: IBM recently disclosed that it had shipped an unspecified number of malicious USB flash drives to some of its customers. When inserted, the drives infected the victim's PC with malware. IBM eventually discovered the infected devices and released a support advisory urging customers to destroy the USB flash drives to prevent their use and stop the infection from spreading.
The incident highlights how important it is for organizations to identify malware that enters their network through means other than the traditional Internet-based threat vectors (email, file downloads, and malicious websites). In addition to perimeter controls, organizations need to protect against malicious objects on laptops, phones, wearables, or USB devices that are physically carried in by employees and partners, or, in this case, received by the shipping and receiving department.
Malicious USB drives are responsible for a significant number of data breaches. But other devices that walk into our enterprises each day can inflict even more damage. The number of smartphones infected with malware is growing rapidly: Nokia reports that smartphone infections rose 83 percent during the second half of 2016, after rising 96 percent during the first half of the year. According to Gartner, only 23 percent of employees are given corporate-issued smartphones, so roughly three quarters of the smartphones at the average enterprise are owned and managed by employees. Many of them are poorly secured, and some are already infected.
Detecting suspicious activity
Endpoint antivirus solutions identify some of this walk-in malware, but signature-based detection misses anything it has not seen before. To adequately protect themselves, organizations need a solution that detects malware by its structure and behavior as well as by its signature. Network monitoring for malicious traffic and connections is of particular importance: malware will almost always attempt to contact the criminal's command and control servers, typically by polling them at a regular interval. Detecting those connections and other suspicious network activity is both critical and effective, because it works regardless of how the malware got onto the device.
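As an added illustration of the command-and-control detection described above (example code written for this page, not Lastline's product or the author's own tooling), the script below looks for beaconing: a host that contacts the same external destination at near-constant intervals with near-constant payload sizes. The log format, host names, and IP addresses are all constructed for the example; a real deployment would feed it connection records from a firewall, proxy, or network sensor.

```python
"""
Flag hosts that beacon to a fixed destination at regular intervals, a
behaviour typical of malware polling its command-and-control server.
The sample log below is constructed for this example; nothing is read
from the network.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple


class Conn(NamedTuple):
    ts: float        # connection start, seconds since the epoch
    src: str         # internal host
    dst: str         # external destination (host name)
    port: int
    bytes_out: int   # bytes sent by the internal host


# Constructed connection log, one record per line: "epoch src dst port bytes_out".
# 10.0.0.23 (an employee laptop) polls beacon.example about every 60 s with a
# near-constant payload; 10.0.0.41 browses normally with irregular timing
# and widely varying sizes. Hypothetical hosts and addresses throughout.
SAMPLE_LOG = """\
1700000000 10.0.0.23 beacon.example 443 412
1700000061 10.0.0.23 beacon.example 443 410
1700000119 10.0.0.23 beacon.example 443 415
1700000181 10.0.0.23 beacon.example 443 412
1700000240 10.0.0.23 beacon.example 443 411
1700000299 10.0.0.23 beacon.example 443 413
1700000007 10.0.0.41 news.example 443 1532
1700000009 10.0.0.41 news.example 443 20481
1700000140 10.0.0.41 news.example 443 733
1700000141 10.0.0.41 news.example 443 51200
1700000290 10.0.0.41 news.example 443 2201
1700000295 10.0.0.41 news.example 443 9800
1700000050 10.0.0.41 cdn.example 443 3000
"""


def parse_log(text: str) -> List[Conn]:
    """Parse the whitespace-separated log format used above."""
    conns: List[Conn] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        conns.append(Conn(float(ts), src, dst, int(port), int(nbytes)))
    return conns


def find_beacons(conns: List[Conn], min_count: int = 5,
                 max_interval_cv: float = 0.15,
                 max_size_cv: float = 0.10) -> List[dict]:
    """Return (src, dst) pairs whose connections are regular in timing and size.

    cv is the coefficient of variation (population std dev / mean); a small
    cv means the values barely vary, which is what a timer-driven beacon
    looks like and what human-driven browsing does not.
    """
    by_pair: Dict[Tuple[str, str], List[Conn]] = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst)].append(c)

    hits: List[dict] = []
    for (src, dst), group in by_pair.items():
        if len(group) < min_count:
            continue  # too few samples to judge regularity
        group.sort(key=lambda c: c.ts)
        intervals = [b.ts - a.ts for a, b in zip(group, group[1:])]
        sizes = [c.bytes_out for c in group]
        if mean(intervals) <= 0 or mean(sizes) <= 0:
            continue  # degenerate group (duplicate timestamps / empty sends)
        interval_cv = pstdev(intervals) / mean(intervals)
        size_cv = pstdev(sizes) / mean(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits.append({"src": src, "dst": dst, "count": len(group),
                         "period_s": round(mean(intervals), 1),
                         "interval_cv": round(interval_cv, 3),
                         "size_cv": round(size_cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible C2 beacon: {hit['src']} -> {hit['dst']} "
              f"every ~{hit['period_s']}s ({hit['count']} connections)")
```

On the constructed log only the laptop's traffic to beacon.example is flagged; the browsing host's bursty, size-varying connections are not. Two caveats apply in practice: legitimate software (update checkers, telemetry agents, mail clients) also polls on a timer, so flagged destinations need an allowlist or reputation check before anyone is paged, and malware that adds substantial random jitter to its sleep interval will need looser thresholds, longer observation windows, or complementary signals such as destination rarity.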
Network perimeter controls are essential. But organizations must also be able to detect malware that bypasses those controls and is already inside the organization.
Posted by Brian Laing