■ Corrective controls (measures to reduce the likelihood of a recurrence of a given breach)
■ Recovery controls (measures to restore systems to normal operation)
You can see from this list that detection is only part of the management process. In fact, when we talk about detection as in “virus detection,” we’re often using the term as shorthand for an approach that covers more than one of these controls. Here we consider antivirus as a special case of a HIDS, but it doesn’t have to be (and, in enterprise terms, it shouldn’t be) restricted to a single layer of the “onion.” The antivirus industry might not have invented defense in depth or multilayering, but it was one of the first kids on the block (Fred Cohen: A Short Course on Computer Viruses, Wiley). In a well-protected enterprise, antivirus sits on the desktop, on laptops, on LAN servers, on application servers, on mail servers, and so on. It’s likely to embrace real-time (on-access) scanning at several of those levels, as well as or instead of on-demand (scheduled or user-initiated) scanning. It might include some measure of generic filtering (especially in e-mail and/or Web traffic) and should certainly include some measure of heuristic analysis as well as pure virus-specific detection (see the following discussion).
Nowadays full-strength commercial antivirus software for the enterprise normally includes console facilities for central management, reporting, and logging as well as staged distribution of virus definitions (“signatures”). Properly configured, these facilities increase your chances of getting an early warning of malicious activity, such as a botnet beginning to take hold on your systems. Look out for anomalies such as malicious files quarantined because they could not be deleted or files quarantined because of suspicious characteristics. Many products include a facility for sending code samples back to the vendor for further analysis. And, of course, antivirus products can be integrated with other security products and services, which can give you a better overview of a developing security problem.
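As an added illustration (not from the book or any vendor's product), the following Python triage pass runs over constructed central-console events and flags the anomalies just described: quarantines that happened only because deletion failed, heuristic quarantines, and one detection name hitting several distinct hosts inside a short window, the pattern you would expect from a bot taking hold. The export format, host names and detection names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export from a hypothetical central AV console.
# Fields: timestamp|host|action|detail|detection name (all values made up)
SAMPLE_LOG = """\
2024-03-01T09:00:05|ws-014|quarantined|delete_failed|Bot.Family.A
2024-03-01T09:01:12|ws-022|quarantined|heuristic|Heur.Suspicious
2024-03-01T09:02:40|ws-031|quarantined|delete_failed|Bot.Family.A
2024-03-01T09:03:10|ws-045|deleted|on_access|Bot.Family.A
2024-03-01T09:03:55|ws-050|deleted|on_demand|Bot.Family.A
2024-03-02T14:00:00|ws-014|deleted|on_access|Test.Sample
"""

def parse_events(text):
    """Turn the pipe-delimited export into dicts, sorted by parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, detail, name = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "action": action, "detail": detail, "name": name})
    return sorted(events, key=lambda e: e["time"])

def triage(events, window=timedelta(minutes=10), min_hosts=3):
    """Flag delete-failed quarantines, heuristic quarantines, and any
    detection name seen on >= min_hosts distinct hosts within `window`."""
    report = {"delete_failed": [], "heuristic": [], "spreading": {}}
    for e in events:
        if e["action"] == "quarantined" and e["detail"] == "delete_failed":
            report["delete_failed"].append(e["host"])
        if e["detail"] == "heuristic":
            report["heuristic"].append(e["host"])
    by_name = defaultdict(list)
    for e in events:
        by_name[e["name"]].append(e)
    for name, evs in by_name.items():
        for i, cur in enumerate(evs):
            # distinct hosts reporting this name in the window ending at cur
            hosts = {x["host"] for x in evs[:i + 1]
                     if cur["time"] - x["time"] <= window}
            if len(hosts) >= min_hosts:
                seen = set(report["spreading"].get(name, []))
                report["spreading"][name] = sorted(seen | hosts)
    return report

if __name__ == "__main__":
    for key, val in triage(parse_events(SAMPLE_LOG)).items():
        print(key, val)
```

The single Test.Sample hit on a later day is deliberately left unflagged: one detection on one host is routine, whereas the same name on four hosts in four minutes is the early warning the console is there to give you.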
Antivirus is often seen as the Cinderella of the security industry, addressing a declining proportion of malware with decreasing effectiveness and tied to a subscription model that preserves the vendor’s revenue stream without offering protection against anything but known viruses. What role can it possibly have in the mitigation of bot activity? Quite a big role, in fact,