• TechnologyInnovator
• NextInnovator
• EnterpriseInnovator
• SecurityInnovator
• DefenseInnovator
• WirelessInnovator 
• HPinnovator
• EnergyInnovator
• TransportationInnovator
• SMBinnovator (beta)

• NextInnovator(at)Live.com

• Newsroom Home
• Newsroom Archives
• Fast Facts
• Financial  Information
• Global  Citizenship
• HP Labs
• Company History
• HP in the News   
• Videos
• B-roll
• Blogs
• RSS Feeds 

• Connect
• Connect - Deutschland
• 3000 Newswire Blogs

• Ghost City
• Frontline Sentinel
• Innovation Insights
• WebInno
• Over the River
• Enderle Group
• Security Insights Blog 
• McAfee Audio Parasitics
• Rethinking Security
• Ovum
• iSuppli
• Canalys
• eMarketer 
• CRM Help Desk SW 
• Rethink Research
• The Gadgeteer
• Master the Moment

If my last blog on how today’s malware penetrates your systems terrified you - you’re not the only one!  Now lets take a look at protection technologies and where they are effective.

In phase one, effective tools are those that limit or block first contact with a victim. These include host or network based web filtering products for the majority of today’s threats. For protection against physical compromise, such as with APTs, device control is needed. Host based NAC products can ensure that only ‘healthy’ endpoints are allowed to connect to a network. Even host based firewalls can protect against misconfigured network security or unsecured internet connections like roaming users might find.

In phase two, the job gets harder, especially when trying to stop previously unknown threats from exploiting new or recent vulnerabilities. Typical here is some type of buffer overflow attack which requires some type of memory protection or system call interception techniques to watch for buffer overflow attack. What is also required is scanning memory and network traffic upon access, sometimes called on-access scanning. Relatively new are file whitelisting or application control products, which use a ‘deny by default’ approach so that only known files or applications can be installed.

In phase three, traditional AV has played the strongest role by scanning the disk for known malicious files. This method has the advantage of being very deterministic in detecting and cleaning all areas of the file and operating system, but remediation costs are higher. New technologies like McAfee Deep Defender protect attacks prior to the OS loading, providing new protections for this critical threat. Uses McAfee DeepSAFE technology to operate beyond the OS and the first solution to provide real-time kernel memory protection to stop zero-day threats before they have chance to hide. What is interesting about these four phases is that various security technologies usually have a narrow role to play in disrupting malware. It also shows that traditional Antivirus techniques stop malware very late in the infection process, usually after software has been written to disk. 

In phase four, change control techniques like Whitelisting and access protection rules can prevent malicious software from changing known good application files, preventing the execution of many activities. Also hosts based firewalls can prevent connections to known malicious bot networks and limit the loss of sensitive data.