Buyer's Guide

Antispyware buying guide for Indian enterprises

By Anil Patrick R, Chief Editor, SearchSecurity.in

As chief of security operations for Bharti Airtel, Aman Nugyal has to protect India's leading telecom player from various security threats, spyware inclusive. This is a tough job, since the perimeter to be defended from spyware and infection vectors increases with each passing day. "The most recent threat that we had to gear up against was Conficker and its variants. Thankfully, we were not affected due to our proactive defence strategy," says Nugyal.

As most Indian CIOs will readily attest, an antispyware strategy is not an easy task, considering spyware's ever-evolving nature. Many attackers use "blended attacks" that involve sending a spam email containing a link to an infected site. "Antimalware defenders try to block access to malware sites, but these sites keep moving, and in any case the attackers rely heavily on corrupting legitimate websites, making

    Requires Free Membership to View

Download an Indian enterprise's "Ultimate Buyer's Guide to Antispyware Solutions"
Compare the features of products from CA, Google, McAfee, Sophos, Symantec, Trend Micro and Websense. Click here to download
it difficult to rely on the reputation of a website in deciding whether to allow access," says Graham Titterington, principal analyst, Ovum.

So, what exactly constitutes spyware, and as a CIO, how do you go about buying an antispyware solution for the Indian business?

Understanding spyware

The generally accepted definition of spyware, also known as privacy-invasive software or potentially unwanted application (PUA), is any form of software that monitors a user's actions without his explicit consent. Spyware started out as a covert way to monitor user behaviour but has now taken largely criminal proportions.

Today, many spyware programs perform nefarious activity such as installing unwanted applications, stealing sensitive user information such as credit card details, hogging organizational bandwidth, relaying spam, changing network/client security settings and even assuming control of infected computers to launch distributed denial-of-service attacks.

Hindrances to spyware detection

Spyware detection and removal is difficult with the existing antivirus and antispyware solutions. When it comes to spyware detection, the traditional approaches rely mainly on detecting the code of known malware samples, aka "signatures". The underlying premises in these solutions are not in sync with the changing business and threat environment.

Infection vectors
Spyware can land inside your corporate network in the following ways:

* Laptops of road warriors, especially when the users connect to other systems using Bluetooth, IR, Wi-Fi, etc.
* Web 2.0 websites (as well as other unscrupulous websites) dropping malicious code
* Infected pen drives, mobile devices, external HDDs and MP3 players
* Remote users with untrusted computers
* Viruses that download spyware (such as the Conficker variants)
* Unauthorised user software installs
* Email forwards
*Industrial espionage
*Over erstwhile "trusted" ports (80, 443, 21, etc).

As Nugyal explains, the signature-based antispyware solution does not account for aspects such as dissolving the perimeter -- nor does it consider proliferation of alternate networks such as Wi-Fi, dial-up, infrared, Bluetooth and WiMax. "These solutions prove insufficient when dealing with aspects such as mass-scale bot infections and complex root kits. Today, social engineering through Web 2.0 vectors is highly evolved and difficult to detect. Yet another difficulty is the very quick hopping of C&C, phishing and suspect sites to new IPs," says Nugyal.

Signature-based antispyware solutions provide poor analysis of anomalous behaviour, and new, unknown spyware goes undetected. Adding to these issues is the difficulty in updating signatures if a laptop is out of the network perimeter. Such deficiencies in signature-based antispyware solutions led to "in the cloud"-based spyware detection models. "More broad fronted approaches are needed such as the recent move by various antispyware vendors into integrating signature detection in the cloud just over a year ago, so that the user doesn't need to download the signature file," says Titterington.

Trend Micro, Websense and Google (Postini) are among the first movers with antispyware models utilizing this approach. In-the-cloud antispyware solutions basically use Software as a Service (SaaS) antispyware solutions or client solutions that depend on spyware detection mechanisms at the service provider's end (cloud). The SaaS (or hosted) antispyware solutions typically act as a proxy for the entire organization's Web traffic. These rely on various aspects such as behavioural analysis of traffic along with code and reputation analysis to detect unknown spyware. Hence, this model has significant advantages over traditional signature-based antispyware models. Hosted models are in vogue at the moment in Indian small and medium enterprises (SMEs) due to their higher hardware and management cost-effectiveness.

Selecting the right antispyware application

Irrespective of whether it's a point product or a comprehensive suite, the factors to

Varieties of antispyware solutions
Antispyware solutions basically come in two flavours:
Standalone antispyware solution: Client-based model with just antispyware functionality. Mostly dependent on signature-based spyware detection.
Comprehensive suite model: Integrates antispyware functionality with a mix of capabilities such as antivirus, personal firewall, intrusion prevention systems and data leak prevention. Many of these solutions are also available as SaaS.
keep in mind are the same: The product must provide future scalability, along with ease of management and required administration capabilities.

It's essential to opt for antispyware with good enterprise-wide management capabilities. A single management console to help administer your antispyware, antivirus and other security mechanisms is desirable, even though it means dependence on a single vendor. If dependence is not desired, opt for this control over antivirus and antispyware functionalities, at least. "Product management can be an expensive task if the tool does not provide a 'single point of touch' management interface. You may want to prevent users from turning off any of the antimalware functionality," says Titterington. Active Directory integration might be useful in case your organization depends on the directory service.

Always select a solution containing a broad range of defensive approaches in a coordinated fashion. For this, real-time blocking and notification capabilities are essential features to base the evaluation on. The antispyware solution should be able to prevent rogue programs from changing user-defined settings, as well as capable of receiving updates outside the organization's perimeter. Effective reporting and good detection of anomalous behaviour witnessed within an organization are essential. Due to such capabilities, most CIOs prefer to take the comprehensive suite approach to battling spyware with its obvious advantages.

While the comprehensive suite approach has several advantages, there are cases where your business might be bound to a vendor due to earlier commitments (For example, antivirus from a vendor that is not able to provide antispyware functionality). In such cases, the CIO may opt for a best-of-breed antispyware approach (with no single-console management capabilities). Cons aside, this approach may provide advantages such as more customizable products and a higher level of granular control over scanning, if implemented in the right manner.

Basics of antispyware implementation

Irrespective of the antispyware solution being implemented, defence must be in-depth in nature, with multiple layers working in tandem to thwart a threat. Hence, it's essential that the defence mechanisms implemented operate in a coordinated manner.

The number of layers to be put in place depends on the organizational size (large, medium or small), as well as its specific management and cost requirements. While the Indian large enterprise may depend on several defence layers, a medium or small organization (with its lesser budgets and fewer technical resources) might find it easier to opt for a SaaS solution.

For example, Bharti Airtel uses the layered approach when it comes to fighting spyware and other malware. It uses antivirus and antispyware to protect endpoints. These are supplemented by stringent firewall rules and multiple layers of zoning. Each LAN has dedicated firewall and IP-based access, as well as advanced levels of access controls using network intrusion prevention systems (NIPS). Such complexity may not be possible in medium-sized or small businesses, which may opt for lesser levels of defence or a hosted service.

During implementation, it is key to focus on optimal performance overheads and coordinated functioning between the various defence layers. "At the endpoint, we must not have a horde of clients, each of which takes its toll on performance and space. An incoming/outgoing packet must be ideally opened once, run through a battery of tests and allowed to pass. This holds true of the network perimeter as well," recommends Nugyal. He says he feels that the solution has to be correlated to the highest extent possible with other controls deployed in the organization such as NIPS, host-based IPS and honeypots. This may need considerable support from the solution provider.

Solution advice by company size
Large business: Antispyware, antivirus, personal firewall, DLP, HIPS/NIPS, zoning, access control at various levels, network firewall and email gateway security can be the basic components.
Medium-sized business: Antispyware, antivirus, personal firewall, HIPS/NIPS, access control at various levels, network firewall and email gateway security. Hosted solutions can also be considered.
Small business: Suite or hosted service with antispyware, antivirus and personal firewall capabilities. This has to be supplemented by access controls and a network firewall.

The user aspect

The biggest problem facing Indian SME CIOs is security policy enforcement. While most medium-sized enterprises have rudimentary security policies (at the least), these are seldom enforced.

A good case in point is Internet access control. While most Indian organizations manage to explicitly bar Internet access for social networking sites, this access control does not extend to road warriors (or the top management), who have administrative access and access to all websites while they are out of office. Similarly, remote users infect the network with unsecured desktops (which may include infected personal PCs with pirated software or obsolete antivirus and antispam tools).

Users must be educated on security threats and legal implications posed by spyware, especially the threats posed by Web 2.0 sites. With the social networking boom, most Indian CIOs opine that this is the most difficult threat to control. Stringent usage policies supplemented by content filtering and effective access control are the only ways to combat this threat.

Pen drives and USB hard-disk drives (HDDs) used without authorization, especially by road warriors, are also major threats. Hence, it's essential to strictly enforce the use of approved USB drives and block USB ports (unless expressly required). MP3 player usage should be for only charging, if road warriors are allowed to connect these players.

As is evident by now, the best technical defences cannot succeed unless the antispyware implementation is supported by necessary security policy implementation and revisions. Hence, a zero-tolerance policy should be put in place to act as deterrents against such practices.

This was first published in August 2009