3.4 Antimalware Protection Flashcards

1
Q

3.4.1 Endpoint Threats

A

For the purpose of this course, we can define endpoints as hosts on the network that can access or be accessed by other hosts on the network.

Each endpoint is potentially a way for malicious software to gain access to a network. In addition, new technologies, such as cloud, expand the boundaries of enterprise networks to include locations on the internet for which enterprises are not responsible.

2
Q

3.4.2 Endpoint Security

A

Various network security devices are required to protect the network perimeter from outside access.

However, many attacks originate from inside the network. Therefore, securing an internal LAN is nearly as important as securing the outside network perimeter. Without a secure LAN, users within an organization are still susceptible to network threats and outages that can directly affect an organization’s productivity and profit margin. After an internal host is infiltrated, it can become a starting point for an attacker to gain access to critical system devices, such as servers and sensitive information.

Specifically, there are two internal LAN elements to secure:

Endpoints - Hosts commonly consist of laptops, desktops, printers, servers, and IP phones, all of which are susceptible to malware-related attacks.
Network infrastructure - LAN infrastructure devices interconnect endpoints and typically include switches, wireless devices, and IP telephony devices. Most of these devices are susceptible to LAN-related attacks including MAC address table overflow attacks, spoofing attacks, DHCP related attacks, LAN storm attacks, STP manipulation attacks, and VLAN attacks.

3
Q

3.4.3 Host-Based Malware Protection

A
4
Q

ANTIVIRUS/ANTIMALWARE SOFTWARE

A

This is software that is installed on a host to detect and mitigate viruses and malware. Examples are Windows Defender Virus & Threat Protection, Cisco AMP for Endpoints, Norton Security, McAfee, Trend Micro, and others. Antimalware programs may detect viruses using three different approaches:

Signature-based - This approach recognizes various characteristics of known malware files.
Heuristics-based - This approach recognizes general features shared by various types of malware.
Behavior-based - This approach employs analysis of suspicious behavior.
Many antivirus programs are able to provide real-time protection by analyzing data as it is used by the endpoint. These programs also scan for existing malware that may have entered the system prior to it being recognizable in real time.

Host-based antivirus protection is also known as agent-based. Agent-based antivirus runs on every protected machine. Agentless antivirus protection performs scans on hosts from a centralized system. Agentless systems have become popular for virtualized environments in which multiple OS instances are running on a host simultaneously. Agent-based antivirus running in each virtualized system can be a serious drain on system resources. Agentless antivirus for virtual hosts involves the use of a special security virtual appliance that performs optimized scanning tasks on the virtual hosts. An example of this is VMware’s vShield.

5
Q

HOST-BASED FIREWALL

A

This software is installed on a host. It restricts incoming and outgoing connections to those initiated by that host only. Some firewall software can also prevent a host from becoming infected and stop infected hosts from spreading malware to other hosts. This function is included in some operating systems.

6
Q

HOST-BASED SECURITY SUITE

A

It is recommended to install a host-based suite of security products on home networks as well as business networks. These host-based security suites include antivirus, anti-phishing, safe browsing, host-based intrusion prevention system, and firewall capabilities. Together, these security measures provide a layered defense that protects against most common threats.

In addition to the protection functionality provided by host-based security products, there is the telemetry function. Most host-based security software includes robust logging functionality that is essential to cybersecurity operations. Some host-based security programs submit their logs to a central location for analysis.

There are many host-based security programs and suites available to users and enterprises.

7
Q

3.4.4 Network-Based Malware Protection

A

New security architectures for the borderless network address security challenges by having endpoints use network scanning elements. These devices provide many more layers of scanning than a single endpoint possibly could. Network-based malware prevention devices are also capable of sharing information among themselves to make better informed decisions.

Protecting endpoints in a borderless network can be accomplished using network-based, as well as host-based techniques, as shown in the figure above. The following are examples of devices and techniques that implement host protections at the network level.

Cisco Secure Endpoint - This provides endpoint protection from viruses and malware.
Cisco Secure Email - This provides filtering of spam and potentially malicious emails before they reach the endpoint. An example is the Cisco ESA.
Cisco Umbrella - This uses DNS requests to provide filtering of websites and blocklisting to prevent hosts from reaching dangerous locations on the web. Cisco Umbrella provides control over how users access the internet and can enforce acceptable use policies, control access to specific sites and services, and scan for malware.
Network Admission Control (NAC) - This permits only authorized and compliant systems to connect to the network.
