May 2002
Special Report
Command and Control
Centralized management solutions provide enterprises with a
bird's-eye view of AV defenses.
BY Jack Koziol
Contemporary distributed networking is a complex infrastructure
of servers, gateways and workstations--in some enterprises,
numbering thousands of nodes--all vulnerable to virus infections.
The challenge to sysadmins is keeping the AV applications on all of
these boxes updated and properly configured before they're infected
with the next variant of Anna Kournikova or Nimda.
Centralized AV management solutions aim to provide enterprises
with a bird's-eye view of their AV defenses and granular command and
control. The basic feature set of all AV management suites is the
ability to see all users on the network, know what application
versions they're running, efficiently and expediently update virus
signatures and policies, and receive alerts and other reports.
Signature Updates
In theory, heuristics scanners will detect and block new and
previously undetected malicious code. But because AV heuristics
remains an inexact science with high false-positive rates, most AV
solutions rely on signature matching--comparing samples of malicious
code with the fingerprints of known viruses and worms.
Although reactionary, signature matching is effective as long as
scanning engines' databases are updated before a new virus or worm
hits. AV vendors often release signatures within hours of new
malware being discovered. The nightmare of AV management is ensuring
signature definitions are updated regularly and uniformly across the
enterprise, which includes myriad servers, desktops and laptops.
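The signature matching described above, reduced to its core: a versioned definition set of byte patterns is run over file contents, and a variant that the current definitions do not know slips through until the next release is pushed. This is an added example written for this page, not code from the article or from any vendor's engine; the signatures, the definition version numbers and the sample files are all constructed for illustration, and real engines add wildcards, emulation and far larger databases on top of plain pattern matching.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # regular expression over raw bytes


def make_db(version, signatures):
    """A definition set: a version number plus compiled byte patterns."""
    return {
        "version": version,
        "signatures": [(s.name, re.compile(s.pattern, re.DOTALL)) for s in signatures],
    }


# Constructed definitions (not real malware signatures).  The first release
# knows marker A in its original form and a wildcard form of marker B.
DB_V1 = make_db(20020510, [
    Signature("Test.Marker.A", re.escape(b"CONSTRUCTED-MARKER-A-v1")),
    Signature("Test.Marker.B", rb"MARKER-B:.{4}:END"),  # any 4 bytes between the fixed parts
])

# The follow-up release adds a pattern for a variant of marker A.
DB_V2 = make_db(20020514, [
    Signature("Test.Marker.A", re.escape(b"CONSTRUCTED-MARKER-A-v1")),
    Signature("Test.Marker.B", rb"MARKER-B:.{4}:END"),
    Signature("Test.Marker.A.var2", re.escape(b"CONSTRUCTED-MARKER-A-v2")),
])


def scan_bytes(data, db):
    """Names of every signature in db that occurs anywhere in data."""
    return [name for name, rx in db["signatures"] if rx.search(data)]


def scan_files(files, db):
    """Scan a {path: contents} mapping.  The SHA-256 is what a central
    repository would key forwarded samples on."""
    return {
        path: {
            "sha256": hashlib.sha256(data).hexdigest(),
            "matches": scan_bytes(data, db),
            "db_version": db["version"],
        }
        for path, data in files.items()
    }


# Constructed sample files: one clean, two matching, one undetected variant.
SAMPLE_FILES = {
    "report.doc": b"Quarterly figures: revenue up 4%.",
    "setup.exe": b"MZ\x90\x00CONSTRUCTED-MARKER-A-v1" + b"\x00" * 8,
    "attach.scr": b"MZMARKER-B:\x01\x02\x03\x04:END",
    "update.exe": b"MZCONSTRUCTED-MARKER-A-v2",  # variant: missed by v1 definitions
}


def missed_by_old_definitions(files, old_db, new_db):
    """Files detected only after the definition update: the exposure window
    between a variant's appearance and the next signature push."""
    before = scan_files(files, old_db)
    after = scan_files(files, new_db)
    return sorted(p for p in files if not before[p]["matches"] and after[p]["matches"])


if __name__ == "__main__":
    for path, r in scan_files(SAMPLE_FILES, DB_V2).items():
        print(f"{path}: {', '.join(r['matches']) or 'clean'} (defs {r['db_version']})")
    print("caught only by new definitions:",
          missed_by_old_definitions(SAMPLE_FILES, DB_V1, DB_V2))
```

Running it with the older definitions against the same files shows update.exe reported clean, which is exactly the gap a timely push closes.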
Centralized AV management allows admins to efficiently push new
signature updates to every node through point-and-click GUIs and
scripted routines. For example, the drag-and-drop function in
Central Command's Vexira Antivirus Professional (http://www.centralcommand.com/)
allows admins to automatically propagate signatures to predefined
nodes. This eliminates the need to have users manually connect to an
FTP server to retrieve new signatures.
Enterprises can also take advantage of automated update services,
which periodically check a vendor's Web site for new signatures and
program upgrades. For example, most of Symantec's (http://www.symantec.com/) AV
applications come with an optional "Live Update" service. While
efficient for routine updates, such services don't replace the need
for a push function for responding to new malware outbreaks.
Policy Enforcement
Updating signatures is only part of the challenge of managing AV
defenses on large, distributed networks. If users disable their
virus scanners--say, to install a new piece of (often unauthorized)
software--they can create gaps in the AV screens.
Centralized AV management enables efficient enforcement of
security policies by providing mechanisms for routinely applying
patches and upgrading software, scanning systems for malware, and
configuring AV application settings.
Admins may have tight control over server-based AV agents, but
the client-based scanners are a wild card. Because AV tasks can
impede productivity and functionality, users will often disable
scanners or cancel periodic scans. Centralized management gives
admins the ability to monitor the status of AV scanners and enforce
an organization's AV policy.
For instance, Computer Associates' eTrust Antivirus (http://www.ca.com/) can deny a user
access to network resources if he disables the AV client. This
feature is particularly useful for remote users and road warriors,
who could expose the corporate network to viruses via their infected
clients.
Centralized management solutions can also push policy and
configuration changes to the client, restart disabled scanners and
deploy new AV software. In some cases, the management console can
remotely install new software and reboot the client.
Policy may also dictate how viral code is handled. Using
solutions such as Kaspersky Lab's Corporate Suite (http://www.kaspersky.com/),
admins can configure clients to either quarantine or delete code at
the site of infection, or forward it to a central repository for
analysis. Admins can set server-based solutions to do the same, and
strip suspect attachments from e-mails before they pass through
border gateways.
Alerting Functions
Time is of the essence when new viruses are discovered in the
wild. Admins must implement mitigations and update signatures before
the virus or worm enters the network. Most management consoles come
with alerting mechanisms that tell admins when their AV devices
encounter a threat.
Most AV management solutions allow admins to set the threshold
for alerts based on the risk severity and level of infection. Alerts
are often issued to admins via e-mail, pager, SMS or all three. For
instance, Trend Micro's Trend Virus Control System (http://www.trendmicro.com/)
allows admins to define what constitutes a severe infection and a
threshold requiring immediate attention.
Once an alert is issued, admins can identify the point of
infection and determine an appropriate course of action. If new
signatures are available, they can push the signatures out to the AV
clients. If signatures aren't available, they can quarantine the
point of infection to keep the malware from spreading to the rest of
the network.
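The alerting rules of the two paragraphs above, as an added example and not code from the article or from any vendor's console: a severity threshold that defines a severe infection, an "agent could not contain it" rule, and a spread rule that flags a segment when several distinct hosts report infections within a short window. The events, the thresholds and the channel mapping are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed detection events as agents would report them to the console:
# (timestamp, host, network segment, signature, severity 1-5, action taken).
EVENTS = [
    ("2002-05-14T09:00:00", "ws-101", "10.1.0.0/24", "Test.Marker.A", 3, "quarantined"),
    ("2002-05-14T09:03:00", "ws-102", "10.1.0.0/24", "Test.Marker.A", 3, "quarantined"),
    ("2002-05-14T09:06:00", "ws-103", "10.1.0.0/24", "Test.Marker.A", 3, "quarantined"),
    ("2002-05-14T09:30:00", "srv-mail", "10.2.0.0/24", "Test.Marker.B", 5, "attachment stripped"),
    ("2002-05-14T10:00:00", "ws-201", "10.3.0.0/24", "Test.Marker.A", 2, "left in place"),
    ("2002-05-14T11:00:00", "ws-101", "10.1.0.0/24", "Test.Marker.A", 3, "deleted"),
]

# Constructed thresholds: what this site calls "severe" and "immediate attention".
THRESHOLDS = {
    "severe_severity": 4,                       # at or above: page the on-call admin
    "uncontained_actions": {"left in place"},   # agent could not clean: also immediate
    "spread_window": timedelta(minutes=10),
    "spread_hosts": 3,                          # distinct infected hosts per segment in window
}

CHANNELS = {"immediate": ["e-mail", "pager", "SMS"], "routine": ["e-mail"]}


def alert(level, target, reason):
    return {"level": level, "target": target, "reason": reason, "channels": CHANNELS[level]}


def evaluate(events, thresholds=THRESHOLDS):
    """Turn raw detections into routine or immediate alerts."""
    alerts = []
    recent = defaultdict(list)     # segment -> [(time, host)] within the spread window
    spread_flagged = set()
    window = thresholds["spread_window"]
    for ts, host, segment, sig, severity, action in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if severity >= thresholds["severe_severity"]:
            alerts.append(alert("immediate", host, f"{sig}: severity {severity}"))
        elif action in thresholds["uncontained_actions"]:
            alerts.append(alert("immediate", host, f"{sig}: not contained ({action})"))
        else:
            alerts.append(alert("routine", host, f"{sig}: {action}"))

        # Spread rule: N distinct hosts in one segment inside the window means
        # the outbreak is moving, whatever the per-event severity says.
        recent[segment] = [(bt, bh) for bt, bh in recent[segment] if t - bt <= window]
        recent[segment].append((t, host))
        hosts = {bh for _, bh in recent[segment]}
        if len(hosts) >= thresholds["spread_hosts"] and segment not in spread_flagged:
            spread_flagged.add(segment)
            minutes = int(window.total_seconds() // 60)
            alerts.append(alert("immediate", segment,
                                f"{len(hosts)} hosts infected within {minutes} minutes"))
    return alerts


def summarize(alerts):
    """Counts per level, the figure a shift handover or report would carry."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["level"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(f"[{a['level']:9}] {a['target']:12} {a['reason']}  -> {', '.join(a['channels'])}")
    print(summarize(evaluate(EVENTS)))
```

With the constructed events, three workstations on one segment each raise only a routine alert on their own, but together inside the ten-minute window they trip the spread rule and the segment itself is escalated; that is the signal an admin would act on to quarantine the point of infection when no signature is yet available.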
Reporting and Analysis
Individual AV applications have long delivered statistics on the
number of viruses they detected, deleted and quarantined. AV
management consoles can collect and aggregate those statistics, as
well as other operational information, for analysis.
A crucial function of centralized AV management solutions is
knowing the version and status of AV applications running on the
network. For example, Norman's Virus Control 5 (http://www.norman.com/) will keep
track of what versions of its AV software are running in different
user groups, as well as when they were last updated.
Some centralized AV management solutions keep a running inventory
of network devices and clients. Reports, such as those generated by
Sophos' SAVAdmin (http://www.sophos.com/), show what
devices have been added to the network and whether they need an AV
agent or update.
Analyzing infection rates and attempted virus
attacks can yield crucial intelligence on what network segments and
devices are being targeted. These reports help admins gauge their AV
systems' performance and user policy compliance, and provide data
for measuring the ROI of AV investments.
AV logs and reports can show the devices and network segments
most often targeted, and how well the AV defenses perform. Such
information can help admins identify and correct soft spots in their
security infrastructure. And policy compliance reports show which
users are opening gaps in the AV defenses.
Security managers often struggle to provide quantitative metrics
to justify cost to management. With the reporting capabilities of
centralized AV management, security practitioners can gather data on
the number of attempted virus/worm attacks and the rates of
infection. This information can be extrapolated into a cost/benefit
analysis for AV spending. Gap analysis is a powerful tool in
motivating management, especially when used to compare an
organization's AV posture to that of industry peers.
Limited Reach
While centralized AV management systems offer enterprises
tremendous command and control over the distributed network, they
may be limited by design drawbacks.
As with other security solutions, the effectiveness of
centralized AV management depends on proper configuration and
administration. Security admins must be able to properly deploy and
manage remote clients, accurately interpret incident logs and
appropriately respond to new alerts. The management consoles offer
control and information-gathering functions, but those functions are
useless if admins don't know how to use them.
Time also works against centralized AV solutions, particularly
because automated and centralized signature and policy deployment
doesn't mean immediate updates. Even with the best management
systems, it takes time for updates to propagate across the network.
For instance, remote workers who connect to the central office only
once or twice a week may have machines that are vulnerable to new
viruses for days before they can get updated.
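The version and status reporting described under Reporting and Analysis, the disabled-scanner problem under Policy Enforcement, and the propagation lag described just above all come down to the same data: one inventory record per node. This added example, not code from the article or from any product, turns such an inventory into a per-node compliance report, a per-group compliance rate, and a push plan that separates nodes the console can update now from remote nodes that can only be updated when they next connect. The inventory, the definition version numbers and the policy limits are constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed: the vendor's latest definition release and the site's policy limits.
CURRENT_DEFINITIONS = 20020514
MAX_CHECKIN_AGE = timedelta(days=3)
REPORT_DATE = date(2002, 5, 16)

# Constructed inventory as the console would hold it, one record per node.
INVENTORY = [
    {"host": "hq-ws-01",     "group": "HQ",     "agent": True,  "realtime": True,  "definitions": 20020514, "last_checkin": "2002-05-16"},
    {"host": "hq-ws-02",     "group": "HQ",     "agent": True,  "realtime": False, "definitions": 20020510, "last_checkin": "2002-05-16"},
    {"host": "hq-srv-mail",  "group": "HQ",     "agent": True,  "realtime": True,  "definitions": 20020514, "last_checkin": "2002-05-16"},
    {"host": "road-lt-07",   "group": "Remote", "agent": True,  "realtime": True,  "definitions": 20020503, "last_checkin": "2002-05-09"},
    {"host": "road-lt-08",   "group": "Remote", "agent": True,  "realtime": True,  "definitions": 20020514, "last_checkin": "2002-05-15"},
    {"host": "branch-ws-11", "group": "Branch", "agent": False, "realtime": False, "definitions": None,     "last_checkin": "2002-05-16"},
]


def findings(node, today=REPORT_DATE, current=CURRENT_DEFINITIONS, max_age=MAX_CHECKIN_AGE):
    """Policy violations for one node; an empty list means compliant."""
    if not node["agent"]:
        return ["no AV agent installed"]
    out = []
    if not node["realtime"]:
        out.append("real-time scanner disabled")
    if node["definitions"] < current:
        out.append(f"definitions {node['definitions']} behind {current}")
    age = today - date.fromisoformat(node["last_checkin"])
    if age > max_age:
        out.append(f"last check-in {age.days} days ago")
    return out


def compliance_report(inventory, **policy):
    return {n["host"]: findings(n, **policy) for n in inventory}


def compliance_by_group(inventory, **policy):
    """Share of compliant nodes per user group: the figure for management."""
    totals, ok = defaultdict(int), defaultdict(int)
    for n in inventory:
        totals[n["group"]] += 1
        if not findings(n, **policy):
            ok[n["group"]] += 1
    return {g: round(ok[g] / totals[g], 2) for g in totals}


def push_plan(inventory, today=REPORT_DATE, current=CURRENT_DEFINITIONS, max_age=MAX_CHECKIN_AGE):
    """Who gets the signature push now, and who can only be updated on their
    next connection: the lag remote users introduce."""
    plan = {"push_now": [], "on_next_connect": [], "needs_agent": []}
    for n in inventory:
        if not n["agent"]:
            plan["needs_agent"].append(n["host"])
            continue
        if n["definitions"] >= current:
            continue
        reachable = today - date.fromisoformat(n["last_checkin"]) <= max_age
        plan["push_now" if reachable else "on_next_connect"].append(n["host"])
    return plan


if __name__ == "__main__":
    for host, f in compliance_report(INVENTORY).items():
        print(f"{host:13} {'; '.join(f) or 'compliant'}")
    print(compliance_by_group(INVENTORY))
    print(push_plan(INVENTORY))
```

The per-group rate is the number that answers the "how are we doing" question from management, while the push plan is the operational list: a laptop last seen a week ago is flagged as behind but cannot be fixed by a push today, which is the exposure window the paragraph above describes.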
Virtually all enterprise-class AV management systems employ some
sort of signature-push mechanism, but not all have the same reach.
Some products can't reach beyond the corporate network to update and
manage remote networks and users, requiring separate management
systems and personnel.
Cross-Product Management
Perhaps the greatest pitfall to centralized AV management is that
it may impede a defense-in-depth AV strategy. Because of the varying
effectiveness of the different AV applications, security experts
recommend running multiple solutions--such as running Trend on the
gateway, Sophos on the e-mail servers and Symantec on the desktop.
All but one of the management solutions are proprietary, requiring
enterprises to use a vendor's client applications and management
console.
McAfee Security (http://www.mcafeeb2b.com/) is
the first vendor to move away from the proprietary model with the
release of ePolicy Orchestrator, which can manage McAfee and
Symantec AV applications. McAfee says future versions will also
support Trend Micro applications.
Whether cross-product management will take off remains to be
seen. Other vendors are adopting a suite approach to security,
making content scanning a core component of an integrated security
offering. Symantec recently released its Security Gateway appliance,
which has centralized AV, IDS and firewall management and reporting
in one console. Likewise, Aladdin (http://www.ealaddin.com/) is
offering the eSafe Appliance, a plug-and-play box that offers
antivirus and content security.
AV Management Solutions*
Vexira Antivirus Professional -- Central Command -- http://www.centralcommand.com/
eTrust Antivirus -- Computer Associates -- http://www.ca.com/
Kaspersky Corporate Suite -- Kaspersky Lab -- http://www.kaspersky.com/
ePolicy Orchestrator -- McAfee Security (a division of Network Associates) -- http://www.mcafeeb2b.com/
Norman Virus Control 5 -- Norman -- http://www.norman.com/
Symantec AntiVirus Enterprise Edition 8.0 -- Symantec -- http://www.symantec.com/
SAVAdmin -- Sophos -- http://www.sophos.com/
Trend Virus Control System (Trend VCS) -- Trend Micro -- http://www.trendmicro.com/
* Representative list.
JACK KOZIOL (jackkoziol@hotmail.com) is
an information security officer at a major financial institution in
Chicago.