Medical researchers look for patient zero to find out where a virus outbreak started and what places and people patient zero came into contact with in order to contain the outbreak and prevent further infections. Similarly, infosec researchers need to look for the user who first introduced the malware into the network, which application was carrying the malware, and the files that are causing it to spread in order to contain it, eliminate it, and prevent reinfection, explained Huger, vice president of development at Sourcefire’s cloud technology group.
“Enterprises have lots of security software deployed all the way down to the desktop, but people still end up suffering malware infections”, observed Huger. Everybody is focused on detection, but there is not much software that helps enterprises deal with an infection once it happens, he told Infosecurity.
“Patient zero is the user who saw the malware first and when he or she was compromised. Those are pretty tough questions to answer, but if you can’t answer those basic questions, it is really difficult to reduce your risk profile over time”, Huger said.
Without that knowledge, organizations are forced to play a game of “whack-a-mole” – they try to remove the malware, but it keeps popping up in other places.
“We think it is important to be practical about malware infections and answer the questions that will help you recover from an outbreak quicker and then narrow your risk of a subsequent outbreak”, Huger explained.
“Organizations need to have software to block the infection but they also need software that gives visibility past the point of infection. For whatever reason, your security software failed, and you have to figure out ‘What now?' You have to be able to deal with the situation”, he said.
Finding and fixing malware infections are time-intensive activities. IT staff usually skip right to remediation because they don’t have time for the analysis necessary to understand the scope of the infection.
“Typically, IT staffs have more problems than hands. So they don’t spend a lot of time doing detailed forensics that require specialized personnel….Most incident response teams are trying to bandaid a lot of problems at once”, Huger said.
Huger explained that the key to avoiding the whack-a-mole approach is to have visibility into the network, as well as software tracking and control capabilities. “If you have these things, you save incident response people a tremendous amount of grief because when they recover malware, they can know where it is and how it got there”.