CSA CCM UEM-09
Anti-Malware Detection and Prevention

Viruses, worms, trojans, ransomware - the digital world is full of nasty malware lurking in the shadows, waiting to infect your devices. But fear not! The UEM-09 control is here to save the day. By configuring your endpoints with anti-malware detection and prevention technology, you can keep those pesky bugs at bay and surf the interwebs with confidence.

Where did this come from?

This pearl of wisdom comes straight from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full matrix of cloud security goodness at https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The CCM provides a handy framework of controls to keep your cloud deployments squeaky clean and secure. For the cloud-workload side of the same problem, check out the AWS docs on GuardDuty Malware Protection, which scans EC2 volumes and S3 objects; it complements an endpoint agent rather than replacing one.

Who should care?

This one goes out to all the IT admins, security analysts, and CISOs with a burning desire to keep their fleets of laptops, desktops and mobile devices malware-free. If you're responsible for securing endpoints and are tired of fighting a losing battle against the latest malware variants, this control has your name written all over it.

What is the risk?

Without proper anti-malware defenses in place, your endpoints are sitting ducks for all kinds of digital nastiness:

  • Viruses that corrupt files and hog system resources
  • Worms that spread through networks like wildfire
  • Trojans that sneak in and steal data
  • Ransomware that locks up files until you pay up

UEM-09 arms your endpoints with the tools to prevent malware infections, detect any that slip through the cracks, and help contain and remediate compromised devices. It's like a bouncer, a security camera and a hazmat suit all rolled into one!

What's the care factor?

On a scale of "meh" to "drop everything and implement this NOW", anti-malware controls rate a solid "this should be standard practice". Sure, there are plenty of exciting security projects you could be working on, but ensuring basic endpoint hygiene with anti-malware should be high on the priority list. The costs and damage from a malware incident can quickly snowball, so a little prevention goes a long way.

When is it relevant?

UEM-09 is applicable anytime you have a fleet of endpoints accessing corporate resources, which these days is pretty much always. Some key scenarios:

  • Laptops and desktops - duh!
  • BYOD and mobile devices if accessing company apps and data
  • Servers if you like them malware-free
  • IoT devices since malware is equal opportunity
  • Basically if it computes, it should have anti-malware

What are the trade offs?

Ah security, the art of balance and compromise. Anti-malware isn't without its downsides:

  • Software and licenses cost $$$
  • Scans can impact device performance and annoy users
  • False positives happen, blocking legit files
  • Keeping definitions up to date is a never-ending treadmill
  • Users will try to disable it the second it gets in their way

But weigh that against the time, money and sanity lost cleaning up a malware fiasco and it's a no-brainer. With some smart configuration and expectation-setting, the benefits of anti-malware far outweigh the costs.

How to make it happen?

Ready to lock down those endpoints? Let's get tactical:

  1. Evaluate anti-malware vendors and pick one that fits your needs/budget. Leaders include CrowdStrike, Microsoft Defender for Endpoint, Trend Micro, Symantec (now part of Broadcom) and Trellix (formerly McAfee Enterprise). Look for key features like central management, behavior-based detection, tamper protection, automated response, and an API or SIEM export so alerts land where your SOC already looks.
  2. Procure licenses, then identify a pilot group of endpoints and users. Focus on higher risk devices like laptops of road warriors.
  3. Define configuration and policy. Map to compliance regs. Will you block external media? Restrict software installs? Scan attachments? Consider user experience.
  4. Install the anti-malware agent on pilot devices. Confirm each one checks in to the console and is pulling current engine and definition updates; an agent that is installed but silently not updating is worse than none, because everyone assumes it's working.
  5. Enable blocking, scanning and prevention features. Start with a smaller/safe subset, or run new features in audit mode first so you can see what they would have blocked before they start blocking it.
  6. Run it for a few days. Review alerts, performance impact, user feedback. Tweak as needed.
  7. Refine the config until it's dialed in, then deploy to remaining endpoints in waves.
  8. Schedule periodic scans, review alerts daily, and keep it updated. Automate response where possible.
  9. Train users on best practices and what to do if malware is detected. Have an incident response plan ready.
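The steps above boil down to "is the agent on, current, protecting, and actually catching things?" Here is an added example, not from the CCM or the original post, of what that check looks like on a Windows endpoint using Microsoft Defender's built-in cmdlets (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference, Update-MpSignature, Start-MpScan, Get-MpThreatDetection). The threshold values, the check names and the Test-DefenderDetection function are this example's own choices, not CCM requirements, and it assumes an elevated session on a host with the Defender module. The same pattern (query state, compare to baseline, remediate, functional test) applies to any vendor's agent via its own CLI or API.

```powershell
# Added example (not from the CCM or the original post): check a Windows endpoint
# against a UEM-09 anti-malware baseline and optionally remediate it.
# Assumptions: Windows 10/11 or Server with the Defender module, elevated session.
# The day thresholds below are this example's own policy values, not CCM text.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [int]$MaxSignatureAgeDays = 3,   # assumption: definitions older than this fail
    [int]$MaxQuickScanAgeDays = 7,   # assumption: a quick scan must have run this week
    [switch]$Remediate,              # apply fixes instead of only reporting
    [switch]$TestDetection           # drop an EICAR file and confirm the engine reacts
)

Import-Module Defender -ErrorAction Stop
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Each check: a name, the pass condition, and a local remediation (if one exists).
$checks = @(
    @{ Name = 'AV engine running';          Pass = ($status.AMServiceEnabled -and $status.AntivirusEnabled);
       Fix  = { Start-Service -Name WinDefend } },
    @{ Name = 'Real-time protection on';    Pass = $status.RealTimeProtectionEnabled;
       Fix  = { Set-MpPreference -DisableRealtimeMonitoring $false } },
    @{ Name = 'Behavior monitoring on';     Pass = $status.BehaviorMonitorEnabled;
       Fix  = { Set-MpPreference -DisableBehaviorMonitoring $false } },
    @{ Name = 'Tamper protection on';       Pass = $status.IsTamperProtected;
       Fix  = $null },   # set via Intune / Windows Security, not Set-MpPreference
    @{ Name = 'Cloud-delivered protection'; Pass = ($pref.MAPSReporting -ne 0);
       Fix  = { Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples } },
    @{ Name = 'PUA blocking on';            Pass = ($pref.PUAProtection -eq 1);
       Fix  = { Set-MpPreference -PUAProtection Enabled } },
    @{ Name = "Signatures <= $MaxSignatureAgeDays days old";
       Pass = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays);
       Fix  = { Update-MpSignature } },
    @{ Name = "Quick scan <= $MaxQuickScanAgeDays days old";
       Pass = ($status.QuickScanAge -le $MaxQuickScanAgeDays);
       Fix  = { Start-MpScan -ScanType QuickScan } }
)

$failed = @()
foreach ($c in $checks) {
    $state = if ($c.Pass) { 'PASS' } else { 'FAIL' }
    Write-Host ('[{0}] {1}' -f $state, $c.Name)
    if (-not $c.Pass) { $failed += $c }
}

if ($Remediate) {
    foreach ($c in $failed) {
        if ($null -eq $c.Fix) {
            Write-Warning "No local fix for '$($c.Name)'; enforce it through MDM/EDR policy."
            continue
        }
        Write-Host "Remediating: $($c.Name)"
        & $c.Fix
    }
}

# Functional test: write the EICAR test file and confirm the engine reacts to it.
# The string is split in two so this script is not itself flagged when copied around.
function Test-DefenderDetection {
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS' + '-TEST-FILE!$H+H*'
    $path  = Join-Path $env:TEMP 'eicar.com'
    try {
        Set-Content -Path $path -Value $eicar -NoNewline -Encoding ascii
    } catch {
        # Real-time protection usually refuses the write itself; that counts as a hit below.
    }
    Start-Sleep -Seconds 5
    $hit = Get-MpThreatDetection | Where-Object { $_.Resources -match 'eicar' }
    Remove-Item -Path $path -ErrorAction SilentlyContinue
    return [bool]$hit
}

$detected = $true
if ($TestDetection) {
    $detected = Test-DefenderDetection
    Write-Host ('[{0}] EICAR test file detected' -f $(if ($detected) { 'PASS' } else { 'FAIL' }))
}

# Non-zero exit lets an MDM compliance script or RMM job mark the device non-compliant.
exit ([int](($failed.Count -gt 0) -or -not $detected))
```

Run it read-only across the pilot group first (`.\Check-Defender.ps1 -TestDetection`) to see which settings drift, then with `-Remediate` once the policy is agreed. Tamper protection is deliberately report-only here: if a local script could flip it, so could malware.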

What are some gotchas?

Even the best laid anti-malware plans can hit some snags:

  • User revolt if it's too restrictive or noisy. Communicate early and often. Make exceptions where risk allows.
  • Older systems may not meet the OS/performance requirements. Prioritize replacing them or finding alternative controls.
  • Licensing costs can add up at scale. Look for volume discounts, bundles, and optimize deployment.
  • Managing yet another agent. Explore integration with existing EDR/XDR/MDM solutions.
  • False positives. Define an exceptions and whitelisting process. Leverage vendor support.
  • Doesn't play nice with other security tools. Test early and thoroughly. Stagger deployment schedules.
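The false-positive gotcha has a second half: every exclusion you grant to quiet an alert is a place the scanner no longer looks, and attackers know to drop payloads into excluded paths. As an added example, not from the original post, here is an audit of Microsoft Defender exclusions for the overly broad entries an exceptions process should refuse. The risky patterns are this example's own heuristics, not a vendor or CCM list, and the sample values at the bottom are constructed for illustration.

```powershell
# Added example (not from the original post): flag Defender exclusions that turn a
# false-positive workaround into a blind spot. The patterns are this example's own
# heuristics. Assumes the Defender PowerShell module is available.
Import-Module Defender -ErrorAction Stop

function Get-RiskyDefenderExclusions {
    [CmdletBinding()]
    param(
        # Defaults read the live configuration; pass arrays to audit an exported policy offline.
        [string[]]$ExclusionPath      = (Get-MpPreference).ExclusionPath,
        [string[]]$ExclusionExtension = (Get-MpPreference).ExclusionExtension,
        [string[]]$ExclusionProcess   = (Get-MpPreference).ExclusionProcess
    )
    $findings = @()

    foreach ($p in ($ExclusionPath | Where-Object { $_ })) {
        $reason = $null
        if     ($p -match '^[A-Za-z]:\\?$' -or $p -match '^\\\\[^\\]+\\?$') { $reason = 'whole drive or share root excluded' }
        elseif ($p -match '\\(Users|Temp|Downloads|ProgramData)(\\|$)')  { $reason = 'user-writable location excluded' }
        elseif ($p -match '\*')                                           { $reason = 'wildcard path exclusion' }
        if ($reason) { $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Reason = $reason } }
    }

    foreach ($e in ($ExclusionExtension | Where-Object { $_ })) {
        if ($e -match '^\.?(exe|dll|ps1|vbs|js|bat|cmd|scr|com|msi|hta)$') {
            $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e; Reason = 'executable or script type excluded' }
        }
    }

    foreach ($proc in ($ExclusionProcess | Where-Object { $_ })) {
        # A process exclusion skips every file that process opens, so LOLBins are the worst case.
        if ($proc -match '(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe$' -or $proc -match '\*') {
            $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = 'LOLBin or wildcard process exclusion' }
        }
    }
    return $findings
}

# Offline check with constructed sample values (not taken from any real host).
Get-RiskyDefenderExclusions `
    -ExclusionPath      @('C:\', 'C:\Users\alice\Downloads', 'C:\Program Files\SAP\*', 'D:\Backups\veeam') `
    -ExclusionExtension @('exe', 'log') `
    -ExclusionProcess   @('C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', 'C:\Program Files\Acme\agent.exe') |
    Format-Table -AutoSize

# Live audit of this host.
Get-RiskyDefenderExclusions | Format-Table -AutoSize
```

On the constructed input the function reports four findings (`C:\`, the Downloads folder, the SAP wildcard path, the `exe` extension and the PowerShell process exclusion) and passes the Veeam path, the `log` extension and the vendor agent. The practical rule it encodes: exclude the narrowest path that fixes the false positive, never a user-writable directory, an executable type, or a process that can run arbitrary code.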

What are the alternatives?

If a full-blown endpoint anti-malware rollout sounds daunting, consider some lighter-weight alternatives and complementary controls (most of these reduce exposure rather than replace an agent on the device):

  • Microsoft Defender Antivirus (built into Windows, so no extra license for the baseline)
  • Cloud-based attachment/file scanning (like Microsoft Defender for Office 365 Safe Attachments, formerly Office 365 ATP)
  • DNS filtering to block malicious sites (Cisco Umbrella, formerly OpenDNS)
  • Network traffic analysis for malware C2 (Darktrace, ExtraHop)
  • User security training (still need this even with tools)
  • Offensive security testing to find gaps
  • Tested, offline or immutable backups for when malware does land

Explore further

Hungry for more anti-malware musings? Check out:

  • NIST SP 800-83 for malware incident prevention and handling
  • CIS Critical Security Controls v8, Control 10 (Malware Defenses)
  • CSA CCM v4 TVM-02 (Malware Protection Policy and Procedures), TVM-04 (Detection Updates), IVS-04 (OS Hardening and Base Controls), and the LOG domain for keeping anti-malware alerts auditable
  • The /r/antivirus subreddit for the latest tips and trends
  • Every vendor's white papers touting their products as the ultimate in malware protection
