Every organization needs robust policies and procedures in place to defend against the ever-present threat of malware. This includes having controls to detect, prevent, block and remove any malicious software that tries to infect assets. These policies should be centrally managed, regularly reviewed, and tightly integrated across the entire computing infrastructure.
Where did this come from?
This control comes from the CSA Cloud Controls Matrix v4.0.10, released on 2023-09-26. You can download the full matrix here. The matrix provides a comprehensive set of cloud security controls mapped to leading standards, best practices and regulations. Malware protection is a critical part of any cybersecurity program, as malware remains one of the most common attack vectors. The CIS Critical Security Controls also emphasize malware defenses as a key control.
Who should care?
This control is relevant for:
- CISOs and security leaders responsible for managing organizational risk
- IT operations teams who manage computing infrastructure
- Endpoint administrators who configure anti-malware tools
- Developers who need to ensure their apps and code are malware-free
- Compliance officers who must ensure adherence to relevant standards
What is the risk?
Malware, short for malicious software, is any program or file that is harmful to a computer. Types of malware include viruses, worms, Trojans, ransomware, spyware, adware, and more. Malware can steal data, encrypt files, spy on users, serve unwanted ads, and otherwise wreak havoc. The average cost of a malware attack on a company is $2.4 million. 60% of small companies go out of business within six months of getting hit with malware.
Without strong malware protection policies and procedures, an organization is at severe risk of:
- Massive data breaches and theft of intellectual property
- Ransomware attacks that lock critical systems
- Reputational damage and loss of customer trust
- Financial losses and regulatory fines
What's the care factor?
On a scale of 1-10, malware protection is an 11. Malware is ubiquitous and can impact organizations of all sizes across all industries. No one is immune. Damages from malware can be catastrophic, even company-ending in some cases. While anti-malware tools are not foolproof, they are still essential and can stop a significant amount of malware when configured properly. The risk of not having them is simply too high.
That said, malware defenses can be costly and complex. Organizations need to prioritize based on risk and asset value. Trying to protect everything equally is not realistic. Focus on safeguarding your crown jewels and most vulnerable systems first.
When is it relevant?
Malware protection is relevant in virtually all situations since malware can strike anytime, anywhere. It's especially critical for:
- Public-facing systems and websites
- Endpoints that connect to untrusted networks
- Servers hosting sensitive data
- Legacy systems running unpatched software
There are a few scenarios where certain malware defenses may not be applicable:
- Isolated, air-gapped systems not connected to any network
- Low-value, non-sensitive assets where infection risk is low
- Embedded OT/IoT devices with hardened custom firmware
But in general, some form of malware protection is needed across the board, especially in cloud environments.
What are the trade offs?
Malware defenses don't come for free. Some potential costs and considerations:
- License fees for enterprise anti-malware software can be expensive
- Endpoint agents can slow system performance and annoy users
- Signature updates require constant connectivity and computing resources
- Behavioral analytics and sandboxing add latency and complexity
- False positives disrupt productivity and require triage by IT
- Configuration drift and tool sprawl as infrastructure scales
None of these are reasons to avoid malware protection. But it's important to recognize the overhead involved and invest sufficiently in a solution that balances security and usability. Trying to secure systems with freeware and limited staff won't cut it.
How to make it happen?
Here's a step-by-step guide to implementing this control:
- Inventory all assets and prioritize based on risk/value
- Evaluate leading enterprise anti-malware solutions (Defender, McAfee, Symantec, etc.)
- Procure and deploy the agent to all assets, starting with high-value targets
- Ensure all instances are enrolled in central console for management
- Configure robust policies (signatures, behavioral, cloud lookups, sandboxing)
- Set up alerts and reports for security teams, with SLAs for response
- Distribute end user training and escalation procedures
- Monitor and tune to minimize false positives and performance impact
- Have a plan to isolate infected systems and recover with backups
- Review and update policies at least annually
Refer to vendor documentation for detailed product-specific configurations and best practices.
What are some gotchas?
Some things to watch out for:
- Ensure you have permissions to deploy agents and manage centrally (RBAC)
- Check OS/version compatibility with agent and console
- Test first to avoid breaking line-of-business apps with false positives
- Exclude certain files/folders to avoid performance hits (logs, SQL, git)
- Make sure SOC is prepared to handle the extra alerts
- Beware of fileless/in-memory malware that evades common defenses
- Don't rely solely on malware tools - layer other controls like patching and user education
What are the alternatives?
Some other compensating controls to help defend against malware:
- Network segmentation and strict firewalling rules
- Aggressive system hardening and attack surface reduction
- Application whitelisting and execution control
- User least privilege and elimination of local admin
- Web content filtering and malicious domain blocking
- Periodic compromise assessment and red team tests
While valuable, none of these are a full replacement for dedicated malware protection software. Defense in depth with multiple malware controls is ideal.
Explore further
For more information and guidance, check out:
- CIS Control 8: Malware Defenses
- NIST SP 800-83: Guide to Malware Incident Prevention and Handling
- NSA Cybersecurity Guidance on Malware
- CISA Insights on Malware Trends
