Defensive architecture at the core of NIST cybersecurity guidance
Even with the best mitigation techniques in place, malware incidents will occur, and a defensive architecture can help manage malicious code that does infiltrate a network, says the National Institute of Standards and Technology.
The agency published July 25 a draft revision to special publication 800-83 (.pdf), its guide to malware incident prevention for laptops and desktops, which updates material to reflect today's "more stealthy" malware threats and incidents.
According to the document, there are three techniques agencies should consider for implementing a defensive architecture.
Sandboxing applications allows them to run only in a controlled environment that restricts and isolates the application from interacting with other parts of the network. Browser separation, or using different web browsers for different websites of varying security thresholds, is another proven approach. Lastly, virtualization can segregate applications or operating systems from each other.
The publication makes several recommendations for improving incident prevention and response techniques. But before applying security measures, agencies should assess their environment. For example, "a technique that works well in a managed environment might be ineffective in a non-managed environment," says the publication.
Policy statements will also help guide malware prevention efforts, says NIST.
"If an organization does not state malware prevention considerations clearly in its policies, it is unlikely to perform malware prevention activities consistently and effectively throughout the organization," write the authors.
However, NIST warns that policies should not be so specific that they cannot be implemented consistently throughout the organization, or that they require numerous policy updates as the organization or the threat landscape changes.
Specific mitigation techniques highlighted in the publication include deploying antivirus software on all hosts and standing up a robust incident response process. The incident response process should be broken into four phases: preparation, detection and analysis, containment/eradication/recovery, and post-incident activity.
- download the document, NIST SP 800-83 Revision 1 Draft (.pdf)