I work for an employer that is working toward ISO 27001. Nevertheless, I have had a major headache when pushing for refinement of anti-malware controls on staff workstations and production servers.
Let's talk about the office environment first, which comprises a mix of Windows and Mac workstations, mostly Macs. One of the departmental managers, while he has no objection to installing anti-malware solutions on staff workstations in his unit, specifically disallows the configuration of regular scans and claims that the real-time detection of the anti-malware solution is adequate; he believes that regular (e.g. weekly) scans, even if scheduled during lunch time, are a resource hog, and he would oppose any such scans in his unit no matter what. On the other hand, he also requires local administrative access to all staff workstations in his department, so staff can (theoretically) install software without restriction, even though there are guidelines asking staff not to do so without permission. You can also assume that staff have free Internet access, with minimal anti-malware controls applied on the office network security firewall.
The same departmental manager is also in charge of the servers, including the production ones, which run on a public cloud. The site allows users to upload certain types of files. Only a handful of customer-facing servers directly receive these uploaded files, but there are other non-Internet-facing servers which may post-process or access these files as part of the typical processing. Processes are not run as root, but these uploaded files are stored in some kind of cloud-managed file repository, so we know there is always a risk of stored malware for as long as a file is retained in the repository. Currently, there is no anti-malware solution installed at the ingress points or at the backend processing tiers, for a similar reason (performance concerns; and he alleges that Linux servers are not prone to malware).
As a CISSP myself, of course I am aware why such controls are necessary and can analyze the risks associated with not having these controls in place, but I have found it very hard to get the needed management buy-in to trade CPU cycles for security. What is the industry practice, and what should I do about it?
Assuming you're with an organization in the private sector, they are likely to be motivated by their business and the profits it generates.
While you and I can easily see the need to secure systems against malware, management may lack the ability or knowledge to comprehend it. If all they can see is figures, it's up to you to portray the ROI of the investments needed in IT security, so as to convince them to budget for it.
Start by ensuring your organisation has policies covering anti-malware, gauge the adequacy of the controls in reducing the risk of malware, and finally, if you need something new (additional implementation or enforcement) for this, prepare a good business case containing a risk analysis --- and hand this to your management on a plate...
(In my organization, I've had to deal with partners stating that their Linux platforms were very secure, claiming no malware protection was needed, but we got multiple cases of malware infections on them, which I compiled to show the risks.)
I agree with Shannon, and in addition to providing a risk analysis you should also help them comprehend the risks by having management sign off on accepting the risks as stated in your risk analysis if they decide not to mitigate them.
Yes, I forgot to include that part, thanks @DALX. Whenever I submit a risk analysis report, I end it with 'Unless the provided recommendations are followed, the mentioned risks will effectively be ignored' --- after which it's in the hands of management. (Like I said earlier, throw the ball into their court!)
I would find out why they are so adamantly against it. Was this person the one responsible for choosing the anti-malware (AM) product? If so, they may see the scans as an affront to their reputation/competence, and that is why they are reluctant/defiant about allowing scanning. They may fear that it will show that they were not competent in providing the "right" protection. Ask if they could do a benchmark study to see how it impacts the department. Why can't the scans be run at night? Find some videos about Stuxnet, WannaCry and zero-days and show them to them. Explain that most AV/anti-malware programs (even with "real-time" protection) are based on known patterns or deviations from expected behavior. When the bad actors use new techniques or new attacks that aren't known, even real-time protection may not be enough.
Also show them that most successful attacks use known vulnerabilities that have been out for six months or more. Download any of the major breach reports, such as the Verizon DBIR or some of the others. These breach reports show how successful attacks were able to get in. This can possibly give you some ammo, showing that even with AV and AM, people got in through unpatched systems, etc.
You could ask why banks have multiple defenses such as time-lock safes, alarm buzzers, security cameras, exploding dye packs, and in some cases even armed guards. Why do they not just use one method to protect the money? The answer lies in defense in depth. Time-lock safes deter one type of criminal, guards deter another type, exploding dye packs and security footage help catch the criminal after the fact, etc. AM only stops one kind of attack. Scanning is designed to stop another type of attack. That is why you need to scan. Attackers don't just use malware to get in. It is but one tool in their box of attack methods.
If all that doesn't work, then try this. Ask them if they are willing to sign a risk acceptance document stating that if any breach comes from within their department, they are willing to take full responsibility and blame for it, along with the corresponding disciplinary actions.
Thanks everybody for your comments.
Yes, I work in the private sector, and not in some kind of regulated environment. Otherwise, as you can guess, a scenario like this would not have been allowed to happen.
With respect to Shannon's feedback, I am very interested in knowing what kind of malware infections were detected on the partner Linux systems you referred to, whether they were ultimately stopped by an anti-malware solution, and what the consequences could have been had they not been stopped. One issue that I have is that in the absence of anti-malware controls, we do not even have visibility into whether any infections are actually there, and hence determining the risks of such infections has been considered a secondary activity. I am aware of Linux ransomware, but I wonder if there are additional types of malware that are common on Linux systems besides the likes of rootkits.
I like CISOScott's comment regarding real-time protection vs. manual scanning in anti-malware solutions. I understand that aspect myself, though I was apparently unable to portray it in an adequately intuitive manner for management to better understand how they complement each other. I think it was well said, especially the mention of defense in depth, though I think the issue here is more how I can get them to go that extra mile and practice it.
I also like everyone's mentions of getting management to explicitly accept that risk. Even though we are not in a regulated environment, we do have some compliance concerns and may be visited by infosec auditors. Therefore, is it actually common out there to deploy anti-malware solutions on Linux for web-based platforms? If integrating anti-malware solutions and configuring regular scans is the industry norm (for web-based application platforms), then I will have a stronger argument that their views are not aligned with industry best practices for security, but I need the industry insights to confirm this.
Nevertheless, for the production environment it doesn't seem feasible for us to do regular scans. The repository is just too large for it, and it is cloud-based, so it is not like a SAN that you can mount and then scan as if it were a local file server, but I agree that scan-on-upload or scanning before processing should be considered mandatory to lower the operational risk you all raised earlier.
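The scan-on-upload / scan-before-processing gate raised in the follow-up above, and the ingress and backend tiers described in the question, as an added example that is not code from any participant on this page. It assumes a local clamd reachable over a Unix socket at a hypothetical path, an allow-list of PNG/JPEG/PDF uploads, a constructed SHA-256 blocklist, and constructed sample uploads plus a fake scanner so the demonstration runs offline. The same `gate_upload` function can be called again by a backend tier immediately before it post-processes a file pulled from the repository, which covers the "before processing" case without scanning the whole repository.

```python
import hashlib
import socket
import struct
from typing import Callable, Optional, Set, Tuple

# Accepted upload types, name -> magic-byte prefix (assumption: the site accepts
# PNG, JPEG and PDF; substitute the real allow-list).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}

# A scanner returns "OK" or "FOUND:<signature>" and raises OSError when unavailable.
Scanner = Callable[[bytes], str]


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the file by content, never by the client-supplied name or MIME type."""
    for name, prefix in MAGIC.items():
        if data.startswith(prefix):
            return name
    return None


def clamd_instream(data: bytes, sock_path: str = "/var/run/clamav/clamd.ctl") -> str:
    """Scan bytes with a local clamd via its INSTREAM command (socket path is an assumption).
    Wire format: "zINSTREAM\\0", then chunks each prefixed by a 4-byte big-endian length,
    then a zero-length chunk; reply is e.g. "stream: OK\\0" or "stream: <sig> FOUND\\0"."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(60)
        s.connect(sock_path)
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), 65536):
            part = data[i:i + 65536]
            s.sendall(struct.pack(">I", len(part)) + part)
        s.sendall(struct.pack(">I", 0))
        reply = b""
        while not reply.endswith(b"\0"):
            more = s.recv(4096)
            if not more:
                break
            reply += more
    text = reply.rstrip(b"\0").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        return "FOUND:" + text[len("stream: "):-len(" FOUND")]
    if text.endswith("OK"):
        return "OK"
    raise OSError("unexpected clamd reply: " + text)


def gate_upload(data: bytes, declared_type: str, blocklist: Set[str],
                scanner: Scanner = clamd_instream) -> Tuple[str, str]:
    """Decide the fate of one upload before it is written to the repository:
    ("accept", type), ("reject", why), ("quarantine", why), or ("hold", why) when the
    scanner is down. Holding instead of accepting on scanner failure is the fail-closed choice."""
    actual = sniff_type(data)
    if actual is None or actual != declared_type:
        return "reject", f"content is {actual or 'unknown'}, declared {declared_type}"
    digest = hashlib.sha256(data).hexdigest()
    if digest in blocklist:
        return "quarantine", "sha256 on blocklist: " + digest
    try:
        verdict = scanner(data)
    except OSError as exc:
        return "hold", "scanner unavailable: " + str(exc)
    if verdict != "OK":
        return "quarantine", verdict
    return "accept", actual


# Constructed sample "uploads" for the offline demonstration; none is a real file.
SAMPLE_PNG = MAGIC["png"] + b"\x00" * 64
SAMPLE_EXE_AS_PNG = b"MZ\x90\x00" + b"\x00" * 64           # PE header, declared as png
SAMPLE_KNOWN_BAD = b"%PDF-1.4\n%known-bad-sample\n"         # its digest goes on the blocklist
SAMPLE_MARKED = MAGIC["jpeg"] + b"DEMO-MALICIOUS-MARKER"   # what the fake scanner flags
BLOCKLIST = {hashlib.sha256(SAMPLE_KNOWN_BAD).hexdigest()}


def fake_scanner(data: bytes) -> str:
    """Stand-in for clamd so the example runs offline; flags a constructed marker."""
    return "FOUND:Demo.Marker" if b"DEMO-MALICIOUS-MARKER" in data else "OK"


def down_scanner(data: bytes) -> str:
    """Simulates an unreachable scanner daemon."""
    raise OSError("connection refused")


def demo():
    """Runs the gate over the constructed samples and returns the five verdicts."""
    return [
        gate_upload(SAMPLE_PNG, "png", BLOCKLIST, fake_scanner),         # accept
        gate_upload(SAMPLE_EXE_AS_PNG, "png", BLOCKLIST, fake_scanner),  # reject
        gate_upload(SAMPLE_KNOWN_BAD, "pdf", BLOCKLIST, fake_scanner),   # quarantine (hash)
        gate_upload(SAMPLE_MARKED, "jpeg", BLOCKLIST, fake_scanner),     # quarantine (scanner)
        gate_upload(SAMPLE_PNG, "png", BLOCKLIST, down_scanner),         # hold
    ]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(f"{verdict:10s} {reason}")
```

Two design points matter more than the scanner itself: the type check is done on content, so a renamed executable declared as an image is rejected before any signature lookup, and a scanner outage produces "hold" rather than "accept", so the ingress tier never silently passes unscanned files into the repository when clamd is down. Wire `gate_upload` to a real clamd by leaving the default scanner in place and pointing `sock_path` at the socket configured in clamd.conf.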
@cbkihong I'm not at liberty to provide specific info, but what I can tell you is that the malware produced a lot of traffic, triggered alarms, and was finally removed manually --- courtesy of the system administrator who had insisted that anti-malware wasn't needed on Linux.
The fact is that no platform is inherently secure. We probably encounter more cases of Windows being hit by malware because it's a more attractive target --- and something designed to exploit a vulnerability in Windows won't necessarily do the same on Linux...