Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

#1  Azure (Had an idea!), joined Oct 2005
03-10-2014, 06:26 PM

Best approach to SMB network security

So we recently ran into some problems with malware infecting our network which basically swamped everything and had our gateway anti-virus running at 90% CPU to prevent attacks.

I think I may have tracked down the computer creating the problem so everything seems fine for now but it got me thinking about our AV solution and how we look at network security.

I really like Umbrella by OpenDNS which basically blocks known malware at the DNS level from communicating with our computers, and we are looking into implementing that ASAP.

We currently use MSE for endpoint AV, but it seems like MSE has really fallen off the charts lately with detection accuracy which was actually evident as the computer infected was up to date with MSE.

Currently Bitdefender seems to be getting the best reviews from numerous different testing sources, so we are looking at that. We have about 15 computers that would need licensing and it would be pretty cost effective from what I've seen.

Does anyone currently use it? Thoughts? As the saying goes you get what you pay for, and we currently don't pay for AV with MSE. Thinking it might be worth it to buy Bitdefender for some peace of mind.

So I'm thinking set up Umbrella by OpenDNS to filter on the DNS level, and by all accounts they do a great job, and Bitdefender on the endpoints. Put that together with the Sonicwall Gateway Antivirus we currently run and we should have things more or less under control.
#2  MarchHare (Franchise Player), joined May 2004, YSJ (1979-2002) -> YYC (2002-2022) -> YVR (2022-present)
03-10-2014, 09:59 PM

FYI, MSE is only available for small businesses with up to 10 computers. Since you have 15 PCs in your organization, you shouldn't be using it anyway.
#3  Rathji (Franchise Player), joined Nov 2006, Supporting Urban Sprawl
03-10-2014, 10:00 PM

MSE is only licensed for up to 10 users and not suitable at all for a business environment. Microsoft even stated when Windows 8 came out that it should not be your first line of defense for AV.

You need a centrally managed AV solution. I have experience with Trend Micro, AVG and Symantec Endpoint Protection and all work. Something that alerts you when there is an infection, so you can perform additional scans and target hardening as required. The cost for such a solution is typically similar to non-managed options, especially considering the time involved in updating and deploying the software is reduced.

You also need a second layer of defense. Your AV appliance should be handling this but is overtaxed, so moving that load to the PC or the cloud would be a good plan. Your Umbrella solution might be a good one - I don't have any experience with it, personally, but it should work similar to MBAM's malicious website blocking, which I quite like. MBAM would be an option I would consider for sure, and CryptoPrevent, which was designed to prevent Cryptolocker, can also prevent lots of other infections as well.

Another cloud option would be aggressive spam filtering, through a service like Intel's MXLogic.

Ensuring that no user is running with administrative privileges, and locking down scripting in the browser except for required websites, will likely eliminate almost all web browser attacks and most other vectors.

You could also take steps to eliminate USB infection by disabling devices, but I find that it is more trouble than it is worth.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."

Last edited by Rathji; 03-10-2014 at 10:09 PM. Reason: fixed formatting from typing on phone
#4  GoinAllTheWay (Franchise Player), joined Apr 2003, Not sure
03-12-2014, 10:11 AM

We use managed antivirus here which I believe is the commercial equivalent to Bitdefender.

Gets the job done, nice and lightweight as we don't have the most powerful PCs here.
#5  Hack&Lube (Atomic Nerd), joined Jul 2004, Calgary
03-12-2014, 10:48 AM

Get:

- Centrally managed AV (like Trend Micro OfficeScan). Should notify you or your helpdesk by e-mail/ticket instantly when a workstation is compromised so you can take it offline immediately.

- Network design/DMZ/zoning so internet facing servers do not contain sensitive information and are protected.

- Good Firewall, Good port management

- Good policies. Manage user workstations via group policy. Restrict bad user behavior through group policy. Nobody should have admin rights.

- Up to date patching on workstation and servers. This includes patching vulnerable applications like Adobe Reader and Java, etc.

- Use the Nexpose free vulnerability scanner on all your workstations to see what exploits and kits they are completely open to attack from: https://www.rapid7.com/products/nexp...-downloads.jsp
If your users navigate to compromised sites (they don't even have to download anything), open attachments or have an infected USB, these things can exploit right away.

- Cloud based filtering (Microsoft Exchange Online Protection [used to be Forefront], MX Logic, etc.). What is your email system?

- Browser web filtering like Websense to prevent your people from going to malicious sites. Umbrella sounds good as well.

- Good backups (!!!). If you get ransom-wared through Cryptolocker, etc. you are screwed without this. Also helps if you can replace a workstation or compromised server immediately.

Last edited by Hack&Lube; 03-12-2014 at 04:00 PM.
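Two of the items above (Rathji's "no user running with administrative privileges" and Hack&Lube's "nobody should have admin rights" plus "patch vulnerable applications like Adobe Reader and Java") can be verified per workstation rather than assumed. The following PowerShell audit is an added example, not something posted in the thread or shipped by any of the products named; it assumes Windows 7 or later with PowerShell 2.0+, and the account names in $ApprovedAdmins are placeholders you replace with your own. It is read-only: it reports local Administrators membership, the installed versions of the commonly exploited third-party applications, and the age of the last Windows update, so it can be pushed out by group policy as a startup or scheduled script and its output collected centrally.

```powershell
# Added example (not from the thread): read-only workstation audit for the
# controls discussed above. Run elevated on each PC, or deploy via group policy.
# Assumptions: Windows 7+ / PowerShell 2.0+; $ApprovedAdmins is a placeholder
# allow-list that must be replaced with the accounts your organisation permits.

$ApprovedAdmins = @('Administrator', 'Domain Admins')   # placeholder allow-list

function Get-LocalAdminMembers {
    # ADSI works on every Windows version; Get-LocalGroupMember needs PowerShell 5.1+.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-InstalledSoftware {
    # Both the 64-bit and the 32-bit (Wow6432Node) Uninstall hives; Java and
    # Adobe Reader are usually registered under the 32-bit one.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

# 1. Nobody should have admin rights: flag every member not on the allow-list.
$unexpected = Get-LocalAdminMembers | Where-Object { $ApprovedAdmins -notcontains $_ }
if ($unexpected) {
    Write-Warning "Unexpected local administrators on $($env:COMPUTERNAME): $($unexpected -join ', ')"
} else {
    Write-Output "Local Administrators group contains only approved accounts."
}

# 2. Third-party patching: list the versions present so they can be compared
#    against the vendor's current release (or fed to your vulnerability scanner).
Get-InstalledSoftware |
    Where-Object { $_.DisplayName -match 'Java|Adobe Reader|Acrobat Reader|Flash' } |
    Format-Table -AutoSize

# 3. OS patching: how long since the most recent Windows update was installed.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $age = (Get-Date) - $latest.InstalledOn
    Write-Output ("Last Windows update {0} installed {1:N0} days ago." -f $latest.HotFixID, $age.TotalDays)
    if ($age.TotalDays -gt 45) { Write-Warning "No Windows update installed in over 45 days." }
}
```

The 45-day threshold is an arbitrary example value; pick whatever matches your patch cycle. Because the script only reads group membership and registry keys, it is safe to run repeatedly, and the warnings it emits are the kind of "alert so you can target hardening" signal the managed-AV recommendations above are asking for.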
#6  woob (#1 Goaltender), joined Jan 2006
03-12-2014, 10:51 AM

Quote (Rathji): "through a service like Intel's MXLogic."

All excellent advice, but had to jump in here - MXLogic is McAfee.
#7  psicodude (First Line Centre), joined Nov 2006, Calgary
03-12-2014, 11:11 AM

And McAfee is owned by Intel, so you're both correct!
#8  woob (#1 Goaltender), joined Jan 2006
03-12-2014, 11:25 AM

Quote (psicodude): "And McAfee is owned by Intel, so you're both correct!"

Had no idea. Wonder if they'll ever re-brand it? Likely not.
#9  Rathji (Franchise Player), joined Nov 2006, Supporting Urban Sprawl
03-12-2014, 11:29 AM

Quote (woob): "All excellent advice, but had to jump in here - MXLogic is McAfee."

Which is owned by Intel, and will be completely rebranded shortly as I understand.

__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
#10  Hack&Lube (Atomic Nerd), joined Jul 2004, Calgary
03-12-2014, 11:29 AM

Quote (woob): "Had no idea. Wonder if they'll ever re-brand it? Likely not."

John McAfee sure would like it if his name wasn't on the worst antivirus of all time (according to him).
#11  Rathji (Franchise Player), joined Nov 2006, Supporting Urban Sprawl
03-12-2014, 11:39 AM

Quote (Hack&Lube): "John McAfee sure would like it if his name wasn't on the worst antivirus of all time (according to him)."

Yeah, that's the context I recall learning about the rebranding, something to do with his legal troubles. I will see if I can find a link to the story. I am not sure if it will be all McAfee products or just the desktop AV line though.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
#12  FanIn80 (GOAT!), joined Jun 2006
03-12-2014, 02:45 PM

https://meraki.cisco.com/products/appliances/mx80
#13  Azure (Had an idea!), joined Oct 2005
03-12-2014, 04:39 PM

We use Office 365 for email. Blue Coat for content filtering and gateway intrusion prevention and antivirus, PLUS the Sonicwall for gateway intrusion prevention.

A bit complicated to explain why.

My problem is mostly with endpoint security.

Plus you can never have enough malware protection.