Trustworthy Computing: Learning About Threats for Over 10 Years – Part 3

In the first two parts of this series (part 1, part 2) I explored some of the ways that the threat landscape has evolved over the past decade and introduced a new special edition Microsoft Security Intelligence Report (SIR) called “The evolution of malware and the threat landscape – a ten year review.” 

Another interesting aspect of looking back at the evolution of the threat landscape is how malware infection rates of different locations around the world have trended.  The two graphs below are based on data Microsoft received from hundreds of millions of systems around the world since the first quarter of 2009 (1Q09), represented in a measure called computers cleaned per mille (CCM).

If you are interested in understanding the difference between the dashed and solid lines in the figures above please read an article I wrote called Determining the Geolocation of Systems Infected with Malware.

Each location listed has a slightly different mix of prevalent threat categories and families.  For example, a threat in the password stealers and monitoring tools category called Win32/Bancos was detected on 12.6% of systems infected with malware in Brazil in the second quarter of 2011 (2Q11); this threat isn’t in the top ten threats in any of the other locations with consistently high malware infection rates listed above – reflecting the regional nature of that particular threat. 

I often get asked how the consistently least malware infected regions maintain such low infection rates?  This is a topic that I have written about extensively in the past.  But we decided to take a closer look at Finland since it has consistently had one of the lowest malware infection rates in the world. 

I went to Finland to talk to some key ecosystem stakeholders, to share our SIR data, and learn how they maintain such low malware infection rates.  While I was there I met with a company called TeliaSonera. TeliaSonera is the largest Internet Service Provider (ISP) and largest carrier of Internet Protocol traffic in Europe.  They are the fourth largest ISP in the world with 29,000 employees serving 164 million customers.  I learned that TeliaSonera prides itself on being the “cleanest of the clean” and how the company has earned a reputation for safe computing by creating an automated monitoring and alerting system to identify infected devices, alert their owners, and quarantine the devices from the network until cleaned. 

Figure: TeliaSonera provides a complete cycle of protection for its users

In essence, TeliaSonera monitors traffic on their network for signs of infection, and if malware is detected the impacted customer is notified while their system is isolated to a “walled garden” until it has been cleaned of malware. Once the infected device has been cleaned, it is allowed back on the network. 

The real innovation here is that TeliaSonera automated this process to reduce the costs associated with manually contacting customers and increase how quickly they could contain and control malware outbreaks on their network; this work has greatly enhanced TeliaSonera’s service level and reputation with its customers. According to Arttu Lehmuskallio, a Security Manager on TeliaSonera’s Computer Security Incident Response Team, “just as we had one person create the application, it takes only one person to manage the monitoring and alerts.  A process that required 45 minutes to handle manually in the past was automated so that one person could handle the same procedure at the rate of 500 an hour.”      

There are a few best practices that TeliaSonera recommends other ISPs consider when looking to improve the health of their networks:

  • Create your own solution: while TeliaSonera freely shares its solution with others, it suggests that organizations create their own internal application so that it specifically meets their needs.
  • Monitor: as a first step the application should provide automated monitoring of network activity and other elements to detect the presence of malicious code.
  • Alert: TeliaSonera believes it is essential that users be notified when an infection is detected so they can take actions to safeguard their own resources, as well as remediate the problem to protect the health of the network. The company has found that the alerts also serve an educational purpose, making users more cautious about opening attachments or clicking on unknown links.
  • Contain: the company advises others to adopt its practice of isolating infected devices from the network until they have been remediated to protect other network users and to enhance the overall health of the Internet.
  • Encourage third-party remediation: TeliaSonera has consciously decided to leave plenty of room for third-party resources to provide remediation services. Once TeliaSonera alerts a device owner, the company doesn’t care who provides the disinfecting services. “We didn’t want to be in the position of alerting a device owner to a problem and then charging them to fix it,” Lehmuskallio says. “The customer can work with whomever they like to resolve the issue.”
  • Verify remediation: after remediation, the customer rejoins the network. If infection is still present, the problem is automatically flagged again.
  • It’s a journey, not a destination: as long as the threat landscape continues to evolve, so will the need to continue refining how to keep networks clean. But taking that first step on the journey is essential. TeliaSonera started its monitoring activities with manual methods some years earlier. When the company decided to automate, it simply looked at what tasks required the most time to do manually and then created the code to automate those processes.

TeliaSonera’s efforts as an ISP protecting users from malware represents an innovative step toward creating safer, more trusted Internet experiences for everyone. It struck me that the way TeliaSonera was keeping its networks clean from malware was very similar in some ways to the Internet health model that Scott Charney, Corporate Vice President of Trustworthy Computing at Microsoft, proposed in a paper he published in 2010 called Collective Defense – Applying Global Health Models to the Internet.

We worked with TeliaSonera to develop a case study outlining their approach to maintaining the cleanest network in the cleanest region of the world, and its benefits.  I invite you to read the case study: European Telecom Uses Microsoft Security Data to Remove Botnet Devices from Network.

Tim Rains
Director
Trustworthy Computing
 

About the Author
Tim Rains

Director, Trustworthy Computing

Tim Rains has over 20 years of experience in the technology industry across several disciplines including engineering, consulting, and marketing communications roles. He currently manages security marketing and corporate communications in the Trustworthy Computing division at Microsoft. His expertise ranges Read more »