A friend of mine sent me this link recently about some researchers at UC Santa Barbara who took control of a botnet for 10 days earlier this year. I'd seen the report but never read the entire thing (http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf). He indicated that his company had been affected by a similar problem and had suffered a leakage of data. This got me thinking about the principle of defense in depth.
Our information technology ecosystems are complex. There's no getting around that fact. As we build more functionality into them, we're loading the gun of our adversaries with ammunition to shoot right back at us. Trying to defend against an attack using only one defense mechanism is bound to fail. My dad was a career Navy man. I remember asking him one day why the aircraft carrier he was attached to had a "strike group" surrounding it. His explanation was…you guessed it…defense in depth. The submarines, destroyers and frigates that sailed with it were layers of defense to protect the carrier. Each had its own mission, which overlapped with those of the other ships. This created a mesh for miles around the carrier, designed to identify, intercept and, if needed, destroy any threat to the carrier. Should any of these defense layers not be deployed, there would be a gap or weakness in that mesh of security.
Companies often decide to deploy only one layer of security, targeting the specific threats they see as high probability. These companies often find themselves in a world of hurt: if that single end node is compromised, there is nothing to stop the trouble that is sure to follow.
If you rely solely on desktop malware protection, then at least monitor your outbound traffic logs for inconsistencies such as lots of traffic to a single IP or domain, spikes in traffic during off-peak hours, etc. That way you'll at least know you have a problem and can begin to plan your response. Better yet…layer up your defenses at the network perimeter, the interior network core and then at the end node. Hopefully, through a layered approach, you'll be able to identify, intercept and destroy any threats before they even come close to your data.
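As an added example (not from the original post), here is a small Python script that runs the two checks just described over constructed outbound log lines: unusually high volume to one destination, and traffic that happens mostly outside business hours. The log format, host names, addresses, business hours and thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample outbound log lines: timestamp, source host, destination, bytes out.
# Format and values are made up for this example; adapt parse_line() to your own logs.
SAMPLE_LOG = """\
2009-06-01T09:14:02 ws-17 203.0.113.10 1200
2009-06-01T10:03:51 ws-22 198.51.100.5 800
2009-06-01T02:11:09 ws-17 203.0.113.10 48000
2009-06-01T02:12:44 ws-17 203.0.113.10 51000
2009-06-01T03:30:17 ws-31 203.0.113.10 47000
2009-06-01T14:20:00 ws-05 198.51.100.5 950
2009-06-01T22:45:31 ws-17 203.0.113.10 46000
"""

BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 counts as on-peak (assumption)

def parse_line(line):
    ts, host, dest, nbytes = line.split()
    return datetime.fromisoformat(ts), host, dest, int(nbytes)

def summarize(log_text):
    """Aggregate outbound bytes per destination, tracking the off-peak share and source hosts."""
    stats = defaultdict(lambda: {"bytes": 0, "off_peak_bytes": 0, "hosts": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, nbytes = parse_line(line)
        s = stats[dest]
        s["bytes"] += nbytes
        s["hosts"].add(host)
        if ts.hour not in BUSINESS_HOURS:
            s["off_peak_bytes"] += nbytes
    return stats

def flag_destinations(log_text, volume_threshold=100_000, off_peak_ratio=0.8):
    """Return destinations that look inconsistent: too much volume, or mostly off-hours traffic.
    Thresholds are assumptions; tune them against a baseline of your own normal traffic."""
    flagged = {}
    for dest, s in summarize(log_text).items():
        reasons = []
        if s["bytes"] >= volume_threshold:
            reasons.append("high volume: %d bytes from %d host(s)" % (s["bytes"], len(s["hosts"])))
        if s["bytes"] and s["off_peak_bytes"] / s["bytes"] >= off_peak_ratio:
            reasons.append("off-peak share %.0f%%" % (100 * s["off_peak_bytes"] / s["bytes"]))
        if reasons:
            flagged[dest] = reasons
    return flagged
```

Calling `flag_destinations(SAMPLE_LOG)` flags only 203.0.113.10 (both high volume and almost entirely off-peak), which is the kind of lead that tells you to start planning a response.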