Via InfoSec Handlers Diary Blog – Egress Filtering? What – do we have a bird problem?, a very good article on getting started in egress filtering.
One of the major tools that we have in our arsenal to control malware is outbound filtering at firewalls and other network “choke points”. Over the years, it’s become obvious that “enumerating badness” on the internet is next to impossible; it’s generally much easier to enumerate “known good” traffic and simply deny the rest as bad, or at least suspect. Often the management response is “we trust our people”, but that’s not really the point. While maybe you can trust all of your people, you can’t trust the malware they may have, or all the links they might click. But let’s be honest: it’s likely that you can’t trust all of your people to never install a bittorrent client or some other higher-risk program.
When you know what legitimate traffic is leaving your organization, you can watch for the bad stuff.
And even beyond that, you want to know what legitimate traffic is leaving your organization, right?
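To make the “enumerate known good, deny the rest” idea concrete, here is an added example (not code from the ISC diary or from this post) that evaluates an allow-list egress policy over flow records. The network layout, hosts, subnets and flow records are all constructed for illustration: workstations may only talk to an internal resolver and a web proxy, and only the resolver, the proxy and the mail relay are allowed to reach the Internet directly. Everything else that tries to leave is the “bad stuff” you want to watch for.

```python
"""Allow-list ("known good") egress policy evaluated over flow records.

Added example for this post, not the diary's own code. All addresses and
flows are constructed (RFC 5737 documentation ranges for the Internet side).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    proto: str                            # "tcp" or "udp"
    dports: frozenset                     # permitted destination ports
    dst: Optional[IPv4Network] = None     # None means "any destination"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Assumed layout (constructed for this example).
INTERNAL = ip_network("10.0.0.0/8")       # everything behind the choke point
CLIENTS = ip_network("10.1.0.0/16")       # user workstations
RESOLVER = ip_network("10.0.0.53/32")     # internal DNS resolver
PROXY = ip_network("10.0.0.80/32")        # outbound web proxy
MAIL = ip_network("10.0.0.25/32")         # outbound mail relay

# The whole "known good" list. Note that there is no rule letting a
# workstation reach the Internet directly: that is the point.
POLICY = [
    Rule("clients-dns", CLIENTS, "udp", frozenset({53}), RESOLVER),
    Rule("clients-proxy", CLIENTS, "tcp", frozenset({3128}), PROXY),
    Rule("resolver-out", RESOLVER, "udp", frozenset({53})),
    Rule("proxy-out", PROXY, "tcp", frozenset({80, 443})),
    Rule("mail-out", MAIL, "tcp", frozenset({25})),
]


def match(flow: Flow, rule: Rule) -> bool:
    """True if the flow is fully explained by this allow rule."""
    if ip_address(flow.src) not in rule.src:
        return False
    if flow.proto != rule.proto or flow.dport not in rule.dports:
        return False
    if rule.dst is not None and ip_address(flow.dst) not in rule.dst:
        return False
    return True


def evaluate(flows, policy=POLICY):
    """Classify each flow as ('local', None), ('allow', rule) or ('deny', None).

    Flows that never leave INTERNAL are not egress and are only reported as
    'local'; every egress flow with no matching known-good rule is denied.
    """
    results = []
    for f in flows:
        if ip_address(f.dst) in INTERNAL:
            results.append((f, "local", None))
            continue
        rule = next((r.name for r in policy if match(f, r)), None)
        results.append((f, "allow" if rule else "deny", rule))
    return results


def denied(flows, policy=POLICY):
    """The watch list: egress flows that no known-good rule explains."""
    return [f for f, verdict, _ in evaluate(flows, policy) if verdict == "deny"]


# Constructed flow records: a workstation doing what it should (via the
# resolver and proxy), plus the kinds of direct egress that malware and
# "higher-risk programs" produce.
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "10.0.0.53", "udp", 53),       # client -> resolver
    Flow("10.0.0.53", "198.51.100.10", "udp", 53),   # resolver -> Internet
    Flow("10.0.0.80", "203.0.113.7", "tcp", 443),    # proxy -> Internet
    Flow("10.1.5.20", "203.0.113.7", "tcp", 443),    # client bypassing proxy
    Flow("10.1.5.20", "192.0.2.53", "udp", 53),      # client doing its own DNS
    Flow("10.1.7.9", "203.0.113.99", "tcp", 6881),   # bittorrent-style port
    Flow("10.0.0.25", "203.0.113.25", "tcp", 25),    # mail relay -> Internet
    Flow("10.1.5.20", "203.0.113.7", "tcp", 4444),   # client to an odd port
]

if __name__ == "__main__":
    for f, verdict, rule in evaluate(SAMPLE_FLOWS):
        print(f"{verdict:5} {rule or '-':14} {f.src:>11} -> {f.dst}:{f.dport}/{f.proto}")
```

Run as a script it prints one verdict per flow; the four `deny` lines are exactly the traffic a default-deny egress rule would block and that the log line for that rule should make visible. Mapping this onto a real firewall is the same shape: one permit rule per `Rule` above, then a final log-and-drop for everything else.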