Analyzing the finer details of past threats can provide insights into the lifecycle of malware and where new threats may emerge, say experts
Good intelligence has long been a decisive factor in the battle against malware. But with threats multiplying exponentially, analyzing information may become just as important as gathering it.
What the future holds for anti-malware is an open question. Signature-based file scanning, the most common method of dealing with infections in the past, is becoming less effective due to the sheer volume of malware produced. But for lack of a better strategy, many enterprise antivirus products still rely on it to a large extent.
Things are changing, however. Antivirus vendors are beginning to realize that to stay ahead of the bad guys (or at least, not too far behind), it’s necessary to look deeper into what malware is doing and where it came from, and hopefully, predict where it might spring up in the future.
Dave Millier, CEO of Sentry Metrics, a Toronto-based security consulting firm and managed services provider, says that many vendors are no longer focusing on the threats coming in “one at a time” and are starting to collect the data and look at wider trends over time. The technology that makes this possible is relatively new, he says.
“You’re seeing more data collection happening at the network level, where you’re trying to use a lot of information from a security point that we didn’t used to be able to use.”
One of the vendors he works with is Sourcefire Inc., a company that has begun to view malware as fundamentally a “big data” problem. Sourcefire recently came out with a cloud-based enterprise security product called FireAMP, which widens the security net by looking at “fuzzier” malware signatures and broader global patterns for suspicious activity. FireAMP also uses what Sourcefire calls “machine learning” to model what potential threats may look like.
Significantly, FireAMP is able to take a retrospective look at what occurred during an outbreak across a network, a capability that can be important not just for corporate security purposes, but also for legal reasons.
“We’ve focused very heavily on turning our cloud-based platform into what I like to call a flight recorder for the endpoint,” says Oliver Friedrichs, senior vice president of Sourcefire’s cloud technology group. “We’re essentially recording file activity across your endpoints to be able to store a tamper-proof record of file activity in the cloud.”
With FireAMP, he says, connectors are installed at the endpoint to send data to the cloud whenever a user installs or executes applications.
“In the future, if there is a breach, we can tell you how that threat actually got in, where it went, who patient zero was, for example, the very first person who got infected, and where that threat actually spread and how much damage was caused.”
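The “flight recorder” idea described above, as an added illustration that is not Sourcefire’s or FireAMP’s code: an append-only, hash-chained log of endpoint file-execution events (so edits or deletions are detectable) and the retrospective query that names patient zero and the order in which hosts first saw a file once its hash is known to be bad. The hosts, users, timestamps, parent process names and the `BAD` hash are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry

class FlightRecorder:
    """Append-only log of endpoint file events (host, user, file hash, parent process);
    each entry commits to the digest of the one before it."""
    def __init__(self):
        self.entries, self.prev_digest = [], GENESIS

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, ts, host, user, sha256, parent):
        entry = {"ts": ts, "host": host, "user": user, "sha256": sha256,
                 "parent": parent, "prev": self.prev_digest}
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)
        self.prev_digest = entry["digest"]

    def verify(self):
        """Recompute the chain; an edited, removed or reordered entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["digest"]:
                return False
            prev = e["digest"]
        return True

    def trace(self, bad_sha256):
        """Retrospective view once a hash is known bad: patient zero and spread order."""
        first_seen = {}  # each host's earliest sighting of the file
        for e in sorted(self.entries, key=lambda e: e["ts"]):
            if e["sha256"] == bad_sha256:
                first_seen.setdefault(e["host"], e)
        order = sorted(first_seen.values(), key=lambda e: e["ts"])
        return None if not order else {
            "patient_zero": order[0]["host"], "first_user": order[0]["user"],
            "spread": [(e["host"], e["ts"], e["parent"]) for e in order]}

BAD = "a" * 64  # constructed placeholder for a hash that is later flagged as malicious

def build_sample_recorder():
    # Constructed events: BAD runs on three hosts (twice on ws-12), plus one benign file.
    rec = FlightRecorder()
    rec.record("2012-03-01T09:00:00Z", "ws-07", "alice", BAD, "outlook.exe")
    rec.record("2012-03-01T09:05:00Z", "ws-07", "alice", "b" * 64, "explorer.exe")
    rec.record("2012-03-01T09:20:00Z", "ws-12", "bob", BAD, "explorer.exe")
    rec.record("2012-03-01T10:00:00Z", "srv-01", "svc", BAD, "services.exe")
    rec.record("2012-03-01T11:00:00Z", "ws-12", "bob", BAD, "explorer.exe")
    return rec
```

Calling `build_sample_recorder().trace(BAD)` names `ws-07`/`alice` as patient zero and lists the hosts in first-seen order; changing any stored field makes `verify()` return False.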
Another anti-malware vendor, Trend Micro Inc., is also investing in new intelligence capabilities, powering its infrastructure with the cloud and the strength of its online community. Tom Moss, director of products and services at Trend Micro in Canada, describes it as a “fight fire with fire strategy.”
“As much as the botnet controllers are kind of using the cloud or using the Internet to control large numbers of machines,” he says, “we use the network of machines that our customers have to collect intelligence about how malware is behaving, who it’s trying to communicate with.”
Here again, the data is collected for later analysis. Trend Micro runs a sort of background check on the source of the infection, he says: “Where was that domain registered? What other domains has that person ever registered? How often is the address associated with that domain changing?”
Millier says that while analytics is becoming a part of the fight against malware, the IT security industry faces the same big data challenges as everyone else. Bringing large amounts of data into one place for closer scrutiny is a sound strategy, he says, but it’s difficult to perform meaningful analysis on a mass of raw information.
“In order to be able to trigger on it effectively, in order to be able to search through it effectively, it really does need to be indexed and it needs to be sorted,” says Millier. “And so you lose that flexibility with the idea of unstructured.”
Millier says that overall, the various tools we’re using to gather and analyze security data have improved considerably in recent years. The depth and breadth of the intelligence is far greater.
“You’re getting a much better idea of what’s actually happening across the network. You’re seeing it at the system level, you’re seeing it at the network level, you’re seeing it at the firewall, even at the application level. And so the idea of being able to identify threats faster is certainly better.”