Advanced Malware Identification

After having been at a vendor for a zillion years I have enjoyed allowing my formerly rigid perspective be changed based upon what I learn from so many new security entrants. The job of corporate security is so large that obviously no single solution can do handle all. I feel we (MTP) are uniquely privileged in that we are directly exposed to what most firms are doing, and we can then construct a constellation of services that complement and magnify each other.

In the malware identification space (sandboxes – the rest is unproven and/or unreliable), the decision vectors are clearer than in most areas. Which traffic is analyzed is a big deal. The dominant player in the market is without a doubt Fireeye. Fireeye itself discards most traffic from inspection in favor of those flows it feels are most likely to contain evil. Further, Fireeye is typically deployed at the DMZ/gateway, there by focusing on North-South or ingress-egress traffic. This makes sense.

In our description of the security constellation we make the important point that the most dangerous malware is often already resident on a network (Fireeye has estimated that >95% of all networks are already infested). Either Fireeye was too expensive or not considered, or it got through Fireeye, or it was there before Fireeye.

Regardless, its there, it now travels East-West with impunity, and is the most grave of corporate threats. We have come to the opinion that we simply need to inspect East-West interior traffic, and we need to avoid the pitfalls of the most common sandbox technologies. That is why we have embedded an SDN based monitoring infrastructure, enabling us to capture and filter all East-West traffic (in addition to North-South). Further, we can control what traffic is analyzed and what is allows to pass uninspected. The breadth of inspection and control of selection is important.

When we evaluate sandbox technologies, we ask the following questions:

1) If I deploy in the interior (East-West), what are the cost implications?

2) What traffic do you analyze in a sandbox and what traffic to you ignore?

3) Do you instrument hypervisors or build an emulator? Why?

4) What is the ratio of throughput to cost?

5) What is the best architecture to amass a farm of sandboxes?

6) If nefarious black-hats discuss your solution on Youtube (or elsewhere) describing how to defeat your technology, have you ameliorated the resistance to the exposed techniques, and if not, when do you expect this to happen (check Youtube before asking).

7) What is the best architecture for pervasive sandbox coverage? How do we best deploy at scale affordably?

8) How do I address infections which have happened before we installed your technology?

9) What other technologies best complement yours?

When you understand why we are asking these specific questions, you will understand how best to deploy this fantastic technology to benefit your organization, and why we have made the decisions we have made for the adaptive security constellation.

Dave Butler

About the Author

Leave a Reply


captcha *