Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/11/2009
11:14 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Rollout: How Much Is Bot Detection Worth To You?

Damballa's appliance shows promise, but it still has a lot of ground to cover.

Tests In Traffic
To ensure that the appliance was monitoring our traffic, we began with some simple activities. The Damballa appliance can track the number of binary files downloaded, so we thought this would be a good test of monitoring ability. We downloaded several binary files, including the Windows-based Putty SSH client and the Windows-based uTorrent BitTorrent client. Both of these files were marked as malware and reported back to Damballa. This proved the appliance was in fact monitoring our traffic, but also that there's room for improvement in the analysis of binaries.

Next, we decided to test real command-and-control traffic. The appliance was moved to one of our isolated test networks where we sneaked infected bot files onto our test hosts through a back channel to ensure that the appliance could not see them. Once loaded, we let the malware connect to its handlers to receive commands. The appliance was able to detect this activity and report the host that was compromised. If this were the real world, our IT staff could now be dispatched to clean the infected host and perform a postmortem.

Unfortunately, that's all that can be done. As of Failsafe 3.0, there are no threat-blocking, mitigation, or remediation features. Once a system is found to be infected, staff should race to clean it and hope other controls have stopped sensitive information from leaving the company. Damballa is quick to point out that a proper security posture is made up more than one single control, and its approach seems to be to rely on other controls to stop the threat.

At $100,000 for the privilege of monitoring 10,000 nodes, the product is lacking in the return-on-investment department when compared with offerings from Blue Coat Systems, McAfee, Mi5 Networks, Symantec, and others.

Damballa is hyperfocused on the threat of bots, and thus in theory should be able to detect these threats faster than other products. This may be worth a premium to some organizations, but for others, a more common approach to virus, malware, and bot detection and prevention may be a better fit -- especially those that can't afford the price of Damballa plus other protection systems.

It's worth noting that Damballa realizes the ability to block, whether automated or manual, and host cleaning are features worth pursuing. This product works as advertised, but has a high price tag and is in its early stages.

Adam Ely is senior manager of technology at a Fortune 100 company and a frequent contributor to InformationWeek.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10940
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
CVE-2020-10939
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
CVE-2020-6095
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
CVE-2020-10817
PUBLISHED: 2020-03-27
The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.
CVE-2020-10952
PUBLISHED: 2020-03-27
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.