To ensure that the appliance was monitoring our traffic, we began with some simple activities. The Damballa appliance can track the number of binary files downloaded, so we thought this would be a good test of monitoring ability. We downloaded several binary files, including the Windows-based Putty SSH client and the Windows-based uTorrent BitTorrent client. Both of these files were marked as malware and reported back to Damballa. This proved the appliance was in fact monitoring our traffic, but also that there's room for improvement in the analysis of binaries.
Next, we decided to test real command-and-control traffic. The appliance was moved to one of our isolated test networks where we sneaked infected bot files onto our test hosts through a back channel to ensure that the appliance could not see them. Once loaded, we let the malware connect to its handlers to receive commands. The appliance was able to detect this activity and report the host that was compromised. If this were the real world, our IT staff could now be dispatched to clean the infected host and perform a postmortem.
Unfortunately, that's all that can be done. As of Failsafe 3.0, there are no threat-blocking, mitigation, or remediation features. Once a system is found to be infected, staff should race to clean it and hope other controls have stopped sensitive information from leaving the company. Damballa is quick to point out that a proper security posture is made up more than one single control, and its approach seems to be to rely on other controls to stop the threat.
At $100,000 for the privilege of monitoring 10,000 nodes, the product is lacking in the return-on-investment department when compared with offerings from Blue Coat Systems, McAfee, Mi5 Networks, Symantec, and others.
Damballa is hyperfocused on the threat of bots, and thus in theory should be able to detect these threats faster than other products. This may be worth a premium to some organizations, but for others, a more common approach to virus, malware, and bot detection and prevention may be a better fit -- especially those that can't afford the price of Damballa plus other protection systems.
It's worth noting that Damballa realizes the ability to block, whether automated or manual, and host cleaning are features worth pursuing. This product works as advertised, but has a high price tag and is in its early stages.
Adam Ely is senior manager of technology at a Fortune 100 company and a frequent contributor to InformationWeek.