Hunting for Hidden Infections – Detecting the Undetectable
Today's persistent threats and network breaches are driven by modern malware infections that easily evade detection by traditional signature-based endpoint solutions. The malware-infected device then communicates with criminal operators using techniques that imitate a legitimate user to evade detection by traditional network security solutions designed to prevent obvious illegitimate traffic. Damballa Failsafe is the only solution specifically designed to automatically detect criminal network communication behavior, analyze zero-day and targeted malware, correlate the forensic evidence to pinpoint live infections, identify the nature of the threat and the criminal operator, and terminate the communication to stop data theft.
"Damballa Failsafe has never failed to detect unknown threats and hidden infections in corporate networks," said Stephen Newman, vice president of product management for Damballa. "Our ability to correlate multiple behavioral indicators to rapidly and accurately pinpoint hidden infections is unequaled in the market. We now offer real-time malware analysis as additional forensic evidence that contributes to the threat conviction scores for threats identified on infected devices."
"There are products available today that analyze 'malware in motion,' but they do so by analyzing the malware in a sandbox within the customer's network," added Newman. "There are obvious limitations inherent with running captured malware samples live within a targeted organization. Damballa Failsafe overcomes these limitations by performing the malware analysis in the cloud, outside of the targeted company's network."
The Power of Cloud-based Malware Analysis
The malware analysis feature in Damballa Failsafe 5.0 utilizes cloud-based dynamic malware analysis, which occurs at Damballa Labs in real-time. Customers can opt to automatically submit all suspicious files for analysis, or selectively submit files as desired. A cloud-based approach offers many advantages over in-network malware analysis technologies:
- Malware analysis is conducted in 'dirty' (anonymous, non-production) networks with Internet access: Much of today's malware is 'Internet aware' and won't execute without Internet access or will act 'benign' to fool analysts. Letting the malware complete its initial beaconing allows Damballa to gain further intelligence regarding subsequent downloads and command-and-control behavior.
- Multiple inspection and analysis techniques, tools and resources: Much of today's malware will not execute if it detects a virtual machine or sandbox. With Damballa Failsafe 5.0, suspicious files undergo multiple inspection and analysis techniques including bare-metal platforms.
- Unlimited processing capacity, no need for box upgrades: Unlike in-network technology, which can have difficulty handling the traffic and corresponding level of malware to analyze, cloud analysis provides unlimited processing capacity.
- Constant, real-time updates on malware information: Using a cloud-based approach, customers receive real-time updates as new threat intelligence is discovered. With an in-network approach, suspicious files are analyzed once and the behaviors archived.
- Adding analysis techniques and tools without appliance or software upgrades: Damballa can continue to add malware 'gaming' or analysis and scanning options without requiring any change to the customers' installation. With an in-network approach, any significant change to how the malware is analyzed requires an upgrade to the on-premise appliance and/or software.
"Malware analysis and malware reverse engineering have been a staple of Damballa Labs since our inception in 2006," said Gunter Ollmann, vice president of research for Damballa. "It is fundamental to our research as we profile criminal command-and-control and for threat attribution to criminal operators. We are now applying this capability, in real-time, to our customer implementations of Damballa Failsafe. Malware analysis is now one more piece of evidence we automatically harvest and correlate to hunt for infected devices and detect zero-day or targeted attacks. It also provides our customers with additional insight into how infections occur when the device is within their corporate network, which can assist them with improving their security posture and improving user behavior."
The new malware analysis capability is included in Damballa Failsafe 5.0 at no additional fee and is a simple upgrade for existing customers. For a demonstration of Damballa Failsafe 5.0, visit http://www.damballa.com/solutions/demo_load.php.
About Damballa
Damballa is a pioneer in the fight against cybercrime. Damballa provides the only network security solution that detects the remote control communication that criminals use to breach networks to steal personal and intellectual information, and conduct espionage or other fraudulent transactions. Patent-pending solutions from Damballa are platform and system-agnostic, protecting networks with any type of device including PCs, Macs, smartphones, as well as mobile and embedded systems. Damballa customers include Fortune 1000 companies, Internet and telecommunications service providers, government agencies and educational organizations. Privately held, Damballa is headquartered in Atlanta. http://www.damballa.com