The Malware Threat Today’s Businesses are Ignoring and How Damballa Failsafe Fits In

Malware is no doubt one of the most misunderstood threats to business. Perhaps it’s related to the fact that – like the human virus counterpart – malicious code is out of sight and therefore out of mind. In many respects, telling management that something needs to be done about malware on the network is like telling a toddler to keep his hands out of his mouth while shopping at the mall. They can’t see the infection, but they also can’t comprehend the consequences. They simply don’t get it. 

Contrary to popular perception, a “preventative” approach isn’t always what’s needed to keep malware at bay, especially zero-day exploits. In many instances, malware has already taken a foothold so it’s a matter of responding in a mature and methodical fashion in order to get things back in order.

Having worked on projects involving command and control malware that had infected thousands of computers in a targeted attack, I've seen how ugly things can get when malware goes undetected and is improperly handled in the enterprise. The reality is that you can implement what would otherwise be considered “solid” security controls all day long and your network will still not be impervious to command-and-control and advanced persistent threat (APT) style attacks using zero-day malware. This is especially true given how simple it is to trick users into clicking malicious links and opening infected files.

We often have a general false sense of security because our traditional security controls are reporting that all’s well. Log monitoring and event correlation can’t put all the pieces together. Patch management, strong passwords and security awareness training aren’t enough by themselves either. Perhaps most importantly, traditional anti-virus and anti-spyware are often not enough to protect the enterprise from advanced malware threats.

Enter Atlanta, Georgia-based Damballa. Having been around since 2006 – a time before command-and-control malware was cool and APTs weren’t even being discussed – Damballa has been fine-tuning its advanced persistent threat detection product to address this problem. An appliance-based solution, Damballa Failsafe uses sensors to monitor network traffic for anomalies and infections which, in turn, report back to a management console for visibility, control and termination of advanced malware as it propagates.

Damballa Failsafe looks across the entire malware/APT infection cycle as follows:

  • The initial dropper being downloaded via a malicious Web link or email attachment
  • The updater and download process reaching out to grab the actual malware
  • The communication of installation status and sensitive information off the victim system
  • The ongoing command and control communication process that can last indefinitely

Damballa Failsafe correlates deep packet inspection of all Internet traffic across egress points, proxies and DNS, looking for suspicious behaviors that indicate advanced malware infections. Specifically, the technology determines whether the traffic is suspicious, the destination is shady or the behavior is automated – three things that can indicate systems infected with known or zero-day malware. Since it monitors network traffic rather than specific endpoints, Damballa Failsafe can detect infected systems across the board, from Windows to Mac OS to iPads and smartphones. That is a big advantage over endpoint-centric controls, because if you're not protecting every type of system you have some residual – and unnecessary – risk that needs to be addressed.
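To make the “automated behavior” and “shady destination” signals above concrete, here is an added example of my own (not Damballa's code) that scores machine-regular connection timing and checks destinations against a reputation list over a constructed proxy log; the log lines, the domain list and the 0.1 regularity threshold are all assumptions.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real data): "timestamp src_ip dest_host".
# 10.0.0.5 calls home exactly once a minute; 10.0.0.9 browses at human pace;
# 10.0.0.7 makes one request to a domain on the reputation list.
SAMPLE_LOG = """\
2012-03-01T09:00:00 10.0.0.5 cdn-sync.example.org
2012-03-01T09:00:03 10.0.0.9 news.example.com
2012-03-01T09:00:41 10.0.0.9 news.example.com
2012-03-01T09:01:00 10.0.0.5 cdn-sync.example.org
2012-03-01T09:02:00 10.0.0.5 cdn-sync.example.org
2012-03-01T09:02:15 10.0.0.9 news.example.com
2012-03-01T09:02:30 10.0.0.7 update-check.example.net
2012-03-01T09:03:00 10.0.0.5 cdn-sync.example.org
2012-03-01T09:03:50 10.0.0.9 news.example.com
"""
BAD_DOMAINS = {"update-check.example.net"}  # placeholder; real lists come from threat intel


def parse_log(text):
    """Turn each log line into (timestamp, src_ip, dest_host)."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        records.append((datetime.fromisoformat(ts), src, dst))
    return records


def beacon_regularity(timestamps):
    """Coefficient of variation of the gaps between connections (0.0 = perfectly
    regular, i.e. machine-driven). None when there are too few connections to judge."""
    if len(timestamps) < 4:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    return pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else None


def find_suspect_hosts(records, bad_domains=BAD_DOMAINS, max_cv=0.1):
    """Map src_ip -> list of (dest_host, reasons) for conversations worth triage."""
    by_pair = {}
    for ts, src, dst in records:
        by_pair.setdefault((src, dst), []).append(ts)
    findings = {}
    for (src, dst), stamps in by_pair.items():
        reasons = []
        if dst in bad_domains:
            reasons.append("known-bad destination")
        cv = beacon_regularity(stamps)
        if cv is not None and cv <= max_cv:
            reasons.append("machine-regular beaconing")
        if reasons:
            findings.setdefault(src, []).append((dst, reasons))
    return findings
```

A real deployment would also weigh payload anomalies and DNS behaviour (the page's “suspicious traffic” signal) before raising a conviction, since legitimate software updaters also poll on a timer.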

The big new feature of Damballa’s recently-released Failsafe 5.0 is its cloud-based malware analysis. Suspicious Windows executables and PDF files are picked off the wire and then sent to Damballa Labs for dynamic analysis. Rather than just alerting to potential infections, all of this information is analyzed automatically so you don’t have to correlate log events and determine infections manually. Assets and victim systems are then given “Risk Factor” and “Threat Conviction Scores” that prioritize the systems requiring attention. Instead of producing reactive alerts to problem areas, Damballa Failsafe provides actionable intelligence on how to best respond.

Left ignored, the malware problem can grow from a mere “viral infection” to a cancer on your network that you can’t ignore. Don’t wait until it’s too late. One vendor’s technology – Damballa or otherwise – isn’t the silver bullet for managing all of your information risks but it’s certainly a critical piece of the puzzle to help fight this threat that we can’t seem to get our arms around. Damballa’s technology is certainly worth checking out. Damballa Failsafe or not, just do something. This issue isn’t going away.
