New tools can detect hidden malware

We tested new security appliances from Damballa, Lancope and LightCyber that are designed to detect the latest cyber-attacks.


We tested new security appliances from Damballa, Lancope and LightCyber that are designed to detect the latest cyber-attacks by monitoring network traffic and identifying when a piece of malware is communicating back to its command and control center. (Read the full review here.)


Damballa Failsafe

The Damballa Failsafe product was the easiest to use, had the best user interface and would be the quickest to deploy, an important consideration if an organization suspects that its network has already been compromised. Here, the Damballa Failsafe executive report shows at a glance everything of concern that happened in the test network during the evaluation period. Widgets showing other information can be dragged and dropped onto the interface.


Damballa Failsafe

Individual assets that Failsafe has identified as infected can be examined more closely, including a complete time-stamped evidence trail showing why a system generated an alert. In addition to identifying suspicious activity, the MD5 hashes of all malware programs are recorded so that the same samples can be eliminated across an entire network, not just on the computer where the infection is active.


LightCyber Magna

LightCyber Magna proved a perfect tool for detecting hidden threats that are trying to find specific data inside a network or elevate their privileges. It can also be useful in identifying insider threats. The main dashboard of the Magna interface shows all suspected and suspicious hosts at a glance, as well as how many have already been cleaned.


LightCyber Magna

Here Magna has identified suspicious lateral movement within a network that might indicate attackers attempting to branch out or elevate credentials before launching a full attack. Most perimeter defense programs would not care about traffic already within a network, which is why so many advanced persistent threats remain hidden for so long. Every incident of concern within a monitored network is explained to investigators, which helps humans determine whether a suspicious process is legitimate or part of an attack.


Lancope StealthWatch

Lancope StealthWatch provided the most detail about the communications going on within a network and the relationships between groups and devices, making it a useful tool for purposes beyond security, such as network optimization or even capital planning. The top-level StealthWatch interface looks rather intimidating at first. However, almost every element in the program is clickable, making it easier to drill down into problems than it would at first appear.


Lancope StealthWatch

The concern index panels tab is probably where security teams will spend much of their time. All suspicious activity generates demerit points that increase a system's concern index, making it easy to spot the most dangerous threats. StealthWatch provides a very granular view of all network traffic. If an organization suspects that a trusted insider is doing bad things, a single click shows all of their activity in great detail. Relationships between users, groups and devices can also be mapped out and defined by StealthWatch, which can be a big help for organizations trying to meet compliance or regulatory requirements around communications.
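The three behaviours the review keeps returning to, a host checking in with its command and control server on a fixed schedule, a host fanning out across internal peers, and a per-host "concern index" that accumulates demerit points, can be illustrated with a small scorer over flow records. The following is an added example written for this page, not code from Damballa, Lancope or LightCyber: the point values, the coefficient-of-variation test for beaconing, the admin-port list and the sample flows are all constructed assumptions chosen to make the idea concrete, and none of it reflects how any of the reviewed products actually compute their scores.

```python
"""Toy concern-index scorer over constructed flow records (added example).

Two detectors feed a per-host score:
  * beacon_score  - outbound flows to one external host at suspiciously
                    regular intervals (the C2 check-in pattern)
  * lateral_score - one internal host reaching many internal peers on
                    administrative ports (the lateral-movement pattern)
Thresholds and point values are illustrative assumptions only.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    nbytes: int

# Assumed admin/remote-management ports for the lateral-movement check
ADMIN_PORTS = {22, 135, 445, 3389, 5985}
# RFC 1918 space is treated as "inside"; documentation ranges such as
# 203.0.113.0/24 are used below as stand-ins for external addresses.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)

def beacon_score(times, min_flows=6, max_cv=0.15):
    """Demerit points if inter-arrival times to one destination are near-constant."""
    if len(times) < min_flows:
        return 0
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else 0.0   # coefficient of variation
    return 40 if cv <= max_cv else 0

def lateral_score(peers, min_peers=5):
    """Demerit points if a host touched many distinct internal peers on admin ports."""
    return 30 if len(peers) >= min_peers else 0

def concern_index(flows):
    """Return {internal_src: {"score": int, "reasons": [...]}} for flagged hosts only."""
    by_pair = defaultdict(list)      # (src, external dst) -> outbound timestamps
    admin_peers = defaultdict(set)   # src -> internal hosts reached on admin ports
    for f in sorted(flows, key=lambda f: f.ts):
        if not is_internal(f.src):
            continue
        if not is_internal(f.dst):
            by_pair[(f.src, f.dst)].append(f.ts)
        elif f.dport in ADMIN_PORTS:
            admin_peers[f.src].add(f.dst)
    index = defaultdict(lambda: {"score": 0, "reasons": []})
    for (src, dst), times in by_pair.items():
        pts = beacon_score(times)
        if pts:
            index[src]["score"] += pts
            index[src]["reasons"].append(f"periodic beacon to {dst}")
    for src, peers in admin_peers.items():
        pts = lateral_score(peers)
        if pts:
            index[src]["score"] += pts
            index[src]["reasons"].append(f"admin-port fan-out to {len(peers)} internal hosts")
    return dict(index)

def rank(index):
    """Hosts ordered by descending concern index, as a list of (host, score)."""
    return sorted(((h, v["score"]) for h, v in index.items()), key=lambda x: -x[1])

# Constructed sample traffic (not real capture data)
SAMPLE = (
    # 10.0.0.5 contacts 203.0.113.9 exactly every 60 s: constructed C2 beacon
    [Flow(60.0 * i, "10.0.0.5", "203.0.113.9", 443, 512) for i in range(1, 9)]
    # 10.0.0.7 reaches six internal hosts on SMB within a minute
    + [Flow(100.0 + i, "10.0.0.7", f"10.0.0.{20 + i}", 445, 2048) for i in range(6)]
    # 10.0.0.9 browses one external site at irregular intervals (benign)
    + [Flow(t, "10.0.0.9", "198.51.100.4", 443, 9000)
       for t in (3.0, 17.5, 71.0, 72.2, 140.0, 300.9, 301.1)]
)

if __name__ == "__main__":
    idx = concern_index(SAMPLE)
    for host, score in rank(idx):
        print(f"{host:12} concern={score:3}  " + "; ".join(idx[host]["reasons"]))
```

Run as a script it lists only the two hosts that earned points, highest first; the benign browser never enters the index because its inter-arrival times vary too much to pass the regularity test. Real products combine many more signals and tune thresholds per network, but the shape is the same: each detector contributes points, and the analyst starts from the top of the ranked list.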