Big data analytics defining new malware strategy
By Brian Bloom
May 09, 2012 — IDG News Service — Good intelligence has long been a decisive factor in the battle against malware. But with threats multiplying exponentially, analyzing information may become just as important as gathering it.
What the future holds for anti-malware is an open question. Signature-based file scanning, the most common method of dealing with infections in the past, is becoming less effective due to the sheer volume of malware produced. But for lack of a better strategy, many enterprise antivirus products still rely on it to a large extent.
Things are changing, however. Antivirus vendors are beginning to realize that to stay ahead of the bad guys (or at least, not too far behind), it's necessary to look deeper into what malware is doing and where it came from, and hopefully, predict where it might spring up in the future.
Dave Millier, CEO of Sentry Metrics, a Toronto-based security consulting firm and managed services provider, says that many vendors are no longer focusing on the threats coming in "one at a time" and are starting to collect the data and look at wider trends over time. The technology that makes this possible is relatively new, he says.
"You're seeing more data collection happening at the network level, where you're trying to use a lot of information from a security point that we didn't use to be able to use."
One of the vendors he works with is Sourcefire Inc., a company that has begun to view malware as fundamentally a "big data" problem. Sourcefire recently came out with a cloud-based enterprise security product called FireAMP, which widens the security net by looking at "fuzzier" malware signatures and broader global patterns for suspicious activity. FireAMP also uses what Sourcefire calls "machine learning" to model what potential threats may look like.
Significantly, FireAMP is able to take a retrospective look at what occurred during an outbreak across a network, a capability that can be important not just for corporate security purposes, but also for legal reasons.
"We've focused very heavily on turning our cloud-based platform into what I like to call a flight recorder for the endpoint," says Oliver Friedrichs, senior vice president of Sourcefire's cloud technology group. "We're essentially recording file activity across your endpoints to be able to store a tamper-proof record of file activity in the cloud."
With FireAMP, he says, connectors are installed at the endpoint to send data to the cloud whenever a user installs or executes applications.
"In the future, if there is a breach, we can tell you how that threat actually got in, where it went, who patient zero was, for example, the very first person who got infected, and where that threat actually spread and how much damage was caused."
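The "flight recorder" idea described above, retaining a tamper-evident record of file activity so that an outbreak can be traced back to patient zero, can be shown with a small added example. This is illustrative code written for this article, not Sourcefire or FireAMP code, and it assumes nothing about how FireAMP actually stores events: the endpoints, users, timestamps and file hashes below are constructed, the record is a simple hash chain where each entry commits to the digest of the previous one, and `trace()` answers the retrospective questions quoted above (who ran the file first, and which hosts it spread to) from that record.

```python
"""Added example (not Sourcefire/FireAMP code): a hash-chained, append-only
record of endpoint file-execution events, plus a retrospective query that
finds "patient zero" and the spread order for a given file hash.
All hosts, users, timestamps and hashes below are constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Event:
    ts: int        # Unix timestamp (constructed)
    host: str      # endpoint that reported the event
    user: str      # account that installed or executed the file
    sha256: str    # hash of the file involved
    action: str    # "install" or "execute"


class FlightRecorder:
    """Append-only log in which every entry's digest covers the previous
    entry's digest, so editing or deleting an entry in the middle of the
    chain breaks verification of everything after it."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []  # list of (event_dict, prev_digest, digest)

    @staticmethod
    def _digest(event: dict, prev: str) -> str:
        payload = json.dumps(event, sort_keys=True) + prev
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, ev: Event) -> str:
        prev = self.entries[-1][2] if self.entries else self.GENESIS
        event = asdict(ev)
        digest = self._digest(event, prev)
        self.entries.append((event, prev, digest))
        return digest

    def verify(self) -> bool:
        """Recompute the chain from genesis; False if any entry was altered."""
        prev = self.GENESIS
        for event, stored_prev, stored_digest in self.entries:
            if stored_prev != prev or self._digest(event, prev) != stored_digest:
                return False
            prev = stored_digest
        return True

    def trace(self, sha256: str) -> dict:
        """Retrospective view of one file: first host/user to touch it
        (patient zero) and the hosts it reached, in order of first sighting."""
        hits = sorted((e for e, _, _ in self.entries if e["sha256"] == sha256),
                      key=lambda e: e["ts"])
        if not hits:
            return {"patient_zero": None, "spread": []}
        seen, spread = set(), []
        for e in hits:
            if e["host"] not in seen:
                seen.add(e["host"])
                spread.append(e["host"])
        return {"patient_zero": (hits[0]["host"], hits[0]["user"]), "spread": spread}


# Constructed file hashes standing in for a malicious and a benign sample.
MALICIOUS = hashlib.sha256(b"constructed-malicious-sample").hexdigest()
BENIGN = hashlib.sha256(b"constructed-benign-sample").hexdigest()


def build_sample() -> FlightRecorder:
    """Populate a recorder with constructed endpoint events."""
    rec = FlightRecorder()
    for ev in (
        Event(1000, "ws-01", "alice", MALICIOUS, "install"),
        Event(1010, "ws-01", "alice", MALICIOUS, "execute"),
        Event(1200, "ws-07", "bob", MALICIOUS, "execute"),
        Event(1250, "ws-07", "bob", BENIGN, "execute"),
        Event(1400, "fs-02", "svc-backup", MALICIOUS, "execute"),
    ):
        rec.append(ev)
    return rec


if __name__ == "__main__":
    rec = build_sample()
    print("chain intact:", rec.verify())
    print("trace:", rec.trace(MALICIOUS))
```

Running the block prints that the chain verifies and that the malicious sample was first seen on `ws-01` under `alice`, then reached `ws-07` and `fs-02`. The tamper-evidence is only as strong as the place the latest digest is kept: if an attacker can rewrite both the entries and the stored head digest, the chain re-verifies, which is why the article's point about keeping the record off the endpoint (in the cloud, in FireAMP's case) matters.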