Sourcefire Inc. has announced new malware detection and forensics capabilities for its enterprise network and endpoint security portfolio, staking its claim among a growing number of vendors offering alternatives to signature-based antimalware products.
The Columbia, Md.-based vendor, maker of the venerable Snort IDS/IPS product, Monday added what it calls "malware trajectory" to its Advanced Malware Protection portfolio, which includes its line of FireAMP network and endpoint malware-analysis products, as well as to its FirePOWER IPS and next-generation firewall appliances.
The vendor also announced new FireAMP features, including an "indicators of compromise" capability that correlates seemingly benign events to determine whether a system may have been compromised, and "device flow correlation" that cross-checks potentially anomalous endpoint activity against network traffic to spot malware proliferation, particularly on mobile devices that may reside beyond the corporate network.
Oliver Friedrichs, senior vice president of Sourcefire's Cloud Technology Group, described malware trajectory as being like a "black box" flight-data recorder for malware that traverses networks and endpoints undetected. Using technology acquired in Sourcefire's 2011 acquisition of cloud-based security startup Immunet, it records and stores object data for files, whether they're passing through the network gateway or on the endpoint.
Friedrichs said there's a growing recognition among security practitioners that signature-based antimalware products "aren't meeting expectations" because they look only for the malware signatures in their .DAT detection files and nothing else, often missing zero-day attacks that use never-before-seen malware.
While Sourcefire believes its FireAMP and FirePOWER products offer a more effective malware-detection strategy, Friedrichs admitted that no antimalware product is 100% effective. To that end, when an organization needs to discover the source and extent of a malware incident quickly, Sourcefire's malware trajectory capabilities allow it to determine what happened, specifically when and how specific files entered the environment and which endpoints they reached.
Friedrichs said the goal is to shave weeks, if not months, off of malware incident-response times, taking the guesswork out of what's needed to remediate a malware incident and any related infections. "If there's another incident," he said, "they can determine in seconds how that incident occurred."
One beta customer, a power company that operates 17 hydroelectric plants in the western U.S., had particularly good success using the malware trajectory capabilities, Friedrichs said, detecting the source of a malware outbreak that began with a Java zero-day attack. Sourcefire's FireAMP product was able to detect the attempted exploit, he said; from there, the customer, using the malware trajectory, pinpointed how the malware entered the network and all the endpoints to which it had spread.
"If you don't solve the root cause of today's new vulnerabilities, like Java zero-days, and determine how a threat is getting in, you're going to see high levels of reoccurrence," Friedrichs said. "Even if traditional antivirus works, detecting portions of a threat, it may not help resolve the root cause itself."
The malware trajectory feature overcomes the latency and storage issues that burden many full-packet capture products by instead storing file metadata, like file signatures and endpoint file hashes, so that the process that introduced the file can be traced back to its origin.
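The tracing described above only needs a small amount of per-file metadata per observation: which sensor saw the file, when, its hash, and which process or source introduced it. The following script is an added illustration of that idea, not Sourcefire's code or data model. It assumes a sensor that records a `parent_sha256` field (the hash of the file whose process wrote the new file, or none for an external download), which is this example's own assumption about how lineage is captured; the hostnames, hashes and timestamps are constructed.

```python
"""Toy file-trajectory tracer built on file metadata rather than packet capture.
Added example for illustration; not Sourcefire FireAMP/FirePOWER code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    ts: int                      # observation time, epoch seconds (constructed)
    host: str                    # sensor that saw the file: gateway or endpoint
    sha256: str                  # hash of the file object (shortened for readability)
    action: str                  # "transfer" (gateway), "create" or "execute" (endpoint)
    source: str                  # URL, process or peer that introduced or ran the file
    parent_sha256: Optional[str] = None  # assumed field: hash of the file whose process
                                         # wrote this one; None means external ingress


H_JAR, H_PAYLOAD, H_REPORT = "4f2a9c", "b17e00", "9d3c41"

# Constructed telemetry, not real sensor output: a drive-by JAR comes in through the
# gateway, drops a payload on ws-17, and the payload copies itself to two more hosts.
EVENTS = [
    FileEvent(1000, "gw-01", H_JAR,     "transfer", "http://203.0.113.5/ad.jar"),
    FileEvent(1002, "ws-17", H_JAR,     "create",   "firefox.exe"),
    FileEvent(1003, "ws-17", H_JAR,     "execute",  "java.exe"),
    FileEvent(1004, "ws-17", H_PAYLOAD, "create",   "java.exe", parent_sha256=H_JAR),
    FileEvent(1005, "ws-17", H_PAYLOAD, "execute",  "svchost.exe"),
    FileEvent(1100, "ws-22", H_PAYLOAD, "create",   r"\\ws-17\ADMIN$", parent_sha256=H_PAYLOAD),
    FileEvent(1101, "ws-22", H_PAYLOAD, "execute",  "services.exe"),
    FileEvent(1200, "ws-31", H_PAYLOAD, "create",   r"\\ws-22\ADMIN$", parent_sha256=H_PAYLOAD),
    FileEvent(1300, "ws-17", H_REPORT,  "create",   "outlook.exe"),  # unrelated, benign
]


def _by_hash(events):
    """Index events by hash, each list in time order."""
    idx = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        idx[e.sha256].append(e)
    return idx


def trajectory(events, sha256):
    """First sighting of a hash on each host, oldest first: when and how the file
    entered the environment and which endpoints it reached."""
    first = {}
    for e in _by_hash(events).get(sha256, []):
        first.setdefault(e.host, e)
    return list(first.values())


def root_cause(events, sha256):
    """Walk parent_sha256 links from the hash's earliest arrival back to the
    external ingress. The visited set guards against self-copies (a worm whose
    parent is itself) producing an endless loop."""
    idx = _by_hash(events)
    chain, seen, cur = [], set(), sha256
    while cur is not None and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        arrivals = [e for e in idx.get(cur, []) if e.action in ("transfer", "create")]
        cur = arrivals[0].parent_sha256 if arrivals else None
    return chain


def blast_radius(events, sha256):
    """Every host touched by the hash or by any file it transitively wrote."""
    children = defaultdict(set)
    for e in events:
        if e.parent_sha256 is not None:
            children[e.parent_sha256].add(e.sha256)
    hosts, stack, seen = set(), [sha256], set()
    while stack:
        h = stack.pop()
        if h in seen:
            continue
        seen.add(h)
        hosts.update(e.host for e in events if e.sha256 == h)
        stack.extend(children[h])
    return hosts


if __name__ == "__main__":
    for e in trajectory(EVENTS, H_PAYLOAD):
        print(f"{e.ts} {e.host:6} {e.action:8} via {e.source}")
    print("root cause chain:", " <- ".join(root_cause(EVENTS, H_PAYLOAD)))
    print("hosts to remediate:", sorted(blast_radius(EVENTS, H_JAR)))
```

Starting from the payload hash alone, `root_cause` leads back to the JAR that came through the gateway, and `blast_radius` on that JAR lists every host the outbreak reached, which is the "when, how and where" the article says responders need. The benign report file on ws-17 stays out of the answer because nothing links it to the chain.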
For Sourcefire's FireAMP device-based product customers, malware trajectory data is stored in Sourcefire's secure, self-run cloud infrastructure. FirePOWER customers can store the data on the appliance, and it also can be synced with the cloud.
Chris Rodriguez, an industry analyst for network security with Frost & Sullivan, said Sourcefire's malware trajectory and other new FireAMP features reflect a mature attitude, recognizing that signature-based antimalware and other perimeter-centric defenses are decreasing in effectiveness. A variety of security vendors, including startups like FireEye and Damballa, and industry stalwarts like Sourcefire, McAfee and others, are offering technologies meant to support or outright replace AV systems that often fail to detect advanced malware attacks.
"It shows a pretty evident need for continuing to look at devices and files on the network post-admission with the things that Sourcefire does well, like file monitoring, file and device trajectory," he said. "It's increasingly possible for malware to lie dormant or even to change after a perimeter inspection, so I feel there's a lot of value in those things."
Friedrichs was careful to say that the malware trajectory capabilities aren't meant to further position Sourcefire's FireAMP and FirePOWER products as replacements for signature-based antimalware products, but to provide an additional layer of protection. "Many companies aren't going to be willing to remove their AV products or acknowledge they made a mistake in buying them," Friedrichs said. "Our approach is more of a complement, not a replacement strategy at the moment. That may change. Certainly the traditional desktop AV vendors will need to react as well; I don't think it's a secret that detection is not working well at all."
Rodriguez said Sourcefire's product portfolio remains best suited to technically sophisticated organizations that possess the internal expertise necessary to manage the products well.
"Once these potential indicators of a compromise are flagged, that's still not going to be a 100% positive; it could be a false positive," he said. "With IPS, you have to eliminate those false positives; and while the indicators show the IT staff and security pros where to look, that further investigation has a human element to it."