NATIONAL HARBOR, Md. – Atlanta-based startup Damballa Inc. is among the many vendors seeking to position itself at the forefront of advanced attack detection and prevention. Not only is it endeavoring to do this with copious research and an ongoing public relations effort, but also by hiring big names. Most recently the company added Sameer Bhalotra, former White House senior director of cybersecurity under President Barack H. Obama, to its board of advisors.
At the recent 2013 Gartner Security and Risk Management Summit, SearchSecurity spoke with Bhalotra and Damballa CEO David Scholtz about the benefits of best-of-breed information security products, emerging malware and the future of threat detection.
What are your thoughts on partnerships among best-of-breed product vendors? Symantec CEO Steve Bennett outlined his strategy for packaging Symantec's products with those from other vendors, and Damballa already has partnerships in place with companies like F-Secure, Nominum and Blue Coat. Why is that beneficial for enterprises?
David Scholtz: We're in the midst of an evolution involving the traditional layers of security. Look at a lot of the innovations taking place at companies like Damballa, Invincea, Bromium or Co3. There are a lot of companies out there bringing a lot of innovation and intellectual capacity to this landscape, which is creating a new layered fabric of security. Over the last couple of decades, you have either had "security in depth" or "layered defense" or whatever terms you want for traditional endpoint and network security, and all the different products in that stack. Now all that is being reinvented in real time to address the new threat paradigm. There is going to be a whole new set of companies that collaborate and work together. We vendors may all appear competitive, but the reality is, we're doing different things.
Sameer Bhalotra: To me, cooperation is a must; it's mandatory. We have no chance to defend ourselves if we don't. I think that products that seem the same or competitive usually have different strengths. For example, there are companies that focus on the prevention of advanced threats. Technology like Damballa's is [a] very useful complement to them even though they might seem competitive when you're looking at them from far away. A combination of those technologies might provide the best defense, so I think it's a must.
Your company's mission, according to your website, is to discover the threats that bypass other layers of security. What are those threats, and what makes your approach unique?
Scholtz: If you think about the kill chain, with Damballa, we really pick it up from the point of communication; we're not a prevention play at all. Another theme you'll hear is that prevention will not scale, especially when you think about the amount of resources being deployed to respond and remediate. To get in front is to understand what the mindset is and the techniques are of the threat actors themselves. So what we're working to do is shorten the time from infection to detection, and then from detection to response and then ultimately provide more value in ongoing remediation.
The way we do that is the various profilers we have, which we refer to as communication profilers. As I mentioned, we started with DNS, now we have domain flux and a DGA [domain generation algorithm] profiler. We recently announced a peer-to-peer profiler. So those are all based upon the types of techniques we see the threat operators using, in this case around communication. So between the analysis of behavior and the intelligence we have about the threat operators themselves, and the bad domains out there and the infrastructure being used and the content analysis, and as we have our algorithms determine whether or not an asset is infected in real-time based upon communications, we also package up that core bit of forensic evidence that we used to determine that an asset was under threat operator control, and we pass that along to assist in the acceleration of the response.
What are some of the most prevalent malware evasion techniques that you're currently seeing?
Scholtz: A lot of the techniques are not all that sophisticated. And the bad news is right now they don't have to be. For example, some of the malware variants we've seen recently, like PushDo, have been based on malware that's been around awhile, so in some cases it's just being repurposed. The infrastructure being used by threat operators fosters a whole series of events. It's going from not only the reconnaissance and weaponization, but also getting into the points of dropping files, having command and control back to actually download a separate payload, removing the traces of what was there before.
Domain fluxing is a technique increasingly being used more often. Domain fluxing is the notion that on any given day there will be one domain that can actually be rationalized and the malware, in its communication, will work through a whole series of algorithms, talking and trying to connect with thousands of what we refer to as NXDOMAINs, or domains [that] are not resolved, and then they'll find the one that is current for that specified time period, and that's what will establish the communications. And then that one is no longer valid, and then each day it just moves on to the next.
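The NXDOMAIN behavior Scholtz describes is exactly what a defender can look for in resolver logs: an infected host walks through many algorithmically generated names that do not resolve before it finds the one live rendezvous domain. The following is an added example (not Damballa's code or any product's profiler) of that detection idea. It assumes a simplified, constructed log format of "epoch client_ip qname rcode" per line, buckets queries per client into fixed time windows, and flags a window when the NXDOMAIN count and ratio cross thresholds; the entropy of the leftmost label is computed only as supporting evidence, since dictionary-word typos also produce NXDOMAINs but with lower entropy. The log lines, IPs and thresholds are constructed for illustration.

```python
"""NXDOMAIN-burst detection for domain-flux / DGA command-and-control lookups.

Added example, not Damballa's code. Assumes a constructed resolver log
format: "<epoch> <client_ip> <qname> <rcode>" (one query per line).
"""
from collections import defaultdict
import math

# Constructed sample resolver log (not from any real capture).
SAMPLE_LOG = """\
1370000000 10.0.0.5 www.example.com NOERROR
1370000001 10.0.0.5 mail.example.com NOERROR
1370000002 10.0.0.9 qwx7z2k9d.net NXDOMAIN
1370000002 10.0.0.9 p3lm0vtaa.com NXDOMAIN
1370000003 10.0.0.9 zzgh4rtfe.org NXDOMAIN
1370000003 10.0.0.9 kd82hq1pq.net NXDOMAIN
1370000004 10.0.0.9 xx9aqpl3n.info NXDOMAIN
1370000005 10.0.0.9 updates.example.com NOERROR
1370000005 10.0.0.5 typo-exmaple.com NXDOMAIN
"""


def parse_log(text):
    """Parse the constructed log format into (ts, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, qname, rcode = line.split()
        records.append((int(ts), client, qname.lower().rstrip("."), rcode))
    return records


def label_entropy(qname):
    """Shannon entropy (bits/char) of the leftmost DNS label.

    Algorithmically generated labels tend to score higher than dictionary
    words or typos, so this is useful corroborating evidence, not proof.
    """
    label = qname.split(".")[0]
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_windows(records, window=60, min_nx=4, min_ratio=0.5):
    """Bucket queries per (client, window) and flag NXDOMAIN-heavy windows.

    Returns a list of findings, one per client/window, each with the
    NXDOMAIN count, total queries, NXDOMAIN ratio, mean label entropy of
    the failed names, and a 'flagged' boolean. Thresholds are constructed
    placeholders; tune them against your own baseline traffic.
    """
    buckets = defaultdict(lambda: {"nx": 0, "total": 0, "nx_names": []})
    for ts, client, qname, rcode in records:
        b = buckets[(client, ts - ts % window)]
        b["total"] += 1
        if rcode == "NXDOMAIN":
            b["nx"] += 1
            b["nx_names"].append(qname)

    findings = []
    for (client, start), b in sorted(buckets.items()):
        ratio = b["nx"] / b["total"]
        names = b["nx_names"]
        mean_ent = sum(label_entropy(q) for q in names) / len(names) if names else 0.0
        findings.append({
            "client": client,
            "window_start": start,
            "nx": b["nx"],
            "total": b["total"],
            "nx_ratio": round(ratio, 3),
            "mean_entropy": round(mean_ent, 3),
            "flagged": b["nx"] >= min_nx and ratio >= min_ratio,
        })
    return findings


def flagged_clients(records, **kwargs):
    """Sorted, de-duplicated list of client IPs with at least one flagged window."""
    return sorted({f["client"] for f in score_windows(records, **kwargs) if f["flagged"]})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in score_windows(recs):
        print(f)
    print("flagged:", flagged_clients(recs))
```

Run as a script it prints one finding per client window and the flagged list; on the constructed sample only 10.0.0.9 is flagged (five NXDOMAINs out of six queries), while 10.0.0.5's single typo lookup stays below the count threshold. In practice the window size and thresholds need tuning against a baseline, and a flagged host is a lead for the response process Scholtz describes, not a verdict on its own.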
Where is Damballa heading in the next 6 to 12 months and beyond?
Scholtz: We just released our peer-to-peer profiler [which performs flow analysis on egress traffic to discover malicious connections in P2P swarms]. I think additional product offerings will really look at expansions on the profilers we have. Our research teams and threat analysts are looking at the techniques that are being used by attackers and coming up with additional technologies. For us, our mission is to provide the best, most relevant detection capability in the industry.
We're seeing the recognition that amid a noisy world of alerts and massive amounts of information and a lot of effort being spent on prevention, there's value in the actionability and the specificity of the information that we provide to our customers around what their assets are doing. Often that means information not only about whether they are infected, but also that those hosts are actually actively communicating. That's how we highlight business risk.