Large data analysis redefining malicious software policies

Good intelligence has always been a determining factor in the war against malware. But the threat multiplied by the exponent, the analysis information may become as important as collecting it.

Future Anti-malware is an unresolved issue. Due to the increasing number of malware generated, the most common approach to dealing with infections in the past-based on signature file scans-is becoming increasingly ineffective. But there is no better strategy, and many of the enterprise's anti-virus products still depend heavily on it.

But things are changing. Antivirus vendors are starting to keep exploring the trends of malware in advance (or at least not too far behind them), tracking malware more deeply-what it is doing, where it comes from, what it wants, and predicting where it might emerge in the future is necessary.

Dave Millier, chief executive of Sentry Metrics, a security consulting and hosting provider in Toronto, said many vendors no longer focus on the threat of "one at a time" in the future, but began to gather data and speculate on broader trends in the future. He says it is relatively new technology that makes all this possible.

"You see more data gathering happening at the network level, where you're trying to use a lot of information from a security perspective that we didn't use in the past." ”

One of the suppliers working with him is Sourcefire, which has largely started to see malware as a "big data" issue. Sourcefire company recently launched a cloud-based enterprise security product called Fireamp to view "Fuzzy (fuzzier)" Malware signatures to expand the safety net, and a broader global model for monitoring suspicious activity. Fireamp also uses Sourcefire, known as machine Learning (machine learning), to model possible attributes of potential threats.

It is noteworthy that Fireamp is able to recall what happened during the outbreak on the network, which is an important function, whether for corporate security purposes or for legal reasons.

"Our focus has been a major shift, through our cloud-based platform, to the struggle records we call endpoints," said Oliver Friedrichs, senior vice president of Sourcefire Cloud technology. "We're basically documenting activities across endpoints, Tamper-proof records that can store file activity in the cloud. ”

Through Fireamp, he says, connectors are installed in terminals that send data to the cloud whenever the user installs or executes the application.

"In the future, if there is a breach, we can tell you where the threat actually comes in, where it goes, marginalised zero (the first source of infection) is who, for example, the first person is infected, and how much damage this threat actually spreads and causes. ”

Another Anti-malware company, Trend Technology, also invests in new intelligence capabilities, leveraging cloud infrastructure and online community power. The trend technology company in Canada, director of product and service Tom Moss, introduced a "I strategy" (Fight Fire with fire strategy). ”

"Zombie controllers are a way to use the cloud, or use the Internet to control a lot of machines," he said. "We use machines and networks that our customers collect about how malware behaves and who are trying to communicate with intelligence." ”

Or here, collect the data for future analysis. Trend technology running a background check on an infection source, he said: "Where is this domain name registered?" What domain name has this person registered? How often are the addresses associated with these domain names changed? ”

Millier says analysis is becoming part of the fight against malware, which is also facing the challenge of big data like everyone else. Bringing a lot of data to a local surveillance is a sound strategy, he said, but it is difficult to carry out meaningful analysis on a large amount of raw material.

"To be able to trigger effectively, it really needs to be indexed and sorted in order to be able to efficiently search," Millier said, "So you lose the flexibility to remain unstructured." ”

Overall, we are using a variety of security data collection and analysis tools that have improved dramatically in recent years, with far greater depth and breadth of intelligence, Millier said.

"You get what actually happens on the network, you see it at the system level, you see it at the network level, you look at it at the firewall, and even look at it at the application level, and of course you can identify the threat faster and better." ”

(Responsible editor: The good of the Legacy)