Monday, October 31, 2011

New Laws of Anti-Malware Technology #2: Malware Protection Capabilities Should Neither be Viewed Nor Designed as a "Stack"

In a previous blog entry, I introduced the concept of the "New Laws of Anti-Malware" and promised a series of posts, each of which talks about one new law. In keeping with this promise, I'd like to unveil the second "new" law:

New Law of Anti-Malware Technology #2: Malware Protection Capabilities Should Neither be Viewed Nor Designed as a "Stack".

Let me elaborate. Traditional anti-malware vendors describe their protection technologies as a “stack.” By this terminology they mean that they have a number of engines, each of which operates in an independent silo. Typically, a threat is blocked on a system as soon as one of the engines in the stack deems it malicious. Because the engines operate independently, important contextual information is lost between them. That said, the stack-based approach was sufficient at a time when threats were more simplistic in nature.

Today’s more sophisticated threats require a far more nuanced approach. Rather than operating as independent pieces of a stack, the different components should form a tightly integrated lattice. Different protection components should talk to each other and they should operate in concert to arrive at a final disposition about whether a particular piece of software represents a threat. This notion permeated our thinking during the design of our Immunet Anti-Malware offering.

For example, one of the protection technologies that Sourcefire customers benefit from is our advanced analytics engine, which looks for suspicious global patterns. These patterns may point to an increased likelihood that a particular file on a customer’s machine represents a threat (imagine that these patterns suggest an 85% likelihood that a file is a threat). In isolation, this information alone may not be sufficient to block that file because the false positive rate (i.e., the likelihood that we will accidentally identify a benign piece of software as malicious), especially in the absence of any other information, might be too high. Imagine, however, that one of our existing detection approaches (e.g., our Spero machine learning technology) deemed this file to be suspicious with 88% likelihood. Or perhaps this file matched one of the more aggressive generic signatures from our Ethos technology. Combining these different independent signals might lead us to believe that the file has a very high likelihood of being malicious – even though no one source was enough to make that determination conclusively.
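The combination described above, worked through as an added example (my code, not Sourcefire's or Immunet's): a stack-style decision that blocks only when one engine alone clears the threshold, beside a lattice-style decision that fuses the signals in log-odds space. The 85% and 88% figures come from the post; the weight given to the Ethos generic signature, the prior, the block threshold and the assumption that the engines' evidence is conditionally independent are mine.

```python
# Added example, not code from the original post or from Sourcefire/Immunet.
# Assumptions (mine): each engine emits P(malicious | its own evidence)
# calibrated against a shared prior, the engines' evidence is conditionally
# independent, and all names, scores and thresholds are constructed.
import math
from typing import Dict

BLOCK_THRESHOLD = 0.95  # constructed: posterior needed to block a file
PRIOR = 0.5             # constructed: base rate the engine scores are calibrated to


def _odds(p: float) -> float:
    if not 0.0 < p < 1.0:
        raise ValueError("probabilities must be strictly between 0 and 1")
    return p / (1.0 - p)


def stack_disposition(scores: Dict[str, float], threshold: float = BLOCK_THRESHOLD) -> bool:
    """Silo ("stack") model: block only if one engine alone clears the threshold."""
    return any(p >= threshold for p in scores.values())


def fused_probability(scores: Dict[str, float], prior: float = PRIOR) -> float:
    """Naive-Bayes fusion in log-odds space: each engine's posterior odds over
    the prior odds is the likelihood ratio its evidence contributes; under
    conditional independence those ratios multiply, so their logs add."""
    prior_log_odds = math.log(_odds(prior))
    log_odds = prior_log_odds + sum(math.log(_odds(p)) - prior_log_odds
                                    for p in scores.values())
    return 1.0 / (1.0 + math.exp(-log_odds))


def lattice_disposition(scores: Dict[str, float], threshold: float = BLOCK_THRESHOLD,
                        prior: float = PRIOR) -> bool:
    """Integrated ("lattice") model: decide on the combined posterior."""
    return fused_probability(scores, prior) >= threshold


# Constructed sample mirroring the post: three signals, none conclusive alone.
SAMPLE_SCORES = {
    "analytics": 0.85,  # global-pattern analytics engine
    "spero": 0.88,      # machine-learning engine
    "ethos": 0.70,      # constructed weight for an aggressive generic signature
}

if __name__ == "__main__":
    print("stack blocks  :", stack_disposition(SAMPLE_SCORES))
    print("lattice blocks:", lattice_disposition(SAMPLE_SCORES),
          f"(combined p = {fused_probability(SAMPLE_SCORES):.4f})")
```

With the sample scores the stack model never blocks, while the fused posterior comes out near 0.99 and the lattice model does.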

This represents just one example. But the reality is that we have implemented many more capabilities that are variations on this overall concept – all of which harness the collective power of our extensive threat intelligence infrastructure and overall global view.

It turns out that between 6% and 7% of our in-field detections come about from leveraging additional context. By having our protection technologies work collectively, we ensure that every relevant piece of information is accounted for and used in arriving at our final conclusion. In short, our customers derive maximum benefit when we derive maximum value from our vast collection of threat intelligence.

2 comments:

  1. Hopefully, these new laws will help elevate standards against malware via compliance to the new standards.
  2. I also have some issues with the stacked principle in the model on which this anti-malware software was designed. We need a better collaborative model as an evolving standard.