Wednesday, December 14, 2011

The New Laws of Anti-Malware Technology #3: Don't think "endpoint", think "endpoints"

Over the last few months, I've introduced a "law" that I believe should fundamentally dictate what one should expect of next generation malware defense technology. I'd like to "unveil" the third such law: "Don't think Endpoint, Think Endpoints." Let me explain what I mean by that.

Traditional anti-malware vendors have had a singular focus on "the endpoint." While that ostensibly seems like a reasonable thing to do, it turns out to be extremely limiting. There is often valuable information that is lost when we consider systems in isolation. Instead, if we can understand trends across collections of endpoints, we can actually identify malicious behavior with an alarmingly high success rate. But by looking at one endpoint alone, we do not get that same degree of leverage. Collections of endpoints give you context; a single endpoint only gives you a single datapoint, but with nothing to compare it to.

Having a universal perspective allows us to determine what normal trends should look like. This knowledge, in turn, allows us to spot anomalies. Of course, being able to achieve these aims in near real time is reliant on having a robust analytics infrastructure that can process large data sets quickly.

As part of Sourcefire's Immunet anti-malware product, we have built a number of advanced analytics engines that leverage collective intelligence. These engines work in concert with our other detection technologies. For example, a file might be deemed “somewhat” suspicious by our Spero machine learning technology. In other words, all else being equal it is slightly more likely to be malicious than benign based on its characteristics. However, from a practical perspective, we might need more confidence before we conclusively determine that the file represents a threat. Our advanced analytics engines can provide that additional context. For example, they can consider what we have understood about that file when examined from the perspective of our entire user base and other intelligence sources. This global information, combined with what we have understood from Spero can help us make a far more accurate determination about the disposition of the file.

What’s more, once we have made this determination, we propagate that intelligence across the entire community and protect all of our users from this threat. In other words, the system we have built is highly agile and highly intelligent. It attempts to leverage all relevant information with the goal of maximizing protection across the user base. In fact, over a recent 6-week period, a little over 7% of our detections came about through these advanced analytics capabilities.
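To make the "endpoints, not endpoint" argument concrete, here is an added illustration (not Immunet or Sourcefire code) of combining a per-file classifier score with fleet-wide prevalence and then propagating the verdict. The classifier score, fleet size, thresholds and file hashes are all constructed assumptions standing in for a Spero-style score and real telemetry.

```python
from collections import defaultdict

FLEET_SIZE = 1000  # constructed: number of endpoints reporting telemetry

# Constructed per-file classifier scores (0 = benign-looking, 1 = malicious-looking).
# Stands in for a Spero-style score; hash names are placeholders, not real indicators.
ML_SCORES = {"file-A": 0.6, "file-B": 0.6, "file-C": 0.95, "file-D": 0.1, "file-E": 0.6}

# Constructed sightings: (endpoint_id, file hash). A, B and E share the same
# "somewhat suspicious" score but differ wildly in how many endpoints saw them.
SIGHTINGS = (
    [("ep-001", "file-A"), ("ep-002", "file-C"), ("ep-003", "file-D")]
    + [(f"ep-{i:03d}", "file-B") for i in range(100, 160)]   # 60 endpoints
    + [(f"ep-{i:03d}", "file-E") for i in range(200, 210)]   # 10 endpoints
)

def prevalence(sightings):
    """Count the distinct endpoints on which each hash was observed."""
    seen_on = defaultdict(set)
    for endpoint, digest in sightings:
        seen_on[digest].add(endpoint)
    return {digest: len(eps) for digest, eps in seen_on.items()}

def disposition(score, seen_count, fleet_size=FLEET_SIZE):
    """Combine the local score with fleet-wide context (thresholds are illustrative)."""
    if score >= 0.9:
        return "malicious"          # local classifier is confident on its own
    if score < 0.3:
        return "clean"
    # "Somewhat suspicious": one endpoint cannot resolve this, the fleet can.
    if seen_count / fleet_size >= 0.05:
        return "clean"              # widely installed across the user base
    if seen_count <= 3:
        return "malicious"          # rare and suspicious: escalate
    return "unknown"                # hold until more telemetry arrives

def fleet_verdicts(scores, sightings):
    """Disposition for every known hash using global prevalence as context."""
    counts = prevalence(sightings)
    return {d: disposition(s, counts.get(d, 0)) for d, s in scores.items()}

def propagate(verdicts, sightings):
    """Community blocklist for all endpoints, plus the endpoints already exposed."""
    blocklist = sorted(d for d, v in verdicts.items() if v == "malicious")
    bad = set(blocklist)
    exposed = sorted({ep for ep, d in sightings if d in bad})
    return blocklist, exposed
```

Seen from a single endpoint, file-A and file-B are indistinguishable; only the fleet view separates the one-off from the widely installed package.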

There is an old adage that there is safety in numbers. However, from our perspective, it’s not just about the raw quantity, but rather about the quality of information we derive. Moreover, it's also about our ability to swiftly translate that intelligence into actual customer protection.

Monday, December 12, 2011

Sleepless in D.C.

"I am often asked what keeps me up at night, and one of the key issues is cyber threats."

This recent remark comes from Rep. C. A. "Dutch" Ruppersberger, a member of the House Intelligence Committee, reflecting a concern that the rest of us have felt for many years. He made the remark at a meeting to introduce new cybersecurity legislation that would promote sharing of threat intelligence between the Federal government and American companies.

This security collaboration between the public and private sector is an important additional piece of the puzzle in meeting the ongoing challenges of cybersecurity—but the discussion cannot stop there.

With this potential public-private collaboration as a backdrop, Sourcefire will participate in a panel discussion airing on WTOP Federal News Radio of public and private sector leaders, discussing cybersecurity and other emerging technologies.

The panel will cover not only cybersecurity, but trends in geospatial applications, big data, along with virtualization and mobility. On cybersecurity, the panel will discuss the current threat landscape and what is being done in the federal sector to combat advanced persistent threats.

The panel takes place on Tuesday, December 13 at Noon ET and will welcome C-level IT security officials from the Veterans Affairs, U.S. Air Force and NOAA, along with Sourcefire’s CTO Martin Roesch and other private sector IT leaders.

Please tune in online at Noon ET on Tuesday, December 13 here: http://www.wtop.com/?nid=706 or turn your D.C. area radio dial to 1500 AM.

For more information on Sourcefire and the public sector, please see our web site: http://sourcefire.com/industry-compliance/government. As for the legislation, a good overview, “Bill Would Open Channels On Cyber Threats,” by Elizabeth Montalbano of Information Week can be seen here.

Tuesday, December 6, 2011

Next-Generation IPS Core to Sourcefire Next-Generation Firewall

As you might have seen Monday, Sourcefire has officially entered the Next-Generation Firewall market with a NGFW built on the world's best Next-Generation IPS (NGIPS), which also calls on unparalleled contextual awareness. This means correlating information on applications, users, content, hosts, attacks, vulnerabilities, behavior and changes in a user’s environment to assess risks and threat impact and make more precise enforcement decisions. Sourcefire also introduced the flexibility to deploy this solution as a NGIPS with application control, to augment existing firewall deployments.

On this topic, in this brief video, our founder and chief technology officer Martin Roesch sat down with IT Harvest analyst Richard Stiennon to discuss core advantages of Sourcefire's Next-Generation Firewall and core NGIPS innovation.

As we said before, the trick is to find solutions that are next-generation through and through. Sourcefire offers the choice, the network visibility, the automation, and the best threat prevention, which is exactly what a NGFW and NGIPS should offer. Watch the video to hear it from Roesch himself:

Monday, December 5, 2011

Sourcefire Unveils What a Next-Generation Firewall Should Be

Let’s put it out there. For the last several years, Sourcefire has heavily focused on the network security appliance market, namely with our Next-Generation Intrusion Prevention Systems (NGIPS). We’ve watched the growth – and fits and starts – of the Next-Generation Firewall (NGFW) market and we’ve heard what our customers have had to say about both. Many customers were interested in the shift to NGFW for the promise of application control. But most were hesitant to make such a shift because of concerns about performance and quality of protection. Existing solutions merely bolt inferior components onto traditional firewalls and force trade-offs between control and prevention. They have bolted on signature-only IDS, unaided by any form of contextual awareness to optimize enforcement decisions. So, for our customers, and for those other companies who demand agility in their security infrastructure, we today introduce the Sourcefire Next-Generation Firewall.

Sourcefire NGFW
Built on our core competencies of context-aware and adaptive security solutions, fueled by our FirePOWER performance platform and sophisticated FireSIGHT intelligence, we deliver a universal security platform that isn’t just a firewall. It isn’t just a NGIPS. It can be exactly what our customers need it to be. It’s exactly what a next-generation firewall should be.

Our solution is built on a highly dynamic single-pass engine that can be a NGFW, a NGIPS, or a NGIPS with application control. We understand that customers, especially large organizations, need flexibility and scalability in their organizations – and that doesn’t just come down to speeds and feeds. This comes down to real business decisions that rely on total network visibility, control without compromise, and intelligent security automation. This is what I envisioned several years ago. And this is what my team has built and delivered today. Choice coupled with the most effective threat prevention in the industry.

As threats continue to advance and IT environments continue to evolve, so too must our network security defenses. Back in 2003, I realized that intrusion prevention systems needed to evolve to provide effective protection in the face of dynamically changing environments. A NGFW has to do the very same thing. This is what a next-generation firewall should be. This is what is missing from other existing solutions. No other NGFW, or IPS system for that matter, can come close to this level of awareness, automation and threat protection.

Many security professionals agree that threat prevention is paramount for NGFW solutions. This message is not intended to downplay the firewall component at all – a NGFW must have a low-latency firewall. But how important, and, at what cost? A recent Ponemon Institute study of NGFW implementations across 15 industries found that threat prevention was ranked as the most important feature of their NGFW for data protection, but the firewall ranked as least important. This tells us that confidence is waning in these bolted-together NGFW solutions.

Companies want true integration – at the engine level – so that they are able to have the confidence in both their performance and their protection, and let their firewall be a firewall, while their IPS does what it is supposed to do. They want a universal security platform. The Ponemon Institute survey validates that current NGFW technologies need to evolve in order to be truly context-aware security platforms that provide effective data protection.

As organizations strive to protect their IT environments from increasingly sophisticated attackers, it’s only natural to seek out next-generation security technology. The trick is to find solutions that are next-generation through and through. We offer the choice, the network visibility, the automation, and the best threat prevention.

We offer exactly what a next-generation firewall should be.

For more information visit http://www.sourcefire.com/ngfw.

Friday, December 2, 2011

Sourcefire's Oliver Friedrichs Named a Rising Silicon Valley Star

Most are now aware that in the past five years, the face and behavior of malware has changed considerably. What, unfortunately, has not changed considerably in that timeframe is the anti-malware approach that most security vendors still use, rooted in methods several decades old.

Enter Sourcefire's Oliver Friedrichs, the senior vice president of our cloud technology group. Oliver called upon his years of experience, having founded three cybersecurity companies (all acquired by major IT security players), to rethink from the ground up how we as an industry -- and even a society -- address the ongoing confrontation with malware. He co-founded Immunet, now part of Sourcefire, built a team and developed a product that calls on the power of the cloud and big data to redesign how malware is combated.

For these reasons, along with many others, Oliver has been recognized by the Silicon Valley San Jose Business Journal in their annual "40 Under 40" that acknowledges the top 40 rising stars in Silicon Valley who are under the age of 40.

We would like to heartily congratulate Oliver on his inclusion in such a distinguished, select list. He exemplifies the focus and flexibility, innovation and integrity, respect and responsibility, and enthusiasm and excellence that we value in all of our Sourcefire employees.

Again, Oliver, thank you for such remarkable innovation and congratulations from your Sourcefire teammates on being named one of Silicon Valley's rising stars.