Sourcefire Corporate Blog

23 Jan 2012


Advanced Malware Protection: What Your Enterprise Really Needs

posted by Oliver Friedrichs

Today Sourcefire introduced its new FireAMP™ product, an intelligent, enterprise-class advanced malware protection solution that uses big data analytics to discover, analyze and block advanced malware. This release is the culmination of years of hard development work by the Immunet team that was acquired by Sourcefire in 2010. It's also an evolution of the radically disruptive big data security platform that we've been building for the past 3 ½ years since the birth of Immunet.

All of the celebration aside, you might ask yourself – another anti-malware product? Well, no. This isn't just another anti-malware product. FireAMP is representative of what your enterprise really needs to address advanced malware. Over the course of the past year we've talked to well over 100 enterprises and heard one common theme: they have the latest endpoint security products, with the latest DAT files, but they are still heavily infected (in fact, our data shows that in many organizations, up to 10 percent of all computers are infected). More importantly, they don't know how these threats got in, how they are spreading when inside, or which computers have them.

The industry has certainly been trying as hard as, if not harder than, we always have. The attackers have been working pretty hard too, but it doesn't take much effort to defeat today's anti-malware defenses. Most threats can be packed and repacked with publicly available tools in order to bypass most endpoint security technologies. The industry has been stuck in a never-ending cycle of trying to develop better detection technologies. Vendors have spent 20 years building signature engines, heuristic engines, behavioral engines, emulators, sandboxes, reputation services, and clouds, to name just a few, and most still cannot detect today's advanced malware.

Introducing Visibility

In order to win this war we need to borrow a page from modern military strategy. That involves collecting and processing as much data as possible in order to achieve the best tactical advantage. One of the things that the cloud, combined with massively scalable data mining and analysis technologies, gives us is the ability to collect, store, and process an incredible amount of information. This approach is the only effective way to preempt attacks and identify security risks before they can act. One of the key tenets of FireAMP is to use these technologies to provide COMPLETE visibility.

Figure 1. FireAMP File Trajectory

FireAMP turns the cloud into what I like to call a "flight recorder" for the endpoint, allowing you to track ALL file activity across the enterprise. By using this approach we gain an unprecedented level of detail, including identifying the root cause of threats as well as their entry point, trajectory, infected computers, and their specific behaviors. This simplifies the laborious and costly forensic and cleanup effort. This advanced visibility can only be accomplished on the endpoint, and not from the network where other similar products reside.

Introducing Control

Just the act of discovering and analyzing threats is clearly not enough if the threats themselves remain resident. Modern anti-malware solutions rely on a lengthy and proprietary signature update process that leaves organizations exposed for days, and in some cases, weeks, before providing a defense. Sourcefire has embraced an open architecture since day one, as witnessed by our open source Snort platform.

With the launch of FireAMP we are introducing a second disruptive technology into the advanced malware battle – Outbreak Control. FireAMP offers Outbreak Control for customers to create custom signatures and to tag and quarantine malware themselves, immediately, sidestepping the traditional vendor detection process. Next, FireAMP's Cloud Recall technology quickly rechecks all endpoints without a full scan, using data that has already been collected in the cloud, and automatically quarantines files as needed. This approach dramatically reduces the exposure window for organizations experiencing advanced malware infections.
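To make the two ideas above concrete, here is a small added model of an endpoint "flight recorder" (the file-trajectory idea from the Visibility section) together with a retrospective recall step (the Outbreak Control idea above). This is constructed example code written for this post, not FireAMP's or Sourcefire's own implementation; the event schema, the class names, the hostnames and the hashes are all invented for illustration. Endpoints append file events (hash, host, action, producing parent) to a central store; when an analyst later adds a custom signature for a hash, the recall step queries the data already collected instead of rescanning any endpoint, and the stored parent links let the same data answer where the file first appeared and what dropped it.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    ts: int                 # constructed timestamp, seconds since start of the exercise
    host: str               # endpoint that reported the event (hypothetical hostnames)
    sha256: str             # hash of the file the event concerns
    action: str             # "created", "executed" or "copied"
    parent: Optional[str]   # hash of the file/process that produced it, if the agent knows


class FlightRecorder:
    """Central, append-only store of every file event reported by endpoints."""

    def __init__(self) -> None:
        self.events: list[FileEvent] = []

    def record(self, ev: FileEvent) -> None:
        self.events.append(ev)

    def trajectory(self, sha256: str) -> list[FileEvent]:
        """All events for one hash, in time order: the file's path through the fleet."""
        return sorted((e for e in self.events if e.sha256 == sha256), key=lambda e: e.ts)

    def hosts_with(self, sha256: str) -> list[str]:
        """Every endpoint that has ever reported this hash."""
        return sorted({e.host for e in self.events if e.sha256 == sha256})

    def entry_point(self, sha256: str) -> Optional[FileEvent]:
        """Earliest sighting of the hash anywhere, i.e. where it entered the enterprise."""
        traj = self.trajectory(sha256)
        return traj[0] if traj else None

    def root_cause(self, sha256: str) -> list[str]:
        """Follow parent links back from the earliest sighting to the original ancestor.
        Returns the chain oldest-first, e.g. [dropper, payload]."""
        chain, seen = [sha256], {sha256}
        while True:
            first = self.entry_point(chain[-1])
            if first is None or first.parent is None or first.parent in seen:
                return list(reversed(chain))
            chain.append(first.parent)
            seen.add(first.parent)


class OutbreakControl:
    """Analyst-defined signatures plus a recall that re-evaluates stored telemetry."""

    def __init__(self, recorder: FlightRecorder) -> None:
        self.recorder = recorder
        self.custom_signatures: set[str] = set()

    def add_custom_signature(self, sha256: str) -> None:
        self.custom_signatures.add(sha256)

    def recall(self) -> dict[str, list[str]]:
        """Map each endpoint to the flagged hashes it holds, using only the data already
        in the recorder (no endpoint is rescanned)."""
        hits: dict[str, list[str]] = {}
        for sig in self.custom_signatures:
            for host in self.recorder.hosts_with(sig):
                hits.setdefault(host, []).append(sig)
        return {h: sorted(v) for h, v in sorted(hits.items())}


# Constructed sample data: a dropper arrives on ws-01, writes a payload, and the
# payload is later copied to two more workstations. One unrelated clean file too.
DROPPER = "a1" * 32
PAYLOAD = "b2" * 32
CLEAN = "c3" * 32


def build_sample_recorder() -> FlightRecorder:
    r = FlightRecorder()
    for ev in (
        FileEvent(100, "ws-01", DROPPER, "created", None),      # entry point of the chain
        FileEvent(101, "ws-01", DROPPER, "executed", None),
        FileEvent(102, "ws-01", PAYLOAD, "created", DROPPER),   # dropper writes the payload
        FileEvent(103, "ws-01", CLEAN, "created", None),
        FileEvent(200, "ws-02", PAYLOAD, "copied", PAYLOAD),    # lateral copy
        FileEvent(260, "ws-03", PAYLOAD, "copied", PAYLOAD),    # lateral copy
    ):
        r.record(ev)
    return r


def demo() -> tuple[list[str], list[str], dict[str, list[str]]]:
    """Analyst flags PAYLOAD; recall finds every holder, trajectory explains how it spread."""
    recorder = build_sample_recorder()
    control = OutbreakControl(recorder)
    control.add_custom_signature(PAYLOAD)
    return recorder.hosts_with(PAYLOAD), recorder.root_cause(PAYLOAD), control.recall()


if __name__ == "__main__":
    hosts, chain, quarantine = demo()
    print("infected hosts:", hosts)
    print("root cause chain:", chain)
    print("quarantine plan:", quarantine)
```

The point of the design is that detection and response are decoupled from scanning: once the events are in the store, a newly written signature is answered from the store in one query, and the same store answers the forensic questions (first sighting, producing process, spread between hosts) that a signature-only product cannot.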

In the course of one's career in the technology world, you have only a few opportunities to develop and introduce an entirely new product. The Visibility and Control capabilities in this FireAMP™ release mark a unique new approach to fighting the advanced malware problem that is plaguing many of the world's largest organizations. We are proud to introduce FireAMP™ as a new, powerful tool in your arsenal to fight this battle.

For more information on FireAMP, register for one of three webinars

Labels:

advanced malware protection fireamp