Cyber Security Institute

Tuesday, June 11, 2013

Seculert uses big data security analytics to precisely identify APTs and other malware

Palo Alto Networks, a provider of network security solutions, has introduced its appliance for the deployment of a private cloud solution for the detection, analysis and prevention of advanced persistent threats (APTs). The Palo Alto Networks WF-500 appliance is designed to address the needs of customers who wish to gain access to the comprehensive sandbox detection and analysis capabilities of the Palo Alto Networks public cloud-based WildFire subscription offering on a customer-owned platform.


In last week’s newsletter I wrote about new approaches to IT security that utilize big data and security analytics (see “Security analytics will be the next big thing in IT security”).

What’s unique about Swamp is that it is an automated malware analysis environment that allows the malware to evolve over time—minutes, hours, or however long it takes to observe and analyze the software’s behavior. By comparison, a typical sandbox malware inspection environment doesn’t let the malicious software run for more than a few minutes, so a sandbox solution might overlook malware that doesn’t act within that time frame.

Using results from Swamp, Seculert infects a lab full of its own devices with malware in order to become a member of various botnets, so the company can learn exactly who is controlling each botnet. Seculert applies different methods to intercept the botnet traffic, and in that way it can detect other members of the botnet and also collect the actual traffic that travels within it.

Seculert customers provide identifying keywords such as their IP ranges or Web interface domains, and that information is used to search the data that was collected from the botnet traffic.

Subscribers to the service upload, on an ad hoc or ongoing basis, months’ or even years’ worth of their gateway traffic log data to Seculert’s elastic big data analysis cloud, where it is analyzed against the malware samples from the Swamp module. In addition, Sense applies a wide variety of methodologies—such as malicious traffic correlation from live botnets, domain/IP reputation, DGA (domain generation algorithm) detection, machine learning sets and more—to detect suspicious and malicious activity in these Internet traffic logs.

Whenever Seculert Sense identifies malicious activity in any given log source, it will automatically be able to detect similar activities in other sources, even if the logs originate from different vendors’ products.

Customers can upload log files from existing secure web gateway or proxy solutions (such as Bluecoat, Squid and more), and Seculert Sense will automatically identify previously undetected malware attacks.
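To make the vendor-agnostic log analysis described above concrete, here is an added example (not Seculert's code or the page's own) that normalizes a Squid access.log and a simplified Blue Coat/ELFF-style log, applies a crude DGA heuristic and a reputation list, and then reports a host flagged through one vendor's log wherever it appears in the other vendor's log. The log lines, the Blue Coat field order and the reputation address are all constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed sample gateway logs (not from the page). Squid native access.log format,
# and a simplified Blue Coat/ELFF-style layout (assumed field order) from a second vendor.
SQUID_LOG = [
    "1370950000.123 234 10.0.0.5 TCP_MISS/200 1024 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html",
    "1370950010.456 120 10.0.0.7 TCP_MISS/200 512 GET http://cdn-updates.example.net/check - DIRECT/203.0.113.5 text/plain",
]
BLUECOAT_LOG = [
    "2013-06-11 10:00:05 10.0.1.9 200 TCP_NC_MISS GET http xq7zk3vbp9wl.info / - -",
    "2013-06-11 10:00:09 10.0.1.4 200 TCP_NC_MISS GET http cdn-updates.example.net /check - -",
    "2013-06-11 10:00:12 10.0.1.2 200 TCP_NC_MISS GET http mail.example.net /inbox - -",
]
# Constructed reputation feed: a placeholder C2 address from the TEST-NET-3 range.
BAD_IPS = {"203.0.113.5"}

def parse_squid(line):
    f = line.split()
    host = re.match(r"https?://([^/:]+)", f[6]).group(1)
    return {"source": "squid", "client": f[2], "host": host, "server_ip": f[8].split("/")[-1]}

def parse_bluecoat(line):
    f = line.split()  # this layout logs no server IP ("-"), only the requested host
    return {"source": "bluecoat", "client": f[2], "host": f[7], "server_ip": f[10]}

def load_records():
    return [parse_squid(l) for l in SQUID_LOG] + [parse_bluecoat(l) for l in BLUECOAT_LOG]

def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def looks_dga(host):
    # Crude DGA heuristic on the registrable label: long, high-entropy, nearly vowel-free.
    label = host.split(".")[-2] if "." in host else host
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return len(label) >= 10 and shannon_entropy(label) >= 3.3 and vowel_ratio < 0.2

def analyze(records):
    # Pass 1: derive indicators from every source: DGA-looking hosts, and hosts that
    # any source saw resolving to a reputation-listed IP.
    bad_hosts = {}
    for r in records:
        if looks_dga(r["host"]):
            bad_hosts.setdefault(r["host"], set()).add("dga")
        if r["server_ip"] in BAD_IPS:
            bad_hosts.setdefault(r["host"], set()).add("reputation")
    # Pass 2: apply the indicators to every record, so a host flagged through one
    # vendor's log is also reported in the other vendor's log that lacks the evidence.
    return [(r["source"], r["client"], r["host"], sorted(bad_hosts[r["host"]]))
            for r in records if r["host"] in bad_hosts]

if __name__ == "__main__":
    for hit in analyze(load_records()):
        print(hit)
```

The Blue Coat client 10.0.1.4 is reported only because the Squid log saw the same host resolve to the listed address, which is the cross-source correlation the text describes.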
