In last week’s newsletter I wrote about new approaches to IT security that utilize big data and security analytics (see “Security analytics will be the next big thing in IT security”).
What is unique about Swamp is that its automated malware analysis lets a sample keep running and evolving over time: minutes, hours, or however long it takes to observe and analyze the software's behavior. By comparison, a typical sandbox inspection environment lets suspect software run for only a few minutes, so a sandbox can overlook malware that does nothing observable inside that window, for example because it sleeps or waits for a trigger before it acts.
Using results from Swamp, Seculert infects a lab full of its own devices with the malware in order to join various botnets as a member, so that the company can learn exactly who is controlling each botnet. Seculert applies several methods to intercept the botnet traffic; from that traffic it can identify other members of the botnet and collect the actual traffic exchanged within it.
Seculert customers provide identifying keywords, such as their IP ranges or Web-interface domains, and that information is used to search the data collected from the botnet traffic.
Subscribers to the service upload, on an ad hoc or ongoing basis, months' or even years' worth of their gateway traffic log data to Seculert's elastic big-data analysis cloud, where it is analyzed against the malware samples from the Swamp module. In addition, Seculert Sense applies a wide variety of methodologies, such as correlation with malicious traffic from live botnets, domain/IP reputation, domain generation algorithm (DGA) detection, machine-learning sets and more, to detect suspicious and malicious activity in these Internet traffic logs.
Whenever Seculert Sense identifies malicious activity in any given log source, it can automatically detect similar activity in the other sources, even when the logs come from different vendors' products.
Customers can upload log files from their existing secure web gateway or proxy solutions (such as Blue Coat, Squid and more), and Seculert Sense will automatically identify previously undetected malware attacks.
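To make the kind of log analysis described above concrete, here is an added example of my own; it is not Seculert's code, nor any vendor's, and it does not claim to reproduce how Sense works. It runs a small detection pass over two proxy-log sources: a constructed Squid native-format access log and a constructed W3C/ELFF-style log of the shape Blue Coat ProxySG and similar gateways can emit. On the first source it applies a crude domain generation algorithm (DGA) heuristic plus domain/IP reputation lists; it then pivots the indicators it found onto the second source, which is the cross-source correlation the text describes. Every log line, client address, destination domain, reputation entry and threshold below is a constructed assumption (the IPs are from documentation ranges), not data from the article.

```python
import math
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed Squid native-format access log (hypothetical, not real traffic).
# Fields: time elapsed client code/status bytes method URL ident hierarchy/peer type
SQUID_LOG = """\
1370582400.123 245 10.1.2.15 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1370582401.456 198 10.1.2.15 TCP_MISS/200 412 GET http://kq3x9zvb1tqpw7f.com/gate.php - HIER_DIRECT/203.0.113.7 text/plain
1370582402.789 50 10.1.2.22 TCP_MISS/404 300 GET http://xvhlqpzrtkwmbd.net/ - HIER_DIRECT/198.51.100.9 text/html
1370582403.012 120 10.1.2.22 TCP_HIT/200 2048 GET http://cdn.example.org/lib.js - NONE/- application/javascript
1370582404.345 90 10.1.2.31 TCP_MISS/200 780 POST http://updates.example.net/check - HIER_DIRECT/192.0.2.44 text/plain
"""

# Constructed W3C ELFF-style log from a second proxy (hypothetical); column
# names come from the '#Fields:' header, as in Blue Coat ProxySG and similar gateways.
ELFF_LOG = """\
#Fields: date time c-ip cs-host cs-uri-path s-ip sc-status
2013-06-07 08:00:05 10.9.0.5 kq3x9zvb1tqpw7f.com /gate.php 203.0.113.7 200
2013-06-07 08:00:06 10.9.0.8 www.example.com /about 93.184.216.34 200
2013-06-07 08:00:07 10.9.0.9 mirror.example.org /pkg.tar 192.0.2.44 200
"""

# Hypothetical reputation sets, standing in for indicators learned from live botnet traffic.
BAD_IPS = {"192.0.2.44"}
BAD_DOMAINS = {"updates.example.net"}

def parse_squid(text):
    """Yield {client, host, peer_ip} for each Squid native-format line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # truncated or unrelated line
        host = (urlsplit(f[6]).hostname or "").lower()
        peer = f[8].partition("/")[2]  # 'HIER_DIRECT/1.2.3.4' -> '1.2.3.4'; 'NONE/-' -> '-'
        yield {"client": f[2], "host": host, "peer_ip": peer}

def parse_elff(text):
    """Yield {client, host, peer_ip} for an ELFF log, mapping columns via '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            row = dict(zip(fields, line.split()))
            yield {"client": row["c-ip"], "host": row["cs-host"].lower(), "peer_ip": row["s-ip"]}

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_like_dga(host, min_len=12, min_entropy=3.5, max_vowel_ratio=0.2):
    """Crude DGA heuristic: a long second-level label that is high-entropy or vowel-poor.
    Simplification: production code would use the Public Suffix List and a trained model."""
    parts = host.split(".")
    label = parts[-2] if len(parts) >= 2 else host
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy or vowel_ratio < max_vowel_ratio

def classify(rec, bad_ips=BAD_IPS, bad_domains=BAD_DOMAINS):
    """Names of the rules a record trips; an empty list means it looked clean."""
    reasons = []
    if rec["host"] in bad_domains:
        reasons.append("domain-reputation")
    if rec["peer_ip"] in bad_ips:
        reasons.append("ip-reputation")
    if looks_like_dga(rec["host"]):
        reasons.append("dga-heuristic")
    return reasons

def scan(records):
    """First pass: (record, reasons) for every record that trips at least one rule."""
    hits = []
    for rec in records:
        reasons = classify(rec)
        if reasons:
            hits.append((rec, reasons))
    return hits

def pivot(records, hits):
    """Second pass over another log source: client -> indicators from `hits` it also contacted."""
    indicators = {r["host"] for r, _ in hits} | {r["peer_ip"] for r, _ in hits if r["peer_ip"] not in ("", "-")}
    affected = defaultdict(set)
    for rec in records:
        for key in ("host", "peer_ip"):
            if rec[key] in indicators:
                affected[rec["client"]].add(rec[key])
    return dict(affected)

if __name__ == "__main__":
    squid_hits = scan(parse_squid(SQUID_LOG))
    for rec, why in squid_hits:
        print(f"squid: {rec['client']} -> {rec['host']} ({rec['peer_ip']}): {', '.join(why)}")
    for client, inds in pivot(parse_elff(ELFF_LOG), squid_hits).items():
        print(f"elff:  {client} contacted known indicators {sorted(inds)}")
```

Run directly, it prints the three flagged Squid records and then the two clients in the second log that touched the same domains or server IPs, even though that log has a different layout. The point of the second pass is that an indicator learned from one source (a DGA-looking domain, a reputation hit) becomes a search key across every other source, regardless of vendor. The DGA rule is deliberately minimal: fixed entropy and vowel thresholds on the second-level label will both miss and over-flag real traffic, so treat it as a sketch of the approach rather than a production detector.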
Link: http://m.networkworld.com/newsletters/techexec/2013/060713bestpractices.html?page=1