A new generation of IT security solutions for an evolving threat landscape

By Linda Musthaler | August 28, 2013

Posted in: Network Security Trends

I recently had a chat with Manish Gupta, senior vice president of products at security vendor FireEye. Gupta described how the IT threat landscape has changed dramatically over the last three or four years, and how this has rendered legacy security solutions rather weak. This means that a new generation of IT security solutions has to be developed to counter the new threats.

Gupta says that adversaries have become much smarter and much more organized. The days of people hacking into systems for notoriety are gone; they are in this to make money. In many cases, the bad guys are funded by nation-states and have very specific targets in mind. They know that they want the intellectual property residing in company X, and they are after nothing but that. Given what they are after and how well funded they are, they are also very patient: they take the time to understand who they are going after. It is that shift in how the attacks and the attackers behave that has rendered legacy security solutions rather weak, including traditional antivirus and traditional web and email gateways.

“Over the last 10 or 15 years our industry has developed a bunch of security technologies to protect organizations from yesterday’s attacks,” says Gupta. “All of these technologies require prior knowledge of the malware or the vulnerabilities, meaning weaknesses in software. The modus operandi of solution vendors was or has been that I will let the first few machines get infected, then I will take those machines into my research lab to find out what they got infected by, and I will create a signature. And then that signature that can detect any future instances of that same malware will help to protect my customers. This is the mode that we were in as an industry and it worked really well for many years.”

I was curious about his comment about “yesterday’s attacks” and asked him what is different now. “In today’s attacks,” says Gupta, “we don’t see the same malware in most cases after the first hour of its life. Attackers keep changing it. So a new security architecture is needed that isn’t dependent upon having seen the same attack before. Security vendors have to come up with an architecture that has the ability to detect attacks even though you have never seen them before.”

As you might guess, FireEye is one of those “new architecture” solution providers that has developed technology to detect unknown threats, but it’s not the only one. The latest generation of solution vendors is taking a variety of approaches to detect and prevent advanced persistent threats and other unknown threats. Here are just a few…

FireEye – Gupta’s company focuses on understanding what the attacker is doing to make his way into the network and steal information. FireEye protects against three attack vectors on the endpoint: email, web, and files. The solution runs all email, web content and attachments in a virtual machine to see where they go and what they do before the real user has access to them. If any malicious activity, code or payload is found, the user is prevented from accessing the web page or opening the file.

OpenDNS – This is a recursive DNS company that filters all of a customer’s web traffic through a cloud service. Using billions of daily DNS requests made by its clients all over the world, OpenDNS uses sophisticated predictive algorithms to perform analysis of traffic to determine if it is malicious or not. If it is, the traffic is quarantined so that it never reaches a customer’s network.

Trusteer – This security provider focuses on preventing exploits from reaching customers’ endpoints by using stateful application control. When an endpoint device triggers a file download from the Internet – either on purpose, such as an application update, or unintended, such as a drive-by drop of malware – the solution analyzes the memory state and properties of the application running on the endpoint to determine whether the download is legitimate and whether it violates the normal operation of the application. Trusteer quarantines malicious downloads so they can’t infect an endpoint device.

Seculert – This new entry into the security market analyzes more than 40,000 different samples of unknown malware every day. The samples come from a variety of sources, including Seculert’s own security modules, a range of partner AV companies, and Seculert’s customers. The analysis yields a model profile of malware that functions similarly to a signature, but there’s no need to reverse engineer a known piece of malware to develop the profile. These model profiles are fed to screening systems that stop the files before they can do their damage.

Corero – This player is redefining the enterprise perimeter by offering appliance-based mitigation in front of the firewall, protecting against DDoS attacks and the broad spectrum of unwanted cyber infiltrations. Complementary to cloud protection providers and traditional firewall technologies, Corero provides comprehensive solutions for intelligent, real-time protection against cyber-attacks.

These are just a few of the numerous next-generation security vendors that have developed innovative approaches to protecting networks and endpoints from APTs and unknown threats. Vendors are getting creative in their use of big data, analyzing millions and billions of data points to find the malicious needles in the haystack. This is what it will take as the haystack gets bigger and the needles get ever sharper.