One of the biggest security threats to a modern business is a malware outbreak. The risk of its occurrence is fairly high, thanks to the prevalence of malware-spam campaigns and easy propagation via USB devices and network vulnerabilities, and the impact on a business can be devastating. Think of a company-wide ransomware attack! Malware has already taken hospitals, government departments, power grids and airlines offline for days or weeks.
Now, malware in its many varieties is not new. For decades there has been a battle between antivirus companies and malware creators. Why has there never been a solution for this problem?
The answer is fairly simple: malware authors will always be one step ahead of the anti-malware vendors. Malware detection and prevention are inherently reactive to newly developed malware; after all, it's hard to fix a problem that hasn't been created yet. Some progress has been made with machine-learning program classification and sandboxing, but these are expensive and far from reliable. What has been successful, however, is the collection of threat intelligence around malware.
Threat intelligence attempts to gather as many unique identifiers related to a particular malware sample as possible. This means that new files that are suspicious or malicious (or that sometimes even appear clean at first glance) can easily be compared to the existing malware dataset.
This comparison can be done manually, but these days many endpoint products such as CrowdStrike Falcon and Carbon Black, or SIEM products such as Splunk Enterprise Security and ArcSight, can do this automatically. They interface with online cloud-based malware collection platforms such as VirusTotal and Hybrid Analysis. All that is usually needed is an API request carrying a hash; after this, intelligence on the file is fed back to the customer.
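To make the hash-based lookup concrete, here is an added example (not code from the original post or from any of the products named) that hashes a file, queries a local stand-in for the malware dataset, and shows why the approach is reactive: a trivially modified build of a known sample produces a hash the dataset has never seen. The sample bytes, the dataset contents and the `THREAT_INTEL` dictionary are constructed for illustration; the request-building helper only assembles a VirusTotal v3 file lookup and never sends it.

```python
import hashlib

# Constructed stand-in for a previously collected malicious file.
KNOWN_BAD = b"constructed-bytes-of-a-previously-seen-malicious-file"


def sha256_hex(data: bytes) -> str:
    """Compute the SHA-256 hex digest that TI platforms key their records on."""
    return hashlib.sha256(data).hexdigest()


# Constructed local stand-in for the cloud-hosted malware dataset, keyed by hash.
THREAT_INTEL = {
    sha256_hex(KNOWN_BAD): {"verdict": "malicious", "family": "ConstructedFamily"},
}


def lookup(data: bytes) -> dict:
    """Hash the file and look the hash up, as an EDR or SIEM integration would."""
    digest = sha256_hex(data)
    record = THREAT_INTEL.get(digest)
    if record is None:
        # Unknown hash: no intelligence yet, which is the reactive gap the text describes.
        return {"sha256": digest, "verdict": "unknown"}
    return {"sha256": digest, **record}


def build_vt_request(digest: str, api_key: str) -> tuple[str, dict]:
    """Assemble (but do not send) the VirusTotal v3 file-report request for a hash."""
    url = f"https://www.virustotal.com/api/v3/files/{digest}"
    headers = {"x-apikey": api_key}
    return url, headers


def demo() -> tuple[str, str]:
    """Return verdicts for the known sample and for a one-byte-different variant."""
    seen = lookup(KNOWN_BAD)
    # A recompiled or padded build of the same malware: the content is almost
    # identical, but exact-hash matching treats it as a brand-new, unknown file.
    variant = KNOWN_BAD + b"\x00"
    unseen = lookup(variant)
    return seen["verdict"], unseen["verdict"]


if __name__ == "__main__":
    print(demo())  # prints ('malicious', 'unknown')
```

The second verdict is the point: exact-hash intelligence only covers samples already collected, so defenders pair it with other indicators rather than relying on it alone.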
This is where the business model of these collection-hosting companies (Read more...)
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Frank Siemons. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/zCoHzFZuEKE/