Sourcefire boosts remediation technology with trajectory and indicators of compromise features
Sourcefire has added file detection and trajectory software to its advanced malware protection portfolio, aimed at giving visibility into threats for remediation.
It said that the cloud-based technology gives users detailed visibility into malware attack activity and enables them to detect, remediate and control malware outbreaks.
Two types of trajectory capability are offered. Network File Trajectory, it said, allows malware to be tracked across the network, with detailed information on point of entry, propagation, protocols used and which users or endpoints are involved; Device Trajectory builds upon existing endpoint file trajectory capabilities to deliver critical analysis of system-level activities, file origination and file relationships for root-cause and forensic analysis.
Speaking to SC Magazine, Sean Newman, field product manager EMEA at Sourcefire, said that a major problem in remediation arises when malware gets in undetected: knowing what to look for and how it acted.
He said: “We focus on the trajectory within the network and understanding where the files go and keep track of them in future. It is about stopping malware propagation and finding indicators of compromise.
“Often with advanced attacks, you cannot see it and cannot do anything about it. Once you have determined it to be bad, the trajectory can do something about it. The real forensic part is when it is known to be bad, you can look into devices to see what it is doing and specify malware when it starts to run.”
Also added are Indicators of Compromise and Device Flow Correlation capabilities, which Sourcefire claims enable users to correlate seemingly benign and unrelated events, while also monitoring device activity and communications to uncover potential malware. Newman said that the Indicators of Compromise technology works with Sourcefire's cloud and Big Data backend to see what was impacted.
Asked if this was using signatures, Newman said it was not; instead it looks for common malware behaviours and correlates them against the backend database. “We use the malware to find a bad file, or the cloud looks at all the files that we know and we can tell the state of the malware and the user will get an alert and can do something about it,” he said.
The device flow correlation technology looks at network-based connections to make a determination of what was compromised. According to the company, this helps determine whether a system may have been compromised by providing users with a prioritised list of potentially compromised devices and helping control malware proliferation on endpoints outside the protections of a corporate network.
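To make the two ideas above concrete (file trajectory across the network and a prioritised list of potentially compromised devices), here is an added, self-contained example written for this page. It is not Sourcefire code and makes no claim about how their product is implemented; the telemetry records, the host names, the hashes, the documentation-range IP addresses and the scoring weights are all constructed for illustration. Given a stream of file sightings and outbound connections, it reconstructs where a file entered, how it propagated and on which hosts it surfaced, and then, once a hash or destination is retrospectively judged bad, ranks the hosts that most need attention.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileSighting:
    """One observation of a file on a host (constructed telemetry format)."""
    ts: int          # seconds since start of the constructed capture
    host: str        # endpoint that received the file
    sha256: str      # shortened hash, constructed for the example
    source: str      # where it came from: another host or "internet"
    protocol: str    # transport the file arrived over
    executed: bool   # whether the endpoint actually ran it


@dataclass(frozen=True)
class Connection:
    """One outbound network flow from a host (constructed telemetry format)."""
    ts: int
    host: str
    dst: str


# Constructed sample telemetry: one file hops internet -> ws-01 -> ws-02 -> srv-03,
# an unrelated file lands on ws-04, and two hosts talk to a constructed C2 address.
SIGHTINGS = [
    FileSighting(100, "ws-01", "aa11", "internet", "HTTP", True),
    FileSighting(130, "ws-02", "aa11", "ws-01", "SMB", False),
    FileSighting(160, "srv-03", "aa11", "ws-02", "SMB", True),
    FileSighting(110, "ws-04", "bb22", "internet", "HTTP", False),
]
CONNECTIONS = [
    Connection(105, "ws-01", "203.0.113.7"),
    Connection(170, "srv-03", "203.0.113.7"),
    Connection(120, "ws-04", "198.51.100.9"),
]


def trajectory(sightings, sha256):
    """Reconstruct a file's path through the network from its sightings.

    Returns None if the hash was never seen; otherwise the point of entry,
    the protocol it entered over, each hop (source -> host, protocol) in
    time order, and every host on which the file surfaced.
    """
    hits = sorted((s for s in sightings if s.sha256 == sha256), key=lambda s: s.ts)
    if not hits:
        return None
    return {
        "entry": hits[0].host,
        "entry_via": hits[0].protocol,
        "path": [(s.source, s.host, s.protocol) for s in hits],
        "hosts": [s.host for s in hits],
    }


def prioritise(sightings, connections, bad_hashes, bad_dsts):
    """Rank hosts once a hash or destination has been judged bad after the fact.

    Scoring (constructed weights, not a vendor's): a bad file that executed
    counts 3, a bad file merely present counts 1, and a flow to a flagged
    destination counts 2. Hosts with no evidence are omitted. Ties are broken
    by host name so the output is stable.
    """
    score = defaultdict(int)
    for s in sightings:
        if s.sha256 in bad_hashes:
            score[s.host] += 3 if s.executed else 1
    for c in connections:
        if c.dst in bad_dsts:
            score[c.host] += 2
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # A retrospective verdict arrives: hash aa11 is malware, 203.0.113.7 is its C2.
    print(trajectory(SIGHTINGS, "aa11"))
    print(prioritise(SIGHTINGS, CONNECTIONS, {"aa11"}, {"203.0.113.7"}))
```

The point of the split into two functions is that the verdict can arrive long after the sightings were recorded: the trajectory ledger is kept for every file, and only when a hash is later marked bad do you query it to find the entry point and every host to clean. The host ws-04 never appears in the ranked list because neither its file nor its destination was flagged, which is the "seemingly benign" case the text describes.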
Martin Roesch, Sourcefire founder and CTO, said: “Even organisations which are diligent in their security measures realise that breaches are entirely too likely in the face of modern threats and they need solutions that help them deal with malware before, during and after an attack.
“The enhanced trajectory features in our Advanced Malware Protection portfolio provide customers with decisive insight when a breach occurs and extend Sourcefire's innovative retrospective security with the ability to immediately locate and eradicate malicious files everywhere they surface.”