Sourcefire moves into malware analytics

Sourcefire has launched a malware discovery and analysis solution that uses big data analytics.

Named FireAMP, it utilises technology from Immunet, which Sourcefire acquired a year ago. According to the company, FireAMP is designed for large enterprises and delivers the visibility and control required to block threats missed by other security layers.

Oliver Friedrichs, senior vice-president of Sourcefire's cloud technology group, said that with anti-virus vendors typically pushing out anything from 10,000 signatures a day, security is becoming a big data problem.

Friedrichs said: “We developed FireAMP with sophisticated detection, visibility and control especially for enterprises whose primary solutions are lacking. FireAMP's discovery and analysis capabilities can help these companies quickly determine which systems are infected, how the infection occurred, the extent of the infection and how the malware behaves in order to both stop the malware and recover.

“Advanced malware is a new threat so it is about how you address it, while visibility and control are very important. It needs to be dynamic and you need to know if you have a problem and who was first infected and how.”

He told SC Magazine that FireAMP takes the data and stores it in the cloud "in a type of black-box recorder" so future files and activity can be compared. “Now you will have all data for the enterprise, [know] how it got in, what it is and what it did. Otherwise you would spend 24 or 48 hours looking,” he said.

“You can have a detection engine that is better than anti-virus, but there is nothing that will stop everything. This is intended to diagnose what happened after the event. You can determine the core problem of what was causing the threat and find the malware on the system.”

He added that FireAMP has forensic capabilities so a user can find out what happened with certainty.

FireAMP uses a lightweight agent to communicate with a cloud-based analysis engine, and only leverages metadata for evaluation, requiring less storage, computation and memory than other security products. This minimises system impact and allows it to coexist with and supplement existing security layers without sacrificing performance or manageability, according to the company.

Asked if Sourcefire's intention was to step into the ‘second security layer' sector, Friedrichs said that most of the focus in that sector is on advanced malware, but they detect at the gateway and cannot remove threats from the network; he said users have to be able to analyse the system and remove malware.

Leon Ward, field marketing manager EMEA at Sourcefire, said it is not possible to find and block all malware, but this will enable security teams to find out when they were infected.

Sign up to our newsletters