Freezing the Spread of Advanced Malware Should Not be Assumed

Mike Fey posted an interesting blog last week on another myth surrounding advanced malware. In the latest post, Myth #6 – Finding Advanced Malware Stops the Threat, he busts the myth and explains that malware discovery is just that, discovery. And discovery by itself does not actually stop anything.

McAfee recently announced Advanced Threat Defense, a new product that enables this dynamic system-wide security integration. It complements and tightly integrates with your existing McAfee security products, providing a comprehensive solution to defend against advanced malware. It not only identifies (FIND) advanced malware, but also tightly integrates with products like Network Security Platform (IPS) and McAfee Web Gateway to block (FREEZE) threats. Further integration with McAfee Real Time and endpoint systems enables broad visibility and the ability to remediate (FIX) impacted systems.

Since it’s freezing outside right now (in many parts of the US anyway), the FREEZE integration seems to be an appropriate focus for the day. There are a few reasons why advanced malware products, by and large, do not really do blocking.

First of all, the oldest advanced malware product has barely been on the market for more than a year or so, and no serious networking organization would risk deploying these products inline. The potential for overrun and failure is too high, and uptime is still mandatory.

Network Security Platform and McAfee Web Gateway are mature networking products designed to operate inline in high speed environments and are now tightly integrated with Advanced Threat Defense. Deploying Advanced Threat Defense with either yields a stable architecture with inline blocking capabilities that malware analysis systems deployed inline simply cannot match. These stand-alone malware analysis systems were built for inspection, not high-speed throughput and traffic management. Whereas other advanced malware products are not ready for inline blocking, McAfee’s solution is already in the trenches.

The second reason is that sandboxing requires significant resources and time to properly determine whether a suspect file is malicious. Unlike traditional firewall, IPS or gateway products that are largely powered by signatures and make their blocking decisions in near real time, advanced malware analysis can take seconds or minutes (even hours in some cases, with one vendor working from a 24-hour SLA). User experience would suffer greatly if file delivery were delayed for analysis to take place, so suspicious files pass on to the endpoint while copies of the suspicious file are sent to the sandbox (this is exactly what happens for sandboxes operating off a SPAN port as well).

By the time the sandbox completes its analysis, even if it only took a few seconds like McAfee’s Advanced Threat Defense, the malicious file has already infected the endpoint. This is a paradigm shift from traditional network security, where blocking occurred in real time. With advanced malware, at best you are stopping further infiltration of a malicious file, and even then you still have to instrument new rules in devices that can block (FREEZE), and you also have to go to the endpoint to clean it and any other endpoints it subsequently infected (FIX).
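The verdict lag described above is easy to see in a small event simulation. The following is an added example, not code from the original post or from any McAfee product: it models a suspicious file whose copy is submitted to a sandbox on first sight while deliveries continue unheld, then, when the (assumed malicious) verdict arrives, pushes a block rule (FREEZE) and lists every endpoint that already received the file and therefore needs cleaning (FIX). The hash, host names, delivery times and the `simulate` helper are all constructed for illustration.

```python
"""Added example: verdict lag of out-of-band sandboxing (FIND -> FREEZE -> FIX).

Constructed scenario: a suspicious file is delivered to endpoints while a
copy is analysed by a sandbox. Delivery is never held for the verdict, so
every endpoint that receives the file before the verdict is already
infected and must be remediated; only deliveries after the block rule is
pushed are stopped.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import heapq

# Constructed placeholder hash, not a real indicator of compromise.
SUSPECT = "sha256:" + "ab" * 32


@dataclass(order=True)
class Event:
    t: float                                  # seconds on the timeline
    seq: int                                  # tie-breaker for equal times
    kind: str = field(compare=False)          # "deliver" or "verdict"
    host: str = field(compare=False)          # endpoint receiving the file
    sha256: str = field(compare=False)


@dataclass
class Outcome:
    delivered: List[Tuple[float, str]]        # reached the endpoint (infected)
    blocked: List[Tuple[float, str]]          # stopped by the inline rule
    rule_pushed_at: Optional[float]           # when FREEZE took effect
    to_remediate: List[str]                   # hosts needing FIX


def simulate(deliveries: List[Tuple[float, str]], analysis_seconds: float) -> Outcome:
    """deliveries: (time, host) attempts to deliver SUSPECT to an endpoint.

    The earliest delivery also submits a copy to the sandbox (FIND); the
    verdict, assumed malicious here, arrives analysis_seconds later. A
    delivery at exactly the verdict time is processed first, matching the
    real ordering: the file is on the wire before the rule exists.
    """
    queue: List[Event] = []
    seq = 0
    for t, host in deliveries:
        heapq.heappush(queue, Event(t, seq, "deliver", host, SUSPECT))
        seq += 1
    submit_t = min(t for t, _ in deliveries)
    heapq.heappush(queue, Event(submit_t + analysis_seconds, seq, "verdict", "", SUSPECT))

    block_rules = set()                       # hashes the inline device blocks
    out = Outcome([], [], None, [])
    while queue:
        ev = heapq.heappop(queue)
        if ev.kind == "deliver":
            if ev.sha256 in block_rules:
                out.blocked.append((ev.t, ev.host))      # FREEZE worked
            else:
                out.delivered.append((ev.t, ev.host))    # already past the gate
        else:
            # Malicious verdict: push the block rule to the inline device and
            # compute the endpoints that must be cleaned.
            block_rules.add(ev.sha256)
            out.rule_pushed_at = ev.t
            out.to_remediate = sorted({h for _, h in out.delivered})
    return out


if __name__ == "__main__":
    # Constructed timeline: four hosts receive the same file over two minutes.
    timeline = [(0, "host-a"), (5, "host-b"), (30, "host-c"), (120, "host-d")]
    for delay in (60, 10):
        r = simulate(timeline, delay)
        print(f"analysis={delay}s rule_at={r.rule_pushed_at}s "
              f"blocked={[h for _, h in r.blocked]} fix={r.to_remediate}")
```

Shortening the analysis window shrinks the FIX list but never empties it: with any non-zero sandbox delay the host that triggered the submission has already received the file, which is exactly why a find-only product cannot be said to stop the threat.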

To truly address advanced malware, dynamic system-wide security integration is required to quickly identify, isolate and remediate advanced malware. Loosely connected or disparate systems cannot fully comprehend the urgency and complexities of the threat and cannot orchestrate the multi-pronged effort needed to fully address advanced malware.

These are just a couple of quick examples of the power of a true system-wide integration. Stay tuned for more on Advanced Threat Defense, and stay warm!
