More Against Botnets – the IPS Game Changer

McAfee Network Security Platform release 7.5 has just shipped, and it brings a game changer for IPS: 'more' malware defenses. Malware, and the botnets it builds, is the hardest current threat for network security to contain, and most IPS products still rely only on legacy techniques against it. McAfee now stands apart from other IPS approaches to malware; the video below explains how.

Advanced Botnet Detection Video

Most IPS products claim to handle botnets, but bot defenses are not all the same. Most products, for instance, have traditional signature-based defenses for some well-known bots, and on that functionality alone they claim to defend against bots. Signatures are a good way to start and provide baseline coverage for well-known bots; because they are efficient and accurate, McAfee uses this technique too wherever it applies. Signature-based defenses alone, however, are inadequate to protect organizations from bots. Bot binaries are often altered for each campaign (repacked or recompiled so the byte sequence a signature matches no longer appears), so they evade these defenses easily. 'More' is needed.

Advanced IPS products should add behavioral analysis to identify the bot activity that signature-based approaches miss, but rudimentary implementations often come up short. Infected hosts are stealthy, hiding their activity in innocent-looking traffic. For example, a web request to an obscure server could be a bot checking for connectivity, or it could simply be an innocent web search. A single event is usually not enough to convict a host as a bot. McAfee uses behavior analysis to detect bots as well, but rudimentary approaches limited to single events and short time horizons miss too many stealthy bot infections. 'More' is needed.

Reputation data, especially for command and control (C&C) servers, seems like a promising approach, but it has one big problem. C&C servers are often compromised hosts themselves, subject to discovery and remediation like any other infected host. Because of this risk, cybercriminals relocate their C&Cs as they are discovered, so C&C locations are quite dynamic. McAfee makes good use of C&C reputation data but is careful not to rely on obsolete entries: an address that hosted a C&C months ago may since have been cleaned up and returned to legitimate use, so old reputation data can be useless and cause false positives. 'More' is needed.

The great news is that McAfee Network Security Platform release 7.5 has 'more' when it comes to bot defenses. The Advanced Bot Detection functionality is signature-less and does something no other IPS product does: it correlates multiple suspicious events, and over a longer time horizon. By evaluating several lower-confidence events in each other's context, overall confidence grows until bot activity is identified and blocked with accuracy. There is also an Active Botnet Engine with a local copy of known active C&Cs, so flows to high-confidence active C&Cs are flagged and shut down immediately. Older C&C data receives lower confidence to reduce false positives. These two features are the game changers that add 'more' and combine to make the strongest IPS bot protection in the industry today.
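To make the correlation and reputation-aging idea concrete, here is an added example written for this page, not McAfee NSP code: a small Python correlator that replays constructed sensor log lines, scores several low-confidence indicators per host within a 24-hour window, blocks immediately on a fresh C&C reputation hit, and lets aging reputation entries contribute only partial confidence. The indicator names, weights, thresholds, reputation feed and log lines are all assumptions made for the demonstration.

```python
"""Illustrative multi-event bot correlation with aged C&C reputation data.

Constructed example, not McAfee NSP code. The event names, weights,
thresholds, reputation feed and log lines below are assumptions made
for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical low-confidence indicators and the weight each contributes.
# Deliberately, no single indicator reaches CONVICT_THRESHOLD on its own.
EVENT_WEIGHTS = {
    "dns_nxdomain_burst": 0.25,  # many lookups for domains that do not resolve
    "periodic_beacon": 0.35,     # fixed-interval connections to one external host
    "rare_host_http": 0.15,      # web request to a server no other host talks to
}
CONVICT_THRESHOLD = 0.6
WINDOW = timedelta(hours=24)   # correlation time horizon
MIN_DISTINCT = 2               # a single indicator type never convicts

# Hypothetical C&C reputation feed: address -> date last confirmed active.
CC_REPUTATION = {
    "203.0.113.7": datetime(2012, 10, 1),   # confirmed a few days ago
    "198.51.100.9": datetime(2012, 8, 1),   # aging: lower confidence
    "192.0.2.200": datetime(2012, 1, 15),   # stale: ignored entirely
}
FRESH = timedelta(days=7)
STALE = timedelta(days=90)
AGED_CC_WEIGHT = 0.4           # score contribution of an aging reputation hit


def cc_confidence(dst, now):
    """Confidence that dst is an active C&C, decaying with the age of the data."""
    last_seen = CC_REPUTATION.get(dst)
    if last_seen is None:
        return 0.0
    age = now - last_seen
    if age <= FRESH:
        return 1.0
    if age <= STALE:
        return 0.5
    return 0.0


class BotCorrelator:
    def __init__(self):
        self.events = defaultdict(list)  # src host -> [(ts, kind, weight)]
        self.verdicts = {}               # src host -> reason for blocking

    def observe(self, ts, src, kind, dst=None):
        """Ingest one event; return a blocking verdict for src, or None."""
        if src in self.verdicts:
            return self.verdicts[src]
        conf = cc_confidence(dst, ts) if dst else 0.0
        if conf >= 1.0:
            # Fresh, high-confidence C&C: block immediately, no correlation needed.
            self.verdicts[src] = f"active C&C {dst}"
            return self.verdicts[src]
        if conf > 0.0:
            # Aging reputation data is just one more low-confidence event.
            self.events[src].append((ts, "aged_cc_reputation", AGED_CC_WEIGHT * conf))
        if kind in EVENT_WEIGHTS:
            self.events[src].append((ts, kind, EVENT_WEIGHTS[kind]))
        return self._evaluate(src, ts)

    def _evaluate(self, host, now):
        # Only events inside the time horizon count, and each kind counts once,
        # so repeating one innocent-looking action cannot accumulate into a verdict.
        per_kind = {}
        for ts, kind, weight in self.events[host]:
            if now - ts <= WINDOW:
                per_kind[kind] = max(per_kind.get(kind, 0.0), weight)
        score = sum(per_kind.values())
        if len(per_kind) >= MIN_DISTINCT and score >= CONVICT_THRESHOLD:
            self.verdicts[host] = "correlated: " + ", ".join(sorted(per_kind))
            return self.verdicts[host]
        return None


# Constructed sensor log: "<ISO timestamp> <src> <indicator> <dst or ->".
SAMPLE_LOG = """\
2012-10-03T08:00:00 10.0.0.5 rare_host_http 192.0.2.44
2012-10-03T08:00:05 10.0.0.9 rare_host_http 192.0.2.80
2012-10-03T09:00:00 10.0.0.7 rare_host_http 203.0.113.7
2012-10-03T10:00:00 10.0.0.3 rare_host_http 198.51.100.9
2012-10-03T11:00:00 10.0.0.3 rare_host_http 198.51.100.9
2012-10-03T12:00:00 10.0.0.3 periodic_beacon 198.51.100.9
2012-10-03T13:30:00 10.0.0.5 dns_nxdomain_burst -
2012-10-03T21:15:00 10.0.0.5 periodic_beacon 192.0.2.44
2012-10-04T20:00:00 10.0.0.9 periodic_beacon 192.0.2.200
"""


def analyze_log(log_text):
    """Replay a log through the correlator; return {host: verdict} for blocked hosts."""
    corr = BotCorrelator()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, kind, dst = line.split()
        corr.observe(datetime.fromisoformat(ts), src, kind, None if dst == "-" else dst)
    return dict(corr.verdicts)


if __name__ == "__main__":
    for host, why in sorted(analyze_log(SAMPLE_LOG).items()):
        print(f"block {host}: {why}")
```

Replaying the constructed log, 10.0.0.7 is blocked on its first flow because the destination is a freshly confirmed C&C; 10.0.0.5 is convicted only once three different weak indicators have accumulated within the 24-hour window; 10.0.0.3 needs the aging reputation hit plus two behavioral indicators before its score crosses the threshold; and 10.0.0.9 is never blocked, because its earlier request has aged out of the window and the stale reputation entry for its beacon destination contributes nothing.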
