This series of articles and the accompanying videos are part of an ongoing project to illuminate the people, products, and vendors that make up the IT security industry. The vendors paid a fee to cover the expense of producing the videos.
As malware became both more sophisticated and more targeted, traditional AV began to fail. It has been a decade since large enterprises began to complain that their AV vendors would not add signatures to their signature files for unique malware discovered on their networks. Why, after all, should an AV company create a signature for a virus that no one else would ever need?
It was not long before banks and defense contractors started to hire their own malware researchers. Now we are well into the era of new security tools that can evaluate executables, determine whether they have malicious intent, and categorize their unique ‘key indicators.’
So-called Advanced Malware detection usually has some ability to ‘detonate’ an executable in a virtual environment or an emulator to extract these key indicators. A challenge for many of the first such solutions was the ability to customize the virtual environments so they reflected the platforms within the customer’s network. Without being able to reproduce the customer’s ‘gold image,’ a solution would become overly noisy, raising false alarms for malware that attacked Windows XP, for instance, or missing attacks against particular applications, like Adobe.
Cyphort announced general availability of their solution in February this year. A team of industry veterans got together to tackle the targeted malware problem. They decided that in addition to a virtual sandbox, an emulated environment, and a gold standard image, they needed to collect information from the customer’s network to provide context. A crucial element of their solution is a series of sensors deployed on the network to determine what the customer has and what traffic they are seeing. In this way key indicators can be correlated with the presence of vulnerable systems and with suspicious network traffic.
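To make the correlation idea concrete, here is an added illustration (not Cyphort's code, and not a description of their product internals): a small triage routine that takes the key indicators a sandbox detonation produced for a sample, checks them against an inventory of what is actually on the network, and raises the priority only when an exposed host has also been seen talking to an address the sample contacted. The `Verdict` and `Host` schemas, the inventory, the flow records and the sample verdicts are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    """Key indicators extracted by detonating one sample (constructed schema)."""
    sample_id: str
    malicious: bool
    target_os: frozenset       # OS versions the sample was observed to exploit
    target_apps: frozenset     # applications it exploited during detonation
    contacted: frozenset       # external addresses it reached out to


@dataclass(frozen=True)
class Host:
    """One asset reported by the network sensors (constructed schema)."""
    ip: str
    os: str
    apps: frozenset


def exposed_hosts(verdict, inventory):
    """Hosts whose platform matches what the sample was seen to attack."""
    return [h for h in inventory
            if h.os in verdict.target_os or verdict.target_apps & h.apps]


def hosts_talking_to(addresses, flows):
    """Internal sources that sent traffic to any address the sample contacted."""
    return {src for src, dst in flows if dst in addresses}


def triage(verdict, inventory, flows):
    """Rank a sandbox verdict using network context instead of the verdict alone.

    benign   -> the sandbox saw nothing malicious
    low      -> malicious, but nothing on the network matches its targets
    medium   -> matching hosts exist, no traffic to its contacted addresses yet
    critical -> a matching host has already talked to an address it contacted
    """
    if not verdict.malicious:
        return "benign"
    exposed = exposed_hosts(verdict, inventory)
    if not exposed:
        return "low"
    talking = hosts_talking_to(verdict.contacted, flows)
    if any(h.ip in talking for h in exposed):
        return "critical"
    return "medium"


# Constructed inventory: no Windows XP machines remain on this network.
INVENTORY = [
    Host("10.0.0.5", "Windows 7", frozenset({"Adobe Reader 9"})),
    Host("10.0.0.6", "Windows 10", frozenset({"Office 2016"})),
]

# Constructed flow records as (internal source, external destination) pairs.
FLOWS = [
    ("10.0.0.5", "203.0.113.9"),
    ("10.0.0.6", "198.51.100.2"),
]

# Constructed verdicts: an XP-only worm, a Reader exploit, a Windows 10
# sample with no traffic seen yet, and a clean file.
XP_WORM = Verdict("s1", True, frozenset({"Windows XP"}), frozenset(), frozenset({"192.0.2.7"}))
READER_EXPLOIT = Verdict("s2", True, frozenset(), frozenset({"Adobe Reader 9"}), frozenset({"203.0.113.9"}))
WIN10_SAMPLE = Verdict("s3", True, frozenset({"Windows 10"}), frozenset(), frozenset({"192.0.2.8"}))
CLEAN_FILE = Verdict("s4", False, frozenset(), frozenset(), frozenset())


if __name__ == "__main__":
    for v in (XP_WORM, READER_EXPLOIT, WIN10_SAMPLE, CLEAN_FILE):
        print(v.sample_id, triage(v, INVENTORY, FLOWS))
```

The XP worm is still malicious, but with no XP hosts in the inventory it drops to a low priority rather than becoming the false alarm the article describes; the Reader exploit becomes critical because the one host running that reader has already been seen contacting an address the sample reached during detonation.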
Watch my interview with Ali Golshan, CTO and cofounder of Cyphort, to hear him expound on their four pillars of advanced malware detection.