Damballa CSP Automates Botnet Identification, Removal for ISPs

Damballa updated its cyber-threat monitoring service for internet service providers and telecommunications providers. The appliances detect malware infections affecting any device on the CSP (Communications Service Providers’) networks, including PCs, Macs, tablets and smartphones.

Damballa CSP 1.6 passively monitors a carrier’s network activity to identify malicious traffic, the company said May 26. Because it works out-of-line within the network, criminals trying to evade detection don’t even notice the appliances monitoring their activities, according to the company. ISPs can use the Damballa service to protect customers from attacks and malware, issue alerts about possible infections and help remediate systems afterwards.

“We can deliver a light-weight, highly scalable end-to-end solution that automates detection, correlation and remediation of the subscriber infection,” said Stephen Newman, vice president of product management for Damballa.

ISPs and telecomm providers are facing pressure to provide “clean pipes” and to protect customers from various online threats that try to steal sensitive information, intercept login credentials, commit fraudulent transactions or remotely control systems for other attacks, according to Damballa. When subscribers are infected, it increases the cost of operations for the carriers to identify the source and cause of the problem, according to Jennifer Pigg, vice president of network research at Yankee Group.

“Network abuse is a primary concern for all carriers today,” said Pigg.

Carriers have to approach security differently than normal enterprise network administrators, according to Damballa, as performing deep packet inspection over subscriber traffic is typically not feasible or permitted. Damballa CSP is an out-of-band appliance that sits inside the carrier’s network and passively monitors DNS (Domain Name Service) requests from customer IP addresses. By monitoring DNS queries, Damballa CSP can identify which IP address may be infected with malware.

Damballa CSP 1.6 categorizes suspicious network traffic by “criminal intent,” such as Downloader, Multi-Purpose, DDoS, Information Stealer and Exploit Kit. Once categorized, the service provides details such as information about the cyber-criminal behind the attack, known behavioral patterns, names of variants, observed traits and capabilities.

Carriers are beginning to build out cyber-threat detection and remediation capabilities to protect their subscribers, according to Newman. Comcast has been offering a Constant Guard Bot Detection and Notification service, powered by Damballa CSP since last year. ISPs and telecommunications providers can deploy an automated monitoring service based on Damballa CSP that will identify cases of network abuse caused by infected devices and remove the infection, Newman said. The service will also be able to detect compromised devices that are carrying out instructions from a botnet’s command-and-control server.

Damballa CSP integrates with a number of other products to make it easier for carriers in the detection-notification-remediation process. If the carrier is already using HP’s Arcsight Enterprise Threat and Risk Management platform for monitoring and managing their security events, the platform can pull data from Damballa CSP to automate correlation of infected IP addresses to the actual customer.

Once the data is correlated, PerfTech can generate a customized notification to the customer to alert them to the infection, provide instructions and direct them to a security portal for assistance. The Threat Intelligence data gathered by Damballa CSP 1.6 can also be correlated with threats that can be remediated using Microsoft Safety Scanner and the Malicious Software Removal Tool.

Mobile threats are growing as cyber-criminals develop new strains of malware designed to take advantage of large amounts of sensitive and personal data increasingly being stored on mobile devices. Other threats include social networking scams designed to trick users looking at malicious Websites on a small screen and viruses that send SMS messages to premium numbers. Users often experience “bill shock” at the end of the month when they see the sky-high data charges, text messaging costs, and fraudulent transactions.

Damballa CSP 1.6 is generally available. Pricing is based on the number of subscribers, according to Damballa.