Damballa's Failsafe botnet detection appliance allows IT managers to find infected systems and decide which compromised machine to remediate first.
Damballa trumpeted the ability to "triage" compromised systems with
the latest version of its Failsafe botnet detection appliance.
Failsafe 4.1, which Damballa
officially announced Dec. 8, is "redefining cyber-security's definition of
risk," said Stephen Newman, the company's vice president of product
management. Organizations generally approach risk as what "will happen if
the system is compromised," when they should be thinking, "what is
the impact now that I've been compromised?" said Newman.
Designed to sit behind the corporate firewall, Failsafe detects botnet
on any system on the corporate network by flagging any attempts
by the malware to call home to a command-and-control source for instructions,
according to Newman. Malicious DNS queries, suspicious DNS behavior such as
domain flux, and the frequency of attempts connecting to the egress or proxy
servers are detected, he said.
"We not only indicate that the asset is infected, we also profile the severity
of the compromise
relative to the other assets in their network that we
have identified as being infected," said Newman.
Failsafe doesn't remove botnet malware on the compromised system, but
provides IT managers with the forensic evidence to find and eradicate it, said
Newman. The appliance does have a mode where the IT manager can prevent the
infected machine from communicating with the rest of the botnet until the security
staff gets a chance to resolve the issue.
The appliance lets the IT administrator analyze the list of infected assets
and apply an "Asset Risk Factor" score, to prioritize the seriousness
of the infection and the importance of the asset, said Newman. If a computer
that no one is using has been compromised, that would have a smaller risk than
if the computer belonged to the CEO, for
IT managers assess risk based on seven factors, including on the number of
connections attempted, the amount of data it's sending out or receiving, as
well as whether it has multiple infections or not, said Newman.
It sounds a little cold-hearted to say that administrators should be
deciding which assets to remediate first, but according to Newman, that is
"the reality of cyber-threats today."
"Prevention is not enough. Yes, you still want to be preventive, but it
hasn't been hit yet, so you focus on the ones that have," Newman said.
IT managers have a limited staff, and they are tasked to protect the company's
infrastructure, data and brand, said Newman. If they suddenly uncover 100
compromised systems, the staff can't address the issues all at once, so they
have to "perform triage" and decide which ones need to be fixed first
and which ones can wait, he said.
To use a medical analogy, "We already found the sick people and we
brought them to the hospital, and now we are helping you figure out who is
sick," Newman said.
The passive appliance sits on the organization's network and watches all the
traffic to detect and identify all compromised systems, said Newman. The
appliance looks at network activity so all devices-laptops, desktops, servers and
mobile devices-are monitored, regardless of whether the company knows about
them or not.
Since it is not inline or on the host machines, cyber-criminals are also
unaware that Failsafe is monitoring the network. As it watches the mirrored
traffic from the router, Failsafe can monitor traffic hitting the DNS, proxy
and egress servers, Newman said.
Failsafe does more than just prioritize assets. The dashboard of the
management interface lets IT managers correlate the information into a heat
map, showing the number of compromised assets with the severity of the issues,
said Newman. The dashboard allows managers to drill down based on "which
type of malicious behavior they deem most dangerous," he said.