Damballa Failsafe Detects, Prioritizes Botnet Infections in Enterprise

Damballa's Failsafe botnet detection appliance allows IT managers to find infected systems and decide which compromised machine to remediate first.

Damballa trumpeted the ability to "triage" compromised systems with the latest version of its Failsafe botnet detection appliance.

Failsafe 4.1, which Damballa officially announced Dec. 8, is "redefining cyber-security's definition of risk," said Stephen Newman, the company's vice president of product management. Organizations generally approach risk as what "will happen if the system is compromised," when they should be thinking, "what is the impact now that I've been compromised?" said Newman.

Designed to sit behind the corporate firewall, Failsafe detects botnet infections on any system on the corporate network by flagging any attempts by the malware to call home to a command-and-control source for instructions, according to Newman. Malicious DNS queries, suspicious DNS behavior such as domain flux, and the frequency of attempts connecting to the egress or proxy servers are detected, he said.

"We not only indicate that the asset is infected, we also profile the severity of the compromise relative to the other assets in their network that we have identified as being infected," said Newman.

Failsafe doesn't remove botnet malware on the compromised system, but provides IT managers with the forensic evidence to find and eradicate it, said Newman. The appliance does have a mode where the IT manager can prevent the infected machine from communicating with the rest of the botnet until the security staff gets a chance to resolve the issue.

The appliance lets the IT administrator analyze the list of infected assets and apply an "Asset Risk Factor" score, to prioritize the seriousness of the infection and the importance of the asset, said Newman. If a computer that no one is using has been compromised, that would have a smaller risk than if the computer belonged to the CEO, for example.

IT managers assess risk based on seven factors, including on the number of connections attempted, the amount of data it's sending out or receiving, as well as whether it has multiple infections or not, said Newman.

It sounds a little cold-hearted to say that administrators should be deciding which assets to remediate first, but according to Newman, that is "the reality of cyber-threats today."

"Prevention is not enough. Yes, you still want to be preventive, but it hasn't been hit yet, so you focus on the ones that have," Newman said.

IT managers have a limited staff, and they are tasked to protect the company's infrastructure, data and brand, said Newman. If they suddenly uncover 100 compromised systems, the staff can't address the issues all at once, so they have to "perform triage" and decide which ones need to be fixed first and which ones can wait, he said.

To use a medical analogy, "We already found the sick people and we brought them to the hospital, and now we are helping you figure out who is sick," Newman said.

The passive appliance sits on the organization's network and watches all the traffic to detect and identify all compromised systems, said Newman. The appliance looks at network activity so all devices-laptops, desktops, servers and mobile devices-are monitored, regardless of whether the company knows about them or not.

Since it is not inline or on the host machines, cyber-criminals are also unaware that Failsafe is monitoring the network. As it watches the mirrored traffic from the router, Failsafe can monitor traffic hitting the DNS, proxy and egress servers, Newman said.

Failsafe does more than just prioritize assets. The dashboard of the management interface lets IT managers correlate the information into a heat map, showing the number of compromised assets with the severity of the issues, said Newman. The dashboard allows managers to drill down based on "which type of malicious behavior they deem most dangerous," he said.