As malware is becoming increasingly stealthy, there is a growing need for advanced tools to help enterprises uncover threats. That’s the goal of the new Advanced Malware Protection and Detection (AMPD) managed security service from Dell SecureWorks, which leverages malware detection technology from Lastline.
“AMPD is a combination of people, processes and technology,” Chris Collard, Dell SecureWorks’ product manager for AMPD, told eWEEK.
The AMPD service combines full-system emulation sandboxing from Lastline with actionable, up-to-the-minute intelligence from Dell SecureWorks’ Counter Threat Unit, according to Collard. In addition, AMPD includes the expertise of Dell SecureWorks security analysts and SecureWorks’ MSS (Managed Security Services) technology to create a service that is totally managed and monitored, he added.
Dell isn’t the first company to integrate with Lastline. Lastline also has integrations with Blue Coat, Tripwire, Juniper and Barracuda.
“The platform we built is a software platform, and the components are very flexible,” Engin Kirda, Lastline’s co-founder and chief architect, told eWEEK.
Each vendor integration depends on the vendor’s own needs, according to Kirda. There is no “silver bullet” for security, he added, and integration is often the key to a comprehensive security platform.
The Lastline platform provides a full-system emulation approach to detecting malware and potential breach risks. At the core of the platform, Lastline leverages the open-source QEMU (Quick EMUlator) emulator, which, according to Kirda, Lastline has heavily modified and extended.
“Malware has become very evasive, so when you attempt to analyze it, the behavior can change,” he said. “So our technology has full-system emulation that allows us to look deeper into malware execution and extract behaviors.”
Lastline’s system also has a correlation engine that can provide context, pulling different security events together to provide a complete picture. For example, the system would understand that something was downloaded, which in turn led to an infection and then some kind of connection out to a botnet for command and control.
Lastline’s “secret sauce” isn’t just the emulation technology, but rather the detection mechanisms that are used, according to Kirda.
“In our case, since we have in-depth insight into the execution, we can create snapshots, we can look into the memory, look at how a file is opened and also look at other behaviors,” he said.
Kirda noted that Lastline has also taken a number of steps to reduce false-positive malware alerts. The Lastline system provides a color-coded approach to help users identify the severity of an issue. A blue alert might be generated for adware or a potential click fraud incident. A yellow alert indicates that there is some evidence that a particular item is bad, but the evidence is not 100 percent concrete. A red alert indicates that Lastline has concrete evidence that an item is in fact malicious and impactful.
“The false-positive rate is really low, since in order for us to say that something is bad, we combine a lot of different things and we have a lot of evidence,” Kirda said.
Moving forward in 2015 and beyond, Kirda said the plan is to continue to improve the Lastline platform in a number of areas. Currently, his view is that Lastline is doing a decent job at detecting evasive malware, but it’s not an exact science and Lastline will constantly work on newer and better detection methods.
“For example, can we identify malicious domains automatically in a better way,” he said. “Hopefully we’ll have an even better product in a year.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.