New security service pounces on 8 telltale signs of malware infection

Startup TaaSERA claims its behavior-modeling strategy can detect zero-day malware with fewer false positives

Signatures? We don't need no stinking signatures. That's the philosophy behind a new malware-detection service dubbed TAAS (Trust as a Service) NetAnalyzer, launched today by startup company TaaSERA.

Rather than relying on pre-existing signatures to detect malware, the service monitors data flowing in, out, and around a company network for telltale patterns of infection. The idea is to add an extra layer of security to spot zero-day malware that doesn't yet have a signature.

TaaSERA -- headed by former PwC Consulting CEO Scott Hartz and with former Secretary of the Department of Homeland Security Tom Ridge chairing its advisory board -- calls its approach to malware tracking "behavior modeling." Here's how it works: Through NetAnalyzer, network agents passively monitor data traffic in search of suspicious activity. If an agent sees at least two of the eight signs of suspicious behavior on a host, it triggers an alert. Those signs correspond to what SRI has deemed the eight stages of the malware lifecycle: infection preparation, egg download, peer infection, command and control communications, system scanning, attack preparation, malicious outbound scanning, and data exfiltration.

Alerts are visible to users via a GUI for reporting and analysis. Users may also choose to export alerts to their SIEM platforms such as HP ArcSight using the Common Event Format (CEF).
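The two-of-eight correlation rule described above and the CEF export mentioned in the previous paragraph, as an added example that is not TaaSERA's code: it reads constructed sensor observations, alerts when a host shows at least two distinct lifecycle stages (repeated hits of the same stage do not count twice), and renders each alert as a CEF line. The observation format, the vendor/product names and the severity mapping are assumptions.

```python
from collections import defaultdict

# The eight malware lifecycle stages the article attributes to SRI.
STAGES = (
    "infection_preparation", "egg_download", "peer_infection",
    "command_and_control", "system_scanning", "attack_preparation",
    "malicious_outbound_scanning", "data_exfiltration",
)
MIN_STAGES = 2  # alert once a host shows at least two distinct stages

# Constructed sensor observations, one per line: "<host> <stage> <detail>"
SAMPLE_OBSERVATIONS = """\
10.0.0.5 egg_download http://example.invalid/drop.bin
10.0.0.7 system_scanning 10.0.0.0/24 tcp/445
10.0.0.5 command_and_control beacon 198.51.100.9:443
10.0.0.7 system_scanning 10.0.0.0/24 tcp/139
10.0.0.9 data_exfiltration 12MB to 203.0.113.4:8443
"""

def parse_observations(text):
    """Yield (host, stage, detail); lines with an unknown stage are skipped."""
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2 or parts[1] not in STAGES:
            continue
        yield parts[0], parts[1], (parts[2] if len(parts) == 3 else "")

def correlate(text, min_stages=MIN_STAGES):
    """Return {host: sorted distinct stages} for hosts at/above the threshold.
    Repeated hits of one stage (10.0.0.7 above) count once, not twice."""
    seen = defaultdict(set)
    for host, stage, _ in parse_observations(text):
        seen[host].add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}

def cef_escape(value, header=False):
    """CEF escaping: header fields escape '|' and backslash, extensions escape '='."""
    value = value.replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=")

def to_cef(host, stages, vendor="ExampleVendor", product="ExampleSensor"):
    """Render one alert as a CEF line; vendor/product names are placeholders."""
    severity = min(10, 3 * len(stages))  # assumed mapping, not the product's
    ext = f"src={cef_escape(host)} cnt={len(stages)} msg={cef_escape(' '.join(stages))}"
    return (f"CEF:0|{cef_escape(vendor, True)}|{cef_escape(product, True)}"
            f"|1.0|100|malware lifecycle correlation|{severity}|{ext}")

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_OBSERVATIONS).items():
        print(to_cef(host, stages))
```

Only 10.0.0.5 trips the threshold in the sample: 10.0.0.7 is seen twice but in the same stage, and 10.0.0.9 shows a single stage.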

Alerts also go to the TaaS AWARE (Attack Warning and Response Engine) platform for closer forensic analysis, drawing on the company's cloud threat and infection data while taking into account what applications are running on the network and whether they're properly patched.

The platform, by the way, integrates data feeds from third-party analysis tools such as whitelisting and binary analysis, according to the company, as well as vulnerability, configuration, compliance, and patch-management systems. The company also offers APIs for creating continuous data feeds into third-party SIEM, NGFW, IPS/IDS, and antivirus tools.

If the system determines there is a malware infection, it alerts the client's IT department; the client takes it from there. TaaS also passes on the details of the malware to the rest of its subscribers.

Behavior-based malware detection isn't exactly a new concept. Established companies and upstarts -- including WebRoot, Symantec, RSA, FireEye, Palo Alto Networks, and Damballa -- have embraced the general concept in one way or another. According to TaaSERA VP of Corporate Development David Nevin, NetAnalyzer trumps other approaches in a couple of key ways. First, some rival offerings look out for generally anomalous behavior or heuristic trends, flagging anything that doesn't fit a specific profile. That approach, he said, results in a high rate of false positives.

Complementing NetAnalyzer and AWARE is Threat Feed, an expanding list of IP addresses known to be used for spamming and spreading malware. "If we know a file or software came from a malicious URL, that's good evidence that we can declare an application malicious," said Hartz.

In the near future, TaaSERA will release endpoint agents to complement NetAnalyzer. The first agent will be for Android devices, cited by Hartz as increasingly exploited with malware. An agent for PCs will follow by the RSA Conference in February.

"Android is very scary, particularly to enterprises. It's the scariest of the mobile OSes that enterprises are being asked to connect to their networks," said Hartz.

This article, "New security service pounces on 8 telltale signs of malware infection," was originally published at InfoWorld.com.
