Advanced Malware Defense: The Need for Speed

According to the Verizon Data Breach Report 2015, 70 to 90 percent of malware samples are unique to an organization, which means the malware wouldn’t automatically be identified as a threat. This puts any organization relying only on signature-based tools at great risk, as they could have malware actively running in their environments yet be unaware of any compromise. Motivated threat actors can typically find ways to bypass purely preventative measures, including “advanced” measures that still rely on previous experience or knowledge of a strain of malware to detect and stop it. Techniques like metamorphism, polymorphism, and sandbox evasion have changed the game and, unfortunately, are no longer confined to the domain of sophisticated threat actors. Nowadays, they’re the status quo.

In the face of such a reality, effective approaches for addressing malware can’t be predicated on prevention alone, but must be focused on deep visibility and swiftness of response.

For that reason, I’m especially excited about the latest version of RSA Endpoint Compromise Assessment Tool (ECAT). ECAT 4.1 is designed to quickly detect sophisticated zero-day malware and offer unparalleled insight into what’s happening across an organization’s endpoints. With those insights, organizations are better equipped to understand the scope and impact of threats to their environment and ultimately drive the right remedial actions.

What traditionally makes malware defense so daunting is the hundreds of millions of unique samples we encounter each year. Of course, there aren’t actually hundreds of millions of unique threat actors. Instead, many of the core malware instances are more or less identical, but have been disguised with seemingly unlimited kinds of window dressing. What makes ECAT so different from other malware solutions, and so powerful, is that it focuses less on what the malware looks like and more on how it behaves as it executes within a compromised system’s memory. At some point, no matter what a file or process looks like, if it is malware it will behave anomalously, and ECAT is engineered to reveal the attacker behind the facade.

But beyond detection, ECAT is built to provide robust capabilities that translate visibility into actual insights, giving analysts the knowledge they need to fully understand not just an individual piece of malware but its role within a larger attack or attack campaign. ECAT leverages machine learning technologies to help analysts understand which system processes are risky, which may be associated with one another, and which are in need of further inspection. Pivoting from this view, it’s possible to understand the entire attack chain associated with a given process.

Finally, ECAT tears down security data silos by connecting and integrating endpoint and network visibility with RSA Security Analytics. By uniting traditionally independent viewpoints, advanced attacks can be comprehensively understood and addressed from multiple fronts. Moreover, ECAT is designed to incorporate threat intelligence data via STIX, allowing organizations to detect and understand threats in their environment even more quickly. And with ECAT’s response capabilities, threats can be mitigated, quite literally, in minutes.

About the Author: Zulfikar Ramzan