Sourcefire tackles advanced malware with cloud-hosted FireAMP tool

Security specialist Sourcefire is addressing the threat to enterprises from sophisticated malware with a new tool that can trace and remove infections by utilising the power of the cloud and big data analytics to identify new threats and enable customers to take remedial action.

Available now, FireAMP is designed to combat advanced malware threats that may be capable of evading traditional security counter measures and, hence, complements existing anti-malware tools rather than directly replacing them, the firm said.

"Advanced malware has become difficult to catch because it is changing all the time, through packing and repacking of the code and techniques such as polymorphism that change the code every time it is executed," Leon Ward, field marketing manager for Sourcefire, told V3.

"Because of this, traditional antivirus and anti-malware is unable to cope and you need a second line of defence"

FireAMP has been designed with the assumption that some malware is going to make it onto the network before it gets detected and, once this happens, security teams need to be able to pinpoint the source of the infection and how far it has spread before they can take action.

To this end, the platform uses an endpoint agent that tracks the creation and movement of files on the network, which enables the security team to trace the exact propagation path of any malware, find how it got onto the network in the first place and quarantine any infected systems.

"FireAMP is unique in giving control to the end user, so they can contain and remediate immediately any type of malware threat they find," added Ward.

FireAMP also uses the technique of sending data to the cloud for analysis, which has the advantage of reducing the processing burden on the endpoint systems.

It also means all FireAMP users are protected from a new malware threat as soon as it is detected, without the need to distribute signature updates to every endpoint.

In Sourcefire's case, its FireCloud is based on technology it gained from the acquisition of Immunet last year. This is already used to deliver a cloud-based consumer anti-malware product, which will continue to be supported, the firm said.

FireAMP uses multiple techniques to detect malware, including hash checks on executables, plus a 'fuzzy hash' algorithm to detect variants of known malware and a machine-learning engine that analyses whether a particular file may be an unidentified threat.

"The number of unique executable files on your network should be quite low, unless you have got malware. So if FireAMP finds a file that has never been seen before on any other endpoint, we can start treating it as suspicious," said Ward.

This technique also avoids the problem of false positives, he claimed, which has hit users of some traditional anti-malware tools when the software mistakenly identifies a legitimate Windows component as malicious and blocks it.

FireAMP additionally provides a sandbox environment, to which users can upload suspected malware in order to see what it is doing.

Licensing for FireAMP starts at an annual fee of £22.50 per seat, which includes 24/7 technical support, plus all maintenance releases and content updates.

Because FireAMP is cloud-based, there is no server component to install and administration is performed via a browser-based management console.