
Published on September 20th, 2011


Damballa. Interview with Stephen Newman, VP Product Management





Uncovering the unknown threat: Damballa’s First Alert

I recently sat down with Stephen Newman, Damballa’s VP of Product Management, to get up to speed on their advances in beaconing detection. I have identified beaconing detection as the fastest growing segment of the IT security industry. While small, most of the vendors in the space are growing at 50-100% a year. The driver for this growth, of course, is the prevalence of malware within most networks, even those that have already deployed the dozens of other products needed for defense in depth (I count 80 different security product categories).

Beaconing is the communication between an infected host and a command and control (C&C) server. It can take many forms. This paper from Lawrence Livermore describes what can be seen just by looking at network flow data: www.cert.org/flocon/2008/presentations/balland_flocon2008.pdf

More sophisticated beaconing can connect to a particular Twitter account for a link to the latest C&C server in case the original is taken down. Or malware can be programmed to phone home to a particular domain, which can change on a pre-determined schedule.
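As an added illustration (not taken from the interview, Damballa, or the linked paper), the sketch below shows one common flow-data heuristic for spotting beaconing: flagging host pairs whose connection intervals are nearly constant. The flow tuple layout, the thresholds and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
# Addresses come from documentation ranges; none are real indicators.
SAMPLE_FLOWS = (
    # 10.0.0.5 checks in roughly every 300 s with a few seconds of jitter
    [(1000 + 300 * i + j, "10.0.0.5", "203.0.113.10", 443)
     for i, j in enumerate([0, 4, -3, 2, -5, 1, 3, -2])]
    # 10.0.0.7 connects at irregular, human-looking times
    + [(t, "10.0.0.7", "198.51.100.20", 443)
       for t in [1010, 1025, 1900, 1904, 2600, 4100, 4111, 5200]]
    # 10.0.0.9 made too few connections to judge either way
    + [(1500, "10.0.0.9", "192.0.2.30", 80),
       (1800, "10.0.0.9", "192.0.2.30", 80)]
)

def find_beacons(flows, min_events=6, max_cv=0.10, min_period=30):
    """Return (src, dst, port, mean_interval, cv) for host pairs whose
    connection intervals are unusually regular (low coefficient of variation)."""
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        times[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few samples: any two flows look "periodic"
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg < min_period:
            continue  # back-to-back bursts (page loads, retries), not a timer
        cv = pstdev(gaps) / avg  # spread of the gaps relative to their mean
        if cv <= max_cv:
            hits.append((src, dst, port, round(avg, 1), round(cv, 3)))
    return sorted(hits, key=lambda h: h[4])  # most regular first

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print("possible beacon: %s -> %s:%d every ~%ss (cv=%s)" % hit)
```

Interval regularity alone misses malware that randomizes its check-in timing, and it also flags benign timers such as update checks, so hits are leads to investigate rather than verdicts.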





Damballa’s Failsafe solution is a network appliance that connects to a span port and monitors all network traffic. The purpose, as Newman points out, is to discover the unknown: a Trojan or bot that has evaded detection and is sitting on some infected host. They also provide a slimmed-down version for ISPs, Damballa CSP, that relies mostly on DNS queries and, in one case, scales to 30 million subscribers on a single sensor.

Damballa has uncovered some new methods of analyzing domain registrations and the reputation of domain-IP address pairs to inform their devices of new malicious domains. This FirstAlert service is maintained in the cloud and relies on five years of history of domains and their reputations.

To get an education on beaconing and how detection can uncover those unknown infections, watch my interview with Stephen Newman. Since he claims that 100% of their prospects and clients have infections that Damballa discovers, it may be an interesting challenge to monitor your own networks for these digital spies that are siphoning off your information.
