Seculert uses big data security analytics to precisely identify APTs and other malware

Despite huge expenditures on enterprise security infrastructure, including firewalls, IPS and other devices, Gartner claims 95% of enterprises are already compromised with advanced persistent threats or other malware. Security startup Seculert offers a new cloud service that identifies malware on your network.

Companies worldwide collectively spend $15 billion a year on computer security solutions. Nevertheless, Gartner claims 95% of enterprises are already compromised with malware, and many of them don't even know it.

No one knows precisely how many computers are infected with malware, but informed estimates range from 40% to almost 90% of computers running Windows operating systems. Smartphones are quickly becoming a targeted platform too, as more people inadvertently download apps that contain malicious code.

The types of malware range from the annoying (adware) to the insidious (rootkits). However, enterprises are most concerned about advanced persistent threats (APTs) designed to steal data such as intellectual property or to cause harm to critical infrastructure. The attacks that utilize APTs are stealthy and persistent, and they can stay under the radar for long periods of time -- weeks, months or even years. Recent studies by Mandiant and Symantec show the average amount of time it takes an enterprise to detect an attack is over a year.

[ IN PICTURES: The future of malware ]

Given the amount of money spent on security technologies and the high rate of compromised computer systems, it's obvious prevention is failing us. A company can deploy all forms of firewalls, intrusion prevention systems and antivirus/anti-malware -- but they still aren't foolproof. As long as someone in your organization is naive enough to click on a malicious link in a spear-phishing scam, it's impossible to completely prevent compromise.

In last week's newsletter I wrote about new approaches to IT security that utilize big data and security analytics (see "Security analytics will be the next big thing in IT security"). Basically, detection of malware is shifting to the cloud, while prevention and mitigation are still done on-premises. John Pescatore, a former Gartner analyst and now the director of emerging security trends at SANS Institute, says managed service providers will be first to offer services built on security analytics. In fact, the leading edge of those service providers is now bringing innovative solutions to market.

One of the early entries is from Seculert, a cloud-based security startup. Seculert uses advanced techniques to detect the presence of malware and tells you precisely which devices are infected so you can directly address the problem. The solution works on devices both inside and external to your network, including remote access users, partners and customers.

Seculert's solution consists of three modules known as Swamp, Echo and Sense.

Seculert Swamp is an elastic, cloud-based, automated malware analysis service. This module automatically analyzes 40,000 different samples of unknown malware every day. The malware samples come from different sources, such as security industry partners like antivirus companies, Seculert's own internal research, and the other modules of the system. Also, customers can upload suspicious files to Seculert's cloud for analysis. The end result is a model profile of malware which Echo and Sense can use.

What's unique about Swamp is it is automated malware analysis which allows the malware to evolve over time -- minutes, hours, or however long it takes to observe and analyze the software's behavior. By comparison, a typical sandbox malware inspection environment doesn't allow the malicious software to run more than a few minutes, so a sandbox solution might overlook malware that doesn't operate in that time frame.

The second module, Seculert Echo, intercepts botnet traffic. Using results from Swamp, Seculert infects a lab full of its own devices with malware in order to become a member of various botnets so the company can learn exactly who is controlling each botnet. Seculert applies different methods to intercept the botnet traffic and by that they can detect other members of the botnet and also collect the actual traffic that travels within this botnet. They actually see the traffic that flows from the other bot members to the command and control servers. Using this technique, Seculert identifies 7 million new unique infected IP addresses every day.

Seculert customers provide identifying keywords such as their IP ranges or Web interface domains, and that information is used to search the data that was collected from the botnet traffic. This allows Seculert to identify its customers' devices that are participating in a botnet. Customers receive a report that shows precisely which devices are compromised. This information can be integrated into on-premises security devices for blocking or remediation. Also, customers can drill down to see more information about the threats: Who owns the machine? What is the actual threat? What is the risk? What actions are recommended?

The final module of the solution is Seculert Sense. Subscribers to the service upload on an ad hoc or ongoing basis months or even years worth of their gateway traffic log data to Seculert's elastic big data analysis cloud, where it is analyzed against the malware samples from the Swamp module. In addition, Sense applies a wide variety of methodologies -- such as malicious traffic correlation from live botnets, domain/IP reputation, DGA detection (domain generation algorithm), machine learning sets and more -- to detect suspicious and malicious activity in these Internet traffic logs.

Whenever Seculert Sense identifies malicious activity in any given log source, it will automatically be able to detect similar activities in other sources, even if the logs originate from different vendors' products. This enables discovery of targeted attacks across distributed enterprise environments, or even across multiple organizations and industries.

Sense enhances existing security solutions that Seculert customers have. They can upload log files from existing secure web gateway or proxy solutions (such as Bluecoat, Squid and more) and Seculert Sense will automatically identify previously undetected malware attacks. The information can then be integrated back to on-premises security solutions using a RESTful API.

Users can see a wealth of forensics information about the detected attacks in reports available in the Seculert Web dashboard. This includes the ability to see all information related to the malware activity, and all URLs involved in delivery or phone-home of the malware.

Seculert's entire solution is delivered as a cloud-based service. Customers don't need to install new hardware or software or make changes to the enterprise network. It is a protection platform designed to enhance existing security defenses by giving them added intelligence so they can work better.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2013 IDG Communications, Inc.

IT Salary Survey: The results are in