Malicious software is nothing new. Computer viruses and worms have been around for decades, as have most other families of malware like remote access tools (RATs) and key loggers. But all our experience with malware hasn’t made the job of knowing when our organization has been hit by it any easier.
In fact, recent news stories about breaches at Home Depot, Target, Staples and other organizations make it clear that even sophisticated and wealthy corporations can easily overlook both the initial compromise and endemic malware infections – and at great cost. That may be why phrases like “dwell time” or “time to discovery” seem to pop up again and again in discussions of breach response. There’s no longer any shame in getting “popped.” The shame is in not knowing that it happened.
Greg Hoglund says he has a fix for that latter problem. His new company, Outlier Security, isn’t “next generation anti-virus.” Instead, it’s technology that fills a gap in the incident response chain: facilitating access to a wide range of forensic information that resides on infected (Windows) endpoints, but that isn’t easily retrievable by traditional incident response and security information and event management (SIEM) products.
As Hoglund describes it, modern malware is vulnerable to discovery for one key reason: it is software. And, as software, malware has to interact with the host it’s running on. Those interactions invariably leave traces that a knowledgeable investigator can uncover and, thus, reveal the compromise. That’s what Outlier’s technology does.
Despite the millions invested in network-based intrusion detection, perimeter defenses and SIEM products, the endpoint ends up being the richest source of forensic information on malicious activity on the network. Endpoints (and Hoglund means Windows endpoints) record a great deal of what happens on the host (more, the more auditing is enabled) as logged events, registry changes, and file and registry timestamps. He refers to these telltale signs as “splash patterns” that reveal the moment of infection or the actions of a malicious program.
“In nearly all the examples I run across in the field, malware must interact with other systems to install itself, or to survive in the long term. There’s some level of interaction with other components…It’s very difficult to make malware completely invisible,” Hoglund told me.
Outlier’s technology is capable of quickly scanning for those splash patterns, and reporting its findings back up to SIEM platforms, allowing IT teams to identify compromised hosts and begin a forensic examination.
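To make the idea concrete, here is a small scanner written for this page as an added example. It is not Outlier Security's product and not code Hoglund has published; it only illustrates the approach described above: malware that persists must touch the host, and those touches (a dropped file, an autorun value, a scheduled task) cluster in time around the moment of infection. The artifact records, the host name WS-ALICE-01, the list of user-writable directories and the clustering thresholds are all constructed assumptions for the example; a real collector would pull these records from the live registry, file system and task scheduler.

```python
"""Scan Windows-style host artifacts for 'splash patterns'.

Added example, not Outlier Security's code. Three checks over constructed
sample data: persistence pointing at a user-writable directory, a file whose
modified time pre-dates its creation time, and several distinct artifact
types referencing the same binary within a short window. Findings are
emitted as JSON lines that a SIEM could ingest.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json
import re

# Directories an unprivileged dropper can write to. Assumed heuristic list,
# not a complete inventory of user-writable locations on Windows.
USER_WRITABLE = re.compile(
    r"(\\appdata\\local\\temp\\|\\appdata\\roaming\\|\\downloads\\|"
    r"\\users\\public\\|\\programdata\\[^\\]+\.exe$|\\windows\\temp\\)",
    re.IGNORECASE,
)

# Constructed sample artifacts from one host (assumption: the collector
# normalises registry values, files and tasks to this shape).
SAMPLE_ARTIFACTS = [
    {"type": "registry_run",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "path": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "time": "2014-11-03T14:02:11"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "time": "2014-11-03T14:01:58",        # creation time
     "modified": "2009-07-14T01:14:00"},   # modified time pre-dates creation
    {"type": "scheduled_task", "name": "SystemUpdate",
     "path": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "time": "2014-11-03T14:03:40"},
    {"type": "registry_run",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "path": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "time": "2014-09-20T09:15:00"},
    {"type": "file", "path": r"C:\Windows\System32\svchost.exe",
     "time": "2013-08-22T11:30:00", "modified": "2013-08-22T11:30:00"},
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_suspicious_persistence(artifacts):
    """Autorun entries (Run keys, tasks) whose target lives in a user-writable directory."""
    return [{"rule": "persistence_from_user_writable_path", "artifact": a["type"],
             "path": a["path"], "time": a["time"]}
            for a in artifacts
            if a["type"] in ("registry_run", "scheduled_task")
            and USER_WRITABLE.search(a["path"])]


def find_timestomping(artifacts):
    """Files whose modified time is earlier than their creation time.

    Weak on its own (copying a file produces the same pattern); it gains
    weight when the same binary also shows up in the other checks.
    """
    return [{"rule": "modified_before_created", "artifact": "file",
             "path": a["path"], "time": a["time"], "modified": a["modified"]}
            for a in artifacts
            if a["type"] == "file" and parse(a["modified"]) < parse(a["time"])]


def find_splash_patterns(artifacts, window=timedelta(minutes=5), min_types=3):
    """Several distinct artifact types naming the same binary inside `window`.

    Installing and persisting a payload touches the file system, the registry
    and/or the task scheduler within moments of each other; that cluster is
    the 'splash' of the infection.
    """
    by_path = defaultdict(list)
    for a in artifacts:
        by_path[a["path"].lower()].append(a)
    findings = []
    for path, group in by_path.items():
        group.sort(key=lambda a: parse(a["time"]))
        times = [parse(a["time"]) for a in group]
        for i in range(len(group)):           # sliding window over sorted times
            j = i
            while j + 1 < len(group) and times[j + 1] - times[i] <= window:
                j += 1
            hits = group[i:j + 1]
            if len({h["type"] for h in hits}) >= min_types:
                findings.append({"rule": "splash_pattern", "path": group[0]["path"],
                                 "first_seen": hits[0]["time"], "last_seen": hits[-1]["time"],
                                 "artifact_count": len(hits),
                                 "artifact_types": sorted({h["type"] for h in hits})})
                break
    return findings


def scan(artifacts):
    return (find_suspicious_persistence(artifacts) + find_timestomping(artifacts)
            + find_splash_patterns(artifacts))


def to_siem_events(findings, host="WS-ALICE-01"):
    """One JSON line per finding, with the host name stamped on each."""
    return [json.dumps({"host": host, **f}, sort_keys=True) for f in findings]


if __name__ == "__main__":
    for line in to_siem_events(scan(SAMPLE_ARTIFACTS)):
        print(line)
```

On the constructed data the Temp copy of svchost.exe trips all three checks (two persistence hits, one timestamp anomaly, one splash), while the legitimate OneDrive autorun and the real System32 svchost.exe produce nothing. The point of the third check is the one Hoglund makes: each trace on its own is explainable, but a file drop, a Run key and a scheduled task all naming the same binary within two minutes is hard to make invisible.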
Check out my conversation with Greg in our latest Security Ledger podcast!
Listen on Security Ledger
Listen on Soundcloud.com