Circumstantial Evidence

Thursday, September 18th, 2008

Damballa’s engineering team uses an interesting internal lexicon for the various technologies employed by our Failsafe solution for enterprises. In many ways, our product architecture is modeled on the American legal system. Evidence is collected, perpetrators and victims are identified by name and other known aliases, a jury is assembled, a trial conducted, and the presence of a crime is decided by the jury’s consideration of all of the evidence.

Network security staff in many enterprises often struggle to grasp this concept, because they have been well trained in the model of host-based antivirus. They expect to be shown host-based evidence, such as a specific virus name and information about which files, registry keys, or other modifications to the compromised system confirm that the compromise is present. Damballa often cannot provide this level of precise host-based information for compromises we identify, and some of our customers initially view this as a weakness of our solution. It’s the network equivalent of lacking habeas corpus.

In many ways, however, this “weakness” is actually a key strength. Our Failsafe solution is incredibly non-disruptive compared with deployment requirements for the plethora of other, much less effective security tools. You don’t have to deploy software to each of your 100,000 Windows workstations or pass all of your Internet traffic through one of our devices in order to get the actionable information you need about compromises that exist on your network and how to eliminate them.

Instead, we look at the circumstantial evidence. It’s the network monitoring equivalent of who talked to whom, when, and what was said to each other. Some of our technologies are focused specifically on identifying patterns in these communications that are indicative of Command-and-Control (CnC) and/or attack behaviors (who, whom, and when). Other parts of our proprietary technology stack inspect what was said in the more suspicious of these conversations. Finally, we use sophisticated decision logic to correlate communication patterns with the transmission of high-risk content to draw our conclusions about who the victims are, what crimes were perpetrated against them, and by whom.
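The three-stage approach described above (timing patterns first, content inspection only for conversations already under suspicion, then a correlated verdict with its evidence) can be illustrated with a small correlator. This is an added example written for this post, not Damballa code; the flow records are constructed, the "high-risk content" markers are hypothetical placeholders for curated signatures, and the beaconing thresholds are illustrative values.

```python
"""Toy network 'jury': reaches a verdict about an internal host from network evidence alone."""
from collections import defaultdict
from statistics import mean, pstdev

MIN_FLOWS = 4      # conversations needed before a timing pattern is considered
MAX_JITTER = 0.15  # max coefficient of variation of inter-arrival time to call it "regular"
# Hypothetical content markers (assumption); a real system would use curated signatures.
RISKY_CONTENT = ("gate.php", "cmd=", ".exe")

# Constructed sample flow records: (timestamp_s, src, dst, bytes_out, payload_hint)
FLOWS = [
    # 10.0.0.5 checks in with one peer roughly every 300 s, small uniform requests
    (0,    "10.0.0.5",  "203.0.113.7",  420, "GET /gate.php?id=abc"),
    (302,  "10.0.0.5",  "203.0.113.7",  418, "GET /gate.php?id=abc"),
    (598,  "10.0.0.5",  "203.0.113.7",  421, "GET /gate.php?id=abc"),
    (903,  "10.0.0.5",  "203.0.113.7",  419, "GET /gate.php?id=abc"),
    (1199, "10.0.0.5",  "203.0.113.7",  420, "GET /gate.php?id=abc"),
    # 10.0.0.12 polls an update service on a fixed schedule, nothing risky in the content
    (0,    "10.0.0.12", "192.0.2.10",   300, "GET /update/check"),
    (600,  "10.0.0.12", "192.0.2.10",   300, "GET /update/check"),
    (1200, "10.0.0.12", "192.0.2.10",   300, "GET /update/check"),
    (1800, "10.0.0.12", "192.0.2.10",   300, "GET /update/check"),
    # 10.0.0.9 browses: irregular timing, varied peers, too few flows per pair
    (12,   "10.0.0.9",  "198.51.100.2", 9000, "GET /index.html"),
    (410,  "10.0.0.9",  "198.51.100.3", 15000, "GET /news"),
    (2200, "10.0.0.9",  "198.51.100.2", 2000, "GET /style.css"),
]


def beaconing_evidence(flows):
    """Stage 1 (who, whom, when): flag (src, dst) pairs whose timing is regular."""
    by_pair = defaultdict(list)
    for ts, src, dst, _size, _hint in flows:
        by_pair[(src, dst)].append(ts)
    evidence = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < MIN_FLOWS:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= MAX_JITTER:
            evidence[pair] = {"count": len(stamps), "period_s": avg, "jitter": jitter}
    return evidence


def content_evidence(flows, suspicious_pairs):
    """Stage 2 (what was said): inspect only the conversations already under suspicion."""
    hits = defaultdict(set)
    for _ts, src, dst, _size, hint in flows:
        if (src, dst) in suspicious_pairs:
            for marker in RISKY_CONTENT:
                if marker in hint:
                    hits[(src, dst)].add(marker)
    return {pair: sorted(markers) for pair, markers in hits.items()}


def verdicts(flows):
    """Stage 3 (the jury): correlate timing and content evidence per internal host."""
    patterns = beaconing_evidence(flows)
    content = content_evidence(flows, patterns.keys())
    result = {}
    for (src, dst), pat in patterns.items():
        case = result.setdefault(src, {"verdict": "suspicious", "evidence": []})
        case["evidence"].append(
            f"regular beacon to {dst}: {pat['count']} flows every ~{pat['period_s']:.0f}s"
        )
        if (src, dst) in content:
            # Pattern plus high-risk content together carry the case
            case["verdict"] = "compromised"
            case["evidence"].append(
                f"high-risk content to {dst}: {', '.join(content[(src, dst)])}"
            )
    return result


if __name__ == "__main__":
    for host, case in verdicts(FLOWS).items():
        print(host, case["verdict"])
        for line in case["evidence"]:
            print("   ", line)
```

On the constructed flows, 10.0.0.5 is judged compromised (regular beacon plus risky content), 10.0.0.12 is only suspicious (regular timing, clean content, which is what a legitimate update poller looks like), and 10.0.0.9 never reaches the jury at all. The point of inspecting content only for conversations that already look suspicious is the same one the post makes: the timing evidence narrows the field, and the content evidence turns a pattern into a case with something an analyst can review.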

Our enterprise customers receive a full summary of each of these network crimes and the ability to view all of the evidence we collected that led to the verdict that was rendered. Damballa provides network-derived evidence for these network-enabled crimes. That said, we are increasingly able to extract more intelligence from the network about specific host-based modifications, as well.

Much of our proprietary technology currently in development is focused on extending the actionable intelligence we provide to include specific instances of malware that have likely been installed on victim hosts, and detailed information about what modifications that malware likely made to them. These details are especially useful intelligence, as a vast amount of malware we identify is not recognized by the latest host-based tools and signatures from other vendors. Stay tuned as Damballa continues to lead the industry in these innovative technologies.

- Tripp Cox, Damballa VP of Engineering