Sourcefire Proactive Security Approach based on Analyzing Malware Trajectory

We have been covering Sourcefire for years.

This time, let's try to understand its offerings and products in layman's terms.

Firepower?

First of all, let's try to understand what Firepower really is.

Firepower is a technology by Sourcefire created to perform intrusion prevention at very high throughput rates by leveraging parallel processing across CPUs and the stacking of network modules. It is deployed as an appliance.

In short, the goal of Firepower is to be able to inspect just about every packet entering and leaving the network in order to identify potential intrusions.

Based on Firepower technology, 4 solutions are made available by Sourcefire.
  • Traditional IPS (Intrusion Prevention System)
  • Next-generation IPS (NGIPS) - with contextual awareness
  • Next-generation firewall (NGFW)
  • SSL inspection.

There is always some confusion between NGIPS and NGFW. Based on my technology instinct, I would say that the NGFW is powered by the NGIPS, which is why it is called next-gen. The difference lies in the job each one does: a firewall hardens the network with a wall, enforcing an access policy that blocks unsolicited traffic in and out (by port, application or user); an IPS inspects the traffic that the policy allows through, looking for attack patterns, and, being inline, it can also drop the offending packets. An NGFW simply combines both in one box, with the contextual awareness (applications, users, hosts) layered on top.

SSL inspection is not an IPS in itself but a companion function: it decrypts SSL/TLS sessions so that the IPS can see inside traffic that would otherwise be opaque to it.

My guess is that NGIPS suits organizations that already have a firewall but lack a good visibility solution for planning and analysis of what actually crosses it.

The Threat Landscape

According to KY Kong, Security Architect for Sourcefire Malaysia, hacking and malware incidents were the top threats of 2012.

In fact, if you look at the summary compiled by It-Sideways on computer security for Q1 2013, the following trends have emerged:
  • Threats driven by mobile computing trends such as BYOD.
  • Enterprises seeking a proactive approach to security.
  • Threats arising internally are on the rise.
  • Cyber attacks zeroing in on zero-day vulnerabilities in Adobe Flash and Oracle Java.
  • Browser security sandbox compromise is more real than myth.
  • APTs were usually politically driven.

Ok, at least our conclusion brings good news for Sourcefire, in the sense that yes, a proactive approach is the way forward for now, given that cyber attackers have stepped up their tempo recently.

As a matter of fact, just last week the US NSA Director warned that cyber attacks will get worse.

Ivan Wen, Country Manager, Sourcefire Malaysia
KY Kong, Security Architect, Sourcefire Malaysia

Retrospective AMP Solution

Coming back to Sourcefire: it also markets the FireAMP (Advanced Malware Protection) solution, an intelligent, enterprise-level malware analysis and protection solution that detects, tracks, analyzes, controls and blocks malware.

The AMP solution works side by side with Firepower.

FireAMP uses a telemetry model that leverages big data and advanced analytics in the cloud. As a result, it is able to perform retrospective analysis.

This can be understood as the ability to perform continuous malware analysis on files across endpoints: PCs, VMs, SDNs and mobile devices.

To achieve that, it uses the concept of trajectory, where it captures information on every file (as a potential piece of malware) pertaining to:
  • network attributes, such as the point of entry and the protocol used;
  • owner/origination attributes, such as the device ID and owner ID of where the file came from;
  • destination attributes, such as the device ID and user ID of those who downloaded or received the file.

A file previously considered safe is subjected to continuous re-analysis as the intelligence is renewed. Should it later be found to be malicious, the appropriate action is performed based on the trajectory information already on record: every device and user that ever received the file can be identified from the stored events, without having to rescan the whole fleet.
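To make the trajectory idea concrete, here is an added illustration in Python. It is not FireAMP code and does not reflect Sourcefire's data model; it is the smallest thing that shows the mechanism the text describes. Files are keyed by hash, every event stores the three attribute groups from the list above (entry protocol, source device/user, destination device/user), and when a verdict flips from clean to malicious the response is derived from the recorded trajectory rather than from a new scan. The event names ("network_entry", "copy", "execute"), the action names and the sample events are all constructed for the example.

```python
"""Toy file-trajectory store with retrospective verdict handling.

Added illustration only, not Sourcefire/FireAMP code. Event kinds, action
names and the sample trajectory below are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: int                  # seconds; ordering gives the spread path
    sha256: str              # file identity, the key everything hangs off
    kind: str                # "network_entry", "copy" or "execute" (assumed names)
    device: str              # destination device ID
    user: str                # destination user ID
    protocol: str = ""       # network attribute, set on network_entry
    source_device: str = ""  # origination attribute, set on copy


class TrajectoryStore:
    """Records file events per hash and re-evaluates them when a verdict changes."""

    def __init__(self):
        self._events = defaultdict(list)  # sha256 -> [FileEvent]
        self._verdicts = {}               # sha256 -> "unknown"|"clean"|"malicious"

    def record(self, ev: FileEvent) -> None:
        self._events[ev.sha256].append(ev)
        self._verdicts.setdefault(ev.sha256, "unknown")

    def trajectory(self, sha256: str) -> list:
        return sorted(self._events[sha256], key=lambda e: e.ts)

    def entry_points(self, sha256: str) -> list:
        """(device, user, protocol) for every network ingress of the file."""
        return [(e.device, e.user, e.protocol)
                for e in self.trajectory(sha256) if e.kind == "network_entry"]

    def spread_path(self, sha256: str) -> list:
        """Ordered hops (from, to); the first hop is the network entry."""
        hops = []
        for e in self.trajectory(sha256):
            if e.kind == "network_entry":
                hops.append(("network:" + e.protocol, e.device))
            elif e.kind == "copy":
                hops.append((e.source_device, e.device))
        return hops

    def set_verdict(self, sha256: str, verdict: str) -> list:
        """Store the new verdict; on a flip to malicious, return retrospective actions."""
        previous = self._verdicts.get(sha256, "unknown")
        self._verdicts[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return []  # nothing new to act on
        return self.retrospective_actions(sha256)

    def retrospective_actions(self, sha256: str) -> list:
        """Derive the response from stored history, not from a fresh scan."""
        holders, executed = [], set()
        for e in self.trajectory(sha256):
            if e.device not in holders:
                holders.append(e.device)
            if e.kind == "execute":
                executed.add(e.device)  # file ran here: treat host as compromised
        actions = [("isolate_host" if d in executed else "quarantine_file", d)
                   for d in holders]
        actions += [("block_at_ingress", proto, dev, user)
                    for dev, user, proto in self.entry_points(sha256)]
        return actions


def build_sample_store():
    """Constructed sample: a download on one laptop spreads via a file server."""
    h = "deadbeef" * 8  # placeholder SHA-256, constructed for the example
    store = TrajectoryStore()
    for ev in [
        FileEvent(100, h, "network_entry", "laptop-01", "alice", protocol="http"),
        FileEvent(160, h, "copy", "fileserver-01", "alice", source_device="laptop-01"),
        FileEvent(300, h, "copy", "laptop-07", "bob", source_device="fileserver-01"),
        FileEvent(320, h, "execute", "laptop-07", "bob"),
    ]:
        store.record(ev)
    return store, h


if __name__ == "__main__":
    store, h = build_sample_store()
    print("initial intel says clean:", store.set_verdict(h, "clean"))
    print("spread path:", store.spread_path(h))
    print("intel flips to malicious:", store.set_verdict(h, "malicious"))
```

Run it and the first verdict produces no actions, while the later flip to "malicious" yields a quarantine on the two hosts that merely stored the file, an isolation of the host that executed it, and a block for the HTTP ingress on the original laptop, all worked out from events recorded before anyone knew the file was bad. Repeating the malicious verdict returns nothing, so a noisy intelligence feed does not re-trigger the same response.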
