Cloud malware analysis a must-have for advanced threat protection

Cloud-based malware analysis is becoming a must-have feature for both established and upstart advanced threat protection vendors.

The cloud isn't just a destination for users' data and applications. Now it's a destination for malware as well -- and, surprisingly, that may be a good thing.

Advanced malware protection vendors such as Cisco Systems Inc.'s Sourcefire unit, Palo Alto Networks Inc. and upstarts like Lastline Inc. have created cloud-based virtual sandboxes where malware and other potentially malicious code can be quickly analyzed and identified.

The idea behind using the cloud for advanced malware detection and protection is simple: As the amount of malicious code circulating the Web grows, cloud-based virtual sandboxes give malware protection vendors an expandable resource which addresses that growth.

Lawrence Pingree, analyst and research director at Stamford, Connecticut-based Gartner Inc., confirmed that the scalability of these cloud-based virtual sandbox environments is their primary advantage, and the reason use of the technology by advanced malware protection vendors has quickly grown from an emerging trend a year or two ago to a key part of their product portfolios.

"The cloud gives them the ability to scale out quickly, whereas an on-premise appliance is much harder to scale," Pingree said. "I do believe these sorts of virtual sandbox solutions are very important tools in advanced malware identification and protection for that reason."

For Lastline's own newly announced advanced malware protection offering, the cloud aspect of the process is fairly simple: Lastline's anomaly-based sensor detects suspicious or unidentified files, code or network behavior and compares its findings against known malware and other threats. If the potential threat is still unidentified, the code or file is uploaded to Lastline's private cloud sandbox for more in-depth analysis.


The elastic nature of the virtual sandbox enables it to scale up or down, adding CPU, memory and storage depending on the number of files being uploaded. In addition, the sandboxes are designed to emulate full computer systems, giving Lastline the same perspective on any potentially malicious activity as an end user would have, according to the Redwood Shores, California-based vendor; the analysis is performed outside the guest operating system and run through the CPU.

Brian Laing, vice president of product and business development at Lastline, said the vendor has seen customers upload "hundreds of thousands of files and programs a day" since Lastline launched in 2011.

So what causes the number of uploads to Lastline's private cloud sandbox to spike? Laing said it depends. While there are a growing number of high-profile data breaches and infamous malware incidents, Laing said there are countless malicious programs and files, from simple keylogging programs to basic email Trojans, that collectively can push the needle up.

"The spikes aren't necessarily because of a new malware file being downloaded," Laing said, "but because the total number of malware pieces and malicious code is growing and there's just so much more of it every day."

Because the system aggregates files and metadata in one location in the cloud, Laing said Lastline believes its cloud gives it a decided advantage against competitors in the speed of its malware analysis capabilities.

"If we see a large number of customers with a large number of similar requests, then we know that's indicative of a larger infection. So cloud also provides us a more rapid response ability to analyze and address the malware," Laing said. "And if 100 customers saw a new type of malware, then all 100 would have to analyze it separately in their networks. But now, collectively they can communicate with our cloud and we can respond faster to potential threats."

Pingree said advanced malware protection products that use cloud-based malware detection and analysis features hold a significant speed benefit over products that don't use the cloud. But the cloud frontier isn't without its own risks and complications.

"The downside to this is that you have to submit the files to an outside source in the cloud," he said. "For a lot of companies, there may be regulatory and compliance issues that prevent that sort of thing."

Laing said the on-premise version of his company's Lastline Enterprise product costs more than the cloud version, but a number of customers still use the on-premise version, which transmits only the metadata of suspicious files and code to Lastline for additional analysis.

"It comes down to a policy decision," Laing said, adding that many financial services clients aren't permitted to transmit certain types of files and data to third parties.
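The workflow the article sketches (a sensor checks a file against known verdicts, only unknown samples go to the cloud sandbox, a site policy decides whether the full file or just its metadata leaves the network, and the vendor correlates the same unknown sample across customers) can be modelled as a small triage gate. This is an added illustration, not Lastline's code; the verdict cache, file-type table, thresholds and sample data are all constructed for the example.

```python
"""Added example (not Lastline's code): a local triage gate modelled on the
workflow the article describes. A sensor first checks a suspicious file
against known verdicts; only unknown samples go to the cloud sandbox, and a
site policy decides whether the full file or only its metadata is sent.
All names, thresholds and sample data are constructed for illustration."""
import hashlib

# Constructed verdict cache standing in for "known malware or other threats".
KNOWN_VERDICTS = {
    hashlib.sha256(b"constructed malicious sample").hexdigest(): "malicious",
    hashlib.sha256(b"constructed known-good installer").hexdigest(): "clean",
}

# Magic-byte sniffing so metadata carries a file type without the content.
_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"%PDF": "pdf", b"PK\x03\x04": "zip"}


def file_metadata(data: bytes) -> dict:
    """Content-free descriptors a metadata-only deployment may still transmit."""
    ftype = next((t for m, t in _MAGIC.items() if data.startswith(m)), "unknown")
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data), "type": ftype}


def triage(data: bytes, metadata_only: bool) -> dict:
    """Return the cached verdict if there is one, else the submission the policy allows."""
    meta = file_metadata(data)
    verdict = KNOWN_VERDICTS.get(meta["sha256"])
    if verdict is not None:
        return {"action": "verdict", "verdict": verdict, **meta}
    # Unknown sample: regulated sites (the financial-services case in the
    # article) send descriptors only; others upload the file for sandboxing.
    action = "submit_metadata" if metadata_only else "submit_file"
    return {"action": action, **meta}


class FleetCorrelator:
    """Counts distinct customers reporting the same unknown hash, so a sample
    seen from many sites can be flagged as a wider infection (the "100
    customers" case Laing describes)."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.sightings: dict[str, set[str]] = {}

    def report(self, customer: str, sha256: str) -> bool:
        """Record a sighting; True once the hash has been seen from `threshold` customers."""
        self.sightings.setdefault(sha256, set()).add(customer)
        return len(self.sightings[sha256]) >= self.threshold
```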

Even if it isn't expressly a compliance violation to upload certain files and data to a third-party cloud, businesses may still be apprehensive about sending sensitive data to the cloud -- regardless of whether it's private or public. But Pingree said the speed and scalability advantages of cloud-based malware protection are too strong to ignore.

"It's not the standard now," Pingree said, "but it could be in the future."
