Executives at security startup TaaSERA, Inc. believe their new malware detection technology can identify attacks before information is sent back to a remote server, enabling incident response teams to remove malware before it results in a data breach.
The Cupertino, Calif.-based company's technology sheds malware signatures for deeper behavioral analysis for malware detection. Using static and dynamic analysis and whitelisting, the agents can check to determine if files are acting suspiciously. The detection technology's attack warning and response engine collects data, combining it with threat intelligence feeds, and uses behavior modeling to score potential actions that need to be addressed, said Srinivas Kumar, TaaSERA's chief technical officer who previously served as a security architect at VMware.
"Our approach of analysis is radically different," Kumar said. "We look at detection as the trigger for analysis rather than taking everything on the wire and analyzing it."
The TaaSERA (Trust-as-a-Service) technology is based on research conducted at SRI International, formerly the Stanford Research Institute. The technology analyzes the data it collects to identify the early stages of malware activity. Over days and weeks it can identify patterns, looking for actions, such as a piece of malware reaching out to a command-and-control server to communicate that it has infected a system. It builds an evidence chain, which eventually builds up, triggering an alert that the system is potentially infected.
The company is still testing its technology, but it plans to use it in the release of its NetAnalyzer, PC Analyzer and AWARE Mobile app for Android within the next several months. A threat intelligence service is also being developed.
NetAnalyzer inspects the same traffic that a network intrusion detection or intrusion prevention system (IDS/IPS) appliance would examine. Instead of looking for malicious traffic, the technology looks for bad behavior by correlating activity and communications that happen between internal systems and external systems, Kumar said.
"We're looking at an internal system that has been communicating with other internal systems or with external systems, building into a lifecycle a model of potential threats," Kumar said. "The detection is based on traversing the early malware lifecycle rather than signatures."
NetAnalyzer comes with a console to view the network at a glance, generates reports and configures the threshold used to generate alerts from the modeling scores.
NEXT: Other Security Firms Use Behavioral AnalysisTaaSERA will be one of a number of new security startups touting behavioral analysis and other methods as part of a proactive defense strategy next month at RSA Conference. Security experts say organizations may be able to employ offensive tactics against cybercriminals by using deception, phony environments and next-generation honeypotting. To be effective, enterprises need to detect malware quicker than ever before, said TaaSERA's Kumar, who believes his tool can help support the offensive approach by enabling incident response teams to quickly quarantine a potential threat, setting up a phony, virtual environment to study the malware and determine its purpose.
"This is positively proactive and could help my clients get a notch ahead," said Howard Johnson, president, TSCM Security Services, a Marlboro, Md.-based firm that specializes in computer security and counter surveillance technologies. The firm recently started testing the TaaSERA technology and Johnson said he believes it holds promise. "After it establishes a baseline for your network you can see abnormal activity in real-time."
TaaSERA has been compared to Milpitas, Calif.-based FireEye, Inc., led by former McAfee CEO Dave DeWalt, which does stateful inspection packet analysis to detect threats, rather than using signatures. Other companies, such as Palo Alto Networks and Damballa inspect traffic looking for abnormal behavior. TaaSERA, led by Scott Hartz, the former CEO of PwC Consulting, differentiates itself through its analysis engine, Kumar said. Rather than looking for traffic that doesn't fit a set profile, the analysis finds trends over time, reducing false positives, he said.
The company plans to sell its detection technology as a virtual appliance and is seeking early adopter customers in the financial industry, retail, energy and government and critical infrastructure facilities.
The TaaSERA Android mobile app and Windows endpoint technology looks for the target configuration on the device or PC that sets off the malware. It could be a keystroke, a combination of keystrokes or another activity, Kumar said. The system monitors user action, application action and system action to look for anything out of the ordinary.
"We're looking at the fuse that triggers the malware," Kumar said of the endpoint agents. "We cluster these actions, and [over a period of time], we see if this is a natural progression of events or not."
PUBLISHED JAN. 28, 2013