FireEye's network security platform has gained praise for its ability to detect custom malware used in targeted attacks, but there's been a problem: Once malware is identified, it has to be handled manually. To help automate that process, security vendor Verdasys this week introduced a data connector the firm says contains threats detected by FireEye's system.
The Verdasys feed takes action on alerts generated by the FireEye appliance, applying basic security rules to identify infected endpoint systems and devices and then either quarantine them or take them completely offline. The platform can also apply protection, blocking the malware from infecting other systems, said Marcus Brown, vice president of business development at Verdasys.
"They send over the indicators to us, and we can validate if we've seen it already and which endpoints have been infected by it," Brown said.
Waltham, Mass.-based Verdasys said its Digital Guardian Connector for FireEye can protect corporate laptops and provide protection on physical and virtual laptops, desktops and servers. The platform also submits suspicious artifacts collected on host systems for analysis by the FireEye appliances.
FireEye has been gaining a lot of attention for its Malware Analysis System, which takes a snapshot of all platforms in the company environment to test suspicious files in a virtual machine. The goal is to detect custom malware and zero-day threats designed to thwart traditional security systems. Until now, FireEye has been deployed by organizations with deep pockets that have mature IT teams who can handle incident response activities, addressing alerts generated by the platform, said Rick Holland, a senior analyst at Forrester Research Inc.
"Most of customers I'm seeing are doing the analysis out-of-band anyway, so they're not expecting real-time inspection," Holland said. "Some people say they went in expecting more than they got out of a deployment, but once they understand how to use it, they're very pleased with the product and see that it's detecting things that traditional network appliances are missing."
FireEye is in an emerging market for advanced malware detection technologies. Other firms with similar capabilities include Trend Micro's Deep Discovery platform, as well as next-generation firewall maker Palo Alto Networks and intrusion detection system maker Sourcefire, which was recently acquired by Cisco Systems. Sourcefire's technology, which has built-in file behavioral analysis engines, detonates suspicious files in an isolated environment and examines their behavior to identify previously unknown malware.
Other security firms are providing connectors to FireEye. Cupertino, Calif.-based network access control vendor ForeScout uses a FireEye API to feed threat metadata into its CounterACT product.
The Verdasys connector may provide a much-needed bridge between networking teams and endpoint system administrators who commonly address infected systems, said Andreas Mertz at IT-Cube, a certified FireEye partner based in Munich, Germany. The consultancy and system integrator has sold FireEye appliances mainly to large organizations that deploy the technology alongside other threat detection systems.
"Verdasys is not network-centric; it's endpoint-centric. And, FireEye is not endpoint-centric; they are network centric, so this can provide a way to make taking action on alerts more efficient," Mertz said.
Verdasys competes in a crowded market for data loss prevention technology, said Forrester's Holland. The company competes against traditional endpoint security vendors Symantec and McAfee as well as Websense and RSA, the security division of EMC. The connector could help Verdasys pivot into a broader competitive landscape that includes firms such as Mandiant, Bit9, EnCase and HBGary, now part of ManTech International, Holland said.
PUBLISHED SEPT. 18, 2013