Antivirus vendors have long used sandboxes--benign computing environments--as a way to study captured malware and write signatures, which they push out to their customers' antivirus scanning engines, to arrest further copies of the malware. But with their own malware sandbox, security managers could craft bespoke virtual patches to block emerging malware without waiting for a signature update.
"Sandboxes have been used in consumer products--GreenBorder, acquired by Google--to prevent the escape of malware, and by AV vendors--Norman for one--to segregate malware for analysis," Richard Stiennon, chief research analyst for IT-Harvest, a security industry analyst firm, said in an email interview. "To make a sandbox available in an enterprise usable form is a great improvement over existing offerings."
Using sandboxes enables security-conscious organizations to more rapidly address outbreaks. "IT analysts are often frustrated by lack of responsiveness from their AV vendors when they submit new malware samples," he said. "This product will be very useful in helping them understand the severity and intent of infections they have found."
Trend Micro on Monday also released new security information management (SIM) software called Threat Intelligence Manager, and updated its Threat Management System with better network-based malware detection and remediation capabilities. Interestingly, by using those two products, together with the Dynamic Threat Analysis System, plus a Threat Discovery Appliance, and a small software agent that runs on PCs, IT administrators can set them to automatically remediate any malware that the software discovers.
Kevin Faulkner, director of product marketing for Trend Micro, said in a telephone interview that the small, required software agent, which works with Threat Management System, is compatible with any other security software that might be running on the PC. "It's silent unless activated," he said, though it maintains a log of system changes. "If activated, it will go back through its own log files and tracking that it's doing on the system, to effect the remediation," he said.
Such automated remediation capabilities are available via some other security products. "The one that comes closest is from Guidance Software that uses HBGary technology to 'nuke' malware once it is detected anywhere on the network," said IT-Harvest's Stiennon. But using the combination of Trend Micro products noted above appears to provide a unique combination of capabilities. "There are several competitors to each of the Trend offerings but no comprehensive offerings that include all three," he said.
How important is spotting outbreaks and then automatically remediating them? Faulkner said that about half of Trend Micro's customers that can use automatic remediation, do, while the other half handle it manually.
Stiennon said the bigger issue--at least, based on market growth--is that security administrators must spot outbreaks as quickly as possible, to minimize any resulting damage. "The one area that is getting a lot of traction lately is the ability to detect already compromised machines on the inside of a network. NetWitness--just acquired by RSA/EMC, Damballa, and FireEye are all growing rapidly--over 100% per year--because of these offerings," he said.
One way to spot compromised PCs is by watching inbound and outbound traffic to monitor for signs of malware. "Trend has had this ability to detect when a computer communicates with command and control servers for a year, but has not been marketing it until now," said Stiennon.
Watching not just for incoming malware, but also outbreaks, is essential because no antivirus software reliably detects all malware. Indeed, attackers might craft never-before-seen malware, such as Stuxnet, or modify existing malware to escape detection. As a result, according to a 2010 NSS Labs study, even the best-performing antivirus software only blocked 79% of malware on download, or 90% by the time it attempted to execute.
As indicated by Trend Micro now pitching a sandbox at businesses, however, every minute counts after a business discovers malware running on its PCs. "Two years ago I would have said this was not of interest, except to customers with a security operations center, or government agencies," said Faulkner. "But I think we'll see fully 25% of our enterprise customers opting for this technology."
In the new, all-digital Dark Reading supplement: What industry can teach government about IT innovation and efficiency. Also in this issue: Federal agencies have to shift from annual IT security assessments to continuous monitoring of their risks. Download it now. (Free registration required.)