Sourcefire is expanding its malware tracking and visibility capabilities today with an update to the company's Advanced Malware Protection solutions portfolio. The new capabilities include both end-point and network-based features to track and identify malware when it enters an enterprise.

"One of the things we continue to see despite all the layers of defense on the network and on devices is that threats are still getting in," Oliver Friedrichs, SVP of Cloud Technology and Strategy, at Sourcefire, told eSecurity Planet. "One of the reasons for that is that file-based detection simply is not effective anymore."

Since detection rates are low, threats are getting through and as a result many enterprise don't know how a threat got into a network or where it went. That's where Sourcefire's improved Network File Trajectory comes into play. Sourcefire first introduced file trajectory capabilities at the beginning of 2012 on its FireAMP malware device.


Going a step further, Sourcefire is now enabling Device Trajectory capabilities for FireAMP. This increases the ability to see file activity as it passes through a network.

Adding Depth to Malware Detection

"This allows you to drill very deeply into a device and determine the specifics of a malware infection," Friedrichs said.

Originally FireAMP offered a breadth-based approach to finding malware within an organization. As such, the system was able to pinpoint on which devices malware resided. With the device trajectory, Sourcefire has added a depth-based approach that enables enterprise admins to find malware within a given device in a very specific manner. The system is able to identify which application or action introduced the malware in the first place.

The device trajectory feature enables Sourcefire to track the ancestry of malware on a given device and thus offer a full view of the infection. In contrast, normal anti-virus typically only detects the top level of an infection. The improved network and device trajectory capabilities are part of the FirePOWER 5.2 software update.

A possible use case in which the new capability could help is defending against the recent spate of Java-based attacks.

"A power grid customer of ours on the West Coast of the U.S. was able to use these new features in order to determine that a recurring infection from a trojan was actually happening as a result of Java introducing the trojan onto the computer," Friedrichs said. "Then the trojan itself continued to re-introduce new artifacts onto the computer."

Not SIEM

The concept of tracking outbreak data over time to find the root cause is a familiar one for SIEM vendors. IBM for example is using its QRadar SIEM as the core of a security solution offering to help hunt down malware threats.

Friedrichs does not see the new Sourcefire capabilities as being SIEM-like.

"SIEMs typically work at a level higher than a view into the file activity itself," Friedrichs said. "They work very well at capturing and correlating events."

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.