FireEye Touts Next-Generation Malware Protection


Milpitas, Calif.-based FireEye, a specialist in malware detection, today took an aggressive step into the malware prevention sphere with a new line of inline network security appliances.

FireEye claims its integrated Malware Protection System (MPS) can stop 90 percent of the modern malware attacks missed by traditional intrusion prevention, Web filtering and antivirus products. The FireEye MPS appliances use a fully integrated inbound and outbound malware-blocking defense. They block both targeted attacks and transmissions by existing malware infections through the use of local network analysis and global data from the FireEye MAX Cloud Intelligence network.

"We use a two-phased approach," said Marc Maiffret, chief security architect at FireEye. "In the first phase, we are looking at Web-based traffic."

FireEye's detection approach is not signature-based. Instead, it uses a real-time virtual-machine (VM) filter that replays content to detect and stop zero-day malware and targeted attacks, which are often embedded in Web pages, PDFs and other online content.

"The gap between targeted attacks and everyday cyber crime is disappearing," Maiffret said, adding that reactive, signature-based security technology is not enough to deal with the sophistication of today's security threats. "As vulnerabilities and threats continue to evolve, the technologies that are based on the reactive, signature approach are only as good as what we know or our heuristics."

Maiffret explained that the network-based MPS appliance leverages FireEye's expertise in malware detection to monitor Web traffic on the network for suspicious activity. For instance, the Aurora attack that penetrated Google's single sign-on password system, as well as a number of other companies, used obfuscated JavaScript to hide the exploit. FireEye customers who were targeted by Aurora and using test versions of the MPS were able to detect and stop it, Maiffret said.

Once suspicious traffic is identified, the second phase involves replaying the entire Web session through a set of virtual machines inside the appliance. It is then easy to see whether the virtual machine becomes compromised, Maiffret said. He explained that identifying suspicious traffic first and then testing it in the virtual machine allows the FireEye appliance to deliver comprehensive and accurate detection of attacks at near-zero false-positive and false-negative rates, with near-zero latency.
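The two-phase design above is only sketched in the article. The following is an added example, not FireEye's code, of what a phase-1 triage filter can look like: it scores a Web response body for the obfuscation tell-tales that exploit pages such as Aurora relied on (escape-encoded shellcode, eval/unescape/fromCharCode loaders, long high-entropy literals) and decides whether the session is worth the cost of a VM replay. The three page samples, the weights and the threshold are constructed for illustration.

```python
"""Phase-1 triage: heuristic scoring of Web content for obfuscated JavaScript.

Added example, not FireEye code. Scores a response body and decides whether
the session should be replayed in a VM (phase 2). Samples are constructed.
"""
import math
import re
import string
from dataclasses import dataclass, field

# Calls that obfuscated loaders use to turn strings back into code or bytes.
SUSPICIOUS_CALLS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(")
# Runs of \x41 / %41 / %u4141 escapes: encoded shellcode and payloads look like this.
ESCAPE_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}|%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}){8,}")
STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'')

VM_THRESHOLD = 4  # constructed: a score at or above this sends the session to phase 2


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def send_to_vm(self) -> bool:
        return self.score >= VM_THRESHOLD


def shannon_entropy(s: str) -> float:
    """Bits per character; packed or encrypted blobs score well above plain code."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage(body: str) -> Verdict:
    """Score one HTTP response body; weights are constructed for the example."""
    v = Verdict()
    for call in SUSPICIOUS_CALLS:          # weak signals: benign ad tags use these too
        if call in body:
            v.score += 1
            v.reasons.append(f"uses {call}")
    if ESCAPE_RUN.search(body):            # strong signal: escape-encoded payload
        v.score += 2
        v.reasons.append("long run of hex/unicode escapes")
    for m in STRING_LITERAL.finditer(body):  # strong signal: packed blob in a literal
        lit = m.group(0)
        if len(lit) >= 200 and shannon_entropy(lit) > 4.5:
            v.score += 2
            v.reasons.append(f"high-entropy literal ({len(lit)} chars)")
            break
    longest = max((len(line) for line in body.splitlines()), default=0)
    if longest > 2000:                     # weak: minified libraries are long-lined too
        v.score += 1
        v.reasons.append(f"line of {longest} chars")
    return v


# --- constructed samples ---------------------------------------------------
BENIGN_AD_TAG = """<script type="text/javascript">
var adUrl = "https://ads.example.net/show?slot=leaderboard&rnd=" + Math.random();
document.write('<iframe src="' + adUrl + '" width="728" height="90"></iframe>');
</script>"""

EXPLOIT_PAGE = """<html><body><script>
var sc = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%uc0e8");
var nop = ""; while (nop.length < 0x40000) nop += "%u0c0c";
eval(String.fromCharCode(118,97,114,32,120,61,49));
</script></body></html>"""

# A 2100-char near-uniform blob stands in for a packed second stage.
_ALPHABET = string.ascii_letters + string.digits
PACKED_BLOB = "".join(_ALPHABET[(i * 61) % 62] for i in range(2100))
PACKED_LOADER = '<script>var p="' + PACKED_BLOB + '";eval(unpack(p));</script>'

if __name__ == "__main__":
    for name, page in (("ad tag", BENIGN_AD_TAG), ("exploit", EXPLOIT_PAGE),
                       ("packed loader", PACKED_LOADER)):
        v = triage(page)
        print(f"{name:14} score={v.score} vm={v.send_to_vm} {v.reasons}")
```

The point of the weights is the one the article makes: a single `document.write(` in an ad tag must not trigger a VM replay, while several weak signals stacked on top of each other (the packed loader) should, and an escape-encoded shellcode string is reason enough on its own. Phase 1 is deliberately cheap; the expensive confirmation happens in phase 2, so the false-positive cost of this filter is wasted VM time rather than a blocked user.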

Detecting an attack is one thing and stopping it is another. FireEye's appliances also incorporate a multiprotocol malware-callback filter to block outbound callbacks, which Maiffret said stops data exfiltration attacks that signature and list-based defenses miss.

"In the case of something like Aurora, we had three customers who were targeted as part of Aurora," Maiffret said. "When the very first customer was attacked with Aurora, the virtual machine analysis was able to learn where the callback information was trying to communicate, and that information was sent back to the cloud."

"As we're learning about these new callbacks and how malware is communicating, those things are blocked," Maiffret said, noting that the technology can also prevent callbacks from infection vectors other than the Web. "If someone brings in infected removable USB media, for instance, we'll still be able to pick up the fact that it's compromised and stop it from spreading."
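To make concrete how callback indicators learned in the VM can block a beacon from any host, whatever the infection vector, here is an added example that is not FireEye's code: a small outbound filter that turns the network activity recorded in a (constructed) sandbox report into domain and IP indicators and checks outbound DNS, HTTP and raw TCP events against them. Domains, addresses, the report format and the event records are all assumptions made for the example; the addresses are from the documentation ranges.

```python
"""Outbound callback filter fed by VM-analysis observations.

Added example, not FireEye code. Indicators learned from a constructed sandbox
report are matched against outbound DNS, HTTP and raw-TCP events from any
host, so a machine infected off the network (e.g. via USB) is still caught
when it calls home.
"""
from dataclasses import dataclass, field


@dataclass
class Indicators:
    domains: set = field(default_factory=set)  # a hit covers the host and its subdomains
    ips: set = field(default_factory=set)      # exact destination-address match


# Constructed: domains a clean sandbox VM contacts anyway; never learn these.
SANDBOX_NOISE = {"time.example-os-vendor.com", "ctldl.example-os-vendor.com"}


def normalize_host(host: str) -> str:
    return host.strip().rstrip(".").lower()


def learn_from_report(report: dict, ind: Indicators) -> None:
    """Turn what a detonated sample did on the wire into block rules."""
    for obs in report["network"]:
        if obs["type"] == "dns":
            q = normalize_host(obs["qname"])
            if q not in SANDBOX_NOISE:
                ind.domains.add(q)
        elif obs["type"] == "http":
            ind.domains.add(normalize_host(obs["host"]))
            ind.ips.add(obs["dst_ip"])
        elif obs["type"] == "tcp":
            ind.ips.add(obs["dst_ip"])


def domain_hit(host: str, domains: set) -> bool:
    """True if host or any parent domain is a known callback domain."""
    labels = normalize_host(host).split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def check(event: dict, ind: Indicators):
    """Return (blocked, reason) for one outbound event of any supported protocol."""
    t = event["type"]
    if t == "dns":
        if domain_hit(event["qname"], ind.domains):
            return True, f"DNS query for callback domain {event['qname']}"
        return False, ""
    if t == "http" and domain_hit(event["host"], ind.domains):
        return True, f"HTTP request to callback host {event['host']}"
    if t in ("http", "tcp") and event.get("dst_ip") in ind.ips:
        return True, f"connection to callback address {event['dst_ip']}"
    return False, ""


def run_filter(report: dict, events: list) -> list:
    ind = Indicators()
    learn_from_report(report, ind)
    return [check(e, ind)[0] for e in events]


# --- constructed sandbox report: what the first victim's sample did in the VM --
SANDBOX_REPORT = {
    "sample": "constructed report, not a real detonation",
    "network": [
        {"type": "dns", "qname": "cdn-sync.example.net"},
        {"type": "http", "host": "cdn-sync.example.net", "dst_ip": "203.0.113.7", "path": "/gate.php"},
        {"type": "tcp", "dst_ip": "203.0.113.7", "dst_port": 443},
        {"type": "dns", "qname": "time.example-os-vendor.com"},  # benign VM noise
    ],
}

# --- constructed outbound events seen later on the production network ---------
OUTBOUND_EVENTS = [
    # DGA-style subdomain of the learned domain, from a second Web-infected host
    {"type": "dns", "src": "10.0.1.15", "qname": "a1b2c3.cdn-sync.example.net."},
    {"type": "http", "src": "10.0.2.40", "host": "CDN-SYNC.example.net", "dst_ip": "198.51.100.44", "path": "/gate.php"},
    {"type": "http", "src": "10.0.2.40", "host": "www.example.org", "dst_ip": "198.51.100.10", "path": "/index.html"},
    # host infected from USB media: no Web session, just a raw beacon to the learned IP
    {"type": "tcp", "src": "10.0.5.22", "dst_ip": "203.0.113.7", "dst_port": 443},
]

if __name__ == "__main__":
    ind = Indicators()
    learn_from_report(SANDBOX_REPORT, ind)
    for ev in OUTBOUND_EVENTS:
        blocked, why = check(ev, ind)
        print(f"{ev['src']:10} {ev['type']:4} {'BLOCK' if blocked else 'allow':5} {why}")
```

Two details matter in practice. Matching on parent domains catches the per-victim subdomains that beaconing malware generates, and matching on the destination address as well as the host name catches the USB-infected machine that never went through phase 1. The noise list is the caveat: a sandbox VM also talks to time servers and update hosts, and learning those as callbacks would block the whole network, so a filter that learns from detonation needs an explicit list of what it must not learn.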

The FireEye appliance sits behind the firewall and other perimeter security technology, in front of the desktop segment. IT teams can deploy it on the network without any tuning.

"Because of the way the virtual machine analysis works, there are no rules and fine-tuning to worry about," Maiffret said. "You don't have to learn things over time. It's very much a plug-and-play sort of device."

The appliance comes in several versions, starting at $24,950. The FireEye 2000 series supports egress bandwidths of up to 50 Mbps, while the FireEye 7000 series supports egress bandwidths of up to 1 Gbps.

Thor Olavsrud is a former senior editor of InternetNews.com and has covered operating systems, standards, and security, among other things.