Organizations understand the value of keeping an in-house malware research team “plugged in” and ready to analyze files at any time, which underscores the value of the breach detection system (BDS). Breach detection systems initially relied heavily on sandboxes (virtualized or emulated operating systems) for analysis. These systems primarily functioned as an antivirus safety net (i.e., they alerted on what signature-based technologies missed) in an effort to answer the rise in zero-day targeted attacks. Enterprises found enormous value in this capability, and the product category has not diminished in appeal (although many vendors have since expanded their products’ capabilities considerably).
File-based threats can come from any source, and they can exist in multiple formats, including MS Office documents, binaries, libraries, Adobe PDF, Oracle Java, Adobe Flash, and URLs. Automated analysis of suspicious objects is helpful for organizations of most sizes, but particularly for larger enterprises that likely have myriad objects to inspect, where any automation that can reduce “noise” is welcomed. These larger organizations also require that these systems integrate with existing security technologies (network, gateway, endpoint, etc.) to provide file analysis for the network as a whole, including ingress and egress points, and that they offer the capability to manually submit files via API. The question is not whether automated file analysis is useful, but where it should be deployed and who in the organization should own it.
However, file analysis is not without impact on system resources. To address enterprise objections of latency, vendors are inserting preprocessing layers, including threat intelligence (proprietary and third party), filtering based on file type, and signatures. Also, more and more local systems are now complemented by (or even replaced by) cloud systems because of their elastic capacity and the additional functionality that is enabled.
Is a BDS cost effective? That depends on how you look at it, but initial purchase costs are often quite steep. Is a BDS useful? Without a doubt: in an adaptive and resilient security environment, it can play a critical role.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released. NSS Labs will soon release its Breach Detection Systems Product Selection Guide, which will provide market and vendor information on this constantly changing market.