January 23, 2012, 3:40 PM — Sourcefire today announced anti-malware software for Windows-based devices that combines signature- and behavior-based detection methods to identify malicious code trying to invade the enterprise network, tracking it down through cloud-based analysis.
The lightweight Windows-based software, called FireAMP, can identify malware and block it, says Alfred Huger, vice president of development at Sourcefire's cloud technology group. Once a specific threat is identified, which involves analyzing it on the fly through the FireAMP cloud-based infrastructure, another step can be taken to immediately figure out if that same malware has struck other enterprise computers.
SECURITY ROUNDUP: Anonymous attacks DOJ, RIAA sites; Israeli-Palestinian cyberconflict escalates
Huger acknowledges that the 7MB FireAMP agent software will detect and block a wide range of malware through both signature and behavior-based methods, but it won't recognize every threat when it first hits the enterprise network. FireAMP represents the development of the anti-malware software Sourcefire acquired in its acquisition of startup Immunet a year ago.
The basic idea behind FireAMP is that it can make the job of tracking down any infected computers fairly simple because FireAMP works by "capturing all endpoint data and putting it in the cloud," explains Huger. "We keep an image of all file behavior in your computers in the cloud. We know when a file gets put there." Therefore, FireAMP would be able to tell when malware, in the form of a malicious file, made its way into someone's computer, and there would be a way to trace an originating point.
FireAmp's continuous tracking of file activity means that if there's an infection outbreak, once the malware specimen is identified, it's going to be possible to give security managers immediate feedback on when and how that infection spread to specific enterprise computers. "Our goal is which systems need remediation or which need to re-image," says Huger. "When there is a system compromised, this is an efficient way to address it."
"The average number of infections is 10," says Huger about how virus outbreaks typically occur, noting that staff in information-technology departments find one of their biggest struggles is tracking down infected computers that fly in under the radar of traditional antivirus software.
Huger also notes that FireAMP is "not competing with antivirus vendors," but is trying to be complementary to antivirus software. FireAMP's approach is said to be closer to that of FireEye, which blocks based on behavior, but here too, Huger compared the two approaches as somewhat complementary.
Sourcefire's FireAMP software at present is only available for Windows, but the security firm is considering something similar for Android later this year. In addition, FireAMP today works with its own management console, but in the future Sourcefire anticipates further integration into some of its other products, such as Defense Center. FireAMP, which costs about $30 seat annually, is available now.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.
Read more about wide area network in Network World's Wide Area Network section.
