Cybersecurity analysts at energy companies are facing Big Malware – often more than 100,000 unknown and potentially malicious files crossing their network perimeters daily. Only a small subset of these poses significant danger, but which ones? An increasing number of companies are concluding that an automated malware analysis solution is the answer, but how do you get started?
Some of the country’s largest utility, energy and pipeline organizations are using automated malware analyzers for near-real-time analytics. These solutions let security-conscious organizations detonate suspicious files in isolated, virtualized sandboxes to find potential problems before they become actual ones, and to scope and remediate the damage caused by real breaches. Some of these organizations are building their own solutions; others are buying.
How do you make that choice? This is the classic question. It applies equally to the physical and virtual worlds and involves multifactor trade-offs made with imperfect information, plus highly subjective value judgments about how much weight each decision factor deserves.
As an IT professional who is responsible for thoroughly analyzing malware and understanding its many harmful effects upon an organization’s networks, systems and data, you are tuned to the challenges of finding solutions that meet the needs of the changing landscape. Whether you ultimately decide to build your own custom malware analysis testbed or buy a commercial solution, you must understand the full impact of your decision, including possible unintended consequences or ripple effects.
Most of all, you must be prepared to live with the consequences of your decision and be ready to defend it against critics for a substantial period of time. After all, your credibility is on the line.
Tool Or Finished Product?
“What am I going to use the solution for?”
Before you build or buy something, you must ask yourself what you plan to do with it and how you plan to use it. Understand your needs and your goals.
Do you have enough time and the right skills to build a custom solution comparable to the products already on the market? Even if you could build a suitable solution yourself, what are the opportunity costs of spending those resources on a custom malware analysis testbed? Finally, be sure to ask, “What can go wrong?”
Know What You Are Doing
Your approach to analyzing malware is perhaps the single most important factor to understand before making your build vs. buy decision. The approach you take drives your use of any given solution, which in turn, determines your needs.
Consider which statement best fits your approach to analyzing malware within your organization:
a. I frequently spend a lot of time analyzing a small number of malware samples in great detail, many of which are already known.
b. I need to quickly scan large numbers of unknown, potentially malicious samples to focus my defenses on the most urgent threats.
c. My job involves a mix of a and b.
Build Vs. Buy
How would you characterize the nature of the malware threat to your organization?
Is invasive malware an occasional problem, a frequent nuisance or a daily distraction? Is it regularly disrupting critical systems and processes? Do system downtime and lost data pose existential threats to your organization?
Are malware attacks isolated or widespread? Are the threats general in nature or specifically targeted against your organization? What is the average daily volume of unknown, potentially malicious samples you receive across all of your networks?
How would you characterize the nature of your IT security and compliance requirements?
Are your requirements unique? What makes them unique? Are they common to others in your industry?
What happened the last time you were audited? What kind of improvements would you like to see the next time you go through the audit process?
Which compliance requirements govern how you must remediate discovered threats? What do you do in between audits? If you are not audited, how do you ensure the safety and integrity of your systems?
Timeframe To Productive Use
How quickly do you need to be tackling the malware problem head-on, generating actionable intelligence to improve defenses and respond to threats with maximum impact?
Do you have the time to develop software tailored to your exact specifications? Can you respond quickly if your requirements change?
What will you do while the custom solution is developing? Do your executives understand and accept that results may not come right away?
Develop The Right Solutions
Do you have the skilled resources and knowledge base capable of matching existing product offerings?
Can you acquire sufficient knowledge of malware analysis, indicators of compromise and actionable intelligence on your own and maintain it at that same high level throughout the life of the project?
Can you build a solution to fit your use cases? Can you integrate it into any workflow? What happens if your needs change over time?
What should happen to your malware analysis capabilities if your primary application developers decide to leave their jobs?
Are you creating a one-of-a-kind solution with a single point of failure? Could somebody new easily come in and pick up the pieces right away?
Licenses, Warranties, Liabilities
Are you prepared to manage all licensing requirements and restrictions yourself?
The GNU General Public License (GPL) is one of the most widely used open-source software licenses. It grants recipients the freedoms of the Free Software Definition: to use, study, share, copy and modify the software. Its copyleft clause requires that derived works, when distributed, be made available under the same license terms; purely internal use does not trigger that obligation, but it matters the moment you ship or share a tool built on GPL components. The GPL also disclaims all warranty: the software is provided “as is”, without even the implied warranties of merchantability or fitness for a particular purpose, so there is no vendor to hold accountable when a component fails.
Integration With Larger Frameworks
Can you effectively integrate a home-grown solution into other applications and processes?
How will you accomplish integration with other security tools? Is there an open and published API (Application Programming Interface)? Are there well-documented examples you can use or modify? How will you implement your workflows? Can you get help when you need it?
Can you devote long-term resources to support and improve your custom-built solution to keep pace with ever-changing threats over time?
Developers often prefer to work on new code or new solutions and may be less enthusiastic to perform “maintenance” or “support” tasks. Home-grown solutions often lose momentum after the initial deployment, especially if they fail to keep pace with COTS (commercial off-the-shelf) products. Are you prepared to manage the complete product life cycle, including obsolescence planning and eventual replacement?
How will you ensure continuous uptime availability and ongoing technical support for a home-grown solution?
Are your malware analysts’ capabilities truly mission critical or merely incidental to your organization? What happens if you are breached? What would be the effect of a week of downtime on your ability to analyze and defend against malware threats? Who will you call in an emergency? Does anyone have a vested interest in your success or are you completely on your own?
What is your organization’s position concerning the use of open-source tools?
How commonly are they found within your company today? Do they have official organizational support? Are you familiar with the limitations of the open-source model? Are you aware that young projects often cater to ‘power users’, while other users have little or no voice in the project’s direction? Also, in the quest to be “free,” the tools and components chosen may be sub-optimal and lack accountability. Linux is everywhere, yet most companies choose a vendor-supported distribution.
Not Always ‘Either-Or’
A proper malware analysis workbench typically involves a wide range of tools and employs a broad array of techniques in the never-ending fight to keep your organization safe from relentless adversaries. Combining off-the-shelf and home-grown tools can sometimes be the best solution.
Michael Rosen has a master’s degree in information systems and more than 20 years of experience delivering secure, high-reliability hardware, software and service-based solutions to organizations and government. His background includes data security, public safety 9-1-1 telecommunications, wireless communications, biometrics and telemetry data systems. Rosen is a product manager for Norman Shark, an industry-leader in automated malware analysis and forensics.