In this post, the fourth in my series on the "New Laws of Anti-Malware Technology," I'd like to talk about the concept of a "threat landscape." (See here, here, and here for the previous posts.)
Many anti-malware vendors and security researchers talk about the "threat landscape" as if it were a single, uniform, monolithic object. I've even made this mistake in the past. While it's convenient to talk about a single threat landscape when describing sweeping global trends, the reality is that this nomenclature fails to capture the fact that, from the vantage point of each organization and each individual, the threat space looks very different.
Each organization in particular has to worry about the kinds of attacks that are germane to its own infrastructure. The factors that contribute to a particular organization's exposure include its size, the value of its information assets, how high-profile the organization is, and the vulnerability of the systems in the organization (as well as the vulnerability of the individuals who operate those systems). A small business that offers a commoditized service has different information security concerns than a multinational corporation that designs sensitive technologies for government customers.
Ultimately, however, the members of a particular organization, especially those on the front lines of malware defense, have a unique and powerful vantage point from which to evaluate the organization's overall security posture and the threats against it. Despite that, information security personnel at these companies have not been given the autonomy to apply their domain expertise to the threats against their own infrastructure. Instead, any attempt to influence and improve malware protection has historically required working directly with an anti-malware vendor, which adds an extra step to a process that is highly time-sensitive.
To help address this significant shortcoming, one nice feature that Sourcefire's consumer Immunet anti-malware product offers is the ability to create custom signatures. In many ways, what we have done is analogous to what happened in the Intrusion Prevention System (IPS) space, where an open source rules language was created to allow individuals to write their own IPS rules. Our anti-malware rules language is fairly simple: anyone who can create a Snort rule, for example, is capable of creating an anti-malware signature.
This functionality frees customers from being completely reliant on an anti-malware vendor. Customers now have an opportunity to participate directly in their own security, and to bring their own domain expertise to bear.
With this type of capability, which is really part and parcel of our data-driven approach, customers regain control over their information assets. While our team has considerable experience in dealing with malware defense as a whole, our customers may have extensive expertise in addressing the information security needs of their own respective environments. It's high time the industry provided customers with the tools to take maximum advantage of that expertise.