Correlate Next Generation Signature-less Malware Detection

Overview


Correlate is a signature-less end-point and network malware detection tool that can alert you to malicious activity in near real-time. By combining lightweight agents on the end-points with strategically placed network appliances, Correlate provides the critical information needed to quickly and easily understand what is happening on your network.

Correlate provides a new way of thinking about malware detection. Instead of only looking for "known bads", as current anti-virus solutions do, Correlate was built to examine a system and network similar to how a human analyst would, and to determine maliciousness from that examination. This is based on simple principles developed from years of Windows programming along with malware analysis and incident response experience.

If you don't already know that traditional anti-virus cannot keep up with the constant stream of threats, consider the following summary from a report by Lastline Labs.

Over the course of one year, the researchers studied hundreds of thousands of malware samples and tested them against 47 vendors’ AV signatures featured in VirusTotal to determine which caught the malware samples and how quickly. On any given day, significant volumes of malware went undetected by the majority of AV vendors. Additionally, it was found that:

  • On Day 0, only 51% of AV scanners detected new malware samples
  • It took an average of two days for at least one AV scanner to detect malware that went undetected on the first day
  • Detection rates bumped up to 61% after two weeks, indicating a common lag for AV signatures
  • In one year, no single AV scanner caught every new malware sample in even one of the test days
  • After a year, 10% of the scanners still do not detect some malware
  • The 1-percentile of malware least likely to be detected was undetected by the majority of AV scanners for months, and in some cases was never detected

How It Works


Correlate is made up of both software and hardware components on the end-points and the network. On the end-point, this consists of installable software in the form of Windows services and kernel drivers. The network components can be varied based on network configuration and the level of protection required. For example, in order to perform stealth packet detection a network tap or Correlate appliance is required. However, if network analytics are not necessary then it is a simple client/server setup. The server can be hosted locally by your organization or can be a cloud-based server with analysis and support provided by Heilig Defense. If Correlate is hosted locally, the server software is designed to run on standard hardware, which helps to keep costs down. Correlate is also able to scale the network analytics to any size of network because Correlate performs this work at the subnet level, so expanding your network protection is as simple as adding additional Correlate network appliances.

The image at the right shows a high-level overview of the main Correlate components. But again, given the flexibility of Correlate this is not the only supportable configuration. No two deployments of Correlate are the same so please contact us to get more details on how it can work for you.

Protection


Correlate can protect networks and end-points from a whole host of attacks. From simple DLL injection to advanced privilege escalation, Correlate is able to identify when events of interest occur and then determine whether the context surrounding that event supports a malicious determination. The following list contains some of the fundamental malware "keys to success" that we generally find across malware, all of which Correlate can easily identify. And because Correlate is not signature based, the specific piece of malware itself is irrelevant to this determination.

  • Process memory manipulations
  • Stealth packets
  • Root-kit obfuscation
  • Privilege escalations
  • Windows architectural vulnerabilities

Dashboards


The web-based interface is your one-stop shop for information regarding your Correlate deployment. The dashboard provides details on the clients and systems under Correlate's watch and on any alerts that have been generated, and allows for a deep drill-down into individual systems and processes to truly understand what is happening on a system and network. Additionally, the dashboard provides options and configuration settings to modify the way Correlate works and also provides status information on various Correlate components.

The dashboard runs on the server, and the server can be hosted locally or in the cloud. It provides granular access controls to limit what activities a specific user can perform. From the dashboard, an admin can observe process activity on a specific end-point in near real-time and, if necessary, issue a number of commands against that system or a specific process.

Alerts


Defining alerts with Correlate is as simple as drag and drop. No need to learn some new scripting language or navigate a confusing user interface. Correlate makes it easy to design, configure and understand exactly what your alerts will do.

The alert engine has pre-built actions that span the range from displaying messages to shutting down a system. And if the pre-built actions do not suit your needs, Correlate has the ability to run external applications with custom parameters or to post detection data to another security appliance such as a SIEM.

As Correlate processes system data, it will eventually assign a value to a piece of software or event. This value, which ranges from 0 to 100, corresponds to a pre-defined classification level that can be used as the starting point for any alert. These three levels are Unusual (50-70), Suspicious (70-90) and Malicious (90+). In the example on the right, we can see that if something receives a malware classification of 'Malicious' on any system or on the network, then the following actions will occur.

Features

Correlate is a fully featured and highly customizable end-point and network security suite that goes beyond just detection. From the content-rich web reports to the ability to remotely remediate system changes, Correlate provides capabilities above current solutions. But don't just take Heilig Defense's word for it. Dell SecureWorks has made a few recommendations on what an end-point security solution should be able to do. They include:

  • Assess the host for known and unknown threats
  • Monitor for threats attempting to maintain persistence
  • Monitor process creations and associated files
  • Examine thread injection events looking for adversaries moving between processes
  • Examine network connection data at the host level to identify suspicious communications being sent to and from the host

Correlate can do all of these things and more. For starters, Correlate has the ability to track the lifecycle of an attack no matter the level of obfuscation or stealth employed. So from initial infection to persistence to network activity, Correlate can see it all, understand what was affected and, most importantly, communicate those results to the user.

A solution should also be customizable in how it responds to detected threats, from simple message alerts to near-full remediation of malware activity. Simple web-based management and interoperability with other solutions are also things that Heilig Defense believes security solutions should be able to do. So while Dell's recommendations are a good start, any solution that just implements the bare minimum is coming up short.

Why Correlate?


Correlate is a powerful tool in the fight against malware; however, Heilig Defense realizes there are other solutions that are also marketed as the next generation of anti-malware tools. It's important to understand why so many of the competitors are the wrong solution. It comes down to two main factors: capability and reliability.

Starting with capability, it's necessary to understand how the solution collects the data it needs. Is it "agent-less" or does it deploy agents to the end-point? Solutions that offer "agent-less" scanning are at a distinct disadvantage compared to deployable agents. First, the data retrieved is only a snapshot in time, whereas Correlate collects historical data that can be used for fast and effective remediation. Second, once the device is off the network (for example, if the user works away from the office) the system is no longer protected. Correlate's agents provide protection whether connected to the network or not. And if the solution is just a network appliance but promises advanced end-point protection, run away!

But not all agent-based solutions are created equal either. Solutions that provide only user-mode agents will never be a real match for advanced malware. With strictly user-mode components, there is no way to be confident that the agent can see all of the activity that a piece of malware could perform. Correlate works inside the kernel, which means no amount of stealth can hide from it.

As for reliability, it's important for the solution not to impact the system in a detrimental way. While malware doesn't play by the rules, there is no reason that security software should rely on "hacks" or other unsupported methods, because those can be just as harmful as malware itself. Solutions that operate outside of the operating system by using advanced techniques can seriously impact system stability and reliability, not to mention that many, if not all, of those techniques are not supported by Microsoft. The only legitimate method to gain the insight required while still working harmoniously with Windows is to use fully supported and documented kernel-level callbacks, which is exactly what Correlate does. Anything else is too weak or too dangerous.

White Papers

  • Trial By Fire: Real-world examples of Correlate detecting and mitigating malware threats.
  • Detecting the Undetectable: Hunting malware with Correlate.

Videos

vs. Malicious Office Document

Active Hunt


Network and endpoint security is no longer a passive sport. Sometimes it requires actively looking for something even if you are not sure exactly what you are looking for. That is what malware hunting is.

With Correlate, malware hunting is now easy. Gone are the days when you had to physically go to a machine and install a hodgepodge of tools to collect reams of data and then manually sift through it. Correlate provides the tools necessary to perform effective hunting on an enterprise scale. Start with the suggestions that Correlate provides or perform your own searching, filtering and reporting. And if you suspect that you have found something of interest, execute custom-built actions against the host or 'Go Real Time' in order to get a direct view of the system. All from the single web-based report console.

Malware is not going to have any place to hide when the deep visibility and advanced analytics of Correlate are combined with the power of the human mind.