Intersect: Combining Commercial/FOSS Tools With Custom Code To Root Out Malware presented at ShmooCon 2011

by Matthew Pawloski, Fotios Lindiakos

Tags: Security Malware


Summary: All enterprise networks implement malware detection capabilities, yet attackers are still breaking in, maintaining their foothold, and exfiltrating data. Today’s most successful and popular attacks involve email with malicious attachments or links to malicious files. While there are many commercial solutions that try to prevent these attacks, no product alone can protect an entire organization. The security community needs an architecture that enables multiple commercial tools, as well as home-grown solutions, to be integrated into a “single pane of glass”. Results and threats should be centralized for correlation and ready searching. Home-grown solutions are often developed quickly and are not built to be “enterprise ready” or “robust”. This architecture must enable custom file inspection that is designed to account for failure of these home-grown tools, as well as make their creation and adoption as painless and efficient as possible.

We will demonstrate that a customized file inspection architecture based on these principles can find malicious files moving within an organization. Our implementation of this architecture, INTERSECT, will also do so with higher success levels than traditional commercial/FOSS solutions alone.
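To make the architecture described above concrete, here is an added Python sketch (written for this page, not INTERSECT's own code) of a file-inspection pipeline that runs several inspectors, isolates a broken home-grown tool so it cannot abort the run, and writes every verdict into a central, searchable record; the inspector functions, sample inputs and record fields are all hypothetical.

```python
import hashlib

# Constructed sample inputs (not real malware): a PDF-like blob carrying an
# auto-run JavaScript action, a harmless text file, and an empty file.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4 /OpenAction << /S /JavaScript /JS (app.alert(1)) >>",
    "report.txt": b"quarterly numbers look fine",
    "empty.bin": b"",
}

def inspector_pdf_js(data):
    """Hypothetical home-grown check: PDF with an auto-run JavaScript action."""
    if data.startswith(b"%PDF") and b"/OpenAction" in data and b"/JS" in data:
        return "suspicious"
    return "clean"

def inspector_brittle(data):
    """Hypothetical home-grown tool that was never made robust: it fails on empty input."""
    if not data:
        raise ValueError("empty input")
    return "clean"

INSPECTORS = {"pdf-js": inspector_pdf_js, "brittle": inspector_brittle}

def inspect_file(name, data, inspectors=INSPECTORS):
    """Run every inspector, isolating failures so one broken tool never aborts
    the run; the record keeps each tool's verdict or its error."""
    record = {"file": name, "sha256": hashlib.sha256(data).hexdigest(),
              "results": {}}
    for tool, fn in inspectors.items():
        try:
            record["results"][tool] = {"verdict": fn(data)}
        except Exception as exc:  # failure of one tool is recorded, not fatal
            record["results"][tool] = {"verdict": "error", "detail": repr(exc)}
    verdicts = {r["verdict"] for r in record["results"].values()}
    if "suspicious" in verdicts:
        record["verdict"] = "suspicious"
    elif verdicts == {"clean"}:
        record["verdict"] = "clean"
    else:
        record["verdict"] = "incomplete"  # a tool failed; flag for rerun or review
    return record

def inspect_all(samples=SAMPLES):
    """Central store: one record per file, searchable by hash or verdict."""
    return [inspect_file(n, d) for n, d in samples.items()]

def find(records, **criteria):
    """Search the central store, e.g. find(records, verdict="incomplete")."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]

if __name__ == "__main__":
    for r in inspect_all():
        print(r["file"], r["verdict"], r["results"])
```

The "incomplete" verdict is the point of the design: a crashed home-grown tool leaves a visible gap in the central record instead of silently passing the file as clean.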

Fotios and Matt are employees of the MITRE Corporation in McLean, Virginia. They both graduated from the Rochester Institute of Technology and are members of Computer Science House.

Matthew Pawloski: Matt has a BS in Information Technology (2005) and received his MS in Information Assurance (2010) from Capitol College. He previously worked at Symantec and Knowledge Consulting Group.

Fotios Lindiakos: Fotios has a BS in Computer Science (2007) and is currently pursuing an MS in Information Security and Assurance at GMU.