Ixia bills itself as "a leading provider of network testing, visibility, and security solutions". It has made a bold claim, one it has even gone to the trouble of trademarking!
The technology behind this claim is called "ThreatARMOR" and is "a key component of Ixia’s Security Fabric".
ThreatARMOR claims it "blocks mutated versions of malware that use sophisticated obfuscation techniques to evade detection by signature-based security engines", with the rest of the Ixia Security Fabric solution claiming to provide "robust resilience, context-aware intelligent data handling, and security intelligence, ensuring the right data gets to the right tools every time even when encrypted, and enhancing the performance of existing security tools".
We are told that, in 2015, hackers "launched more than 1 million pieces of malware every day", with Ixia pointing to a CNN Money article for the statistic.
The company notes that researchers in security companies "scramble to bring new products to market to counter these ever-evolving — or, mutated — threats", which is obviously something that security companies have to do if they want to stay in business.
Ixia then makes another obvious but necessary observation and states that "these defences, while powerful, have to process exponential increases in threats every year", and goes on to claim its solution "helps relieve those burdens by blocking zero-day mutations at their source".
How is this accomplished?
The company states its "Ixia Security Fabric is powered by feeds from the Ixia Application and Threat Intelligence Research Centre", and can "completely filter out unknown and zero-day attack mutations by blocking them based on their IP launch source rather than analysing those millions of attacks one at a time".
By reducing bad traffic and their associated alerts, says Ixia, "the Security Fabric makes existing security tools and teams more effective".
Ixia continues its explanation of how its technology works by getting to "zero-day mutations", and gives a recent example of the Locky ransomware, "in which malware changed to escape detection by signature-based antivirus and intrusion detection systems".
The company states that "zero-day mutations often target users through emails containing a document with macros. When the user opens it, the macro connects to the attacker’s remote server to download the ransomware which enabled Locky infections to hit 100,000 per day this year".
This is where the company says its "Threat Intelligence" is applied, a "comprehensive approach to strengthening applications with security solutions that are kept up to date with a feed from the company’s Application Threat Intelligence (ATI) Research Centre, which is continuously updated. The ATI Research Centre performs both manual and automated analysis of malware and techniques used by hackers to compromise networks, 24x7, 365 days a year".
Again, it’s something you’d expect to hear from a security company, for they wouldn’t be in business long without such capabilities!
However, Ixia clearly believes its technology is better, with its senior director of application and threat intelligence, Steve McGregory, stating: “Ixia’s ATI Research Centre captures and analyses thousands of new malware samples, including mutations, daily.
“We pay particular attention to their networking activity – what domains they search for, what sites they connect to for downloading new instructions or executables, and where they send exfiltrated data. We cross-reference all of those, and plug them into our machine learning and big data analytics engine to help ensure that our customers’ networks are protected.”
So, what "ThreatARMOR" is said to do is to "leverage the Ixia ATI feed to protect customers from malicious sites and reduces security alerts by using the attack’s IP address to block it".
"This means that even if a user accidentally opens a malicious document, the ransomware download attempt is blocked, nullifying the attack before other protections are even aware of the new threat."
Ixia says ThreatARMOR delivers zero-day malware immunity "because it is not a signature-based solution".
We are told that it also "blocks attacks based on an expansive 'Rap Sheet' cloud database which contains up-to-date information about the proliferation of malicious IPs currently in use. Only sites with extensive proof of malicious activity are blocked, and clear on-screen evidence is provided by ThreatARMOR’s Rap Sheet".
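The mechanism described in the passages above (block on the source IP address rather than on malware content, using a reputation database, and only where there is enough evidence) can be illustrated with a small filter. The following is an added example written for this article, not Ixia's code and not the ATI feed format; the feed entries, the evidence threshold, the "rap sheet" fields and the connection log lines are all constructed, using documentation IP ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed reputation feed (hypothetical, not Ixia's format): a network or
# single host, and the number of independent observations of malicious activity.
FEED = [
    ("198.51.100.0/24", 12),   # a range seen serving malware downloads many times
    ("203.0.113.7/32", 1),     # a single, unconfirmed sighting
    ("192.0.2.44/32", 5),      # a host repeatedly observed as a C2 endpoint
]

# Block only when the evidence is "extensive"; threshold chosen for the example.
MIN_EVIDENCE = 3


@dataclass
class RapSheet:
    """Decision record shown to the operator: why an address was blocked or allowed."""
    ip: str
    network: Optional[str]   # matching feed entry, None if the address is unlisted
    evidence: int            # observation count backing the decision
    decision: str            # "block" or "allow"


def load_feed(entries: List[Tuple[str, int]]):
    """Parse CIDR strings into network objects so membership tests are exact."""
    return [(ipaddress.ip_network(cidr, strict=False), count) for cidr, count in entries]


def evaluate(ip_str: str, feed, min_evidence: int = MIN_EVIDENCE) -> RapSheet:
    """Look up one destination address against the feed and return a rap sheet."""
    ip = ipaddress.ip_address(ip_str)
    matches = [(net, count) for net, count in feed if ip in net]
    if not matches:
        # Unlisted addresses pass: a reputation filter only covers known infrastructure.
        return RapSheet(ip_str, None, 0, "allow")
    # Prefer the most specific entry when a host and a covering range both match.
    net, count = max(matches, key=lambda m: m[0].prefixlen)
    decision = "block" if count >= min_evidence else "allow"
    return RapSheet(ip_str, str(net), count, decision)


# Constructed outbound-connection log (IPv4 host:port), e.g. a macro reaching out
# to fetch a second-stage payload. Timestamps and internal addresses are made up.
LOG = """2016-03-10T09:12:01Z client=10.0.0.15 dst=198.51.100.23:443 proto=tcp
2016-03-10T09:12:04Z client=10.0.0.15 dst=203.0.113.7:80 proto=tcp
2016-03-10T09:12:09Z client=10.0.0.22 dst=192.0.2.44:443 proto=tcp
2016-03-10T09:13:00Z client=10.0.0.22 dst=192.0.2.9:443 proto=tcp"""


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Extract (client, destination IP) pairs from the constructed log format."""
    pairs = []
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        dst_ip = fields["dst"].rsplit(":", 1)[0]   # drop the port
        pairs.append((fields["client"], dst_ip))
    return pairs


def run_filter(text: str, feed) -> List[RapSheet]:
    """Apply the reputation check to every outbound connection in the log."""
    return [evaluate(dst, feed) for _, dst in parse_log(text)]


if __name__ == "__main__":
    for sheet in run_filter(LOG, load_feed(FEED)):
        print(f"{sheet.decision:5} {sheet.ip:16} entry={sheet.network} evidence={sheet.evidence}")
```

Two points the output makes visible: the single-sighting host is allowed even though it is listed, which is the evidence threshold doing its job, and the fourth connection to an address absent from the feed is allowed with no evidence at all, which is the coverage limit of any source-reputation approach and the reason it is positioned as one layer ahead of content-based tools rather than a replacement for them.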
So, there you have it. Time and Ixia's customers will tell whether the approach is foolproof, or whether hackers will find a way around it, but the great game of whack-a-mole security, ransomware edition, continues to be played, with no sign of it ending anytime soon.