Virtually all enterprise networks deploy some form of malware detection, yet attackers still break in, maintain their foothold, and exfiltrate data. Today’s most successful and popular attacks arrive by email, as malicious attachments or as links to malicious files. Many commercial solutions try to prevent these attacks, but no single product can protect an entire organization. The security community needs an architecture that integrates multiple commercial tools, as well as home-grown solutions, into a “single pane of glass”, with results and threats centralized for correlation and ready searching. Home-grown solutions are often developed quickly and are not built to be “enterprise ready” or “robust”, so this architecture must support custom file inspection that is designed to tolerate the failure of these home-grown tools, while making their creation and adoption as painless and efficient as possible.
We will demonstrate that a customized file inspection architecture built on these principles can find malicious files moving within an organization, and that our implementation of this architecture, INTERSECT, does so with higher success rates than traditional commercial/FOSS solutions alone.
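To make the architectural principles above concrete, here is an added example (written for this page, not INTERSECT's code or any other product's): a small fan-out pipeline that runs several file inspectors over one file, isolates a crashing or hanging inspector so it cannot take down the scan, and folds every verdict into one central, searchable record. The inspectors, the "AutoOpen" macro heuristic, the sample file contents, and the `needs_review` outcome are all constructed for illustration; only the EICAR test string is a real, industry-standard signature.

```python
"""Added example: fault-tolerant fan-out file inspection with centralized results.

Not INTERSECT's code. Inspector names, the macro heuristic, timeouts and the
"needs_review" verdict are assumptions made for this illustration.
"""
import hashlib
import json
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from dataclasses import dataclass, asdict


@dataclass
class Verdict:
    inspector: str
    status: str          # "malicious", "clean", "error" or "timeout"
    detail: str = ""
    elapsed_ms: float = 0.0


# --- Inspectors: each takes the raw file bytes and returns (status, detail). ---

# Real, industry-standard AV test string; any scanner is expected to flag it.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def inspect_eicar(data: bytes):
    return ("malicious", "EICAR test string") if EICAR in data else ("clean", "")


def inspect_macro_keywords(data: bytes):
    # Constructed heuristic: names of auto-executing VBA entry points in the file.
    hits = [k.decode() for k in (b"AutoOpen", b"Document_Open", b"Workbook_Open") if k in data]
    return ("malicious", "auto-exec macro: " + ",".join(hits)) if hits else ("clean", "")


def inspect_flaky(data: bytes):
    # Stands in for a home-grown tool that crashes on unexpected input.
    raise ValueError("parser choked on file")


def inspect_slow(data: bytes):
    # Stands in for a tool that hangs; the pipeline must not hang with it.
    time.sleep(1.0)
    return ("clean", "")


INSPECTORS = [inspect_eicar, inspect_macro_keywords, inspect_flaky, inspect_slow]


def inspect_file(name: str, data: bytes, inspectors=INSPECTORS, timeout: float = 0.2) -> dict:
    """Fan the file out to every inspector and fold the verdicts into one record.

    An inspector that raises is recorded as "error", one that exceeds `timeout`
    as "timeout"; neither stops the other inspectors from reporting.
    """
    start = time.monotonic()
    verdicts = []
    with ThreadPoolExecutor(max_workers=len(inspectors)) as pool:
        futures = [(fn, pool.submit(fn, data)) for fn in inspectors]
        for fn, future in futures:
            try:
                status, detail = future.result(timeout=timeout)
            except FutureTimeout:
                status, detail = "timeout", f"no result within {timeout}s"
            except Exception as exc:      # an inspector bug must not abort the scan
                status, detail = "error", f"{type(exc).__name__}: {exc}"
            verdicts.append(Verdict(fn.__name__, status, detail,
                                    round((time.monotonic() - start) * 1000, 1)))

    statuses = {v.status for v in verdicts}
    if "malicious" in statuses:
        overall = "malicious"
    elif statuses & {"error", "timeout"}:
        overall = "needs_review"          # coverage gap: an inspector did not answer
    else:
        overall = "clean"

    # One flat record per file: hash for correlation, every verdict for searching.
    return {"file": name, "sha256": hashlib.sha256(data).hexdigest(),
            "overall": overall, "verdicts": [asdict(v) for v in verdicts]}


if __name__ == "__main__":
    # Constructed sample: a file carrying both the EICAR string and a macro name.
    sample = b"%PDF-1.4 ... " + EICAR + b" ... Sub AutoOpen() ..."
    print(json.dumps(inspect_file("invoice.pdf", sample), indent=2))
```

The point of the design is the third branch of `overall`: a file that no inspector flagged but that some inspector failed to examine is not "clean", it is unexamined, and the central record says so rather than silently counting it as a pass. Per-inspector timeouts and exception capture are what let quickly written home-grown tools be plugged in without each one becoming a single point of failure for the whole scan.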