Behind the scenes at Labs

How do you make a highly sophisticated malware analytics system practical for non-specialists?



By Curt Hopkins, Managing Editor, Hewlett Packard Labs

The ArcSight team has announced the Generally Available version of the DNS Malware Analytics (DMA) product.  

Since its initial announcement last September at Protect, DMA was available to only a limited range of customers. Thanks to the work of Chip Mesec, analytics product manager for HPE Security ArcSight, along with the DMA development team and Labs, this highly technical product is now available to a less technical marketplace. This was a great example of collaboration between Labs and HPE’s business unit experts.

DMA started as an in-house experience.

“In 2012, then-HP security management was logging security events via ArcSight,” said Mesec. “They were seeing two billion events per day from security products within the company. They subsequently decided to log DNS, but measurements showed that they would be adding 20 billion more events per day.”

Finding such a security undertaking untenable financially, management turned to Labs and asked for help.

Security research manager Bill Horne figured out a way to capture data within the company’s cyberdefense center (CDC), the main security operations center for HPE. The prototype he and his team developed ran within the CDC. Others saw it and the idea for a product was born.

There were a lot of components to juggle in turning that prototype into a cloud-based tool that anyone could use, said Yolanta Beresna, research manager in Labs’ Security and Manageability lab. These included securing the pipeline (in which events are streamed from the customer to the cloud), separation constraints, and how to treat confidential data.

“How do we take a big, powerful, high-horsepower truck which can move a lot of data and do a lot of things and package it as a pickup to make it affordable and deployable for a lot of people?” asked Mesec. And how can a tool that contains a lot of abstract data science be redesigned to be user-friendly if the user is no data scientist?

In order to find the best way forward, researchers from Labs did what we do best: experimented.

The outcome was something Mesec describes as an automated tool for the detection and destruction of malware.

“Other systems require you to know malware already,” he said. “But we have presented it in a form where someone with very little IT experience can use it.” The generally available DMA, then, is a “purpose-driven” or “use case-driven” technology, not a platform-driven one.

In any development like this, the bulk of the work was just that: work. But there were a few eureka moments. Barak Raz, ArcSight applied data science manager, was trying to find a way to describe the path an operator should take to look for suspicious behavior in the network, and which of those flowcharts could be automated to find issues in the network.

“So one of our ‘eureka moments,’” he said, “was trying to figure out the set of steps a human operator, even if he doesn’t have deep security knowledge about malware, could follow to find suspicious machines.”

The first time the team was able to automate a set of steps that led to malware identification was a turning point: the automation necessary for this product to work for the general public was doable.

The collaboration between Labs and the business unit was integral to the successful development of this product, as was the fact that HPE has very large security data sets to work with.

As Mesec noted, security data is among the hardest to lay hands on, and smaller startups have to rely on data modeling without very much data. HPE and Labs are not hamstrung by that restriction. With Labs’ mission to explore possibilities and personnel to do so at the highest level, and HPE’s product competence and deep experience, the collaboration was integral to creating a smart, usable product that solves real customer needs.

Photo public domain via Pixabay
