Monday, June 13, 2011

Tracking the Online Threat Analysis Centers

While the Homeland Security Department no longer color-codes its threat levels, several security vendors offer up their own dashboards with all sorts of eye candy to try to keep track of which viruses and malware are heading towards your network across the Internet. Here is a brief rundown of the more popular services. All of them rely on agents and collection points scattered across the major Internet peering points and on other critical junctions to watch for particular traffic patterns. The idea here is to gain insight into what is happening now, before something enters your network and starts to hose your equipment or steal your data.
Trend Micro today introduced its Threat Intelligence Manager, which uses its database of trends to form the basis of several protective products that Trend offers, including OfficeScan and Deep Security. The new service leverages the Trend dashboard that can be seen here.
Trend is not the only vendor with such a service. Here are some others that I have used in the past (you are welcome to add your own favorites in the comments, too):
Some of these threat dashboard sites offer more than color-coded icons and long lists of threat descriptions. For example, McAfee's has an online reputation management system, where you can enter any particular domain and it will report back on all sorts of statistics to judge whether the domain is legit or not.
[Screenshot: McAfee TrustedSource report for Cisco.com]
The TrustedSource site shows you the trends of a particular domain (in this case, Cisco.com) and other relevant information.
All of these sites suffer from some of the same drawbacks. First, there is the needle-in-a-haystack problem: there are hundreds of new attacks each day, and most exploits aren't really going to do much damage. The few big-ticket items are often buried under the copious number of alarms for the minor ones. For those of you who don't monitor these exploits, it is worthwhile (and somewhat depressing) to take a gander at one of these sites and see how much garbage is streaming through the average router.
Second, there is no standardized virus or threat naming system, so the same threat can be called completely different things by each vendor. This makes cross-site comparisons almost impossible, at least until a virus gains enough notoriety that the press brings some kind of consistency to the name. Of course, by the time the press gets hold of something, it might be too late for you to do much about it in terms of protecting your network.
Finally, if you are trying to find a particular patch or security bulletin, you might be better off Googling it than trying to track this down on each site.