Damballa’s FailSafe is the first and only network security Detection control to tightly integrate (1) cloud-based, big data DNS analytics and malware reverse engineering, with (2) on-premise egress traffic flow analysis to detect hosts compromised by zero-day and other attacks missed by signature-based methods.

Damballa reduces the risk of data breaches orchestrated using remote control communications via the internet, also known as command-and-control (C&C). Damballa detects and cuts the malicious C&C cord to mitigate this risk.

Damballa’s on-premise appliances leverage the largest non-government cloud-based DNS traffic analytics systems and malware reverse engineering facility. Damballa appliances automatically detect and terminate the C&C communication that is required for the criminals to operate the malware agents on compromised assets. Once terminated, Damballa provides the necessary forensics to track, plan and execute timely remediation. As a Detection control, Damballa’s appliances work ‘out-of-band’ in conjunction with the Damballa cloud so that network performance is not impacted and the bad guys cannot detect or evade analysis.

In a sentence, Damballa’s Failsafe combines cloud-based, external big-data analytics with on-premise appliances which work out-of-band to (1) analyze and correlate (a) specific network traffic behavior associated with DNS servers, proxy servers, and firewalls (egress) with (b) suspicious executables to (2) identify compromised workstations and then (3) terminate the command & control traffic between the compromised workstations and the cyber predators.

The Problem – Advanced Malware, Zero-Day Targeted Attacks

Today’s targeted attacks are executed using stealthy malware and command-and-control infrastructure designed to steal corporate data and commit industrial espionage.

The sophisticated malware used in these attacks is engineered to bypass prevention layers and signature-based defenses, providing criminals a conduit to customer data, intellectual property, and trade secrets. Once stealthy malware has infected an endpoint device (PC, Mac, iPad, smartphone, etc.) it communicates with the criminal operator in the same manner a legitimate user would access the internet.

This command-and-control (C&C) communication is used to issue instructions to the malware, steal data and credentials, and update/change the malware to further evade detection or to perform a more targeted task, making these stealthy threats the top priority for security teams across all industries.

According to recent research, on average, asset compromises go unnoticed for more than 140 days before they are discovered. Rapid detection of the breach and termination of the criminal communication is critical to stopping data theft.

The Solution – Damaballa Failsafe

Damballa Failsafe is a purpose-built, specialized threat protection solution, which hunts for these hidden threats utilizing an array of patent-pending technologies. Damballa Failsafe:

  • Automatically detects and analyzes suspicious executables and PDFs entering the network to uncover zero-day and unknown malware
  • Rapidly identifies C&C behaviors and criminal traffic on your network
  • Correlates the malware and communications evidence to immediately pinpoint live infections
  • Terminates the criminal communications to stop data theft
  • Delivers full forensic evidence and playback of events in sequence to provide actionable intelligence to remediate the breach

The Damballa Failsafe sensors monitor DNS, egress and proxy traffic and utilize multi-dimensional deep packet inspection engines to correlate suspicious behaviors to rapidly identify and isolate a breach.

Utilizing the industry’s most advanced cyber threat intelligence from Damballa’s cloud-based, big data analytics systems and malware reverse engineering facility, Damballa Failsafe accurately detects unknown and zero-day threats and mitigates the risk caused by these breaches by blocking the communication from compromised endpoints to criminal C&C servers.

Damballa FirstAlert – Advanced Cyber Threat Intelligence

Damballa FirstAlert is Damballa’s cloud-based, big data analytics system that powers the Damballa Failsafe solution. FirstAlert is the result of more than five years of mining global passive DNS activity, advanced malware analysis, and patent-pending machine-learning and predictive threat classification technologies that profile the command-and-control (C&C) infrastructure of criminal networks.

Because Damballa FirstAlert is collecting and analyzing so much DNS traffic, FirstAlert can detect new C&C methods including Domain Generating Algorithms long before the actual new malware is deployed. Cyber criminals test new malware and C&C methods before they deploy just as enterprises test new software applications before they deploy them.


The proven ability and accuracy of Damballa FirstAlert is founded in award-winning scientific research that has resulted in patent-pending, machine learning systems that automate the early detection of rising threats. The two most recent inventions are named ‘Kopis’ and ‘Notos’.


Kopis is an early warning threat discovery system that monitors domain look-up behaviors across ‘autonomous’ networks, uniquely capable of operating at different levels of the internet hierarchy. The Kopis research paper first appeared in the August 2011 proceedings of the 20th USENIX Security Symposium, a top tier academic security conference.


Notos is a dynamic reputation system for DNS, which operates by utilizing the massive historical DNS data aggregated in the Damballa Labs. It automatically assigns DNS reputation scores to new, previously unseen domains. The Notos research paper appeared last year in the proceedings of the 19th USENIX Security Symposium in 2010. The Notos technology was originally developed at the Georgia Tech Information Security Center (GTISC), where research in DNS-based monitoring for botnet defenses has been supported by funding from the National Science Foundation, the Department of Homeland Security, the Office of Naval Research, the Air Force Research Labs, the Army Research Office, and Google.


Factoring Risk, Confirming Infections

Damballa Failsafe rapidly and automatically identifies assets under criminal control and profiles the relative risk of each infected asset. All evidence of criminal network activity is correlated and an Asset Risk Factor is assigned to provide threat response teams a way to prioritize response efforts by identifying which assets pose the biggest relative risk to the enterprise.

The Asset Risk Factor is based on a number of observations including the number and severity of the threats identified on the asset, connection success and frequency, the volume of data leaving the asset or entering the network, as well as the location, user or classification of the asset.

Threat Conviction Score is calculated for each identified threat, based on behaviors seen across the DNS, egress and proxy sensors. Identifiable criminal communication traits include DNS queries for suspicious domains, domain query behavior such as fast flux (NXDomains), egress and proxy connection attempts to C&C servers, connection behavior (automated versus user-driven), and suspicious binary downloads. A threat report also details what is known about that threat(s) identified on the device and the criminal operator(s) related to the threat(s).

Armed with this correlated evidence, organizations know with certainty which devices need immediate attention, enabling efficient prioritization of remediation efforts.

If you have a question or a comment, or would like more information or a demonstration, please let us know by completing the Contact Us box on the right side of this page.