Social Media Threats, The President’s Cyberspace Policy Review, and Neckties

May 29, 2009

Some thoughts, musings, and follow-ups as the short week draws to a close.

  • Within minutes of posting the blog entry about social media and noting the post on Twitter, I received my first Twitter spam.  A real estate professional direct messaged the @Triumfant ID.  Out of curiosity I checked the sender ID, and the outbound messages were all direct spam.  Given that the recent Symantec/MessageLabs Intelligence Report cites that over ninety percent of email is now spam, it seems only a matter of time before places like Twitter begin to choke.  I was amazed at how much spam we get on our blog and how fast the spammers found it.
  • That same MessageLabs report also notes that social networking sites are especially vulnerable to threats because the content is created by the users of those sites.  In other words, without rigor, there will be vulnerabilities, and that is where the bad guys will set up shop.
  • The President’s long-awaited and much-anticipated cyber security report will be announced today.  I do not expect that we will hear much earth-shattering information, as the security industry is very adept at quantifying the cyber threat.  That is, after all, one sure way to move product.  What will likely be more entertaining is the analysis of every nuance of the report, as well as the rush of every security vendor to claim that they are the lone company to provide the remedy for the problems outlined in the report.  You will of course know that all of that is a fabrication as Triumfant is clearly the solution (sorry, could not resist).
  • I have worn a tie every day this week.  Why is that important?  Well, to the head of marketing of a startup, that means that I have been on a meaningful sales call each and every day this week.  People are beginning to hear the message and have genuine interest in the benefits that Triumfant can offer their organization.  Because our solution is so unique and so different from the other tools on the market, the calls are normally very lively and we go from PowerPoint to very constructive conversations very early in the call.  It makes for a fun call when people “get” what we do and immediately begin to map the technology to practical application.  I love being on these calls and it has been a blast to take the message out to prospects, so I don’t mind the tie at all.

Social Media Opens a New Front in the Cyber Security War

May 28, 2009

The rise of social media opens an entirely new front in the war against cyber crime.  In the May 26 post of the “Zero Day” blog on ZDNet by Ryan Naraine and Dancho Danchev, there is a detailed account of a vulnerability in the Twitter API that is an open door for hacking. Besides being sound analysis of this specific problem, the article serves as a great example of how the continued rise of social media will affect IT security going forward.

Don’t underestimate the impact social media and the generation raised on such communication will have on the workforce and therefore on IT security.  I have heard stories that many of today’s college graduates have to be taught how to use email, because the social media tools are so ingrained in their daily existence and have therefore replaced what those of us in the previous generations find to be an essential tool.  And even old dogs learn new tricks, as I have found myself drawn into the world of social media as part of my responsibilities.

Furthermore, the speed at which social media trends rise and fall, and the number of opportunistic startups that pop up overnight to write applications to ride the next hot trend, raise concerns about the security rigor applied to writing these applications.  One only has to look at the many apps that popped up around Twitter as an example.  It is not a reach to be worried about the level of attention being paid toward securing these applications for enterprise consumption.

While many of the attack vectors used against social media will be familiar, undoubtedly many will not, and such attacks will put additional strain on aging defensive technologies and already thinly stretched IT staffs.  If your company or government agency is not thinking about the impact of social media on security, you should be. And you should not take for granted that your existing endpoint security software is sufficient to protect your IT assets from this next generation of threats and the associated malware.


Understanding What We Are By Understanding What We Are Not

May 27, 2009

When you have an endpoint security solution that is based on technology as unique as Triumfant, introductory conversations take two paths.  The first path requires a bit of Gestalt on the part of the listener, who is able to hear how the technology works and immediately begin to connect the dots on the practical applications of our ability to detect, analyze and remediate every change on an endpoint machine or server.   There is normally a very enlightened look and phrases such as “then that means you can <insert cool practical application here>.” In presentations that go this way, I find I immediately shut down PowerPoint and engage in a very lively conversation about the value of Triumfant and our solutions.

The second path gets to the same destination, but the conversation includes a line of discussion where people seek a reference point to compare Triumfant with other endpoint protection products or product categories.  This is natural and I by no means imply that such people are not smart or perceptive – it is human nature to build new knowledge off our existing points of reference.  This path begins with the phrase “oh, so you are like <insert product name or product category here>?”, and that is where the fun begins as we spend some time discovering what our product is not. 

Which leads me to today’s post – I thought I would provide a primer on what we are not:

  • Antivirus – If you did not know this, you must be a first time visitor and may want to check out the post on our malware counter.  We are most definitely not an antivirus product and do not use signatures to detect malicious activity.  Not that there is anything wrong with that.
  • Behavioral Analysis – behavioral analysis is getting some attention as an alternative to AV but has been met with mixed results.  Essentially behavioral analysis tools watch running processes and create an alert if the process does something that it deems suspicious.  These tools are touted as protection against zero-day attacks but can suffer from false positives that make them problematic.  (Note: Some vendors will position their behavioral based tools as comparable to Triumfant.  The comparisons don’t stand up.)
  • Heuristics – heuristic analysis attempts to operationalize experience to identify new malware or variants of known malware. Three methods are used: file analysis, file emulation, and generic signatures, all of which require some previous knowledge of the attack and therefore suffer from the same diminishing (Gartner’s word, not mine) capabilities as signature based AV software as the number of attacks grows geometrically. Triumfant makes use of some heuristic analysis once we detect an attack, but it is not how we detect an attack.
  • HIPS – some people feel that HIPS (host intrusion prevention system) tools are a close match to Triumfant. These tools use a combination of firewall, system-level action control and sandboxing in an attempt to detect malware and prevent it from being loaded onto the host machine.  These tools have found limited success and are considered resource intensive and prone to false positives. Triumfant takes a very different approach from HIPS and does not require extensive blacklisting, nor does it result in resource issues on the host machine or the network.

It should be noted that none of these tools include the capabilities of synthesizing situational remediations for detected problems that fix not only the malicious attack but all of the collateral damage associated with the attack.

So there you go – a brief discussion of what we are not.  You can now free your mind and think about what we are: a unique tool that uses granular change to detect, analyze and remediate unexpected changes to endpoint machines and servers.  Understanding how we are different further frees your mind to grasp the practical applications of our technology, such as the real-time detection and remediation of malicious attacks. For a better explanation let me suggest you start with our web site or with some of the following blog entries:


The Worldwide Malware Counter, Gumblar, and Conficker

May 21, 2009

As we near the holiday weekend allow me to do some quick hits on some topics of interest:

  • Reaction to the Worldwide Malware Counter, launched by CEO John Prisco in his Tuesday blog post, has been exciting to say the least.  The activity to our web site has significantly spiked as people are coming to have a look.  We have gotten some interesting emails and comments, which is the most gratifying result as we had hoped to start an open debate.  I have also received some suggestions on how to enhance the counter, so stay tuned. 
  • The Gumblar attack, which loads Google searches with malicious links, has spread to over 3,000 servers and is characterized by another only-in-IT-security term: a drive-by download.  When such an attack comes out, we always get asked if we would have seen it.  Our technical people assure me we would see the malware when it hit either an endpoint machine or server.  Furthermore, when Triumfant synthesizes the situational remediation for the attack it would find all of the backdoors that Gumblar creates to survive.  This is why the fact that we see all of the changes in the machine is so critical – we can remediate all of the primary and secondary aspects of an attack and bring it to a halt.  I read one AV company’s blog about Gumblar and they noted that their AV software detects “some of the malicious code and malware” and likened the process of stopping Gumblar to “whack-a-mole”.  I am sorry, if I am a customer I would want to know if terms like “some” and “whack-a-mole” are good enough when it comes to protecting my data and my public perception.  This is why we created the counter: to point out that signature based tools are no longer a sustainable protection.
  • I see that my old friend Conficker is still at large and infecting 50,000 computers a day.  This attack is 6+ months old and out in the open and still infecting 50,000 computers a day! Maybe we should start a Conficker counter.  I think we should have called it the Cher worm – it never goes away. Anna Kournikova got a virus named after her, why not Cher?

That is all for now. Time to start thinking about the BBQ plans for the long weekend.


Questions Answered About the Worldwide Malware Counter

May 20, 2009

The Worldwide Malware Counter introduced in Triumfant CEO John Prisco’s blog post yesterday has gotten a lot of interesting response and some questions that I thought I would address.

Why should I care about this counter?  Because if you are reading this, you are likely engaged in IT security in some form, and the tectonic plates of that world are shifting rapidly beneath your feet.  This counter is meant to give you a small taste of just how much it is shifting.  Consider that a signature is written in response to a new attack or a new variant of an attack, and signature based tools fail at a fifty percent or higher rate to detect the attacks that have no known signature.   If you are not looking at alternatives to signature based tools you should be.  Because as other organizations move on, the cyber criminals are going to find those organizations that continue to rely solely on signature based tools, since they will offer the least resistance.

Is the counter just a timed linear count?  No. We actually modeled the numbers from the Symantec Threat Report and built a counter that we think fits the represented data as closely as possible.  The counter’s pace will actually escalate throughout the year to represent the growth rates from the data.  So we start the year at one every 20 seconds, and will end the year at one every 8 seconds.  The counter is representative, but we made it as accurate as possible – no hype or fear mongering.
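As an added example, not the counter the post describes and not Triumfant code, here is one way such an escalating counter can be modeled: the tick rate ramps from one signature every 20 seconds to one every 8 seconds over the year, and the displayed count is the integral of that rate. Both a geometric ramp (the rate multiplies by a constant factor per unit of time, the “geometric” growth the introductory post refers to) and a linear ramp are shown. The 20 and 8 second endpoints come from the post; the 365-day year, the ramp shape and the closed-form integration are assumptions of this example.

```python
import math

# Assumed parameters: the post gives the 20 s and 8 s endpoints; the 365-day year,
# the ramp shape and the closed-form integration are assumptions of this example.
SECONDS_PER_YEAR = 365 * 24 * 3600
START_INTERVAL = 20.0   # seconds between signatures on 1 January
END_INTERVAL = 8.0      # seconds between signatures on 31 December


def _clamp_fraction(t, period):
    """Fraction of the period elapsed at t seconds, clamped to [0, 1]."""
    return min(max(t / period, 0.0), 1.0)


def rate_at(t, start=START_INTERVAL, end=END_INTERVAL,
            period=SECONDS_PER_YEAR, geometric=True):
    """Signatures per second at t seconds into the period.

    geometric=True multiplies the rate by a constant factor per unit of time
    (constant percentage growth); geometric=False adds a constant amount
    per unit of time (linear growth).
    """
    r0, r1 = 1.0 / start, 1.0 / end
    u = _clamp_fraction(t, period)
    if geometric:
        return r0 * (r1 / r0) ** u
    return r0 + (r1 - r0) * u


def interval_at(t, **kw):
    """Seconds between consecutive ticks at time t: the pace a web counter would show."""
    return 1.0 / rate_at(t, **kw)


def count_at(t, start=START_INTERVAL, end=END_INTERVAL,
             period=SECONDS_PER_YEAR, geometric=True):
    """Cumulative signatures from the start of the period to t (integral of rate_at)."""
    r0, r1 = 1.0 / start, 1.0 / end
    u = _clamp_fraction(t, period)
    if geometric:
        k = r1 / r0
        # integral of r0 * k**(s/period) ds for s from 0 to u*period
        return r0 * period * (k ** u - 1.0) / math.log(k)
    # integral of r0 + (r1 - r0) * s/period ds for s from 0 to u*period
    return period * (r0 * u + (r1 - r0) * u * u / 2.0)


if __name__ == "__main__":
    for label, geo in (("geometric", True), ("linear", False)):
        total = count_at(SECONDS_PER_YEAR, geometric=geo)
        print(f"{label}: pace {interval_at(0, geometric=geo):.1f}s -> "
              f"{interval_at(SECONDS_PER_YEAR, geometric=geo):.1f}s, "
              f"{total:,.0f} signatures in the year")
```

Integrating the 20-to-8-second schedule over a year gives roughly 2.6M signatures for the geometric ramp and 2.8M for the linear one, both well under the 4M-plus figure quoted in the introductory post, so a counter built on this schedule does err on the conservative side as claimed.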

What, no sound effects?  As a big fan of 24, I really wanted to use the same sound they have on their timer, but maybe we can add something in release 1.1 of the counter.  Like the agonizing screams of a user realizing their machine just got infected.

Will you adjust the counter as Symantec updates their numbers?  Absolutely.  The counter was built with variables so we can do just that.  Again, our goal was to provide a graphical representation that was fair and erred on the side of being conservative.  When we see new numbers from Symantec we will update our model and the counter.  If we were too high, we will say so.  We think we will be low.

Are you picking on Symantec?  Nope.  We used the Symantec numbers because they are in the public domain and they represent a broad, worldwide sampling of what organizations are encountering.  We commend Symantec for making the information available, and we have the utmost respect for their research.   Triumfant is not an antivirus replacement, we have never positioned ourselves that way, and we therefore have no quarrel with Symantec (or McAfee, or Trend, or Sophos, or <insert antivirus vendor name here>).   If someone knows of similar research that is in the public domain that we should consider, please let me know.

Why did Triumfant do this?  To catalyze awareness and discussion, because a picture is worth a thousand words (feel free to use that quote if you like it).  Triumfant believes that organizations, particularly those organizations that are continuously bombarded with persistent targeted threats, need to know what they are up against.  And while they may feel safe now, they need to look to alternatives to traditional signature based tools now, before this counter gets to the tens of millions.  Someone sent us a comment yesterday that until they saw the counter they had not considered the potential load on their computer to sift through so many signatures.  That is what we were after – to stimulate some thinking.  And of course if that thinking were to drive people to consider Triumfant as one of those alternative technologies, then that would be a plus (come on folks, we are not a philanthropy).

Are we to believe a marketing guy built an analytical model that extrapolates and performs intelligent escalation? Luckily, my CEO went to MIT and he built the model.  But in my defense I did get a “B” in ordinary differential equations.


Introducing the Worldwide Malware Signature Counter

May 19, 2009

Today Triumfant added a malware signature counter to our Web site to represent an up-to-the-second counter of the number of signatures required by traditional signature based tools.  The counter is designed to graphically reinforce what many in the IT security industry believe is a growing problem that is being largely ignored – that the reliance on signatures to protect endpoints and servers against malicious attack is simply unsustainable.

The counter uses the statistics from Symantec’s “Global Internet Security Threat Report – Trends for 2008”, published in April of 2009, as the statistical foundation and simply extrapolates the growth rates in new attacks – and therefore the companion signatures – seen in 2008 into 2009.  We used the Symantec data because it is in the public domain, because they are a credible market leader, and because they have an exemplary research capability.  But we also used this report because we thought it was a fair set of numbers given that they come from a vendor who, like most in the IT security market, relies heavily on signatures for defensive capabilities, and were therefore not inflated to make a point.

Just what is that point?  The world of cyber crime is simultaneously accelerating and evolving in ways that no one would have predicted three years ago.  According to Symantec, the total number of signatures increased approximately 265% year-to-year from 2007 to 2008.  The total number of signatures created in 2008 exceeded the total number of signatures written to-date by 60%, adding 1.6M signatures to the cumulative total of 1M signatures.  If these growth rates continue, and the curve appears to be actually geometric instead of linear, over 4M new signatures will need to be written in 2009.

Customers are promised innovation, but are delivered more of the same in what we have come to call the process of “perfecting the obsolete”.  So why is the industry moving slowly?  I address this in detail in a previous post called An RSA Keynote from the Outer Aisles – Demand Disruption, but essentially the movement away from the reliance on signatures is simply too disruptive to the comfortable ecosystem that has been created, and even the customers are partially complicit because they do not demand change. 

Triumfant is not looking to beat the “AV is dead” drum, as we believe that antivirus software will always have a place in a defense-in-depth strategy, but we do believe that continued reliance on antivirus software in the face of the mounting evidence is not a reasonable or prudent strategy.   And do not lose the perspective that each one of the 1.6M new signatures represents a response to a new unknown attack or a variant of an existing attack that therefore evaded the signature based software, at a rate generally reported to be fifty percent.  I would be remiss not to add that there are likely many more such attacks that have yet to be discovered, as the daily headlines point to attacks that go months undetected.

So the questions begged by the counter are simple.  How many signatures must we write before we hit the tipping point?  How much data and money and intellectual property must be stolen before the market demands change?  How many people who have entrusted personal data to organizations with the belief that these organizations would protect that data must have their privacy compromised?  When is the market going to stop supporting the self serving ecosystem and engage in some constructive conversation about evolving defensive software to meet the obvious threat?

The counter was designed to be a visual reminder of the mess we are sliding toward.  The counter will accelerate to match the accelerating rate of the problem, and will be incrementing every eight seconds by year end.   There are alternative ways to detect and remediate malicious activity, and I would respectfully suggest that you and your organization owe it to yourself and your stakeholders, customers, and employees to start to look into these alternatives to signature based tools sooner rather than later.  The counter is ticking.


Three Malware Timelines – Infinity, Days, Three Minutes

May 18, 2009

When an endpoint machine or server encounters a malicious attack that has no signature, your organization is set upon one of three timelines, predetermined by the software you have in place.

The first timeline is not a good one, as it simply begins and potentially runs to infinity.  Dramatic?  Perhaps, but infinity is the proper term when the timeline has no apparent endpoint.  Why no endpoint?  Traditional signature based software misses attacks where there is no known signature at a rate of fifty percent or higher, depending on whose stats you use.  I use fifty percent because that seems to me the median of the research I have found, and whilst I suppose I could hype toward the higher numbers, fifty seems fair.  The bottom line is that reliance on signature based software puts your organization on a timeline where once the attack occurs, there is no detection, and therefore no remediation, and therefore a line extending forward into time with no logical endpoint.   One out of every two times.  The infected machine becomes part of a botnet, or serves as the portal for cyber criminals to begin silently removing valuable data from your organization.

The second timeline assumes you have signature based software and it in fact detects the attack.  The next point on the timeline is your call to your vendor, who gets back to you with a signature.  Vendors brag about four hours, but every security professional I have spoken to says 24 hours at a minimum.  Next step is that you have to test the signature, because at the rate the antivirus guys are spitting them out – one every 20 seconds – I think there is reasonable suspicion about how much testing is being done.  Then you have to begin the process of updating the endpoints and servers with the signature.  This could be quick – a day or two - or extend into weeks (some research says 30-60 days).   During the lag between infection and the push of the new signature, there is reasonable risk that other machines are being similarly infected.

Somewhere in that timeline in parallel you have to build a remediation script or your vendor has to build a remediation script, or you have to re-image the infected machine.  Because even if your vendor says they have remediation capability, the remediations are pre-written scripts for known issues and this is not a known issue.  The remediations follow the same path as the signature, or lack thereof.  If you go the script route, the script has to be tested and then pushed out like a patch.   Given that it is a generic patch, there is risk that all of the problems created by the attack and the nuances of the attack that result from the different profiles of each machine will not be addressed and the machines left in a vulnerable state.

The third timeline is the exclusive domain of the Triumfant customers.  When the attack hits, Triumfant detects the unusual activity because it does not rely on signatures for detection.  Triumfant scans machines every thirty seconds looking for markers of malicious activity, and when it sees such activity will send a message to the Triumfant server, which then launches an in-depth probe of the machine.  If it is determined that an attack has indeed taken place, Triumfant will build a situational remediation on the fly and send it to the infected machine, ending the attack.  Elapsed time: three minutes (see the video that proves it).  Since Triumfant sees all of the changes to the machine caused by the attack, the remediation completely addresses everything done to the machine and restores it to its pre-attack condition.  No re-imaging is required.  The markers used to detect the attack can then be captured and a full scan initiated of the endpoint population.  If the attack is found elsewhere and has not already been detected and remediated, it will be remediated by this full scan.  A broad based attack can be stopped in under an hour.

Infinity, days, or three minutes.   The choice is yours and I will leave it to you to consider the relative consequences of each.


Exhibit A for Bad Advice – A Questionable Recommendation from the New York Times

May 15, 2009

Yesterday a friend sent me an article in the New York Times asking my opinion on a recommendation made by the author regarding improving performance on home PCs.  In the article Five Controversial Ways to Speed Your PC, author Paul Boutin recommends that users “uninstall your antivirus software” because he perceives the threats as overhyped and basically scaremongering by his fellow journalists.

I hope the writer has the guts to come back and tell his readers just how long his machine survived unprotected.  I have seen studies where unprotected PCs have been connected to the Internet and are infected in minutes and part of a botnet in hours.  In my opinion, this recommendation was irresponsible and could cause a lot of people to lose personal data on their home machines. 

But this is just the kind of behavior that I pointed out in my recent post about “Stopping Stupid”.  All of the security software, policies and configurations cannot protect against the human element, especially when that element takes its cue from something like the recommendation in this NY Times article.  Because you know that there are people in the workplace who read the article, decided that their AV software was the reason their machines at work were not as fast as they want, and started the process of disabling or eliminating their AV software on their work PC.  If this were an old horror movie, CISOs and IT techs would be an angry mob on their way to Mr. Boutin’s office with torches and pitchforks.

That is why security configuration management tools have got to be more than a one-way push of configurations to ensure endpoint security.  These products must have every machine, every day vigilance to verify that the configurations and policies are in place and take the steps to remediate the machines if they are not.  The only way to fight incompetence or ignorance is through relentless repetition.   And since stupid is a free-style art form, signature based tools and pre-written remediation scripts will not get the job done.  The security configuration management tool has to be able to do situational remediation to address problems as they are encountered.

Lots of endpoint protection and configuration management tools may say they do exactly that, but they don’t.  They are pushing scripts.  I suggest you ask for more from your security configuration management tool and make sure you choose one that will stand against the crafty work of the maliciously intended cyber criminal as well as stand in the gap against user incompetence and ignorance.


The FAA Incident Report and the Remediation Problem

May 14, 2009

I spent the past two days on a business trip to Detroit.  After a great sales call Wednesday morning I had some time to kill in the Detroit airport and while browsing the Internet I came across the FAA report on the penetration testing done against the FAA systems.  The report lists the results of an audit done on FAA Web applications by KPMG in response to a request by Congress.  The audit tested 70 Web applications, many of them customer facing.  Some highlights of the findings:

  • The test identified a total of 763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities.
  • Exploiting these vulnerabilities provided paths for unauthorized access to information stored on Web application computers and to gain unauthorized access to ATC systems.
  • The vulnerabilities also served as a path to attack FAA user computers by injecting malicious code onto the computers.

To illustrate the potential consequences of the vulnerabilities discovered, during the audit the KPMG reportedly:

  • Gained access to information stored on Web application computers and an ATC system.
  • Gained access to information stored on Web application computers associated with the Traffic Flow Management Infrastructure system, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower.
  • Gained access to an ATC system used to monitor critical power supply at six en route centers.

Combine this with the findings release that day of the suspected pilot error in the recent commuter plane crash in Buffalo, and obviously I am now ready to jump on my plane.  Not.

After digesting the statistics of the FAA report, one statement really stuck out to me: “Cyber incidents were not remediated in a timely manner.”  The report noted that 17% of the 877 cyber related incidents reported in 2008 had gone unresolved by year end.

I talk a lot about the ability of Triumfant to detect attacks that frequently evade other defensive software, particularly traditional signature based software.  But the ability of Triumfant to build a remediation on the fly and stop an attack is a significant and considerable advantage when it comes to endpoint protection.  I know the FAA incidents were predominantly network intrusion type problems, but the need for speed in regards to remediation is a universal concept. 

In the video of the Triumfant 3 minute Malware Challenge, we show live the process of detecting, analyzing and remediating an actual malware attack in 3 minutes.  The conversation often stops at detection because we have such a growing problem seeing today’s attacks.  But if we are not fixing what we find, the problems run much deeper.


Stopping Stupid – Dulling the Edge of Hanlon’s Razor

May 12, 2009

There is a corollary to Murphy’s Law called Hanlon’s Razor that goes as follows:

“Never attribute to malice that which can be adequately explained by stupidity, but don’t rule out malice.”

In the world of IT security, much risk and ultimately damage is caused by stupid in the form of ignorance or selfishness or just plain zero brainwave activity.  Because nothing can render defenses useless faster than human stupidity. 

So how do you stop stupid?  It is not easy, because, as Friedrich Schiller put it:

“Against stupidity, the gods themselves contend in vain.”

What is needed is something that is doggedly persistent and tireless in its defense against stupid.  Something that never throws up its hands in the face of relentlessly repetitive stupid.  Something that no matter how many times it must turn stupid away will do so with a singular purpose.   

Triumfant Resolution Manager does a great job of security configuration management.  It will continuously enforce security policies and configurations, and when it sees non-compliance it will automatically create a remediation to return the endpoint machine to compliance.  It will also detect machines that have been changed in a way that is anomalous relative to other like machines in the endpoint population, and based on how anomalous the change is, either create a remediation or alert the administrator.

In other words, Triumfant will stand tirelessly, continuously, and relentlessly against stupid.  Every time a user sets his or her machine to a configuration or state that would create a vulnerability, Triumfant will set it back.  If the user then changes the setting the next day, Triumfant will set it back.  If the user disables their antivirus agent, Triumfant restores it.  
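As an added illustration, not Triumfant’s code and not a description of how its agent actually works, here is a small model of the approach this post and the earlier “Three Malware Timelines” post describe: take a snapshot of an endpoint’s state, check it against a required policy, compare it with like machines in the population, and synthesize a remediation for exactly what was found rather than applying a pre-written script. The snapshot format, the policy keys, the 80% peer quorum and the sample machines are all constructed for this example.

```python
import hashlib
from collections import Counter

# Constructed example data. A "snapshot" is a flat map from a configuration item
# (service state, autorun entry, file hash) to its observed value. Real agents
# collect thousands of such items; a handful is enough to show the logic.
REQUIRED_POLICY = {            # assumed policy: what every managed machine must have
    "services.antivirus.enabled": "true",
    "firewall.enabled": "true",
}


def fingerprint(content: bytes) -> str:
    """Content hash used as the snapshot value for files."""
    return hashlib.sha256(content).hexdigest()


def _sample_machine(**overrides):
    """A clean baseline machine, with optional constructed deviations."""
    base = {
        "services.antivirus.enabled": "true",
        "firewall.enabled": "true",
        "registry.Run.Updater": r"C:\Program Files\Updater\updater.exe",
        r"file:C:\Windows\System32\drivers\etc\hosts": fingerprint(b"127.0.0.1 localhost\n"),
    }
    base.update(overrides)
    return base


PEERS = [_sample_machine() for _ in range(3)]   # three like machines, all clean
SUSPECT = _sample_machine(**{                   # a user disabled AV, then malware arrived
    "services.antivirus.enabled": "false",
    "registry.Run.svch0st": r"C:\Users\Public\svch0st.exe",
    r"file:C:\Windows\System32\drivers\etc\hosts": fingerprint(
        b"127.0.0.1 localhost\n192.0.2.10 av-updates.example\n"),
})


def policy_violations(snapshot, policy=REQUIRED_POLICY):
    """Items whose value differs from what policy requires: (key, expected, actual)."""
    return [(key, expected, snapshot.get(key))
            for key, expected in sorted(policy.items())
            if snapshot.get(key) != expected]


def peer_anomalies(snapshot, peers, quorum=0.8):
    """Items where this machine differs from a value held by at least `quorum` of its peers.

    A key present here but absent on the peers (common value None) is reported
    too; an unexpected autorun entry is exactly that case.
    """
    anomalies = []
    for key in sorted(set(snapshot).union(*peers)):
        common, votes = Counter(p.get(key) for p in peers).most_common(1)[0]
        if votes / len(peers) >= quorum and snapshot.get(key) != common:
            anomalies.append((key, common, snapshot.get(key)))
    return anomalies


def build_remediation(snapshot, peers, policy=REQUIRED_POLICY):
    """Synthesize actions for this machine's own findings instead of a canned script."""
    actions = [("set", key, expected)
               for key, expected, _ in policy_violations(snapshot, policy)]
    for key, common, actual in peer_anomalies(snapshot, peers):
        if key in policy:
            continue                                 # already covered by a policy action
        if common is None:
            actions.append(("remove", key, actual))  # exists only here: drop it
        else:
            actions.append(("set", key, common))     # drifted from peers: restore the common value
    return actions


def apply_remediation(snapshot, actions):
    """Return the post-remediation snapshot.

    For file items, "set" stands for restoring a known-good copy whose hash
    matches the expected value; this model only records the resulting state.
    """
    fixed = dict(snapshot)
    for op, key, value in actions:
        if op == "set":
            fixed[key] = value
        elif op == "remove":
            fixed.pop(key, None)
    return fixed


if __name__ == "__main__":
    actions = build_remediation(SUSPECT, PEERS)
    for action in actions:
        print(action)
    fixed = apply_remediation(SUSPECT, actions)
    print("clean after remediation:", not build_remediation(fixed, PEERS))
```

Running this against the constructed suspect machine yields three actions: re-enable the antivirus service (policy), remove the autorun entry no peer has (anomaly), and restore the hosts file to the hash the peers agree on (anomaly). Re-running the checks on the remediated snapshot finds nothing, and a clean peer produces no actions at all, which is the “set it back, every time” behaviour the post describes. A real deployment would have to decide what a quorum of like machines is, and would raise an alert rather than act when the common value is itself suspect.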

No other tool that I know of is equipped to address the human element of security at the endpoint like Triumfant.  The ability to continuously scan a machine and build a remediation on the fly is completely unique in the market and is uniquely capable to mitigate the effects of stupid.  Given that there is no human intervention needed to remove the effects of stupid, your organization gets a solution that delivers with near zero human costs. 

A loosely attributed quote from Einstein summed up stupid as follows:

“Only two things are infinite, the universe and human stupidity, and I’m not sure about the universe.”

Combine Triumfant’s configuration management capabilities with its ability to detect, analyze, and remediate a malicious attack without signatures and without human intervention, and you have a really powerful tool to add to your security strategy.  It won’t completely mitigate stupid, but it will win one small skirmish in the war and dull the edge of Hanlon’s Razor.