My Briefing on Symantec Quorum Part 2 – Why I Think Triumfant Offers a Stronger Solution

July 28, 2009

Yesterday I detailed my impressions after being briefed by Symantec on their new Quorum product.  In summary, I was impressed with the implementation of the technology, but was not convinced that it solves the malware detection gap for enterprise customers, particularly those under the dynamic persistent threat scenario who see precise, well-engineered and targeted threats on a continuous basis.

For such customers I believe that Triumfant’s approach to prevalence is far more applicable and practical.  When Triumfant scans an organization’s endpoint population, it builds a rule in the Adaptive Reference Model for every piece of software it discovers, along with information about the files and other elements associated with that software.  In other words, the model builds a functional whitelist that contains prevalence data specific to the organization and not based on the collective wisdom of a community.  And you can build models that address the entire endpoint population, or build models to specific groups of machines as appropriate.  The model is refreshed weekly to ensure that it accurately represents the desired evolution of the endpoint population.

You do not have to tell the model what is acceptable in your specific environment; it learns it.  You can, however, build policies and explicitly define authorized applications through a wizard-driven interface.  If there is software already on the machines that ultimately is not in the desired list of authorized applications and programs for the organization, then it is a simple act to build what we call a filter to exclude specific software from the model and therefore from the whitelist.

Once the model is built, any application or program added to an endpoint machine or server that is not in the model as an authorized application is flagged on the administrative console.  Resolution Manager synthesizes a situational remediation to remove the application from the machine and ensure that every change to the machine made as part of the installation is reversed.  The remediation can be configured to execute automatically, or be set to require confirmation by an administrator prior to execution.  Either way, no human intervention is required to write the remediation, and every remediation is fully reversible.

Because Triumfant sees all of the changes to the affected machine that were part of the unauthorized software's installation process, it has the information necessary to build a remediation that removes the malicious code and all collateral elements from the machine.  Why is this important? The installed application could be a Trojan horse or be designed to make configuration changes that weaken the defenses of the machine. So if the install included a secondary malicious payload, Resolution Manager will see it and kill it.  If the install opened a port or changed a security configuration setting, Resolution Manager will see it and reverse the change.
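The three paragraphs above describe one procedure: learn a whitelist from the organization's own endpoints (with prevalence data and filters), flag anything a later scan finds that the model does not know, and synthesize a remediation that reverses every recorded change and can itself be undone. The following Python is an added illustration of that procedure written for this post; it is not Triumfant's code and does not show how the Adaptive Reference Model or Resolution Manager are implemented. The snapshot layout (files as path to hash, settings as key to value), the filter semantics, the action vocabulary, and all endpoint names, paths, hashes and settings are assumptions and constructed sample data.

```python
"""
Organization-specific prevalence model, change detection and reversible
remediation.  Added illustration, not Triumfant's code: the snapshot
layout, filter semantics and action names are assumptions, and every
endpoint, path, hash and setting below is constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed baseline: one inventory per endpoint, taken when the model is built.
_OFFICE = {r"C:\Program Files\Office\winword.exe": "h-word",
           r"C:\Windows\System32\notepad.exe": "h-notepad"}
_SAFE = {"firewall/inbound/3389": "blocked", "av/realtime": "on"}
BASELINE = {
    "ws01": {"files": {**_OFFICE, r"C:\Users\a\AppData\Local\ptp\ptp.exe": "h-ptp"},
             "config": dict(_SAFE)},
    "ws02": {"files": dict(_OFFICE), "config": dict(_SAFE)},
    "ws03": {"files": dict(_OFFICE), "config": dict(_SAFE)},
}
# Software found on a machine but not wanted: a filter keeps it out of the model.
FILTERS = (r"C:\Users\a\AppData\Local\ptp",)
# A later scan of ws02 (constructed): a dropper, a driver and two weakened settings.
WS02_AFTER = {
    "files": {**_OFFICE, r"C:\Windows\Temp\svc_update.exe": "h-dropper",
              r"C:\Windows\System32\drivers\rtk.sys": "h-rootkit"},
    "config": {"firewall/inbound/3389": "allowed", "av/realtime": "off"},
}


@dataclass
class Model:
    prevalence: dict   # (path, hash) -> fraction of endpoints carrying that exact file
    settings: dict     # setting key -> value most endpoints agree on
    authorized: set    # (path, hash) pairs authorized explicitly by policy


def build_model(snapshots, authorized=(), filters=()):
    """Learn the whitelist from the population itself: every file seen on any
    endpoint enters the model with its organization-specific prevalence,
    except software matched by a filter."""
    file_counts, setting_counts = Counter(), {}
    for snap in snapshots.values():
        for path, digest in snap["files"].items():
            if any(path.lower().startswith(f.lower()) for f in filters):
                continue
            file_counts[(path, digest)] += 1
        for key, value in snap["config"].items():
            setting_counts.setdefault(key, Counter())[value] += 1
    n = len(snapshots)
    return Model({item: c / n for item, c in file_counts.items()},
                 {k: c.most_common(1)[0][0] for k, c in setting_counts.items()},
                 set(authorized))


def detect(model, before, after):
    """Compare an endpoint's new scan with its previous one and with the model.
    Returns (kind, key, old, new) tuples for everything the model does not know."""
    findings = []
    for path, digest in after["files"].items():
        if (path, digest) in model.prevalence or (path, digest) in model.authorized:
            continue
        old = before["files"].get(path)
        kind = ("file_added" if old is None else
                "file_modified" if old != digest else "file_unauthorized")
        findings.append((kind, path, old, digest))
    for path, digest in before["files"].items():
        if path not in after["files"] and (path, digest) in model.prevalence:
            findings.append(("file_removed", path, digest, None))
    for key, value in after["config"].items():
        old = before["config"].get(key)
        if value != old and value != model.settings.get(key):
            findings.append(("setting_changed", key, old, value))
    return findings


def build_remediation(model, findings):
    """Turn findings into a plan whose every step carries its own undo, so the
    whole remediation can be rolled back.  'restore_file' stands for putting back
    the copy with the given hash from the endpoint's quarantine or backup."""
    plan = []
    for kind, key, old, new in findings:
        if kind in ("file_added", "file_unauthorized"):
            plan.append({"do": ("delete_file", key), "undo": ("restore_file", key, new)})
        elif kind == "file_modified":
            plan.append({"do": ("restore_file", key, old), "undo": ("restore_file", key, new)})
        elif kind == "file_removed":
            plan.append({"do": ("restore_file", key, old), "undo": ("delete_file", key)})
        elif kind == "setting_changed":
            target = old if old is not None else model.settings[key]
            plan.append({"do": ("set", key, target), "undo": ("set", key, new)})
    return plan


def apply_actions(snapshot, actions):
    """Simulate actions against a snapshot (the dict stands in for the endpoint)."""
    files, config = dict(snapshot["files"]), dict(snapshot["config"])
    for action in actions:
        op, key = action[0], action[1]
        if op == "delete_file":
            files.pop(key, None)
        elif op == "restore_file":
            files[key] = action[2]
        elif op == "set":
            config[key] = action[2]
    return {"files": files, "config": config}


if __name__ == "__main__":
    model = build_model(BASELINE, filters=FILTERS)
    findings = detect(model, BASELINE["ws02"], WS02_AFTER)
    plan = build_remediation(model, findings)
    print(findings)
    print("back to baseline:", apply_actions(WS02_AFTER, [s["do"] for s in plan]) == BASELINE["ws02"])
```

Two points the code makes that the prose only states: prevalence is keyed on the exact (path, hash) pair, so a file common in the wider community but never seen in this organization is flagged regardless of any community score, while a new version already present on other endpoints is not; and because each step records its inverse, replaying the undo steps in reverse order returns the machine to the pre-remediation state, which is what makes an automatic remediation safe to run before an administrator has looked at it.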

Symantec allows you to build custom alerts based on prevalence data returned from the Symantec reputation database, but from what I saw it does not include automated remediation.  The information I saw from Symantec indicated that it was the role of the client to block a file when an unacceptable reputation score was returned.  Given that we can't teach users not to open suspicious emails or click through social engineering, this would seem to be problematic. And because the application must install for it to be checked by the Symantec product, removal of the suspicious executable and all associated changes to the machine becomes critical. That is why Triumfant would seem to offer a superior solution.

Finally, I would add that the capabilities I describe for Triumfant exist today and are up and working at customer sites – this is not a future release.

I want to take the time again to acknowledge the Symantec team and their willingness to share the details of the product, as well as reiterate my belief that this technology will serve them well in the consumer market.  But for large organizations, I do believe that organization-based prevalence is more practical than community-based prevalence.  I also think that Triumfant's remediation capabilities address a significant shortcoming in the Symantec offering.

But more importantly, just how much of the detection gap does Symantec expect this to solve? By my calculations, Symantec added approximately 1,700,000 new signatures in the first half of 2009, more than they added in all of 2008.  That equates to just about 9,000 new signatures a day.  McAfee noted in an entry in their Avert Labs blog that they were writing over 6,000 new signatures a day, and they don't count what is caught by their generic filters and heuristics. Will this catch 10% of the attacks already evading the other protections? 50%?  Unless Symantec thinks this will be a near 100% solution, there would still seem to be a gap.

And that is where Triumfant really stands out: we believe Triumfant closes far more of the gap than any alternative detection and remediation tool.  We would never stand up and say that we close the gap completely, but we think we can make a case that we are pretty darn close.  Because we track all of the changes to each and every endpoint, you would have to be able to construct an attack that does its malicious activity without changing the attacked machine for Triumfant to not see the attack.  So while prevalence may close part of the gap, why have a gap at all?  And for you folks who are not Symantec customers and like the idea of adding prevalence to your existing protections, we can do that for you, and a lot more, by providing the perfect complement to your antivirus software regardless of the vendor.


My Briefing on Symantec Quorum – Impressed But Not Convinced

July 27, 2009

On July 9 I wrote a post about Symantec’s soon-to-be-released reputation based technology they are currently calling Quorum.  My post was a bit tongue in cheek asking how something unknown could have a reputation, but it appeared to have been taken seriously by the folks at Symantec who pinged me back on Twitter and offered to help me better understand the product and the value of the reputation based approach.  I took them up on the offer and one of their product management folks walked me through the technology.

First let me say that I respect the earnestness and professionalism that the Symantec people had in seeking to correct what they thought were my perceptions of the product.  In return, I will refrain from providing any details of what they shared with me as they are rolling out the product as we speak and I certainly do not want to inadvertently include any information that they have not yet taken public.  I don’t want to damage my reputation score.

What I will share is my general conclusion: while I was impressed with the technology, what I was not ultimately sold on was the benefit to larger enterprise customers that have to stand against a barrage of precision-guided exploits and new attacks on a daily basis.

The Symantec solution is extremely complete and obviously very thoughtfully constructed.  They have clearly considered a lot of the angles in reputation based technology, including safeguarding against methods to artificially influence reputational scores.  In my opinion, the technology will be a good addition for consumer customers and small businesses that should benefit from reputational comparatives given they have a small number of machines or only one machine to watch.   It also allows Symantec to leverage their large user base as well as integrate and showcase their data storage capabilities to their security customers.  Like I said – in regards to the implementation I was really quite impressed. 

For large enterprises, particularly those customers who are under what we call the dynamic persistent threat scenario, I am not convinced that the prevalence data from a broad community will fill the existing gaps in malware detection. These are organizations that fend off deliberate and precisely targeted attacks designed to extract critical financial data or confidential strategic information by exploiting new attack vectors, recently identified exploitable flaws, or variants of known attacks to evade the traditional defensive software that relies on prior knowledge of attacks for detection.  While these customers might find a community based prevalence score interesting, they frankly are of a profile where such a score – or lack thereof – is not sufficient to make determinations of the potential malicious nature of applications.  The fact that it has been installed in a number of other organizations does not mean that it is acceptable to be installed on their endpoints.

I am grateful to the Symantec team and their willingness to share the details of the product.  I exited the process very confident that while the reputation based technology may help Symantec in the consumer market it has not addressed the shortcomings their tools have in detecting attacks where there is no prior knowledge or the dynamic persistent attacks that many organizations battle on a given day.  In fairness, I am admittedly biased and these shortcomings are not specific to Symantec and are shared by endpoint security vendors as well as their customers. 

Tomorrow I will make my case and detail how I think the Triumfant approach is more applicable and ultimately, more practical.  For example, we already have organization specific prevalence baked into our model.  And we build automated remediations for what we find.  Have a look tomorrow and see if you agree.


McAfee Publishes Numbers On Aggressive Malware Growth

July 24, 2009

McAfee has just posted some numbers of their own regarding the growth in new attacks (and the subsequent need for new signatures) via a blog post by McAfee Avert Labs.  In that post, McAfee says that the number of new attacks is three times the rate over the same period last year, and that the number of attacks for the first half of the year nearly eclipsed the total for all of 2008.

We have been leveraging the Symantec numbers for our Worldwide Malware Signature Counter, and it is nice to see that the McAfee numbers back up our basic thesis.  McAfee reports their numbers a bit differently from Symantec, in that McAfee excludes those attacks that were picked up by generic filters and heuristics (much more on that next week).  This makes the McAfee numbers smaller in total, but they represent the same aggressive growth curve as Symantec's numbers.  For example, if you read between the lines, McAfee saw roughly 500,000 new threats in the first half of 2008, nearly 1,000,000 in the second half, and 1,200,000 in the first half of 2009.

There has been some interesting new language from the AV vendors regarding the aggressive growth of new attacks and the growing strain to build signatures fast enough to protect their customers. Symantec is trotting out their Quorum whitelist/reputation-based technology as the cure, but it remains to be seen if it can really close what these numbers illustrate is a large and growing detection gap.  In shifting the emphasis to the Quorum technology, Symantec is publicly falling on the signature sword.  In the Quorum press release, a Symantec executive is quoted as saying: "Looking at the sheer volume of infected systems in the world, one thing is resoundingly clear: basic security protection is not good enough."

Clearly the "elephant in the room" problem has gotten large enough that the AV vendors can no longer act like it is not there.  Because if I interpret the language in this blog post properly, the numbers presented by McAfee are those attacks that fell through all of their nets – signatures, generic filters, and heuristics – at a rate of 6,000 per day.  I do not single out McAfee, as I am quite certain that these numbers are representative of just how much is getting through the existing endpoint security defenses of all of the AV vendors, Symantec included.

When you point out a problem publicly – such as the unsustainable nature of the reliance on signatures – the way that Triumfant has done, you draw criticism along the lines of fear mongering or that the sky is falling.  But the McAfee and Symantec research numbers present an objective case, and the language of the AV vendors in the press clearly supports our position.   Half the problem for us was creating awareness that there was a problem and that it was sizable and growing rapidly.

We do agree with Symantec in that the IT security market is in need of new thinking and a new approach to counter this growing threat, and we think Triumfant is that new thinking and approach.  Now that the numbers support the story and even the AV vendors are recognizing the problem, we invite you to take the next step and hear what Triumfant has to offer (today, not a future release) as the solution to this problem.  I am willing to go on the line and say that you will at a minimum find it interesting and enlightening and won’t feel like it was wasted time.   We think we have filled the detection gap in a way that is both powerful and elegant, and is already addressing the problem for real customers today. 

What do you have to lose except the exposure to what McAfee says is 6,000 new threats per day?


Triumfant Elevated to McAfee’s Sales Teaming Program

July 22, 2009

Last week, McAfee announced that Triumfant had been elevated to McAfee’s invitation-only Sales Teaming Program tier in the Security Innovation Alliance (SIA).   In the words of McAfee, partners participating in the Sales Teaming Program “complement the McAfee product portfolio, and enable the McAfee sales force and channel to drive more complete security solution relationships with enterprise customers.” You can view the entire McAfee press release here.

We at Triumfant are excited about our growing relationship with McAfee and are very pleased how their partner team has been open minded about learning what our offering can do and how it can be of benefit to McAfee’s customers.  We have spoken to all of the major AV vendors in the past six months and we have found McAfee to be the most progressive in this regard, which I believe speaks volumes about their commitment to their customers and their broader security requirements. 

When we present Triumfant Resolution Manager to prospective customers, writers and analysts, we are often asked if we see our product as a replacement to traditional signature based protection.  Our answer has always been an emphatic “no” as we believe that such technology has a vital and necessary place in endpoint protection, and that Triumfant is a logical and synergistic complement to antivirus software.  To their credit, McAfee took the time to understand our position and had the vision to view Triumfant as accretive to their portfolio rather than as competitive. 

We look forward to working with McAfee more closely over the next several months as we continue to deepen our integration with both the McAfee sales team and at the product level with ePolicy Orchestrator.  McAfee’s renewed vision for endpoint security is helping them gain tremendous momentum in the market, and it is our privilege to experience some of their enthusiasm and energy as a partner.


Tackling the Pressing One Handed Security Topics of the Day

July 20, 2009

I had some shoulder surgery on Thursday so I will ease back into the work flow with some short, typeable-with-one-hand subjects.

  • In past blogs we have talked about the ecosystem between Microsoft and the antivirus vendors. The "circle of life" is roughly: MS releases operating systems and software, software has flaws, cyber criminals exploit flaws, people buy AV software. In a recent article in Canada.Com a writer puts some numbers on the effect of an OS release for McAfee and Symantec. Of course, the writer does not single out security-related spend, so it is very non-specific. But it does put some real numbers into the context of enterprise valuation tied to OS releases and the "positive impact on the entire PC value chain." There is nothing inherently wrong with such ecosystems and they evolve quite naturally in business. But sometimes protection of a comfortable, mutually beneficial ecosystem can slow innovation, and I am of the opinion that this is the case with IT security at times.
  • A new study shows CEOs and their management teams often disagree on key security issues and the threats to the organization. In short, CEOs do not perceive their organizations as vulnerable, while the next level of execs see a different picture. We are not talking about wide layers of management between these two views, as many of the senior execs report directly to the CEO. There is clearly a disconnect and a false sense of security on the part of the CEO, which leads to obvious issues in funding security initiatives. It would seem we still have some way to go in educating CEOs on the threat level and the potential impact to the organization.
  • Cyber criminals are doing brisk business with malicious sites aimed at those looking to download pirated copies of the new Harry Potter movie. A correlation between Harry Potter fans and computer geeks – who would have predicted?
  • I have led a charmed life and have not had surgery since I was six for tonsils (I never got ice cream, BTW – someone owes me, because they always promise ice cream when you get your tonsils out). Prior to the surgery, I cannot tell you the number of times my identity was verified by someone who would look at the information on my bracelet and then ask me personally identifying questions. The number on my bracelet was continually cross-matched to the forms. I even had to initial the affected shoulder with the doctor. Such thorough multi-factor authentication was impressive and laudable, but the threat of malpractice is a major driver of such discipline. This takes us back to the cold hard fact that any security compliance is only as effective as the teeth behind it. Our CEO has been saying as much about the White House Cyber Security Policy and the need for enforcement teeth for it to succeed. What I saw at the hospital is policy driven by real monetary dynamics (avoiding malpractice) that is given high priority from the top.

The Korean DoS Attack Unspools Like a Great Summer Movie

July 14, 2009

Summer is the time to get uncomplicated.  Read a mystery or detective novel that stays away from probing the deep problems of humanity.  Spend a hot day in a cool theatre watching what I call a summer “popcorn” movie like Independence Day or Transformers that provides a two hour escape without a lot of heavy thinking about the deeper allegories presented in the film (they are talking robots folks, not symbols of man’s constant search for meaning). 

The Korean DoS attack has emerged as our summer distraction, and it has taken yet another turn as today South Korean officials announced that the hackers extracted data in the attacks.  But here is the twist – they only extracted lists of files, not the files themselves.  Why, you may ask?  No one is sure.  But it is twists like this that make this story so fun to follow.

Is it some diabolically intelligent plan that we are slowly unraveling only to see a new fiendishly clever layer?  Or is it a half-baked, unsophisticated attack by rank amateurs who used an ancient attack vector and happened to hit it lucky, finding poorly protected machines in places such as the White House and the Washington Post?   Is the attack from North Korea, or, as some are now suggesting, the United Kingdom?  Is it the sophisticated work of a notorious and unfriendly nation state, or a pack of bumbling novices?  Are the protagonists more like Jack Bauer or Chief Inspector Jacques Clouseau?  The bad guys more like Keyser Söze or Dr. Evil?

Theories abound as the plot thickens.  In the latest post on The Last Watchdog, Byron Acohido forwards the idea that this was a "stalking horse" attack meant to test the attack capabilities in the wild and perhaps advertise the capabilities for hire.   In his ThreatChaos blog on July 13, Richard Stiennon cites several analysts as characterizing the attack as "amateurish" and "wimpy".  A new article on FederalTimes.Com notes that while the attacks were "primitive", they caught many agencies off guard, and these same agencies had issues in responding in a timely manner.  Lots of angles from very respected people in the IT security field.

I often use such times to talk about how Triumfant could help in such attacks, but such a commercial interruption would spoil the mood. We are watching a real summer thriller unspool in real time, and for now I am content to observe the twists and turns and try to see who can crack the case and who will emerge as the mastermind.  As for me, I think the butler did it, but time will tell.


The Korean DoS Attacks, Securing the Software Supply Chain and More

July 13, 2009

I will take potpourri for $200 Alex…

  • Triumfant CEO John Prisco is quoted in the July 10 post of Byron Acohido's The Last Watchdog blog regarding the Korean DoS attacks. These attacks have taken an interesting turn as the botnets created by the attackers are now literally turning on the infected machines, deleting files and ultimately corrupting the system until it will not boot.  I have read a lot about this attack from many respected members of the IT security community.  Some have assessed the attacks as unsophisticated and poorly executed, while others like Acohido and Brian Krebs of Security Fix (which was targeted in the actual attack) are speculating on whether it is a practice run – a war game – for more targeted attacks down the road.  Either way, it is one of the most interesting story lines since we were all gripped with Conficker fever in the early spring.  I suspect there will be more intrigue to come.  If it was a war game, it will be interesting to see how the good guys grade themselves.
  • I posted a blog entry in June about Securing the Software Supply Chain and how Triumfant can help manage that important part of any organization's security strategy.  The white paper on the subject is now available on the Triumfant web site for your reading pleasure.  Since many defensive products do their monitoring as malicious software is inbound to the machine, attacks embedded in what appears to be legitimate software may evade protection.  Because Triumfant looks for changes on endpoint machines, it will detect the event where the embedded malware "wakes up" and begins its malicious activity.
  • I recently was away at the beach for a week with my family.  I mention that because I did not tweet or blog about the fact that I was gone, as there have been reports that people have been robbed after letting the world know through social media outlets that they would be away from their home for extended periods. Which brings me to two points.  First, never underestimate the speed with which the bad guys will find and exploit new paths – in this case social media – to do their criminal work.  Second, security, whether it is IT security or physical security, requires an element of good old prudent thinking to succeed no matter how much technology is deployed.  Human factor engineering (or stopping stupid, as I call it) has been and will always be the biggest failure point in security.
  • Isn’t it time for someone in the Obama Administration to tell us why we do not have a cyber czar yet? I mean really.  I agree with our CEO John Prisco completely and join him in wondering why they would first make the announcement without a person in the spot much less go six weeks after the announcement without a nomination.  The claims of IT Security being a priority are starting to sound very hollow.

Symantec’s Reputation Based Detection (Quorum) – How Can Something Unknown Have a Reputation?

July 9, 2009

I am confused. I just read another article about Symantec’s new roadmap and, in particular, their new reputation based product called Quorum.

Symantec has been all over the media touting their reputation-based approach as the fix for the signature problem (more on that in a second).  Quorum leverages Norton's Community Watch program, which essentially collects data from the Norton customers about applications and other things on the Web.  Quorum uses this data to create a reputation score that characterizes the application as good or malicious.  This is integrated with Symantec's existing signature and behavioral based technologies.

So here is where I get confused.  A Symantec representative has been quoted as saying that Quorum will offer “much higher detection rates against unknown malware”.  By definition, doesn’t the establishment of a reputation require some knowledge of the person or thing? How can you rely on the collective anecdotal evidence of a community for something that is, using Symantec’s word, unknown?  I have a lot of respect for the folks at Symantec but even they must see the irony in this positioning.

Thousands of machines were simultaneously attacked on July 4 by North Korea or a group sympathetic with North Korea.  Did the malware used in that attack have a "reputation"? This week's exploits of the ActiveX flaw in Internet Explorer were previously unknown attacks in the form of rootkits and Trojan downloaders. Again, it is doubtful that there was any prior reputation.

It would also be interesting to find out from Symantec how many members of the community must post their reputational opinion to get a statistically relevant sample and therefore eliminate the potential for false positives.  If this number is high, that would indicate a significant number of attacks must be reported before the reputation could be established and therefore used as a preventative.

The bottom line is that while this reputation based technology may offer some additional endpoint protection, it still does not close the gap in traditional defensive software to address unknown attacks.  That is because no matter how you package it, no matter what you call it, the traditional defensive software from the established AV vendors requires prior knowledge of the attack to succeed.  Behavioral analysis, heuristics, and now reputational based protections are an upgrade from signatures, but make no mistake about the fact that they rely heavily on prior knowledge. The bad guys will always have the edge on any software that requires previous knowledge of an attack to detect it as malicious.

It is nice that Symantec is publicly stating that signatures are no longer a sustainable technology, as we have been pointing out with our Worldwide Signature Counter. Reputation based protection may play well in the consumer market, but for businesses and government agencies under the dynamic persistent threat scenario, the announcement by Symantec falls flat. 

As Symantec rolls out their new product line through the summer and into the fall, my guess is that the hype machine for reputation based technology will be running at full throttle.  You can put me down as unimpressed, underwhelmed, and mildly amused at the choice of words.


A Practical Primer on Triumfant – the ActiveX IE Exploit

July 8, 2009

In his blog The Last Watchdog, Byron Acohido discusses the recent zero-day attacks that exploit a flaw in the video ActiveX component of the Internet Explorer browser. Acohido goes on to discuss why Microsoft may not have a patch ready in time for the next Patch Tuesday on July 14.   The exploits and associated problems described by Acohido are a perfect context for a very practical primer on what Triumfant can do for an organization.

First, we would detect the zero days that exploit the flaw, including the two attacks described that use a Trojan downloader and a rootkit. No signature required.

But of course we do not stop at detection. Triumfant Resolution Manager will build a remediation and remove the detected attacks. This includes ejecting the rootkit attack and cleaning up the various hooks it established, and repairing all of the collateral damage made by the Trojan downloader to configure the machine for subsequent incursions as described in the post. No humans needed to write the script, no re-imaging required.

Third, it would be a simple task to build a policy in Resolution Manager that would address the registry changes Microsoft has recommended as a stopgap for the problem until a patch is issued. The policy would be enforced on all machines, and the organization would get an up-to-date report on which machines had been updated and which machines were still vulnerable until a patch is created. Given the length of time Acohido describes for Microsoft to build a patch and the well-known time gaps in organizations distributing the patch, the action by Triumfant would protect machines for the weeks and even months until the patch was in place.
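The stopgap Microsoft publishes for an ActiveX flaw of this kind is the kill bit: a "Compatibility Flags" DWORD with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, which stops Internet Explorer from instantiating that control. The post does not name the keys, so treating the recommended registry change as a kill bit is an assumption here. The Python below is an added illustration of the policy check and report described in the paragraph above, written for this post; it is not Resolution Manager's policy engine. It parses per-machine registry exports in the text form produced by `reg export`, reports which machines still lack the kill bit for each required CLSID, and generates the .reg content that would bring a non-compliant machine into line. The two CLSIDs are placeholders, not the control's real ones, and the three exports are constructed samples.

```python
"""
Kill-bit policy check over per-machine registry exports.  Added illustration,
not Triumfant's code.  The kill-bit mechanism is Microsoft's documented one;
the CLSIDs are placeholders (assumption) and the exports are constructed.
"""
import re

KILL_BIT = 0x400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# Placeholder CLSIDs standing in for the vulnerable control's real ones.
REQUIRED_CLSIDS = ("{11111111-2222-3333-4444-555555555555}",
                   "{66666666-7777-8888-9999-000000000000}")


def parse_reg_export(text):
    """Parse the subset of .reg syntax 'reg export' emits for this key: [key]
    headers followed by "name"=dword:xxxxxxxx lines.  Returns {key: {name: int}}.
    (A real export is UTF-16 with a BOM; decode it to str before calling.)"""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def killbit_set(parsed, clsid):
    """True if the export shows the kill bit for clsid (key names are case-insensitive)."""
    wanted = f"{COMPAT_KEY}\\{clsid}".lower()
    for key, values in parsed.items():
        if key.lower() == wanted:
            return bool(values.get("Compatibility Flags", 0) & KILL_BIT)
    return False


def policy_report(exports):
    """exports: {machine: export text}.  Returns {machine: [CLSIDs still lacking the kill bit]}."""
    return {machine: [c for c in REQUIRED_CLSIDS if not killbit_set(parse_reg_export(text), c)]
            for machine, text in exports.items()}


def remediation_reg(parsed, missing_clsids):
    """Build the .reg content to push to a non-compliant machine.  The kill bit is
    OR-ed into the flags already present so other compatibility bits survive."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in missing_clsids:
        key = f"{COMPAT_KEY}\\{clsid}"
        existing = next((v for k, v in parsed.items() if k.lower() == key.lower()), {})
        flags = existing.get("Compatibility Flags", 0) | KILL_BIT
        lines += [f"[{key}]", f'"Compatibility Flags"=dword:{flags:08x}', ""]
    return "\n".join(lines)


# Constructed exports: ws01 compliant, ws02 has the second key with an unrelated
# flag but no kill bit, ws03 has nothing under the key at all.
SAMPLE_EXPORTS = {
    "ws01": f"""Windows Registry Editor Version 5.00

[{COMPAT_KEY}\\{REQUIRED_CLSIDS[0]}]
"Compatibility Flags"=dword:00000400

[{COMPAT_KEY}\\{REQUIRED_CLSIDS[1]}]
"Compatibility Flags"=dword:00000400
""",
    "ws02": f"""Windows Registry Editor Version 5.00

[{COMPAT_KEY}\\{REQUIRED_CLSIDS[0]}]
"Compatibility Flags"=dword:00000400

[{COMPAT_KEY}\\{REQUIRED_CLSIDS[1]}]
"Compatibility Flags"=dword:00000001
""",
    "ws03": "Windows Registry Editor Version 5.00\n",
}

if __name__ == "__main__":
    report = policy_report(SAMPLE_EXPORTS)
    for machine, missing in report.items():
        print(machine, "compliant" if not missing else f"missing kill bit for {missing}")
    print(remediation_reg(parse_reg_export(SAMPLE_EXPORTS["ws02"]), report["ws02"]))
```

The exports would come from running `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" out.reg` on each machine. One caveat a policy like this has to cover: on 64-bit Windows the 32-bit Internet Explorer reads the kill bit from the Wow6432Node mirror of that key, so a report that only checks the native key can mark a machine compliant while the browser users actually run is still exposed.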

This is not meant to be a sales pitch – this is a perfect and very practical example of how the unique functionality and capability of Triumfant would step into a gap not currently filled by any other product that I (or any industry expert or analyst or writer) am aware of. As a new technology it is sometimes hard for people to get their heads around what Resolution Manager can do and the benefit it delivers. And exploits like this ActiveX IE exploit show up on an all-too-frequent basis.


The White House Cyber Security Initiative: One Month Gone, No Cyber Czar, No Progress

July 6, 2009

On May 29, President Obama stepped to the microphone and assured all of us that cyber security would be a top priority for his administration. He cited the need to protect the country against the direct attacks on our infrastructure by other countries. He spoke of a “cyber czar” that would help centralize the cyber security activities of the federal government and build bridges to the private sector. And the White House delivered the Cyberspace Policy Review.

The White House has followed up this grand show with…absolutely nothing. Zip. Zilch.

While many in the IT Security industry applauded the event and used all of the hyperbolic adjectives to praise the announcement, I could not help but be concerned. And so far the follow-up and execution has done nothing to take away my fears. One of my specific concerns was why the announcement was made without the cyber czar in place. It is now July and the Obama administration has not yet identified the person to lead this effort. Most concerning is that names for frontrunners have been scarce in a town where speculating on who-will-get-what-post is a full-time hobby. I simply cannot believe that no one is qualified, so my logical conclusion is that those being considered are being scared away by a role that either lacks real power or is too poorly defined (or both). If I am correct, then landing an effective leader will be problematic and the initiative will have little hope of success, as the role absolutely requires someone who can facilitate effective first steps and overcome the obstacles of the politics at hand.

I normally like to be right, but in this case I would have welcomed the opportunity to have been proven wrong. But unless we can roll up the Cyberspace Policy Review and use it to beat away malicious attacks, the cyber initiative is off to a less than promising start. We are stuck at the starting line without a leader, and from all appearances without even the most modest of next steps on the horizon.

I think it is time for the IT Security community to cease the platitudes to the Obama Administration and instead call for immediate progress. We are already behind, and we will never catch up if we cannot make even the first constructive steps forward.