Intel Notes Attack on 10K – Are We Heading to Mandated Disclosure of Cyber Attacks?

February 25, 2010

As we move toward RSA I am really intrigued by the fact that Intel included a note in their recent 10K that they experienced an attack resembling the recent Google attack.  I am not surprised about the attack, but I think the mention in the 10K is interesting.

Intel noted the recent attack in the section of the 10K called “Risk Factors” where a company discloses to investors and potential investors external factors that can affect company performance.  In other words, potential problems that may cause direct impact to the stock price.  In the words of Intel “Our business could be subject to significant disruption, and we could suffer monetary and other losses, including the cost of product recalls and returns and reputational harm, in the event of such incidents…”.

I have written 10Ks and I can tell you that items are not put onto the document on a whim.  I cannot speak for Intel, but I think it is reasonable to say that the frequency, complexity and depth of the attacks they experience has reached a place where the company feels compelled to explicitly reference these attacks as a potential risk to company performance.  We truly have come a long way from the Anna Kournikova virus and attacks for bragging rights.

Are we nearing a point where the government will step in and require disclosure of attacks?  The analogy can be found in the laws that emerged around personally identifiable information (PII), such as California's SB 1386, which required companies to notify individuals if their PII was acquired from company systems by an unauthorized party.  Many of the PII breaches we have seen over the past five years may never have surfaced into the public eye without such laws.

So will the SEC come to the place where the relentless attacks on corporate IP and confidential data will be seen as something that must be disclosed when such an attack is successful in order to protect investors from the potential fallout of such an attack?  What will be the criteria to require disclosure?

This much is sure – the stakes for IT security get higher every day.  If attacks are being discussed on 10Ks, then we can reasonably assume that there is much greater visibility to things such as the Advanced Persistent Threat at the executive level.  That visibility can only help the cause and move IT security from a grudge spend to a strategic investment in the fiscal health of the company.


Beware the “Denial of Innovation” Attack at RSA

February 24, 2010

We are on the final countdown to RSA and I find myself at an interesting place mentally and emotionally about the conference.  I enjoy the interaction with customers, analysts and the other vendors.  I enjoy the opportunity to connect with old acquaintances that I sometimes only see this one time a year.  I learn some things and come away energized – particularly about our product and the obvious gaps that we fill in the industry.

I also come away frustrated and a little sad by what I have named the “denial of innovation” attack that is becoming increasingly prevalent at the show.  RSA is full of noise and FUD, and the larger companies in the middle of the floor rule both the microphone and the exhibit floor, and to some extent, throttle the smaller voices of innovation in the room.   They do so by using their industry standing and deep pockets to overwhelm the mental bandwidth of the attendees – hence the use of the “denial of innovation” descriptor.

For these companies, their huge revenue streams are their power and their problem.  It is their power because they can afford to buy the premium sponsor slots and deliver “keynotes” that are in fact well crafted marketing messages.   Their booths are an adventure in excess – people, show floor technology and the best give-aways.   At least one will have a display device that costs as much or more than what Triumfant will spend on our entire booth.

It is their problem because the message they deliver is predicated on protecting the revenue stream, and the act of protecting revenue is often an inhibitor to innovation.   This is not unique to the security industry – it is a well worn path as companies grow large and make decisions based more on the effect on stock price than on advancing technology.  The problem may in fact be more pronounced in IT security because so many of the largest companies are so closely wed to older technologies such as signature based tools, and they simply cannot afford to put the revenue streams from these products at risk by admitting it is time for a new approach.  You can also read numerous discussions about the Advanced Persistent Threat where the DoD and other agencies and organizations have been pleading with the large A/V vendors for years to step up to the evolving threats and the waning ability of antivirus tools to address such threats.  In Mike Cloppert’s blog he notes that the “defense industrial base has been pleading with the AV industry for innovation to address more sophisticated threats and detection resiliency for at least 5 years, likely longer”.

Those big vendors that will have a new approach to tout at this year’s show will likely be doing so because of technology obtained through acquisition and not through internally driven innovation.  While the vendor may earnestly believe their new offering is a step forward, do not discount the fact that the financial markets and shareholders demand that they show a positive effect to the bottom line from that acquisition.

Lest you think this is a jealous rant of a small vendor, Bill Brenner of CSO magazine today reported on a movement called Security B_Sides that has started offering a forum for the innovative companies that are squeezed out of forums like RSA by the big guys (full disclosure: Triumfant submitted a proposal for a presentation on how our analytics eliminate the false positive problems of anomaly detection, and was rejected).  Such forums are a positive step toward getting exposure to new and innovative technologies that address very real problems.   If smaller, innovative companies had a voice at places like RSA, there would be no need for something like Security B_Sides.

I also understand that there is a buying dynamic at work in the IT security market.  The volume of vendors and offerings on the RSA floor is a confusing mass of noise to buyers who have strained budgets and their own professional standing on the line.  The old saying “no one gets fired for picking IBM”  gets translated in IT security to the choice to go with the larger omnibus product set of a large and well known security vendor rather than having to pick smaller vendors to cover requirements and then be faced with the very difficult task of integrating those products.   And for some companies the big vendors may be the right choice and all that they need.  But for other organizations who are under the constant barrage of advanced threats, the easier path may not be the answer.

The big vendors know this, and if you see something innovative and raise it to someone in a big vendor booth, they will very likely tell you they “have that” and you don’t need another product.  I am not accusing these vendors of being deceptive – they honestly believe they have that capability. Remember the famous line by George Costanza from Seinfeld: “if you believe it, it is not a lie”.  I cannot tell you how many times I provide an overview of the Triumfant product to someone from such a vendor and get that response.  But if that person will take the time to drill down to our actual approach and functionality, they understand the innovative nature of the product and will sheepishly admit that they really do not have comparable capabilities.

RSA has become the embodiment of a self-perpetuating cycle that seems to become more pronounced every year, and this is what makes me frustrated and sad.  I wrote a somewhat fanciful piece on the animals of the RSA zoo, describing the various company profiles on the floor.  Savvy veterans of the show know that the innovation is on the edges of the exhibit floor in the smaller, nondescript booths.   But unfortunately, the bright lights and “don’t worry, be happy” messaging at the large booths in the middle provide many a warm sense of assurance even if it may be at least partially false.

So if you are on the way to RSA, do yourself a favor and don’t give yourself over to the denial of innovation attack.  Go and enjoy the bright lights and frothy promises at the booths in the middle of the floor, grab that invite to the swanky party, and get your stash of give-aways to bring back to the office or home to the kids.  But then break away and head for the edges of the exhibit floor.  You may find something that really solves a problem you have in a way that cannot be found in the glitz and glamor.   Because the heart of RSA is not at the center of the floor – it beats strongly in the innovative vendors that reside at those edges.


Triumfant Malware Detection Challenge at RSA – You Bring It; We Find It

February 22, 2010

Today we are announcing that Triumfant will be holding a malware detection challenge in our booth (756) at RSA 2010.  The challenge is amazingly simple: you bring us malware on a USB stick or CD, and we will put it onto a Windows XP machine running our software and detect it.  No smoke, mirrors, celebrity look-alikes, flashing lights, or slickly animated and over-produced presentation.  Just your malware against our ability to detect what evades other traditional malware detection tools.  Straight up, and we will show you the results.

We are doing the challenge because sometimes when a product breaks down constraints that have been generally accepted as unbeatable, that product can be perceived as too good to be true, raising doubt and suspicion even when people see the product work in person.  Such was the case at last year’s RSA when we did our three minute malware challenge – people were really impressed, but some looked to discount what they observed firsthand as a set-up, given that the malware used was selected by us.

So this year we will remove all doubt by using malware that anyone is willing to bring to the booth.  The information and rules about the challenge can be found here and here.

“But wait, there are restrictions!”, you say.  Yes there are, and unashamedly so, because we at Triumfant have always been very clear as to what we can and cannot do.  That is because we enjoy the luxury of having software so unique and so differentiated that we do not have to stretch the truth.  We have always said that Triumfant sees attacks with at least some form of persistence, and is not effective for attacks that are completely memory based or BIOS based.  We also know that there will be some (we think 5%-10%) rootkits that can get lower in the stack than we will see, but we will still gladly take rootkits in the challenge.  And even with the restrictions, we are still addressing a very significant and sizable problem.

“What if you fail?”, you may ask. Let me start with the easy answer – we are quite sure we will have a far higher detection rate than any of the traditional tools.  Of course the bar is pretty low (ok, that was a cheap shot).  The better answer is that we are very confident that we will succeed convincingly, if not perfectly.  Our success rate will certainly be high enough to effectively show the power and value of our product.

The bigger question may be how the market reacts to our success.  Detecting the attacks that evade other tools under live conditions pretty much removes reasonable objections.

But wait, there is more (I am in marketing, after all).  We have not mentioned the automated remediation capabilities of Triumfant.  For persistent attacks and rootkits, we will be able to take the detailed information generated during the detection process and generate a situational and contextual remediation for the attack, returning the victim machine to its pre-attack condition.  The only attacks that we will not be able to remediate will be those that exist partially in memory – we will identify the persistent artifacts but not all of the memory based elements.

So come by the booth and see for yourself.  If you can’t find a snarling nasty bit of malware to bring along, we will have plenty to demonstrate the product to you.  Or you can watch while someone brings their sample to the booth.  Either way, I am absolutely sure you will be impressed.


Oh the Animals You Will See at the RSA Zoo (Conference)

February 17, 2010

We are now 10 days away from the RSA Show.  For those of you who have never had the pleasure of attending the yearly security conference, it is, to say the least, a happening. It is certainly a loud, confusing and busy show with hundreds of undifferentiated vendors screaming for your attention.

Some would characterize RSA as a zoo, and zoos of course have animals, and I, being the helpful guy that I am, would like to give you a short guide to some of the animals you will see.

Hamster. As in the “hamster wheel of pain” graphic prominently displayed on the booth (see examples here and a fun cartoon inspired by Andrew Jaquith here) to illustrate why the vendor’s product is essential to you.  Ever since I was introduced to the term I vowed never to use a wheel graphic in my materials again.  Each year at RSA I do a “hamster wheel” walk and laugh at the examples.  The more items on the wheel the better – the record sighting is 14.

Fudasaurus. These are the easiest booths to spot at RSA because of their size, noise, and the fact that they have graphical display devices that cost far more than I will spend on our entire booth.  Because the fudasaurus was built on traditional (translation: aging) product like signatures and antivirus, there will be an emphasis on how the latest acquisition really (no, really) solves the known gaps in their product.  The fudasaurus is always surrounded by swirling hordes of like-dressed acolytes that share a common ailment: premature affirmation or PMA.  PMA is characterized by the afflicted answering “yes” before the person asking the question completes the query.  Here is a sample dialogue:

Attendee: “Does your product…”

Acolyte: “Yes – we are in fact the world leader”

Attendee: “But I did not finish.”

Acolyte: “Yes”

Attendee: “But what if I was to say male pattern bald…”

Acolyte: “Yes”

PMA is somewhat analogous to the very advanced application of Maslow’s quote “If the only tool you have is a hammer, you tend to see every problem as a nail.”  This year’s new hammer and newly acquired problem solver for the fudasaurus is whitelisting.

Ants. These are the complete antithesis of the fudasaurus, relegated to small, non-descript booths at the edges of the show.  But pound for pound, an ant’s product may lift ten times its body weight, and the ants are tireless and industrious. Unfortunately, attendees are so distracted by the other animals they often do not take the time to visit the ants, which is a shame because it is the ants who may actually have the solution for their problem. (see last year’s blog entry about a View from the Edges)

Blowfish.  These are the vendors that want to look like they cover far more security functions than their actual technology will support.  Luckily the blowfish does eventually have to breathe out, and if you are lucky you will be able to spot their true capabilities.  Blowfish are also spotted by the use of words like comprehensive, suite, single pane of glass, one stop shop, and holistic. The blowfish aspires to be a fudasaurus.

Peacock. These are the booths where the inhabitants all strut gloriously as if they have invented sliced bread and cold fusion.  The peacock often has interesting technology that, while visually compelling and breathlessly described, seems to solve a problem no one has.  Perhaps a hamster wheel graphic would help.  The relentless strutting and preening is mostly to catch the eye of the Fudasaurus for mating…sorry… acquisition activity. The most aggressive peacocks will claim a solution for the Advanced Persistent Threat at the risk of great ridicule from the roaming bloggers.

Chameleon. These are the vendors that have one basic type of product and are now passing themselves off as something much different and hopefully grander.  For example, patch management and helpdesk tools that now present themselves as security configuration management tools.  Hmmm, I thought we have configuration management issues because patch management has historically failed, but I digress…

So have fun, spot the hamster wheels, and enjoy the show.  And do yourself a favor and make sure you visit the ants.


Triumfant and Operation Aurora – Detecting the Advanced Persistent Threat

February 16, 2010

When new malicious attacks get a lot of attention in the press, we get asked the same question: “would Triumfant have seen that attack?”. Such is the case with the recent Google Attack, aka Operation Aurora. Given the discussions around the Advanced Persistent Threat (APT) and attacks like Aurora, I asked our CTO, Dave Hooks, to analyze the available data and provide details on how Triumfant would respond if Resolution Manager had been deployed on an endpoint machine or server that was exposed to this attack.   Dave’s response is illustrative of how Triumfant works in the context of an actual attack and how our unique capabilities enable Triumfant to detect an attack with characteristics common to those attacks seen in APT.

I offer Dave’s analysis with the full disclosure that it is based solely on detailed analysis of the attack, and that we had no firsthand exposure to the attack itself.  Dave broke his analysis into four parts: initial detection, diagnosis, knowledge base, and remediation, showing how Triumfant can identify an attack without prior knowledge, diagnose the attacks and correlate all of the changes to the machine associated with the attack, and build a situational and contextual remediation to return the machine to its pre-attack condition.

———-

Analysis of Operation Aurora

Initial Detection

Operation Aurora creates several service keys during three specific steps: execution of the dropper, the first stage of installation, and the second stage of installation.  Some of these keys are subsequently deleted but at least one is persistent.  The appearance of one or more of these keys would be picked up by the Triumfant agent’s 30 second scan cycle for markers of malicious activity, resulting in the agent requesting permission to execute a fast scan.  The Triumfant server would respond within seconds, green lighting the scan.  The agent would then capture the state of the machine immediately after infection and send the data to the server for analysis within 3 minutes.

Diagnosis

The Triumfant server would receive the snapshot, recognize that it was executed as a result of suspicious behavior, and immediately compare it to the adaptive reference model (the unique context built by our patented analytics).  The result of this comparison would be a set of anomalous files and registry keys.  The fact that the files and keys associated with Operation Aurora have random names would guarantee that they would be perceived as anomalous, despite the fact that humans might tend to confuse them with legitimate Windows services.  Further analysis would then be applied to the anomaly set to identify important characteristics and functional impacts.  In this case the salient characteristics would be an anomalous service and a number of anomalous system32 files.

The discovery of an anomalous service would cause the Triumfant server to launch a probe requesting the Triumfant agent to explore the service further.  The probe would contain a list of all of the anomalous attributes found by the server during its analysis.  The Triumfant agent would activate a series of correlation functions to partition the anomalous attributes into related groups.  In this case it would group all of the anomalous attributes related to Operation Aurora.  It would then perform a threat analysis on this group and discover, for example, that it was communicating over the internet.  The results of the correlation and threat analysis would then be sent back to the Triumfant server.

At this point the diagnosis would be complete and the Triumfant server would alert the appropriate personnel that an “Anomalous Application” had been discovered, and the data would be available on the console.  It would then be possible for an analyst to view all of the persistent attributes of Operation Aurora along with the corresponding threat analysis, and to readily share the data with CIRT and forensics teams.

Knowledge Base

An analyst can save the analysis for an Anomalous Application such as Operation Aurora to the Triumfant database.  This would allow the analysis to be converted into a new recognition filter.  Recognition filters have a number of benefits.  First, they provide a very precise mechanism for storing and sharing knowledge about an incident.  Second, they allow the system to search for any other instances of that particular condition in other environments.  Third, they enable the operator to pre-authorize automatic responses such as remediation should that incident be detected again in the future.

Remediation

If a Triumfant server detected Operation Aurora as an anomalous application, it would have sufficient knowledge of the anomalous attributes to synthesize a remediation response.  This remediation would be custom built to exactly match the attributes of the anomalous application on an attribute by attribute basis.  The ability to create remediations on the fly would enable the Triumfant system to surgically and reliably remove the components of Operation Aurora without reimaging the machine.  It would also enable follow on variants to be addressed without the need for new signatures.

———-

Again, let me state for the record that this is based on Dave’s analysis and not actual “live fire” data of our software responding to an actual attack.  But we are quite confident that Triumfant would have responded as described, detecting the attack and building a situational and contextual remediation.


The Case for Triumfant as a Detection Tool for the Advanced Persistent Threat

February 9, 2010

Over the past two weeks I have jumped into the conversation about the Advanced Persistent Threat (APT) and how Triumfant represents an effective tool for detection of such threats.  Before I continue, let me level set.

- APT is characterized by a sophisticated adversary that is engaging in long term pursuit of sensitive data or intellectual property.  APT is not about malware – APT is not a specific attack or an attack vector.

- Because of the nature of APT, there is not a tool or set of tools that can protect an organization from APT.

We are on record as stating that while we would never characterize Triumfant as a protection for, or solution to, APT, we do represent a very effective tool for detecting the APT (or the Advanced Persistent Adversary as some would prefer).  As I also said previously, most security people that deal with APT will tell you that anomaly detection or change detection has long been viewed as the right tool for detecting APT type attacks, but there was not an effective implementation available.  We of course now think there is.

Triumfant is fundamentally different from any tool on the market.  First, we represent the most comprehensive sensor grid on the endpoint available today.  We monitor every piece of data or attribute about each machine that we can access.  This includes all of the registry keys, an MD5 hash of every file, performance data and physical data.  Second, we use our patented analytics to correlate and group all of that data to create a multi-dimensional model of the endpoint population that provides a unique context for later analysis. 

Now the fun begins.  We continuously monitor the over 200,000 attributes on each and every machine for changes, because it is change that triggers analysis for Triumfant.  All of the other tools on the market still rely on prior knowledge of the attack or the attack vector, and we have established that APT is not about a specific attack or attack vector (or even a well defined population of them).  And this is precisely why the traditional endpoint security tools fail against APT – their very foundation is based on knowing about an attack in order to detect it.  But the edge Triumfant enjoys is a complete disconnection from the need for prior knowledge.

The elemental nature of using change detection to trigger analysis is what gives it so much power.  Most attacks – APT or pedestrian – share a common thread: they make changes to the machine.  And as Dave Hooks, our CTO and the creator of our analytic model will tell you: “If it wiggles, we will see it”.  Triumfant sees every change, analyzes it in the context of our model, and determines if the change is benign or potentially malicious. It is this context that has allowed us to effectively eliminate the false positives previously inherent with change detection.  

In the case of malicious activity, the analytics bear down to ensure that all of the changes that are part of a given attack are found and appropriately grouped.  This may include the use of additional probes to the affected machine to perform dependency walks on files or any number of other correlation algorithms.  The result is presented as an unnamed (no signatures, so no name) anomalous application and all of the effects of that application on the machine: the registry keys modified, files added, deleted or corrupted, physical changes such as opened ports, new processes, and corrupted system calls.  The analytics capture and correlate all of the changes to the machine for the APT attack, and use that data to build a situational remediation for that attack.  You get all of the data behind the attack and the fix to restore the machine to its pre-attack condition.
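The workflow sketched in the Operation Aurora analysis above and in this post (population model, change detection, grouping of anomalous attributes into one application, attribute-by-attribute remediation) is illustrated by the following added example. It is not Triumfant's code or analytics; the machine snapshots, file hashes and registry key names are all constructed sample data, and the prevalence threshold and grouping heuristic are assumptions of the example.

```python
"""
Toy reference-model anomaly detection, added as an illustration of the
workflow described in the Operation Aurora analysis and in this post.
Not Triumfant's code: every snapshot below is constructed sample data and
the attribute names merely mimic file paths and registry service keys.
"""
import hashlib
from collections import Counter, defaultdict

def md5_of(content: bytes) -> str:
    """Stand-in for hashing a file on disk; the model stores only the hash."""
    return hashlib.md5(content).hexdigest()

KERNEL32 = r"file:C:\Windows\system32\kernel32.dll"
NTDLL = r"file:C:\Windows\system32\ntdll.dll"
DHCP_SVC = r"reg:HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\ImagePath"
# Constructed 'infection': a randomly named service whose ImagePath points
# at a dropped system32 binary (names invented for the example).
SVC_KEY = r"reg:HKLM\SYSTEM\CurrentControlSet\Services\a7xk2q\ImagePath"
DROPPED = r"file:C:\Windows\system32\a7xk2q.exe"

BASE = {KERNEL32: md5_of(b"kernel32-v1"), NTDLL: md5_of(b"ntdll"),
        DHCP_SVC: r"svchost.exe -k NetworkService"}
POPULATION = [dict(BASE) for _ in range(4)]
for m in POPULATION[:3]:            # a legitimate patch rolled out to 3 of 4 machines
    m[KERNEL32] = md5_of(b"kernel32-v2")

INFECTED = dict(POPULATION[0])
INFECTED[SVC_KEY] = r"C:\Windows\system32\a7xk2q.exe"   # added key
INFECTED[DROPPED] = md5_of(b"constructed dropper")      # added file
INFECTED[NTDLL] = md5_of(b"ntdll-tampered")             # modified file
del INFECTED[DHCP_SVC]                                  # deleted key

def build_model(snapshots):
    """Per attribute, a Counter of the values seen across the population."""
    model = defaultdict(Counter)
    for snap in snapshots:
        for attr, val in snap.items():
            model[attr][val] += 1
    return dict(model), len(snapshots)

def find_anomalies(model, n_machines, snapshot, min_prevalence=0.25):
    """Flag (attribute, value) pairs seen on too few machines, plus attributes
    that nearly every machine carries but this snapshot lacks (value None).
    The patched kernel32 hash is common in the population, so it is NOT flagged."""
    anomalies = {}
    for attr, val in snapshot.items():
        if model.get(attr, Counter()).get(val, 0) / n_machines < min_prevalence:
            anomalies[attr] = val
    for attr, counter in model.items():
        if attr not in snapshot and sum(counter.values()) / n_machines >= 1 - min_prevalence:
            anomalies[attr] = None
    return anomalies

def correlate(anomalies):
    """Partition anomalies into applications: each anomalous service ImagePath
    seeds a group named after its binary, anomalous files with that name join
    it, and everything else lands in 'ungrouped' for the analyst to review."""
    groups = defaultdict(dict)
    for attr, val in anomalies.items():
        if attr.startswith("reg:") and attr.endswith("ImagePath") and val:
            groups[val.split("\\")[-1].split()[0].lower()][attr] = val
    seeded = {a for g in groups.values() for a in g}
    for attr, val in anomalies.items():
        if attr not in seeded:
            name = attr.split("\\")[-1].lower()
            groups[name if name in groups else "ungrouped"][attr] = val
    return dict(groups)

def synthesize_remediation(model, group):
    """Attribute-by-attribute fix: delete what the population never had,
    otherwise restore the value most machines carry."""
    actions = []
    for attr in group:
        if attr not in model:
            actions.append(("delete", attr, None))
        else:
            actions.append(("restore", attr, model[attr].most_common(1)[0][0]))
    return actions

def analyze(population, snapshot):
    """End to end: model -> anomalies -> grouped applications -> remediations."""
    model, n = build_model(population)
    groups = correlate(find_anomalies(model, n, snapshot))
    return groups, {name: synthesize_remediation(model, g) for name, g in groups.items()}

if __name__ == "__main__":
    groups, fixes = analyze(POPULATION, INFECTED)
    for name in groups:
        print(name, groups[name], fixes[name], sep="\n  ")
```

Running it groups the service key and its dropped binary into one application slated for deletion, restores the tampered ntdll hash and the deleted Dhcp key from the population consensus, and leaves the legitimately patched kernel32 alone.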

The data about the attack can be saved and shared with incident response and forensics teams for further analysis.  Their analysis can then be used to make the appropriate modifications to organizational defenses to protect against a reoccurrence of that attack.  But of course by now the advanced persistent adversary has already moved on to a new attack, and the game plays on. 

So back to my original assertion.  Are we a solution for APT?  No.  Does our combination of comprehensive endpoint sensor grid, deep context, and the use of change detection to trigger analysis make us an effective tool for detecting APT attacks?  We certainly think so.


Being a Friend of SCAP and the Continuing Emergence of Security Standards

February 8, 2010

I had the privilege last Thursday to attend an informal session on the Security Content Automation Protocol (SCAP) at the Information Assurance Expo held last week in Nashville.  Attendees included representatives from the NSA, the DoD and other federal agencies, and the vendor community.  It was a positive, productive session, and I am pleased that Triumfant is actively involved in the SCAP movement, because I believe strongly in the need for standards for security. 

When I first entered the security market in early 2005, I had just come from the integration space where standards were a crucial part of doing business.  I had teamed with others at webMethods to get staff onto groups such as the World Wide Web Consortium (W3C), effectively ensuring that webMethods was in the thick of the standards process.  When I arrived at Cybertrust and built my marketing plan, I looked to identify security standards groups and was shocked to find a lack of standards activity in the market.

While Cybertrust was diverse and global, we did not do a lot of business with the federal government, so SCAP never caught my attention.  That changed when I joined Triumfant, which had already taken steps to be SCAP compliant and was one of the very early companies (third, I believe) to obtain FDCC validation.  I quickly ramped up on FDCC, but soon realized that the broader notion of SCAP as a common language for sharing and integrating security processes was a significant subject.

SCAP is critical to Triumfant because, beyond what we do (enforcing security configurations and detecting and remediating malicious attacks), what we are is the most comprehensive sensor grid for endpoint machines coupled with some very innovative (and patented) analytics.  So the ability to share the content we create with other consumers of security data dramatically expands our reach and value.  And clearly the only real way to predictably and practically share that data is through content standards.

The people who have been carrying the SCAP flag the longest have done so with remarkable patience and resolve, as standards are something people clamor for right until the moment they are asked to comply.  Their patience and resolve is especially important as I am not altogether sure the security market is all that eager for interoperability, because it upsets the well established ecosystem of selling product layers to address specific needs.  Of course, maybe that is another reason I like SCAP: I do love being part of something constructively disruptive.

So the SCAP faithful have soldiered on and continue to make sure and steady progress.  You could see it on the faces of those persevering souls at the NIST Security Automation Conference in Baltimore last October, when they recalled that early meetings were held in NIST conference rooms and hallways and now they were filling large halls at the Baltimore Convention Center.  They also saw representatives from private industry pick up SCAP, bridging the standard from the federal space into the commercial world.

These folks have my admiration because they are forwarding these standards not for selfish reasons or monetary gain – they are doing it because it is the right thing to do, and in the long run it will help make sensitive data for our country more secure.  The forward looking early supporters of SCAP picked up a difficult rope and have pulled tirelessly.  We at Triumfant are excited about grabbing that rope and pulling where and when we can.  I hope others take the opportunity to do the same.