Tired of the Term Advanced Persistent Threat – How About Cold Harsh Reality?

March 15, 2010

I read a very insightful guest editorial in the Zero Day blog in ZDNet by Matthew Olney of Sourcefire on Friday about how the term “Advanced Persistent Threat” had reached a level of overexposure and may have, as they say, jumped the shark.  After reading his article I started to think about some new alternative terms for the evolving nature of malicious attacks while putting some of the hype into perspective.

My first new alternative name for APT is Cold Harsh Reality (CHR).  As Olney points out, the term APT has been used by the defense industrial base (DIB) for years.  Of course, if something works to steal military data, it will soon find its way to the hands of those who seek financial gain.  The attacks once seen only in the intelligence and DIB community are now being aimed at financial institutions, retailers, energy companies and just about anywhere else where financial data or sensitive information can be had.

This is not rocket science, just good coding methodology.  The bad guys do not have to build elaborate zero day attacks to evade detection as there are plenty of ways to get around traditional defenses without expending massive amounts of effort.  And of course if the bad guys run out of exploits, Microsoft and Adobe stand ready to snap off a couple of new ones for their convenience.

My point, maybe we don’t need the term APT anymore, because it was used to characterize something that started in a relatively isolated world that has moved into the mainstream.  It is our new cold, harsh reality, and therefore requires no special designation. There will still be pedestrian attacks that AV will continue to block well, but these now look amateurish in the face of the CHR attacks that many are dealing with on a continuous basis.

The other alternative is Uncomfortable Inconvenient Truth (UIT – hey, Al Gore got us into this mess by inventing the Internet, so I don’t feel bad for borrowing from him).  While I agree that some of the noise around APT is hype, a lot of the shouting is from innovative companies that are struggling to be heard above the FUD from the AV vendors who know they are exposed by their failure to evolve to the changing threats.

This is where the uncomfortable and inconvenient part comes in.  The large AV vendors have sold a lot of companies on the idea of the consolidated suite for protection, and those companies have invested a lot of money in those suites.  Such decisions are strategic and large enough to get visibility at the highest levels of the organization and the individuals who made the ultimate choice have much of their personal reputation riding on the results.

As the game changed and it became increasingly obvious that the AV tools cannot stem the tide of evolving attacks, the AV vendors and the internal sponsor in the organization that made the decision to buy the suite are at risk.  The AV vendors don’t want to lose control of the account and have new tools added to the mix, and the internal sponsor does not like the idea of having to tell management that they need additional software.  The increasing evidence only serves to make facing the truth more uncomfortable (but unavoidable), while the tight economy makes having to take action increasingly inconvenient.

The AV vendors have been countering their risk by telling everyone that they have it covered by trotting out extensions to the suite such as heuristics and behavioral analysis, and when those did not get the job done, whitelisting and prevalence.   The internal sponsor is motivated to believe that their vendor will find a way to address the problem, because it represents the least friction organizationally and professionally.  To be clear, I am not suggesting malfeasance or coercion or any other malicious intent – it is an observation of human nature and buying psychology.

But the tide continues coming in. This is where smaller companies (even the ones that have a legitimate product that can help) are driven to hype.  Trust me when I tell you that it takes enormous energy and perseverance to get your message heard above the “don’t worry, we have that covered” message from the big AV companies.  So if APT is getting the attention of security people and organization decision makers, you can bet that small companies will jump on the bandwagon.  Because even when I do get in and get the chance to tell my story, I know the big AV vendor is just outside the door ready to dismiss what we say.  Such is the cold, harsh, uncomfortable and inconvenient reality of my world.

I am not defending my fellow marketers who take the use of APT too far; I am just saying there is a perspective here worth examining.  The APT hype cycle is not all the fault of marketers – it is a symptom of a larger problem as the security market ecosystem is forced to deal with the evolving threats.  What is true is that organizations are getting attacked, and as Olney and others have said, there is no magic silver APT bullet.  But there may be some products that can help if you can filter out the noise on the subject.

Let me end with some disclaimers.  You will not see the term Advanced Persistent Threat on the Triumfant web site or in our materials, and if it is mentioned in the context of Triumfant it is used to reference the types of attacks characterized by APT.  I have discussed the topic here on the blog, but I am always very clear that while we are a good detection tool for the attacks most associate with APT, we do not claim to be a solution for APT.  I agree with those who say that anyone claiming to be so should be instantly ignored.


RSA Shocker (Not): Symantec Admits Traditional Signature Based Tools are “Not Keeping Up”

March 9, 2010

“Traditional signature-based approaches to security are not keeping up.  What we’ve had to do is come up with a new approach. The idea is it has to be able to deal with attacks that we’ve never seen.”

Words from some maverick security company?  Hardly.  These are the words of Symantec CEO Enrique Salem from his Tuesday RSA Conference keynote.  And he is about to tell the assembled RSA crowd that Symantec’s prevalence technology is the answer to the vexing problem of rapidly emerging and constantly evolving threats.  I can’t fault his message – his company paid handsomely for that keynote spot so he can proclaim his new technology as the 2010 silver bullet.  But in my opinion, Salem and Symantec’s newfound honesty regarding the efficacy of AV is late, awkward, and does little to provide real leadership to the market.  The industry leaders should not feel all self-congratulatory in finally admitting a problem they have ignored for far too long.

I had a similar experience listening to a CEO in denial say something equally late and awkward before at the 1999 Sapphire Conference (SAP user conference) in Philadelphia.  SAP was acting like the World Wide Web was simply not happening all around them because it was so foreign to their core technology.  In his keynote, then SAP CEO (or COB) Hasso Plattner grudgingly referenced the internet as an “emerging technology” but was still ultimately dismissive.  I remember thinking “sir, I think the internet has already emerged and no dismissal from you can change that fact”.  Actually, I think my exact thought was “Emerging? Dude, internet done emerged!”

What confounds me is that companies still somehow either believe or want to believe that companies like Symantec can solve this problem.   Not one person in a company or government agency that fights what has been called the advanced persistent threat tells me that they believe that prevalence technology is a viable solution for what Salem calls “the attacks that we’ve never seen”.  Same with whitelisting, which is the proposed answer for companies like McAfee and Lumension.

(As a complete aside, one vendor actually touted “intelligent whitelisting” at RSA, I assume implying that somehow intelligence had been left out of previous whitelisting attempts.  I could see people everywhere saying “AH! I was supposed to be intelligent about whitelisting!  Now I get it.”)

I think it is disingenuous for companies that have been at the front of the A/V wave to feign public shock that signatures are no longer viable when their own customers have been pleading with them for years and years to step up and make the jump to newer technology.   We of course have been pointing out the problem for some time, with our Worldwide Malware Signature Counter providing a visual for the problem.  I also think it odd that a company like Symantec would post a report showing that 100% of the enterprises they polled for a recent study had been attacked (see an interesting view of FUD surveys in John Pescatore’s blog here).  The math is simple: if Symantec represents 40% market share and 100% were attacked, aren’t they saying that they failed to protect 40% of the enterprises represented in the survey? Seriously, am I missing something here?

Let me be clear.  The answers to the problem Salem raises do exist.  You and your organization are simply going to have to look outside of your AV suite vendor to find it.


More Random Thoughts, Observations, and Musings from RSA 2010

March 4, 2010

More quick hits from RSA as I get ready for the last day on the show floor:

  • Great traffic to our booth with great conversations about how we can help organizations plug gaps in their endpoint security.  Given we are such a different approach, it is always fun to watch people process how we approach endpoint security and configuration management.  My favorite is their parting words which are usually something like “thank you, that was interesting”, then there is a pause as they continue to process what they have seen and heard, followed by a “very interesting”.  I always like that response because they get it and now they are mentally extending what they have heard to the needs of their organization.  I think most people think the time at the booth is time well spent.
  • Triumfant will be included in an announcement by SRA today about Triumfant being part of the team for SRA’s One Vault Cyber Security Suite.  We are excited to be teaming with SRA and are looking forward to being a part of this exciting offering.  SRA is extremely progressive about finding new ways to help secure their customers and we are pleased to be part of that process.  More announcements about Triumfant and SRA to come.
  • We have been seeing a steady stream of vendors coming to the booth to learn about what we do.  This is a good indicator that the word is spreading about our capabilities and that these vendors have to answer their customers’ and prospects’ pointed questions about how they compare.  Some are open about working for a vendor, some try to sneak in.  Just walk up and shake hands, folks – we have nothing to hide.  Besides – it is for your own good: the more you know about what we do the less likely you will be to tell customers and prospects that you can do it when they hear about us.   Sorry, but true.
  • Not one person has come to the booth looking for a solution to the advanced persistent threat (APT).  Or any other phrases that get knocked around the press and the blogs.  Sure you hear some of the concepts, but at least the people coming to our booth don’t adopt the names such as APT.  I guess when you spend the day fighting it you don’t get caught up in what to call it.
  • RSA is a great show but it is very frustrating for a new vendor.  Getting a speaking slot is next to impossible, and the system for booth placement almost guarantees you a less than favorable slot.  Money in the form of a larger booth or an expensive sponsorship will of course fix a lot of that problem, but it is a huge bite of any smaller company’s budget.  I can see why the B-sides movement is gaining momentum.
  • I am always amazed at the amount of money companies will literally dump onto the floor at RSA.  I get marketing obviously, but I can’t imagine anyone altering a buying decision based on a room drop card, a beer tap at the booth, or some fabulous take-away trinket.  I must be getting old and either wise or jaded.
  • I was invited to Mitre’s celebration of the 10 year anniversary of CVE last night.  Great party full of the dedicated folks who tirelessly continue to promote standards for security.  Like I said in a previous blog – I have all the respect for the patience and perseverance of the people who continue to push for these standards.
  • Went to the bloggers meetup last night.  Thanks @RSABloggers2010 for the invite.  I normally stay along the back because the group is gracious enough to let me attend even with my two strikes: being a vendor makes me suspect, but having a Chief Marketing Officer title is the real kicker.  I am sure many of the bloggers feel a disturbance in the force when I enter the room.  So I see some familiar faces and make sure I don’t engage in anything resembling marketing speak.  It is a fun group and the reception is always lively and I always appreciate the invite.

This has been a great RSA, but I am ready to finish this last day of the exhibit hall and start packing for home.  Thanks to all who came by the booth.


Random Thoughts, Observations, and Musings from Monday at RSA

March 2, 2010

I have lost my normal first-morning-of-a-west-coast-trip battle with my body clock so what better thing to do at 5:15 am than to provide you some random observations and musings from Monday at RSA.

  • My initial read of the show is that there is a general sense of renewed optimism that is a marked reversal from the heavy gloom that seemed to permeate last year’s conference.  Let’s hope that this optimism continues, because I like this year’s vibe much better.
  • I took a pre-opening walk around the exhibit floor and found myself experiencing some serious booth envy because the booths in this year’s show are some of the best designed I have seen in many years.  I am human with an ego, and sometimes I miss the days of having a big budget for the show, particularly when you see high levels of creativity.
  • After dealing with my booth envy issues I came to an important realization:  I can honestly say that I would not trade products with anyone on the show floor.  The Triumfant product is truly different and continually proves that it delivers as advertised.  Our engineers have made change detection a viable process for detecting malware and enforcing configurations and policies.  So much of what I see on the floor sounds and feels like slight variations of the same themes.  I can honestly say we represent something very different that fills real gaps in endpoint security.  No booth budget can buy me that.
  • I have made two quick passes through the floor looking for “hamster wheels of pain” to photograph and share with you.  So far I have found none to report.  Well done, my fellow marketers.
  • Across the aisle from our booth is a China-based security company.  As a marketing person my first thought was: could there be a harder job than to market a Chinese security company?  I have no knowledge of this company and my comment is in no way designed to cast any aspersions or doubts their way.  But the current association between China and cyber crime would seem to make it a difficult sell.
  • I actually had someone come to the booth and say that they read this blog.  I was humbled and flattered.  I enjoy doing the blog and try to make it informative and at least a little entertaining, but you never really know if anyone really reads what you write until someone says something like that.
  • For those of you who have never been to RSA, there are two main sets of doors into the exhibit hall and between them is a coffee counter.   I would really like to know what one day’s receipts are from that counter during RSA, because my guess is that it is remarkable.  Location, location, location.
  • Our team walked about 15 blocks for dinner last night and passed countless homeless along the way.  The juxtaposition between the amounts of money spent on the exhibit floor and the view of someone sleeping in a doorway can’t help but stir the heart and mind.  When you see yards of white thick pile carpeting being laid out in booths and wonder what the cost of that carpeting could do for any one of these people on the street it keeps what we do in stark perspective.
  • Today I start my analyst briefings, which is always a fun part of the trip.  Analysts are both leading (what is on the horizon) and trailing (are their customers asking about Triumfant and what problem do those customers think Triumfant will address) indicators of the market and are valuable to small companies looking to chart a clear path.  The analyst/vendor relationship is always an interesting dynamic, but if you are willing to be open minded and really listen to their feedback, there is always valuable data and insights available.
  • According to the forecast and the drops on my hotel window, we start what looks to be two days of non-stop rain.  At least it is a change from snow.

Please come by the booth (756) and say hello if you are on the floor.  And don’t forget the malware detection challenge.


Intel Notes Attack on 10K – Are We Heading to Mandated Disclosure of Cyber Attacks?

February 25, 2010

As we move toward RSA I am really intrigued by the fact that Intel included a note in their recent 10K that they experienced an attack resembling the recent Google attack.  I am not surprised about the attack, but I think the mention in the 10K is interesting.

Intel noted the recent attack in the section of the 10K called “Risk Factors” where a company discloses to investors and potential investors external factors that can affect company performance.  In other words, potential problems that may cause direct impact to the stock price.  In the words of Intel “Our business could be subject to significant disruption, and we could suffer monetary and other losses, including the cost of product recalls and returns and reputational harm, in the event of such incidents…”.

I have written 10Ks and I can tell you that items are not put onto the document on a whim.  I cannot speak for Intel, but I think it is reasonable to say that the frequency, complexity and depth of the attacks they experience have reached a place where the company feels compelled to explicitly reference these attacks as a potential risk to company performance.  We truly have come a long way from the Anna Kournikova virus and attacks for bragging rights.

Are we nearing a point where the government will step in and require disclosure of attacks?  The analogy can be found in the laws that emerged around personally identifiable information (PII), such as California’s SB 1386, where companies were required by law to notify individuals if their PII was acquired by an unauthorized party from company systems.  Many of the PII breaches we have seen over the past five years may have never surfaced into the public eye without such laws.

So will the SEC come to the place where the relentless attacks on corporate IP and confidential data will be seen as something that must be disclosed when such an attack is successful in order to protect investors from the potential fallout of such an attack?  What will be the criteria to require disclosure?

This much is sure – the stakes for IT security get higher every day.  If attacks are being discussed on 10Ks, then we can reasonably assume that there is much greater visibility to things such as the Advanced Persistent Threat at the executive level.  That visibility can only help the cause and move IT security from a grudge spend to a strategic investment in the fiscal health of the company.


Beware the “Denial of Innovation” Attack at RSA

February 24, 2010

We are on the final countdown to RSA and I find myself at an interesting place mentally and emotionally about the conference.  I enjoy the interaction with customers, analysts and the other vendors.  I enjoy the opportunity to connect with old acquaintances that I sometimes only see this one time a year.  I learn some things and come away energized – particularly about our product and the obvious gaps that we fill in the industry.

I also come away frustrated and a little sad by what I have named the “denial of innovation” attack that is becoming increasingly prevalent at the show.  RSA is full of noise and FUD, and the larger companies in the middle of the floor rule both the microphone and the exhibit floor, and to some extent, throttle the smaller voices of innovation in the room.   They do so by using their industry standing and deep pockets to overwhelm the mental bandwidth of the attendees – hence the use of the “denial of innovation” descriptor.

For these companies, their huge revenue streams are their power and their problem.  It is their power because they can afford to buy the premium sponsor slots and deliver “keynotes” that are in fact well crafted marketing messages.   Their booths are an adventure in excess – people, show floor technology and the best give-aways.   At least one will have a display device that costs as much or more than what Triumfant will spend on our entire booth.

It is their problem because the message they deliver is predicated on protecting the revenue stream, and the act of protecting revenue is often an inhibitor to innovation.   This is not unique to the security industry – it is a well-worn path as companies grow large and make decisions based more on the effect on stock price than on advancing technology.  The problem may in fact be more pronounced in IT security because so many of the largest companies are so closely wed to older technologies such as signature-based tools, and they simply cannot afford to put the revenue streams from these products at risk by admitting it is time for a new approach.  You can also read numerous discussions about the Advanced Persistent Threat where the DoD and other agencies and organizations have been pleading with the large A/V vendors for years to step up to the evolving threats and the waning ability of antivirus tools to address such threats.  In Mike Cloppert’s blog he notes that the “defense industrial base has been pleading with the AV industry for innovation to address more sophisticated threats and detection resiliency for at least 5 years, likely longer”.

Those big vendors that will have a new approach to tout at this year’s show will likely be doing so because of technology obtained through acquisition and not through internally driven innovation.  While the vendor may earnestly believe their new offering is a step forward, do not discount the fact that the financial markets and shareholders demand that they show a positive effect to the bottom line from that acquisition.

Lest you think this is a jealous rant of a small vendor, Bill Brenner of CSO magazine today reported that a movement called Security B_Sides has started that offers a forum for the innovative companies that are squeezed out of forums like RSA by the big guys (full disclosure: Triumfant submitted a proposal for a presentation on how our analytics eliminate the false positive problems of anomaly detection, and was rejected).  Such forums are a positive step toward getting exposure to new and innovative technologies that address very real problems.   If smaller, innovative companies had a voice at places like RSA, there would be no need for something like Security B_Sides.

I also understand that there is a buying dynamic at work in the IT security market.  The volume of vendors and offerings on the RSA floor is a confusing mass of noise to buyers who have strained budgets and their own professional standing on the line.  The old saying “no one gets fired for picking IBM”  gets translated in IT security to the choice to go with the larger omnibus product set of a large and well known security vendor rather than having to pick smaller vendors to cover requirements and then be faced with the very difficult task of integrating those products.   And for some companies the big vendors may be the right choice and all that they need.  But for other organizations who are under the constant barrage of advanced threats, the easier path may not be the answer.

The big vendors know this, and if you see something innovative and raise it to someone in a big vendor booth, they will very likely tell you they “have that” and you don’t need another product.  I am not accusing these vendors of being deceptive – they honestly believe they have that capability. Remember the famous line by George Costanza from Seinfeld: “if you believe it, it is not a lie”.  I cannot tell you how many times I provide an overview of the Triumfant product to someone from such a vendor and get that response.  But if that person will take the time to drill down to our actual approach and functionality, they understand the innovative nature of the product and will sheepishly admit that they really do not have comparable capabilities.

RSA has become the embodiment of a self-perpetuating cycle that seems to become more pronounced every year, and this is what makes me frustrated and sad.  I wrote a somewhat fanciful piece on the animals of the RSA zoo, describing the various company profiles on the floor.  Savvy veterans of the show know that the innovation is on the edges of the exhibit floor in the smaller, nondescript booths.   But unfortunately, the bright lights and “don’t worry, be happy” messaging at the large booths in the middle provide many a warm sense of assurance even if it may be at least partially false.

So if you are on the way to RSA, do yourself a favor and don’t give yourself over to the denial of innovation attack.  Go and enjoy the bright lights and frothy promises at the booths in the middle of the floor, grab that invite to the swanky party, and get your stash of give-aways to bring back to the office or home to the kids.  But then break away and head for the edges of the exhibit floor.  You may find something that really solves a problem you have in a way that cannot be found in the glitz and glamor.   Because the heart of RSA is not at the center of the floor – it beats strongly in the innovative vendors that reside at those edges.


Triumfant Malware Detection Challenge at RSA – You Bring It; We Find It

February 22, 2010

Today we are announcing that Triumfant will be holding a malware detection challenge in our booth (756) at RSA 2010.  The challenge is amazingly simple: you bring us malware on a USB stick or CD, and we will put it onto a Windows XP machine running our software and detect it.  No smoke, mirrors, celebrity look-alikes, flashing lights, or slickly animated and over-produced presentation.  Just your malware against our ability to detect what evades other traditional malware detection tools.  Straight up, and we will show you the results.

We are doing the challenge because sometimes when a product breaks down constraints that have been generally accepted as unbeatable, that product can be perceived as too good to be true, raising doubt and suspicion even when people see the product work in person.  Such was the case at last year’s RSA when we did our three minute malware challenge – people were really impressed, but some looked to discount what they observed firsthand as a set-up given that the malware used was selected by us.

So this year we will remove all doubt by using malware that anyone is willing to bring to the booth.  The information and rules about the challenge can be found here and here.

“But wait, there are restrictions!”, you say.  Yes there are and unashamedly so because we at Triumfant have always been very clear as to what we can and cannot do.  That is because we enjoy the luxury of having software so unique and so differentiated that we do not have to stretch the truth.  We have always said that Triumfant sees attacks with at least some form of persistence, and is not effective for attacks that are completely memory-based or BIOS-based.  We also know that there will be some (we think 5%-10%) rootkits that can get lower in the stack than we will see, but we will still gladly take rootkits in the challenge.  And even with the restrictions, we are still addressing a very significant and sizable problem.

“What if you fail?”, you may ask. Let me start with the easy answer – we are quite sure we will have a far higher detection rate than any of the traditional tools.  Of course the bar is pretty low (ok, that was a cheap shot).  The better answer is that we are very confident that we will succeed convincingly, if not perfectly.  Our success rate will certainly be high enough to effectively show the power and value of our product.

The bigger question may be how the market reacts to our success.  Detecting the attacks that evade other tools under live conditions pretty much removes reasonable objections.

But wait, there is more (I am in marketing, after all).  We have not mentioned the automated remediation capabilities of Triumfant.  For persistent attacks and rootkits, we will be able to take the detailed information generated during the detection process and generate a situational and contextual remediation for the attack, returning the victim machine to its pre-attack condition.  The only attacks that we will not be able to remediate will be those that exist partially in memory – we will identify the persistent artifacts but not all of the memory based elements.
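The detect-then-remediate flow this post describes (baseline a machine, spot the persistent artifacts an attack leaves behind, and put those artifacts back to their pre-attack condition, while acknowledging that purely memory-resident elements are out of reach) can be illustrated with a small change-detection model. The code below is an added example written for this page; it is not Triumfant’s code, whose internals the post does not describe. The host state, the file paths, the Run keys and the “infected” deltas are all constructed in-memory stand-ins for a real filesystem and registry, so the example runs offline.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed, simplified host state: file contents keyed by path, autorun
# registry values keyed by full value path, and running process image paths.
# A real agent would hash the live filesystem and read the registry; these
# dicts stand in for both so the example runs offline.
BASELINE = {
    "files": {
        r"C:\Windows\System32\svchost.exe": b"legitimate svchost image",
        r"C:\Windows\System32\drivers\ndis.sys": b"legitimate ndis driver",
    },
    "autoruns": {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
            r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
    },
    "processes": [r"C:\Windows\System32\svchost.exe"],
}

# Constructed post-infection state: one system binary patched, one DLL dropped
# with a matching Run key, and one process whose image was deleted from disk
# after launch (it now exists only in memory).
INFECTED = {
    "files": {
        r"C:\Windows\System32\svchost.exe": b"legitimate svchost image + implant",
        r"C:\Windows\System32\drivers\ndis.sys": b"legitimate ndis driver",
        r"C:\Users\Public\update.dll": b"dropped loader",
    },
    "autoruns": {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
            r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
            r"rundll32.exe C:\Users\Public\update.dll,Start",
    },
    "processes": [r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\stage2.exe"],
}

PERSISTENT = ("files", "autoruns")  # categories a change-detection scan can see


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(state: dict) -> dict:
    """Reduce persistent host state to hashes/values so two scans compare cheaply."""
    return {
        "files": {path: digest(content) for path, content in state["files"].items()},
        "autoruns": dict(state["autoruns"]),
    }


@dataclass
class Findings:
    added: dict = field(default_factory=dict)     # category -> sorted names
    modified: dict = field(default_factory=dict)
    removed: dict = field(default_factory=dict)


def detect_changes(baseline_snap: dict, current_snap: dict) -> Findings:
    """Diff two snapshots; every delta is a candidate persistent artifact."""
    found = Findings()
    for cat in PERSISTENT:
        before, after = baseline_snap[cat], current_snap[cat]
        found.added[cat] = sorted(set(after) - set(before))
        found.removed[cat] = sorted(set(before) - set(after))
        found.modified[cat] = sorted(k for k in before.keys() & after.keys()
                                    if before[k] != after[k])
    return found


def remediate(baseline: dict, current: dict, found: Findings):
    """Return the persistent state to its pre-attack condition.

    Added artifacts are deleted; modified or removed ones are restored from the
    baseline copy. Returns the repaired state and the list of actions taken.
    """
    repaired = {cat: dict(current[cat]) for cat in PERSISTENT}
    repaired["processes"] = list(current["processes"])
    actions = []
    for cat in PERSISTENT:
        for name in found.added[cat]:
            del repaired[cat][name]
            actions.append(("delete", cat, name))
        for name in found.modified[cat] + found.removed[cat]:
            repaired[cat][name] = baseline[cat][name]
            actions.append(("restore", cat, name))
    return repaired, actions


def memory_only_elements(current: dict) -> list:
    """Processes with no on-disk image: outside what a persistence-based scan
    can remediate, so they are reported for separate handling."""
    return sorted(p for p in current["processes"] if p not in current["files"])


def run_demo():
    found = detect_changes(snapshot(BASELINE), snapshot(INFECTED))
    repaired, actions = remediate(BASELINE, INFECTED, found)
    return found, repaired, actions, memory_only_elements(INFECTED)


if __name__ == "__main__":
    found, repaired, actions, leftovers = run_demo()
    for cat in PERSISTENT:
        print(cat, "added:", found.added[cat], "modified:", found.modified[cat])
    for action in actions:
        print("remediation:", *action)
    print("memory-only elements needing other handling:", leftovers)
```

The design point is that remediation is derived from the same diff that produced the detection, so the repair is specific to what actually changed on that machine rather than a generic cleanup; the `memory_only_elements` check makes the post’s stated limitation explicit, since a process with no backing file leaves nothing for a baseline comparison to restore.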

So come by the booth and see for yourself.  If you can’t find a snarling nasty bit of malware to bring along, we will have plenty to demonstrate the product to you.  Or you can watch while someone brings their sample to the booth.  Either way, I am absolutely sure you will be impressed.


Oh the Animals You Will See at the RSA Zoo (Conference)

February 17, 2010

We are now 10 days away from the RSA Show.  For those of you who have never had the pleasure of attending the yearly security conference, it is, to say the least, a happening. It is certainly a loud, confusing and busy show with hundreds of undifferentiated vendors screaming for your attention.

Some would characterize RSA as a zoo and zoos of course have animals, and I, being the helpful guy that I am would like to give you a short guide to some of the animals you will see.

Hamster. As in the “hamster wheel of pain” graphic prominently displayed on the booth (see examples here and a fun cartoon inspired by Andrew Jaquith here) to illustrate why the vendor’s product is essential to you.  Ever since I was introduced to the term I vowed never to use a wheel graphic in my materials again.  Each year at RSA I do a “hamster wheel” walk and laugh at the examples.  The more items on the wheel the better – the record sighting is 14.

Fudasaurus. These are the easiest booths to spot at RSA because of their size, noise, and the fact that they have graphical display devices that cost far more than I will spend on our entire booth.  Because the fudasaurus was built on traditional (translation: aging) products like signatures and antivirus, there will be an emphasis on how the latest acquisition really (no, really) solves the known gaps in their product.  The fudasaurus is always surrounded by swirling hordes of like-dressed acolytes that share a common ailment: premature affirmation or PMA.  PMA is characterized by the afflicted answering “yes” before the person asking the question completes the query.  Here is a sample dialogue:

Attendee: “Does your product…”

Acolyte: “Yes – we are in fact the world leader”

Attendee: “But I did not finish.”

Acolyte: “Yes”

Attendee: “But what if I was to say male pattern bald…”

Acolyte: “Yes”

PMA is somewhat analogous to the very advanced application of Maslow’s quote “If the only tool you have is a hammer, you tend to see every problem as a nail.”  This year’s new hammer and newly acquired problem solver for the fudasaurus is whitelisting.

Ants. These are the complete antithesis of the fudasaurus, relegated to small, nondescript booths at the edges of the show.  But pound for pound, an ant’s product may lift ten times its body weight, and the ants are tireless and industrious. Unfortunately, attendees are so distracted by the other animals that they often do not take the time to visit the ants, which is a shame because it is the ants who may actually have the solution to their problem. (see last year’s blog entry about a View from the Edges)

Blowfish.  These are the vendors that want to look like they cover far more security functions than their actual technology will support.  Luckily the blowfish does eventually have to breathe out, and if you are lucky you will be able to spot their true capabilities.  Blowfish are also spotted by their use of words like comprehensive, suite, single pane of glass, one stop shop, and holistic. The blowfish aspires to be a fudasaurus.

Peacock. These are the booths where the inhabitants all strut gloriously as if they have invented sliced bread and cold fusion.  The peacock often has interesting technology that, while visually compelling and breathlessly described, seems to solve a problem no one has.  Perhaps a hamster wheel graphic would help.  The relentless strutting and preening is mostly to catch the eye of the Fudasaurus for mating…sorry… acquisition activity. The most aggressive peacocks will claim a solution for the Advanced Persistent Threat at the risk of great ridicule from the roaming bloggers.

Chameleon. These are the vendors that have one basic type of product and are now passing themselves off as something much different and hopefully grander.  For example, patch management and helpdesk tools that now present themselves as security configuration management tools.  Hmmm, I thought we had configuration management issues because patch management has historically failed, but I digress…

So have fun, spot the hamster wheels, and enjoy the show.  And do yourself a favor and make sure you visit the ants.


Triumfant and Operation Aurora – Detecting the Advanced Persistent Threat

February 16, 2010

When new malicious attacks get a lot of attention in the press, we get asked the same question: “would Triumfant have seen that attack?”  Such is the case with the recent Google attack, aka Operation Aurora. Given the discussions around the Advanced Persistent Threat (APT) and attacks like Aurora, I asked our CTO, Dave Hooks, to analyze the available data and provide details on how Triumfant would respond if Resolution Manager had been deployed on an endpoint machine or server that was exposed to this attack.  Dave’s response is illustrative of how Triumfant works in the context of an actual attack and how our unique capabilities enable Triumfant to detect an attack with characteristics common to those seen in APT.

I offer Dave’s analysis with the full disclosure that it is based solely on detailed analysis of the attack, and that we had no firsthand exposure to the attack itself.  Dave broke his analysis into four parts: initial detection, diagnosis, knowledge base, and remediation, showing how Triumfant can identify an attack without prior knowledge, diagnose the attacks and correlate all of the changes to the machine associated with the attack, and build a situational and contextual remediation to return the machine to its pre-attack condition.

———-

Analysis of Operation Aurora

Initial Detection

Operation Aurora creates several service keys during three specific steps: execution of the dropper, the first stage of installation, and the second stage of installation.  Some of these keys are subsequently deleted but at least one is persistent.  The appearance of one or more of these keys would trigger the Triumfant agent’s 30 second scan cycle for markers of malicious activity, resulting in the agent requesting permission to execute a fast scan.  The Triumfant server would respond within seconds, green lighting the scan.  The agent would then capture the state of the machine immediately after infection and send the data to the server for analysis within 3 minutes.

Diagnosis

The Triumfant server would receive the snapshot, recognize that it was executed as a result of suspicious behavior, and immediately compare it to the adaptive reference model (the unique context built by our patented analytics).  The result of this comparison would be a set of anomalous files and registry keys.  The fact that the files and keys associated with Operation Aurora have random names would guarantee that they would be perceived as anomalous despite the fact that humans might tend to confuse them with legitimate Windows services.  Further analysis would then be applied to the anomaly set to identify important characteristics and functional impacts.  In this case the salient characteristics would be an anomalous service and a number of anomalous system32 files.

The discovery of an anomalous service would cause the Triumfant server to launch a probe requesting the Triumfant agent to explore the service further.  The probe would contain a list of all of the anomalous attributes found by the server during its analysis.  The Triumfant agent would activate a series of correlation functions to partition the anomalous attributes into related groups.  In this case it would group all of the anomalous attributes related to Operation Aurora.  It would then perform a threat analysis on this group and discover, for example, that it was communicating over the internet.  The results of the correlation and threat analysis would then be sent back to the Triumfant server.

At this point the diagnosis would be complete and the Triumfant server would alert the appropriate personnel that an “Anomalous Application” had been discovered and the data would be available on the console.  It would then be possible for an analyst to view all of the persistent attributes of Operation Aurora as well as the corresponding threat analysis, as well as readily share the data with CIRT and forensics teams.

Knowledge Base

An analyst can save the analysis for an Anomalous Application such as Operation Aurora to the Triumfant database.  This would allow the analysis to be converted into a new recognition filter.  Recognition filters have a number of benefits.  First, they provide a very precise mechanism for storing and sharing knowledge about an incident.  Second, they allow the system to search for any other instances of that particular condition in other environments.  Third, they enable the operator to pre-authorize automatic responses such as remediation should that incident be detected again in the future.

Remediation

If a Triumfant server detected Operation Aurora as an anomalous application, it would have sufficient knowledge of the anomalous attributes to synthesize a remediation response.  This remediation would be custom built to exactly match the attributes of the anomalous application on an attribute-by-attribute basis.  The ability to create remediations on the fly would enable the Triumfant system to surgically and reliably remove the components of Operation Aurora without reimaging the machine.  It would also enable follow-on variants to be addressed without the need for new signatures.

———-

Again, let me state for the record that this is based on Dave’s analysis and not actual “live fire” data of our software responding to an actual attack.  But we are quite confident that Triumfant would have responded as described, detecting the attack and building a situational and contextual remediation.


The Case for Triumfant as a Detection Tool for the Advanced Persistent Threat

February 9, 2010

Over the past two weeks I have jumped into the conversation about the Advanced Persistent Threat (APT) and how Triumfant represents an effective tool for detection of such threats.  Before I continue, let me level set.

- APT is characterized by a sophisticated adversary that is engaging in long term pursuit of sensitive data or intellectual property.  APT is not about malware – APT is not a specific attack or an attack vector.

- Because of the nature of APT, there is not a tool or set of tools that can protect an organization from APT.

We are on record as stating that while we would never characterize Triumfant as a protection for, or solution to, APT, we do represent a very effective tool for detecting the APT (or the Advanced Persistent Adversary as some would prefer).  As I also said previously, most security people that deal with APT will tell you that anomaly detection or change detection has long been viewed as the right tool for detecting APT type attacks, but there was not an effective implementation available.  We of course now think there is.

Triumfant is fundamentally different from any tool on the market.  First, we represent the most comprehensive sensor grid on the endpoint available today.  We monitor every piece of data or attribute about each machine that we can access.  This includes all of the registry keys, an MD5 hash of every file, performance data and physical data.  Second, we use our patented analytics to correlate and group all of that data to create a multi-dimensional model of the endpoint population that provides a unique context for later analysis. 

Now the fun begins.  We continuously monitor the over 200,000 attributes on each and every machine for changes, because it is change that triggers analysis for Triumfant.  All of the other tools on the market still rely on prior knowledge of the attack or the attack vector, and we have established that APT is not about a specific (or even a well-defined population of) attack or attack vector.  And this is precisely why the traditional endpoint security tools fail against APT – their very foundation is based on knowing about an attack in order to detect it.  But the edge Triumfant enjoys is a complete disconnection from the need for prior knowledge.

The elemental nature of using change detection to trigger analysis is what gives it so much power.  Most attacks – APT or pedestrian – share a common thread: they make changes to the machine.  And as Dave Hooks, our CTO and the creator of our analytic model will tell you: “If it wiggles, we will see it”.  Triumfant sees every change, analyzes it in the context of our model, and determines if the change is benign or potentially malicious. It is this context that has allowed us to effectively eliminate the false positives previously inherent with change detection.  

In the case of malicious activity, the analytics bear down to ensure that all of the changes that are part of a given attack are found and appropriately grouped.  This may include the use of additional probes to the affected machine to perform dependency walks on files or any number of other correlation algorithms.  The result is presented as an unnamed (no signatures, so no name) anomalous application and all of the effects of that application on the machine: the registry keys modified, files added, deleted or corrupted, physical changes such as opened ports, new processes, and corrupted system calls.  The analytics capture and correlate all of the changes to the machine for the APT attack, and use that data to build a situational remediation for that attack.  You get all of the data behind the attack and the fix to restore the machine to its pre-attack condition.
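The change-detection flow described in Dave’s Aurora analysis above and in this section (snapshot, reference model built across the endpoint population, anomaly set, correlation into one anomalous application, situational remediation) as an added Python example; this is not Triumfant’s code. The snapshots, the 10% prevalence threshold, the name-token correlation rule and the machine attributes are all constructed assumptions, not real Aurora indicators.

```python
import hashlib
import re
from collections import Counter, defaultdict

def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed sample data (hypothetical, not real Aurora indicators): 20 clean machines share one
# baseline; one machine also carries a random-looking service key, a new system32 DLL and a
# tampered system file. Each snapshot maps an attribute name to its value (MD5 for files).
BASELINE = {
    r"C:\Windows\system32\kernel32.dll": md5(b"kernel32 v1"),
    r"HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\ImagePath": "svchost.exe -k NetworkService",
}
CLEAN_MACHINES = [dict(BASELINE) for _ in range(20)]
INFECTED = dict(BASELINE)
INFECTED[r"HKLM\SYSTEM\CurrentControlSet\Services\RaS0qzr\ImagePath"] = "svchost.exe -k RaS0qzr"
INFECTED[r"C:\Windows\system32\RaS0qzr.dll"] = md5(b"stage-2 payload")
INFECTED[r"C:\Windows\system32\kernel32.dll"] = md5(b"kernel32 tampered")

def build_reference_model(snapshots):
    """Reference model: how many machines in the population carry each (attribute, value) pair."""
    model = Counter()
    for snap in snapshots:
        model.update(snap.items())
    return model

def find_anomalies(snapshot, model, population_size, min_prevalence=0.10):
    """Anomaly set: attributes whose exact value is seen on fewer than min_prevalence of machines."""
    return {a: v for a, v in snapshot.items() if model[(a, v)] / population_size < min_prevalence}

def _token(attr):
    # Service name for a Services\<name>\... key, otherwise the file stem (assumed correlation key)
    m = re.search(r"\\Services\\([^\\]+)", attr)
    return (m.group(1) if m else re.sub(r"\.[^.\\]*$", "", attr.rsplit("\\", 1)[-1])).lower()

def correlate(anomalies):
    """Group anomalies sharing a name token into one candidate 'anomalous application'."""
    groups = defaultdict(dict)
    for attr, value in anomalies.items():
        groups[_token(attr)][attr] = value
    return dict(groups)

def build_remediation(group, model, population_size, min_prevalence=0.10):
    """Situational fix: restore the population's majority value where one exists, else remove."""
    plan = {}
    for attr in group:
        common = [(v, n) for (a, v), n in model.items() if a == attr and n / population_size >= min_prevalence]
        plan[attr] = ("restore", max(common, key=lambda vn: vn[1])[0]) if common else ("remove", None)
    return plan

def analyze(snapshot, snapshots):
    """Full pass: model -> anomalies -> correlated groups -> one remediation plan per group."""
    model, n = build_reference_model(snapshots), len(snapshots)
    return {tok: build_remediation(g, model, n) for tok, g in correlate(find_anomalies(snapshot, model, n)).items()}
```

Because the infected machine is itself part of the population the model is built from, its unique values fall below the prevalence threshold and are never selected as a restore target.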

The data about the attack can be saved and shared with incident response and forensics teams for further analysis.  Their analysis can then be used to make the appropriate modifications to organizational defenses to protect against a reoccurrence of that attack.  But of course by now the advanced persistent adversary has already moved on to a new attack, and the game plays on. 

So back to my original assertion.  Are we a solution for APT?  No.  Does our combination of comprehensive endpoint sensor grid, deep context, and the use of change detection to trigger analysis make us an effective tool for detecting APT attacks?  We certainly think so.