Digitally Signed Malware Proves Again That Attacks Get Through Your Shields

So what, Triumfant guy, exactly gets through my shields?  You tell me I will be breached and you give me statistics, but I have AV, whitelisting, deep packet inspection, and every other acronym and buzzword in place. Oh yea, and I have “the cloud” (pause for tympani emphasis) providing me prevalence information and other cloud-based stuff.

Well, digitally signed malware gets past your protections.  Not according to me, but according to several sources – Symantec, Kaspersky, AlienVault and BitDefender – cited in a March 15, 2012 PC World article “Digitally Signed Malware Is Increasingly Prevalent, Researchers Say”.

It is the blackhat version of “these are not the droids The Droids You Are Looking Foryou are looking for”, using the certificates to get the malicious code waved through.  Some of the first evidence of this technique was found in 2010 in the analysis of Stuxnet.  The PC World article provides evidence that the technique is showing up with increasing frequency.  The article tells in good detail how it works and what protections it can evade, including whitelisting.

This technique is illustrative of the ongoing battle between good and evil in IT security.  Operating system advances in Windows 7 and other OS versions were thought to advance the security of systems, and the adversary then takes the very techniques used to make the systems more secure and subverts them to find new ways to deliver malicious code and evade protections.  I have no interest in impugning the efficacy of prevention software and I have never said to turn off protection software.  What I have said consistently is that attacks will get through your shields.  Here is yet another example of how, and demonstrates that the adversary will always find a way to get through.  No FUD here – I would point out that every vendor cited in this story is a protection software vendor.

This story also illustrates that there are no silver bullets in protection.  Prospects often cite the use of whitelisting tools as their raison d’etre  of why they do not need something like Triumfant, but here is a clear example of how such tools are being evaded.  If you need more, there is a video from Shmoocon that shows multiple techniques for evading several whitelisting tools.  Yet another silver bullet falls short. I am not singling out whitelisting – it is just the current “It” tool of IT security.

Lastly, it is illustrative of how the foundations of trust have become less…well…trustworthy.  I have seen the validation process of a certificate authority up close, and let’s just say I am not shocked to know that malware writers can obtain certificates with false identities. With the RSA breach and other certificate authorities being hacked, the foundation of trust was already showing cracks.  Now we see examples of how trust can be subverted using this technique.

So if this technique essentially waves malware through your shields, how are you going to detect the infiltration?  That is where Triumfant fills the gap, detecting the zero day attacks and targeted attacks, including the advanced persistent threat, that infiltrate your endpoint machines and servers.

I once had a product manager from another company disdainfully tell me “when you find something that gets past my shields, you call me”.  I am looking for his number as soon as I finish this post.

Targeted Attacks Make Remote Adversaries Malicious Insiders

“Wow, your tool would be great against malicious insiders!”

This is a common conclusion made by those introduced to the Triumfant solution.  That is because instead of looking for applications or malicious executables, we detect malicious activity through change, whether a threat actor working programmatically creates the change or a malicious insider directly makes the change.

The term “malicious insider” has been gnawing at me since I delivered a short presentation for the Intelligence and National Security Alliance Innovators Showcase last week.  My new slides had several screen shots from the Poison Ivy Remote Administration Tool (RAT) that we use in demos of the Triumfant product.  It was interesting to see the reaction to those screen shots as people grasped in a very graphical way what it meant to “own” a machine.  I realized that perhaps while people have intellectually grasped what a RAT can do, they might not have fully appreciated the term “own” until they actually saw one in action. (More on RAT tools in the previous post)

Today’s attacks are not smash and grab operations – they methodically evade network and endpoint protections to establish a long-term and comprehensive presence on the machine.  These are carefully crafted incursions onto target networks that rely on persistence and stealth.

In short, they turn the outsider into an insider.  This of course is not news to those in infosec, but to the people we serve, this is an idea they are still wrapping their head around these sophisticated targeted attacks.

Once a RAT is in place, the hacker has the same access as if they were looking over the shoulder of the machine’s user.  The user literally guides them through the applications and systems on the network, providing them user IDs and passwords along the way.  This allows the hacker to spread their influence to other places in the network until they are able to access their targets.   Time is on their side, as every statistic says that they will have at least a month and on average six months to identify and exfiltrate the intellectual property or sensitive data they seek.

Attacks rarely start at the machine that holds the targeted information.  Hackers now patiently gain access to the network where they can, and then stealthily move about until they find what they need.  And new Advanced Persistent Threats like Duqu illustrate that hackers are now using sophisticated attacks to gather all manner of information to then plan their payoff attack.  As I said in the previous post, these attacks put the adversary in your boardroom, laboratories, production lines, and CFO’s office.

If six months and virtually unlimited access does not qualify the hacker as an insider, I do not know what does. Recruiting physical insiders is a long and costly process and smacks of too much Mission Impossible.  And even well placed insiders may have trouble moving outside of their areas of responsibility.  Why go through all of that risk and effort when an outsider can easily become an insider.  If the operation is discovered, the outsider simply moves to the next target.

There is another aspect to being an insider: once you are inside, all of the security measures designed to keep you an outsider are now irrelevant.  All of the carefully crafted shields an organization has in place are all pointing outward and are not equipped or designed to catch the work of an insider.  Once these shields are evaded they are no threat to the insider.  Statistics from the 2011 Verizon Business Data Breach Investigations Report say that less than 6% of data breaches are discovered by the organization’s IT shop.  That sound’s like a pretty wide gap that requires some new thinking to me.

The answer to the original question is yes, Triumfant rocks against malicious insiders.  All types.

I Smell a RAT – Breaking Into Your House to Prove a Point About Breaches

I am going to break into your house.  This is obviously a hypothetical, so there is no need to report me to the local authorities. But stay with me.

As I said, I am going to break into your house.  I can get in one of two ways.  I could use simple psychology to entice you to essentially opening the door and letting me in (social engineering) or I could use some basic information gathered about you to let me know where you are vulnerable and force my way in (hacking).  I say force, but I am a pro and in spite of your protections, if I want in I will get in and the amount of force used will be minimal.

Either way, I will break into your house undetected.

The funny thing is that once I am in, all of the money you have spent on technology to keep me out will be useless.  Not one of those technologies will be able to detect that I have evaded those technologies and am now inside.  Since I am now inside, I could turn them all off, but why bother? They are no longer of consequence to me.  The thought of that makes me chuckle as I take steps to further obfuscate my presence from the inside.

If this scenario unsettles you, I am afraid it gets worse.  Because once I am inside and have had sufficient time to cover my tracks, I am, for all intents and purposes, undetectable.  That gives me full access to your home and I will now live with you for as long as I choose.  What you see, I will see, and eventually I will know where everything in you home is, including your secret stuff.  Access to all of your accounts? Well, I was looking over your shoulder every time you logged into an account, so I have all of your IDs and passwords. When you are not home I will even have time to rummage around the house at will.  Remember that valuable thing you thought you lost? I found it.

After a while, I do not even have to watch, because you decided that all of that stuff about not using the same User ID and password for your accounts was just a bunch of scare tactics.  Anyway, even if you got the slightest bit suspicious and changed anything, I am right there and will actually watch you change your password in real-time.

If I am found, odds say it will not be by you.  You would never find me on your own.  A business partner might notice something odd, or law enforcement may get a lead on my whereabouts, but you only have a one in sixteen chance of finding me.  Even if I am found out, my average stay is about six months.  Not much more to see here anyway.

And good luck getting rid of me.  Did you think I spent all of my time eating bon-bons on the couch watching Dr. Phil? Nope. I created a little thing I like to call persistence.  There are little bits of me inside the house so if you do sweep me out I can sweep right back in.  Like those little ants that come back under your sink.  I have also used your house to control other houses I have also occupied.  After all, yours was not the first.

I write this because when we do demos, we use Poison Ivy, a generally available Remote Administration Tool (RAT) to build a RAT Trojan and take over a machine.  I am surprised to learn that this is often the first time many people see exactly what it means when a hacker owns a system.  That the hacker can see the screen, capture everything that was typed, access every application and file.  People hear about RAT tools, but in my experience, they only have an academic understanding of what it means.  Showing them firsthand gives them a very jarring emotional understanding.  If you would like to see more, we have a short (5 minute) demo video that shows exactly that.

When (not if, kids) I access your system, bypass your defenses, and install a RAT on that machine, I am by definition now a malicious insider, a topic I will expand further on my next post. I am not after Grandma’s jewels, I am after the Crown Jewels.  I am after your intellectual property and your most sensitive data.  I am looking to steal things that can set your company back financially and strategically. I am not on your couch – I am in your boardroom and in your labs and on your production line and I am watching every keystroke your CFO makes.

And I am a malicious insider with staying power.  A recent statistic published in the Trustwave 2012 Global Security Report said that on average a breach lasts 173.5 days before being discovered.  Furthermore, studies show that organizations are not equipped to discover such breaches on their own.  The 2011 Verizon Business Breach Investigation Report states that breaches are discovered by the breached organization only 6% of the time.

I would tell you to wake up and smell the coffee but you are out of coffee and you should pick up a gallon of milk while you are out.  And those new curtains? Please.  I would also tell you to lock the door on the way out, but somehow that would be a bit too ironic.

The Worldwide Malware Signature Counter Lives On

At the bottom of the Triumfant home page is the Worldwide Malware Signature Counter, a fixture on the site since May of 2009.  The Counter was designed, according to the associated blog post marking its debut, “to graphically reinforce what many in the IT security industry believe is a growing problem that is being largely ignored – that the reliance on signatures to protect endpoints and servers against malicious attack is simply unsustainable”.  My only regret is that I never found a way to add the hard clunking sound from the timer on “24” to add emphasis.

I periodically check the Counter against reported malware counts to ensure that it is an accurate and fair representation of the signature story.  Truthfully, the Counter was designed to err on the side of understatement to avoid the impression of FUD or sensationalism, so I normally have to correct it up instead of down. Yes, IT security folks, there are actually marketing people with restraint.  Go figure.

Last week I updated the Counter to track to the signature counts reported by Symantec at the close of 2011.   Doing so led to a time of reflection on the genesis and objective of the Counter, and the changes in the threat landscape between then and now.

When Triumfant introduced the Counter three years ago, the world was still coming to terms with the evolution of malicious attacks and the hard realization that signature based protections could no longer be their primary shield. I would hope that there are very few serious members of the IT security community who need further convincing today.

Ironically, in the past three years the large vendors that owe their market presence largely on selling AV software have shifted their messaging.  Most dropped signature counts from their annual threat reports in spite of such counts being a featured staple in years past.  I noted in one blog post that one such vendor dropped any mention of the word “signature” completely.  In an interesting twist, some of these vendors now use the large malware sample numbers to sell other products and solutions in their portfolio.  The flood of annual reports that are the precursor for the RSA Conference scream numbers such as 75 million and 250 million for malware samples.  You have to feel for signature software: it made these vendors market leaders and it is now being dismissively kicked to the curb. Think Sunset Boulevard for security software.

Meanwhile, the battle to protect sensitive data and intellectual property continues to rapidly evolve.  The first malware sprung to life when sensitive information moved from corporate systems to the first personal computers.  Those early attacks now seem laughable against the volume and sophistication of the threats we face today, and things will only get more complicated when you consider the flood of mobile devices and BYOD machines that will soon be accessing corporate systems.  Furthermore, the adversary has changed from basement hackers to well organized, well funded, and highly motivated groups driven by monetary gain or political motives.  The sum total of this evolution creates a gap between signature based protections and the current reality that grows faster than a simple signature counter can capture.

The counter was a great visual to help people grasp the shift in the IT security world and helped bring attention to Triumfant’s ability to detect malware without signatures.  The counter often provoked people to ask if we were a replacement for signature based protections, and we always said no.  Signature based protections are a logical brick in the wall around IT assets, but they are just a brick, not the entire wall.  I should add that the Counter now serves as a symbol for all solutions that based their detection capability on some form of prior knowledge, not just AV.

My next thoughts went to the Counter itself and its continued existence on the Triumfant site.   After some consideration, I decided to keep it around because while the thinking of the IT security world has evolved there are still plenty of other business people outside of security that are still coming to terms with the concept.  Truth be told, I have an emotional fondness for the Counter and it is still a place for people to discover Triumfant and the uniqueness of our approach.

The Triumfant Worldwide Malware Signature Counter will live on.  Maybe I will finally add that sound effect.  Clunk…Clunk…Clunk…

RSA Conference 2012 Fearless Forecast – The Cloud of FUD

Next week, something insidious and life-choking will settle over the San Francisco Bay area and threaten everyone with confusion, nausea, and full loss of body hair.

The cloud of FUD.

For you South Park fans, yes, this is far more dangerous than the Cloud of Smug introduced in one of the classic South Park episodes (The Perfect Storm of Self Satisfaction). In the episode, the South Park residents begin to purchase hybrid cars (the Toyonda Pious) in large numbers, and their self-satisfaction in their eco-friendly ways creates a dangerous cloud of smug.  Unfortunately, the South Park cloud collides with two other clouds of smug, one from the general self-satisfaction of the SF Bay inhabitants and a rogue cloud from George Clooney’s Academy Award speech.  This creates the perfect storm of self-satisfaction with catastrophic results, destroying San Francisco and causing general havoc in South Park.

The RSA Conference is next week, and the amount of FUD in any normal RSA week can be problematic.  But this year, the IT security world is at an interesting crossroads.  The underpinnings of trust have been called into question through breaches of companies like Diginotar, and more recently, VeriSign.  Analysis released last week called into question encryption algorithms used by RSA, who is still reeling from a highly public breach last year. Studies indicate that breaches are on the rise, and targeted attacks (including the Advanced Persistent Threat) are hitting their mark with increasing frequency.  And we have no idea how many breaches are yet undiscovered and when we do discover them, we lack the tools to fully assess the damage.  The public disclosure of the VeriSign breach included language from VeriSign management that they were still not quite sure what had been stolen, in spite of the breach occurring in 2010.   Attacks like Duqu were illustrative of the growing sophistication in data gathering techniques to build even more sophisticated follow-on attacks.

We have entered a new phase in IT security to be sure, and all of this uncertainty will amplify the FUD volume to deafening levels.  That is because while there are several innovative companies offering real solutions to these new problems, the majority are scrambling.  When companies scramble in the IT security market, the result is a Perfect Storm of Self Preservation.  Those who lack real answers will look to duck and cover, and the predictable result will be epic volumes of FUD with a healthy undercurrent of smug.

Seriously, we should consider renaming the RSA 2012 exhibit area FUDapalooza! I am not talking about the usual “hamster wheels of pain”, “yes, I do that” (before a question is asked) level of FUD.  This will be highly advanced, super concentrated FUD.

For example, everyone, including the nice people that serve old, stale sandwiches in the lobby for $18, will have “The Solution for the Advanced Persistent Threat”.  Everyone will have the “Next Generation of Threat Protection” and “Your Weapon for Cyber Warfare”.  Companies that went the M&A route will have the “First Truly Comprehensive Security Suite/Platform”.  The large, “usual suspect” companies with the huge booths at the center of the floor will promise to plug the massive gaps that studies now show their own products to have.

I remember my first RSA Conference in 2005.  I was immediately struck by the signal to noise ratio (very little signal, copious amounts of noise) and lack of clear messaging and differentiation on the exhibit floor.  One of the more popular posts for this blog was about the animals you will see at RSA.  I can only imagine what 2012 will be like.

At the end of the South Park episode, Kyle points out to the citizens that driving a hybrid is really a good thing, but they have to learn to drive them without being smug.  The townspeople go back to their old gas guzzling cars, saying that “it’s simply asking too much”.  The RSA Conference could be an excellent place to explore ways to meet the new challenges we collectively face today.  Unfortunately, I think for most of my vendor comrades “it’s simply asking too much”, and most will instead take the Gladiator approach and unleash FUD hell.

The Cloud of FUD is coming.  Bring your Hazmat suit.

The Evidence is Overwhelming: Organizations are not Prepared for the Inevitable Breach

84 and 173.5.

These are two significant statistics I picked up from the “Trustwave 2012 Global Security Report”.  I downloaded the report yesterday to review the analysis and the salient numbers from the study.  If you read this blog, you know I quote liberally from the Verizon Business “2011 Data Breach Investigations Report”.  I felt it prudent to see if the Trustwave report aligned with the VBDBIR and my frequent calls to wake up and smell the coffee about breaches.

The short answer is that they do and it does.  84 represents the percentage of breaches that were discovered by someone other than the breached organization.  This aligns with the VBDBIR number of 86%.  I noted that the 84% is actually up from the 2011 Trustwave Report number of 80%.

The numbers on self-detection are of interest to me for two reasons.  One, they scream that organizations are quite ill-equipped to detect a breach and the problem is getting worse.  They dump money in pursuit of the perfect shield, but are essentially unable to know when those shields fail.  And frankly, if I have to convince you that your shields are failing, you may be in the wrong profession.

Second, they underscore that when an organization gets breached, knowledge of the breach is not being contained within the organizational walls.  If a third party finds it, the secret is out.  Organizations cannot ignore the reputational risk that comes from a breach. And there is a coming storm of breach notification legislation that will make the problem even harder to ignore.

The real thunderbolt comes from the 173.5.  Because 173.5 is the average number of days between the initial infiltration and discovery for those attacks discovered by third parties.  173.5 represents the average amount of time that the adversary has free access to the systems and confidential information of the attacked organization.  The report notes that for companies with active discovery initiatives, this number goes down to 43 days.  Better, but no less unacceptable.

I will say it again (and again, and again).  Organizations are going to be breached.  Organizations are not equipped to detect breaches, and once a breach is detected, organizations are not equipped and prepared to respond.  Stop trying to build the perfect shield, step back, and address your exposure to breaches now.  Embrace the fact that you will be breached, and build a rapid detection and response capability.

Need to see something beyond statistics? Just today an article on the Wall Street Journal Online noted that Nortel had been breached without detection for over ten years.  The article discusses SEC breach notification guidelines and the impact on acquiring companies, the potential impact of the breach on Nortel equipment, and implies that the breaches may have contributed to the ultimate decline of the company.

The lesson is simple really.  The Trustwave report and the Nortel story show (again) that while you are busily trying to build that perfect shield, you may already have an adversary working undetected on your systems with relative impunity.

Targeted Attacks Versus Advanced Persistent Threat – Pragmatic Versus Dogmatic

In some circles of IT security, debating the exact definition of what constitutes an Advanced Persistent Threat (APT) is far more incendiary than debating politics or religion.   I was forced to wade into these tumultuous waters this week as I was making updates to the Triumfant Web site.   Specifically, I was curious to see if there was some industry consensus as to the dividing line between the two classifications. Silly me.  I should have known better.

The volatile nature of the definition of APT makes the dividing line between targeted attacks and APT equally volatile.  The industry has not settled on any one dimension to distinguish and APT attack, much less a specific point on that dimension.  For some, APT is determined by the nature of the attack, or the target of the attack.  Some, most notably Richard Bejtlich (@taosecurity) define APT by the threat actor.

After some research, it became obvious that the one thing the debate needed was yet another attempt to differentiate APT attacks and targeted attacks, and being shallow and self-centered, I knew I was just the guy for the job.  My simple classification came down to pragmatic (targeted attacks) versus dogmatic (APT) and actually incorporates most of the elements of the debate.

At the high level, I consider APT attacks as a subset of the broader category of targeted attacks as both are attacks written to perform a specific purpose against a specific target.  Both value stealth and seek long-term infiltrations.  Both involve sophisticated adversaries that often use many of the same techniques.  Given the two categories are not exclusive, what I am attempting to capture is the point where a targeted attack becomes an APT.

Targeted attacks are pragmatic because their motivation, and therefore their approach and behavior, lies in monetary gain.  A targeted attack is likely designed to extract confidential information or intellectual property.  It is conceivable that the attack could be disruptive, but pragmatically, disruption does not provide a return on investment.   Targeted attacks value stealth and long-term infiltration, but only to the point where they serve the pragmatic need.   Not quite smash and grab, but not the longer-term persistence sought with APT.  Targeted attacks rely heavily on techniques that leverage human nature (social engineering) because the adversary lacks access to the human-gathered intelligence available to the APT threat actor. Finally, a targeted attack may be reusable against other targets, albeit with some modification and mutation of the malware.

I use the term dogmatic to describe APT attacks because APT attacks are largely driven by emotional/philosophical motivations, primarily politics.  This places higher value on stealth and persistence than a targeted attack because it enables the adversary the freedom to alter post-infiltration activity to respond to evolving external events.   This is the proverbial low and slow approach that places high value on maintaining an established presence in the targeted system or network.  APT attacks may also be broader in their impact to the targeted organization because disruption may provide the same political impact as exfiltration.  APT attacks often consist of multiple parallel attacks to ensure infiltration and ensure that discovery of one path does not cut off presence in the network.   That is because a pragmatic adversary may be able to move onto the next target, but the target for a dogmatic adversary is dictated by the politics of the moment.

I am going to be very candid and say that I really have no real emotional or professional stake in this debate.  Triumfant excels at detecting these attacks, and the dividing line has no affect on that capability.  I simply was creating a web page on targeted attack detection and a separate page for APT detection, and I was doing the due diligence to be as accurate as possible.  Why separate pages? Both terms (“targeted attacks” and “advanced persistent threat”) are frequently used search terms, so it was all about providing information to those who get to the Triumfant site through organic search.

So there is my take on the debate.  Not sure if the pragmatic versus dogmatic designation helps, but it resonated with me, so who am I to not feed the fire?


VeriSign Breached – Who Can You Trust Redux

It was reported by Reuters today (“Key Internet operator VeriSign hit by hackers“) that VeriSign has disclosed that the company was hacked in 2010.  This is significant at many levels.

First, VeriSign essentially handles the credentials for over half of all Web sites, specifically sites ending in .com, .net and .gov.  VeriSign executives could only say that they “do not believe” that the critical domain name services, leading many to speculate that VeriSign does not yet know the extend of the breach.  And even if the domain name services were not compromised, compromise of any of VeriSign’s other services could still represent significant risk to a very large number of companies and government agencies.

Given that VeriSign has not been forthcoming with details and frankly does not seem to know yet the full extent of the breach, the security of an enormous amount of Web sites is in question this morning.  I am not sure that this can be understated.  Depending on what we learn about this breach, the tectonic plates of online security may have just shifted significantly.

Second, the VeriSign breach is a huge blow to the topic of trust on the Internet (see  the blog post “Certificate Authorities Hacked – So Who Can You Trust?“).  This trust was already significantly impacted by the RSA breach last year and the compromise of several certificate authorities (CAs) such as DigiNotar.  But the aggregate affect of these breaches, in my opinion, is dwarfed by a compromise of VeriSign.  Consider that the “s” in “https” is based on Secure Sockets Layer (SSL) certificates, the majority of which are issued by VeriSign.  Suddenly the ubiquitous lock icon and green indicator of  web site trust suddenly do not feel so secure and trustworthy.  The past months have been filled with questions about the trustworthiness of SSL, and this breach will pour gasoline on that fire. In a broader sense, the article points out the RSA and VeriSign attacks are designed to undermine the fundamental underpinnings of authentication.  This puts all transactions – business, government, personal – at risk.

Third, the VeriSign breach came to light in a 10Q filing with the SEC that listed the breach in accordance to the new SEC guidance on breach disclosure.  Reuters did a search of such disclosures and found the VeriSign admission.  Without the SEC guidance, this breach may never have come to light and the companies that trust the integrity of VeriSign’s services would have never known.  I draw the conclusion that there was no communication of VeriSign to their customer given that the CTO of VeriSign at the time of the breach learned about the problem from Reuters.

The potential impact of this breach could make this event the tipping point in the call for more strict guidance and perhaps even legislative action in regard to breach disclosure (see “Prediction Regarding Data Breach Detection – Soon to be a Regulatory Requirement“). Proponents will have a field day with the idea that VeriSign may have never disclosed the breach without the SEC guidance.  But opposition to such action will also use the event as an argument against such action. The article intimates that the breach is a persistent attack done by a nation-state, or an Advanced Persistent Threat attack.  Such an attack at a company such as VeriSign has far reaching impact on national security, so there are those who would not want the attack disclosed before there was reasonable time to perform analysis, attribution, and potentially launch a counter attack.  Mix this attack in with a presidential election year and I predict the skies will darken will calls and counter arguments for legislation.

Fourth, this event may finally take many over the emotional hump  of clinging to the hopes that 100% prevention is still possible (see “The Emotional Barriers to Embracing the Presumption of Breach Doctrine“).  The article quotes security consultant Dmitri Alperovich as saying “prevention is futile”.  Those who have clung doggedly to prevention in the face of mounting evidence will find it hard to continue to do so.  It is okay.  Those of us who have already accepted the inevitable are here, waiting for you without judgement.  Just let go.

Fifth.  I will have much more to say about this subject, but notice that although the breach happened in 2010, VeriSign still does not know the extent of the damage.  There were even intimations that they may not have completely eradicated the adversary from their systems.  This is proof to my ongoing statement that organizations are not equipped to detect, analyze, and respond to breaches.  Trust me when I say I have much more to say on this topic in the very near term.

Watching this story unfold should prove to be quite interesting.  Quite interesting.

Prediction Regarding Data Breach Detection – Soon to be a Regulatory Requirement

In a post last week titled “Proposed EU Data Protection Fines Push the Lack of Breach Detection Capabilities into the Light“, I noted that the proposed European Union data protection rules would impose fines against organizations who did not report data breaches in a timely manner.  After that post I came across a story (“Companies worry about SEC’s advice to disclose cyberthreats“) in the San Jose Mercury News that noted that the SEC is continuing to amp up the pressure on companies to disclose breaches in their public disclosures.

I am not usually in the prediction business, but I noted in a blog post on February 25, 2010 titled “Intel Notes Attack on 10K – Are We Heading to Mandated Disclosure of Cyber Attacks?” that the SEC might soon mandate disclosure of breaches.  Given the increasingly digital economy, it would make sense that investors would consider breaches material information.

I am old enough to have seen similar patterns like this through the years.  Guidance by the SEC is one very public data breach away from being regulation, and those organizations that read the tealeaves and are prepared have a distinct advantage over those who ignore the signs and signal and are forced to play catch-up.

So I will break from form and make a prediction: by the New Year, we will either have or will be on the way to having multiple regulatory provisions that will require prompt (24 hour) notification of breaches.  Organizations can scramble then, or they can start looking at technologies (like Triumfant) that are focused on detecting the attacks that evade their protection software (shields).  Given that knowing when (again, the IF ship has sailed) you have been breached is critical information that every organization should want and have anyway, this is not the worst initiative ever catalyzed by regulatory mandate.

Why not beat the rush?

Proposed EU Data Protection Fines Push the Lack of Breach Detection Capabilities into the Light

Recently proposed updates to the European Union’s data protection rules may force companies in the U.S. and abroad to take a hard look at solutions that tell them when they have been breached.  According to a WSJ article, the proposed updates will affect U.S. companies that “are active in the EU and offer their services to EU citizens”.

Of specific note is the requirement to notify authorities and customers of data breaches within 24 hours.  Breach notification laws are not new and there are notification statutes in the U.S. at the state level.  But the breadth of the EU provisions, the 24-hour requirement, and the fines for noncompliance have seriously amplified the debate.

In particular, the 24-hour requirement has companies really nervous.  This is justified when you consider that the Verizon Business “2011 Data Breach Investigations Report” showed that less than 5% of data breaches were discovered in the first 24 hours.   An article on the EU updates in CSO Online leads with the subheading “Many companies don’t have the sophisticated systems for identifying breaches in the first place”.

I have no sympathy here.  There are solutions that can detect an intrusion to corporate systems within minutes of the infiltration, so the lack of capability is not from a lack of technology.  Companies have long settled for shielding the perimeter with traditional approaches to defense from the usual suspects of IT security.  Forgive my lack of compassion, but the EU requirements are the bill coming due for stubbornly sticking with old approaches to new problems and blindly relying on the large IT security vendors rather than considering innovative solutions.

In the interest of disclosure, Triumfant does provide a solution that will detect a breach within minutes of the infiltration.  Triumfant is not a DLP tool, but what Triumfant will do is quickly detect an attack that gets past the company’s shields and provide a very detailed analysis of the attack within minutes.  Triumfant uses change detection and contextual analytics to detect the attacks that evade other security software, making Triumfant able to detect new malware attacks, detect targeted attacks, and detect the advanced persistent threat.  Security professionals tell me that the analysis Triumfant returns would take a seasoned security professional hours or days to produce.  We call this Rapid Detection and Response: the ability to detect the problem, provide actionable analysis, and remediate the attack within minutes of the infection.  Once the point of entry is identified, the company can then determine if data has been compromised, and if so, the extent of that compromise.

Companies continue to ignore the realities in front of them (such as the 5% statistic) and continue to pour their resources into shields.  Plugging in another appliance onto the network or installing another solution that requires prior knowledge to detect attacks won’t fix the problem.  Nor will blindly trusting the large IT security companies.

The time to look beyond traditional approaches and the usual suspects has not only come, it has passed.  Companies have resisted change for reasons only they know, but I suspect they are not willing to look past traditional approaches and embrace technologies that re-write their perceptions of how IT security tools work.

The EU requirements are not causing the problem; they are pushing the problem into the light.  And in doing so, they are also dragging into the light the companies that have too long ignored the changing realities of security.  Companies that were unwilling or unable to step into the light themselves.


Get every new post delivered to your Inbox.

Join 478 other followers