Crossing Into a New Phase of How We View IT Security

July 21, 2010

I believe the evidence is now sufficient to say that we have crossed into a new phase of how IT security is viewed from a broader perspective.  To be clear, I am not saying that the new phase is about recognizing that the adversary and the attacks they build have evolved – that is well documented.  The new phase is about a pragmatic discourse on how IT security must accept fundamental change to effectively address the evolving threats at a much broader level.  This new phase is all about embracing a much harsher reality than the previous one, because at its core it is about accepting that we cannot effectively shield endpoint computers and servers from every attack.  This new phase goes beyond analysts and strategists to the people on the front line of the daily battle.

Don’t dismiss the emotional transition centered around admitting – and accepting – that we simply cannot build enough walls or create a good enough shield to completely protect machines from attack.  It is human nature to seek protection first, and to come to terms with the consequences of that protection failing only once it is clear that it will fail.  Walls bring protection, but they also imbue a false sense of security that people will cling to even when the evidence begins to build that the wall is no longer sufficient.

Many sources fueled this line of thinking.  The vendors all raced to sell the perfect shield, and so the tide of messaging around prevention was overwhelming.  Executives were far more comfortable talking about protection than about incident response, forensics, and remediation.  The rapidly growing number of attacks artificially inflated the antivirus detection numbers in security reporting, creating a false sense of security.  Rank and file users were still generally under more pedestrian attacks and therefore felt no perceptible change in the greater threat landscape.

There have long been insightful thinkers, and those on the front line protecting the information targeted by the Advanced Persistent Threat, who have attempted to raise the level of discourse over the past several years.  The evolving threats have now reached a point of saturation where the pain has become widespread.  This new reality has forced organizations to get past the emotional attachment to a 100% shield, and we now have a critical mass large enough to drive the broader discourse.

So what are the general themes of this discourse and the new phase of IT Security?  Here is my summary:

Old phase thinking versus new phase thinking:

  • Old: Build as many walls as possible to prevent anything from getting to the machine.  New: You cannot prevent everything, so you must be able to detect successful attacks.
  • Old: Assume the machine is clean unless I am told differently.  New: Assume every machine is compromised.
  • Old: Re-image as a matter of policy.  New: Remediate and fight through.
  • Old: Detection reports say I am more secure because I detect more attacks every month.  New: Detection reports show more attacks being detected because there are more attacks to detect.

Several new articles came out in the past several weeks about assuming that your machine has been attacked – one such article by Andrew Jaquith can be found here.  I heard the shift in many of the presentations at conferences such as the Gartner Security Conference in late June.  It is a healthy discourse, and the right step toward a better set of thinking for meeting the evolving threats.  It also creates a much healthier set of expectations for all concerned.  IT security can balance prevention and detection and look into technologies that help them detect successful attacks.  Executives will be aware that there is no 100% shield and therefore understand the associated organizational risk.  All of this opens a far more pragmatic approach to the realities of today.  Or as Roger Grimes puts it in a recent article in InfoWorld: “Accept that your company’s IT systems have been compromised — then get to work defending them”.


Have No Fear: Triumfant’s Remediation Capability is Automated, Not Automatic

July 9, 2010

In my previous blog entry I attempted to unravel some of the fear, uncertainty and doubt around our automated remediation capabilities.  After a week of quiet contemplation at the beach and writing a whitepaper on the subject I had an epiphany.  I think the fear comes from a confusion between the words “automated” and “automatic”.  Allow me to explain.

Triumfant has automated the construction of a remediation for any malicious attack or anomalous incident it finds.  The detail is all there in the blog entry.  But in short, because Triumfant knows what has changed and knows the value of every attribute or file before it was changed, it is a logical next step to build a remediation script to return the affected attributes to their pre-attack condition.  No spooky “thinking computer” stuff, just sound logic driven by the capabilities of our granular change detection.

The automated remediation Triumfant creates is not automatic in its execution.  The Triumfant administrator must perform a one-touch confirm of the remediation before it is sent to the agent for execution.  Triumfant does the heavy lifting of analyzing the attack or problem and building a comprehensive remediation script.  It is automated.  There is still the failsafe of human interaction as a confirmation.  It is not automatic.

There are easily implemented mechanisms to make remediations automatic for incidents encountered in the past and for configuration and policy enforcement.  In these cases the remediations are known and the customer is comfortable with their effects.  For example, we have customers who identify specific applications they want removed from endpoint machines, and those remediations are automatic.  But for anything new encountered by Triumfant, such as a zero-day attack or an Advanced Persistent Threat type attack, the default is the one-touch confirm by the administrator, providing oversight and control.

Why am I writing about this subject?  People seem to have a love/fear relationship with the concept of automated remediation.  For example, at the NIST Security Automation Conference last October in Baltimore I asked the attendees in my presentation two questions:

Q1: Who wants automated remediation?  A: Every hand in the room enthusiastically shot up.

Q2: Who is ready to implement automated remediation?   A: Crickets.

All I can surmise is that security people suffer from what I have dubbed “SkyNet Syndrome” – the lingering effects of watching science fiction movies and television series that ultimately play the “smart computer comes to life and destroys the world” card.  The list is long and distinguished: M5 and Nomad in Star Trek: The Original Series, V’Ger in the first Star Trek movie, Colossus from Colossus: The Forbin Project, Proteus in Demon Seed, and, of course, SkyNet from The Terminator.

Notice that I did not include W.O.P.R. from WarGames as he was hacked and did not become sentient.  Of course he was hacked because he had poorly configured endpoint protection that could have been easily recognized through change detection and quickly addressed by Triumfant through an automated remediation.  But I digress.


Triumfant’s Automated Remediation – Not Voodoo, Sensible Can-Do

June 14, 2010

It has come to my attention that many have a hard time getting their heads around our automated remediation capabilities.  The concepts around the way Triumfant performs automated remediation are really quite simple, so allow me to explain:

We know what changed. We continuously scan the machine for changes, and if we see an indication that the machine is under attack we perform an accelerated full scan to kick off the analysis process.  So when Triumfant’s patented analytics analyze a malicious incident, each and every change to the machine is available for consideration.  Triumfant not only sees what has changed, but is uniquely able to group changes to identify which changes are part of each specific incident.  The analytics leverage over 25 different correlation algorithms to determine all of the primary and secondary artifacts from any given attack.  We identify the attack and all of the changes associated with the attack, such as configuration changes and opened ports.  The changes break down into three basic change types: unexpectedly present means that something new has been added, unexpectedly absent means that something that was there is no longer there, and unexpectedly modified means that a value has been changed.

We know what the attribute or file looked like before it changed. The first step performed by the Triumfant agent is to take a snapshot of the over 200K attributes we monitor.  This includes an MD5 hash of every file on the machine.  A copy of this snapshot is continuously maintained on the endpoint and on the Triumfant server.  Therefore, Triumfant has a very logical and unique set of data that serves as the ingredients to write the remediation: we know what has changed, we know the current (changed) value, and we know the value prior to the change.  Brutally simple in concept, but elegantly and efficiently executed.

We therefore can build a script to change the things that changed back to what they were before. Once you know what attribute or file has changed and know what the attribute or file looked like before it was changed, it is not hard to construct a script to change things back.  Actually, there are some challenges, but luckily our engineers have made it look simple.  For example, it is easy to delete things that are not supposed to be on the machine, and it is easy to restore modified or deleted attribute values.  It is not that simple to restore missing or corrupted files.  That is why Triumfant’s donor technology (patent pending) is so remarkable.  Triumfant uses our knowledge base (automatically generated) to find a donor machine that has the same missing or corrupted file (version, OS, validated by the MD5 hash) and uses that donor machine to provide a copy to move to the affected machine.  (One caveat a practitioner will want noted: MD5 is no longer collision-resistant, so an MD5 match alone is a weaker guarantee that a donor file is the clean original than a hash such as SHA-256 would give.)  I will explore the donor technology and the context that powers it in a future post; suffice to say the capability is completely unique to Triumfant and is an elegant solution to a very difficult problem when considering automated remediation.
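The three steps above, as an added worked example written for this edit (not Triumfant’s code): a baseline snapshot, a diff that sorts every difference into the three change types, a remediation plan that reverses each change, a donor lookup that validates a replacement file by hash, and an undo log so the remediation can be reversed.  The paths, registry-style attribute names, file bytes and the donor host are constructed sample data.  One deliberate substitution: the page says MD5, but the example hashes with SHA-256, because MD5 collisions are practical and a remediation should not be fooled by a crafted donor file.

```python
import hashlib

# Constructed sample data: illustrative paths, bytes and attribute names, not real artifacts.
BASELINE_FILES = {
    "C:/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
    "C:/Windows/System32/helper.exe": b"MZ good-helper-bytes",
    "C:/Windows/System32/sysdll.dll": b"MZ good-dll-bytes",
}
BASELINE_ATTRS = {"open_ports": (135, 445)}

# Post-incident state: hosts edited, helper.exe deleted, sysdll.dll replaced,
# a DLL dropped, an autorun key added and a listener opened.
CURRENT_FILES = {
    "C:/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n203.0.113.9 update.example\n",
    "C:/Windows/System32/sysdll.dll": b"MZ trojanised-dll-bytes",
    "C:/Users/Public/dropped.dll": b"MZ payload-bytes",
}
CURRENT_ATTRS = {
    "open_ports": (135, 445, 4444),
    "HKLM/Software/Example/Run/Updater": "C:/Users/Public/dropped.dll",
}
# Another machine in the fleet that still holds clean copies (the "donor").
DONORS = {"host-b": {
    "C:/Windows/System32/helper.exe": b"MZ good-helper-bytes",
    "C:/Windows/System32/sysdll.dll": b"MZ good-dll-bytes",
}}


def digest(data: bytes) -> str:
    # The page says MD5; SHA-256 is substituted here because MD5 collisions are practical.
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict, attrs: dict) -> dict:
    """Record file hashes by path plus raw attribute values (baseline or current state)."""
    return {"files": {p: digest(b) for p, b in files.items()}, "attrs": dict(attrs)}


def diff(baseline: dict, current: dict) -> list:
    """Sort every difference into the three change types.
    Entries are (kind, key, state, value_before, value_now)."""
    changes = []
    for kind in ("files", "attrs"):
        base, cur = baseline[kind], current[kind]
        for key in sorted(set(base) | set(cur)):
            if key not in base:
                changes.append((kind, key, "unexpectedly_present", None, cur[key]))
            elif key not in cur:
                changes.append((kind, key, "unexpectedly_absent", base[key], None))
            elif base[key] != cur[key]:
                changes.append((kind, key, "unexpectedly_modified", base[key], cur[key]))
    return changes


def find_donor(path: str, wanted_hash: str, donors: dict):
    """Find a machine holding a copy of `path` whose hash matches the baseline."""
    for host, files in donors.items():
        data = files.get(path)
        if data is not None and digest(data) == wanted_hash:
            return host, data
    return None


def plan_remediation(changes: list, donors: dict) -> list:
    """One reversal action per change: added things are removed, attributes go
    back to their baseline value, and a missing or altered file needs a
    byte-exact copy that only a hash-validated donor can supply."""
    actions = []
    for kind, key, state, before, _now in changes:
        if state == "unexpectedly_present":
            actions.append(("remove", kind, key))
        elif kind == "attrs":
            actions.append(("set", kind, key, before))
        elif (donor := find_donor(key, before, donors)) is None:
            actions.append(("needs_manual_review", kind, key))  # never guess at file contents
        else:
            actions.append(("restore_from_donor", kind, key, donor[0]))
    return actions


def apply_remediation(files: dict, attrs: dict, actions: list, donors: dict) -> list:
    """Apply the actions to the live state and return the inverse steps, so the
    whole remediation can be undone by replaying them in reverse order."""
    undo = []
    for action in actions:
        op, kind, key = action[:3]
        target = files if kind == "files" else attrs
        if op == "remove":
            undo.append(("restore", kind, key, target.pop(key)))
        elif op == "set":
            undo.append(("set", kind, key, target[key]))
            target[key] = action[3]
        elif op == "restore_from_donor":
            undo.append(("restore", kind, key, target[key]) if key in target else ("remove", kind, key))
            target[key] = donors[action[3]][key]
        # needs_manual_review: leave the object alone for the administrator
    return undo


def run_demo() -> dict:
    baseline = snapshot(BASELINE_FILES, BASELINE_ATTRS)
    files, attrs = dict(CURRENT_FILES), dict(CURRENT_ATTRS)
    changes = diff(baseline, snapshot(files, attrs))
    actions = plan_remediation(changes, DONORS)
    undo = apply_remediation(files, attrs, actions, DONORS)
    residual = diff(baseline, snapshot(files, attrs))  # what still needs a human
    return {"changes": changes, "actions": actions, "undo": undo,
            "files": files, "attrs": attrs, "residual": residual}


if __name__ == "__main__":
    for action in run_demo()["actions"]:
        print(action)
```

Run it and it prints the six planned actions.  The edited hosts file comes back as needs_manual_review because no donor holds a byte-identical copy, which is the right outcome: a remediation that cannot source a clean copy should say so rather than guess, and the residual diff shows the administrator exactly what is left.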

Makes sense when you lay it out this way, doesn’t it?  Triumfant uses this very simple logic flow to build a custom remediation script for each and every incident that is contextual, situational, and surgical.  The script is constructed without the need for human intervention at the server and sent to the agent for execution after confirmation by an administrator.  The remediation only affects those attributes and files that were part of the attack and does not affect any of the changes made to the machine outside of the incident.  None of the user’s work or any of the benign changes to the machine are lost.  And you should not have to re-image the machine out of fear that there may be artifacts of the attack still lurking on it.

This is not a rollback to an image; there is no interaction required by the end user, including any requirement (except in the most extreme cases) to reboot.  We are not pulling from a library of pre-written remediations that can’t possibly know enough to address all of the primary and secondary artifacts of an attack.

This is not voodoo, but sound, sensible science.  It takes the concept of change detection and extrapolates it to its logical end – not only can Triumfant see the attacks that evade other defenses, it can build a remediation that stops the attack and removes all of the collateral damage of the attack.  We are not a shield, but we go from infection (not detection, which for many tools takes days, weeks, even months) to remediation in less than five minutes.  So given that the shields miss so much, the fact that malware exists on the machine for five minutes is a more than equitable trade-off for those organizations dealing with the advanced persistent threat, zero-day attacks, and rootkits.

Finally, I know the term “automated” gives everyone heartburn.  Everyone likes the concept, but is skittish about actually implementing it.  Not to worry.  We build the remediation automatically, but by default it does not run automatically.  The administrator will get an alert that malware has been detected, and the administrator can then evaluate Triumfant’s findings and validate the remediation before it is executed.  And every remediation is completely reversible.  We provide all of the analysis and write the remediation script; you actually put it into motion.


The Google Microsoft Security Dust-up and the Marketing Genius Behind the Scenes

June 3, 2010

I have watched in amusement as people have responded to the claims by Google that they will no longer use the Microsoft operating systems because of the alleged security problems with the MS software.  There are some painfully obvious elements of genius by Google here that people are simply missing in the hysteria:

  • Genius Idea #1:  Google is introducing an operating system, Chrome OS, by the end of the year.  So of course they need to move their staff to Google products and, more specifically, away from the Microsoft products.  Given Google is smart enough not to move their entire operations to a new OS on day one, they can get off of MS now to Linux or Mac OS to eliminate the PR ambiguity.  In other words, they cut the MS cord without putting all of their operational chips on the Google OS square.  Genius.
  • Genius Idea #2:  Where is the official statement by Google?  Everything I have read had quotes from “one Google employee”.   They get the word out, enjoy all of the publicity, and keep their executive team free from any involvement.   There are no defamation suits to file and no one at Google for Microsoft to attack in the press.  Genius.
  • Genius Idea #3:  Google’s decision means that any other company that wants to move away from Microsoft no longer has to bear the risk of going first.  Google is a respected (well, they keep trying to screw that up) technology leader.  If they can ditch MS, then so can any other company.  Genius.
  • Genius Idea #4:  They have clearly planted the flag on why organizations will want to look at the Chrome OS – security.  It is unlikely that the Chrome OS will have a wealth of differentiating OS features, so Google needed to create a clear reason to make the switch.  Declaring (albeit through “one Google employee”) the move is security based and pulling in the Operation Aurora buzz as a catalyzing factor, Google has kick-started the brand for Chrome OS.  Genius.

I wear many hats at Triumfant – CMO, product management, product marketing – but when I look at this from a marketing point of view I am really impressed by this move.  Google has managed to make multiple strategic moves at near zero costs and no “official” entanglements.  They create buzz, establish some brand awareness, and begin the “eat our own dog food” process with some perceptive guerrilla marketing.  Genius.

I have long contended that the disclaimer at the end of erectile dysfunction medicine commercials was added not by legal but by marketing.  You know, the disclaimer about certain conditions lasting longer than four hours.  The marketing person likely said “You really want everyone to remember this commercial? Then put in this disclaimer and everyone will be talking about it.”   It worked.  Genius.

So today the blogosphere and Twitterverse is buzzing loudly with the Google move.  Bravo Google marketing person.  Well done.  Genius.


The Advanced Persistent Threat Means We Need a Third Bucket

May 25, 2010

Gartner has always taken a simplistic approach to dividing their analysts in the consulting practice:  keep the bad guys out (defense) and let the good guys in (access).  I have no quarrel with these two buckets and they have made sense for some time, but I respectfully believe it is time the industry accepts a broader reality and adds a third bucket that addresses when the adversary has thwarted the first two buckets, which is happening with alarming frequency.

I was at the Capital Connection Show last week and had the pleasure to attend a luncheon roundtable discussion that included Gary Gagnon of MITRE and Debora Plunkett, NSA’s Information Assurance Director.  I found it interesting that the call to arms was not for better shields but for a better understanding of how to detect and eradicate adversaries that have made it through the defenses.  It was clearly a pragmatic view that offense is always ahead of defense, and that a continued emphasis on chasing the perfect shield was no longer viable.  Regardless of whether you like the term, the Advanced Persistent Threat is a reality, and the advanced persistent adversary is now organized, competent, and highly motivated.

Unfortunately, the IT security industry formed in a simpler time when the two buckets of defense and access were enough.  The entrenched thinking and alignment of products into these buckets have seemingly left no room for a third bucket.  When we brief the analysts or the press it is clear that while they understand what Triumfant does and the value our solution represents, there is a struggle to process the information because we do not neatly fit into a bucket or one of the sub-classifications within those buckets.  I fear that it actually puts Triumfant at a disadvantage even though we effectively fill critical gaps in endpoint security and configuration management.

There is an interesting corollary when one looks at the evolution of the defense of the United States over the past 30 years.  When I entered the professional workforce in 1981 at what was then Martin Marietta, the U.S. Armed Forces focused on fighting a broad, land-based conflict in Eastern Europe against the Soviet Bloc.  For those too young to remember, military vehicles and uniforms were not desert khaki, but green.

Ten years later, America was fighting the first Gulf War and the military was scrambling to find khaki and brown paint – literally.  Military vehicles would pass on the highways and you could see they were hastily painted from forest green to desert brown.  Many of the vehicles and weapons built for the woods of Eastern Europe were not so effective in this new theatre.  The adversary was also different in nearly every aspect.  So we quickly found that our strategies and techniques had to be completely reset.  In spite of these challenges, the public was served multiple images of the sophistication of our weapons, creating a sense of confidence that our military superiority would shield our home soil from aggression.

Ten more years later, on September 11, 2001, I stood at a window on the 27th floor of a high-rise office building in mid-town Manhattan as my brain struggled to process the data from my eyes as I watched the first of the Twin Towers of the World Trade Center shudder and fall.  The enemy was no longer in some far away land most of us would never see; the enemy was among us.  The enemy had in fact lived among us, and we had trained them to have the skills to perform their acts of aggression.  Iconic buildings on our own soil had been attacked, and non-combatants were killed.

I did watch both towers fall, and I can assure you I do not invoke 9/11 lightly or use it as a casual metaphor.  That day the United States understood that defense was no longer about keeping the bad guys out, because they were already in.  The nation was forced to completely rethink security, come to grips with finding and removing embedded adversaries, and admit to the hard truth that there was no way to completely secure the perimeter.  The myth of the shield fell in the flames of the WTC and the Pentagon.

We are at that place with IT security and have been for some time.  The pragmatic know this and are well on their way to addressing the problem.  But the industry itself and many within organizations and government agencies are stuck on the concept of perfecting shields rather than dealing with the cold harsh reality of an adversary that has long since found ways to penetrate those shields in a targeted and systematic way at a rate that increases daily.

The larger, incumbent security software companies that started with shields predictably hold onto the premise and respond to problems by introducing new shields that the bad guys soon evade.  Organizations buy into the story because it simply feels better to think about keeping the bad guys out than to admit they have long since found their way in.  They rest on reports from AV software that show increasing detection statistics, which create a false sense of security because there are no statistics on what is getting through.  Yet outside statistics prove conclusively that things are getting through.

Folks, the world has changed and there is no denying it nor can we turn back the clock.  There has to be a third bucket that addresses what we do when the bad guys get past our defenses and infiltrate our systems.  My problem – I don’t have a good name for the bucket, so I am open to suggestions.  Regardless of what we call it, it is time to face the uncomfortable truth and adjust our thinking accordingly.


Maintaining a State of Zen in the Face of the Matousec KHOBE Attack

May 17, 2010

I have reached a nirvana of sorts during my tenure with Triumfant.  First, we have a product that is truly and completely differentiated from any other endpoint protection product in the security market.   If you know how noisy, undifferentiated and confusing the security market is, you know that is a strong statement.  Second, I have the comfort of knowing that our product’s differentiation puts us in a position where the market moves toward us daily.

Which brings me to the Matousec dust-up of last week.  For those of you who missed the fun, Matousec.com published a paper that described an attack that bypassed a list of over 30 broadly used endpoint security programs.  The paper (found here) describes an attack Matousec calls KHOBE (Kernel HOok Bypassing Engine), which goes by the more generic description of an argument-switch attack.

I won’t restate the particulars (good article with more details in the Register here), but the general gist of the attack is a race: the attacking code passes benign-looking arguments to a system call that the A/V product has hooked in the kernel, lets the hook inspect and approve them, and then swaps in the malicious values in the brief window before the kernel actually uses them.  The attack is particularly practical on multi-core machines, where a second thread can perform the swap while the first is still inside the hooked call.  It should be noted that this attack is strictly a lab-based demonstration and has not been reported in the wild.  Matousec did test a broad spectrum of AV products and reports the following (emphasis by Matousec): “If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100 % of the tested products were found vulnerable.”  Included in that list were Symantec, McAfee, Trend Micro, Kaspersky, Sophos and the other usual suspects.
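To make the argument-switch pattern concrete, here is an added example written for this edit (not from Matousec’s paper or from any product) that models the race in Python with the interleaving made explicit rather than relying on a real thread race: a hook inspects a caller-owned buffer, an attacker thread swaps its contents in the window before use, and the kernel then consumes the swapped value.  The hardened variant captures the argument into its own memory once, checks the copy and uses that same copy.  The marker-based “scan”, the function names and the buffer class are assumptions for illustration.

```python
# Constructed stand-ins: a caller-owned syscall argument, an A/V hook's check,
# and the attacker's second thread. Names and the marker check are assumptions.

class UserBuffer:
    """Argument living in user memory; the hook and the kernel both read through it."""
    def __init__(self, data: bytes):
        self.data = bytearray(data)        # mutable, like memory the caller still owns


BLOCKED_MARKERS = (b"MALICIOUS",)


def hook_inspect(data) -> bool:
    """Stand-in for the hook's scan of a syscall argument: True means 'allow'."""
    return not any(marker in data for marker in BLOCKED_MARKERS)


def swap_to_malicious(buf: UserBuffer) -> None:
    """The attacker's second thread: rewrite the argument after the hook approved it."""
    buf.data[:] = b"MALICIOUS"


def syscall_check_then_use(buf: UserBuffer, attacker_thread=None) -> str:
    """Vulnerable pattern (an SSDT-style hook): inspect the caller's buffer, then
    let the kernel read the same user memory a second time. `attacker_thread`
    models the thread that runs in the window between the two reads."""
    if not hook_inspect(buf.data):          # read #1: the check
        return "blocked"
    if attacker_thread is not None:
        attacker_thread(buf)                # the switch lands here
    return "executed:" + buf.data.decode()  # read #2: the use


def syscall_copy_then_check(buf: UserBuffer, attacker_thread=None) -> str:
    """Hardened pattern: capture the argument once into memory the caller cannot
    reach, inspect the copy, and hand the kernel that same copy."""
    captured = bytes(buf.data)              # the only read of user memory
    if not hook_inspect(captured):
        return "blocked"
    if attacker_thread is not None:
        attacker_thread(buf)                # rewrites memory nobody reads again
    return "executed:" + captured.decode()


if __name__ == "__main__":
    for fn in (syscall_check_then_use, syscall_copy_then_check):
        print(fn.__name__, fn(UserBuffer(b"BENIGN"), swap_to_malicious))
```

The point the example makes is the one Matousec’s finding points at: a check on memory the caller can still write is no check at all, so the argument has to be captured before it is inspected.  That is why inspection through the operating system’s supported filtering callbacks, where the kernel has already captured the arguments, does not have the same window, while a raw hook that re-reads user memory after approving it does.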

Several of the AV companies have gone on the defensive and responded by noting that the attack is complex and would be difficult to execute in the wild.  Others have noted that it is plausible that known exploits in commonly used programs such as Adobe Reader could turn that software into a delivery vehicle for the malicious code payload needed to execute the KHOBE attack.

As for me, I sit in a zen like state, calmly observing the fuss.  Because Matousec is just the latest, albeit technically progressive, technique for evading defensive shields and getting a malicious payload to the machine.  My zen comes from knowing that Triumfant would be there after KHOBE did all of its complex machinations.  In spite of the technical sophistication of the argument-switch attack, the end result is the same basic trigger – the endpoint will be changed, and we will detect the change, and then we will step in to protect the machine.  Triumfant waits in an equally blissful state of zen, completely unaffected by the sophistication (or lack of sophistication) that got the attack to the machine.

My zen state is only deepened by the knowledge that even if this attack never makes it into the wild, it is a harbinger of new attacks being developed as we speak.  We just passed the ten-year anniversary of the “I love you” virus that rocked the world in May 2000.  Looking back now it seems rather quaint in the context of the malware we face today.  I am quite sure KHOBE is an example of the same phenomenon – except it will look quaint in 2 to 3 years instead of 10.

The bottom line is what I have said in numerous posts (here and here) – attacks will get through your shields.  Write it in stone, because that fact will never change.  Ever.  It is the one absolute you can bank on.  That absolute is the source of my zen state because we provide a really unique and interesting solution that will detect what gets through the shields and restore attacked machines to pre-attack condition in less than five minutes.  This capability is that unique differentiation I spoke about earlier.

The term Nirvana is often defined as “a state of total bliss or happiness”.  I am not happy that organizations are being attacked and I find no bliss in seeing new attacks such as the argument-switch attack being created.  Quite the opposite: my bliss comes from knowing I have the right solution at the right time, and that we can help organizations protect their intellectual property and sensitive data as the complexity and volume of attacks continues to grow.  We do not promise a sense of zen, but Triumfant sure can help protect you against whatever new attacks are created to evade your defenses.  And just maybe you will find a little more peace along the way.


The Worldwide Malware Signature Counter – A One Year Report Card

May 4, 2010

About a year ago we had the idea of the Worldwide Malware Signature Counter as a graphical representation of how reliance on previous knowledge of attacks for detection was no longer a serviceable approach to protecting endpoint machines.  Much of the actual data used to build the math behind the counter (yes, it has thoughtfully constructed, sound mathematical principles behind it) was taken from the Symantec Internet Security Threat Report (ISTR).  Since Symantec just released the annual update to that report, it seemed an appropriate time to look back at the counter and see how well our analysis held up a year later.

All things considered, the counter was remarkably accurate.  Charting both the year-over-year and cumulative signature counts through 2008, we concluded that new signatures were being added each year at 60% of the cumulative count.  This proved to be a bit aggressive, as Symantec’s actual numbers showed the 2009 additions to be 51% of the cumulative number, or just under 2.9M new signatures.  But because we conceived the counter to be instructional and not hyperbole, we built the calculations on the conservative side, and the counter in fact lagged just slightly behind the actual numbers reported by Symantec throughout the year and eventually in the ISTR.

When I first did the math on the numbers from the ISTR in 2009, I was struck by how the signature numbers broke down as a practical drag on the resources of the AV companies.  Of course a 51% increase in the cumulative count in a single year only exacerbates the problem.  Using the numbers from the recent ISTR (2,895,802 new signatures in 2009), that burden translates to 241,316 signatures per month, roughly 7,934 signatures per day, 5.5 signatures per minute, and ultimately one new signature roughly every 11 seconds.  It is a model that is simply not sustainable, and by every indication, it will only get worse.

The bigger question after a year is “so what?”.  Well, the language from the AV vendors has certainly changed.  In fact, the following is a direct quote from the Symantec document:

Signature-based detection is lagging behind the creation of malicious threats—something which makes newer antivirus technologies and techniques, such as behavioral-based detection, increasingly important. …. This trend suggests that security technologies that rely on signatures should be complemented with additional heuristics, behavioral monitoring techniques, and reputation-based security. (page 48, Symantec Global Internet Threat Report – Trends for 2009,  Volume XV, Published April 2010)

During his keynote at this year’s RSA, Symantec CEO Enrique Salem was quoted as saying “Traditional signature-based approaches to security are not keeping up.”  Of course, such admissions are directly colored by the alternative technologies the AV companies recently introduced to the market after ignoring calls from the rest of the industry for alternative detection methods.  But at least they have stepped away from their defense of signature-based AV in the face of all evidence to the contrary.  I am not claiming they were driven to such mea culpas by our signature counter, but I do think we helped point out the issue.

Unfortunately, while organizations have also come to terms with the limitations of signature-based AV, many are adopting the alternatives provided by the AV vendors instead of looking to more promising technologies.  Symantec brought Quorum to the market, so reputation-based security is their answer.  McAfee bought a whitelisting technology so – surprise! – whitelisting is their answer.  I guess I was hoping that organizations would see past the entrenched vendors for alternatives, given that these vendors were so slow to come to terms with the signature problem, but factors such as risk avoidance have kept some innovative alternatives from getting play.

Meanwhile, the counter continues to increment, and recently passed 7 million signatures, on pace to add over 4 million signatures in 2010.  I was recently asked if we planned on retiring the counter given the shift in sentiment toward signature-based AV.  We still see enough executives and security people who don’t yet understand the problem, so the counter will live on to help us make the point.

So in regards to a grade, how about a gold star for creativity, an “A” for the math, and an “I” (incomplete) for changing the world.


Antivirus Detection Rates – Undetected Attacks Are Still Attacks

April 26, 2010

I came across an article in The Business Times this morning that contained a quote that caught my eye.  The article was called “Singapore a growing platform for cyber attacks on region” and talked about the growing number of cyber attacks originating in Singapore.  In the article there was a definition attributed to Symantec:

“By Symantec’s definition, an attack denotes any malicious activity carried out over a network that has been detected by a firewall, intrusion detection or prevention systems.”

Obviously, the word that stuck out in this definition was “detected”.  Why?  Because I have news for you – malicious activity that goes undetected is also an attack.  In fact, I would say that undetected attacks would be placed in a higher tier of the definition, because Rule One of criminal behavior is Don’t Get Caught.  Attacks that would fall under the characterization of an Advanced Persistent Threat are engineered to evade detection and are very much an attack.

(This reminds me of one of my favorite movie scenes.  In Stripes, Harold Ramis and Bill Murray are sitting in the Army recruitment office and the recruiter asks them if they have “ever been convicted of a felony?”.  Bill Murray’s response: “Convicted?”.)

In fairness to Symantec, I am not sure if this quote from the article was paraphrased or misquoted, and I am not out to pick on Symantec.  What I do want to point out is a huge flaw in how the industry measures malicious activity.  Let me explain.

Both AV software vendors and internal security groups often report on what was detected.  Makes sense, right?  If you could count undetected attacks, they would instantly become detected ones.  But according to the Symantec Internet Security Threat Report: “Symantec created 2,895,802 new malicious code signatures in 2009, a 71 percent increase over 2008”.  It follows that the number of detected attacks will rise roughly in proportion to the number of available signatures.  An organization could be doing a worse job year over year at detecting attacks, yet its raw volume of detected attacks would still go up, giving the perception of success.

Executives look at the bulk score and are mollified that the organization is protected.  But if the number of attacks grew by 71%, the number of attacks detected by the organization had better track that same 71% or the organization is losing ground.  If you think it through, even that 71% may be deceiving, because what Symantec and the other AV vendors don’t tell you is how long your organization was exposed between when the attack was first introduced and when they finally detected it and wrote a signature.  It could have been six hours, but it could just as easily have been six months.

In short, gauging success from bulk detection numbers is a quick way to obfuscate the real risk to any organization.  But if you are selling a shield that has known flaws, it is a great way to use the steadily growing malware volume to present either software or organizational effectiveness in a successful light.
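To make the argument above concrete, here is an added example (not from the original post and not any vendor's reporting code) that computes the metrics a practitioner should be asking for instead of the bulk count: the detection ratio (detected divided by everything that actually landed) and the exposure window between an attack first landing and a signature existing for it.  The incident records are constructed for the demo; the family names, dates and the `year_over_year` helper are assumptions of this example, not data from the page.

```python
"""Detection metrics that do not inflate with signature volume.

Added example, not from the original post and not a vendor's code.
The incident records are constructed to illustrate the argument: raw
detections go up year over year while the organization is losing ground.
"""
from datetime import date
from statistics import median

# Constructed sample: one record per malware family that landed on a
# machine. ``first_seen`` is when it landed, ``signature_available`` is
# when AV coverage shipped (None = never), ``detected`` is whether the
# organization's AV ever flagged it.
SAMPLE_INCIDENTS = [
    {"family": "fam-a", "year": 2008, "first_seen": date(2008, 2, 1),
     "signature_available": date(2008, 2, 3), "detected": True},
    {"family": "fam-b", "year": 2008, "first_seen": date(2008, 5, 10),
     "signature_available": date(2008, 5, 15), "detected": True},
    {"family": "fam-c", "year": 2008, "first_seen": date(2008, 9, 1),
     "signature_available": date(2008, 9, 11), "detected": True},
    {"family": "fam-d", "year": 2008, "first_seen": date(2008, 11, 20),
     "signature_available": None, "detected": False},
    {"family": "fam-e", "year": 2009, "first_seen": date(2009, 1, 5),
     "signature_available": date(2009, 1, 6), "detected": True},
    {"family": "fam-f", "year": 2009, "first_seen": date(2009, 2, 10),
     "signature_available": date(2009, 2, 20), "detected": True},
    {"family": "fam-g", "year": 2009, "first_seen": date(2009, 3, 1),
     "signature_available": date(2009, 9, 1), "detected": True},
    {"family": "fam-h", "year": 2009, "first_seen": date(2009, 4, 15),
     "signature_available": date(2009, 4, 29), "detected": True},
    {"family": "fam-i", "year": 2009, "first_seen": date(2009, 6, 1),
     "signature_available": None, "detected": False},
    {"family": "fam-j", "year": 2009, "first_seen": date(2009, 7, 1),
     "signature_available": None, "detected": False},
    {"family": "fam-k", "year": 2009, "first_seen": date(2009, 8, 1),
     "signature_available": None, "detected": False},
    {"family": "fam-l", "year": 2009, "first_seen": date(2009, 10, 1),
     "signature_available": None, "detected": False},
]


def raw_detections(incidents, year):
    """The 'bulk score': number of incidents the AV flagged that year."""
    return sum(1 for i in incidents if i["year"] == year and i["detected"])


def detection_ratio(incidents, year):
    """Detected divided by everything that actually landed that year.

    This is the number to compare year over year; a rising bulk score
    with a falling ratio means the organization is losing ground.
    """
    seen = [i for i in incidents if i["year"] == year]
    if not seen:
        return 0.0
    return sum(1 for i in seen if i["detected"]) / len(seen)


def exposure_days(incident):
    """Days between the attack landing and a signature existing for it.

    Returns None when no signature ever shipped; the signature count a
    vendor publishes says nothing about this window.
    """
    sig = incident["signature_available"]
    if sig is None:
        return None
    return (sig - incident["first_seen"]).days


def median_exposure(incidents, year):
    """Median exposure window over the incidents that did get coverage."""
    covered = [d for d in (exposure_days(i) for i in incidents
                           if i["year"] == year) if d is not None]
    return median(covered) if covered else None


def year_over_year(incidents, prev_year, year):
    """Contrast bulk-count growth with attack-volume growth (assumed helper)."""
    raw_prev, raw_cur = raw_detections(incidents, prev_year), raw_detections(incidents, year)
    seen_prev = sum(1 for i in incidents if i["year"] == prev_year)
    seen_cur = sum(1 for i in incidents if i["year"] == year)
    raw_growth = (raw_cur - raw_prev) / raw_prev if raw_prev else 0.0
    volume_growth = (seen_cur - seen_prev) / seen_prev if seen_prev else 0.0
    return {
        "raw_growth": raw_growth,
        "volume_growth": volume_growth,
        "ratio_prev": detection_ratio(incidents, prev_year),
        "ratio_cur": detection_ratio(incidents, year),
        # Detections must at least track attack volume, or coverage is shrinking.
        "losing_ground": raw_growth < volume_growth,
    }


if __name__ == "__main__":
    print(year_over_year(SAMPLE_INCIDENTS, 2008, 2009))
    print("median exposure 2009 (days):", median_exposure(SAMPLE_INCIDENTS, 2009))
```

In the constructed data the bulk score rises from 3 to 4 detections, which is the slide an executive sees, while the detection ratio falls from 0.75 to 0.5 and the median exposure window grows.  The `losing_ground` flag is the check to put on the dashboard next to the raw count.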

Because Triumfant uses change detection to identify malicious attacks, we have always been open about the limits of our ability to see attacks that were already resident before our installation: whatever is on the machine when the baseline is taken becomes part of that baseline.  That being said, we inevitably see anomalies soon after we are installed that are artifacts of attacks that have already passed through the organization’s shields.  Once installed, we readily detect what does make it through the organization’s shields, as well as attacks carried out by malicious insiders.  It is eye opening to the organization just how many attacks have gotten, and are getting, through.

Don’t let yourself be lulled to sleep by bulk detection rate numbers.  A lot of attacks are getting through, so counting detected attacks is potentially a false gauge of success.


Defense in Depth – There is No Perfect Shield

April 20, 2010

Everyone wants the perfect shield for their endpoint population.  All malware should be detected and blocked before it has a chance to do anything bad to any given machine.  Nothing less is acceptable.

Not going to happen.  Sorry.  Truly I am.  See “Why Bad Things Happen to Good Endpoints” and “It is Raining and You Will Get Wet”.

Defense is always playing catch up.  Always has been, always will be.  Today’s stellar defense is one offensive innovation from being compromised.  It is the nature of the game and examples abound.

(Image caption: A failed defense in depth strategy)

My family spent spring break in London and Paris and saw all manner of personal armor that was quite effective – until the crossbow was perfected.  In the 19th century, the best and brightest were trained as military engineers because the construction of earthworks was critical to defending fortified positions against cannon fire – until the airplane arrived and munitions could be delivered from directly above a position.

The gap does not always come from leaps of technology or sophistication.  When U.S. forces entered Iraq it was the improvised explosive device (IED), a crude, homemade weapon, that forced the retrofitting of our advanced vehicles with additional armor.  Statistics abound showing that major threats (Conficker, for example) were built on simple vulnerabilities that had been identified six months or more before their use.

Today we in IT security chase the same elusive goal and ignore the obvious: there will always be gaps and stuff will always get through.   It is time that government agencies and businesses come to terms with the inevitable and think about technologies that can help them detect what does make it through their defenses instead of continuously chasing the promise of the perfect shield.

The adversary is tirelessly creating new attacks that evade existing defenses.  Sometimes those attacks evade detection for weeks and even months.  And when they are detected, there is a lag between when the attack is analyzed, a protection is built, and the protection is deployed.  During that gap organizations are at risk.  And given that so many of the detection tools still rely on prior knowledge of an attack to see the attack, organizations are often left unaware that they were breached, much less empowered to fight back.

Stuff will get through.  Any vendor or expert that tells you otherwise is not being honest.  There is nothing wrong with seeking protection from attacks, but you are putting your organization at risk if you do not have something in place when the inevitable happens.  It also makes sense that a new approach is needed, because if the attack got through it follows that the normal protection techniques have been evaded.

Change detection has long been viewed as the right approach for detecting attacks that make it to a machine.  The logic is simple – unless the attack can enter the machine, start itself and perform its malicious activity without changing the machine, change detection is an effective triggering mechanism for analysis and ultimately identifying the attack.

Triumfant can not only detect and analyze these attacks, it will correlate changes so you can see the full extent – primary and secondary artifacts – of the attack and will even build a remediation that is contextual to that attack on that specific machine.  It can take what it learns and recognize subsequent attacks, or if the attack morphs it will still see it based on the changes.
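The two paragraphs above describe change detection as a trigger and the correlation of primary and secondary artifacts into a remediation.  Here is an added example that is not Triumfant’s code and not from the original post: it baselines a throwaway directory that stands in for a host, diffs a later snapshot, groups a dropped file with the persistence entry that points at it, and emits a remediation plan for that pair.  The directory layout, the JSON “autorun” file standing in for a registry Run key, and the helper names are all assumptions of this example.

```python
"""Change detection as the trigger, then artifact correlation.

Added example, not Triumfant's code and not from the original post.
A temporary directory stands in for a host's file system and a JSON
file stands in for a persistence store (e.g. a Run key); both are
constructed here for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Hash every file under root, keyed by POSIX-style relative path.

    Caveat from the post: anything on the box when the baseline is taken
    becomes 'normal', so an implant that predates the baseline is not
    flagged by a later diff.
    """
    snap = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            snap[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()).hexdigest()
    return snap


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify changes; no signature is involved, only the delta."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def correlate(changes: dict, persistence: dict) -> list:
    """Pair each dropped file (primary artifact) with persistence entries
    that reference it (secondary artifacts)."""
    groups = []
    for primary in changes["added"]:
        secondary = [f"autorun:{name}" for name, target in sorted(persistence.items())
                     if target == primary]
        groups.append({"primary": primary, "secondary": secondary})
    return groups


def remediation_plan(groups: list) -> list:
    """Build a per-machine remediation: remove the file and its hook."""
    plan = []
    for g in groups:
        plan.append(("delete_file", g["primary"]))
        for s in g["secondary"]:
            plan.append(("remove_persistence", s.split(":", 1)[1]))
    return plan


def demo() -> dict:
    """Constructed host: baseline it, simulate a missed intrusion, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "config").mkdir()
        (root / "docs").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"legitimate service binary")
        (root / "docs" / "readme.txt").write_text("notes\n")
        autorun = root / "config" / "autorun.json"
        autorun.write_text(json.dumps({"svc": "bin/svc.exe"}))
        baseline = snapshot(root)

        # Simulated attack that got past the shields: drop a payload no
        # AV signature knows about and register it for persistence.
        (root / "bin" / "updater.exe").write_bytes(b"dropped payload, unknown to AV")
        entries = json.loads(autorun.read_text())
        entries["updater"] = "bin/updater.exe"
        autorun.write_text(json.dumps(entries))

        current = snapshot(root)
        changes = diff_snapshots(baseline, current)
        groups = correlate(changes, json.loads(autorun.read_text()))
        return {"changes": changes, "correlated": groups,
                "remediation": remediation_plan(groups)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the trigger is the delta and not a hash of the payload, a morphed copy of the same dropper still shows up as an added file with a modified persistence store; the trade-off is the baseline caveat noted in `snapshot`, which is why a fresh baseline is taken on a machine you already trust.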

One of the most downloaded blog entries was called “Antivirus Detection Rates – It Is Clear You Need a Plan B”.  The more I think about the title, the more I realize I was wrong: having a tool in place that will detect what passes through your shields is a Plan A item and must be part of any defense in depth strategy.  Stuff will get through, and you need some form of detection capability when all of the shields fail.


Face to Face With a Zealot – Why Innovation Gets Throttled

March 23, 2010

I had an interesting brush with zealotry the other day that served as a stark reminder of what those of you who make IT security decisions for your respective organizations face on a daily basis.  This experience folded nicely with a great blog post by Rich Mogull in the Securosis blog (“There is No Market for Security Innovation“) because I think the zealotry I experienced is one of many factors that throttle innovation.

I was on the phone with a partner discussing how we could align our respective products to cooperatively go to market.  Joining the call was a product manager (who I shall call PM going forward) for a specific product within the partner’s product line.  I was asked to describe what our product could do, and after doing so, was immediately met with PM conveying a general sense of “my product does all of that and more” as I was subjected to an enthusiastic Gatling gun fusillade of breathless features and counterclaims.

By the time the PM was done describing the length, breadth and depth of PM’s product, I could almost feel the hair growing back on my bald spot and my previously receding hairline reclaiming lost ground on my forehead.  I am quite sure world hunger was also on the decline and cold fusion was only minutes from discovery.  Fortunately, as my cynicism and hair loss problem probably indicate, this is not my first rodeo, and I had done some pretty extensive competitive research on PM’s product.  Suffice to say the general consensus amongst the analysts and reviewers (including user feedback) does not reflect the unbridled enthusiasm of PM.

After the call I stepped back to think about the exchange and tried to put myself into the shoes of the prospects I see almost daily.  I got the sense that PM either did not care to hear me or the zealotry simply overwhelmed him/her.  What was most important to PM was to tell me all of the things the product could do rather than align with me as a partner.  I am quite certain the same thing would have happened if I were a buying prospect – I would have been told what the product would do rather than how it would help address my specific problem.  Any question I had would have been met with an enthusiastic “Yes” before I got half of my sentence out.  I am not accusing PM of being deceptive – I chose the word zealot because zealots honestly believe they have that capability.

Mogull notes that buyers don’t consider innovative products until they believe “existing tools are failing so badly that you can’t keep the business running”. An exchange with a zealot such as I experienced would certainly give a buyer enough assurances – whether the buyer believes it or wants to believe it to avoid a purchase – to step away from making a bet on a newer product.

Prior to RSA I had a blog entry where I described similar zealotry on the exhibit floor under the name denial of innovation attack (Beware the “Denial of Innovation” Attack at RSA).  My encounter with PM reminds me that this is not an RSA specific phenomenon and is in fact a daily occurrence.  I appreciate that PM was doing his/her job, but it was a stark reminder to be on the other side of the equation and it certainly gives me a renewed appreciation for those of you who make buying decisions for your respective organizations.