Security Fails of 2009 – The Marine One Breach

December 10, 2009

As 2009 draws to a close I think no one would argue that this has been an extremely eventful year for IT security.  While others will soon be trotting out their “best of 2009” lists, I thought I would instead visit some of the prominent fails of 2009 in hopes that we can learn from the mistakes of the (recent) past.  So without further ado, here is the first of the Security Fails of 2009.

In early March it was reported that the detailed plans for the refresh of the Marine One helicopter used by the President had been compromised.  Soon after, detailed data about the new Joint Strike Fighter were also compromised.  Both incidents were traced back to peer-to-peer software on a machine holding the data.

These high-profile incidents catalyzed some interesting dialogue about peer-to-peer applications in particular and unauthorized applications in general.  There was an immediate rush to unilaterally remove all peer-to-peer software from endpoint computers without any qualitative analysis of what other contributing factors led to the loss of sensitive data.  Such baby-with-the-bathwater thinking never leads to true progress, and my guess is that peer-to-peer applications have proliferated, not decreased, through the year.  In fact, an article in CIO magazine cited a study that showed that “an average of six peer-to-peer applications were found in 92 percent of the organisations surveyed”.

A much broader and more constructive dialogue emerged around the control of unauthorized applications.  Whitelisting rose to prominence in 2009 as everyone came to terms with the continued difficulty antivirus software has in keeping up with the evolving threatscape.  But for whitelisting to be effective – to actually block unauthorized applications – the organization must be in lockdown.  Otherwise, the endpoint user becomes the greylist administrator and is asked to decide whether to block the suspect software.  This is where my cynical nature kicks in, because in many cases it is the user who initiated the install, and heck yes they want to proceed.  Alas, whitelisting joins the distinguished list of “not the silver bullet”.

The dialogue also prompted investigation of personal-use policies for company endpoint machines.  It has become broadly assumed that the computer provided by the employer is an open invitation to load just about any software the user desires.  Obviously this has enormous consequences for security readiness and risk.  I have no hard statistics for you, but I can offer an interesting anecdote.  Triumfant detects and catalogs all of the applications running on an organization’s endpoint population.  When we install our software we often ask the customer what their worst guess would be as to how many applications they have in their environment.  Then we run our application inventory report and show them the actual count.  For any customer that allows personal use, the number on the report is normally a minimum of ten times that worst-case guess.

The Marine One fail brought the unauthorized-application conundrum squarely into the spotlight.  The DoD and the intelligence community have already locked down their environments, but the Marine One plans were leaked from a contractor’s machine, so the wall is not airtight.  The more vexing question comes for commercial organizations competing for talent in the market, as personal use of a company PC has become an expected perk of employment – the genie is already out of the bottle.  As a result, the IT security folks who already have their hands full protecting the corporate treasures from the bad guys must also deal with the increased risk from applications loaded by their own fellow employees.  Add the growing use of social media applications, and the problem brought to light by the Marine One fail is clearly not going away as we close the year.


It is Raining and You Will Get Wet

August 26, 2009

Ever walk down the street on a rainy day?  You can have the best umbrella in the world and you will still get wet.  When I get asked the question “why do I need Triumfant when I have other defensive software?” the answer is found in that rainy walk – because you will still get wet.  Malicious stuff will get through your defensive shields, and when it does you need something that will address those problems on your endpoint machines.


Notice that I am not looking to convince you I have a better umbrella, because we never portray Triumfant as a shield.  Nor am I telling you to throw away your existing umbrella, because we never position Triumfant as a replacement for antivirus software, nor do we claim that having Triumfant means you no longer need AV.

But you do need to recognize it is raining and you will get wet.  I have touched on the proof points separately at times but I have never laid them end to end until now.  So here they are:

  • It rains harder every day.  Symantec reported in their Global Internet Security Threat Report, 2009 that there were 1.6M new malware instances in 2008, exceeding the 1M counted as the number of attacks for all previous years combined.  Both McAfee and Symantec show that this 1.6M number was passed sometime mid-summer 2009.  If you graph the numbers you will see that they increase geometrically.  For example, McAfee saw twice as many attacks in the second half of 2008 as in the first half of that same year.
  • It is raining sideways more than ever.  McAfee Avert Labs noted in a recent blog post that they see 6,000 new malware instances per day that pass through their signatures, generic filters and heuristics.  Extrapolating this number to the entire year would get you to over 2M attacks that pass through the traditional protections.
  • The rain comes from a different direction every second.  An August 13 article in SC Magazine cites a study that found that cyber criminals are now designing malware to last 24 hours before becoming inactive.  The study noted that 52 percent spread for just 24 hours, nineteen percent last for two days, and nine percent persist for three days.  Malware designers produce hundreds of unique samples that carry the malicious payload in order to evade detection.  Essentially, by the time the malware is detected, analyzed and a signature created, the cyber criminals have long since moved on.
  • The rain is straining the capacity of your umbrella.  A recent white paper called the Cyber Intelligence Report, August 2009 by Cyveillance provided average daily detection rates for the period of 5/12/09 through 06/10/09.  Cyveillance fed active attacks consisting of confirmed malicious files they had detected from the Web into 13 of the top antivirus solutions and tracked the detection rates.  The results are, to say the least, eye opening, as the average detection rate reported was roughly 30 percent.

It is raining hard and relentlessly on your endpoints, and sometimes it is coming down sideways.  But it is not just the traditional attack vectors that you must address in the fight for endpoint protection.  There are increasingly nasty rootkits that evade traditional defenses.  There are polymorphic attacks with rotating binaries that automatically morph themselves so they never look the same on any two machines.  There are new classes of attacks like drive-by SQL injections and registry-based attacks.  There is the work of the malicious insider who either directly corrupts the machine or alters its defenses so it can be corrupted by outside influences.  There are new ways to subvert software assurance and the software supply chain to embed malicious code in what is thought to be trusted software.  And as always, there is the most nefarious problem of them all – the carbon-based life form installing peer-to-peer software, using Facebook, and going to Jessica Biel picture sites.  It is not just raining sideways; sometimes it must feel like it is raining up!

What is clear is that bad things will get past the traditional defenses to the endpoint, and it is time to consider what will protect your organization when that happens.  That is where we come in – we see the malicious attacks that make it to your endpoints: the stuff that falls through the other defenses, the zero-day attacks, and the newest variations of existing attacks, plus all of the attacks that come through exotic vectors that defensive endpoint security software may not yet address.  We build a normative whitelist of your environment and can tell you if something is installing that does not exist anywhere else in your environment.
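The normative-whitelist idea above, illustrated as an added example (not Triumfant's code): applications are treated as normal when enough of the endpoint population carries them, and an install that exists on few or no other machines is flagged for attention. The inventory below is constructed sample data; the thresholds and the host/app names are assumptions.

```python
from collections import Counter

# Constructed sample inventory (not real customer data): endpoint -> installed apps.
INVENTORY = {
    "host01": {"Office", "Reader", "Firefox", "AV Agent"},
    "host02": {"Office", "Reader", "Firefox", "AV Agent"},
    "host03": {"Office", "Reader", "Firefox", "AV Agent", "P2P Client"},
    "host04": {"Office", "Reader", "Chrome", "AV Agent"},
    "host05": {"Office", "Reader", "Firefox", "AV Agent", "Chrome"},
    "host06": {"Office", "Firefox", "AV Agent", "svchosts.exe"},
}


def app_prevalence(inventory):
    """Map each application to the fraction of endpoints it is installed on."""
    n = len(inventory)
    counts = Counter(app for apps in inventory.values() for app in apps)
    return {app: c / n for app, c in counts.items()}


def build_normative_whitelist(inventory, min_prevalence=0.5):
    """Applications common enough across the population to be treated as normal."""
    return {app for app, p in app_prevalence(inventory).items() if p >= min_prevalence}


def find_rare_apps(inventory, max_hosts=1):
    """Applications seen on max_hosts or fewer endpoints, with the hosts they were seen on."""
    where = {}
    for host, apps in inventory.items():
        for app in apps:
            where.setdefault(app, []).append(host)
    return {app: sorted(hosts) for app, hosts in where.items() if len(hosts) <= max_hosts}


def classify_install(inventory, host, app, min_prevalence=0.5):
    """Triage a newly observed install on `host` against the rest of the population.

    Returns "known" (widespread), "rare" (present elsewhere but uncommon) or
    "unique" (exists nowhere else in the environment).
    """
    others = {h: a for h, a in inventory.items() if h != host}
    prevalence = app_prevalence(others).get(app, 0.0)
    if prevalence >= min_prevalence:
        return "known"
    return "unique" if prevalence == 0.0 else "rare"


if __name__ == "__main__":
    print("whitelist:", sorted(build_normative_whitelist(INVENTORY)))
    print("rare apps:", find_rare_apps(INVENTORY))
    for host, app in [("host03", "P2P Client"), ("host04", "Chrome"), ("host01", "Office")]:
        print(host, app, "->", classify_install(INVENTORY, host, app))
```

The population threshold is the tuning knob: a lower `min_prevalence` produces a larger whitelist and fewer alerts, a higher one surfaces more installs for review.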

And once we detect it, we can also remediate it.  The context provided by our patented analytics enables Resolution Manager to see all of the changes to a machine that are part of the attack, making our solution uniquely able to build a remediation that addresses the entire scope of the attack and restores the machine to its pre-attack condition.  BTW, that context I speak of is what really sets us apart – for example, it allows us to beat the false-positive problem – so you may want to look at the associated post.

Folks, it is raining, and don’t look for the rain to quit or even subside, because it gets worse by the day.  And you will get wet.  That is the value of Triumfant – we are that last line of defense when you do.


Marine One Data Breach and Unauthorized Software

March 6, 2009

There was a lot of chatter earlier in the week about the data breach regarding the plans for the next version of Marine One, the POTUS helicopter (http://government.zdnet.com/?p=4387).  It seems that a contractor on the project had a machine with a peer-to-peer application that has been identified as the source of the leak.


The amount of unauthorized software on computers creates untold vulnerabilities that result in incidents such as this one around Marine One.  The fact is, employees now see their company machines as their personal computers and install all manner of potentially dangerous applications, regardless of the consequences.  Many organizations are really in the dark about the amount of unauthorized software on their machines.  I had one company relay a story about expecting to find 150 to 200 applications in their endpoint population; instead they were shocked to find over 9,000 applications running on the first 1,000 machines they checked.


What is more surprising is that many companies don’t take the steps and enforce the policies needed to prevent this problem.  Triumfant’s solution can continually detect and automatically remove unauthorized applications without human intervention, with policies that can be tuned for specific user groups and exceptions.  In fact, one customer story on our web site is about a customer that uses the product for that very purpose and is realizing significant savings in the process.


Bottom line: there is no excuse for these types of breaches, as solutions exist today – like ours – to readily eliminate peer-to-peer and other potentially harmful applications.