Digitally Signed Malware Proves Again That Attacks Get Through Your Shields

March 16, 2012 by Leave a comment

So what, Triumfant guy, exactly gets through my shields?  You tell me I will be breached and you give me statistics, but I have AV, whitelisting, deep packet inspection, and every other acronym and buzzword in place. Oh yea, and I have “the cloud” (pause for tympani emphasis) providing me prevalence information and other cloud-based stuff.

Well, digitally signed malware gets past your protections.  Not according to me, but according to several sources – Symantec, Kaspersky, AlienVault and BitDefender – cited in a March 15, 2012 PC World article “Digitally Signed Malware Is Increasingly Prevalent, Researchers Say”.

It is the blackhat version of “these are not the droids The Droids You Are Looking Foryou are looking for”, using the certificates to get the malicious code waved through.  Some of the first evidence of this technique was found in 2010 in the analysis of Stuxnet.  The PC World article provides evidence that the technique is showing up with increasing frequency.  The article tells in good detail how it works and what protections it can evade, including whitelisting.

This technique is illustrative of the ongoing battle between good and evil in IT security.  Operating system advances in Windows 7 and other OS versions were thought to advance the security of systems, and the adversary then takes the very techniques used to make the systems more secure and subverts them to find new ways to deliver malicious code and evade protections.  I have no interest in impugning the efficacy of prevention software and I have never said to turn off protection software.  What I have said consistently is that attacks will get through your shields.  Here is yet another example of how, and demonstrates that the adversary will always find a way to get through.  No FUD here – I would point out that every vendor cited in this story is a protection software vendor.

This story also illustrates that there are no silver bullets in protection.  Prospects often cite the use of whitelisting tools as their raison d’etre  of why they do not need something like Triumfant, but here is a clear example of how such tools are being evaded.  If you need more, there is a video from Shmoocon that shows multiple techniques for evading several whitelisting tools.  Yet another silver bullet falls short. I am not singling out whitelisting – it is just the current “It” tool of IT security.

Lastly, it is illustrative of how the foundations of trust have become less…well…trustworthy.  I have seen the validation process of a certificate authority up close, and let’s just say I am not shocked to know that malware writers can obtain certificates with false identities. With the RSA breach and other certificate authorities being hacked, the foundation of trust was already showing cracks.  Now we see examples of how trust can be subverted using this technique.

So if this technique essentially waves malware through your shields, how are you going to detect the infiltration?  That is where Triumfant fills the gap, detecting the zero day attacks and targeted attacks, including the advanced persistent threat, that infiltrate your endpoint machines and servers.

I once had a product manager from another company disdainfully tell me “when you find something that gets past my shields, you call me”.  I am looking for his number as soon as I finish this post.

Filed under Endpoint Security Tagged with , , ,

The Reader’s Speak – the Top Ten Posts of 2011

December 19, 2011 by Leave a comment

The year is rolling to its inexorable end and it is time to look back fondly on the top blog posts from Exceptional Security in 2011.  The selection process is generally scientific, using the site stats to gauge reader interest.  But personal bias and self-indulgence are also a factor.  At least I am honest, and I refrain from clichéd predictions.

Advanced Persistent Threat: Solution – No, Effective Detection – Yes.  This post was actually written in January of 2010 but has been the most-read post on the blog.  The post addresses the qualifications of Triumfant as a viable and effective tool for detecting targeting attacks, including APT.

The UC Berkeley Breach – You Don’t Know What You Don’t Know. Another post written before 2011 that continues to resonate.  In fact, this post is a very early expression of what I now call Rapid Detection and Response – the ability to quickly detect the attacks that evade preventative software and quickly respond to the breach.

Trojan Horses, Payloads and Flamethrowers.  This post turns the most overused cliché in IT security – the Trojan Horse – on its ear to illustrate rapid detection and response and the folly of relying solely on perimeter defenses.  Not to mention gross misuse of literary license as I insert flamethrowers into classical mythology.

Sayano-Shushenskaya Accident A Model for What a Duqu/Stuxnet Combo Could Mean.  This post uses the incident at a Russian hydroelectric facility to illustrate what kind of terrorism could be performed with a Stuxnet style attack.  The images from a 900 ton turbine unit tearing free of its moorings seemed to provide readers a visual reference point for the potential of such attacks.

Purely Commercial Espionage – The Advanced Persistent Threat Targets Businesses.  The exact definition of APT is hotly debated, but most see it as cyber warfare at the nation state level and not an issue of commerce.  Regardless of definitions, this post explores the burden that commercial organizations are bearing from targeted attacks that extract intellectual property from U.S. companies, negatively affecting the economy.

Certificate Authorities Hacked – So Who Can You Trust? This post speaks to the corruption of the chain of trust caused by the hacking of several certificate authorities.  The important takeaway is that prevention mechanisms can be fail along a variety of vectors, so adding rapid detection and response is necessary and prudent.

The Emotional Barriers to Embracing the Presumption of Breach Doctrine.  Why, in the face of all statistics and other forms of evidence to the contrary, do people cling to the notion of the 100% effective preventative shield?  This post looks at the emotional component that prevents highly rational people from admitting that they are getting breached and taking the appropriate action. I think it is a concept worth exploring more broadly.

Finding a Needle in a Haystack – Child’s Play! Another alternate take on a treasured IT security cliché – the needle in the haystack.  Specifically that finding a known thing – the needle – in a homogenous population – the haystack – was a far easier proposition than locating malware without a signature in the vast IT world. Too big to do in one post, it turned into a series of posts.

Virus Attacks U.S. Drone Fleet and the Need for Rapid Detection and Response.  Sometimes when you are trying to get some traction around a concept or term, the world throws you a bone.  As I was introducing the concept of Rapid Detection and Response, the story broke about the attacks on the C&C center for the U.S. drone fleet and how that was a perfect scenario for the concept.

Time to Put Your Antivirus Software on a Diet.  This was posted in late 2010 but got a lot of reader momentum in 2011.  The post is an answer to the question frequently asked when we present Triumfant: “Are you saying you replace antivirus tools?”.   As a bonus, it contains my favorite phrase of 2011: fusillade of FUD.

Well, that wraps 2011 for Exceptional Security unless something big happens that requires comment.  Otherwise, thank you for reading – it is always humbling to know that someone takes the time to read.

See you in 2012.

Filed under Endpoint Security Tagged with , , ,

The Emotional Barriers to Embracing the Presumption of Breach Doctrine

November 1, 2011 by 5 Comments

Every day, another breach.  For every breach story we read, what would you guess is the number of known breaches that do net get reported? 1? 5? 100?  Then there is the big unknown.  The “you don’t know what you don’t know”.  How many breaches are there that will go undiscovered for yet another day?  I have used the following numbers from the  Verizon Business 2011 Data Breach Investigations Report (published May 2011) times: 60% of breaches go undiscovered for a month or more and 84% are discovered by someone outside of the organization.

I witness a very interesting response to the inescapable reality of today’s IT security environment every day from a somewhat unique position.  How Triumfant works and what it does requires organizations to make the fundamental recognition that attacks are getting past their shields and therefore they are getting breached.  In the overwhelming face of the available evidence this would seem to be an easy and completely defensible position for any organization to take.  Yet I consistently see a resistance that seems to be rooted in emotion rather than reason.

As Commodus put it in Gladiator: “It vexes me. I’m terribly vexed.”  So much so I have thought long and hard about the emotional side of this problem and have come to what I think are interesting and valid conclusions.

First is the inability to let go of the notion of full protection against attack and embrace the “Presumption of Breach” doctrine.  It is far more comforting to have 100% faith that your shields will protect your systems without fail and without regard to the attack or attacker. Everyone wants to be protected, and is far more comfortable thinking about prevention versus detection.  When you have spent 20+ years building walls and feeling protected (albeit a false comfort) behind those walls, a conversation about breaches rocks that world profoundly.  Another paradox is that the more organizations are in denial, the less likely they are to have detection capability, which means they won’t know they have been breached, which only feeds their denial.

The IT security market feeds on the myth of the 100% shield and continually sells the next layer to organizations with the promise that this time, THIS TIME, we have the answer.

If an organization faces the uncomfortable reality that they have been breached, then there is an emotional backlash: “How could this be?  My IT security team assured me we were protected!  My vendor partner also assured me we were protected! Who is to blame?”  The problem also cuts across personal boundaries to the heart of the reputation and job security of key people in the organization, because assuming that the organization has been breached creates the misconception that someone has to be at fault.

Let’s address these backlash issues directly.

This is not the fault of the CSO/CISO or the IT Security team, nor have these people failed the organization.  They are up against a motivated, organized, and relentless adversary who benefits from the advantage that offense always has on defense.  A motivated, well-funded and patient adversary that wants to target a specific network for a specific organization is really hard to stop.  The roster of recently breached organizations is a who’s who of the most sophisticated and disciplined security practitioners on the planet.  If they were breached, why would your organization be different or exempt?  Doing the prudent thing and putting a solution in place to detect breaches and provide a rapid response is not an admission of failure by IT security.

This is not the fault of the shield software in place.  At least not completely. There is no 100% shield and in spite of vendor claims there is no silver bullet.  If you bought a shield product believing to be 100% effective, then the fault is yours.  Embracing the cold hard fact that every shield can be evaded is the first step toward progress.  This logic also applies to the notion that getting breached does not imply that the person who bought the shields failed.

This is not the fault of IT management.  Pushing through a new tool that detects successful breaches may raise all manner of questions to the executive level and the board who likely received assurances that the necessary shields were in place.  Breaches now bring reputational risk that could negatively affect consumer trust and even business valuation.  Getting breached is a business risk as well as a security risk, and executive management and the board must be educated accordingly.

This is not going to happen to our organization.  Hope is not a strategy.  Neither is denial.  There are two types of organizations: those who know they have been breached and those who don’t yet know.  The Advanced Persistent Threat is not just a problem for the DoD or the NSA.  The recent Duqu attack is yet another wake-up call that organizations can no longer gnore.

Uncomfortable realities are, well, uncomfortable.  But they are reality nonetheless.  Organizations need to embrace the reality of the moment, get past the emotional objections and associated finger pointed, and face the challenges that this new reality brings.  You will get breached.  Attacks will evade or get past you shields.  You must have a tool in place to perform rapid detection and response to those breaches.

Filed under Endpoint Security Tagged with , , , ,

Making the Case for Rapid Detection and Response

October 4, 2011 by 9 Comments

In my post “You Need a Plan B for Security“, I cited two numbers from the Verizon Business 2011 Data Breach Investigations Report (published May 2011): 60 and 86.  These two numbers jumped out at me from the report because they are subjective numbers that emphatically support the need for rapid detection and response to identify those attacks that get through preventative IT security software. The attacks that either evade perimeter and endpoint shields, or the attacks that the shields simply fail to detect.

“60” represents the percentage of attacks in the study that went undiscovered for a month or more.  Three out of five attacks that got past the organization’s shields were free to do damage on the host machine and the network for an extended period.  Free to establish command and control, spread to critical systems, and exfiltrate sensitive data and intellectual property.  By the way, there is nothing to indicate that these attacks were super sophisticated zero days or the advanced persistent threat.  The lack of rapid detection and response makes such sophistication unnecessary.

Organizations rest in the false security of security suite reports that show a steady increase in malware detection rates artificially inflated by the always-increasing number of attacks.  Or they are willing to take a gamble that the number of attacks that do get through will be minimal.  Ask Sony how many attacks it takes to cause an enormous amount of seemingly endless headaches and public relations hits.  Better yet, ask their CEO who is under pressure to resign because of the incident.

“86” represents the percentage of reported attacks that were discovered by a third party.  Conversely, this means the attacked organization found the problem only one out of eight times.  If a third party had not brought the attack to their attention, it may have never been discovered.  One could easily surmise that if left to the attacked organization to detect the problem, the 60% number above could have been much worse.

It is clear that organizations are not prepared to detect and respond to successful attacks.  One out of eight is a horrible rate given the accelerating pace that attacks are getting through the shields.  They most certainly are not prepared to detect these attacks rapidly before they can cause significant damage.

There is another component to consider.  Detection of the attack by a third party means that the attacked organization’s dirty laundry is now public.  At a minimum this erodes public and consumer trust and at its worse can negatively impact the organization’s brand and potentially affect valuation.

Budgets are tight, the economy staggering.  Rather than spend more money on yet another shield that will get compromised, organizations may want to take the numbers 60 and 86 to heart and take a hard look at their rapid detection and response capability.  Because by ignoring the need for rapid detection and response, organizations are enabling the adversary to establish a long term and highly destructive presence in their environments.

Attacks are getting through.  You must have a way to effectively identify successful attacks and provide the actionable information to make an informed and rapid response.

Filed under Endpoint Security Tagged with , , , , , ,

Plan B Gets a Name: Rapid Detection and Response

September 22, 2011 by 3 Comments

I have been openly evangelizing for a Plan B for malware detection for three years.  I have also been looking for a name for this approach, and today I saw an article that used a term that I have seen in several places lately that I think has some merit:

Rapid Detection and Response.

Great way to describe the concepts offered in a general sense here, and a great way to describe one of the fundamental benefits of Triumfant.

In short, the perimeter is porous, and attackers are smart, motivated and well funded and will target specific things at specific organizations.  The net is that attacks are getting past shields at an increasing rate.  You must have a way of quickly identifying the attacks that do get through and have the information to trake an immediate and informed response.

Triumfant detects the attacks that evade your defenses.  Detection is within minutes of the attacks and returns a comprehensive forensic analysis of the attack including every granular attribute affected.   Triumfant will also build a contextual remediation that will repair the machine, stopping the attack and fixing the collateral damage to the machine.  For details, I suggest you go to the solution brief and the white paper on Malware Detection and Remediation.

Triumfant detects, it does so rapidly, and it formulates a response automatically.  Triumfant detect rootkits.  Triumfant detects zero day attacks.  Triumfant detects the advanced persistent threat.  That sounds like Rapid Detection and Response to me.

Filed under Endpoint Security Tagged with , , , , ,

Time to Take an Open Minded Plunge

August 31, 2011 by Leave a comment

This blog entry is unique because it is the first one written on my new Apple MacBook Pro that I put into service yesterday. The move to the Mac is one of two personal paradigm shifts I have experienced recently, and the process speaks to the changes the IT security industry is experiencing today.

The second paradigm shift was the move from a BlackBerry to a Droid. As near as I can remember, I have had a BlackBerry device of some form for at least the past 10 years. It was an extension of my everyday activity, and that connection only deepened when the PIM device was merged to a phone. As other SmartPhone platforms grew smarter I was able to reconcile my BB loyalty based on my belief that the BB was a better e-mail platform, which of course had long ago became a myth. When the trackball on my BlackBerry stopped working and I was forced to change devices, I finally acquiesced and grabbed a Droid device.

Not only do I not miss my BlackBerry, I never looked back for a second. No misty eyed nostalgia, no frustration that I had somehow lost productivity or functionality. Only the periodic “What took you so long?” self-flagellation as I realized how much I had been missing by clinging to the past in the face of all evidence to the contrary.

I am less that 24 hours into my Mac ownership and I am feeling the same. The transition has been as painless as my departure from the BlackBerry world, and equally pleasing from a business perspective and from a personal perspective. What really surprised me is just how little I brought from my Windows PC to the Mac. Part of that is easy to explain: the world has shifted from host-based applications to web-based applications. The world has changed.

Much of what frustrates me in the security space is the irrational insistence to cling to the tools and techniques of the past. When it comes to attacks and attackers, the world has changed dramatically in the past five years, yet organizations doggedly cling to the security technologies and tools of the past. Headlines scream to the need to change, but new ideas seem to be viewed with enormous skepticism. And the large IT security companies that have traditionally dominated the space are allowed to wield incredible influence and drive the market based more on what they offer versus what the customer needs. I see heated arguments over the definition of the Advanced Persistent Threat, but little to help organizations detect APT attacks.

Funny, but Windows and BlackBerry both promised me that they could step up and give me everything that the new technologies offered, and I bought it for a time. I had to really take an open-minded plunge to really see the folly of that line of thinking. I would encourage the decision makers in IT security to do the same.

Filed under Endpoint Security Tagged with , , , ,

Einstein Could Smell the Coffee – Can You?

July 21, 2011 by 1 Comment

We cannot solve our problems with the same thinking we used when we created them” Albert Einstein

The past weeks have been on a Headline-per-day rate of high-profile hacks (today it is NATO). What makes these hacks stand out is that they are mostly organizations that you would expect to be secure – Citigroup, Booz Allen, and MIT are a short representative list. Sony is still reeling from their PS3 hack, and shareholders are calling for the resignation of the CEO.

Yet even at the companies that have been hacked, old thinking is being employed as the solution. Or as Einstein put it: the same thinking we used when we created the problem. The bigger tragedy may be that companies continue to look toward vendors who have rested on old technologies and have pushed half-hearted spackle jobs to cover the holes in their products as “innovation”.

Wake up. Smell the coffee. Because it is brewing and it is strong. The adversary has moved on to new techniques and is operating with a new boldness because of tepid defenses we put in their path. Heck, they don’t even have to come up with new techniques or reach the lofty designation of Advanced Persistent Threat, because we don’t adequately defend against the well-known vulnerabilities and attack vectors. We either forego locks on the door or install them only to not bother with turning the dead bolt and engaging the lock. And in the face of enormous evidence that the locks are no longer effective, we continue to install new, shiny versions of the same old technology, only to scratch our heads when tomorrow’s headline is revealed.

How many more lead headline hacks will companies need to see before looking to innovative approaches? Has everyone become so numb that they look the other way until they are the headline? The recent attacks have been characterized as “unsophisticated” as if that should be somehow comforting. I think it is the opposite, because it is likely the sophisticated attacks are working undetected, busily extracting confidential data and corporate IP.

I believe Einstein would tell us that it does not take a genius to see the problem, and it does not take a genius to determine that it is time to embrace new approaches to security. Funny thing is that I discovered this Einstein quote while verifying the attribution of another quote that also applies here:

Insanity: doing the same thing over and over again and expecting different results.” Albert Einstein

Filed under Endpoint Security Tagged with , , , ,

USB Drives – Cool Tool or Malware Delivery Device

May 17, 2011 by 1 Comment

Behold the USB drive. Simple. Functional. Efficient. The USB device is also a symbol of all that makes IT security so difficult. But take heart, because the USB device is also illustrative of the functions and benefits of Triumfant.

Why does the USB key represent the difficulties with IT security? Because a USB device
is an infiltration and exfiltration method wrapped into one tidy package. The bad guys are using USB devices to deliver malicious payload to host machines because this vector readily evades perimeter network defenses that use techniques like deep packet inspection and sandboxing. Unfortunately, techniques require that the attack come across the wire to work, so the attacks delivered by a USB device easily fly under their radar. The USB device has become a very effective mechanism for delivering the targeted and sophisticated zero day attacks and advanced persistent threats that are becoming increasingly difficult to detect.For an example, start with Stuxnet, the malicious attack that grabbed more headlines than a Britney Spears midnight trip for a haircut. Stuxnet evaded protection by using USB drives for transport to the host machines from which the attack spawned.

In regards to exfiltration, there is no simpler tool for offloading data than a USB device. While this has great utility, it is a major problem in the context of data loss prevention (DLP) activities, as once data is loaded onto a device there is absolutely no control of where that data may land. All bets are off.

You would think that USB devices would be the bane of every IT security person on the planet, yet security vendors give them away at industry tradeshows. Most people will pop in a USB key with little thought of the risk, so a “just say no” approach is not effective. Our CTO was at a customer recently and was told that USB devices were not allowed at the site. Minutes later he produced a report that showed that USB devices had been used in over 20% of the machines in the past two weeks. So much for strongly worded guidelines.

The problems surrounding USB devices are useful in pointing out the value of Triumfant:

Malware detection and remediation. Triumfant will detect attacks that are delivered to a machine via a USB device, analyze the attack, and build a remediation to stop the attack and repair all of the damage to the machine. Infection to remediation in minutes. Remember, Triumfant detects attacks by identifying and analyzing changes to the machine, and is therefore attack vector agnostic.

Continuous enforcement of policies and configurations. With Triumfant you can build and enforce policies that disables the use of removable media like USB devices. Triumfant will set the policy and remediate any machine found to be out of compliance.

Continuous monitoring/situational awareness. Your organization may choose to not disable USB devices. Triumfant can provide information about what machines have had a USB device inserted and can identify machines with unusually high levels of data movement. Alternately, if you do disable the devices you may also have users with Admin rights to their machines, enabling them to change the configuration of the machine to override the policies. Triumfant can provide information about what machines have had a USB device inserted and identify those machines where the policy has been altered. Triumfant is not a data loss prevention (DLP) tool and therefore cannot tell you what, if any, data was exfiltrated, but we can tell you that such an exfiltration was possible.

In summary, Triumfant is able to protect machines from attacks delivered by USB devices,
is able to enforce configurations that disable the use of USB devices, and provide insight into usage patterns of USB devices.

If only Triumfant could help me find the numerous USB devices my teenagers borrow and never return. Of course, once they have them, perhaps it is best I don’t plug them into my machine.

Filed under Configuration and Compliance Management, Continuous Monitoring, Endpoint Security Tagged with , , , , , , ,

Needle in a Haystack? How to Find an Unknown in an Ill-Defined, Shifting Maelstrom

March 18, 2011 by Leave a comment

In the March 17,2011, post, I demolished the “Finding a Needle in a Haystack” analogy by pointing out that in IT Security we don’t know what we are looking for (the needle) and our haystack is not a homogonous pile of hay but is instead a continuously changing, utterly non-homogenous population of one-off configurations and application combinations.  We went from “Finding a Needle in a Haystack” to “Finding an <unknown> in a <ill-defined, shifting maelstrom>”.

I ended by promising you a solution and that is where I begin.

The first step toward a solution is getting your hands around the “ill-defined, shifting maelstrom” that is your endpoint population.  To find what is unwanted or anomalous in that population, you first need a way to establish what is normal for that population.  You could build and dictate normal, and then enforce that normal in a total lockdown.  That is expensive and hard to do, and in my many travels, I have seen exactly two such environments.  The alternative is to monitor the machines in that population, and accurately create a baseline learned from the environment itself.  One that captures all of the exceptions and disparity in all of its glory.  The end result is a normalized, well defined representation of your ill-defined, shifting maelstrom.  A normalized haystack, as it were.

Easy, right?  Not really.  You have to remember that your target is unknown, so you have no idea where it will appear and in what form.  You must also consider that whoever is putting the unknown in your haystack does not want it to be found, and will so design the unknown to evade detection.  Zero day attacks don’t show up as shiny needles.  You can assume nothing; therefore, you must monitor everything as part of your normalized haystack.  You must also remember that the population shifts (wanted change) and drifts (unwanted change) by the moment, so you will need to keep it current.

In short, you will need continuous monitoring that is comprehensive and granular.  Not the kind the scanner vendors sell you that sees some of the machines in weekly or monthly increment, or the kind the AV vendors sell you that sees parts of the machine and not the entire picture.  You will need comprehensive and truly continuous monitoring.

In yesterday’s post, I noted that if you had a homogonous haystack you could remove everything that was hay and what is left should be the thing you are looking for, even if you do not know what that thing was.  Our haystack is not homogonous, but now we have created a baseline that provides the next best thing.  We can’t throw out the hay, so we need a slightly modified approach that uses changes to the machines as our potential indicators to compliance issues and malicious attacks.

If we are smart, we can use this approach to our advantage because once we establish our normative haystack we can continuously monitor the machines and identify changes.  This fuels our detection process and drives efficiency in managing the shift (we want to control the drift, but that is another post) in the population.  By capturing changes, we can keep the image of the population current with minimal drag on the endpoints and the network by moving changes across the wire.  No need to move large images when incrementally smaller change captures will do.

Once we identify the changes, we will need analytics that assess the impact of those changes to the associated machine.  These analytics will leverage the context provided the normalized model of the haystack to identify those changes that are anomalous.  Changes identified as anomalous are further analyzed to gauge their effect on the state of the machine and identify those changes believed to be malicious.  We can use the context and other analytic processes to group changes so that we see the malicious code and all of the damage done to the machine by the malware.

We have successfully identified the unknown in our ill-defined, shifting maelstrom, which, like I said yesterday, is infinitely harder than finding a needle in a haystack.  We did not just find the unknown, we have detailed its composition, analyzed the effect to the machine, and identified its path of destruction.

I think we are onto something here.  This could revolutionize malware detection, creating a detection capability that is agnostic to attack type, vector, and delivery.

But wait, there is more

Filed under Continuous Monitoring, Endpoint Security Tagged with , , , , ,

Finding a Needle in a Haystack – Child’s Play!

March 17, 2011 by 1 Comment

“Finding a Needle in a Haystack” is without doubt one of the most overused analogies in IT security.  After seeing it repeatedly at RSA I offer the following analysis of the analogy:

Finding a needle in a haystack is child’s play.  A walk in the park.  Enormous oversimplification.  Luxury (yes, this is a reference to Monty Python’s “Four Yorkshiremen” sketch – look it up, it fits).

First, the “needle” component is all wrong because it presumes what we are looking for is known.  The problem in malware detection is in seeing those attacks for which there is no prior knowledge.  We don’t know what we are looking for, but we are expected to find it – whatever “it” is.  Unfortunately, the vast majority of malware detection software relies upon prior knowledge to detect malware, leaving a wide detection gap for unknown attacks such as zero day attacks and the advanced persistent threat.  This is problematic as the number of unknown attacks increases in volume and complexity daily, and, as we saw in the recent report of the Nasdaq breach, some needles remain undetected in the haystack for over a year.

The analogy has now degraded to “Finding a <unknown something> in a Haystack”.  Obviously not knowing what it is you are looking for causes some complication, but this problem is addressable given that we are looking for an unknown thing in a well-defined, consistent population, namely the hay in the haystack.  Logic dictates that if you were able to remove everything that was hay, what is left should be the thing you are looking for, even if you do not know what that thing was.

The trouble with that solution is that the people hiding stuff in your haystack do not want you to find it.  So they will make their stuff look, feel, and smell like hay, making it very difficult to readily distinguish what is hay and what is the unknown.  You also face the very real possibility of discovering multiple non-hay unknowns after the hay is removed.  Do you assume they are all undesirable?  If not, how do you differentiate the benign unknowns from the undesirable unknowns?

None of that matters anyway, because the analogy breaks down further because endpoint populations are most definitely not haystacks.  In fact, unless you have instituted the most epically draconian lock-down process of all time, there is very little homogeneity in any endpoint population.  Consequently, you are not looking for something in a well-defined, consistent population, you are looking for something in a confusing maelstrom of one-off configurations that changes daily.  It is the furthest possible opposite of homogenous.

We are now left with “Finding an <unknown> in a <ill-defined, shifting maelstrom>”.  Makes you yearn for the luxury of “Finding a Needle in a Haystack”, doesn’t it?

Finally, no one really suffers from a needle in a haystack, unless you metaphorically jump into the metaphorical hay and through a turn of enormous bad luck get inadvertently, metaphorically stuck.  Needles do not exfiltrate intellectual property or financial data.  Needles do not turn computers into spam spewing Conficker zombies.  Moreover, needles do not land your organization on the front page of the New York Times and create reputational risk that can lower the market cap of the company.  Of course, the <unknown> in your <ill-defined, shifting maelstrom> certainly can.

The obvious question: how do I find an <unknown> in my <ill-defined shifting maelstrom>?  I will offer you one solution tomorrow.

Filed under Continuous Monitoring, Endpoint Security Tagged with , , , ,

Older posts

Follow

Get every new post delivered to your Inbox.

Join 451 other followers