The Readers Speak! – Top 10 Posts for 2010

The Triumfant blog has been up and running for two years now and I am always flattered that anyone would take time from their day to read a post.  As we end the year, I thought I would post a list of the top 10 posts for the year, as determined by the number of views.

Advanced Persistent Threat: Solution – No, Effective Detection – Yes

This post is about how Triumfant uses its unique approach – change detection and contextual analysis to see the attacks characterized by the Advanced Persistent Threat.

Antivirus Detection Rates – Undetected Attacks Are Still Attacks

This is one of my favorites and addresses a critical concept – the reporting from your current defenses will obviously not tell you what attacks are getting through.  The see no evil approach does not mean that you are not getting attacked.

Antivirus Detection Rates – It is Clear You Need a Plan B

There are any number of reports and studies that clearly show that AV detection rates are bad and getting worse.  So what are organizations doing about that fact (if anything)?

Tired of the Term Advanced Persistent Threat – How About Cold Harsh Reality?

This post followed a spirited exchange in the blogosphere and twitterverse about the term Advanced Persistent Threat and whether APT is more about the adversary or the attacks.  This post was my entry into the conversation.

Intel Acquires McAfee, IBM Acquires BigFix – What Does It Mean to You?

2010 was a tumultuous year for the security industry and these two acquisitions are at the front of that tumult.  This post is my take on what these acquisitions mean and what happens to smaller companies when subsumed by larger ones.

Antivirus Detection Rates Study Shows the Real Exposure to Your Organization

Another post that follows yet another study on AV detection rates.  The goal was simple: there are lots of these reports and studies published, but very little pragmatic assessment about what that means in regards to risks for the organization.

Triumfant and Operation Aurora – Detecting the Advanced Persistent Threat

Remember back before Stuxnet?  When Operation Aurora hit, I got lots of inquiries of whether Triumfant would have detected the attack.  Because none of our customers were hit by the attack, our CTO Dave Hooks broke down all of the data on Aurora and created this in-depth case study.

Oh the Animals You Will See at the RSA Zoo (Conference)

This was written as a bit of a joke but reflects my many years of exhibiting at the RSA show.  It was one of those posts that sounded good when written, but gives pause before you post because of the fear that it will be funny to no one else but you.  I was pleased with the spirit in which it was received.

Security Configuration Management – Plugging the Holes in Your Endpoint Security

This post dug into the concepts of security configuration management in depth and provided a pragmatic conversation about the approach of Triumfant that includes our normative baseline and our automated remediation capabilities.

The Yin and Yang of Triumfant – Agent Based Precision With Network Level Analytical Context

This very recent post grabbed a significant quantity of views faster than just about any post.  The post discusses the ability of Triumfant to deliver agent level precision with the power and context of server based analysis.

So there you have the top ten as voted by you, the readers.  Thank you for reading and the feedback you provide.  Have a great holiday and a Happy New Year.

Cisco Study Shows the Basic Flaw in Whitelisting Solutions

Some days you wake up and the world hands you a completely unexpected gift.  This morning I found an article on the SC Magazine site that provided statistics from a Cisco survey about employees and IT security policies.  Some stats from the article:

  • 24% of employees are unaware that IT policies exist.
  • 10% said that IT policies are never communicated.
  • 32% of employees said that the policy was only communicated once per year.
  • 35% of employees that are aware of IT policy said IT does not provide an explanation or rationale for why it exists.
  • 20% of employees make a conscious decision to break IT policy because they believe these policies are not enforced.

These statistics do not paint a picture of a well informed user community.  Users do not know the policies, don’t understand the policies, or don’t understand why there are policies.  The few that seem to understand often choose to willingly ignore them.

The most telling statistic indicated that 40% of the employees break IT policy because “they need restricted programs and applications to get their job done”.  In other words, they know they are breaking policy but make the decision to willingly do so and feel justified because they feel it is critical to their jobs.

So why is this study a gift for me?  I am frequently asked to contrast and compare Triumfant and our capabilities against whitelisting tools.  I have a good answer, and while I normally become extremely animated about the subject and speak in authoritative tones, I did not have hard evidence to fully back up my position.  Until now.

You see, whitelisting sounds really smart and effective in explanation, and is often cited as an alternative to signature based tools and falling malware detection rates.  There are animated claims about its effectiveness against zero day attacks, the advanced persistent threat, rootkits, and the cough due to cold.

If you dig deeply past all of the hype, you will find that whitelisting tools work in three modes:

  • Notify mode will notify the appropriate IT staff if a user installs an application not on the white list.
  • Warn mode will notify the user that they are installing an unauthorized application and provide them the option to stop the install or proceed.
  • Block mode will automatically block the installation of any unauthorized application.

These are not my descriptions – they are from the literature and documentation of the whitelist vendors.  They just don’t surface in the sales presentations.

The documentation clearly states that block mode is only available if the environment is locked down.  For those environments that have even small degrees of flexibility and some personal use capabilities, whitelist solutions only work in warn mode.  Their words, not mine.

Therefore, the efficacy of the whitelist solution now rests in the hands of the user of the machine.  Yes – the very same users statistically characterized by the Cisco study.  The user who likely made a conscious decision to install the program, has a one in four chance of being completely unaware of IT policies, and, if aware of the policies, either does not understand them or is willing to break them.  Hardly sounds like a recipe for closing gaps in endpoint security.

This is not my first rodeo and I have been dealing with the user community since I helped support a quaint old notion called the “Information Center” back in the early 80’s.  Since then, every shred of evidence and experience tells me that most users presented with a warning screen from the whitelist tool will blithely blow right past it.  Now I have the statistics to back that up.

My contention is that only a small number of organizations are locked down, and therefore implementation of a whitelist tool can only be done in warn mode, therefore putting critical protection decisions into the hands of the general user population.  The population that may not know, may not care, and will likely be perturbed that they get a warning screen.  These statistics clearly indicate that there will be more than a trivial amount of users that will circumvent the protection either through ignorance, apathy or choice.

So excuse me if I do not jump on the “whitelisting will cure all of your problems” bandwagon.  And BTW, the same warning process is employed by the prevalence based technologies such as Symantec Quorum that Symantec and McAfee are touting so highly.  The reliance on the user as part of the protection mechanism is equally flawed.

Triumfant does not rely on the user to make evaluations or give them the option to violate policies.  We enforce configurations and policies on a daily basis, and it is an informed administrator that evaluates potential malicious activity and makes the decision to remediate such problems.

So now I have some statistics to support my animated hand waving. Amazing what a little gift like some statistics will do for your day.

As Antivirus Performance Declines, Organizations Must Reconsider Endpoint Security

There has been some interesting response to the previous blog post entitled “Time to Put Your Antivirus Software on a Diet”.  In the short time since the posting there has been some interesting news that intersects nicely with the conversation.

Microsoft announced (ZDNet article here) that it has finished the Release Candidate test build for its Forefront Protection software.  Forefront is Microsoft’s endpoint protection offering for businesses of all sizes for Windows based machines, but is based on the Microsoft Essentials AV engine that tested comparably in a recent group test report by NSS Labs on anti-malware products.  Microsoft literature and third party evaluations indicate that the Forefront offering will have the centralized command and control that an enterprise would require to administer the product across an organization.

Microsoft is also making waves (CNet article here) by adding a feature to their OS update service to offer home users the option of providing Microsoft Essentials to machines when the update service senses there is no AV software running on the machine.  This is not an automatic download – the user must opt in.  This change to the update process started on November 1 in the U.S. and is raising the ire of other AV vendors who focus on the home/consumer market.  These vendors believe that MS is using the unfair competitive advantage of their OS update process to plant non-OS software on machines.  The fact that MS Essentials is free and could significantly cut into the consumer revenue for these vendors may also be a factor.

While neither of these news items is earth shattering, I think they are indicators of a trend: AV software is on the track toward commoditization and that track is gaining speed and momentum daily.  You simply cannot ignore the evidence – I can assure you the adversary has not and will gladly exploit those organizations that are slow to see the signals.

My point in the previous blog post was that organizations might want to take a fallback position on AV software and look for options that place less of a burden on the endpoint machines and less of a burden on the IT security budget.  I made that recommendation based on two facts: 1) Attacks get past AV at a steadily increasing rate 2) The layers the AV companies have put on top of AV are not slowing down the decline and are costing your organization money and slowing down the machines.  The new math of endpoint protection has to include prevention (such as AV) and detection.  Apply the money saved by putting your AV on a diet toward a solution that does not require signatures or any other form of prior knowledge.  Your organization becomes better protected, the end user gets better performance, and you get both of these benefits for the same or less investment.

Now for the disclaimers.  I am not an industry analyst and Triumfant is one of those no signatures, no prior knowledge type of alternatives, so the recommendation is definitely not from a neutral source as I would clearly like for Triumfant to be the alternative of choice.  Triumfant did not perform the broad testing on the AV software, and I personally have not done testing of either MS Essentials or MS Forefront.  Triumfant is not an MS partner and we have absolutely no vested interest in the adoption of their products.

These disclaimers may color my opinions, but they do not change the evidence around you.  For example, the NSS Labs study is one of many that show declining malware detection rates.  At the very least, it is time to start the conversation, and coming into a new year’s budget cycle is a great time to start.  Examine your protection strategy and get comfortable about adding detection capabilities.  Evaluate the spend on prevention and determine if you are getting real value for that spend.

And please, don’t look toward the AV vendors for advice, as the results there will be highly predictable.  The AV market has been a lucrative cash cow for some time and it is not one they are looking to give up without a fight.

Time to Put Your Antivirus Software on a Diet

In my last post I used a recent group test report by NSS Labs on anti-malware products to recap what I think are critical points in considering endpoint protection strategies.  Today I want to make what may be to some a disruptive recommendation based on those points: It is time to take a hard look at your approach to antivirus software.  Specifically, you need to take a hard look at what you are running and how much you are paying for it.

The evidence for this recommendation is everywhere.  We are fast approaching 9 million signatures, yet the NSS Labs study stated that cybercriminals have between a 10% – 45% chance of getting past your AV with Web Malware and between a 25% – 97% chance of compromising your machines using exploits.  The AV vendors have seen the cracks in their offerings and have added all sorts of new wrinkles to their endpoint protection suites over time.  Each new layer added some value but because they still relied on some form of prior knowledge, the detection gap was never closed.  This resulted in agents that carry too large a footprint and often noticeably affect endpoint performance.  As attacks continue to evolve, more layers – and the associated complexities and performance hits – were added.

Gartner Distinguished Analyst John Pescatore noted this in a blog post titled “Twelve Word Tuesday: More Layers of Flawed Shingles Leads to Roof Collapse, Not Fewer Leaks” which stated “Adding levels of ineffective security: really only spending (not defense) in depth.”

You must consider just how much you are paying for something that has demonstrated declining performance.  Those extra layers likely cost you something, but I would suggest that a dollar spent is not resulting in a dollar of protection.  The NSS Labs report would suggest that with AV software you do not get what you pay for, as Microsoft’s Security Essentials performed on par with or better than other name brands.  For those of you who do not know, MS Essentials is free.

I may be a dumb country boy, but I understand that free is a good price to pay when I can get the same value.  I switched my personal machines to MS Essentials and have had stellar performance.  I find it telling that Sophos just announced a free version of their AV software for the Mac.  Economics would teach us that the relative scarcity of Mac AV products would allow Sophos to charge a premium, but instead they are charging nothing.  I would argue that this is a good indicator of where the AV market is heading.

Before you run with the dumb country boy thing, I do understand that MS Essentials and the Sophos Mac offering are intended for home use and do not have the centralized command and control components needed for a large enterprise.  However, as AV software continues its inexorable march to commoditization, it seems foolish to burn sizable chunks of security budget on unnecessarily bloated AV suites.  Market forces should dictate that large enterprises should be able to get AV protection that meets foundational needs at a commoditized price.

I offer two recommendations.  First, put your AV on a diet.  Peel off some of the extra layers that bog down the agent and affect user performance.  Either push your current AV vendor to provide you a streamlined and more efficient version or consider an alternative vendor willing to provide the best coverage-to-price ratio you can negotiate.  Treat AV as a commodity and pay accordingly – we have reached the point where good enough is good enough.

Second, heed all of the evidence that surrounds you and accept that attacks get through your shields and move toward a tool that will detect those attacks.  (Full disclosure: Triumfant falls under this category).  Such a tool will provide you the backstop you need to confidently shed the extra layers of your current AV offering and offer detection for zero day attacks and the advanced persistent threat.

This is not trading some layers for others, even if it appears so at first blush.  Whether you keep your bloated AV or trim down, the NSS Labs report and others like it all prove that attacks are getting through, so you must make the mental jump toward embracing a detection tool regardless.  The key is to leverage the protections offered by a detection solution and remove the AV layers that are delivering diminishing returns.  Furthermore, a solution like Triumfant requires no prior knowledge (such as signatures) and therefore should have a much smaller and efficient footprint on the endpoint.  You get the protections you require with a reduced burden on the endpoint. You also start the inevitable process of reducing your reliance on signature based shields.

Make no mistake – the AV vendors know this day is coming and they will respond with a fusillade of FUD that will be epic in its scope and ferocity.  That is because the AV market has been a cash cow that will not be ceded without a fight.  But the evidence is real and the problem gets worse by the day.

It is time to rethink your AV strategy and make some bold steps toward adapting your endpoint protections to the new realities of the attacks you face today.

Study on Malware Detection Rates Makes the Point(s)

Last week I was pointed to a recent group test report by NSS Labs on anti-malware products by a blog entry by Andy Greenberg on the Forbes web site.  Triumfant does not have a massive research group so I rely on data such as this report to back up many of the things written on this blog.  The NSS labs study is done independently and without sponsorship, so it is a good source of supporting data.

Allow me to step through some of the points I touch on frequently (links added for your convenience) and use the NSS data to support those points:

The odds are not in your favor. The NSS summary offers two key takeaways from the numbers:

  • Cybercriminals have between a 10% – 45% chance of getting past your AV with Web Malware (depending on the product)
  • Cybercriminals have between 25% – 97% chance of compromising your machine using exploits (depending on the product)

One of the more popular posts that addresses this issue further is “Antivirus Detection Rates – It is Clear You Need a Plan B”.

Adding more layers to your AV product will never get you to the 100% shield. In previous posts such as “Defense in Depth – There is No Perfect Shield”, I discuss how everyone wants a 100% shield.  The NSS Labs study shows there is no 100% shield now nor is there one in sight.  You are not getting closer to a 100% shield; it is moving away from you.  The statistics show that the only AV software that actually improved its detection score from the previous test was McAfee, who went from 81.6% to 85.2% in one year.  McAfee threw the considerable weight of their very large organization at the problem, and are still missing one in every seven attacks.  One can also assume just the increased volume of attacks ate away any of the gain McAfee was able to realize.  Kudos to McAfee, because on average…

The detection rates are decreasing. According to the NSS Labs report “products slipped by 6% on average from 2009 to 2010” in their ability to detect malware.  The press is full of claims by the AV vendors that they have either upped the capabilities of their AV products or added elements to their AV suites to close the gap.  All evidence to the contrary.  Detection reports from AV suites use volumes of detected attacks artificially inflated by the increasing number of attacks to obfuscate the declining detection rates as a percentage of attacks (“Antivirus Detection Rates – Undetected Attacks Are Still Attacks”).  And yes, the proper conclusion is that decreasing detection rates translate into more attacks reaching your endpoints.

Attempts at closing the detection gaps are negatively affecting performance. As AV vendors attempt to plug the leaks with add-ons to their AV suites, there is an effect on the performance of the machine that is not proportional to the extra protection.  If you look at the performance data on pages 13-17 of the report you will see that the Microsoft Essentials offering consistently rates low on system impact.  Given that Microsoft is not generally lauded for their efficient design, one can conclude that it is the lack of add-on capabilities that at the very least contributes to the proportionately smaller impact of MSE on the machines.

Exploits must factor into the equation. The NSS Labs report has a separate section on the ability of the products to protect against exploits encountered while using the World Wide Web.  The report shows that “over half of the AV products stop less than 50% of the exploit attacks” and many of the products that score best in malware protection are the worst for exploit protection.  Exploits are just as dangerous to your organization as traditional malware and you must consider the performance against these exploits when considering the efficacy of your protections.

All of these points lead to the two most important points that you can simply no longer ignore:

Attacks are getting through to your endpoints. The best-case scenario according to the NSS Labs study is that one out of every ten malware attacks and one out of every four exploits makes it past your defenses to the endpoint.  We often address the challenges of protecting endpoints in terms of the growing number of signatures, increasing complexity of attacks, and other factors, but these numbers are right there for you to either accept or ignore.  You could spend every dollar you have on shields and it will not change this fact.  In fact, I would argue that for every additional dollar you spend on shields you are getting pennies back (“New Math of Endpoint Protection”).

The equation for endpoint protection has changed, and detection must now be added to prevention. The data in the NSS Labs study clearly supports the fact that you must have a tool in place that will use an alternative approach to detect when a malicious attack or exploit has successfully infiltrated your machines at a rate ranging from 10% – 45% (and trending downward, BTW).  The facts dictate that you revisit your endpoint protection strategy and embrace the fact that “Endpoint Protection Must Be About Prevention AND Detection”.  Better yet, you need a tool that can help you address the detected attacks quickly and efficiently to contain the attack from spreading and minimize the operational impact.

Two weeks ago an article in Information Week called “Outgunned: How Security Tech Is Failing Us” took a hard look at why organizations are losing the battle against the evolving threats.  The statistics behind this study support my response that asks the question “Is Security Tech Failing Us or Are We Failing to See the Light?”.  The numbers in the report suggest that we are the ones who are failing because we stare directly at the hard evidence and choose to ignore it.  Regardless of how we interpret the numbers and reconcile what they are telling us, the hard truth is that at least one out of every ten attacks is getting through.  No amount of denial will change that.

Have No Fear: Triumfant’s Remediation Capability is Automated, Not Automatic

In my previous blog entry I attempted to unravel some of the fear, uncertainty and doubt around our automated remediation capabilities.  After a week of quiet contemplation at the beach and writing a whitepaper on the subject I had an epiphany.  I think the fear comes from a misunderstanding between the words “automated” and “automatic”.  Allow me to explain.

Triumfant has automated the construction of a remediation for any malicious attack or anomalous incident it finds.  The detail is all there in the blog entry.  But in short, because Triumfant knows what has changed and knows the value of every attribute or file before it was changed, it is a logical next step to build a remediation script to return the affected attributes to their pre-attack condition.  No spooky “thinking computer” stuff, just sound logic driven by the capabilities of our granular change detection.

The automated remediation Triumfant creates is not automatic in its execution.  The Triumfant administrator must perform a one-touch confirm of the remediation before it is sent to the agent for execution.  Triumfant does the heavy lifting of analyzing the attack or problem and building a comprehensive remediation script.  It is automated.  There is still the failsafe of human interaction as a confirmation.  It is not automatic.

There are easily implemented mechanisms to make remediations automatic for incidents encountered in the past and for configuration and policy enforcement.  In these cases the remediations are known and the customer is comfortable with their effects.  For example, we have customers who identify specific applications they want removed from endpoint machines, and these remediations are automatic.  But for anything new encountered by Triumfant, such as a zero day attack or an Advanced Persistent Threat type attack, the default is the one-touch confirm by the administrator, providing oversight and control.

Why am I writing about this subject?  People seem to have a love/fear relationship with the concept of automated remediation.  For example, at the NIST Security Automation Conference last October in Baltimore I asked the attendees in my presentation two questions:

Q1: Who wants automated remediation?  A: Every hand in the room enthusiastically shot up.

Q2: Who is ready to implement automated remediation?   A: Crickets.

All I can surmise is that security people suffer from what I have dubbed “SkyNet Syndrome” – the lingering effects of watching science fiction movies and television series that ultimately play the “smart computer comes to life and destroys the world” card.  The list is long and distinguished: M5 and Nomad on Star Trek the Original Series, V’Ger in the first Star Trek movie, Colossus from Colossus: The Forbin Project, Proteus in Demon Seed, and, of course, SkyNet from The Terminator.

Notice that I did not include W.O.P.R. from WarGames as he was hacked and did not become sentient.  Of course he was hacked because he had poorly configured endpoint protection that could have been easily recognized through change detection and quickly addressed by Triumfant through an automated remediation.  But I digress.

Triumfant’s Automated Remediation – Not Voodoo, Sensible Can-Do

It has come to my attention that many have a hard time getting their heads around our automated remediation capabilities.  The concepts around the way Triumfant performs automated remediation are really quite simple, so allow me to explain:

We know what changed. We continuously scan the machine for changes and if we see an indication that the machine is under attack we perform an accelerated full scan to kick off the analysis process.  So when Triumfant’s patented analytics perform the analysis of a malicious incident, each and every change to the machine is available for consideration.  Triumfant not only sees what has changed, but we are uniquely able to group changes to identify which changes are part of each specific incident.  The analytics leverage over 25 different correlation algorithms to determine all of the primary and secondary artifacts from any given attack.  We identify the attack and all of the changes associated with the attack, such as configuration changes and opened ports.  The changes break down into three basic change types:

  • Unexpectedly present means that something new has been added.
  • Unexpectedly absent means that something that was there is no longer there.
  • Unexpectedly modified means that the value has been changed.

We know what the attribute or file looked like before it changed. The first step performed by the Triumfant agent is to take a snapshot of the over 200K attributes we monitor.  This includes an MD5 hash of every file on the machine.  A copy of this snapshot is continuously maintained on the endpoint and on the Triumfant server.   Therefore, Triumfant has a very logical and unique set of data that serves as the ingredients to write the remediation: we know what has changed, we know the current (changed) value, and we know the value prior to the change.  Brutally simple in concept, but elegantly and efficiently executed.

We therefore can build a script to modify the things that changed back to what they used to be before they were changed. Once you know what attribute or file has changed and know what the attribute or file looked like before it was changed, it is not hard to construct a script to change things back.  Actually, there are some challenges, but luckily our engineers have made it look simple.  For example, it is easy to delete things that are not supposed to be on the machine, and it is easy to restore modified or deleted attribute values.  It is not that simple to restore missing or corrupted files.  That is why Triumfant’s donor technology (patent pending) is so remarkable.  Triumfant uses our knowledge base (automatically generated) to find a donor machine that has the same missing or corrupted file (version, OS, validated by the MD5 hash) and uses that donor machine to provide a copy to move to the affected machine.  I will explore the donor technology and the context that powers it in a future post; suffice it to say the capability is completely unique to Triumfant and is an elegant solution to a very difficult problem when considering automated remediation.

Makes sense when you lay it out this way, doesn’t it?  Triumfant uses this very simple logic flow to build a custom remediation script for each and every incident that is contextual, situational, and surgical.  The script is constructed without the need for human intervention at the server and sent to the agent for execution after confirmation by an administrator.  The remediation only affects those attributes and files that were part of the attack and does not affect any of the changes done to the machine outside of the incident.  None of the user’s work or any of the benign changes to the machine are lost.  And you should not have to re-image the machine out of fear that there may be artifacts of the attack still lurking on the machine.

This is not a rollback to an image; there is no interaction required by the end user, including the requirement (except in the most extreme cases) to reboot.  We are not pulling from a library of pre-written remediations that can’t possibly know enough to address all of the primary and secondary artifacts of an attack.

This is not VooDoo, but sound, sensible science.  It takes the concepts of change detection and extrapolates it to the logical end – not only can Triumfant see the attacks that evade other defenses, it can build a remediation that stops the attack and removes all of the collateral damage of the attack.   We are not a shield, but we go from infection (not detection, which for many tools takes days, weeks, even months) to remediation in less than five minutes.  So given that the shields miss so much, the fact that malware exists on the machine for five minutes is a more than equitable trade-off for those organizations dealing with the advanced persistent threat, zero day attacks, and rootkits.

Finally, I know the term “automated” gives everyone heartburn.  Everyone likes the concept, but is skittish about actually implementing it.  Not to worry.  We build the remediation automatically, but by default it does not run automatically.  The administrator will get an alert that malware has been detected, and the administrator can then evaluate Triumfant’s findings and validate the remediation before it is executed.  And every remediation is completely reversible.  We provide all of the analysis and write the remediation script; you actually put it into motion.
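To make the logic flow above concrete, here is an added example written for this post; it is not Triumfant’s code and does not reflect how its product is implemented.  It diffs a baseline snapshot against the current one for the paths scoped to an incident, turns each change into one surgical step (delete what was added, restore changed attributes, restore missing or corrupted content from a donor copy re-validated by MD5 hash), leaves a benign user edit outside the incident untouched, and records what each step overwrote so the whole remediation can be reversed.  The function names, the paths, the file contents and the donor knowledge base are all constructed for the example.

```python
# Added example, not Triumfant's code: a sketch of the logic flow described above.
# A baseline snapshot is diffed against the current one for the paths scoped to the
# incident, each change becomes one surgical step, missing or corrupted files are
# restored from a donor copy validated by MD5 hash, and every step records what it
# overwrote so the whole remediation can be reversed. Paths, contents and the donor
# knowledge base are constructed sample data.
import hashlib
from copy import deepcopy

def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def snapshot(files: dict) -> dict:
    """Reduce {path: (content, attrs)} to the hash-and-attributes view the diff uses."""
    return {p: {"md5": md5(c), "attrs": dict(a)} for p, (c, a) in files.items()}

def build_remediation(baseline: dict, current: dict, donors: dict, incident_paths) -> list:
    """Emit one step per changed item, touching only the paths in the incident scope.
    donors is the assumed knowledge base: {md5 of a known-good copy: its content}."""
    plan = []
    for path in sorted(incident_paths):
        before, now = baseline.get(path), current.get(path)
        if before is None and now is not None:          # added by the attack: delete it
            plan.append({"op": "delete", "path": path})
        elif before is not None and (now is None or now["md5"] != before["md5"]):
            donor = donors.get(before["md5"])            # missing or corrupted content
            if donor is not None and md5(donor) == before["md5"]:   # re-validate the copy
                plan.append({"op": "restore_file", "path": path,
                             "md5": before["md5"], "attrs": before["attrs"]})
            else:
                plan.append({"op": "manual", "path": path, "reason": "no validated donor"})
        elif before is not None and now["attrs"] != before["attrs"]:   # attribute-only change
            plan.append({"op": "restore_attrs", "path": path, "attrs": before["attrs"]})
    return plan

def apply_plan(files: dict, plan: list, donors: dict) -> dict:
    """Run the plan on a {path: (content, attrs)} state, recording each step's
    pre-remediation value so revert_plan can undo it. Returns the new state."""
    state = deepcopy(files)
    for step in plan:
        path = step["path"]
        step["undo"] = deepcopy(state.get(path))        # None means the path did not exist
        if step["op"] == "delete":
            state.pop(path, None)
        elif step["op"] == "restore_file":
            state[path] = (donors[step["md5"]], dict(step["attrs"]))
        elif step["op"] == "restore_attrs":
            state[path] = (state[path][0], dict(step["attrs"]))
        # "manual" steps change nothing and are left to the administrator
    return state

def revert_plan(files: dict, plan: list) -> dict:
    """Undo every applied step in reverse order using the captured undo values."""
    state = deepcopy(files)
    for step in reversed(plan):
        if "undo" not in step:
            continue
        if step["undo"] is None:
            state.pop(step["path"], None)
        else:
            state[step["path"]] = deepcopy(step["undo"])
    return state

# Constructed sample: the machine before the incident and after a hypothetical attack.
BASELINE_FILES = {
    "C:/Users/alice/report.docx":        (b"draft v1",            {"mode": "rw-"}),
    "C:/Windows/System32/sfc.dll":       (b"sfc-good",            {"mode": "r-x"}),
    "C:/Windows/System32/winlogon.exe":  (b"winlogon-good",       {"mode": "r-x"}),
    "C:/Windows/hosts":                  (b"127.0.0.1 localhost", {"mode": "r--"}),
}
CURRENT_FILES = {
    "C:/Users/alice/report.docx":            (b"draft v2",            {"mode": "rw-"}),  # benign edit
    "C:/Windows/System32/drivers/evil.sys":  (b"dropper",             {"mode": "r-x"}),  # dropped
    "C:/Windows/System32/winlogon.exe":      (b"winlogon-trojaned",   {"mode": "r-x"}),  # modified
    "C:/Windows/hosts":                      (b"127.0.0.1 localhost", {"mode": "rw-"}),  # attrs changed
    # sfc.dll has been deleted
}
# Scope from contextual analysis (assumed input): the user's document is not part of it.
INCIDENT_PATHS = {"C:/Windows/System32/drivers/evil.sys", "C:/Windows/System32/sfc.dll",
                  "C:/Windows/System32/winlogon.exe", "C:/Windows/hosts"}
DONOR_KB = {md5(b"winlogon-good"): b"winlogon-good",
            md5(b"sfc-good"): b"sfc-stale-copy"}   # stale entry: fails hash validation

def demo():
    plan = build_remediation(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES),
                             DONOR_KB, INCIDENT_PATHS)
    after = apply_plan(CURRENT_FILES, plan, DONOR_KB)
    reverted = revert_plan(after, plan)
    return plan, after, reverted

if __name__ == "__main__":
    for step in demo()[0]:
        print(step["op"], step["path"], step.get("reason", ""))
```

Two design points worth noting: the donor copy is re-hashed before it is used rather than trusted on the strength of its index key, so a stale knowledge-base entry degrades to a “manual” step instead of silently planting the wrong file; and the undo record is captured at apply time from the live state, not from the plan, which is what makes the reversal exact even if the machine changed between planning and administrator approval.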

The Advanced Persistent Threat Means We Need a Third Bucket

Gartner has always taken a simplistic approach to dividing their analysts in the consulting practice:  keep the bad guys out (defense) and let the good guys in (access).  I have no quarrel with these two buckets and they have made sense for some time, but I respectfully believe it is time the industry accepts a broader reality and adds a third bucket that addresses when the adversary has thwarted the first two buckets, which is happening with alarming frequency.

I was at the Capital Connection Show last week and had the pleasure to attend a luncheon roundtable discussion that included Gary Gagnon of MITRE and Debora Plunkett, NSA’s Information Assurance Director.  I found it interesting that the call to arms was not for better shields but for a better understanding of how to detect and eradicate adversaries that have made it through the defenses.  It was clearly a pragmatic view that offense is always ahead of defense, and that a continued emphasis on chasing the perfect shield was no longer viable.  Regardless of whether you like the term, the Advanced Persistent Threat is a reality, and the advanced persistent adversary is now organized, competent, and highly motivated.

Unfortunately, the IT security industry formed in a simpler time when the two buckets of defense and access were enough.  The entrenched thinking and alignment of products into these buckets have seemingly left no room for a third bucket.  When we brief the analysts or the press it is clear that while they understand what Triumfant does and the value our solution represents, there is a struggle to process the information because we do not neatly fit into a bucket or one of the sub-classifications in those buckets. I fear that it actually puts Triumfant at a disadvantage even though we effectively fill critical gaps in endpoint security and configuration management.

There is an interesting corollary when one looks at the evolution of the defense of the United States over the past 30 years.  When I entered the professional workforce in 1981 at what was then Martin Marietta, the U.S. Armed Forces focused on fighting a broad, land-based conflict in Eastern Europe against the Soviet Bloc.  For those too young to remember, military vehicles and uniforms were not desert khaki, but green.

Ten years later, America was fighting the first Gulf War and the military was scrambling to find khaki and brown paint – literally.  Military vehicles would pass on the highways and you could see they were hastily painted from forest green to desert brown.  Many of the vehicles and weapons built for the woods of Eastern Europe were not so effective in this new theatre.  The adversary was also different in nearly every aspect.  So we quickly found that our strategies and techniques had to be completely reset.  In spite of these challenges, the public was served multiple images of the sophistication of our weapons, creating a sense of confidence that our military superiority would shield our home soil from aggression.

Ten more years later, on September 11, 2001, I stood at a window on the 27th floor of a high-rise office building in mid-town Manhattan as my brain struggled to process the data from my eyes as I watched the first of the Twin Towers of the World Trade Center shudder and fall.  The enemy was no longer in some faraway land most of us would never see; the enemy was among us.  The enemy had in fact lived among us, and we had trained them to have the skills to perform their acts of aggression.  Iconic buildings on our own soil had been attacked, and non-combatants were killed.

I did watch both towers fall, and I can assure you I do not invoke 9/11 lightly or use it as a casual metaphor.  That day the United States understood that defense was no longer about keeping the bad guys out, because they were already in.  The nation was forced to completely rethink security and come to grips with finding and removing embedded adversaries and admit to the hard truth that there was no way to completely secure the perimeter.  The myth of the shield fell in the flames of the WTC and the Pentagon.

We are at that place with IT security and have been for some time.  The pragmatic know this and are well on their way to addressing the problem.  But the industry itself and many within organizations and government agencies are stuck on the concept of perfecting shields rather than dealing with the cold harsh reality of an adversary that has long since found ways to penetrate those shields in a targeted and systematic way at a rate that increases daily.

The larger, incumbent security software companies that started with shields predictably hold onto the premise and respond to problems by introducing new shields that the bad guys soon evade.  Organizations buy into the story because it simply feels better to think about keeping the bad guys out than admitting they have long since found their way in.  They rest on reports from AV software that show increasing detection statistics that create a false sense of security because there are no statistics on what is getting through.  Yet outside statistics prove conclusively that things are getting through.

Folks, the world has changed and there is no denying it nor can we turn back the clock.  There has to be a third bucket that addresses what we do when the bad guys get past our defenses and infiltrate our systems.  My problem – I don’t have a good name for the bucket, so I am open to suggestions.  Regardless of what we call it, it is time to face the uncomfortable truth and adjust our thinking accordingly.

Maintaining a State of Zen in the Face of the Matousec KHOBE Attack

I have reached a nirvana of sorts during my tenure with Triumfant.  First, we have a product that is truly and completely differentiated from any other endpoint protection product in the security market.   If you know how noisy, undifferentiated and confusing the security market is, you know that is a strong statement.  Second, I have the comfort of knowing that our product’s differentiation puts us in a position where the market moves toward us daily.

Which brings me to the Matousec dust-up of last week.  For those of you who missed the fun, Matousec.com published a paper that defined an attack that bypassed a list of over 30 broadly used endpoint security programs.  The paper (found here) describes an attack Matousec calls KHOBE (Kernel HOok Bypassing Engine) but goes by the more generic description of an argument-switch attack.

I won’t restate the particulars (good article with more details in the Register here), but the general gist of the attack is to send a benign piece of code to the A/V software on the targeted machine and then swap out the benign code for malicious code just before execution begins.  The attack seems particularly useful on multi-core machines where it can use multiple threads to facilitate the code switch.  It should be noted that this attack is strictly a lab-based manifestation, and has not been reported in the wild.  Matousec did test a broad spectrum of AV products and reports the following (emphasis by Matousec): “If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100 % of the tested products were found vulnerable.”  Included in that list were Symantec, McAfee, Trend Micro, Kaspersky, Sophos and the other usual suspects.
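The gist described above is a check-then-use race: the hook inspects an argument buffer the caller still controls, and the caller changes it between the inspection and the use.  As an added example (not code from Matousec’s paper or from any of the vendors named), here is a small deterministic user-mode simulation of that window beside the copy-then-check pattern that closes it: the hook copies the argument into memory the caller cannot reach and inspects and executes only that private copy.  The names (`is_malicious`, `Executor`, `vulnerable_hook`, `hardened_hook`, `swap_to_malicious`) and the byte strings are stand-ins constructed for the example; the “other thread” is a callback invoked at the point where a real race would be won, so the run is repeatable.

```python
# Added example, not code from Matousec's paper or any AV vendor: a deterministic
# user-mode simulation of the check-then-use window that an argument-switch attack
# exploits, beside the copy-then-check pattern that closes it. All names are
# hypothetical stand-ins; the callback plays the part of the racing thread.

def is_malicious(code: bytes) -> bool:
    """Toy stand-in for the inspection a security hook performs on a submitted buffer."""
    return b"malicious" in bytes(code)

class Executor:
    """Records what was actually handed on for execution after the hook approved it."""
    def __init__(self):
        self.ran = []

    def run(self, code: bytes) -> None:
        self.ran.append(bytes(code))

def vulnerable_hook(shared: bytearray, executor: Executor, between_check_and_use=None) -> bool:
    """Inspects the caller-owned buffer, then executes from that same buffer.
    The optional callback stands in for a second thread that wins the race and
    rewrites the buffer after the check but before the use."""
    if is_malicious(shared):
        return False
    if between_check_and_use:
        between_check_and_use(shared)
    executor.run(shared)                # executes whatever the buffer holds *now*
    return True

def hardened_hook(shared: bytearray, executor: Executor, between_check_and_use=None) -> bool:
    """Copies the argument into memory the caller cannot reach, then inspects and
    executes only that private copy, so a later rewrite of the shared buffer is moot."""
    private = bytes(shared)
    if is_malicious(private):
        return False
    if between_check_and_use:
        between_check_and_use(shared)   # the swap lands on the caller's buffer only
    executor.run(private)
    return True

def swap_to_malicious(buf: bytearray) -> None:
    """The racing thread's action in the simulation: overwrite the buffer in place."""
    buf[:] = b"malicious-code"

def demo():
    """Runs both hooks against the same race; returns what each one let through."""
    ex_v, ex_h = Executor(), Executor()
    vulnerable_hook(bytearray(b"benign-code"), ex_v, swap_to_malicious)
    hardened_hook(bytearray(b"benign-code"), ex_h, swap_to_malicious)
    return ex_v.ran, ex_h.ran

if __name__ == "__main__":
    ran_v, ran_h = demo()
    print("check-then-use executed:", ran_v)   # [b'malicious-code']
    print("copy-then-check executed:", ran_h)  # [b'benign-code']
```

The simulation stands in for the kernel case only in shape: in a real hook the argument lives in user-mode memory and the private copy must be made in kernel memory before validation.  The takeaway for a defender is the one the post goes on to make: whatever wins that race, the payload still has to land on and change the endpoint, and that change is what a state-based control sees.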

Several of the AV companies have gone on the defensive and responded by noting that the attack is complex and would be difficult to execute in the wild.  Others have noted that it is plausible that known exploits in commonly used programs such as Adobe Reader could turn that software into a delivery vehicle for the malicious code payload needed to execute the KHOBE attack.

As for me, I sit in a zen-like state, calmly observing the fuss.  Because Matousec is just the latest, albeit technically progressive, technique for evading defensive shields and getting a malicious payload to the machine.  My zen comes from knowing that Triumfant would be there after KHOBE did all of its complex machinations.  In spite of the technical sophistication of the argument-switch attack, the end result is the same basic trigger – the endpoint will be changed, we will detect the change, and then we will step in to protect the machine.  Triumfant waits in an equally blissful state of zen, completely unaffected by the sophistication (or lack of sophistication) that got the attack to the machine.

My zen state is only deepened by the knowledge that even if this attack never makes it into the wild, it is a harbinger of new attacks being developed as we speak.  We just passed the ten-year anniversary of the “I love you” virus that rocked the world in May 2000.  Looking back now it seems rather quaint in the context of the malware we face today.  I am quite sure KHOBE is an example of the same phenomenon – except it will look quaint in 2 to 3 years instead of 10.

The bottom line is what I have said in numerous posts (here and here) – attacks will get through your shields.  Write it in stone, because that fact will never change.  Ever.  It is the one absolute you can bank on.  That absolute is the source of my zen state because we provide a really unique and interesting solution that will detect what gets through the shields and restore attacked machines to pre-attack condition in less than five minutes.  This capability is that unique differentiation I spoke about earlier.

The term Nirvana is often defined as “a state of total bliss or happiness”.  I am not happy that organizations are being attacked and I find no bliss in seeing new attacks such as the argument-switch attack being created.  Quite the opposite: my bliss comes from knowing I have the right solution at the right time, and that we can help organizations protect their intellectual property and sensitive data as the complexity and volume of attacks continues to grow. We do not promise a sense of zen, but Triumfant sure can help protect you against whatever new attacks are created to evade your defenses.  And maybe you will find just a little more peace along the way.

Tired of the Term Advanced Persistent Threat – How About Cold Harsh Reality?

I read a very insightful guest editorial in the Zero Day blog in ZDNet by Matthew Olney of Sourcefire on Friday about how the term “Advanced Persistent Threat” had reached a level of overexposure and may have, as they say, jumped the shark.  After reading his article I started to think about some new alternative terms for the evolving nature of malicious attacks while putting some of the hype into perspective.

My first new alternative name for APT is Cold Harsh Reality (CHR).  As Olney points out, the term APT has been used by the defense industrial base (DIB) for years.  Of course, if something works to steal military data, it will soon find its way to the hands of those who seek financial gain.  The attacks once seen only in the intelligence and DIB community are now being aimed at financial institutions, retailers, energy companies and just about anywhere else where financial data or sensitive information can be had.

This is not rocket science, just good coding methodology.  The bad guys do not have to build elaborate zero day attacks to evade detection as there are plenty of ways to get around traditional defenses without expending massive amounts of effort.  And of course if the bad guys run out of exploits, Microsoft and Adobe stand ready to snap off a couple of new ones for their convenience.

My point, maybe we don’t need the term APT anymore, because it was used to characterize something that started in a relatively isolated world that has moved into the mainstream.  It is our new cold, harsh reality, and therefore requires no special designation. There will still be pedestrian attacks that AV will continue to block well, but these now look amateurish in the face of the CHR attacks that many are dealing with on a continuous basis.

The other alternative is Uncomfortable Inconvenient Truth (UIT – hey, Al Gore got us into this mess by inventing the Internet, so I don’t feel bad for borrowing from him).  While I agree that some of the noise around APT is hype, a lot of the shouting is from innovative companies that are struggling to be heard above the FUD from the AV vendors who know they are exposed by their failure to evolve to the changing threats.

This is where the uncomfortable and inconvenient part comes in.  The large AV vendors have sold a lot of companies on the idea of the consolidated suite for protection, and those companies have invested a lot of money in those suites.  Such decisions are strategic and large enough to get visibility at the highest levels of the organization and the individuals who made the ultimate choice have much of their personal reputation riding on the results.

As the game changed and it became increasingly obvious that the AV tools cannot stem the tide of evolving attacks, the AV vendors and the internal sponsor in the organization that made the decision to buy the suite are at risk.  The AV vendors don’t want to lose control of the account and have new tools added to the mix, and the internal sponsor does not like the idea of having to tell management that they need additional software.  The increasing evidence only serves to make facing the truth more uncomfortable (but unavoidable), while the tight economy makes having to take action increasingly inconvenient.

The AV vendors have been countering their risk by telling everyone that they have it covered by trotting out extensions to the suite such as heuristics and behavioral analysis, and when those did not get the job done, whitelisting and prevalence.   The internal sponsor is motivated to believe that their vendor will find a way to address the problem, because it represents the least friction organizationally and professionally.  To be clear, I am not suggesting malfeasance or coercion or any other malicious intent – it is an observation of human nature and buying psychology.

But the tide continues coming in. This is where smaller companies (even the ones that have a legitimate product that can help) are driven to hype.  Trust me when I tell you that it takes enormous energy and perseverance to get your message heard above the “don’t worry, we have that covered” message from the big AV companies.  So if APT is getting the attention of security people and organization decision makers, you can bet that small companies will jump on the bandwagon.  Because even when I do get in and get the chance to tell my story, I know the big AV vendor is just outside the door ready to dismiss what we say.  Such is the cold, harsh, uncomfortable and inconvenient reality of my world.

I am not defending my fellow marketers who take the use of APT too far; I am just saying there is a perspective here worth examining.  The APT hype cycle is not all the fault of marketers – it is a symptom of a larger problem as the security market ecosystem is forced to deal with the evolving threats.  What is true is that organizations are getting attacked, and as Olney and others have said, there is no magic silver APT bullet.  But there may be some products that can help if you can filter out the noise on the subject.

Let me end with some disclaimers.  You will see the term Advanced Persistent Threat on the Triumfant web site, but we are always very clear that while we are a good detection tool for the attacks most associate with APT, we do not claim to be a solution for APT.  I agree with those who say that anyone claiming to be so should be instantly ignored.
