Research

As we return to our Advanced Endpoint and Server Protection series, we are back working our way through the reimagined threat management process. After discussing assessment you know what you have and what risk those devices present to the organization. Now you can design a control set to prevent compromise from happening in the first place. Prevention: Next you try to stop an attack from being successful. This is where most of the effort in security has gone for the past decade, with mixed (okay, lousy) results. A number of new tactics and techniques are modestly increasing effectiveness, but the simple fact is that you cannot prevent every attack. It has become a question of reducing your attack surface as much as practical. If you can stop the simplistic attacks you can focus on more advanced ones. Obviously there are many layers you can and should bring to bear to protect endpoints and servers. Our PCI-centric brethren call these compensating controls. But we aren’t talking about network or application stuff in this series, so we will restrict our discussion to technologies and tactics focused on preventing compromise on endpoints and servers themselves. As we described in 2014 Endpoint Security Buyer’s Guide, there are a number of alternative approaches to protecting endpoints and servers that need to be discussed, compared, and contrasted. Traditional File Signatures You cannot really discuss endpoint prevention without at least mentioning signatures. You remember those, right? They are all about maintaining a huge blacklist of known malicious files to prevent from executing. The Free AV products on the market now typically only use this approach, but the broader endpoint protection suites have been supplementing traditional signature engines with additional heuristics and cloud-based file reputation for years. To expand a bit on file reputation, AV vendors realized a long time ago that it wasn’t efficient to download hashes for every single known malware file to every single protected endpoint. So they took a cloud-based approach which involves keeping a small subset of frequently-seen malware signatures on each device, and if the file cannot be found locally the endpoint agent consults the cloud for a determination on the file. If the file isn’t known by the cloud either it may be uploaded for analysis. This is similar to how cloud-based network-based malware detection works.   But detection of advanced attacks is still problematic if detection is restricted to matching files at runtime. You have no chance to detect zero-day or polymorphic malware attacks, which are both very common. So the focus has moved to other approaches. Advanced Heuristics You cannot rely on matching what a file looks like, so you need to pay much more attention to what it does. This is the concept behind the advanced heuristics used to detect malware in recent years. The issue with early heuristics was having enough context to know whether an executable was taking a legitimate action. Malicious actions were defined generically for each device based on operating system characteristics, so false positives (blocking a legitimate action) and false negatives (failing to block an attack) were both common: a lose/lose scenario. Heuristics have evolved to also recognize normal application behavior. This advance has dramatically improved accuracy because rules are built and maintained at a specific application-level. This requires understanding all the legitimate functions within a constrained universe of frequently targeted applications, and developing a detailed profile of each covered application. Any unapproved application action is blocked. Vendors basically build a positive security model for each application – which is a tremendous amount of work.   That means you won’t see every application profiled with true advanced heuristics, but that would be overkill. As long as you can protect the “big 7” applications targeted most often by attackers (browsers, Java, Adobe Reader, Word, Excel, PowerPoint, and Outlook), you have dramatically reduced the attack surface of each endpoint and server. To use a simple example, there aren’t really any good reasons for a keylogger to capture keystrokes while filling out a form on a banking website. And it is decidedly fishy to take a screen grab of a form with PII on it at the time of submission. These activities would have been missed previously – both screen grabs and reading keyboard input are legitimate operating system functions in specific scenarios – but context enables us to recognize these actions as attacks and stop them. To dig a little deeper let’s list some of the specific types of behavior the advanced heuristics would be looking for: Executables/dependencies Injected threads Process creation System file/configuration/registry changes File system changes OS level functions including print screen, network stack changes, key logging, etc. Turning off protections Account creation and privilege escalation Vendors’ ongoing research ensures their profiles of authorized activities for protected applications remain current. For more detail on these kinds of advanced heuristics check out our Evolving Endpoint Malware Detection research. Of course this doesn’t mean attackers won’t continue to target operating system vulnerabilities, applications (including the big 7), or the weakest link in your environment (employees) with social engineering attacks. But advanced heuristics makes a big difference in the efficacy of anti-malware technology for profiled applications. Application Control Application control entails a default deny posture on devices. You define a set of authorized executables that can run on a device, and block everything else. This provides true device lockdown – no executables (either malicious or legitimate) can execute without being explicitly authorized. We took a deep dive into application control in a recent series (The Double-Edged Sword & Use Cases and Selection Criteria), so we will just highlight some key aspects. Candidly, application control has suffered significant perception issues, mostly because early versions of the technology were thrust into a general-purpose use case, where they significantly impacted user experience. If employees think a security control prevents them from doing their jobs, it will not last. But over the past few years application control has found success in a few use cases where devices can and should be totally locked down. That typically means fixed-function devices such as kiosks and ATMs, as well as servers. Devices where a flexible user experience isn’t an issue. It is possible

You didn’t think you would need to wait long for a Snowden reference, did you? Well, you know we Securosis guys like to keep you in suspense. But without further ado, it’s time. Snowden time! CryptoZoology The biggest noisemaker at RSA this year – besides Rothman – will be everyone talking about the NSA revelations. Everyone with a bully pulpit (which is basically everyone) will be yelling about how the NSA is all up in our stuff. Self-aggrandizing security pundits will be preaching about how RSA took a bribe, celebrating their disgust by speaking in the hallways and at opportunistic splinter conferences, instead of at the RSA podia. DLP, eDiscovery, and masking vendors will be touting their solutions to the “insider threat” with Snowden impersonators (as discussed in APT0). Old-school security people will be mumbling quietly in the corners of the Tonga Room, clutching drinks with umbrellas in them, saying “I told you so!” One group who will be very, very quiet during the show: encryption vendors. They will not be talking about this! Why? Because they really can’t prove their stuff is not compromised, and in the absence of proof, they have already been convicted in the security star chamber. Neither Bruce Schneier nor Ron Rivest will be pulling proofs of non-tampering out of magic math hats. And even if they could, the security industry machine isn’t interested. There is too much FUD to throw. What’s worse is that encryption vendors almost universally look to NIST to validate the efficacy of their solutions – now that NIST is widely regarded as a pawn of the NSA, who can provide assurance? I feel sorry for the encryption guys – it will be a witch hunt! The real takeaway here is that IT is – for the first time – questioning the foundational technologies data security has been built upon. And it has been a long time coming! Once we get past Snowden and NSA hype, the industry won’t throw the baby out with the bathwater, but will continue to use encryption – now with contingency plans, just in case. Smart vendors should be telling customers how to adjust or swap algorithms if and when parts of the crypto ecosystem becomes suspect. These organizations should also be applying disaster recovery techniques to encryption solutions, just in case. Share:

There is no stopping the train now that it’s rolling. Here is the final key theme that we expect to see at the show, and yes it’s all about the cloud. And yes, I managed to work a Jimmy Buffett lyric into the piece. Rich 1, Internet 0. Cloud Everything. Again. We’re Bored Now. The cloud first appeared in this illustrious guide a mere three or four years ago. The first year it was all hype – with no products, few vendors realized that cloud computing had nothing at all to do with NOAA, and plenty of security pros thought they could just block the cloud at the firewall. The following year was all cloud washing, as booths branded themselves with more than sticky notes saying “We Heart Cloud,” but again, almost nobody did more than wrap a custom-hardware-accelerated platform onto a commodity hypervisor. But the last year or so we saw glimmers of hope, with not only a few real (okay, virtual) products, cloud curious security pros starting to gain a little experience, and more honest to goodness native cloud products. (Apologies to the half-dozen cloud native vendors who have been around for more than a few years, and don’t worry, we know who you are.) We honestly hoped to drop the cloud from our key themes, but this is one trend with legs. More accurately, cloud computing is progressing nicely through the adoption cycle, deep into the early mainstream. The problem is that many vendors recognize the cloud will affect their business, but don’t yet understand exactly how, and find themselves more in tactical response mode. They have products, but they are mostly adaptations of existing tools rather than the ground-up rebuilds that will be required. There are more cloud native tools on the market now, but the number is still relatively small, and we will still see massive cloud washing on the show floor. While we’re at it, we may was well lump in Software Defined Networking, though ‘SDN-washing’ doesn’t really roll off the tongue. Two areas you will see hyped on the show floor which provides real benefits are Security as a Service (SECaaS – say it loud and love it), and threat intelligence. Vendors may be slow to rearchitect their products to protect native cloud infrastructure and workloads, but they are doing a good job of pushing their own products into the cloud, and collective intelligence breaks some of the information sharing walls that have held security back for decades. But here is all you need to know about what you will see across the show – big financial institutions are all kicking around various cloud projects. The sharks smell the money, unlike in previous years when it was about looking good for the press and early adopters. In the immortal words of the great sage Jimmy Buffett, “Can you feel them circling honey, can you feel them schooling around? You got fins to right, fins to the left, and you’re the only game in town.” Share:

Sitting at my feet is the brand spanking new Kindle I ordered for XX1. It arrived before the snow and ice storm hits the ATL, so we got pretty lucky. She’s a voracious reader and it has become inefficient (and an ecological crime) to continue buying her paper books. She has probably read the Harry Potter series 5 or 6 times, and is constantly giving me new lists of books to buy. She has books everywhere. She reads on the bus. She gets in trouble because sometimes she reads in class. It’s pretty entertaining that the Boss and I need to try to discipline her, when her biggest transgression is reading in class. I kind of want to tell the teacher that if they didn’t suck at keeping the kid’s attention, it wouldn’t be a problem. But I don’t. I have used the Kindle app on my iOS devices for a couple years. I liked it but my older iPads are kind of heavy, so it wasn’t a very comfortable experience to prop on my chest and read. I also had an issue checking email and the Tweeter late at night. So I bought a Kindle to just read. And I do. Since I got it my reading has increased significantly. Which I think is a good thing. So I figured it was time to get XX1 a Kindle too. The Boss was a bit resistant, mostly because she likes the tactile feeling of reading a book and figured XX1 should too. Once we got past that resistance, I loaded up the first Divergent book onto my Kindle and let her take it for a test drive. I showed her two features, first the ability to select a word and see it in the dictionary. That’s pretty awesome – how many kids do you know who take the time to write down words they don’t know and look them up later? I also showed her how to highlight a passage. She was sold. A day and half later, she was ready for book 2 in the Divergent series. Suffice it to say, I loaded up book 3 as well, preemptively. Of all the vices my kids have, reading is probably okay. Before I go to bed tonight I will set up her new device and load up a bunch of books I have which I think she’ll like. We will be snowed in for at least a day, so they will give her something to do. The over/under in Vegas is that she reads two books over the next couple days. I’m taking the over. What’s really cool is that in a few years, she will hardly remember carrying a book around. That will seem so 2005. Just like it seems like a lifetime ago that I loaded up 40-45 CDs to go on a road trip in college (or cases of cassette tapes when I was in high school). Now I carry enough music on my phone to drive for about 3 weeks, and never hear the same song twice. It’s the future, and it’s pretty cool. –Mike Photo credit: “Stack of Books” originally uploaded by Indi Samarajiva Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and, well, hang out. We talk a bit about security as well. We try to keep these less than 15 minutes, and usually fail. Feb 10 – Mass Media Abuse Feb 03 – Inevitable Doom Jan 27 – Government Influence Jan 20 – Target and Antivirus Jan 13 – Crisis Communications 2014 RSA Conference Guide We’re at it again. For the fifth year wea re putting together a comprehensive guide to what you need to know if you will be in San Francisco for the RSA Conference at the end of February. We will also be recording a special Firestarter video next week, because you obviously cannot get enough of our mugs. Key Themes Key Theme: Retailer Breaches Key Theme: Big Data Security Key Theme: APT0 And don’t forget to register for the Disaster Recovery Breakfast Thursday, 8-11 at Jillian’s. Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. The Future of Information Security Implications for Cloud Providers Implications for Security Vendors What it means Six Trends Changing the Face of Security A Disruptive Collision Introduction Leveraging Threat Intelligence in Security Monitoring Quick Wins with TISM The Threat Intelligence + Security Monitoring Process Revisiting Security Monitoring Benefiting from the Misfortune of Others Advanced Endpoint and Server Protection Assessment Introduction Newly Published Papers Defending Data on iOS 7 Eliminating Surprises with Security Assurance and Testing What CISOs Need to Know about Cloud Computing Defending Against Application Denial of Service Security Awareness Training Evolution Firewall Management Essentials Continuous Security Monitoring Incite 4 U Hot or Not: We spend a ton of time working with security startups (and lately cloud startups looking for security help). So we will be the first to admit we don’t know all of them, and it can sometimes be hard to evaluate broad market perception – our instincts and research are good but we don’t do quantitative market surveys. Justin Somaini just published his personal survey results on security startups and issues and it’s pretty interesting. (Full disclosure: Justin is Chief Trust Officer at Box, who is licensing a paper of ours). Justin got 500 responses from people rating the perceived value of every security startup he could find, and also teased out a bit on perceived top security issues. I’m sure there is survey bias, but if you want a sense of which startups have the best recognition this is a great start, and Justin published all the results in the open, just the way we like it. (Note to Mike: I call dibs on the new prospect list.). – RM Attacks are