1. Application Control / Whitelisting Solutions. Whitelisting solutions change the security approach from one that allows software to install/run unless otherwise specified on a “blacklist” (“default allow”) to one that requires explicit permissions on a “whitelist” for software to be executed (“default deny”).

Clearly, the goal of whitelisting is to reduce the number of malware infections by preventing unidentified software from running thus saving the aforementioned recovery costs. Given the common predisposition for organizations to consider infections separately from incidents, whitelisting solutions also are intended to reduce the likelihood of a bigger incident.

The tradeoff for whitelisting solutions is determining whether costs associated with false positives – legitimate software that is kept from running – will offset these additional benefits. Generally speaking, the more dynamic and decentralized an organization is, the larger the problem. Nowadays, whitelisting solutions have varying ways to deal with this known issue.

2. Sandboxes and Virtual Machines. Perhaps the most varied set of solutions addressing malware these days are the sandboxes and virtual machines. Some sanboxes – primarily on the network – are designed simply to provide an out-of-band (and sometimes near-real-time) environment to execute suspicious software and determine whether it is malware. As with whitelisting, the goal is to identify more malware more quickly, thereby reducing costs.

Other solutions – focused on the endpoint – actually isolate the production operating environment to reduce recovery costs by reducing the downtime associated with re-imaging a solution, and/or reduce the impact by containing malware in an environment separate from other production resources.

There are some tradeoffs in the sandbox/virtual arena depending on the architecture. Network solutions may not see as much traffic in highly mobile environments. Endpoint solutions have performance considerations and/or architectural dependencies to consider.

3. Active Forensics. Recently, a number of solutions have arisen to offer a near-real-time approach to forensics. By recording system calls and/or scanning system state looking for anomalies, their goal is to identify malware infections within shorter time periods than existing methods can.

Active forensics solutions look to reduce the costs of recovery by providing detailed information on changes that were made by malware so a responder can recover more quickly. In addition, the solutions provide comprehensive information so that recovery may be possible without re-imaging. In environments where users can install their own software, this could significantly reduce end-user productivity losses associated with recovery techniques. In addition, active forensics attempt to reduce the time-to-discovery such that further exploit and escalation chances are reduced.

The tradeoff with active forensics is determining whether the detailed information is enough to ensure completeness of recovery so that recovery without re-imaging is a possibility. On the risk side, enterprises must determine whether the new insight provided will lead to a fast enough response time to offset the cost of the solution.

Each of these product categories (as well as others) have a value proposition that may provide benefits to organizations looking to augment their antimalware protection programs. The key is for companies to understand exactly what benefits they provide and decide for themselves which particular type of solution, if any, is likely to have the largest benefit.

Pete Lindstrom is Principal and VP of Research for Spire Security, LLC, a research and advisory firm. Learn more about Advanced Malware Protection by “Drinking from the Firehose” in New York City on 9/17/13. Details at www.regonline.com/AMPFirehoseNYC. Complimentary access for those who qualify. Contact petelind@spiresecurity.com for details.

1. Need. I choose the word “need” with caution, since, as you will find out below, it does not necessarily mean there is “demand” for a better solution. However, I don’t think techrisk professionals can deny that the malware dropping attack vector is alive and well. It is highlighted as the key to the Aurora attacks that catalyzed the “advanced persistent threat” concern.
2. Varied Solutions. There are a number of vendors that have cropped up through the years with solutions to address the malware problem, and the techniques vary significantly. Whitelisters only allow identified executables to run; sandboxes isolate malware and/or identify actions; and real-time forensics track system calls and/or configured state.
3. Mature Market. Even with an identifiable need and newer interesting solutions, the most powerful security market in the world – antivirus (nee antimalware) – operates in pseudo-commodity mode and dominates in endpoint security.

As an industry analyst, I have had the opportunity to interview over a dozen solution providers and even more enterprise security architects and executives on the state of antimalware in the enterprise. Here are a few of my conclusions:

• Companies are moderately satisfied (and perhaps complacent) with their existing antimalware solutions. They acknowledge that these solutions are not blocking all malware but believe that every solution in the category has similar problems and so are reluctant to switch.
• The only factor that could affect existing signature-base antimalware is price – a lower-cost solution (which many agree is unlikely) could have a strong-enough value proposition. Notably, a few organizations are evaluating Microsoft’s free antimalware solution as one of these alternative options.
• Organizations are looking to gain more benefit from their existing antimalware solutions. Many are still focused on signature-based functionality and are now looking at more advanced capabilities. In addition, organizations are considering and employing new capabilities like Microsoft’s EMET functionality.
• For those times when malware gets through and infects a system, re-imaging is the standard approach, though some organizations are mildly reluctant to do it. Most of these malware infections are not classified as “incidents” per se – there is an ad hoc evaluation process to decide whether any infection should be escalated into being classified as an incident.
• Organizations are looking at architectural changes and not product changes when it comes to endpoint client-side security. This means they are focusing on BYOD and/or VDI (or even dumb terminals) as options in their client security strategies.
• Control over (physical) clients continues to relax, with certain “pockets” of exceptions (kiosks or manufacturing systems). For some, this was after a long period of control strengthening (e.g. finally taking away local administrative rights).

As I mentioned at the start, the market dynamics fascinate me here. I don’t think there is a techrisk professional left that believes signature-based antimalware is “good enough” and yet we see its dampening impact everywhere. At this stage, it has simply become the “checkbox compliant” easiest approach.

As someone extremely interested in cybersecurity economics I am encouraged by the attention being given to the bottom line – organizations should be very careful about cost-benefit in their security programs. While some of the organizations I interviewed had done a comprehensive analysis, it appeared to me that a number of organizations had not undergone a thorough review of their strategies.

I will be addressing these issues at my “Drinking from the AMP Firehose” workshop in New York City in a couple of weeks. The workshop concept was driven by these ideas and aims to break through the logjam brought on by complacency and confusion. Regardless of the conclusions that individual organizations come to, I think the entire field will be better off for it.

Pete Lindstrom is Principal and VP of Research for Spire Security, LLC, a research and advisory firm. Learn more about Advanced Malware Protection by “Drinking from the Firehose” in New York City on 9/17/13. Details at www.regonline.com/AMPFirehoseNYC.

“Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure”

and

“Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT).”

So, surprise, surprise we are getting folks discussing whether this actually fits in the most ambiguous category in the history of infosec – APT, and heck I am going to throw in my literal interpretation for the single word that actually has some specificity associated with it: Persistent. I suppose you could look at it two different ways – persistent in the manner of identifying recurring attacks from the same source, or persistent in its ability to compromise resources and stick around for a while. Neither seem to be the case here.

I feel RSA’s pain, because there is no honor in being hit with your general garden-variety plain old “T” especially if you are a security company. But they should also feel better because as we know both “Ts” and “APTs” use the same techniques… which of course also means that you can’t tell if it was an APT or not unless you have recurring information of correlated attacks or actually find out their motives later.

Seriously, are we really going to be stuck for the rest of our careers deciding what is or isn’t an APT? Let’s hope the term flames out quickly.

It started with Google suggesting (but not explicitly stating) that the Chinese government was responsible for a series of attacks against a few dozen U.S. companies. Many folks took up the charge, further strengthening the position that the Chinese government was involved with sparse new evidence but significantly more outrage. (There was some recognition that it is difficult to confirm the source of any attack let alone one coming from a country of several billion.)

The APT advocates are adamant that APT is something new and worthwhile despite the fact that they can’t say much more about it. Detractors simply laugh and say there is nothing new here. Marketers salivate because they know that new or not they have a great buzzworthy term around which to plan their next marketing campaign, to the chagrine of the advocates and the chiding of the detractors.

My take:

Whether or not APT is new only matters to the extent that it can (or should) change the nature of the defender. So, a change to the “heart and mind” of the threat is insignificant unless it provides us with some other means of defense. For those in the military-industrial complex, there may be diplomacy methods or other stealthy actions that can be taken to address the APT. But for most, there isn’t a change here.

It is worth noting two different aspects of APT that are meaningful as we continue to develop our defenses. First, there is an increase in risk. APT is indicative of a higher benefit to the attacker and therefore a higher level of threat to the defender. In addition, given the persistence of the attacker it is reasonable to believe that the consequences could be higher. Therefore, overall risk is increased.

Second, there may be a shift in focus from incidence to prevalence. In epidemiology, this is the difference between the number of new instances of compromise to the total number of compromises at any given point in time.  This may trigger a move from prevention to (compromise) detection.

There is a power struggle going on between attacker and defender that will determine the extent to which detection techniques should be emphasized. As prevalence numbers go up (if they go up) then more attention is needed on detection.

As far as the marketing buzzworthiness is concerned, it is not something generally controllable by security professionals, so a little serenity praying can go a long way. My recommendation is to ignore it.

1. Hidden Manipulation
2. Cookie Poisoning
3. Backdoor and Debug Options
4. Buffer Overflow
5. Stealth Commanding
6. 3rd Party Misconfiguration
7. Known Vulnerabilities
8. Parameter Tampering
9. Cross Site Scripting
10. Forceful Browsing

Looks like a pretty timely list, doesn’t it? Actually, I pulled this list out of my archive. I got it from Sanctum when they called it “10 Types of Web Perversion” (yes, I spent a lot of time trying to convince them not to call it perverse). My list is from September, 2000.

For comparison, here is what OWASP’s Top Ten Web Security Risks for 2010 (at least the release candidate):

1. Injection
2. Cross-Site Scripting
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross Site Request Forgery
6. Security Misconfiguration
7. Failure to Restrict URL Access
8. Unvalidated Redirects and Forwards
9. Insecure Cryptographic Storage
10. Insufficient Transport Layer Protection

Congratulations!

Canary accounts are a great idea (and its a great name for the concept). I believe there was a company out there at one point that would do this for individuals and their email addresses, and I've talked to a few folks who have used the concept in databases. It requires good planning to ensure that all business processes are factored into managing the accounts.

In this case, a quick scan of Amazon's Mechanical Turk reveals all sorts of "hit" opportunities to add comments, reviews, and other feedback for various entities – websites, photo sites, personal injury lawyers (yep, saw that one), etc…

Once again, it isn't like this stuff wasn't happening already, but online reputation in today's world is too flimsy to be useful. That is why adding "real name" tags like Amazon does is so meaningful.

Doesn't scale as well as a real botnet, but there are some possibilities here…

What is more interesting to me is how you might use the passive takeover of a control server (the way F-Secure and the German researchers did) to further security. So this is more like a detection mechanism that may then communicate with a responsder that is authorized on the same client.

For example, Symantec could intercept communications at the botnet server level through passive takeover (I don't support actively hacking a botnet server unless given explicit authorization by some authority) and then either set up its own version of a "real-time blackhole list" for compromised clients and/or communicate with those clients it has an agent on to respond to the problem.

This still doesn't eliminate the problem of false accusation should someone replace a botnet server…