<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace&#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/blacklisting/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 30 Jul 2010 14:33:34 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>It’s pretty cool when your baby really ISN’T ugly…</title>
		<link>http://www.coretraceblogs.com/2010-07/it%e2%80%99s-pretty-cool-when-your-baby-really-isn%e2%80%99t-ugly%e2%80%a6/</link>
		<comments>http://www.coretraceblogs.com/2010-07/it%e2%80%99s-pretty-cool-when-your-baby-really-isn%e2%80%99t-ugly%e2%80%a6/#comments</comments>
		<pubDate>Fri, 30 Jul 2010 14:33:34 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application intelligence]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[CSI]]></category>
		<category><![CDATA[trusted change]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1951</guid>
		<description><![CDATA[You’ve all been there before.  You’re having dinner with friends and out come the baby pictures.  Inevitably, you are listening to a set of parents who are gushing about the fact that their child is the next Fabio or Christy Brinkley and THEN you see the picture…
Well, I find myself in the position [...]]]></description>
			<content:encoded><![CDATA[<p>You’ve all been there before.  You’re having dinner with friends and out come the baby pictures.  Inevitably, you are listening to a set of parents who are gushing about the fact that their child is the next Fabio or Christy Brinkley and THEN you see the picture…</p>
<p>Well, I find myself in the position today of being the doting parent.  Only in this case, the “child” is a major overhaul of our flagship product, BOUNCER V6.0.  With this new release the “child” has grown into an adult.  You’ll have to pardon my metaphor here, but I believe building a product is, in many ways, like watching your kid grow up.  With V6, we’re realizing the vision we developed for the product when I joined CoreTrace more than 3 years ago.<span id="more-1951"></span></p>
<p>Why is this release so special?  As I’ve said many times before, the historical “knock” against whitelisting (largely propagated by blacklist-based antivirus companies with a revenue stream to protect) was the notion that the management overhead outweighed the significant security benefits.  At CoreTrace we’ve focused like a religion on “operationalizing” application whitelisting.  By this I mean being able to realize the security advantages of whitelisting while at the same time becoming increasingly transparent to the end users and actually easing the burden on the IT shop.   The best of both worlds, if you will.</p>
<p>With whitelisting, that means making it very easy and simple to add and subtract applications from the “whitelist”.   With V6, we do this by adding “self-approval queues” to our already best-in-class “Trusted Change” mechanisms (even the names of these new user privilege options are cool&#8211;&#8221;AllowQ&#8221; and &#8220;BlockQ&#8221;&#8211;with the &#8220;Q&#8221; meaning &#8220;queue&#8221;).   In addition, we’re adding “Application Intelligence” to our product so that the BOUNCER admin can quickly determine if they want to ban or allow applications that are requested through these queues.  Not only does our new CoreTrace Software Intelligence (CSI) service include millions of &#8220;known good&#8221; applications, it also even includes millions of &#8220;known bad&#8221; pieces of malware. That is right; it provides intelligence based on blacklisting! We have always felt that whitelisting and blacklisting would coexist&#8211;we fundamentally believe that the primary enforcement mechanism will be based on whitelisting (for efficacy and performance reasons) and blacklists will be used in a supporting capacity (like ensuring that any *known* malware is identified, stopped and removed from all systems). </p>
<p>Add in a slick new web-based interface and enterprise-class scalability improvements (including a software-only solution, with the management servers shipping as virtual appliances) and it’s recipe for me whipping out my wallet and showing some pictures.   In fact, you can go here for more detailed info on <a href="http://www.coretrace.com/products/BOUNCER_by_CoreTrace/default.aspx" target="_blank">BOUNCER V6</a>.</p>
<p>We’ve been able to preview this release with a great many customers, partners, and analysts.  In all cases, I asked for brutal honesty and feedback.  The reactions have been overwhelmingly positive.  Can’t wait to get this into production environments.</p>
<p>You know, it’s pretty cool when your baby really ISN’T ugly…</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-07/it%e2%80%99s-pretty-cool-when-your-baby-really-isn%e2%80%99t-ugly%e2%80%a6/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The top 5 failures of antivirus</title>
		<link>http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/</link>
		<comments>http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/#comments</comments>
		<pubDate>Mon, 08 Feb 2010 15:43:59 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[patching]]></category>
		<category><![CDATA[whitelisting]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1240</guid>
		<description><![CDATA[I truly believe that 2010 is a turning point in endpoint security. The old antivirus model has reached the end of its practical usefulness and the disadvantages of an approach with a foundation of blacklisting far outweigh its benefits. Operation Aurora and the attacks against major online brands perfectly illustrate the failure of our old [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/back-to-square-one-signpost/" rel="attachment wp-att-1253"><img src="http://www.coretraceblogs.com/wp-content/uploads/2010/02/iStock_failure_sign-303x201.jpg" alt="" title="The top 5 failures of antivirus" width="303" height="201" class="alignright size-medium wp-image-1253" /></a>I truly believe that 2010 is a turning point in endpoint security. The old antivirus model has reached the end of its practical usefulness and the disadvantages of an approach with a foundation of blacklisting far outweigh its benefits. Operation Aurora and the attacks against major online brands perfectly illustrate the failure of our old paradigm to protect endpoints.</p>
<p>Later this week, we are launching a fun (and funny) awareness campaign, called Planet Antivirus, highlighting the weaknesses of antivirus and focusing on the need to completely rethink our approach to how we defend endpoints. Today I am kicking this campaign off by highlighting the top five failures of antivirus technology:<span id="more-1240"></span></p>
<ul>
<li>
<p><strong>Antivirus is a performance hog</strong> &#8212; One of the most common complaints we hear about antivirus is its performance impact. This can weigh heavier on the minds of IT managers than its problems with catching new threats. A perfect example of this is a <a href="http://reviews.cnet.com/Labs/4520-6603_7-5020816-10.html" target="_blank">description from CNET Labs</a> on how they test antivirus:</p>
<blockquote>
<p>&#8220;Antivirus programs are designed to detect and intercept harmful files downloaded to your computer. In order to monitor incoming files, however, antivirus programs &#8212; like all applications &#8212; need to use system resources. The degree to which an antivirus program detrimentally affects a system&#8217;s performance varies from one application to another. CNET Labs tests three areas of antivirus application performance: how deep-file virus scanning impacts overall system performance, how quickly files can be scanned for viruses, and how system boot time is affected by the antivirus program. We also report on how effective the antivirus programs are at identifying viruses by citing the studies of established industry authorities.&#8221;</p>
<p>It is telling that the majority of their test is concerned with how antivirus detrimentally impacts system performance. The effectiveness of the antivirus solution is almost an afterthought.</p>
</blockquote>
</li>
<li>
<p><strong>Antivirus is an after the fact cleaner and it doesn&#8217;t even do that well</strong> &#8212; The simple fact is that antivirus can&#8217;t protect you from getting infected. This is indisputable and has been empirically proven time and again. So why do we still use it? One reason people continue to use antivirus is that it is used to identify infections and to clean up the mess. Unfortunately it doesn&#8217;t even do that well. If you are infected by a particularly nasty piece of malware, many times the best option you have is to completely rebuild your system. There is a great post on this on the Cornell Information Technology site titled, <a href="http://www.cit.cornell.edu/security/respond/wipeclean.cfm" target="_blank">&#8220;Rebuilding Your System Is the Safest Road to Recovery after a Malware Attack,&#8221;</a> that does a good job of making this case:</p>
<blockquote>
<p>&#8220;<strong>Dangerous software hides from repair tools</strong>: The IT Security Office recommends formatting one&#8217;s hard drive followed by a complete software reinstallation in response to a system compromise. Modern malware relies on rootkits to hide itself from antivirus software and administrator analysis. Rootkits use a variety of techniques, such as executable encryption, alternate data streams, innocently-named files or registry keys, concealment in system restore points or patch clusters, or the use of portions of the disk not conventionally accessible to the operating system. These elaborate, and effective, concealment methods make it difficult or impossible to return a computer to a safe, functional state. Often removal of the malware can render the system nonfunctional. Worse yet, incomplete or ineffective removal means the attacker may regain control of the computer.</p>
<p><strong>Complete reinstallation is necessary</strong>: A reinstallation includes not only the operating system, but also application software. It is important to realize that any application software currently on the computer may be tainted by the attacker and only trusted original sources should be used for reinstallation.&#8221;</p>
</blockquote>
</li>
<li>
<p><strong>Antivirus was designed to address a different threat</strong> &#8212; Despite the addition of heuristics and behavioral models to detect variants of malware, the fact remains that blacklisting is the foundation of antivirus and it was designed to address a different threat than today&#8217;s malware. Antivirus originated to protect against propagating threats. These threats either propagated through the sharing of disks and files by individual users or were self-propagating worms that identified weaknesses in networked computers and subsequently infected vulnerable systems. Blacklisting in this model was feasible and effective because it was easy to collect samples of the malware and the set of threats to protect against was limited.</p>
<p>Today&#8217;s threats are different. Today, online crime hinges on the combination of social engineering and vulnerability exploitation that allows the attacker to place a custom piece of malware on the targeted system. This is a much harder problem to solve by blacklisting. The attacks can be customized for uniquely targeted online businesses or groups of businesses with software that would elude even the most sophisticated antivirus solution. My main concern if I were Google or any of the other companies targeted in Operation Aurora wouldn&#8217;t be what data they stole from me, but what malware they left behind to use at another time. Most likely they will have to resort to reinstalling those systems as I mentioned in the previous point.</p>
</li>
<li>
<p><strong>Antivirus updates are too frequent and can cause problems</strong> &#8212; In order to keep up with the exploding world of malware, most antivirus applications issue updates at a very regular interval. This can be as frequently as an update a day in some cases. The problem with this is that not only does it require regular distribution of these updates to all endpoints, with the corresponding performance impact, but the frequency of updates also means that problems caused by the updates are more likely to occur. A decrease in the reliability of signature updates means that many organizations try to test updates before they roll out the new signatures. This simply isn&#8217;t practical. The frequency of signature updates means that testing won&#8217;t work or even be completed before the next update arrives. Organizations either need to revert to a less frequent update schedule to allow testing, potentially extending the time they are exposed to a new threat, or they need to simply trust that the update files from their antivirus company won&#8217;t cause problems. Neither of these options is optimal.</p>
</li>
<li>
<p><strong>Relying on antivirus ties companies to fire drill software patching</strong> &#8212; The side effect of relying on antivirus to protect endpoints is that companies are now tied to reactive software application patching as well. Because we can&#8217;t trust our antivirus software to protect the endpoint, we also must remain constantly aware and vigilant about identifying and fixing vulnerabilities in our applications on the endpoint. The resulting combination of rushed patches and signatures is a significant drain on the human resources of an organization.</p>
</li>
</ul>
<p>2010 needs to be the year that we begin a healthy discussion of completely re-evaluating the approaches we use to protect our endpoints.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Memory Protection is an Important Component of Application Whitelisting Solutions</title>
		<link>http://www.coretraceblogs.com/2009-10/memory-protection-is-an-important-component-of-application-whitelisting-solutions/</link>
		<comments>http://www.coretraceblogs.com/2009-10/memory-protection-is-an-important-component-of-application-whitelisting-solutions/#comments</comments>
		<pubDate>Wed, 14 Oct 2009 22:08:21 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[whitelisting]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=656</guid>
		<description><![CDATA[More companies than ever are looking at alternatives to blacklist antivirus. It isn&#8217;t hard to see why. Rampant botnets, endless patching, and signature distribution that simply can&#8217;t keep up with the threat are just a few of the reasons why IT and security professionals are looking for viable alternatives to protect their endpoints. Even Gartner [...]]]></description>
			<content:encoded><![CDATA[<p>More companies than ever are looking at alternatives to blacklist antivirus. It isn&#8217;t hard to see why. Rampant botnets, endless patching, and signature distribution that simply can&#8217;t keep up with the threat are just a few of the reasons why IT and security professionals are looking for viable alternatives to protect their endpoints. Even Gartner Group has said it is <a href="http://blogs.gartner.com/john_pescatore/2009/09/01/twelve-word-tuesday-id-start-over-again-on-desktop-security/" target="_blank">time to start over on desktop security</a>.<span id="more-656"></span></p>
<p>As people search for alternatives, application whitelisting has moved to the front as the most promising technology to address today&#8217;s endpoint security failures. That said, as with any new technology, there are challenges to be addressed. With whitelisting, these can include how to properly baseline an existing system that may already be infected, as well as how to manage updates and changes to applications. Another challenge with whitelisting systems is how to address memory-based attacks that target applications which are themselves whitelisted.</p>
<p>Attacks that inject code into existing processes in memory can bypass most of today&#8217;s whitelisting solutions (not to mention almost all blacklist-based ones) and are an important consideration for companies considering moving to application whitelisting. Ideally, a whitelisting solution should be able to look at all running processes and track the originating binary application rather than associating the injected code with the application that loaded it. On our site, we provide a <a href="http://coretrace.com/resources/demos/CoreTrace_Demos--Memory_Protection_with_BOUNCER.aspx" target="_blank">demonstration of how these attacks can work</a>, taking advantage of a browser application for example, and explain the approach we take to stop these attacks.</p>
<p>Protection from these types of attacks is particularly important on servers that tend to run continuously and are rarely restarted. Single-purpose machines, point-of-sale systems, SCADA systems and other servers are especially attractive targets for memory-based attacks.</p>
<p>The discussion has already begun. Companies are very seriously looking at how application whitelisting can be added to their endpoint security strategy. Be sure you don&#8217;t neglect protecting against attacks that target active processes in memory.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2009-10/memory-protection-is-an-important-component-of-application-whitelisting-solutions/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Observations from IANS &#8216;09 Information Security Forum &#8211; Day 1</title>
		<link>http://www.coretraceblogs.com/2009-10/observations-from-ians-09-information-security-forum-day-1/</link>
		<comments>http://www.coretraceblogs.com/2009-10/observations-from-ians-09-information-security-forum-day-1/#comments</comments>
		<pubDate>Thu, 01 Oct 2009 12:20:09 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[IANS]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=608</guid>
		<description><![CDATA[I&#8217;m here this week in Boston, MA attending the IANS 2009 New England Information Security Forum. It&#8217;s a great, interactive conference of security professionals sharing their experiences and observations of the current environment for enterprise security. Here are my thoughts from Wednesday&#8217;s sessions.
The IANS founders kicked things off with some intro &#8220;keynote&#8221; observations.

Signs of economic [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;m here this week in Boston, MA attending the IANS 2009 New England Information Security Forum. It&#8217;s a great, interactive conference of security professionals sharing their experiences and observations of the current environment for enterprise security. Here are my thoughts from Wednesday&#8217;s sessions.</p>
<p>The IANS founders kicked things off with some intro &#8220;keynote&#8221; observations.</p>
<ul>
<li class="margin_bottom_1em">Signs of economic recovery may bode well in the fight against crimeware. According to the founders (I am not sure I completely agree yet) economic indicators (using the Dow and NASDAQ) show that we are back to where we were this time last year. The founders made a point that a tough economy is correlated to an increase in crimeware.<span id="more-608"></span></li>
<li class="margin_bottom_1em">There is a significant amount of concern about increasingly sophisticated APT&#8217;s (advanced persistent threats) and their proliferation. These threats are designed to bypass blacklist antivirus. These threats get on a box and then morph to avoid detection by new signatures distributed by the antivirus vendors. The general dissatisfaction with existing desktop security solutions, i.e. antivirus, is evident.</li>
<li class="margin_bottom_1em">Cloud computing remains a hot topic. Revenue from these services is expected to triple from 2008-2012.</li>
<li class="margin_bottom_1em">Desktop virtualization is a key CIO initiative, and security teams are trying to keep up. One professional quipped that &#8220;the virtualization train is flying down the tracks without brakes and the security caboose isn&#8217;t even attached.&#8221; Organizations will clearly need to address virtualization in their overall security plan.</li>
<li class="margin_bottom_1em">The security implications of social networking were a point of significant concern and merited an individual session by Allen Carey, SVP of research for IANS. I believe that social networking in business is inevitable as users demand access; social media is simply too tied up with business to eliminate from the enterprise. In addition to use policies, security teams will need a solution to prevent drive-by malware and ensure link integrity.</li>
<li class="margin_bottom_1em">As a representative of an application whitelisting company, I was especially encouraged to see that interest in application whitelisting is growing, as evidenced by full sessions and lively discussions. In general, all the feedback we got from attendees was positive, especially with respect to our key capabilities around trusted change and memory protection. Attendees emphasized the need for &#8220;enterprise scalability&#8221; with whitelisting, but defined it in both technical and operational terms. The operational terms were focused on handling new applications and updates. We certainly agree with this and see the way whitelisting vendors handle application updates as the key to success. Our &#8220;trusted change&#8221; concept was very well received.  Following our session 80% of the attendees joined us for lunch to continue the discussion.</li>
</ul>
<p>All in all this was a great first day and I look forward to today&#8217;s sessions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2009-10/observations-from-ians-09-information-security-forum-day-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A look at application whitelisting in control systems on Digital Bond</title>
		<link>http://www.coretraceblogs.com/2009-09/a-look-at-application-whitelisting-in-control-systems-on-digital-bond/</link>
		<comments>http://www.coretraceblogs.com/2009-09/a-look-at-application-whitelisting-in-control-systems-on-digital-bond/#comments</comments>
		<pubDate>Mon, 21 Sep 2009 21:52:49 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[NERC]]></category>
		<category><![CDATA[whitelist]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=545</guid>
		<description><![CDATA[Jason Holcomb, from Digital Bond, recently attended a live implementation of CoreTrace&#8217;s award-winning BOUNCER application whitelisting product. He has a great post about his impressions on whitelisting in general, as well as his experience using BOUNCER on a control system server. His reaction?

&#8220;My overall impression: this is an elegant and effective solution to some of [...]]]></description>
			<content:encoded><![CDATA[<p>Jason Holcomb, <a href="http://www.digitalbond.com/" target="_blank">from Digital Bond</a>, recently attended a live implementation of CoreTrace&#8217;s award-winning BOUNCER application whitelisting product. He has a great post about his impressions on whitelisting in general, as well as his experience using <a href="http://www.coretrace.com/products/default.aspx" target="_blank">BOUNCER</a> on a control system server. His reaction?</p>
<blockquote>
<p>&#8220;My overall impression: this is an elegant and effective solution to some of the security challenges we face with Windows servers and workstations in control systems.&#8221;</p>
</blockquote>
<p>Jason hits on many of the reasons why application whitelisting has been so popular in the energy industry and why, more than ever, it is being used to <a href="http://www.coretrace.com/products/compliance/NERC/default.aspx" target="_blank">protect critical SCADA and DCS systems as well as meet NERC CIP requirements</a>.<span id="more-545"></span></p>
<p>He goes on to say:</p>
<blockquote>
<p>&#8220;If you have NERC CIP responsibility, some light bulbs are probably going off about now. Can I deploy a product like Bouncer and not have to do AV updates and patches? The CEO of Encari (Matthew Luallen) and the Midwest-ISO chairman (Paul Feldman) make a case for meeting &#8220;both the spirit and letter of the law&#8221; in this whitepaper: Malicious Software Prevention for NERC CIP-007 Compliance. The case is pretty clear for anti-malware. For patching it may at least buy you some time as a compensating control.&#8221;</p>
</blockquote>
<p>Our customers have been discovering that, for their control system and SCADA needs, application whitelisting is a more effective alternative than blacklist anti-virus and patching. Not only is it significantly cheaper and easier to protect your systems in this way, it doesn&#8217;t incur the significant performance penalty that comes with today&#8217;s anti-virus solutions.</p>
<p>We think that application whitelisting is starting to gain significant momentum as an alternative to blacklist anti-virus. Adoption is accelerating in the area of single purpose machines like those in control systems, but is also generating significant interest as a viable alternative in the enterprise as well. The bottom line is that existing endpoint security is simply so broken that people are actively seeking an alternative to the legacy systems they have in place.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2009-09/a-look-at-application-whitelisting-in-control-systems-on-digital-bond/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
