Some of the issues they explored include:

1. You have more virtual systems than you know: Virtual sprawl is the ability to rapidly provision systems. However, it can also increase vulnerabilities such as unknown systems that aren’t properly patched or kept up with from a configuration or security standpoint. Understanding everything in your environment is a major problem in the virtual world. It’s really all about inventory, and keeping up with systems and making sure you’ve got change management in place.

2. You aren’t leveraging virtualization for security: Virtualization is like a double-edged sword from a security and operational efficiency perspective. On one side, virtualization gives an organization the ability to tighten and standardize everything in an environment, making sure it is all being kept up to date. On the flip side, if the foundations aren’t in place from the start things like change management can go completely off track.

3. You need more visibility: In the virtual world, you have to keep tabs on everything in your physical and virtual environments. Monitoring virtual network traffic, particularly between VMs, can be difficult. In order to understand everything that’s running in a virtualized environment, organizations need to take a step back and look at what their entire security looks like. Visibility is critical to making sure you know the condition of all your systems and servers, and that they are being fully utilized.

4. All eggs are in one basket: Dumping the responsibility of running and maintaining virtualized platforms onto one group is a frightening picture, not to mention a step backwards in the concept of separation of duties. While nobody wants one group to have this type of control over their infrastructure, that’s exactly what’s happening with most of these virtualized platforms. What you want is very specific rules within an organization so each group can maintain their own areas.

5. You’re back to 1997 for network security: The reality of virtual environments is you don’t get in-depth security capabilities out-of-the-box with any virtual solution. Often times, you find yourself relying on VLANs for security because that’s all you’ve got. As far as security is concerned, that’s like stepping back into 1997 for network security, and that’s no place you want to be. To meet your security and policy requirements, you need to think about your existing physical infrastructure and try to match that inside your virtual environment.

6. Your existing security programs are probably not adapted for virtualization: Most security programs need to adapt a bit to accommodate virtualization. Evaluating where virtualization affects security operations and creating policies that address virtual systems or include virtualization in existing policies is a good place to start. While things are going to vary from organization to organization, the fact is infrastructures are changing, which makes it worthwhile to move ahead and adapt like everyone else.

7. Your auditors probably don’t know what’s going on: Most auditors are not comfortable with virtualization technology. They generally don’t understand the fundamental concepts of virtualization and how everything impacts different data classification levels and compliance data versus non-compliance data. Part of the education process includes making sure all internal audit teams understand all of the controls that are inherently available within the platforms and tools that are already in place.

8. Storage is a huge security hole: Storage is fundamental to virtualization deployment. Unfortunately, security and storage don’t often mingle in the same circles. Because there are typically no strong access control mechanisms in place with most storage deployments, which can create flaws in the virtualization platform, it’s now critical that organizations implement a defense-in-depth strategy in the storage infrastructure for protecting their virtual environments.

9. Virtualization software DOES have vulnerabilities: No system is perfect. Even for virtualization software, exploit POC code and malware attack toolkits are available for hackers to penetrate a virtual environment. The key is to keep up with what’s going on in the realm of virtualization and vulnerabilities, which are constantly evolving and becoming more sophisticated every day.

10. Availability is the new No. 1: While most security folks focus on confidentiality and integrity, virtualization architectures require availability to be a top priority for your business and operational teams. With a shared pool of resources relying on the availability of multiple systems, a different approach is needed. Organizations need to change the way they use traditional antivirus and anti-malware agents that are increasingly ineffective and consuming too many resources that impact day-to-day operations.

In order to succeed in the virtual world, there are lots of things to think about when it comes to security. The first step is to re-evaluate what you are doing today and figure out how your existing security processes can be re-worked to accommodate virtualization. This requires working with the virtualization and other IT teams to make sure you’ve carefully delineated the roles to better match what you’ve had in place to begin with. Also, making sure the storage infrastructure is secure should not get left out.

All in all, putting more new tools that are a little more “virtualization conscious”, and that have resource-consumption issue top of mind, are critical to alleviating security tools that eat up resources. This is part of the reason why people are turning to application whitelisting and application control for virtual environments. With solutions like CoreTrace’s Bouncer application whitelisting, you’re not running virus scans that consume valuable resources on every virtual machine, which is resulting in poor performance and denial of service incidents. You have a sure list of what’s allowed to run and what’s not allowed to run.

While blacklisting is still useful for identifying known malware already on your endpoints, the fact is organizations are getting hit more than ever despite running the latest security sweeps from all the major vendors. Blacklist simply cannot keep up anymore. Having total control of what is running on your box prevents the malware from executing. As your infrastructure changes with virtualization, you have to adapt for the long haul. This is why we believe application whitelisting and application control is the approach that’s needed to protect today’s rapidly changing virtual environments.

On the surface, this week’s breach of 90,000 military e-mails and password hashes may look the same. After all, the hackers claiming responsibility for the break-in did so through an unsecured server in a network that basically had no security measures in place. What’s different about this attack, however, is the exploited server was not the military’s. The server belonged to government contractor, Booz Allen Hamilton. In other words, this criminal strategy went beyond the walls of an organization’s own network defenses.

In the case of the Epsilon security breach, where millions of customer email addresses were compromised, hackers targeted a single entity to steal private data on many of the marketing giant’s big-name customers like Chase, Citi and Target. The Booz Allen hack reverses that scenario. Instead of going after one to get to many, cyber criminals targeted multiple entities to get to one.

Much like the supply chains of the 1990s that tied systems together, today’s business enterprises are built on the same idea. Unfortunately, with a number of different partners connecting in real-time to a central network, an organization’s security is only as good as its partners’ security practices. If even a single partner does not adhere to today’s best practice security standards, what will result is a weakest link of the chain. Cyber criminals know this, and this week’s military breach is a prime example of what happens when hackers exploit a business partner to get to another business.

In today’s world, the epicenter of a cyber attack isn’t necessarily at the core of your network anymore. With so many endpoints connecting to your enterprise, how can you protect yourself when you can’t control the assets people use to get to your network? The fact is, organizations and people are getting hit in and between companies. The fight against cyber crime is becoming more about the weakest link in the entire value chain, not the organization, itself.

Insisting on best practice security standards from all of your partners can be a first step to protecting your endpoints from attacks that start outside of your network. However, relying on your partners to maintain updates to ensure your corporate policies are enforced can potentially leave your network vulnerable to outside attacks. That’s why when pushing security standards, we recommend mandating a proactive security posture for your own endpoints and those of all of your partners. Naturally, we feel strongly that deploying an application whitelisting solution like CoreTrace Bouncer is a key component of that proactive strategy.

On one hand, whitelisting stops all unauthorized applications from running, essentially blocking any malicious/unauthorized software from executing on all network endpoints–regardless of whether it was a previously known application/attack or a new, unknown one. But as Richard Stiennon observes, simple whitelisting can be too restrictive and potentially require too much administrative overhead to maintain. On the other hand, blacklisting stops known bad applications from exploiting a system, but lets programs execute on a system by default if they are not on the blacklist. This reactive approach means users can execute software, including malicious attachments, thereby leaving networks and data vulnerable until after a threat is identified. Blacklisting also forces a steady stream of patching requirements and fire-drill reactions that become a black hole of IT time and money (e.g., trouble shooting poorly functioning machines, reimaging and even purchasing new systems prematurely).

As the whitelisting versus blacklisting debate rages on, instead of focusing on the limitations or weak points of each technology, what we should really be discussing are the strengths that these two fraud detection super powers bring to the table — and when used together — can help organizations gain complete control over all applications across their enterprise. CoreTrace calls this Total Application Control (TAC). (Basically, we need to create the “Blue Ocean” strategy for endpoint security. If you are unfamiliar with the concept/book, check out: www.blueoceanstrategy.com.)

First, we need to clear some of the misconceptions that many still have, such as whitelisting being the same as “lockdown,” or that it doesn’t include cloud-based blacklists. The truth is, today’s leading application control solutions like CoreTrace Bouncer have evolved beyond straightforward whitelisting functionality. They’ve addressed the shortcomings around basic application whitelisting and blacklisting products by leveraging both technologies to provide the visibility organizations require to see all known good and bad applications in their environment. For a solution to achieve Total Application Control, it minimally needs to include three essential components:

1. Application Whitelisting: Whitelisting on all endpoints as the enforcement mechanism to ensure established policies are enforced and all unauthorized applications are prevented.

2. Change Management: The ability to seamlessly handle change (new authorized applications and upgrades) even in dynamic environments without impacting IT production or user productivity.

3. Cloud-based Whitelists… and Blacklists: Cloud-based reputation service to assign risk profiles to all applications, including identifying known-good applications and any known pieces of malware. “Cloud-based” is key phrase: use the information in a offline capacity, so as to not impact system performance with onerous scans.

I’ve often wondered if hackers are taking full advantage of the rhetoric that goes on between competitive security vendors, who despite having the same anti-malware objectives, continue to create a cloud of confusion throughout the industry that actually stalls innovation, and new proactive ways to defend networks against more dangerous modern malware. Maybe bringing longtime adversaries like whitelisting and blacklisting together to create Total Application Control is the last thing cyber criminals want to see. We certainly think so.

So stop debating and start controlling your systems with a blend of the top defense mechanisms. Move past confusion and into enlightenment and receive all the control and performance benefits of whitelisting with the reporting and compliance benefits of offline blacklisting.

That said, what continues to baffle me is the ongoing practice of re-applying beatable security technologies to evolving malware, and expecting a different outcome. Time and time again, we’ve seen how increasingly ineffective traditional anti-malware products like antivirus software are at stopping modern attacks.

More recently, we’re seeing how cyber criminals can rapidly rewrite code overnight to evade even the latest security updates. The article, “Apple’s malware detection update circumvented in 8 hours,” shows us how quickly malware developers are creating new variants that can bypass security updates mere hours after the update is available. But this doesn’t apply to Macs alone. I’ve also recently talked about the Microsoft security update that was out all but three days before hackers were conducting active attacks on the same patched vulnerability.

The way I see it, it’s wrong to apply a known broken security approach to any platform, but especially wrong to do so on new ones. Whether it is a Mac, Linux, tablet or smartphone, why on earth would you use an old, ineffective approach to secure a new platform?? Doing so puts your network endpoints and critical business data at risk, and it gives cyber criminals the upper hand.

Putting short-term fixes on long-term problems is not the answer. Instead of deploying reactive solutions and hoping for the best, we need to approach IT security with a proactive vision in mind. We need a solution that provides proactive security, minimal performace impacts and clear visibility / risk profiling of all applications installed in our environment. What we need are application control solutions like CoreTrace Bouncer.

In the article, “Hackers move fast to exploit just-patched IE bug,” Symantec reported that after Microsoft issued a patch for 11 bugs in Internet Explorer last week, active attacks were spotted on one of the “patched” vulnerabilities just three days later. Although the vulnerability has seen limited attacks at this point, it is another in a long line of examples that demonstrate why enterprises need multiple layers of protection–most of which truly need to be completely out of the hands of users.

What good are security updates if hackers can jump right back in and exploit the same vulnerability? Honestly, the impact of an unpatched vulnerability would be significantly less if the endpoint protection (specifically antivirus technology) was effective at stopping the payload. As is becoming more and more evident, this is not the case. Traditional antivirus solutions are continuing to fall further behind in stopping the growing volume of malware exploits and variants.

[Time for the shameless plug. You can exit now if you don't want to know how to help actually solve the dilemma.]

Rather than reactively patching or depending on blacklists to identify and stop the tens of thousands of new online threats that come along each day (60,000 a day, according to Gartner), organizations need to take a proactive approach to not only protect their endpoints from all known and unknown malware threats, but also gain total application control of their systems to allow only what they want to run on their networks at all times.

CoreTrace’s Bouncer application whitelisting solution does this by providing complete insight and control over all installed applications across a highly distributed environment. By combining total application control with advanced, non-intrusive self-defending mechanisms, Bouncer helps organizations stop all known bad and unauthorized applications from running on any endpoints–including those that exploit a known, unpatched vulnerability.