Well, I find myself in the position today of being the doting parent. Only in this case, the “child” is a major overhaul of our flagship product, BOUNCER V6.0. With this new release the “child” has grown into an adult. You’ll have to pardon my metaphor here, but I believe building a product is, in many ways, like watching your kid grow up. With V6, we’re realizing the vision we developed for the product when I joined CoreTrace more than 3 years ago.

Why is this release so special? As I’ve said many times before, the historical “knock” against whitelisting (largely propagated by blacklist-based antivirus companies with a revenue stream to protect) was the notion that the management overhead outweighed the significant security benefits. At CoreTrace we’ve focused like a religion on “operationalizing” application whitelisting. By this I mean being able to realize the security advantages of whitelisting while at the same time becoming increasingly transparent to the end users and actually easing the burden on the IT shop. The best of both worlds, if you will.

With whitelisting, that means making it very easy and simple to add and subtract applications from the “whitelist”. With V6, we do this by adding “self-approval queues” to our already best-in-class “Trusted Change” mechanisms (even the names of these new user privilege options are cool–”AllowQ” and “BlockQ”–with the “Q” meaning “queue”). In addition, we’re adding “Application Intelligence” to our product so that the BOUNCER admin can quickly determine if they want to ban or allow applications that are requested through these queues. Not only does our new CoreTrace Software Intelligence (CSI) service include millions of “known good” applications, it also even includes millions of “known bad” pieces of malware. That is right; it provides intelligence based on blacklisting! We have always felt that whitelisting and blacklisting would coexist–we fundamentally believe that the primary enforcement mechanism will be based on whitelisting (for efficacy and performance reasons) and blacklists will be used in a supporting capacity (like ensuring that any *known* malware is identified, stopped and removed from all systems).

Add in a slick new web-based interface and enterprise-class scalability improvements (including a software-only solution, with the management servers shipping as virtual appliances) and it’s recipe for me whipping out my wallet and showing some pictures. In fact, you can go here for more detailed info on BOUNCER V6.

We’ve been able to preview this release with a great many customers, partners, and analysts. In all cases, I asked for brutal honesty and feedback. The reactions have been overwhelmingly positive. Can’t wait to get this into production environments.

You know, it’s pretty cool when your baby really ISN’T ugly…

Even before Cisco announced CSA’s end-of-life, CSA customers have been interested in CoreTrace’s application whitelisting solution, BOUNCER, because of BOUNCER’s ability to protect endpoints at a fraction of the HIPS administration effort. BOUNCER can do this by:

• Rapidly secure endpoints without requiring manual tuning
• Auto-generate whitelists for each computer
• Protect against even the most sophisticated malware like memory attacks
• Prevent unauthorized applications
• Dynamically update each system’s whitelist for new authorized applications and upgrades

Today, we announced the Cisco Security Agent (CSA) Transition Program to help customers cost-effectively transition to BOUNCER without incurring any additional license fees. Promotional pricing that includes custom professional services and training is available, as well as extended support agreements through December 31, 2010.

To further explain the value of transitioning from CSA to BOUNCER, we are sponsoring a live webinar featuring Eric Ogren, the founder and principal analyst of the Ogren Group and former executive at OKENA, the company whose technology formed the basis of CSA. The webinar, “Transitioning from Cisco Security Agent: The Case for Enterprise-level Application Whitelisting”, will take place Tuesday, June 29th, at 2 p.m. EDT.

What intended to be a routine McAfee software update to its antivirus definitions for corporate customers has likely turned into a costly nightmare for the antivirus software maker and many of its customers. Instead of updating the security software, the faulty virus definitions removed the Svchost.exe file, a critical component of the Windows operating system.

According to the article, “Defective McAfee update causes worldwide meltdown of XP PCs,” this points to the severity of the problem.

“Now, it is hard to imagine picking a more crucial file to torpedo. Svchost.exe is one of the most crucial of all Windows system files. It hosts the services that make just about every OS function possible. As the symptoms described here suggest, Windows simply won’t start if Svchost.exe isn’t there.”

As a result, affected systems were left endlessly rebooting until tech support repaired the problem manually. Early reports have estimated tens of thousands of machines were affected worldwide. McAfee’s official recommendation for repairing the damage involved copying Svchost.exe from a working machine and manually copying it to an affected system.

If anything, what yesterday’s incident highlights the fact that antivirus is not designed to stop any threat — even their own code — from doing harm.

Believe it or not, the McAfee debacle could have been avoided with application whitelisting, which doesn’t allow any unauthorized applications to run on a system. For example, in its default setting, CoreTrace’s BOUNCER application whitelisting solution prevents the deletion or modification of any whitelisted executables — which certainly includes critical OS files like Svchost.exe. In other words, machines protected by BOUNCER were working today rather than spending time in a reboot loop.

“These attacks have demonstrated that companies of all sectors are very lucrative targets. [APTs are] the equivalent of the modern drone on the battlefield. With pinpoint accuracy, they deliver their deadly payload, and once discovered — it is too late.”

One of the methods the article suggests to protect systems from targeted attacks is using a whitelist to allow specific traffic over its networks while excluding everything else. In other words, they want to limit exposure to social engineering by limiting user access to potentially dangerous sites. Plans like these make some sense, but don’t address the core problem. There are too many ways that users can be tricked into accessing something that isn’t protected against for this to work. And for institutes such as higher education that conduct research at random places, restricting site access gets in the way of users doing their job and simply is not going to fly.

As we pointed out in the blog, “Cisco’s 2009 Security Threat Report: We need a patch for the common user!” people are the primary vulnerability going forward. Whether we like it or not, our employees, contractors and partners are continually accessing sites and other media that can cause problems. Rather than dealing with user behaviors that are simply out of our control or are required for them to be effective, enterprises should focus on the real problem — which is to stop the payload of these attacks.

As long as there are people in the mix, they will continue to unknowingly bring things into the network that cause all sorts of havoc. The reality is people make mistakes. They go on sites their company knows nothing about. They open bad emails and download the wrong stuff on their machines. Since we can’t realistically stop what users are doing, we have to address the results of normal, but risky behavior.

The bottom line is we need to stop the payload from getting on the network and becoming a threat. That needs to be the primary thrust, and is the focus of BOUNCER, which protects against unwanted applications while permitting users to go about their business.

Yesterday, Stan Schroeder at Mashable wrote a great blog about the French and German governments strongly urging users to stop using Internet Explorer and to use other browsers like Safari and Firefox. The recommendation was made because of a similar vulnerability in Internet Explorer 6, 7, and 8 that allows malicious hackers to remotely execute arbitrary code.

I do not want to cause an international incident (especially with countries that I love to ski in), but I think the recommendation is shortsighted and purely based on the status quo mentality of reactive responses to the du jour threats. Today, the recommendation is to stop using IE. When a vulnerability is discovered in Safari, Firefox or Opera tomorrow, the recommendation will be to stop using those browers.

The recommendations will be the same for every application: word processing, spreadsheets, project management, games, etc.

Folks, we need to shift our thinking. At the risk of being repetitive and to paraphrase my earlier assertion: we should not be worrying about which browers our people are using, and instead we should focus on stopping the real threat: the payload. The best way to do that is application whitelisting. With solutions like BOUNCER, malware (including those that are deposited via vulnerabilities in browsers like IE) will not be on the approved list of applications and will therefore be stopped cold.