<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace&#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/coretrace/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 30 Jul 2010 14:33:34 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>It’s pretty cool when your baby really ISN’T ugly…</title>
		<link>http://www.coretraceblogs.com/2010-07/it%e2%80%99s-pretty-cool-when-your-baby-really-isn%e2%80%99t-ugly%e2%80%a6/</link>
		<comments>http://www.coretraceblogs.com/2010-07/it%e2%80%99s-pretty-cool-when-your-baby-really-isn%e2%80%99t-ugly%e2%80%a6/#comments</comments>
		<pubDate>Fri, 30 Jul 2010 14:33:34 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application intelligence]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[CSI]]></category>
		<category><![CDATA[trusted change]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1951</guid>
		<description><![CDATA[You’ve all been there before.  You’re having dinner with friends and out come the baby pictures.  Inevitably, you are listening to a set of parents who are gushing about the fact that their child is the next Fabio or Christie Brinkley and THEN you see the picture…
Well, I find myself in the position [...]]]></description>
			<content:encoded><![CDATA[<p>You’ve all been there before.  You’re having dinner with friends and out come the baby pictures.  Inevitably, you are listening to a set of parents who are gushing about the fact that their child is the next Fabio or Christie Brinkley and THEN you see the picture…</p>
<p>Well, I find myself in the position today of being the doting parent.  Only in this case, the “child” is a major overhaul of our flagship product, BOUNCER V6.0.  With this new release the “child” has grown into an adult.  You’ll have to pardon my metaphor here, but I believe building a product is, in many ways, like watching your kid grow up.  With V6, we’re realizing the vision we developed for the product when I joined CoreTrace more than 3 years ago.<span id="more-1951"></span></p>
<p>Why is this release so special?  As I’ve said many times before, the historical “knock” against whitelisting (largely propagated by blacklist-based antivirus companies with a revenue stream to protect) was the notion that the management overhead outweighed the significant security benefits.  At CoreTrace we’ve focused like a religion on “operationalizing” application whitelisting.  By this I mean being able to realize the security advantages of whitelisting while at the same time becoming increasingly transparent to the end users and actually easing the burden on the IT shop.   The best of both worlds, if you will.</p>
<p>With whitelisting, that means making it very easy and simple to add and subtract applications from the “whitelist”.   With V6, we do this by adding “self-approval queues” to our already best-in-class “Trusted Change” mechanisms (even the names of these new user privilege options are cool&#8211;&#8221;AllowQ&#8221; and &#8220;BlockQ&#8221;&#8211;with the &#8220;Q&#8221; meaning &#8220;queue&#8221;).   In addition, we’re adding “Application Intelligence” to our product so that the BOUNCER admin can quickly determine if they want to ban or allow applications that are requested through these queues.  Not only does our new CoreTrace Software Intelligence (CSI) service include millions of &#8220;known good&#8221; applications, it also even includes millions of &#8220;known bad&#8221; pieces of malware. That is right; it provides intelligence based on blacklisting! We have always felt that whitelisting and blacklisting would coexist&#8211;we fundamentally believe that the primary enforcement mechanism will be based on whitelisting (for efficacy and performance reasons) and blacklists will be used in a supporting capacity (like ensuring that any *known* malware is identified, stopped and removed from all systems). </p>
<p>Add in a slick new web-based interface and enterprise-class scalability improvements (including a software-only solution, with the management servers shipping as virtual appliances) and it’s a recipe for me whipping out my wallet and showing some pictures.  In fact, you can go here for more detailed info on <a href="http://www.coretrace.com/products/BOUNCER_by_CoreTrace/default.aspx" target="_blank">BOUNCER V6</a>.</p>
<p>We’ve been able to preview this release with a great many customers, partners, and analysts.  In all cases, I asked for brutal honesty and feedback.  The reactions have been overwhelmingly positive.  Can’t wait to get this into production environments.</p>
<p>You know, it’s pretty cool when your baby really ISN’T ugly…</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-07/it%e2%80%99s-pretty-cool-when-your-baby-really-isn%e2%80%99t-ugly%e2%80%a6/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Siemens&#8217; recommended virus scans part of the problem</title>
		<link>http://www.coretraceblogs.com/2010-07/siemens-recommended-virus-scans-part-of-the-problem/</link>
		<comments>http://www.coretraceblogs.com/2010-07/siemens-recommended-virus-scans-part-of-the-problem/#comments</comments>
		<pubDate>Wed, 21 Jul 2010 12:40:48 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[malware exploits]]></category>
		<category><![CDATA[malware threats]]></category>
		<category><![CDATA[persistent attacks]]></category>
		<category><![CDATA[Siemens WinCC]]></category>
		<category><![CDATA[Trojan attack]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1913</guid>
		<description><![CDATA[Each week seems to present a newly discovered strain of malicious code targeting a high-profile corporation or system vulnerability. This week it is a malware program targeting Siemens WinCC SCADA systems, which hides on USB storage devices and exploits a Microsoft security flaw before activating a Trojan. While Siemens is taking necessary precautions to inform customers [...]]]></description>
			<content:encoded><![CDATA[<p>Each week seems to present a newly discovered strain of malicious code targeting a high-profile corporation or system vulnerability. This week it is a malware program targeting Siemens WinCC SCADA systems, which hides on USB storage devices and exploits a Microsoft security flaw before activating a Trojan. While Siemens is taking necessary precautions to inform customers about the potential risks of the virus, its recommendation to use traditional virus scan programs from companies like Trend Micro, McAfee, and Symantec makes me wonder whether this is really an effective solution at all.</p>
<p>First, if Siemens says these security solutions can detect the Trojan, then why wasn&#8217;t it stopped in the first place by customers using such antivirus software? Since there has been no example of malware targeting control systems until now, in all likelihood the Trojan would have gotten through even if the antivirus was fully updated.</p>
<p>Second, if their customers weren&#8217;t using such security solutions, then why in the world not? <span id="more-1913"></span> In our interactions with customers in the energy space, the answer is that many process control systems &#8212; which this particular malware targets &#8212; can&#8217;t handle the weight of antivirus solutions or be online to get regular signature updates because of the impact they have on system performance. This point was reiterated by our friend, Dale Peterson, who recently wrote in his article, <a href="http://www.digitalbond.com/index.php/2010/07/20/trojan-targeting-siemens-and-apt-thoughts/" target="_blank">&#8220;Trojan Targeting Siemens and APT Thoughts,&#8221;</a> that:</p>
<blockquote>
<p>&#8220;&#8230; many control systems today have little patching, minimal security configuration, shared and default user accounts, &#8230; So it is likely that the attacker has compromised multiple systems in multiple ways if they wanted persistence.</p>
</blockquote>
<p>This raises the question: once targeted malware has been detected and removed, how do we know that an attacker&#8217;s presence has been entirely eradicated from the system? With antivirus software, we don&#8217;t. As I mentioned in the recent post, <a href="http://www.coretraceblogs.com/2010-06/u-s-proactive-cybersecurity-measures-lack-proactive-solutions/#more-1855">&#8220;U.S. proactive cybersecurity measures lack proactive solutions,&#8221;</a> reactive solutions cannot stop persistent attacks. Unfortunately, this is yet another example of a reactive approach to a proactive problem.</p>
<p>The bottom line is that the recommended virus scan programs are the same ones that caused the problem, either by missing the malware in the first place or because control systems simply can&#8217;t run them to protect their environments. Either way, antivirus is not a viable solution for stopping exploits that can maintain a stealth-like presence in a system. Until a network can completely stop the payload from executing, malware variants will continue to penetrate systems and gather the information that is of the most value to them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-07/siemens-recommended-virus-scans-part-of-the-problem/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>&#8216;Private Citizen&#8217; a surveillance program, not a solution for protecting critical infrastructure</title>
		<link>http://www.coretraceblogs.com/2010-07/%e2%80%98private-citizen%e2%80%99-a-surveillance-program-not-a-solution-for-protecting-critical-infrastructure/</link>
		<comments>http://www.coretraceblogs.com/2010-07/%e2%80%98private-citizen%e2%80%99-a-surveillance-program-not-a-solution-for-protecting-critical-infrastructure/#comments</comments>
		<pubDate>Thu, 15 Jul 2010 13:13:54 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[National Security Agency]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[Perfect Citizen]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1897</guid>
		<description><![CDATA[There&#8217;s been much debate about the National Security Agency’s program, &#8220;Perfect Citizen,&#8221; which is designed to protect the country&#8217;s most widely used and critical infrastructure such as electric grids and nuclear-power plants from emerging cyber attacks. While one camp says monitoring systems is an intrusion into domestic affairs, another sees it as an important step [...]]]></description>
			<content:encoded><![CDATA[<p>There&#8217;s been much debate about the National Security Agency’s program, &#8220;Perfect Citizen,&#8221; which is designed to protect the country&#8217;s most widely used and critical infrastructure such as electric grids and nuclear-power plants from emerging cyber attacks. While one camp says monitoring systems is an intrusion into domestic affairs, another sees it as an important step for combating impending security threats that could cause significant damage to our government, citizens, and national economy. In either case, it is not an actual, proactive solution to securing our critical infrastructure.<span id="more-1897"></span></p>
<p>In the article, <a href="http://online.wsj.com/article/SB10001424052748704545004575352983850463108.html" target="_blank">&#8220;U.S. Plans Cyber Shield for Utilities, Companies,&#8221;</a> the program calls for the NSA to monitor and detect cyber assaults on private companies and government agencies running our critical infrastructure. While much still has to be worked out, the surveillance would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by any unusual activity suggesting an impending cyber attack. The information could also serve as a data bank to help companies who call upon the NSA to help investigate cyber attacks, as Google did after the Aurora attacks last year.</p>
<p>With increasing concerns around security threats, I commend the government for taking action to protect our nation&#8217;s most critical infrastructure from such attacks. However, at this point, the plan is nothing more than a surveillance program that monitors, processes and stores information, not a solution that proactively prevents attacks against systems that run important infrastructure.</p>
<p>Politics aside, the goals of the program are to better understand the nature of cyber threats to national security networks and find ways to close the security gaps that make them vulnerable to such attacks. Rather than simply monitoring suspicious activities that could evolve into a full-scale attack, additional security technologies &#8212; most notably application whitelisting &#8212; will be required if we are all going to better protect the infrastructure that is critical to our national security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-07/%e2%80%98private-citizen%e2%80%99-a-surveillance-program-not-a-solution-for-protecting-critical-infrastructure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top endpoint security stories for June 2010 &#8212; Inability to stop new customized malware should be a wake-up call for security industry</title>
		<link>http://www.coretraceblogs.com/2010-07/top-endpoint-security-stories-for-june-2010-inability-to-stop-new-customized-malware-should-be-a-wake-up-call-for-security-industry/</link>
		<comments>http://www.coretraceblogs.com/2010-07/top-endpoint-security-stories-for-june-2010-inability-to-stop-new-customized-malware-should-be-a-wake-up-call-for-security-industry/#comments</comments>
		<pubDate>Tue, 13 Jul 2010 12:58:37 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cybersecurity bill]]></category>
		<category><![CDATA[security software]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1879</guid>
		<description><![CDATA[An explosion of fresh customized malware continues to leave even the industry&#8217;s top security products lagging behind as organizations are doing everything they can to protect their networks and customers. Congress has even stepped up their efforts to pass legislation that better protects our digital and critical infrastructures from new cyber threats. But with more [...]]]></description>
			<content:encoded><![CDATA[<p class="margin_bottom_2em">An explosion of fresh customized malware continues to leave even the industry&#8217;s top security products lagging behind as organizations are doing everything they can to protect their networks and customers. Congress has even stepped up its efforts to pass legislation that better protects our digital and critical infrastructures from new cyber threats. But with more targeted attacks successfully exploiting enterprises, the question that still remains is: Are we doing enough? Here were some of the top security stories from June 2010.<span id="more-1879"></span></p>
<h3>Study finds security software ineffective against growing malicious programs</h3>
<p>Further research confirms that security software companies continue to have a difficult time keeping up with an explosion of malicious software programs. A <a href="http://www.networkworld.com/news/2010/062010-testing-reveals-security-software-often.html?hpg1=bn" target="_blank">recent independent study showed that a wide range of endpoint security software from top vendors takes an average of two days to block a website designed to attack a computer visiting the site.</a> The findings indicate that security companies still need to make vast improvements in their ability to detect the more than 50,000 new malicious programs that are found each day. According to the report:</p>
<blockquote>
<p>&#8220;The magnitude of these findings should be nothing short of an alarming wake-up call for the security industry.&#8221;</p>
</blockquote>
<p class="margin_bottom_2em">The study concluded that today&#8217;s enterprises are most at risk from fresh customized malware. Security companies share malware samples, but if no company sees or detects the malware, it could quietly circulate and potentially infect machines, stealing data and leaving clients unaware of new threats. Even if malware is undetected for a short period of time, it still is enough of a window to infect a corporate network.</p>
<h3>Modern security threats require defense-in-depth approach</h3>
<p>Targeting an organization&#8217;s crown jewels, money or infrastructure, <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1516014,00.html" target="_blank">today&#8217;s more organized cyber criminals are launching attacks that infiltrate company networks and steal data over time without being detected.</a> Unfortunately, traditional perimeter-based solutions are no longer effective in fighting advanced persistent threats and other malware attacks that may already be inside a network.</p>
<p>Rather than focusing on perimeter defenses to stop the next wave of cyber threats, John Wang, security architect at NASA, said understanding hackers’ motivations and determining what information a company wants to protect is an important part of any cybersecurity strategy.</p>
<blockquote>
<p>&#8220;The fight starts with understanding what you&#8217;re trying to protect. Perimeter defenses are no longer effective, if they ever were. It&#8217;s harder to fight a war from the inside than maintaining the perimeter. It requires additional resources.</p>
</blockquote>
<p class="margin_bottom_2em">Wang added that organizations need to take a defense-in-depth approach &#8212; a strategy that hasn&#8217;t received as much attention with all the focus on perimeter defenses. That approach includes log aggregation, application whitelisting, &#8220;encryption everywhere,&#8221; and a security operations center for incident response.</p>
<h3>Cybersecurity bill is a step in the right direction</h3>
<p>One of today&#8217;s most debated U.S. Senate bills is the Protect Cyberspace as a National Asset Act (PCNAA). Opponents argue the bill gives the president too much power to shut down parts of the Internet in the event of a cyber emergency. Supporters say the bill will strengthen the mechanisms by which the government and private industry protect the safety and security of the Internet. In late June, the <a href="http://www.infoworld.com/d/security-central/senate-panel-approves-controversial-cyber-security-bill-370" target="_blank">bill was approved by the U.S. Senate committee</a>, but it is currently awaiting a vote on the Senate floor.</p>
<p class="margin_bottom_2em">Many agree that the U.S. is not adequately prepared for a major cyber attack that could disable power grids, essential water and sewage systems, and hamper our financial systems. But while both sides continue to debate on how much control the government should have in a cyber emergency, the fact that Congress is focused on passing legislation that will boost the country&#8217;s cyber defense is a step in the right direction.</p>
<h3>Zero day flaws found in popular web malware exploitation kits</h3>
<p>A team of security researchers <a href="http://www.zdnet.com/blog/security/researchers-find-12-zero-day-flaws-targeting-5-web-malware-exploitation-kits/6752" target="_blank">found 12 zero day flaws targeting some of the most commonly used web malware exploitation kits</a> such as Eleonore, Neon, Liberty, Lucky and Yes. The use of these vulnerabilities could lead to hijacking of the admin panel or retrieval of the admin password, potentially disrupting a criminal campaign and exposing the person behind it.</p>
<p>For the security community, such flaws could help efforts to launch offensive attacks against cyber criminals by exploiting the same malware kits they use to infect thousands of good users every day. For more collaborative efforts such as the Internet Fraud Service Alert, exploits like these can provide companies with information about compromised credentials that would allow them to take quick, appropriate action to thwart criminal activity and protect their customers.</p>
<p>Thanks for stopping by and reading this blog. I encourage any feedback or comments on these relevant security topics.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-07/top-endpoint-security-stories-for-june-2010-inability-to-stop-new-customized-malware-should-be-a-wake-up-call-for-security-industry/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>U.S. proactive cybersecurity measures lack proactive solutions</title>
		<link>http://www.coretraceblogs.com/2010-06/u-s-proactive-cybersecurity-measures-lack-proactive-solutions/</link>
		<comments>http://www.coretraceblogs.com/2010-06/u-s-proactive-cybersecurity-measures-lack-proactive-solutions/#comments</comments>
		<pubDate>Wed, 30 Jun 2010 13:14:06 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[malware threats]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1855</guid>
		<description><![CDATA[One of the hottest topics in cyberspace is the &#8220;Protect Cyberspace as a National Asset Act&#8221; (PCNAA), a bill the U.S. Senate is considering that would help strengthen the mechanisms by which government and private industry protect the safety and security of the Internet. According to the article, &#8220;Plan cyberwar defenses now, before any attacks [...]]]></description>
			<content:encoded><![CDATA[<p>One of the hottest topics in cyberspace is the &#8220;Protect Cyberspace as a National Asset Act&#8221; (PCNAA), a bill the U.S. Senate is considering that would help strengthen the mechanisms by which government and private industry protect the safety and security of the Internet. According to the article, <a href="http://www.boston.com/bostonglobe/editorial_opinion/editorials/articles/2010/06/28/plan_cyberwar_defenses_now_before_any_attacks_succeed/" target="_blank">&#8220;Plan cyberwar defenses now, before any attacks succeed,&#8221;</a> the flaws in America&#8217;s counterterrorism strategy continue to leave our cyber-communications network vulnerable to attacks aimed at breaching our personal privacy, stealing our secrets, and even physically harming us.</p>
<p>While it is good news that Congress is taking proactive steps before things explode, their solution to consolidate power within the government to legally monitor and respond to cyber threats as they occur is no way to get on top of the actual problem. Instead of proactively addressing the situation with a reactive set of solutions, they need to carry these measures through with proactive solutions that prevent the situations in the first place.<span id="more-1855"></span></p>
<p>As I mentioned in a previous blog about <a href="http://www.coretraceblogs.com/2010-06/researcher-suggests-hackers-have-already-infiltrated-critical-infrastructures/">malware that is already resident in a system but is waiting for the opportune time to launch</a>, no matter where these attacks come from, and no matter which APTs are involved, the vast majority of attacks have to do with malware in some way, shape, or form running on local machines. Even if organizations have taken adequate steps to protect their private networks, they need to make sure the solutions that they put in place prevent any malware from executing, no matter how it enters the system. Plans that deal with attacks after the fact will continue to keep the bad guys one step ahead and in charge.</p>
<p>It&#8217;s almost become a cliché to say we need to be more proactive, not reactive, in the fight against cyber crime. Unfortunately, this simple message needs to be reinforced because too many companies and organizations continue to operate with a reactive mindset. If we expect to successfully protect our networks from the thousands of new cyber threats, public and private sector organizations need to follow up their proactive security talk with real proactive solutions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-06/u-s-proactive-cybersecurity-measures-lack-proactive-solutions/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
