<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace&#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/coretrace/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 27 Jan 2012 17:47:15 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Security Earthquake That Nobody Felt: McAfee Endorses Application Whitelisting</title>
		<link>http://www.coretraceblogs.com/2012-01/security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting/</link>
		<comments>http://www.coretraceblogs.com/2012-01/security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting/#comments</comments>
		<pubDate>Fri, 27 Jan 2012 17:03:15 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[McAfee]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3461</guid>
		<description><![CDATA[Folks in California are so used to earthquakes that sometimes they barely notice when one happens.  Folks in the security business are so busy and swamped with the noise of the market that we often miss tectonic shifts in our own world. Let me help you with that last one:
BREAKING NEWS: “Endpoint Security Earthquake [...]]]></description>
			<content:encoded><![CDATA[<p>Folks in California are so used to earthquakes that sometimes they barely notice when one happens.  Folks in the security business are so busy and swamped with the noise of the market that we often miss tectonic shifts in our own world. Let me help you with that last one:</p>
<p><b>BREAKING NEWS</b>: <i>“Endpoint Security Earthquake Hits:  McAfee Actively Endorses Application Whitelisting. Magnitude &#038; Ramifications Are Significant.”</i></p>
<p>This week, McAfee, one of the two dominant forces in reactive, blacklist-based endpoint security, <b>actively and unequivocally endorsed Application Whitelisting</b>.  Ironically, in hard coverage of Symantec’s recent problems with pcAnywhere, the industry is actively recommending application whitelisting too. </p>
<p>First, let’s cover the major quake:  McAfee’s active endorsement of application whitelisting—<i>for corporate desktops and laptops</i>.<span id="more-3461"></span>  In a series of videos on the popular video sharing site, YouTube, McAfee joins CoreTrace in educating the market about the shortcomings of traditional blacklist-based solutions, the advantages of application whitelisting, and McAfee Application Control’s purported advantages (most of which are unique compared to other whitelisting solutions but are not unique compared to CoreTrace (e.g., trusted change and memory protection)).  You can view the initial video <a href="http://www.youtube.com/watch?v=8Az9yg9KcVs&#038;feature=relmfu" target="_blank">here</a>.  While you are at YouTube, make sure to check out <a href="http://www.youtube.com/CoreTraceCorporation" target="_blank">CoreTrace’s video channel</a> too. </p>
<p>While CoreTrace has successfully competed with our friends from McAfee on application whitelisting projects on fixed function systems (e.g., critical infrastructure, POS terminals, servers), the antivirus giant has never publicly announced that whitelisting can and should be used on corporate desktops and laptops—until now. In the introductory video, McAfee senior product manager Swaroop Sayeram directly states: <i>“Simplistic whitelisting might fit just fixed function systems… Dynamic whitelisting is a great fit for servers… and it is now a good fit for corporate desktops as well. These days, most of the deals we are seeing are to secure servers and corporate desktops.”</i></p>
<p>Second, let’s cover the story of the related tremors:  The industry’s recommendations to utilize application whitelisting to solve problems like those created by Symantec’s pcAnywhere code theft.  While Symantec’s own <a href="http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&#038;pvid=security_advisory&#038;suid=20120124_00" target="_blank">advisory</a> to pcAnywhere users only includes its boilerplate old-school recommendations, experts throughout the industry are recommending whitelisting as one of the main solutions. As an example, as a part of his recommendations in a <a href="http://scitech.foxnews.mobi/quickPage.html?page=23952&#038;content=65142874&#038;pageNum=-1" target="_blank">FoxNews.com interview</a>, Anup Ghosh, founder and CEO of Virginian security firm Invincea, told FoxNews.com <i>“Businesses should deploy application ‘whitelisting.’ This will prevent unauthorized malware from running on computers.”</i></p>
<p>So, McAfee has dramatically shifted the endpoint anti-malware landscape. Now the question is, with the ground shifting beneath its feet, what will Symantec do?  Stay tuned for future coverage of this developing story…</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2012-01/security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Top Endpoint Security Stories for July 2011: New cybersecurity plans, breaches, platforms and arrests&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-07/top-endpoint-security-stories-for-july-2011-new-cybersecurity-plans-breaches-platforms-and-arrests/</link>
		<comments>http://www.coretraceblogs.com/2011-07/top-endpoint-security-stories-for-july-2011-new-cybersecurity-plans-breaches-platforms-and-arrests/#comments</comments>
		<pubDate>Thu, 28 Jul 2011 14:23:35 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[Anonymous]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[cybersecurity plan]]></category>
		<category><![CDATA[DoD]]></category>
		<category><![CDATA[Lulzsec]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3386</guid>
		<description><![CDATA[In response to increasing cyber threats targeting the U.S. government, defense contractors and the nation’s critical infrastructure, the Department of Defense released its new strategy for protecting our nation’s systems and networks from cyber attacks. While it’s a nice first step, many critics are wondering if the government can actually pull it off. In the [...]]]></description>
			<content:encoded><![CDATA[<p>In response to increasing cyber threats targeting the U.S. government, defense contractors and the nation’s critical infrastructure, the Department of Defense released its new strategy for protecting our nation’s systems and networks from cyber attacks. While it’s a nice first step, many critics are wondering if the government can actually pull it off. In the same vein, the shift to virtualization has many businesses re-thinking their existing security approaches. Will virtualization mark the end of traditional host-based antivirus solutions as we know them? Here are some of the top endpoint security stories for July 2011.</p>
<h3>DoD’s cybersecurity plan creates more questions than answers</h3>
<p>In July, the Department of Defense released its new strategy for operating in cyberspace, and how it plans to protect our nation’s computer systems and networks from cyber attacks. The plan includes a number of initiatives such as treating cyberspace as a domain it defends (with land, air, sea and space), introducing new network defenses to detect and stop malicious code, coordinating with the private sector, and working with other countries. However, according to the article <a href="http://www.infoworld.com/d/the-industry-standard/critics-us-cybersecurity-plan-has-holes-few-new-items-118">“Critics: U.S. cyber security plan has holes, few new items,”</a> the document has many analysts like Rich Mogull of Securosis wondering if the DoD can pull it off.<span id="more-3386"></span></p>
<blockquote><p>
<em>“Some of these things have been written about for years. The real challenge is, are they going to actually execute this?”</em></p></blockquote>
<p>While Mogull is glad to see the government is finally getting serious about improving cyber defenses, he doesn’t see anything in the new plan that the DoD isn’t already working on. For example, the government has been talking about establishing partnerships with the private industry and international community for years now. Why hasn’t this already been done? But while critics may agree developing a strategy is a good first step, achieving the initiatives is paramount to securing our nation and critical infrastructure from more dangerous, harmful cyber attacks. </p>
<h3>Shift to virtualized environments shaking up security practices</h3>
<p>As more and more businesses move to virtualized computing environments, they’re quickly learning that the <a href="http://www.networkworld.com/news/2011/071911-virtual-user.html">shift to server virtualization is creating a number of new security challenges.</a> For companies that are beyond the halfway mark of operating a 100% virtualized environment, some of the top security concerns include access control, data encryption, monitoring virtual network traffic, and improving threat detection and rogue-device identification.</p>
<p>Along with a heightened security awareness, many organizations agree they need to re-evaluate their existing strategies and look at new security approaches that will adequately protect their virtualized environments without impacting the availability and performance of their systems. Either way you look at it, today’s infrastructures are changing fast. Organizations moving to virtualized environments need to adapt their security programs and policies to accommodate virtualization.</p>
<h3>Will virtualization mark the end of host-based antivirus software?</h3>
<p>In a related story, organizations are finding that traditional host-based anti-malware is not as effective as it was in the pre-virtualized era because the main problems they face are coming from Web-based malware. According to the article, <a href="http://www.infoworld.com/d/security/host-based-antivirus-software-losing-luster-811?page=0,0">“Is host-based antivirus software losing luster?”</a> companies are choosing not to run antivirus software in their virtualized environments because it’s no longer useful in detecting malware and can disrupt application performance, said Johnny Hernandez, VP of information security at PrimeLending.</p>
<blockquote><p>
<em>&#8220;Today, we don&#8217;t run A/V in the current virtualization environment because it does have an impact on the back-end and system utilization.&#8221;</em></p></blockquote>
<p>More telling is the fact that IT folks like Albert Gore, director of information technology operations at the John F. Kennedy Center for the Performing Arts in Washington, D.C., doubt that most desktop antivirus software can even stop malicious code that is being unintentionally passed from employees to contractors to partners and others over the Web.</p>
<h3>Hackers target intelligence contractors</h3>
<p>The recent cyber attacks against Lockheed Martin and <a href="http://washingtontechnology.com/articles/2011/07/11/antisec-booz-allen-hack-military-emails.aspx">Booz Allen</a> have shown that hackers are actively trying to steal classified government data by way of the computer networks of U.S. defense contractors.</p>
<p>According to the article <a href="http://www.msnbc.msn.com/id/43848947/ns/technology_and_science-security/t/hackers-target-intelligence-agency-contractors/">“Hackers target intelligence agency contractors,”</a> cyber criminals sent emails with malicious software to employees of contractors that work for U.S. government agencies. Spear phishing attacks contained personal information designed to deceive the highly targeted victims into clicking on infected links within the corrupt email. Once the software was installed on a computer, it downloaded payloads that enabled criminals to control a victim’s computer, access sensitive data and communicate with hackers. </p>
<p>Because the attacks target specific government contractors, experts say they are likely distributed and carried out by foreign actors, who persistently target multiple individuals to penetrate the network. To counter such attacks, government agencies and contractors need to push security standards across all endpoints within their networks and beyond the walls of their own defenses. Otherwise, their sensitive and proprietary information is only as safe as their partners’ vulnerabilities.</p>
<h3>FBI arrests 14 alleged Anonymous members</h3>
<p>As part of an international effort to crack down on cybercrime, the FBI conducted more than a dozen raids across the U.S. in July that resulted in the <a href="http://www.nbr.co.nz/article/fbi-arrests-14-alleged-anonymous-members-aw-97393">arrests of 14 members of the notorious hacker group, Anonymous,</a> which has claimed responsibility for multiple high-profile online attacks including the Internal Affairs and PayPal websites.</p>
<p>This is the latest in a number of international arrests that have shaken up the cybercrime underworld. A handful of others have been arrested in the UK and the Netherlands for alleged related cyber attacks, including an individual connected to attacks carried out by the theoretically disbanded hacktivist organization, LulzSec.</p>
<p>The ongoing cybercrime investigations are part of a concerted effort by multiple international, federal and domestic law enforcement agencies who are working together to stop coordinated cyber attacks targeting major companies and organizations.</p>
<p>I appreciate your interest in reading our blog and encourage you to provide comments and your unique perspective on the biggest stories in the security industry.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-07/top-endpoint-security-stories-for-july-2011-new-cybersecurity-plans-breaches-platforms-and-arrests/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>10 Things You Don&#8217;t Know about Virtualization Security&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-07/10-things-you-dont-know-about-virtualization-security/</link>
		<comments>http://www.coretraceblogs.com/2011-07/10-things-you-dont-know-about-virtualization-security/#comments</comments>
		<pubDate>Fri, 22 Jul 2011 14:30:35 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[total application control]]></category>
		<category><![CDATA[virtualization security]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3365</guid>
		<description><![CDATA[When it comes to virtualization security, there are many things that people don’t even know are problems, or don’t even know they need to address. In our recent webinar,  “10 Things You Don’t Know about Virtualization Security&#8221;, IANS faculty member and Voodoo Security founder, Dave Shackleford, and CoreTrace’s CTO and founder, Dan Teal, provided [...]]]></description>
			<content:encoded><![CDATA[<p>When it comes to virtualization security, there are many things that people don’t even know are problems, or don’t even know they need to address. In our recent webinar,  <a href="http://www.coretrace.com/resources/webinars/IANS_Webinar_10_Things_You_Dont_Know_About_Virtualization_Security.aspx">“10 Things You Don’t Know about Virtualization Security&#8221;</a>, IANS faculty member and Voodoo Security founder, Dave Shackleford, and CoreTrace’s CTO and founder, Dan Teal, provided their unique perspectives on things that often get left out of the picture when securing a virtual environment, and examples of how the scale of virtualization can blindside an organization before they even know what hit them.</p>
<p>Some of the issues they explored include:</p>
<blockquote>
<ol>
<strong>1. You have more virtual systems than you know:</strong> Virtual sprawl is the ability to rapidly provision systems. However, it can also increase vulnerabilities such as unknown systems that aren’t properly patched or kept up with from a configuration or security standpoint. Understanding everything in your environment is a major problem in the virtual world. It’s really all about inventory, and keeping up with systems and making sure you’ve got change management in place.</ol>
<p><span id="more-3365"></span></p>
<ol>
<strong>2. You aren’t leveraging virtualization for security:</strong> Virtualization is like a double-edged sword from a security and operational efficiency perspective. On one side, virtualization gives an organization the ability to tighten and standardize everything in an environment, making sure it is all being kept up to date. On the flip side, if the foundations aren’t in place from the start things like change management can go completely off track.</ol>
<ol>
<strong>3. You need more visibility:</strong> In the virtual world, you have to keep tabs on everything in your physical and virtual environments. Monitoring virtual network traffic, particularly between VMs, can be difficult. In order to understand everything that’s running in a virtualized environment, organizations need to take a step back and look at what their entire security looks like. Visibility is critical to making sure you know the condition of all your systems and servers, and that they are being fully utilized.</ol>
<ol>
<strong>4. All eggs are in one basket:</strong> Dumping the responsibility of running and maintaining virtualized platforms onto one group is a frightening picture, not to mention a step backwards in the concept of separation of duties. While nobody wants one group to have this type of control over their infrastructure, that’s exactly what’s happening with most of these virtualized platforms. What you want is very specific rules within an organization so each group can maintain their own areas.</ol>
<ol>
<strong>5. You’re back to 1997 for network security:</strong> The reality of virtual environments is you don’t get in-depth security capabilities out-of-the-box with any virtual solution. Oftentimes, you find yourself relying on VLANs for security because that’s all you’ve got. As far as security is concerned, that’s like stepping back into 1997 for network security, and that’s no place you want to be. To meet your security and policy requirements, you need to think about your existing physical infrastructure and try to match that inside your virtual environment.</ol>
<ol>
<strong>6. Your existing security programs are probably not adapted for virtualization:</strong> Most security programs need to adapt a bit to accommodate virtualization. Evaluating where virtualization affects security operations and creating policies that address virtual systems or include virtualization in existing policies is a good place to start. While things are going to vary from organization to organization, the fact is infrastructures are changing, which makes it worthwhile to move ahead and adapt like everyone else.</ol>
<ol>
<strong>7. Your auditors probably don’t know what’s going on:</strong> Most auditors are not comfortable with virtualization technology. They generally don’t understand the fundamental concepts of virtualization and how everything impacts different data classification levels and compliance data versus non-compliance data. Part of the education process includes making sure all internal audit teams understand all of the controls that are inherently available within the platforms and tools that are already in place.</ol>
<ol>
<strong>8. Storage is a huge security hole:</strong> Storage is fundamental to virtualization deployment. Unfortunately, security and storage don’t often mingle in the same circles. Because there are typically no strong access control mechanisms in place with most storage deployments, which can create flaws in the virtualization platform, it’s now critical that organizations implement a defense-in-depth strategy in the storage infrastructure for protecting their virtual environments.</ol>
<ol>
<strong>9. Virtualization software <em>DOES</em> have vulnerabilities:</strong> No system is perfect. Even for virtualization software, exploit POC code and malware attack toolkits are available for hackers to penetrate a virtual environment. The key is to keep up with what’s going on in the realm of virtualization and vulnerabilities, which are constantly evolving and becoming more sophisticated every day.</ol>
<ol>
<strong>10. Availability is the new No. 1:</strong> While most security folks focus on confidentiality and integrity, virtualization architectures require availability to be a top priority for your business and operational teams. With a shared pool of resources relying on the availability of multiple systems, a different approach is needed. Organizations need to change the way they use traditional antivirus and anti-malware agents that are increasingly ineffective and consuming too many resources that impact day-to-day operations.</ol>
</blockquote>
<p>In order to succeed in the virtual world, there are lots of things to think about when it comes to security. The first step is to re-evaluate what you are doing today and figure out how your existing security processes can be re-worked to accommodate virtualization. This requires working with the virtualization and other IT teams to make sure you’ve carefully delineated the roles to better match what you’ve had in place to begin with. Also, making sure the storage infrastructure is secure should not get left out. </p>
<p>All in all, putting in place new tools that are a little more “virtualization conscious”, and that keep resource-consumption issues top of mind, is critical to alleviating the burden of security tools that eat up resources. This is part of the reason why people are turning to application whitelisting and application control for virtual environments. With solutions like CoreTrace’s <a href="http://www.coretrace.com/products/BOUNCER_by_CoreTrace/default.aspx">Bouncer application whitelisting</a>, you’re not running virus scans that consume valuable resources on every virtual machine, which results in poor performance and denial of service incidents. You have a sure list of what’s allowed to run and what’s not allowed to run.</p>
<p>While blacklisting is still useful for identifying known malware already on your endpoints, the fact is organizations are getting hit more than ever despite running the latest security sweeps from all the major vendors. Blacklisting simply cannot keep up anymore. Having total control of what is running on your box prevents the malware from executing. As your infrastructure changes with virtualization, you have to adapt for the long haul. This is why we believe application whitelisting and application control is the approach that’s needed to protect today’s rapidly changing virtual environments.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-07/10-things-you-dont-know-about-virtualization-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DoD Cyberspace Strategy: Is the DoD really ready to embrace new technologies &amp; companies???</title>
		<link>http://www.coretraceblogs.com/2011-07/dod-cyberspace-strategy-is-the-dod-really-ready-to-embrace-new-technologies-companies/</link>
		<comments>http://www.coretraceblogs.com/2011-07/dod-cyberspace-strategy-is-the-dod-really-ready-to-embrace-new-technologies-companies/#comments</comments>
		<pubDate>Wed, 20 Jul 2011 14:09:58 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyber strategy]]></category>
		<category><![CDATA[Department of Defense]]></category>
		<category><![CDATA[DoD]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3333</guid>
		<description><![CDATA[As a former Air Force information warfare officer, and a member of the military’s red and blue teams for many years, I believe the Department of Defense’s new “Strategy for Operating in Cyber-Space” is a small step towards developing a security plan for protecting our nation from cyber attacks. What leaves me a little perplexed, [...]]]></description>
			<content:encoded><![CDATA[<p>As a former Air Force information warfare officer, and a member of the military’s red and blue teams for many years, I believe the Department of Defense’s new <a href="http://www.defense.gov/news/d20110714cyber.pdf">“Strategy for Operating in Cyber-Space”</a> is a small step towards developing a security plan for protecting our nation from cyber attacks. What leaves me a little perplexed, however, are the realities the DoD is up against in achieving the five strategic initiatives that have been outlined in the document.</p>
<p>As I was going through the plan, what struck me first was the fact that the U.S. has publicly called out to the world that cyberspace will be added as one of the operational domains, retaliating to any attacks against it in the same way it would to attacks by land, sea, air and space. Saying that it plans to aggressively train, organize, collaborate, and strengthen relationships with global partners sends a strong message to the international community about its intentions to take full advantage of cyberspace’s potential, as well as how the government plans to deal with and respond to threats against this domain. While the plan still leaves many questions around attribution and countermeasures against any such attack, I think the clear and unambiguous addition of the domain is an important step to deter cyber attacks targeting the U.S. government and our nation’s critical assets and infrastructure.<span id="more-3333"></span></p>
<p>Unfortunately, a significant portion of the document is simply reiterating the government’s “business as usual” tactics. I’ve got to believe that for the five strategic initiatives, the DoD already has active programs in place. Therefore, the first question that comes to mind is how effective are these defenses? I suspect that the fundamental problem with the existing defenses is that the government is using traditional security solutions that don’t measure up against evolving cyber attacks. The root of this problem stems from the fact that the government continues to favor status-quo, &#8220;no one ever got fired for buying from&#8221; large companies and contractors. DoD and other agencies turn to these organizations to build offensive and defensive technologies without paying much attention to smaller, more innovative companies that, in my opinion, develop far better, more effective technology. From my experience, this has historically been the case with the military (just ask the innovative arms manufacturers that couldn&#8217;t get the military to adopt new weapons in the Civil War).</p>
<p>I did, however, find a glimmer of hope in the plan’s Strategic Initiative No. 5: <em>“DoD will leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation.”</em> While I’m pleased to hear the government would like to work with small, nimble companies that I believe provide the rapid technological innovation that the document calls for, the reality is what I just outlined: the DoD tradition and evaluation/purchasing structures favor large companies and contractors. </p>
<p>The problem with the claim is the government sets an extremely high bar that almost guarantees they can’t do business with smaller companies. Take, for example, the cost of trying to meet Common Criteria and update certifications. The average vendor does not have the resources to put their products through all of the regulatory requirements needed for most defense-related implementations. Small businesses generally cannot afford the quarter-of-a-million-dollar certification programs that large companies can. As a result, historical precedent has shown that the DoD primarily goes with incumbents.</p>
<p>I commend the government for recognizing the need to innovate technology very rapidly to keep up with evolving cyber threats. Smaller, innovative companies can play a critical role for defending our nation’s networks and systems from more sophisticated attacks. However, I cannot fully believe the DoD is serious about this claim until there is action behind it. It’s a great vision, but there still exist structural impediments that don’t allow smaller companies under normal operating procedures to fulfill that promise.</p>
<p>As a smaller company that provides highly innovative and effective application whitelisting-based endpoint protection solutions, CoreTrace stands ready to help the DoD and other agencies deliver on the cybersecurity vision. My challenge to the DoD is this: If you say working with innovative companies is part of the national cyberwarfare strategy, prove it by bringing companies like CoreTrace in and streamlining the evaluation/procurement bureaucracy.  Let us all help make your strategy a reality.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-07/dod-cyberspace-strategy-is-the-dod-really-ready-to-embrace-new-technologies-companies/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Lessons from Booz, RSA, Epsilon, etcetera: Partners may be your weakest security link&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-07/lessons-from-booz-rsa-epsilon-etcetera-partners-may-be-your-weakest-security-link/</link>
		<comments>http://www.coretraceblogs.com/2011-07/lessons-from-booz-rsa-epsilon-etcetera-partners-may-be-your-weakest-security-link/#comments</comments>
		<pubDate>Thu, 14 Jul 2011 16:26:14 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[cyber criminals]]></category>
		<category><![CDATA[security breach]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3320</guid>
		<description><![CDATA[Computer hackers by and large focus on the weakest link of an organization’s security system. Whether it’s an unprotected server, a newly discovered system vulnerability, or an unsuspecting employee’s computer that is connected to the corporate network, cyber criminals are experts at sniffing out the weakest link.
On the surface, this week’s breach of 90,000 military [...]]]></description>
			<content:encoded><![CDATA[<p>Computer hackers by and large focus on the weakest link of an organization’s security system. Whether it’s an unprotected server, a newly discovered system vulnerability, or an unsuspecting employee’s computer that is connected to the corporate network, cyber criminals are experts at sniffing out the weakest link.</p>
<p>On the surface, this week’s <a href="http://washingtontechnology.com/articles/2011/07/11/antisec-booz-allen-hack-military-emails.aspx">breach of 90,000 military e-mails and password hashes</a> may look the same. After all, the hackers claiming responsibility for the break-in did so through an unsecured server in a network that basically had no security measures in place. What’s different about this attack, however, is the exploited server was not the military’s. The server belonged to government contractor, Booz Allen Hamilton. In other words, this criminal strategy went beyond the walls of an organization’s own network defenses.</p>
<p>In the case of the <a href="http://www.coretraceblogs.com/2011-04/epsilon-breach-one-bad-apple-really-can-spoil-the-whole-bunch/">Epsilon security breach</a>, where millions of customer email addresses were compromised, hackers targeted a single entity to steal private data on many of the marketing giant’s big-name customers like Chase, Citi and Target. The Booz Allen hack reverses that scenario. Instead of going after one to get to many, cyber criminals targeted multiple entities to get to one.<span id="more-3320"></span></p>
<p>Much like the supply chains of the 1990s that tied systems together, today’s business enterprises are built on the same idea. Unfortunately, with a number of different partners connecting in real time to a central network, an organization’s security is only as good as its partners’ security practices. If even a single partner does not adhere to today’s best practice security standards, the result is a weakest link in the chain. Cyber criminals know this, and this week’s military breach is a prime example of what happens when hackers exploit a business partner to get to another business.</p>
<p>In today’s world, the epicenter of a cyber attack isn’t necessarily at the core of your network anymore. With so many endpoints connecting to your enterprise, how can you protect yourself when you can’t control the assets people use to get to your network? The fact is, organizations and people are getting hit in and between companies. The fight against cyber crime is becoming more about the weakest link in the entire value chain, not the organization itself.</p>
<p>Insisting on best practice security standards from all of your partners can be a first step to protecting your endpoints from attacks that start outside of your network. However, relying on your partners to maintain updates to ensure your corporate policies are enforced can potentially leave your network vulnerable to outside attacks. That’s why when pushing security standards, we recommend mandating a proactive security posture for your own endpoints and those of all of your partners. Naturally, we feel strongly that deploying an application whitelisting solution like <a href="http://www.coretrace.com/products/BOUNCER_by_CoreTrace/default.aspx">CoreTrace Bouncer</a> is a key component of that proactive strategy. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-07/lessons-from-booz-rsa-epsilon-etcetera-partners-may-be-your-weakest-security-link/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

