BREAKING NEWS: “Endpoint Security Earthquake Hits: McAfee Actively Endorses Application Whitelisting. Magnitude & Ramifications Are Significant.”

This week, McAfee, one of the two dominant forces in reactive, blacklist-based endpoint security, actively and unequivocally endorsed Application Whitelisting. Ironically, in hard coverage of Symantec’s recent problems with pcAnywhere, the industry is actively recommending application whitelisting too.

First, let’s cover the major quake: McAfee’s active endorsement of application whitelisting—for corporate desktops and laptops. In a series of videos on the popular video sharing site, YouTube, McAfee joins CoreTrace in educating the market about the shortcomings of traditional blacklist-based solutions, the advantages of application whitelisting, and McAfee Application Control’s purported advantages (most of which are unique compared to other whitelisting solutions but are not unique compared to CoreTrace (e.g., trusted change and memory protection)). You can view the initial video here here . While you are at YouTube, make sure to check out CoreTrace’s video channel too.

While CoreTrace has successfully competed with our friends from McAfee on application whitelisting projects on fixed function systems (e.g., critical infrastructure, POS terminals, servers), the antivirus giant has never publically announced that whitelisting can and should be used on corporate desktops and laptops—until now. In the introductory video, McAfee senior product manager Swaroop Sayeram directly states: “Simplistic whitelisting might fit just fixed function systems… Dynamic whitelisting is a great fit for servers… and it is now a good fit for corporate desktops as well. These days, most of the deals we are seeing are to secure servers and corporate desktops.”

Second, let’s cover the story of the related tremors: The industry’s recommendations to utilize application whitelisting to solve problems like those created by Symantec’s pcAnywhere code theft. While Symantec’s own advisory to pcAnywhere users only includes its boilerplate old-school recommendations, experts throughout the industry are recommending whitelisting as one of the main solutions. As an example, as a part of his recommendations in a FoxNews.com interview , Anup Ghosh, founder and CEO of Virginian security firm Invincea, told FoxNews.com “Businesses should deploy application ‘whitelisting.’ This will prevent unauthorized malware from running on computers.”

So, McAfee has dramatically shifted the endpoint anti-malware landscape. Now the question is, with the ground shifting beneath its feed, what will Symantec do? Stay tuned for future coverage of this developing story…

“While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010.”

Also earlier this week, McAfee released a report that just about everyone in the security industry has likely now read, “Revealed: Operation Shady RAT”. The report, written by Dmitri Alperovitch, VP Threat Research at McAfee, is an eye opening read covering targeted intrusions into over 70 global companies, governments and non-profit organizations over the last 5 years. The report covers the types of organizations hit the hardest (not shockingly, defense contractors led the list with 13 of the intrusions detected), the ramifications of the breaches, estimated times each were compromised (shortest being 1 month, an honor shared by 9 victims) and even outlines the generic attack approaches utilized:

The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the Command & Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for.

(Side note: Not to be outdone, Symantec did their own analysis of the attacks, which adds even more details. You can find that analysis here.)

In short, the McAfee report does an excellent job of driving home Dmitri’s (and most security professionals’) key message:

“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”

Which finally brings me to the objective of this post. This is an Open Letter to McAfee, Symantec and the Australian DoD. Let’s find a way of making the “Operation Shady RAT” project truly useful. Please combine the known attacks from “Operation Shady RAT” with the best practice mitigation methodology utilized by the DoD in creating their 35 mitigation recommendations. Truly analyze the security processes and procedures that were in place at each victim, perhaps categorized by their effectiveness in shortening or avoiding the breach (I have to believe that the 9 entities that had the shortest compromises were doing something different than the ones that remained compromised for years), and create a modified (if necessary) version of the DoD’s mitigation recommendations. That would be truly useful… beyond the BFO (blinding flash of the obvious) from the original report: That all entities with any valuable infrastructure or information fit “into two categories: those that know they’ve been compromised and those that don’t yet know.

• It is a huge and rapidly growing market, and adoption of the devices continues to skyrocket.
• The devices are basically small computers, with many of the same types of online access, personal information, etc. that other computers have.
• Malware attacks are starting to hit the mobile community, and people need to protect their devices and themselves.
• Intel currently has very little presence in this market, and it needs a foothold — and thus, a why to differentiate themselves from the already entrenched players such as ARM and Qualcomm.

According to the article, “Intel’s walled garden plan to put A/V vendors out of business,” the world’s largest chip maker wants to change the way it approaches security “from a known-bad model to a known-good model” (read, to “application whitelisting”) and push x86 into niches that it doesn’t currently occupy such as mobile phones.

I won’t comment on all the other financial and strategic parts of the acquisition, but I do believe that this part of Intel’s strategy makes complete sense. Despite the objections of some developers, users of mobile devices like iPhones and iPods have already come to accept, and even enjoy, an excellent example of this “known-good model”: application whitelisting through Apple’s App Store!

In theory, with the “known good” approach, Intel can now offer mobile device manufacturers and providers some foundational application whitelisting enforcement tools, in silicon, to help them roll their own versions of the App Store. I say “in theory” because application whitelisting is not as simple to do in practice as it is in theory… something we know quite well at CoreTrace since we have been pioneering the technology for years now. I plan on outlining the critical components that any mobile application whitelisting approach must have in a subsequent post.

Of course, all this raises another question: How are the other chip manufacturers like ARM, Motorola and Qualcomm going to respond? Are they going to adopt a similar strategy?

I certainly know what I would do…

Rather than continuing with the current approach of adding layer upon layer of security to defend endpoints against expected attacks, Jeff Green, senior vice president of McAfee Labs and product development, said the security industry needs to get more aggressive if it expects to get a leg up on the tens of thousands of malware variants that surface every day.

“The tools and techniques of cybercrime continue to grow in number and sophistication at alarming rates. The cybercriminals prosper as they never have before because they have very little reason to fear the consequences. Maybe this is because we have really never given them a reason to fear. This must change. We must adapt our industry at its core and at all levels. It is time to send the security industry on the offensive.”

This statement comes at a time when testing continues to reinforce how much cybercriminals still have the upper hand. A recent independent study by NSS Labs found that a majority of antivirus security software suites still fail to detect malware attacks on PCs, with average protective scores of 76% even when exploits have been publicly available for months, or in some cases, years. The report concluded:

“Based on market share, between 70 to 75 percent of the market is under protected. Keeping AV software up-to-date does not yield adequate protection against exploits, as evidence by coverage gaps for vulnerabilities several years old.”

Even with the security industry in such dire straits, we all know surrender is never an option. What security professionals need to do is re-evaluate their current approaches and implement more proactive strategies for combating cybercrime. Instead of waving a white flag, the industry needs to consider other options such as application whitelisting. At a time when organizations desperately need to stay one step ahead of hackers, whitelisting solutions such as BOUNCER by CoreTrace can prevent the execution of the growing number of malware attacks that continue to slip passed even the most trusted antivirus security software on the market.

We believe that McAfee’s move further validates our belief (and that shared by Gartner) that application whitelisting will be a foundational component of all anti-malware solutions going forward. This was the theme of our recent RSA panel with Symantec, CA, and even (you guessed it) McAfee! While the parties had differing views on which technology would be the primary anti-malware prevention mechanism (we are adamant that whitelisting is the only answer for effective, zero-day enforcement and that it shouldn’t simply be used to accelerate the scan time of proven ineffective blacklisting approaches), we agreed that application whitelisting will be a key ingredient in all host-based antivirus solutions.

The announcement also reinforces that application whitelisting adoption is escalating exponentially. For our own part, despite the economic downturn, CoreTrace has experienced multiple quarters of double-digit growth with its application whitelisting solution and across multiple industries. Our forecasts are for that trend to continue.

Once again, congratulations to both McAfee and Solidcore for moving the industry forward.