<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace&#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/whitelisting/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 30 Jul 2010 14:33:34 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>It’s pretty cool when your baby really ISN’T ugly…</title>
		<link>http://www.coretraceblogs.com/2010-07/it%e2%80%99s-pretty-cool-when-your-baby-really-isn%e2%80%99t-ugly%e2%80%a6/</link>
		<comments>http://www.coretraceblogs.com/2010-07/it%e2%80%99s-pretty-cool-when-your-baby-really-isn%e2%80%99t-ugly%e2%80%a6/#comments</comments>
		<pubDate>Fri, 30 Jul 2010 14:33:34 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application intelligence]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[CSI]]></category>
		<category><![CDATA[trusted change]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1951</guid>
		<description><![CDATA[You’ve all been there before.  You’re having dinner with friends and out come the baby pictures.  Inevitably, you are listening to a set of parents who are gushing about the fact that their child is the next Fabio or Christie Brinkley and THEN you see the picture…
Well, I find myself in the position [...]]]></description>
			<content:encoded><![CDATA[<p>You’ve all been there before.  You’re having dinner with friends and out come the baby pictures.  Inevitably, you are listening to a set of parents who are gushing about the fact that their child is the next Fabio or Christie Brinkley and THEN you see the picture…</p>
<p>Well, I find myself in the position today of being the doting parent.  Only in this case, the “child” is a major overhaul of our flagship product, BOUNCER V6.0.  With this new release the “child” has grown into an adult.  You’ll have to pardon my metaphor here, but I believe building a product is, in many ways, like watching your kid grow up.  With V6, we’re realizing the vision we developed for the product when I joined CoreTrace more than 3 years ago.<span id="more-1951"></span></p>
<p>Why is this release so special?  As I’ve said many times before, the historical “knock” against whitelisting (largely propagated by blacklist-based antivirus companies with a revenue stream to protect) was the notion that the management overhead outweighed the significant security benefits.  At CoreTrace we’ve focused like a religion on “operationalizing” application whitelisting.  By this I mean being able to realize the security advantages of whitelisting while at the same time becoming increasingly transparent to the end users and actually easing the burden on the IT shop.   The best of both worlds, if you will.</p>
<p>With whitelisting, that means making it very easy and simple to add and subtract applications from the “whitelist”.   With V6, we do this by adding “self-approval queues” to our already best-in-class “Trusted Change” mechanisms (even the names of these new user privilege options are cool&#8211;&#8220;AllowQ&#8221; and &#8220;BlockQ&#8221;&#8211;with the &#8220;Q&#8221; meaning &#8220;queue&#8221;).   In addition, we’re adding “Application Intelligence” to our product so that the BOUNCER admin can quickly determine if they want to ban or allow applications that are requested through these queues.  Not only does our new CoreTrace Software Intelligence (CSI) service include millions of &#8220;known good&#8221; applications, it also includes millions of &#8220;known bad&#8221; pieces of malware. That is right; it provides intelligence based on blacklisting! We have always felt that whitelisting and blacklisting would coexist&#8211;we fundamentally believe that the primary enforcement mechanism will be based on whitelisting (for efficacy and performance reasons) and blacklists will be used in a supporting capacity (like ensuring that any *known* malware is identified, stopped and removed from all systems). </p>
<p>Add in a slick new web-based interface and enterprise-class scalability improvements (including a software-only solution, with the management servers shipping as virtual appliances) and it’s a recipe for me whipping out my wallet and showing some pictures.   In fact, you can go here for more detailed info on <a href="http://www.coretrace.com/products/BOUNCER_by_CoreTrace/default.aspx" target="_blank">BOUNCER V6</a>.</p>
<p>We’ve been able to preview this release with a great many customers, partners, and analysts.  In all cases, I asked for brutal honesty and feedback.  The reactions have been overwhelmingly positive.  Can’t wait to get this into production environments.</p>
<p>You know, it’s pretty cool when your baby really ISN’T ugly…</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-07/it%e2%80%99s-pretty-cool-when-your-baby-really-isn%e2%80%99t-ugly%e2%80%a6/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Application whitelisting: A perfect way to extend the life of Windows 2000 systems</title>
		<link>http://www.coretraceblogs.com/2010-07/application-whitelisting-a-perfect-fit-for-out-of-support-windows-2000-system/</link>
		<comments>http://www.coretraceblogs.com/2010-07/application-whitelisting-a-perfect-fit-for-out-of-support-windows-2000-system/#comments</comments>
		<pubDate>Thu, 22 Jul 2010 12:55:57 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[Gartner]]></category>
		<category><![CDATA[MacDonald]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[windows 2000]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1925</guid>
		<description><![CDATA[On July 13, 2010 Microsoft ended its support of Windows 2000-based systems. This week, Gartner Analyst Neil MacDonald detailed the options available to organizations who may still be using Windows 2000:

Migrate to a newer and supported operating system
Pay Microsoft for a Custom Support Agreement (CSA), running $50,000 per quarter
Pay Microsoft for Custom Support Essentials (CSE), [...]]]></description>
			<content:encoded><![CDATA[<p>On July 13, 2010 Microsoft ended its support of <a href="http://support.microsoft.com/gp/lifean35">Windows 2000-based systems</a>. This week, Gartner Analyst Neil MacDonald detailed the options available to organizations who may still be using Windows 2000:</p>
<ul>
<li>Migrate to a newer and supported operating system</li>
<li>Pay Microsoft for a Custom Support Agreement (CSA), running $50,000 per quarter</li>
<li>Pay Microsoft for Custom Support Essentials (CSE), to receive critical security fixes</li>
<li>Continue using Windows 2000-based systems without new patches</li>
</ul>
<p>For many organizations, the first three options are time intensive and extremely expensive, but they feel concerned about running legacy systems without ongoing security patching. If your organization feels the need to continue to run Windows 2000, application whitelisting, such as our CoreTrace BOUNCER solution, may be exactly what your company needs.<span id="more-1925"></span></p>
<p>For most of these systems, application whitelisting, which can lock down the system and explicitly define what applications are allowed to run, is an ideal approach toward protecting against new malware and attacks. In particular, a solution like BOUNCER provides the following advantages for protecting these systems.</p>
<ul>
<li class="margin_bottom_1em"><strong>Explicitly define what is allowed to run</strong> &#8212; Most of these systems are running in a known state with very little need to run any new applications</li>
<li class="margin_bottom_1em"><strong>Prevent all unknown applications from running</strong> &#8212; New vulnerabilities aren&#8217;t a problem any longer as no new malware will be able to run, no matter what the vulnerability.</li>
<li class="margin_bottom_1em"><strong>Eliminate the need for patching and signature updates</strong> &#8212; These systems are protected without the need for any new antivirus signatures or custom security fixes through a costly service agreement with Microsoft</li>
<li><strong>Implement a unified endpoint security approach that protects both legacy and modern operating systems</strong> &#8212; BOUNCER is able to implement and enforce your security policy whether the system is Windows 2000 or Windows 7.</li>
</ul>
<p>Neil MacDonald specifically calls out application whitelisting as an important component of protecting these systems:</p>
<blockquote>
<p>&#8220;Whitelist the applications that are allowed to execute on the Windows 2000-based system, desktop or server. If malware somehow makes it on to the Windows 2000 system, another way to thwart attacks is to prevent unauthorized code from executing using a whitelisting approach (only run applications that have been preconfigured on a whitelist).&#8221;</p>
</blockquote>
<p>We wholeheartedly agree.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-07/application-whitelisting-a-perfect-fit-for-out-of-support-windows-2000-system/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Researcher suggests hackers have already infiltrated critical infrastructures</title>
		<link>http://www.coretraceblogs.com/2010-06/researcher-suggests-hackers-have-already-infiltrated-critical-infrastructures/</link>
		<comments>http://www.coretraceblogs.com/2010-06/researcher-suggests-hackers-have-already-infiltrated-critical-infrastructures/#comments</comments>
		<pubDate>Wed, 23 Jun 2010 17:24:52 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber threats]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[malware attacks]]></category>
		<category><![CDATA[targeted attacks]]></category>
		<category><![CDATA[whitelisting]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1845</guid>
		<description><![CDATA[For organizations that run the nation&#8217;s most critical infrastructures, it&#8217;s important to understand that today&#8217;s targeted cyber attacks are designed to carry out any number of activities, from monitoring network processes to bringing down the grid. Just because hackers haven&#8217;t carried out an attack doesn&#8217;t mean malware isn&#8217;t already resident in a system waiting for [...]]]></description>
			<content:encoded><![CDATA[<p>For organizations that run the nation&#8217;s most critical infrastructures, it&#8217;s important to understand that today&#8217;s targeted cyber attacks are designed to carry out any number of activities, from monitoring network processes to bringing down the grid. Just because hackers haven&#8217;t carried out an attack doesn&#8217;t mean malware isn&#8217;t already resident in a system waiting for the most opportune time to launch.</p>
<p>In the article, <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1515123,00.html?track=sy160">&#8220;Attackers can take out critical infrastructure, but profit lies elsewhere, researcher says,&#8221;</a> Jason Larson, a security researcher at the Idaho National Laboratory, said there&#8217;s plenty of evidence that hackers have already infiltrated control systems that run power generation plants, gas and oil refineries, and other chemical factories, but so far their activity is observational.<span id="more-1845"></span></p>
<blockquote>
<p>&#8220;If you are going to wait for the explosions you&#8217;re going to be waiting for a long time. They don&#8217;t seem terribly interested in wrecking the place &#8212; at least not yet&#8230; Destroying processes completely is not really profitable. It&#8217;s more profitable to monitor and wait for the perfect opportunity.&#8221;</p>
</blockquote>
<p>According to Larson, once inside the network of critical infrastructures, hackers appear to be focusing on monitoring how the processes within the facilities work. Speaking at the Forum of Incident Response and Security Teams (FIRST) Conference 2010, Larson suggested that an increase in wireless field equipment, including embedded devices and the high speed communication links they connect to, is making control systems more vulnerable. As a result, much more research needs to be done to improve the security of embedded devices and produce standards so security experts can access firmware in the event of a breach.</p>
<p>As we know, regulations alone won&#8217;t solve the problem. I agree with Larson when he says that compliance does not equal security. While we all know meeting industry standards helps increase network security and defend our infrastructures against new threats, it does not completely provide it. It can take years to create Federal mandates, which are never updated fast enough to keep up with evolving cyber threats.</p>
<p>The longer a company waits, the more entrenched malware can sit silently monitoring network processes and waiting for the best opportunity to attack. That&#8217;s why it is so important for organizations to be proactive instead of waiting for a catastrophe to happen and reacting. Because when it comes down to it, network penetration can and does occur, whether we know it or not.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-06/researcher-suggests-hackers-have-already-infiltrated-critical-infrastructures/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Latest Microsoft patch illustrates the dilemma and dangers of fire drill patching</title>
		<link>http://www.coretraceblogs.com/2010-02/latest-microsoft-patch-illustrates-the-dilemma-and-dangers-of-fire-drill-patching/</link>
		<comments>http://www.coretraceblogs.com/2010-02/latest-microsoft-patch-illustrates-the-dilemma-and-dangers-of-fire-drill-patching/#comments</comments>
		<pubDate>Fri, 12 Feb 2010 16:02:01 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[patching]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1281</guid>
		<description><![CDATA[This week I kicked off our Planet Antivirus challenge with a blog entry highlighting the top 5 failures of antivirus. My fifth point highlighted the fact that relying on antivirus results in a reliance on fire drill patching:

Relying on antivirus ties companies to fire drill software patching &#8212; The side effect of [...]]]></description>
			<content:encoded><![CDATA[<p>This week I kicked off our <a href="http://www.planet-antivirus.com/" target="_blank">Planet Antivirus</a> challenge with a blog entry highlighting the <a href="http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/" target="_blank">top 5 failures of antivirus</a>. My fifth point highlighted the fact that relying on antivirus results in a reliance on fire drill patching:</p>
<blockquote>
<p>Relying on antivirus ties companies to fire drill software patching &#8212; The side effect of relying on antivirus to protect endpoints is that companies are now tied to reactive software application patching as well. Because we can’t trust our antivirus software to protect the endpoint, we also must remain constantly aware and vigilant about identifying and fixing vulnerabilities in our applications on the endpoint. The resulting combination of rushed patches and signatures is a significant drain on the human resources of an organization.</p>
</blockquote>
<p>It&#8217;s rare that such a post has supporting evidence appear just days after it is published, but this week, that is exactly what happened. It was reported this week that a Windows XP security update resulted in the notorious Blue Screen of Death (BSOD), locking up many users’ Windows XP PCs. In the article, <a href="http://www.computerworld.com/s/article/9155419/Windows_patch_cripples_XP_with_blue_screen_users_claim" target="_blank">&#8220;Windows patch cripples XP with blue screen, users claim,&#8221;</a> hundreds of Windows users expressed their frustrations on the company&#8217;s support forum throughout the week.<span id="more-1281"></span></p>
<p>The problem appears to have originated with one of the 13 updates the company issued on Tuesday to patch a 17-year-old kernel bug in all 32-bit versions of Windows. After users updated and tried to restart their PCs, they ran into the infamous Blue Screen.</p>
<p>Unfortunately, this is yet another example of the growing problems organizations experience when relying on patches to secure their network and the dangers of rolling out patches quickly. This isn&#8217;t an isolated case as the article points out:</p>
<blockquote>
<p>This was not the first time that a Microsoft update has incapacitated Windows PCs. Two years ago, a set of updates for Vista sent an unknown number of machines into an endless series of reboots. Similar problems stymied users who tried to upgrade to Windows XP Service Pack 3 (SP3) in May 2008, and others attempting to upgrade from Vista to Windows 7 last October.</p>
</blockquote>
<p>There was once a time when patching was an effective way of dealing with security flaws and vulnerabilities within an operating system. However, in today&#8217;s world, the sheer volume of new patches, combined with the time it takes to disclose a vulnerability and then create and distribute the updated code, means systems are practically sitting ducks for new malware and viruses ready to exploit a network at every opportunity. In addition, when the patch finally comes out, smart organizations take the time to ensure that the fix itself won&#8217;t cause problems with their systems. That&#8217;s where a solution such as application whitelisting can help. Whitelisting gives organizations time to test patches and roll them out on a regular schedule, avoiding both fire drill patching and additional time exposed to attacks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-02/latest-microsoft-patch-illustrates-the-dilemma-and-dangers-of-fire-drill-patching/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The top 5 failures of antivirus</title>
		<link>http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/</link>
		<comments>http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/#comments</comments>
		<pubDate>Mon, 08 Feb 2010 15:43:59 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[patching]]></category>
		<category><![CDATA[whitelisting]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1240</guid>
		<description><![CDATA[I truly believe that 2010 is a turning point in endpoint security. The old antivirus model has reached the end of its practical usefulness and the disadvantages of an approach with a foundation of blacklisting far outweigh its benefits. Operation Aurora and the attacks against major online brands perfectly illustrate the failure of our old [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/back-to-square-one-signpost/" rel="attachment wp-att-1253"><img src="http://www.coretraceblogs.com/wp-content/uploads/2010/02/iStock_failure_sign-303x201.jpg" alt="" title="The top 5 failures of antivirus" width="303" height="201" class="alignright size-medium wp-image-1253" /></a>I truly believe that 2010 is a turning point in endpoint security. The old antivirus model has reached the end of its practical usefulness and the disadvantages of an approach with a foundation of blacklisting far outweigh its benefits. Operation Aurora and the attacks against major online brands perfectly illustrate the failure of our old paradigm to protect endpoints.</p>
<p>Later this week, we are launching a fun (and funny) awareness campaign, called Planet Antivirus, highlighting the weaknesses of antivirus and focusing on the need to completely rethink our approach to how we defend endpoints. Today I am kicking this campaign off by highlighting the top five failures of antivirus technology:<span id="more-1240"></span></p>
<ul>
<li>
<p><strong>Antivirus is a performance hog</strong> &#8212; One of the most common complaints we hear about antivirus is its performance impact. This can weigh heavier on the minds of IT managers than its problems with catching new threats. A perfect example of this is a <a href="http://reviews.cnet.com/Labs/4520-6603_7-5020816-10.html" target="_blank">description from CNET Labs</a> on how they test antivirus:</p>
<blockquote>
<p>&#8220;Antivirus programs are designed to detect and intercept harmful files downloaded to your computer. In order to monitor incoming files, however, antivirus programs &#8212; like all applications &#8212; need to use system resources. The degree to which an antivirus program detrimentally affects a system&#8217;s performance varies from one application to another. CNET Labs tests three areas of antivirus application performance: how deep-file virus scanning impacts overall system performance, how quickly files can be scanned for viruses, and how system boot time is affected by the antivirus program. We also report on how effective the antivirus programs are at identifying viruses by citing the studies of established industry authorities.&#8221;</p>
</blockquote>
<p>It is telling that the majority of their test is concerned with how antivirus detrimentally impacts system performance. The effectiveness of the antivirus solution is almost an afterthought.</p>
</li>
<li>
<p><strong>Antivirus is an after the fact cleaner and it doesn&#8217;t even do that well</strong> &#8212; The simple fact is that antivirus can&#8217;t protect you from getting infected. This is indisputable and has been empirically proven time and again. So why do we still use it? One reason people continue to use antivirus is that it is used to identify infections and to clean up the mess. Unfortunately it doesn&#8217;t even do that well. If you are infected by a particularly nasty piece of malware, many times the best option you have is to completely rebuild your system. There is a great post on this on the Cornell Information Technology site titled, <a href="http://www.cit.cornell.edu/security/respond/wipeclean.cfm" target="_blank">&#8220;Rebuilding Your System Is the Safest Road to Recovery after a Malware Attack,&#8221;</a> that does a good job of making this case:</p>
<blockquote>
<p>&#8220;<strong>Dangerous software hides from repair tools</strong>: The IT Security Office recommends formatting one&#8217;s hard drive followed by a complete software reinstallation in response to a system compromise. Modern malware relies on rootkits to hide itself from antivirus software and administrator analysis. Rootkits use a variety of techniques, such as executable encryption, alternate data streams, innocently-named files or registry keys, concealment in system restore points or patch clusters, or the use of portions of the disk not conventionally accessible to the operating system. These elaborate, and effective, concealment methods make it difficult or impossible to return a computer to a safe, functional state. Often removal of the malware can render the system nonfunctional. Worse yet, incomplete or ineffective removal means the attacker may regain control of the computer.</p>
<p><strong>Complete reinstallation is necessary</strong>: A reinstallation includes not only the operating system, but also application software. It is important to realize that any application software currently on the computer may be tainted by the attacker and only trusted original sources should be used for reinstallation.&#8221;</p>
</blockquote>
</li>
<li>
<p><strong>Antivirus was designed to address a different threat</strong> &#8212; Despite the addition of heuristics and behavioral models to detect variants of malware, the fact remains that blacklisting is the foundation of antivirus and it was designed to address a different threat than today&#8217;s malware. Antivirus originated to protect against propagating threats. These threats either propagated through the sharing of disks and files by individual users or were self propagating worms that identified weaknesses in networked computers and subsequently infected vulnerable systems. Blacklisting in this model was feasible and effective because it was both easy to collect samples of the malware and protect against a limited set of threats.</p>
<p>Today&#8217;s threats are different. Today, online crime hinges on the combination of social engineering and vulnerability exploitation that allows the attacker to place a custom piece of malware on the targeted system. This is a much harder problem to solve by blacklisting. The attacks can be customized for uniquely targeted online businesses or groups of businesses with software that would elude even the most sophisticated antivirus solution. My main concern if I was Google or any of the other companies targeted in Operation Aurora wouldn&#8217;t be what data they stole from me, but what malware they left behind to use at another time. Most likely they will have to resort to reinstalling those systems as I mentioned in the previous point.</p>
</li>
<li>
<p><strong>Antivirus updates are too frequent and can cause problems</strong> &#8212; In order to keep up with the exploding world of malware, most antivirus applications issue updates at a very regular interval. This can be as frequently as an update a day in some cases. The problem with this is that not only does it require regular distribution of these updates to all endpoints, with the corresponding performance impact, but the frequency of updates also means that problems from the updates are more likely to occur. The resulting decrease in reliability of signature updates means that many organizations try to test updates before they roll out the new signatures. This simply isn&#8217;t practical. The frequency of signature updates means that testing won&#8217;t work or even be completed before the next update arrives. Organizations either need to revert to a less frequent update schedule to allow testing, potentially extending the time they are exposed to a new threat, or they need to simply trust that the update files from their antivirus company won&#8217;t cause problems. Neither of these options is optimal.</p>
</li>
<li>
<p><strong>Relying on antivirus ties companies to fire drill software patching</strong> &#8212; The side effect of relying on antivirus to protect endpoints is that companies are now tied to reactive software application patching as well. Because we can&#8217;t trust our antivirus software to protect the endpoint, we also must remain constantly aware and vigilant about identifying and fixing vulnerabilities in our applications on the endpoint. The resulting combination of rushed patches and signatures is a significant drain on the human resources of an organization.</p>
</li>
</ul>
<p>2010 needs to be the year that we begin a healthy discussion of completely re-evaluating the approaches we use to protect our endpoints.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-02/the-top-5-failures-of-antivirus/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
