
Endpoint Protection needs to fully integrate Application Control and Whitelisting

According to Gartner’s latest research report on Endpoint Protection Platforms (January 16th, 2012), the vendors highlighted continue to have problems stopping malware such as targeted attacks.  One of the key technologies that Gartner cites as lacking in these vendors’ products, and that is important to preventing these attacks, is called application control.

One obstacle not highlighted in the report is the fact that a number of the early application control products have required dedicated systems that can conflict with existing endpoint protection and management systems, making it difficult to acquire and install this important capability.

In our opinion, the key to making application control generally available is for the major players to make it part of their overall offering and for the vendors of application control to make it easy to integrate.  In the meantime, at Savant Protection, we will work to make application control and whitelisting easy to add to your existing systems, without the need to change what you are doing operationally.   We continue to work behind the scenes with leaders in the space to make the technology more accessible to all.

As a dedicated application control company we have built a new generation of application whitelisting and control solutions that integrate with your existing endpoint protection and PC lifecycle management products.  We have had success in working with organizations from twenty computers to thousands in adding this critical security layer.

With Savant Protection’s flexible application control and trust system you benefit by the fact that the solution:

  • Works with traditional Antivirus and HIPS products to stop attacks that bypass these technologies
  • Integrates with PC Lifecycle Management products to protect and support provisioning, patching and trusted update processes
  • Automatically enforces endpoint policies

To access a publicly available copy of the Gartner report, click on the link “2012 Magic Quadrant for Endpoint Protection Platforms” in the first paragraph of the January 19th press release from Symantec.  Access the Symantec press release here:  http://www.symantec.com/about/news/release/article.jsp?prid=20120119_02

To contact Savant Protection please visit our web site or request a live demo at http://www.savantprotection.com/en/resources/live_demo.php

Targeted Attacks Spike With Heavy SMB Focus

According to a recent Symantec blog, attackers are targeting SMBs at a greater rate than companies with more than 500 people. Some other interesting facts from Symantec’s cloud research:

“The percentage of employees who received a targeted Trojan during 2010 was much higher for the SMB sector than for large companies. One small business, in particular, had targeted Trojans sent to all 488 of their employees. SMB industry sectors such as mineral/fuel, non-profit, engineering, marketing and recreation received the most attacks compared with other industry sectors, showing that they are at higher risk.  They also found that attackers target intellectual property and market-leading research – focusing their efforts on education and market research organizations, in particular.”

Commtouch, a provider of antivirus technology to industry, is indicating in its blog that targeted emails with malicious attachments have increased dramatically since August to two billion or more per day.  These are not emails with links to bogus or malicious websites, but attachments that may look like normal document files typical in business. These attacks are not spam but something far more sinister.

These targeted attacks are aimed at specific individuals in specific organizations, contain embedded malware, and are designed largely to capture credentials and gain access to valuable data. Much of this targeted email with malicious attachments bypasses antivirus and gateway protections.  It lands squarely in a target’s inbox as legitimate email. The embedded malware is designed to be unique and unknown to anti-virus and anti-malware.

If you find yourself reading an email with an attachment that seems to be legitimate, think twice; it may not be. A targeted email attack often uses information about you to gain your trust. It will seem like a normal email.

So what do you do? Symantec’s blogger suggests that you “use common sense” and “be smart.”  Your business associates send you data files that you open all of the time. The attacker will pose as one of them, but will bury a program inside. You can’t possibly know for sure, regardless of how much common sense you apply.

The new Savant Enforcer client will block malicious attachments automatically because it denies by default any unknown executable. It’s a simple and powerful antidote for the avalanche of targeted malware and it can be installed on a computer for about a dollar per month. Should you use common sense, good security practices and keep your software protection up to date?  Of course you should.  But you may also want to consider a solution that gives you the confidence to open an attachment without the risk of compromise.
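The post above describes attachments that look like ordinary business documents but carry an executable. The following is an added example, not Savant Protection’s code, of the kind of triage a mail gateway or help desk can apply before a user ever double-clicks: it checks the declared extension against the file’s leading bytes and flags executable extensions hidden behind a document-looking name. The attachment names and byte strings are constructed for the example.

```python
# Added example (not Savant Protection's code): mail-gateway style triage of attachments
# that look like business documents. Sample attachments are constructed, not real captures.

# Magic bytes a file claiming a given document extension should start with.
DOCUMENT_MAGIC = {
    ".pdf": (b"%PDF",),
    ".doc": (b"\xd0\xcf\x11\xe0",),   # legacy OLE2 container
    ".xls": (b"\xd0\xcf\x11\xe0",),
    ".docx": (b"PK\x03\x04",),        # OOXML is a zip container
    ".xlsx": (b"PK\x03\x04",),
}
# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def triage_attachment(name, head):
    """Return the reasons an attachment is suspicious; an empty list means nothing was flagged.

    name: file name as presented to the recipient
    head: the first bytes of the file content
    """
    reasons = []
    parts = name.lower().rsplit(".", 2)          # keep up to two trailing extensions
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) == 3 else ""

    if ext in EXECUTABLE_EXT:
        reasons.append("executable extension " + ext)
    if inner in DOCUMENT_MAGIC and ext in EXECUTABLE_EXT:
        reasons.append("document-looking double extension " + inner + ext)
    if head[:2] == b"MZ" and ext not in EXECUTABLE_EXT:
        reasons.append("PE (MZ) header under a non-executable extension")
    expected = DOCUMENT_MAGIC.get(ext)
    if expected and not any(head.startswith(m) for m in expected):
        reasons.append("content does not match declared type " + ext)
    return reasons


# Constructed sample attachments (name -> first bytes of content).
SAMPLES = {
    "Q3_forecast.xlsx": b"PK\x03\x04" + b"\x00" * 26,
    "invoice.pdf": b"%PDF-1.4\n",
    "Contract_Final.doc.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "statement.pdf": b"MZ\x90\x00" + b"\x00" * 60,        # executable renamed to .pdf
    "notes.txt": b"meeting at 10am\n",
}


def triage_all(samples=SAMPLES):
    """Triage every sample; returns {name: [reasons]} for the ones that were flagged."""
    return {n: r for n, r in ((n, triage_attachment(n, h)) for n, h in samples.items()) if r}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(name, "->", "; ".join(reasons))
```

Checks like these catch the renamed executable and the double extension, but not a genuine document carrying a macro or exploiting a reader vulnerability, which is why the post pairs them with an execution control on the endpoint.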

Can You Get The Money Back If Your Business Bank Account is Drained by Malware?

Most small to medium businesses don’t know that if a key-logger gets onto a computer that accesses the business’s checking account, the attacker can withdraw funds, and the business is out the money! Gone, see ya, have a nice day.

The banks DO NOT insure against this type of loss. Malware phishing attacks on businesses are up dramatically. While many publications will mention this fact, you won’t hear about the losses that are hitting local businesses. While privacy laws may require a business to notify its customers of a database breach, a checking account that gets robbed in cyberspace does not necessarily fall into the notification category. After all, it is the cash of the business, not necessarily directly associated with customers. So the local business gets robbed and no one knows. This is a huge issue for the FBI, which is hamstrung in dealing with it because the money moves offshore without a trace (increments of less than $10,000 are not reported). Malware plaguing businesses, such as Zeus and other key loggers, is among the leading culprits and is even more prevalent in 2011 according to Bank Information Security, a publication that is proactive on this topic in the banking community. http://www.bankinfosecurity.com/articles.php?art_id=3228

If you assume that the credit card protection policies apply to your business checking account, they do not. This problem is ugly for the banks, because the money is withdrawn from them, but with your credentials captured by the key-logger, so they are avoiding the liability. This may change, but so far has not. The brand name security companies that offer you so-called “endpoint protection,” will not want to engage on this one either.

So what do you do?

1. Mind the cookie jar, because no one else is doing it. Protect the computers that access the checking account. After all, besides protecting your customers’ privacy, don’t you care more about the cash in your bank account for payroll and staying solvent? There are a variety of new techniques such as application whitelisting, two factor authentication, and using a dedicated computer that ONLY accesses the bank checking account (although that can be impractical for the entrepreneur on the run with a laptop).

2. Ask your bank and IT service provider about this. They handle multiple businesses and have a substantial incentive to help you.

3. Insist that your endpoint protection vendor deal with the problem. Symantec and McAfee are making billions on your annual subscription payments, but somehow are not providing protection from these threats. We hear that from you consistently. You are required to use them for PCI DSS and other standards. They must be laughing all the way to their bank. Use the power of the internet and online communities. Let them know you are dissatisfied.

While many businesses have spent the past few years getting compliant, overall we have lost ground in keeping up with the new level of malware and security threats. At Savant Protection we focus on helping small to medium businesses, banks, credit unions, and managed service providers deal with the problem. Our approach has been adopted by some of the largest companies in the world, and we are making it available to SMBs and MSPs.

The Zero Day Dance

Yesterday US CERT issued an alert: TA10-238A Microsoft Insecurely Loads Dynamic Libraries. This zero day attack works against many applications, including products from a few names you may recognize such as Microsoft, Apple and Cisco.  The attacker can swap in a DLL and take control of the target application by executing arbitrary code.  http://www.us-cert.gov/cas/techalerts/TA10-238A.html

As you head into the weekend you have no clue about this attack.  Your antivirus cannot stop it.  Attackers may get control of some of your computers.

What complicates this problem is the fact that end users have thousands of good DLLs on their computers.  These good DLLs are very important to keeping the computer operational.  So you can’t simply block DLLs from loading.

What can you do?  It’s time for the Zero Day Dance.  This is your moment.  The antivirus providers and others will sound the alarm.  They will rush updates to the rescue over the next hours and days.  They will encourage many of you to join them in the Zero Day Dance.

The Zero Day Dance has lots of moves: forced updates, scans, and patches.  And you get to do special moves:  rescue infected computers and intensely monitor critical systems.  After all, you do not want to get upstaged by the latest in zero day malware.  And for the privilege of going to the dance you pay substantial money to well known security providers.  It seems odd when there is a more rational way of dealing with this problem.

Savant Protection’s application whitelisting automatically protects the good DLLs and prevents attacks like this.  If you had Savant Protection installed, you could go to the beach or lake this weekend instead of the Zero Day Dance.  Have a nice weekend.

www.savantprotection.com
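The alert referenced above concerns applications that request a library by bare name and get whichever file of that name the Windows search order finds first. The following is an added example, not Savant Protection’s or US-CERT’s code: a simplified model of that search order, used to audit where each of an application’s by-name imports would be resolved from under three configurations. It ignores KnownDLLs, side-by-side manifests and full-path loads, treats only the application directory and the system directories as trusted, and uses a constructed application, DLL names and paths.

```python
# Added example (not Savant Protection's or US-CERT's code): a simplified model of the
# Windows DLL search order, used to audit where an application's by-name imports would
# be resolved from. It ignores KnownDLLs, side-by-side manifests and full-path loads,
# and treats only the application directory and the system directories as trusted.
# Application, DLL names and paths are constructed for the example.

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir, cwd, path_dirs, safe_search=True, cwd_searched=True):
    """Directories probed, in order, for a DLL requested by bare name.

    safe_search=True   models SafeDllSearchMode: the current directory is probed only
                       after the system directories.
    safe_search=False  models the legacy order with the current directory second.
    cwd_searched=False models a configuration that removes the current directory from
                       the search altogether.
    """
    order = [app_dir]
    if safe_search:
        order += SYSTEM_DIRS
        if cwd_searched:
            order.append(cwd)
    else:
        if cwd_searched:
            order.append(cwd)
        order += SYSTEM_DIRS
    order += path_dirs
    return order


def resolve(dll, order, present):
    """Return the first existing candidate path (lower-cased), or None if not found.
    present: set of lower-cased paths that exist on the machine in this model."""
    for directory in order:
        candidate = (directory.rstrip("\\") + "\\" + dll).lower()
        if candidate in present:
            return candidate
    return None


def audit(imports, app_dir, cwd, path_dirs, present, **search_opts):
    """For each imported DLL report (status, resolved_path), where status is
    'ok' (application or system directory), 'untrusted-dir' (anywhere else) or 'missing'."""
    trusted = {d.lower() for d in [app_dir] + SYSTEM_DIRS}
    findings = {}
    for dll in imports:
        order = search_order(app_dir, cwd, path_dirs, **search_opts)
        location = resolve(dll, order, present)
        if location is None:
            findings[dll] = ("missing", None)
        else:
            directory = location.rsplit("\\", 1)[0]
            findings[dll] = ("ok" if directory in trusted else "untrusted-dir", location)
    return findings


def demo():
    """Constructed scenario: a document viewer opened on a file that lives on a network share."""
    app_dir = r"C:\Program Files\Viewer"
    cwd = r"\\fileshare\docs"              # directory of the document being opened
    imports = ["render.dll", "shellext.dll", "optional.dll"]
    present = {
        r"c:\program files\viewer\render.dll",   # ships with the application
        r"c:\windows\system32\shellext.dll",     # legitimate system copy
        r"\\fileshare\docs\shellext.dll",        # same name sitting next to the document
        r"\\fileshare\docs\optional.dll",        # name the app probes for but never installed
    }
    return {
        "safe_search": audit(imports, app_dir, cwd, [], present, safe_search=True),
        "legacy_search": audit(imports, app_dir, cwd, [], present, safe_search=False),
        "cwd_excluded": audit(imports, app_dir, cwd, [], present, cwd_searched=False),
    }


if __name__ == "__main__":
    for mode, findings in demo().items():
        print(mode)
        for dll, (status, where) in findings.items():
            print(f"  {dll}: {status} {where or ''}")
```

The audit shows why the post says you cannot fix this by blocking DLLs: `render.dll` and the system copy of `shellext.dll` must keep loading. What the configurations change is where a name that is absent from the trusted directories gets picked up; an execution control that only admits known library hashes closes the remaining case regardless of search order.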

There’s a Sucker Born Every Minute

This week yet another phishing scam made the headlines.  Facebook users were sent an email encouraging them to click a link that would then download a password stealing program.

Most of us won’t fall for the poorly written email asking us for money to help out a Nigerian prince (and of course we will be richly rewarded for helping).

There have been con men around forever.  Technology helps them reach a broader audience quicker.  Everyone is susceptible to a con that hits their soft spot.  The advertising industry and politicians have developed it into an art form.

When the disaster hit Haiti,  the good people of the world wanted to find ways to help, and they did.  But so did the con artists find ways to steal from people trying to help.

My Mom sends me emails that she has gotten for me to check if they are scams.

What if you got an email from your favorite restaurant/store offering a 30% discount coupon?  Of course it then said “Click here” to get the coupon.  Would you be tempted?  If you clicked, and it was a targeted or zero-day attack, your computer is probably infected even if you are running an Anti-Virus program.  I can hear W.C. Fields saying “Never give a sucker an even break”.  The point is that we are all suckers for something.

So what can we do about this? Savant Protection offers a layer of security  that is easy to deploy and easy to manage that addresses these kinds of attacks and more.

Savant Protection offers a flexible, low impact, easy to deploy, easy to manage layer of security that blocks unauthorized software, stops zero day attacks, prevents the creation of advanced persistent threats, prevents key loggers from running, and eliminates the need for many system rebuilds. It does this by automatically creating and maintaining an implicit whitelist of all executables on each computer system. It is a simple and effective layer of security that will only allow a process to run if it is on the whitelist.  This stops the targeted attack as described above from being successful.  I.e., if an end user mistakenly tries to run that email attachment, it will fail to run since it isn’t on the white list.
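The paragraph above, and the earlier post on targeted attachments, describe the same mechanism: build an implicit whitelist from what is already installed, then refuse to run anything whose content is not on it. The following is an added example, not Savant Protection’s product code, that models deny-by-default allowlisting keyed on content hashes. It builds a baseline from a constructed install tree in a temporary directory, then decides four events: a known executable, an attachment saved after the baseline, a known DLL overwritten in place, and a trusted update that registers its new binary. File names and contents are constructed; nothing real is executed or blocked.

```python
# Added example (not Savant Protection's code): a minimal model of deny-by-default
# application allowlisting keyed on content hashes. The install tree and files below
# are constructed in a temporary directory; nothing real is executed or blocked.
import hashlib
import os
import shutil
import tempfile

# File types the allowlist governs. Libraries are included because a replaced or
# dropped DLL is just as much "unknown code" as a new .exe.
GOVERNED_SUFFIXES = (".exe", ".dll", ".sys", ".scr")


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Implicit whitelist: every governed file present at baseline time is trusted.
    Returns {sha256: path where it was first seen}."""
    allowlist = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(GOVERNED_SUFFIXES):
                path = os.path.join(dirpath, name)
                allowlist[sha256_file(path)] = path
    return allowlist


def decide(path, allowlist):
    """Deny by default: a hash that is not on the list is refused, whatever its path or name."""
    return "allow" if sha256_file(path) in allowlist else "deny"


def approve(path, allowlist):
    """Trusted-update hook: a patch process that is itself trusted registers the new binary."""
    allowlist[sha256_file(path)] = path


def demo():
    """Constructed scenario: baseline a small tree, then take decisions on four events."""
    root = tempfile.mkdtemp(prefix="allowlist_demo_")
    try:
        app = os.path.join(root, "Program Files", "Acme")
        os.makedirs(app)
        good_exe = os.path.join(app, "acme.exe")
        good_dll = os.path.join(app, "acme_core.dll")
        with open(good_exe, "wb") as f:
            f.write(b"MZ constructed good executable\n")
        with open(good_dll, "wb") as f:
            f.write(b"MZ constructed good library\n")
        allowlist = build_baseline(root)
        results = {"baseline exe": decide(good_exe, allowlist)}

        # Event: a user double-clicks an attachment saved after the baseline.
        downloads = os.path.join(root, "Downloads")
        os.makedirs(downloads)
        dropped = os.path.join(downloads, "invoice.pdf.exe")
        with open(dropped, "wb") as f:
            f.write(b"MZ constructed unknown executable\n")
        results["dropped attachment"] = decide(dropped, allowlist)

        # Event: the known library is overwritten in place; same name and path, new content.
        with open(good_dll, "wb") as f:
            f.write(b"MZ constructed tampered library\n")
        results["tampered dll"] = decide(good_dll, allowlist)

        # Event: a trusted updater ships a new acme.exe and registers its hash.
        with open(good_exe, "wb") as f:
            f.write(b"MZ constructed updated executable\n")
        results["updated exe before approval"] = decide(good_exe, allowlist)
        approve(good_exe, allowlist)
        results["updated exe after approval"] = decide(good_exe, allowlist)
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for event, verdict in demo().items():
        print(f"{event}: {verdict}")
```

Keying on content rather than path is what makes the tampered-DLL case a denial, and the `approve` hook is the point where integration with a patching or PC lifecycle management process has to happen, since without it every legitimate update would also be refused.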

Software Quality and Security – The Development Process or How Do You Know You Are Done?

I am the father of two children, and I have been managing the development of software projects for a long time; in both roles the ever-present explicit or implicit question is “Are we there yet?”, which is another way of saying “How much longer till we get there?”.

It should be an easy question to answer.  You have the map, you know how many miles are left to drive, and you know the speed limit. However, you may not know about traffic or construction on your route.  And it turns out your children have a different perception of time. So the question keeps being asked.

Unfortunately, many software development projects don’t even know the destination, let alone how many miles are left to drive.  They are always running into traffic and road blocks, the speed limit is unknown, and sometimes there is no map.

To mitigate these problems many different approaches to the development process have been created; e.g., Waterfall, Spiral, Agile …  These approaches attempt to define the process that will give you a map that leads to your destination. Related to these are quality management processes such as Six Sigma, ISO 9000, Total Quality Management, CMM and ITIL.  At the next level down there are many approaches to designing software such as Structured Programming, Object Oriented Programming, Design Patterns, Functional Programming, and a myriad of variants.  There are also a bunch of techniques for Quality Assurance testing including black box, white box, regression, functional, and system testing.

As an organization you need to choose which of these methodologies make sense for you. The size of the organization, the type of projects, the current team members and the culture might each dictate different approaches.  The key to them all is to be able to set expectations and then meet those expectations.

The good news is that most organizations attempt to address how Quality Assurance fits into the development process.  Many now realize that quality cannot be tested into a product; it needs to be part of the specification, design, and implementation phases as well.

Unfortunately, security is often the orphan child.  It is either not addressed at all or it is only addressed at the end of the project.  You can’t test security into the product.  Just like quality it must be specified, designed, and implemented into the product/project.

So how do we know how long it is going to take to get there?

  • Do we know the destination?
  • Do we have a map?
  • Do we know about traffic jams, construction, or road blocks?
  • Do we have alternate routes if there is a problem?
  • Do we have alternate destinations if all paths are blocked?
  • Do we know when we should just cancel the trip?

You need to be able to answer these questions in order to have a successful project.

These concepts about the process of developing applications can also apply to the process of designing your IT infrastructure.  When evaluating the software to put on the network you need to come up with criteria that address not only the functionality but the quality and the security of that software.  One needs to look at the whole environment to address the operational needs, keeping in mind quality and security.  Savant Protection adds to security within the organization without sacrificing operational goals.

Savant Protection offers a flexible, low impact, easy to deploy, easy to manage layer of security that blocks unauthorized software, stops zero day attacks, prevents the creation of advanced persistent threats, prevents key loggers from running, and eliminates the need for many system rebuilds. It does this by automatically creating and maintaining an implicit whitelist of all executables on each computer system. It is a simple and effective layer of security that will only allow a process to run if it is on the whitelist.

Threat Analysis

Threat analysis is a very simple concept.  One needs to determine where the organization is vulnerable: what are the possible attack vectors, and how large an attack surface do you have?  Ideally one also evaluates the cost benefit of addressing any threats discovered.

Basic software threat analysis asks the developers and QA to ensure that classic threats such as cross site scripting, SQL injection, and buffer overflow attacks won’t work.  The developers also need to analyze the application and break it down into its components and determine if there are any places where communication between components could be subverted and look at all of the inputs and outputs.  I.e., looking for security flaws in the implementation of the software.

That is not sufficient or sometimes not relevant unless the use cases are taken into account.

E.g., an IT department develops software and has an internal policy to do a threat analysis on the software before it is released.  The security team has read all of the latest documentation on threat analysis for software and has decided on some tools to use.  They focus on ensuring that cross site scripting, SQL injection, and buffer overflows can’t work (perhaps using an input fuzzing tool).  They use static analysis tools to make sure the code is “clean”.  However, they also need to take into account the use cases.  Is it an internal or external facing application?  Is some, all, or none of the data confidential?  If it is an internal facing application running on a secure corporate network there should be less concern about man in the middle attacks.  However, there should be more concern about the high level design of the application. Are roles and privileges well defined and secure?  Is there an audit trail of actions taken?  Is the audit trail protected?  Often a threat analysis is limited to the generic security issues, which may not be relevant, and ignores the high-level, less-than-secure functionality of the product.

Threats can be physical. If a laptop is stolen, lost, or left in an unprotected hotel room, your data can be compromised. Much of computer security focuses on external cyber-based threats, but inside theft, malicious users and user error also need to be examined.  User error such as someone leaving their desk without locking the computer, or leaving while still logged into a key corporate software system, can have severe repercussions but does not require a high tech approach to subvert the system.  Savant Protection is a useful tool that reduces the attack surface of end points in the organization.  The attack surface is not just the internally developed applications and corporate-blessed third-party applications; if users have the ability to install apps on their own (intentionally or accidentally), then that opens up more avenues of attack.  Savant Protection mitigates the risk of these attacks by preventing unauthorized software from running.

All security is about trade-offs.  One has trade-offs in deciding how much effort to invest in threat analysis.  One needs to decide which threats are most important to mitigate, what tools to deploy and what policies to put in place.  All organizations should do some level of threat analysis; even spending just a small amount of time can be valuable and help to reduce the attack surface of your organization and mitigate threats.

Savant Protection offers a flexible, low impact, easy to deploy, easy to manage layer of security that blocks unauthorized software, stops zero day attacks, prevents the creation of advanced persistent threats, prevents key loggers from running, and eliminates the need for many system rebuilds. It does this by automatically creating and maintaining an implicit whitelist of all executables on each computer system. It is a simple and effective layer of security that will only allow a process to run if it is on the whitelist.   This keeps the attack surface from expanding.

Security is Layered

Security needs are multi-dimensional and require a layered approach.  Threats come in all shapes and sizes and, as I talked about in an earlier blog post, one needs to define the security problem.  In the normal course of day to day living everyone lives within a layered system of security.  For example:

How secure is Joe Smith in Anytown, USA?  He lives in a country that has an army, navy, and an air force which protects him from assaults from other countries. His country has anti-missile defenses.  He is protected by anti-terrorist and counter intelligence agencies.  There is the FBI, state police, and the local police protecting him.  He could live in a gated community.  He could have a private security force.  He could wear a bullet proof vest. He could avoid traveling in “bad” parts of a city.  He could avoid driving late at night.  He doesn’t drink and drive.  He shouldn’t climb ladders. He could live near hospitals and doctors. He could eat healthy.  He could exercise daily.  He could live in a bubble!  These security measures can be expensive and intrusive. 

As an individual and as a member of society one makes choices and trade-offs in regards to security.  How one makes those decisions will be based on many factors.  There is no one-size-fits-all best practice for security in a person’s life. If Joe lived in a rural area vs. a major city, he might consider different security options. The rural area might require more security because of a lack of local law enforcement, or less, because it is a “safe” community. The city resident might depend on police presence and security and/or carry a handgun for protection. The city resident may behave differently depending on where they were and what time of day it was. The problems, risks, and requirements are different.

Computer and network security also is a layered system. A computing networked environment is just as complex as the example cited above. Many factors will play into one’s decision as to which layers of security are needed.  

At the macro level there is internet security, network security, server security, and end point security.  I will focus on some of the layers of security needed on the end point.

Each layer of security addresses both distinct and overlapping security threats.  E.g., an anti-virus product will create a signature to prevent a known virus from exploiting a known vulnerability in a software product, while at the same time the software manufacturer will release a patch to its software to remove the vulnerability.

It is critical to have a strong security foundation.  Most security problems on a computer are due to poor configuration and unpatched software. E.g., if you have weak administrator passwords on your computers the system is much more vulnerable.  If the computer is kept up to date with patches then exploiting vulnerabilities in the software will fail.   If the endpoint is not behind a corporate firewall then it should have a personal firewall active.  There are many other possible layers of software security that may be appropriate.

Because security threats differ in nature, one needs different approaches to protect against them.  Targeted attacks are on the rise and often exploit the vulnerabilities in the user of the computer.  Unfortunately, these vulnerabilities are hard to patch.  E.g., one can create policies that say not to open attachments in emails, click on links on web pages, or connect USB devices, but people make mistakes and fail to follow the policy.  These targeted attacks are often unique and don’t match a known pattern of bad behavior.  Savant Protection offers a layer of security that is easy to deploy and easy to manage that addresses these kinds of attacks and more.

Savant Protection offers a flexible, low impact, easy to deploy, easy to manage layer of security that blocks unauthorized software, stops zero day attacks, prevents the creation of advanced persistent threats, prevents key loggers from running, and eliminates the need for many system rebuilds. It does this by automatically creating and maintaining an implicit whitelist of all executables on each computer system. It is a simple and effective layer of security that will only allow a process to run if it is on the whitelist.  This stops the targeted attack as described above from being successful.  I.e., if an end user mistakenly tries to run that email attachment, it will fail to run since it isn’t on the white list.

Next week more security topics

Security and Operations – A Marriage Made in Heaven

Security vs. Operations

There is an inherent tension between security and operations.  The most secure computer system would exist in a locked room with no connectivity to the outside world; it would have no input or output devices and be operated by a blindfolded person.  Of course it would be difficult to get anything done in that environment.

Sometimes it seems that in order to get some level of security for your computer systems one sacrifices the ability to get the job done. If you perfectly lock down a computing system it may become too slow or even prevent mission critical applications from running.  Many applications were written without thinking about security.  For example, there are still many applications that need administrative privileges to run and therefore require an end user to have those privileges.  If an organization had a policy that said end users cannot have administrative privileges, then that application would cease to work.

Many organizations have a separate security function within the IT organization and others combine the functions of operations and security into a single function. Whether the IT group is large or small it is difficult to balance the competing requirements.  And security and operations compete for the same dollars.  In some organizations the security team may have a reputation of always saying no. Kind of like how lawyers sometimes seem to work for the Business Prevention Team.

IT organizations are continually asked to do more with less.  Security may have a budget to buy software to help mitigate security risks but it usually falls on Operations to implement and maintain that new layer of security.  It is important to evaluate both the immediate expense and the long term cost of a security product. Savant Protection offers that additional layer of protection without putting an additional burden on operations.

Last week I discussed “solving the right security problems” and this becomes more complicated because of both dollar and operational constraints. Operations and Security need to work together to find a compromise that allows the organization to get their jobs done while mitigating  security risks that are inherent in their business.

Savant Protection offers a flexible, low impact, easy to deploy, easy to manage layer of security that blocks unauthorized software, stops zero day attacks, prevents the creation of advanced persistent threats, prevents key loggers from running, and eliminates the need for many system rebuilds.  It does this by automatically creating and maintaining an implicit whitelist of all executables on each computer system.  It is a simple and effective layer of security that will only allow a process to run if it is on the whitelist.

Next week I will talk about layered security

Security – What’s the Problem?

Many years ago a colleague introduced me to the phrase “What’s the problem?”.  It was useful because it helped people take a step back when they were so focused on features and solutions that they had lost sight of what problem they were trying to solve.  Sometimes the problem was not even the correct problem.  When companies or individuals are dealing with computer security, they often skip the step of defining the problem and go straight to solutions, and they get an environment that has all sorts of security “solutions” but doesn’t solve their security problem.

Why should a company or an individual care about security on their computers and networks?  I overheard a fragment of a conversation when I was at dinner this weekend.  There were two elderly women and one said “… but the Macs have better security, right? And the AOL helps too …”  Unfortunately, that is how a lot of security decisions are made.

Defining the security problem for IT organizations is not simple.  Many organizations large and small decide on solutions without thinking about the problem and creating requirements.  One needs to define what it means to be secure in one’s environment.  Understanding the environment and what needs to be protected and why it needs to be protected can help define the requirements for security.  No solution can be 100% foolproof but ideally one can get the right level of security that significantly mitigates risk.

Here is a list of some diverse motivations for being concerned with security:

  • The company has been breached and proprietary corporate information has been stolen.
  • The company has been breached and credit card information and social security numbers have been stolen.
  • The company lost many days of productivity due to a virus infection causing computers to slow down and need to be rebuilt.
  • A home computer had a virus that loaded a key logger on the system, and the attackers stole all the personal information and the user’s identity.
  • Laptop computers have been stolen from my company and data is at risk.
  • Users are wasting time playing games on computers.
  • Users are using file sharing programs, putting the company at risk for violating copyright laws.
  • PCI compliance, SOX compliance …

What to do? Determine which security issues you are trying to address, define the problems, define the requirements, and then implement a solution.  There is no perfect solution, but based on your environment you need to choose solutions that mitigate the key risks for your organization.

If the reason you care about security is only so you can claim compliance you will likely not be secure but you will be compliant. Many of the problems listed above are caused by an executable program running on the computer that shouldn’t be running.  Somehow it was placed on the computer through a virus, social engineering trojan, user error, malicious intent …   Savant Protection can prevent such executables from running no matter how they got on the computer system.

Savant Protection offers a flexible, low impact, easy to deploy, easy to manage layer of security that blocks unauthorized software, stops zero day attacks, prevents the creation of advanced persistent threats, prevents key loggers from running, and eliminates the need for many system rebuilds.  It does this by automatically creating and maintaining an implicit whitelist of all executables on each computer system.  It is a simple and effective layer of security that will only allow a process to run if it is on the whitelist.

Next week I will talk about the relationship of Security and Operations.
