Defending your Corporate Endpoints: How to go Beyond Anti-Virus
January 30, 2013
Businesses large and small continue to struggle with malware. As a result, 50% of endpoint operating costs are directly attributable to malware alone. Traditional approaches to malware protection, like standalone antivirus, are proving themselves unfit for the task. Something has to give. In this roundtable discussion, independent information security expert Kevin Beaver and Lumension Security’s Chris Merritt will talk about what can be done differently.
Kevin: Okay, all right. Bear with me. Hello, everyone. Thanks for joining us. For anyone who had registered for the live version of this event, I apologize for this morning's emergency which caused our inability to host a live event.
This is gonna be a great discussion that I think you're going to enjoy. We're going to be discussing malware protection and how traditional antivirus controls may not be working in the ways that you need them to be.
My name is Kevin Beaver, and having worked in IT for 24 years as a consultant, a writer, a speaker, and an expert witness, I've seen the good, the bad, and the ugly when it comes to information security. And I've made a lot of dumb mistakes and I've witnessed others do the same. Literally every week, I'm seeing something new. And when it comes to the malware threat and even the means of protection, there's a lot at stake. We've got to make sure that we're focusing on the things that matter.
And I'm gonna introduce Chris Merritt with Lumension. He is going to be on the webcast today discussing this topic. Chris, do you want to tell us a little bit about yourself?
Chris: Sure. I've been in engineering and marketing for 30 years. I've been working in various areas, primarily having to do with data. And lately, I've been spending my time looking at data protection, endpoint security, white-listing technologies, and all of that. So I'm very happy to be here with you, Kevin.
Kevin: Excellent. Thanks, Chris. Well, the malware threat, let's talk about this. Let's talk about what we're sort of seeing and hearing today. The threat is increasing dramatically it seems, yet so many of us are having trouble keeping up. And studies are showing that malware is a top priority for IT and businesses, yet we continue year after year struggling with this problem.
The number of malware-related breaches, according to privacyrights.org, shows that this is not something that we just sweep under the rug. Privacyrights.org, their chronology of data breaches found or has listed over 9 million records across 235 unique breaches in the past year alone related to hacking and malware. And they recorded some 600+ million since they started tracking this in 2005.
And I honestly believe that this is the tip of the iceberg. What about the malware and the incidents that go undetected and unreported? I think we're seeing the tip of the iceberg, and I know that there's some other fundamental studies and statistics that underscore this problem. And Chris, I know you have some information on that.
Chris: Yeah. That's certainly the net cause of all of the AV stuff that we talk about, or the malware that we see is the data breaches. And I suspect you're right. The reported incidents probably don't cover everything that is actually happening.
I looked at av-test.org, they're an independent test organization. I looked at their data back in the November/December-type time frame. And they reported an average of about 2.75 million new pieces of malware being created every month in 2012. Which is, when you do the math, ends up to be a little bit over one per second. In addition...
Kevin: How do we cope with that?
Chris: ...yeah, exactly. If you look at the total malware over the history, it went from about 65 million to about 95 million or about a 36% increase in just one year. So we talk a lot about the exponential rise in malware, and that's just some statistics there that kind of bear that out. I've seen other numbers from McAfee and other companies that bear this out. Generally AV-TEST, I consider to be kind of a good middle of the road number so they don't get overexcited. Sometimes, we see some pretty astronomical numbers. So that's a pretty good number.
You know, in addition to that, in addition to just the sheer quantity, we should probably spend some time talking about the evolution of malware. I mean, you know, I've been around long enough to remember when script kiddies were out doing their little hijinks. Writing little code just to say, "Hi, world" or have fun. But you know, nowadays, we're seeing the rise of weaponized malware being written by nation-states or their proxies to inflict serious damage. Certainly we've seen in the last five years or so, we've seen malware being used in warfare. Look what happened in Estonia, in Georgia, and certainly more recently, Stuxnet, Flame, Duqu, and everything. We're seeing that rise or the change in the use of malware. And a lot of folks will say, "Well, that's aimed at nation-states. That's not gonna impact me."
But what we're seeing is that a lot of this weaponized malware is now getting into the cyber-criminal world where they've captured some of this malware and now they're starting to use it to their own ends. Richard Steenen [SP] wrote an interesting blog post on the Optimal Security blog that Lumension hosts about this. And folks that are interested in this topic should really go check that blog out.
We're also seeing the rise of exploit kits being created that bundle together lots of different vulnerabilities, most of which have patches. And bundle that together and sell them in the Underweb to folks for $750 a month or a quarter or $1,500 a year, and these exploit kits have a multitude of vulnerabilities built into them. They come with full telephone and online support, 24/7, they come with performance guarantees. They've got a checkmark kind of selection of which vulnerabilities you want to use, which AVs you want to avoid, and that sort of thing. It's pretty incredible and scary.
Kevin: Right. We sort of evolved into...where it's like hack in a box, you know? You just go out and you can download this malware, and go and use it against whoever you want to from wherever you want to. And it's been commoditized to the point where anybody can do this.
Chris: In a way, it's kind of going back to the old script kiddies days, but with a much more nefarious end game in mind. And one of those end games that we're seeing a lot of now is this whole regeneration or regrowth of ransomware. Where we're seeing organizations getting their databases or their endpoints being held ransom. There was a case a couple months ago where an organization was held ransom for $375,000, I think it was, by a hacker group. It basically shut down the entire organization. And the Shamoon thing that happened in Saudi Arabia where 36,000 endpoints were wiped clean; pretty dramatic stuff.
And as you say, the ultimate point of all of this stuff is to steal data or to bot the box so that they can use it to do other things.
Kevin: Absolutely. It's funny...I guess it's not funny, but it's interesting I see with my clients when I'm performing my security assessments. I see them struggling to keep up. I know that I...being an independent consultant, I have to keep up with this stuff all the time. But I have trouble keeping up with this. And my clients are having trouble keeping up. It's almost as if it's become so bad that we're like, "Okay, well, we're just gonna have to move along into the future and hope that we don't get hit." To me, that's a bad approach and it's something that can lead to a lot of security problems.
One of the interesting things that I'm seeing, Chris, is that my clients, they tend to switch up their malware protection. One year, they're using XYZ company. The next year, they've gone on to something else that costs less or has more features. And to the point where they're always bigoted about their choices. Like, "Yes, I'm using this now." And we're finally going to be secure. And the next time I go out, they're using yet another product. They're moving on constantly. And they'll go back and say "Oh, yeah, that previous antivirus was garbage, you know? It was too slow, it didn't catch enough things," or so on.
And it's just a constant arms race. And sadly, I think as this image portrays here, I think a lot of people in management just see this as one of those techy, propellerhead [SP] issues that IT is managing that management...Mahogany Row folks don't need to worry about that kind of stuff. But it is something they need to worry about. It is a big problem at that level.
Chris: Absolutely. Various things have been pushed down the pike that folks in the Mahogany Row, as you put it, need to be thinking about if you're in a public organization in the U.S. or trading on a U.S. Stock Exchange. The SEC, back in November or October of 2011, issued new guidance about the risks associated with cyber activities, cyber threats, the loss of data [inaudible 00:11:54]. How that might materially impact the organization, and that they have to disclose breaches, they have to disclose these material risks. Just like you would any other risk that a company undergoes.
So it is absolutely...and you know, we're not even gonna talk about the various data protection laws and so on and so forth. We'll just look at that one thing. And it really is a CEO and a board-level issue these days.
Kevin: It is. It is. Let's jump in. I want to have sort of a Q&A with you. We're going back and forth and sharing some of our thoughts and ideas, and I've got a question that I wanted to present to you, Chris. And then I'll ask you, get your input, and then we can sort of share our feedback.
The question is...this is something that comes up fairly often with my clients, that we have this discussion, I see it in the headlines. "Is traditional antivirus useless?" What do you think?
Chris: Well, yeah, there's certainly...that has been a topic of conversation lately. I think Mikko Hyppönen really started that off with a blog post he wrote a couple of months ago about why antivirus companies like mine failed to catch Flame and Stuxnet. That caused a reaction rightfully so, I think, in the AV industry and around. There's a lot of articles recently about that.
Yeah. Certainly, the data suggests that on average, AV technologies are not doing such a good job at catching new malware. There's a report I remember from a couple of years ago which showed that, on average, AV was catching 16% of new malware on day one. And that by day 30, it only went up to 64%. And that's on average.
So if you happen to have one of the good AVs that was working on virus A, then you're good. But that doesn't necessarily guarantee that that AV is gonna work on virus B. So that's quite a big hole or quite a big risk window you're putting in.
There's some reports from Aberdeen that suggest that organizations are carrying about 60% of the risk, cyber risk, on their books, in essence, by their reliance on AV. Now, does that mean it's [inaudible 00:14:47]? Well, we can have a conversation about that. I, at the end of the day, would suggest that it's not. And we can talk a little bit about that. What's your experience with that?
Kevin: Well, it's interesting. There's been some big hullabaloo in the headlines recently about certain prominent antivirus technologies that aren't very good. This is something that we've seen all the time; these independent labs or these researchers or analysts will come out and say "Microsoft Security Essentials is not catching enough stuff." Or whatever vendor they happen to be, I guess, pinpointing or focusing on at the time.
It is interesting that it's something where every time I go out and meet with the client to do a security assessment, we talk about their malware protection. And inevitably, they've had an infection recently. And it goes back to, "Well, yeah, it's our users," and "Yeah, we had a maintenance window where the virus signatures weren't updated properly because they're mobile users and they are the ones in control of updating their antivirus and whatnot."
The reality is, I think antivirus, as we've known it, it's not useless, but it certainly catches things. It's helped me over the years. It's helped me recently, traditional malware protection has. But obviously, there are some weaknesses. There's this whole arms race, cat and mouse-type game that we keep playing here. "Let's just keep throwing more and more signatures at the problem, and hopefully, we're gonna be protected." To me, that's sort of a blind way to go into this. I don't know, it's almost like, you know...like we are with firewalls. We've known this with firewalls for a few decades; you deny all and then you let everything else through that needs to go through, and sort of getting into a whitelisting-type approach or technology.
And maybe that's the approach that needs to be taken, or at least that needs to be part of the equation and the discussion. Because yeah, people are still getting infected, and I feel like we're losing this race. And you mentioned the statistics, what is it...however many pieces of malware every second are coming out. How could we possibly defend against that?
Chris: Yeah, we did a survey of several hundred users around the world, every year we do this. And the 2013 results show that despite continuing to spend more money on various technologies, organizations in general feel that their security level is not necessarily improving. And they're really struggling with this.
And of course, you mentioned whitelisting. Of course, that's near and dear to my heart, and we can talk about that a little bit more in a second. But I think...yeah, to kind of...you can't just rely on AV is the bottom line. Is it useless? No. Does it still have a place in the defense in depth approach to your security? Absolutely. But can you rely on it by itself? No, I don't think so. I think the evidence is in.
Kevin: I think, you know, a lot of this discussion needs to involve...it often doesn't, but it needs to involve "What is your perspective? What are your needs? What are you trying to accomplish? And ultimately, what is your risk tolerance?" You know? Again, it all depends on your perspective. Everybody's got their own definition of risk, you know?
Kevin: IT will have their definition of risk. Their management will have it. Their compliance officers will have something else, their legal counsel; it's all over the map. And it's as if nobody is really on the same page, and we all have our own opinions about this stuff, and nothing is really getting done.
Chris: Well, of course, as you say it, it's the risk appetite, and it's knowing what your risk appetite is, and it's knowing what your actual risk is. So the Aberdeen paper that I was talking about, you know, they say that organizations are carrying on average, around the world, 60% of the risk in the cyber-threat arena. Do they know this? Are they doing that with intent? Or is that...as your previous slide, is that them sticking their head in the ground? I don't know. And every organization is really gonna have to take a hard look at themselves and really understand that.
Kevin: You know, it's interesting, Chris. I see a big disconnect between what IT is doing and what IT is trying to accomplish, and what they know needs to be done in order to minimize these problems. And then management is just kind of off in la-la land assuming that everything is okay. Because it's, again, it's not their problem. And the right groups are not talking to each other in the right ways.
And speaking of that, let's go into the next question that I wanted to throw out there. What are the most common weaknesses that facilitate malware infections? What are you guys seeing, Chris?
Chris: Well, I like to look at a couple of different things. One of the things...Secunia does a yearly report which I really like; they've done a very nice job. At looking at a typical endpoint and trying to quantify the risk associated with known vulnerabilities.
And what they've shown is that Microsoft, it's not a Microsoft world anymore. On a typical endpoint with 50 pieces of software installed on it, about 22 of those come from Microsoft, the other 28 from third party apps. So Microsoft would be your OS and your Office stuff, right? Excel, Word, etc. Your third party apps would be things like your Firefox browser, your Adobe, your Peachtree, whatever other CAD software, whatever else you're using.
So you have this not quite even split in terms of the amount of software on there. However, what you find out is that 21% of the vulnerabilities are on the Microsoft OS or third party...their apps. Only 21%. Whereas the other almost 80% are with those third party apps. And in addition, they point out that if you have a Microsoft updater to update those 22 programs, that's one updater you need. And then you need eleven other updaters to update all the rest of your third party apps.
So 12 updaters. That's a lot of room for one or two of them to be missed. And as they say in the counter-terrorism world, "We have to be perfect 100% of the time. The bad guys only have to hit once." So if you're relying on your end users to maintain their vulnerability patching, that's a tall ask, I think.
This isn't just Secunia. There's an Aberdeen report that looks at what is your total vulnerability window if all you do is patch Microsoft? And they came up with almost the same numbers; around 11 to 22% of your net vulnerabilities would be patched if you did Microsoft-only patching. The rest of them are third party. So the big lesson there is you've got to patch everything. You can't just say, "Well, I've got the Microsoft updater. I'm good to go."
Now as we mentioned before, there's all this new malware being made. And the bad guys are following this; they know that Microsoft is doing a better job. They're saying, "How do I get into these machines? Well, I don't want to attack Microsoft. I attack these third party apps because nobody patches them." And we're still seeing that happening today. That's probably the most common weakness we see.
Now I could get into all of the specifics of how they do that and everything else. But you know, really, at the end of the day, there's so few zero days that get exploited, but there's this whole world of known vulnerabilities that patches exist for them, but they're not getting put on the endpoints. And therefore, they get exploited.
Kevin: Right. You know, it's interesting, in the work that I do, I do a lot of internal security assessments. By that, I mean vulnerability testing, scanning hosts, looking...performing some manual analysis and exploiting flaws to demonstrate what can happen.
And yeah, broken patch management has got to be one of the biggest issues that I see. I see missing workstation patches. I've seen missing server patches even more often. And I see people, they're relying on the Microsoft solution to patch their Windows boxes, and they have zero third party patch management, you know? Or that their third party patch management...when I say "third party," I'm talking about Adobe, Java...basically everything else outside of the OS and the Office apps.
Chris: Yeah, the other eleven.
Kevin: Yeah. They're relying on their users to make these updates. And you know, I've done it before and Chris, I know you've done it before, and so has everybody else. We're alerted that there's a new Adobe update, there's a new Java update, there's a new whatever update. And what do we do? We ignore it. We ignore it for a few days or at least a day, or maybe a few days, or maybe it goes a week or longer for whatever reason. Maybe it's because the user is not connected to the network somehow, and it's somehow tied into that.
But these patches are not getting applied in the right ways. And then we have these exploits. We have these breaches, these hacks, and whatnot. And then we wonder, "Why is this happening?"
Kevin: That is exactly why it's happening. It's a broken approach. And sort of on the same token, I see a general lack of security testing. A lot of people will run just general vulnerability scans. And they often do it just on their external hosts. Just looking at it from the internet in. And they're not looking on the inside at their workstations or servers. That...all of their endpoints across the board. And to me, again, that's a big problem. The interesting thing that I'm seeing is that a lot of these businesses have documented policies. They have a patch management policy and a process. But it's just not getting followed. These vulnerability scans, these security assessments would not be turning up these flaws if their patch management system was working.
I do want to say that...I'm not just blaming it on the end users and IT staff. I do know that there are certain situations where patches can't be applied because the third party vendors won't support it, or it'll break something, or whatever, and I totally get that. But it still doesn't make it right. There's still a problem.
Chris: Yeah. My colleague, Paul Henry, wrote a blog post sometime during the summer where he pointed out that after a vulnerability is announced, a [inaudible 00:27:27] is announced or after Patch Tuesday or what have you, the bad guys have an exploit created within eight hours.
Chris: So think about that. Eight hours, right? That's your window. That's your window to get that protection put on to your box, right? Just something to think about.
Kevin: Yeah, and the typical window is more like two weeks or a month, or maybe the patch will never be applied. Another common weakness that I want to make sure we talk about here is your users. They're a fundamental part of the problem not just because they're not applying the patches, but just because they're being careless, and they may not understand technology in the ways that we do. So they just kind of go about their day, and they get themselves and your network into a bind.
It's no longer just the criminal hackers, it's our users. And the reality is both groups know that they can get away with things. The bad guys know that their odds of getting caught are slim. They know that users are gullible, that the technical controls are not perfect. And then at the same time, users know that those policies that they signed off on, they had to go through the training or whatever, they know that they're not being enforced. Or they'd just assume, "Well, that's IT's deal. That's IT's problem. Surely, we are protected. Surely, our computers are protected and I can just click whatever link, and if it's not valid or if it's malicious, then I'll be blocked." And I think, again, that's a big part of this problem.
But the reality is any given network is really just one click away from compromise, you know? With all this phishing stuff that's taking place. That's a hard one to protect against.
Chris: Yep. Absolutely.
Kevin: So Chris, my next question is why is it that we cannot achieve the level of control and visibility that's truly needed? I think we've kind of touched on some of these points. But what else? What else is missing?
Chris: Well, from my perspective, looking from the outside in, and looking at a lot of the analyst reports, and talking with customers and stuff like that, I really see a couple of areas that kind of impede us. One is kind of on the technical front. We've already talked about the number of updaters you need if you have a typical endpoint, and most people don't have that typical endpoint; they probably need more updaters. And the difficulty that poses in trying to get control over what's going on in an endpoint? Are things updated on a timely basis? Let alone the visibility, right? If you let all your end users do their own updating, that's problematic. You have no visibility.
But the other thing you kind of...on the flip side of that is we see a lot of endpoints that have a lot of different agents on them, and a lot of different point products being used to kind of create kind of that bootstrap kind of approach to the security. In that endpoint...that state of endpoint survey that we do every year, a couple years back, we discovered that the average number of agents on an endpoint is 3.7. And the average number of consoles that an IT security staff needs to maintain control over the endpoints under their purview, 3.9.
Chris: Another way of looking at it is that over 51% had three or more agents, and 54% had three or more consoles. So that's a lot of folks that have multiple tools working on the endpoint that can cause conflicts and other problems, but also create gaps in your visibility. Because you've got these different consoles and they don't work together. That's a fundamental problem.
I think another thing that you already brought up is kind of on the people and processes side. The transference of risk, kind of what you mentioned earlier, right? The end user said, "Well, it's not my problem, it's IT's problem. And if something goes wrong, all I have to do is take my box over there and they'll fix it." That's a moral hazard in a classical sense.
There's the institutional resistance. "We've spent X number of dollars on this technology. It should protect us. And don't come to me and tell us it doesn't. Otherwise, you've wasted our money." There's a lack of senior management or board concern. I mean, we talked earlier about the SEC kind of forcing this issue. And certainly when you start getting into the data protection realm of things, there's board-level concern.
But study after study shows that there's a disconnect between what it is that the security folks are saying, and what the board-level folks are concerned about. And that is another cultural issue, another educational issue that really needs to be taking place. That surrounds the people and the processes within the organization.
And the last thing I would mention is kind of regulatory. We have regulations out there to try to ensure that companies bear their responsibilities. That they don't pass off that risk to make the gain and pass off the risk. But it kind of sets a low bar. There's that check-mark mentality that goes on, that organizations can say, "Well, you know, I obeyed the law and I'm compliant." Verizon does their yearly data breach investigation report. And in 2012...and in fact every year, they do this. They look at the number of...they look at a significant number of organizations that have been asked.
And one of the things they do is they look at the number of those organizations that were PCI-compliant at the time that they were hacked. And that number typically sits in the 80, 90% range. So that's...everybody is compliant with this regulation, so everybody goes, "Ah, we're done. Great." And in fact, they get hacked.
This kind of, to a certain extent, goes back to what I was mentioning before in Paul Henry's post on PCI. It takes them, the bad guys, eight hours after a patch is announced for them to go back, reverse engineer the patch, figure out what the vuln was, the vulnerability was, and then create an exploit for that vulnerability. It takes them eight hours. PCI says you have up to 90 days to patch that.
So you could be compliant with PCI, and you've opened up an 89-hour...20 hours, 90-day window for the bad guys to attack you. So I feel it's three things: technical, people, and regulatory.
Kevin: Okay. I think that's a good approach. Speaking of regulatory, the funny thing is everybody is PCI-compliant up until the very moment that they get hacked, right? Then everything goes out the window. I deal with a lot of people and management that say, "Oh, yeah, we're PCI-compliant." "We're HIPAA-compliant," or "We're whatever compliant." I'm like, "Okay, that's great, but how secure are you? Because there are two different things."
And a lot of people just sort of take the approach of "Set it and forget it." And I think that's one of the big roadblocks that we face, is "We're just gonna set our antivirus or malware protection and forget it, and we'll do our automated patching, and we'll forget it."
And then people assume that everything is okay because they're not seeing any problems on the network. That's one of the fundamental differences between information security, data security, and the physical security realm which I think a lot of people in management try to compare this to. Like, "Well, we're not seeing any problems. We're not seeing anyone bash down our door. We're not seeing anyone taking our information. So therefore, we're secure." But there is a difference. And we've got to be sure that we do have that control and visibility necessary in order to find the things that really matter.
I think what we've been discussing, there's one thing that sort of sums it all up when it comes to achieving that level of control and visibility needed. And it's you cannot secure what you don't acknowledge. And there are so many vulnerabilities and even threats that go unacknowledged. They're there, but they're not being uncovered because the process is not right, because they're not looking in all the right areas, the proper tools are not being used, and things like that.
I would say if our audience could remember just one thing from this presentation, let it be this: you cannot secure what you don't acknowledge. You've got to make sure that you're looking in all of the right areas.
And what we've sort of come to here is the whole thing that Einstein said. We keep doing the same things over and over again and we have to step back and say, "How is that working for us?" One thing that I'm seeing, Chris, in my work is that a lot of people just sort of sit around and stare at each other, and assume that they're taking care of X, Y, and Z. Even within IT, we just assume that everything's gonna be okay. And as Murphy's Law says, if more than one person is responsible for a miscalculation, no one will be at fault.
There's another...there's a TV show called "Hoarders." I don't even know if it's still on, but my wife and I used to watch it quite a bit. There's a counselor on that television show, her name was Dr. Chabaud. And she said something that really struck home and really applies to this is that when everyone's to blame, everyone can sit still. "When everyone's to blame, everyone can sit still." And we see that with information security, with malware protection, and whatnot.
I promised...I don't watch a whole lot of TV, but there's another show that I've been watching as well called "Restaurant Stakeout." And the guy, I believe his name is Willie Degel, the host of the show. He goes in and tries to fix these ailing restaurants. One thing he said that applies to this as well, he said, "As a restaurant owner, you're completely at the mercy of your staff's judgment and training when it comes to serving alcohol to underage people." And the same goes for malware.
In fact, I just saw an episode not that long ago. The main issues that they found with the restaurant that were causing all these problems were no management, no rules, and no accountability. So in essence, it was all people problems. And it's the same for every episode I see, really. Just like what we see in security. So we've got to keep the people problems visible and at the forefront. Because to me, I think that's where the real issue lies.
Let's move on to the next discussion question here, Chris. And I wanted to see, from your perspective, being at Lumension and just your general knowledge of the market and people's information systems, is it the complexity of the threat or the complexity of our information systems that's really holding us back?
Chris: Yeah, that's a really good question. And you know, I can see pros and cons in both of those areas, so I'll try to articulate those. On the complexity of the threat side...I mean, we've already talked about the quantity of malware we're seeing. We've talked about how fast the bad guys are reverse engineering patches. We've talked about the weaponized malware and all that. So we're definitely seeing that increasing amount in sophistication of malware. We're seeing targeted attacks. There's a case...I don't know if you heard about this, but last summer, there was a case where some malware was written in AutoLISP. Which is a language used for AutoCAD. So it was a highly targeted piece of malware to attack organizations that were using AutoCAD.
And the way it transmitted itself was it basically was a bad app hosted in the App Store. And it was downloaded and designed to go through, find CAD drawings at particular types of companies, and phone home and send them back, along with some other documentation and stuff. But that's highly specialized. I mean, who knows AutoLISP? Most of this stuff is in something a little more common.
So that shows you how targeted these guys are getting. We also have talked a lot about advanced persistent threat; you see it in the news every day, it's kind of the new catchphrase for things. But what it really is talking about is kind of that melding of various attack vectors and various approaches; you mentioned phishing before. Where someone sends an e-mail that somebody clicks on and it takes you to a bad site, or it's a booby-trapped PDF, or attachment of some sort. And that ends up taking over the box, and then the bad guys can go from there or hop on to the network, and then go to where they want to be.
And the advanced part of this is that they're packaging together multiple ways of attacking your organization. The persistent part of it is they've put a lot of effort into that, understanding who they're going after, how to craft the phishing attack, how to craft the websites...the booby-trapped websites. There was a very interesting case a couple of months ago about so-called "watering hole" attacks. Where some bad guys were attacking people who were known to go to specific types of websites. And in order to exploit the boxes these folks were using, what they did was they booby-trapped these websites with some iframes, and just waited until those people got on to that website. And then they took over their boxes and away they went. In this case, it was some NGO stuff, but it's also up and down supply chains. I mean, you may think you're a small company and you're at no risk, but what supply chain are you in? This watering hole attack was also focused on the defense industry supply chain. So they go after some small subcontractor to a larger contractor that then has their systems hooked up with the DoD somehow. And boom, now you've got a network-hopping capability.
So that's kind of on the complexity side of things. Now, that said, on the cons side there, we're still seeing that most attacks are targets of opportunity. Where you look at...I mentioned the Verizon database or data breach investigation report; they talk about that all the time. They're still seeing that most attacks are targets of opportunity. So it's not necessarily complex.
We think of Stuxnet. It's a very complex attack. But what do they go after? They went after a vulnerability that was well over three months old by the time they attacked it. So if you'd been on your patching, you would not have been affected. So you could see both sides of that, right?
On the complexity of the system side, another buzz-phrase you hear a lot of is "BYOD," right? BYOD, the bring-your-own-device means that your network perimeter, kind of that hard outside to your gooey inside is expanding, is porous. So your systems are getting more difficult to defend. You're seeing increasing use of VMs, of virtual machines. The cloud, you know, all of that kind of thing. You're seeing increasing use of online services, third party cloud, if you will, public cloud.
And all of this increases the complexity to the system. As I mentioned, I'm an engineer, and one of the things you learn in systems engineering is that the reliability of the system is the multiplication of the reliability of each individual component within the system. It's a little more complicated than that, but basically, if you have three things and both have 0.75% reliability...in other words, a 25% failure rate, the overall system is gonna have something like a 45% fail rate. So you have to think about that. And as systems get more complex, you have more opportunity for failure.
Now, converse to that, or the cons side to that, is Clarke's Third Law. "Any sufficiently advanced technology is indistinguishable from magic."
Kevin: Love that.
Chris: Complex systems may seem like they're magic. Yeah, Clarke's a great guy. Love his book. Love his movie, too. These things may seem like magic, but they were put together by people and people understand what they've got. And if you are keeping track of what's going on, you should be able to understand that advanced technology.
We're also seeing a lot of security improvements. I mean, I mentioned before the OS, the Microsoft OS has improved in security. I read a report a couple of months ago where they...from Microsoft that showed that the Windows 7 operating system is five times more secure than XP. Yeah, I mean, obviously, they're motivated to say that, but that's probably in keeping with our experience. We're definitely seeing a decreased vulnerability density in the OSs. And the reports from Aberdeen and others bear that out.
So I think the real answer to your question here, Kevin, is it's both. It's complexity of the threat getting increasingly complex, and it's the complexity of the systems. But we have to throw in there that thing you were talking about, the human factor. It's that the end user who clicks on Annie Mae's funny e-mail link to watch the funny cat dance, right?
As I say, it's all of that and much, much more.
Kevin: Absolutely. The whole...the complexity factor of the threat, to me...I actually have trouble wrapping my head around that. There's so many much smarter people than myself that are doing these things. Their approach, their mindset, and all that, and how it all works. And like you said earlier, it's coming to a point where it's being sort of industrialized with nation-states being...there's a lot of money behind this stuff.
I still believe that information systems complexity is a core part of the problem, you know? You can't secure what you don't acknowledge. And I've seen databases, virtual machines, cloud providers; all sorts of factors...mobile devices. There's everything out there that hasn't yet been acknowledged on certain networks, and therefore, it's not properly secured.
And with all this complexity, we have different OS versions, we have different applications, different devices, different rules, different regulations, different people being responsible. And I mean, it just makes your head spin.
I've been in a network administrator position in the past, I've been a security manager. And I know how hard it is. And that was a long time ago. That was before we had all this stuff that we're having to keep up with in security right now. And I don't envy anybody that's responsible for this stuff on a daily basis because you've got a lot to keep up with. Including management that continues to say, "Well, we don't have anything the bad guys would want, so we're never gonna be targeted," you know? Obviously, a lot of these are targeted attacks. We have management that says that they have nothing of value, even though they do...even if it's just network bandwidth. Zombie computers.
Kevin: I worked on a project...
Chris: There's a really interesting...
Kevin: Go ahead, Chris.
Chris: Sorry. I was just gonna say to your point. There's a really interesting thing that Brian Krebs...at Krebs on Security. And he shows the value of a botted machine. It's a very interesting graphic. And he goes through all of the things that...just a machine that has no data on it. It's just the machine. What value that brings to the cybercriminals. If you get a chance, you should look at that.
Kevin: I have not seen that. I need to check that out as well. But I know that it's extremely valuable. And again, people will say that it's not that big of a deal. I worked on a project a couple of years ago. It was an incident response project where I worked as part of a team trying to figure out what happened.
This was a targeted attack against a highly visible organization, a federal government contractor. They had over 10,000 infected work stations and servers.
Kevin: It was highly targeted. I wish I could share some more details. But it was very obvious what was going on. And it took this organization years...they discovered it originally, they thought they had cleaned it up. It came back about a year and a half later. And then they went on another year with it still in their environment. So over a period of two and a half to three years, some group of people were basically...had full control of their environment, of at least 10,000 of their computers.
That's something...I'd actually like to bring this up real quick, Chris, just to get your opinion, and so we can just throw it out there for our audience members to think about. We have anti-malware protection on our work stations, but oftentimes, I'm not seeing it on servers. What is your take? Should we have it on our servers? Are you guys seeing attacks aimed at servers and such?
Chris: Absolutely, you have attacks against servers. The difficulty is that AV and servers...that's a difficult mix, right? As I mentioned before, white-listing is near and dear to my heart. I'm grey enough to remember the old days when white-listing was the way you protected servers. And I think what we're seeing now is that folks are going back to that methodology. You have a very controlled maintenance window on servers. You have it locked down, you have limited access. You need to be very careful about what you allow to reside on that server and who you let work on it and that sort of thing.
But I think in the end, you need to treat servers differently than you do your general endpoint. And you need different tools on there, and you need to be much more strict.
Kevin: Right, right. Yeah. I guess the important thing is don't forget about your servers. Because they're certainly a target. We don't have a ton of time left, Chris, but let's go ahead and keep moving forward. One final question...and this is sort of a set of takeaways for our audience. What can people do to get their environment under control? What can they do to be proactive and to stay safe moving forward?
Chris: Yeah. Your slide there covers some of the things that I talked about earlier on the technical side of things. I think what folks need to think about is this notion of defense in depth that I've talked about before.
In the old days, your medieval castles had interlocking ranges of fire to make sure that they could protect the castle against incoming invaders. You had rings around the castle. You had the grassy field to make sure that you could see. You had the moat, you had the tall walls, the drawbridge, etc. So this notion isn't very new; it's been around forever. And we need to apply that to our information assets.
This means getting...both covering your basics, so we've talked about patching. We've talked about a firewall or AV, I mean. And of course, everybody should have firewalls on their systems. We haven't talked much about making sure that you have secure configurations on your boxes. But that's basic blocking and tackling, right? That's just covering the basics.
So your defense in depth needs to be built on those basics, but you need to add other technologies and interlock them in a way that if one fails, that the other technologies will pick up. You need to be watching your logs. You need to be in some sort of intrusion prevention system of some sort or another. You know, the firewalls both on your servers, on your network, and then on the endpoints.
And then of course, you know, as I've said many times, white-listing, near and dear to my heart. This is the technology that will give you that proactive approach to your defense in depth strategy that allows you to get ahead of that constant vicious cycle you were talking about earlier.
So one thing I guess I'd put out there for the audience to think about is the SANS Institute put out the top 20 critical controls, and they kind of put together this list of things that people ought to be thinking about. They did a pretty good job of looking at the holistic problem and prioritizing it, putting together some things you could do to get some quick wins, and then some things that take a little bit longer, and then some longer-term strategy.
I would encourage folks to take a look at that. It's focused on the federal government. But you know, a lot of that stuff is common sense. And if you're serious about security, then I think that's an area to go to.
We've talked about people and processes. We've talked about board-level involvement. We've talked about creating a culture of awareness. You shouldn't be clicking on Annie Mae's funny cat video link. We need to have that ongoing training and communication, right?
We did a survey last month where we looked at the training that folks receive or provide their end users. And you know, a lot of folks do some onboarding training, that kind of thing. Maybe they do a once a year training. But they leave it at that. And really, things are changing so quickly that you really need to have that ongoing training and that communication between the folks that are very intently aware of what's going on in the security side of things. And other people who...they've got their jobs to do. They're not out reading the same security blogs and things that you and I do.
[inaudible 00:56:58] points out that organizations that have a CISO or have a CIRO, a risk officer or a security officer, they tend to do a lot better than organizations that don't when it comes to the response and the costs associated with a data breach. So that may be something that would help foster a lot of this stuff we're talking about on a people and process kind of area.
The other area I talked about was focus...was regulatory. We've talked about kind of that checkmark mentality. And I think what folks need to focus on is on the results, not the methods. We need to foster cooperation within the organization, in-between organizations, to try to understand the threat environment that we're all in, and what we can do to mitigate that.
And we need to level that risk and reward or moral hazard equation, so that folks aren't accepting all the reward and assume that somebody else is picking up the risk.
Chris: And we're seeing some of that in the regulatory environment in different ways.
Kevin: Right, okay.
Chris: Now, you wrote "automation" here. What were you thinking of there?
Kevin: Yeah, you know, we're coming up to the top of the hour. I'm not sure if we have a hard stop at the one-hour mark. But as for automation, you have to ask yourself how you can automate these processes to the greatest extent possible? With the limited amount of time that you have, automation is the only way you're gonna be able to keep up, I'm convinced of that.
These automated controls, they're able to be vigilant when you can't be. They're gonna help relieve the pain of managing security and ongoing audits. And it's just gonna help you enforce policies to close that loop and have those repeatable processes that you need.
Chris: Good point.
Kevin: In essence, you can't just keep detecting and responding. You need to fix the underlying problems. And that also includes repeated security testing. You know, you can't just do a few scans every now and then. It's got to be something on a consistent and periodic basis if you're gonna make this stuff work properly.
Chris, let's start to wind things down. I had a slide I wanted to share with the audience, some resources on my website. If you go to principlelogic.com, go to my "Resources" page, I have a blog, some audio programs. You can follow me, my rants on Twitter, and I have a YouTube channel called PrincipleLogic.
Written a few books on the subject of information security and whatnot. My book "Hacking for Dummies," the fourth edition, just came out yesterday. So check that out if you get a chance.
I'm always looking for new ways to learn and new people to learn from. So please reach out to me on LinkedIn. You'll see the connection there. Chris, I know you have a few more points you want to make as we wind down.
Chris: Yeah, just, again, talking about that defense in depth strategy and talking about kind of that foundational bit of patching and configuration management. Building up with application control, adding encryption technologies to make sure that if data are lost, that they're unusable and thus, your organization is protected by Safe Harbor. Adding device control to prevent USB sticks or CDs from being used to transport media to exfiltrate data. And then, of course, AV is still part of the equation.
So I think you put all these pieces together and you have a layered approach that goes beyond traditional blacklisting.
Kevin: I agree.
Chris: We also have a number of resources for the audience to utilize. We have a vulnerability scanner, app scanner, and device scanner. Some tools that they can use; they're free. Download them, run them on your environment, and see what's going on out there. As you said, you can't fix what you don't acknowledge. So this might be a good start.
There's a lot more information on our website. If you have any questions, you want to continue the conversation, drop me an e-mail.
Kevin: Definitely check out the resources that Lumension has to offer, especially the scanner tools. Those are near and dear to my heart. But I've been following Lumension for several years, and I know that they're doing a lot of good things. They have a great blog. I wrote an article on there recently...not that that's the great part of it, but I know that they pull in a lot of good resources and have a lot of good thoughts.
Yeah, let's go ahead, and if we could take, like, 20 seconds, Chris, to share our closing thoughts with the audience and we'll get this thing wrapped up. What do you want the audience to leave with from this presentation?
Chris: Well, I think we've covered a lot of information here. I think the big thing here is think defense in depth. Think about getting tools that work together to help you defend your endpoints and protect your data from the bad guys.
Kevin: Excellent. Yeah, and I'll just say step back and look at the big picture. You have to create a reasonable, technical, and operational environment to fight off modern malware, and the traditional approaches are not working. So understand what you've got, understand how it's at risk, and then take the appropriate steps to do something about it.
Folks, thanks for joining us. This has been great. Thank you very much, Chris. I've enjoyed it, and thanks for having me today. And have a great rest of the day.
Chris: Thanks, Kevin.