RSAC 2012: Malware growth and why layered security is still king

Image credit: J. Anderson

Last week during the RSA Conference, there was plenty of talk about growth. The vendors talked about growth in their client base, and some attendees discussed growth in new business and networking initiatives. Yet, during the same week, the number of malicious applications hitting the Web grew as well, to the tune of nearly 200,000 unique Malware samples.

While the security heavyweights were showing their latest advances to the crowds at the RSA Conference, criminals were doing what they do best – production. As mentioned, there was plenty of talk about growth, some vendors even announced acquisitions during RSA, but there was tremendous growth in the Malware world as well.

Using AV-Test as a guide, more than 200,000 unique Malware samples were created last week. The only reason for their existence is exploitation. Most of those newly created malicious samples will exploit software and application vulnerabilities. Others may have a much darker purpose.

But no matter what, the Malware’s goal is to compromise a system in order to leverage it as part of a botnet or offer the criminal using it a backdoor into the network. After that, the target is information. Be it corporate, financial, or personal, in the criminal world of today, information is worth its weight in gold. An entire criminal economy exists in order to buy, sell, and trade stolen information.

“Despite the industry’s vast resources and market capitalizations, the cybercriminals are working better, faster and cheaper each year to exploit the weaknesses in our current approach to security,” stated Paul Lipman, chief executive officer of Total Defense.

He’s talking, based on the press release issued before the RSA Conference, about the use of signatures and other methods within anti-virus and other endpoint protection offerings, and how they fail to keep up with criminals’ ongoing Malware development.

“If the local police had the same abysmal record, they would be run out of town. The data speaks for itself. The cybercrime era demands a new approach that makes it easier for businesses and consumers to protect themselves,” Lipman added.

He has a point, but the question is one of how.

It is easy to state that signature usage on an IPS, IDS, or AV program is the wrong approach, but much harder to suggest an alternate method that can’t be compromised by an enterprising criminal. The security world’s elite have wrestled with this problem for decades.

Behavioral detections are a positive step, but they too have their faults, such as false positives or policy implementations that follow the end user’s direction. (If the user says the application is valid, no matter what action the application takes, it will be allowed by the behavioral engine.)

Whitelisting and blacklisting are another great advancement that has emerged over the years, but the downside here is that the security system or vendor must maintain a massive repository of legitimate application signatures in order for the solution to remain useful.

Another whitelisting/blacklisting approach, where only the applications allowed by policy can be activated on a given system, often runs into productivity issues within a business. This in turn means that it is often incorrectly implemented and left in an overly permissive state in order to appease an organization’s staff.

At this point, the doom and gloom may make you want to punch something. It seems like there is no hope, but fear not. This year during the RSA Conference, attendance was up. The attendees we spoke with, many of them from major corporations and government entities know that layers can have their faults and be exploited, but they refuse to give up.

They were in California last week to learn about how to better use what they already have in place, and how to augment their existing layers of defense with new tools and services in order to achieve stronger security.

AV-Test is reporting that as of March 2012, not even a week into the month, they have registered more than 60 million Malware samples. In February, they detected 600,000 new samples. Yet, despite their problems, the technologies that currently define a layered approach to security will stop all but a small percentage of those threats. They’ll stop them with signatures, behavioral detection, whitelisting, and blacklisting.

No matter what you have in place to defend a network or endpoint, it’s impossible for one product or method to do it all. Solid security is about a layered approach, but criminals know that if they play the numbers game, gaps within a network’s layered defenses can be compromised. So they develop malicious software on such a massive scale that signature-based defenses, the main source of many network protection programs, fail to keep up. This is where Lipman’s statement seems to come from.

One answer to this is to stop the reliance on signature protections and focus more on the other layers – such as behavioral and whitelisting. This is already happening as companies such as McAfee, Symantec, Sophos, and countless others move away from signatures and into layers of protection that incorporate whitelisting, behavior, and reputation. However, they still keep the signatures, because while old, they are useful.

The other answer, which came to us after talking to a security manager for a well-known pharmaceutical company, is risk assessment and management. On her network, the layered defenses were designed from the inside out. The most important assets (physical and informational) were protected first, and then other assets were segmented and protected as well.

Servers came first, starting with the databases and R&D farms; a layered approach to protection was created for these alone. After that, a network was created and secured with its own layered protection plan so that it could connect to the laptops, desktops, and other scientific equipment within the various labs.

The assets in the labs were also protected with their own layers of defenses. In between each node, there is yet another layer of protection. From there the other parts of the network outside of R&D, such as marketing, sales, and HR, were segmented, hardened, and protected with layers of their own.

It took years and a small fortune to scale their security program, she told us, but they had to do it. They wanted to do it. In the end, it was worth it and they’ve not had any major problems, but she knows it’s not enough. She wanted to see what more could be done, so she appeared at the RSA Conference (and talked to us on the condition that we not name her or the company she was with) alongside tens of thousands of others in the same position, who were willing to take up the fight and protect their networks.

If the layers of protection fail, and they will fail eventually, the reaction time of the security team, and the response plan that’s been developed by the organization is what counts. It can mean the difference between a major security incident and a minor one.

It’s interesting to note that our security manager friend was investigating SIEM. The goal for her trip was to see what was on the market that would allow her team to get more from their existing layers of defense and the massive amounts of data they collect, and to react faster if needed.

It actually made the cynic in us smile when she jotted the basic outline of her security posture on a napkin and explained where she wanted to go, because it means there is hope for IT security. At the end of the day, it was the best $9.00 we’ve ever spent on coffee, and it is why we stress that events like the RSA Conference are more about interacting with peers and people than they are about wandering a sales floor.
