RSAC 2012: Malware growth and why layered security is still king

Last week during the RSA Conference, there was plenty of talk about growth. The vendors talked about growth in their client base, and some attendees discussed growth in new business and networking initiatives. Yet, during the same week, the number of malicious applications hitting the Web grew as well, to the tune of nearly 200,000 unique Malware samples.

While the security heavyweights were showing their latest advances to the crowds at the RSA Conference, criminals were doing what they do best – production. As mentioned, there was plenty of talk about growth; some vendors even announced acquisitions during RSA. But there was tremendous growth in the Malware world as well.

Using AV-Test as a guide, more than 200,000 unique Malware samples were created last week. The only reason for their existence is exploitation. Most of those newly created malicious samples will exploit software and application vulnerabilities. Others may have a much darker purpose.

But no matter what, the Malware’s goal is to compromise a system in order to leverage it as part of a botnet or offer the criminal using it a backdoor into the network. After that, the target is information. Be it corporate, financial, or personal, in the criminal world of today, information is worth its weight in gold. An entire criminal economy exists in order to buy, sell, and trade stolen information.

“Despite the industry’s vast resources and market capitalizations, the cybercriminals are working better, faster and cheaper each year to exploit the weaknesses in our current approach to security,” stated Paul Lipman, chief executive officer of Total Defense.

Based on the press release issued before the RSA Conference, he is talking about the use of signatures and other methods within anti-virus and other endpoint protection offerings, and how they fail to keep up with the criminals’ continuous Malware development.

“If the local police had the same abysmal record, they would be run out of town. The data speaks for itself. The cybercrime era demands a new approach that makes it easier for businesses and consumers to protect themselves,” Lipman added.

He has a point, but the question is one of how.

It is easy to state that signature usage on an IPS, IDS, or AV program is the wrong approach, but much harder to suggest an alternate method that can’t be compromised by an enterprising criminal. The security world’s elite have wrestled with this problem for decades.

Behavioral detections are a positive step, but they too have their faults, such as false positives or policy implementations that follow the end user’s direction. (If the user says the application is valid, no matter what action the application takes, it will be allowed by the behavioral engine.)

Whitelisting/blacklisting is another great advancement that has emerged over the years, but the downside here is that it requires the security system or vendor to maintain a massive repository of legitimate application signatures in order for the solution to remain useful.

Another whitelisting/blacklisting approach, where only the applications allowed by policy can be activated on a given system, often runs into productivity issues within a business. This in turn means that such policies are often incorrectly implemented and left in an overly permissive state in order to appease an organization’s staff.

At this point, the doom and gloom may make you want to punch something. It seems like there is no hope, but fear not. This year during the RSA Conference, attendance was up. The attendees we spoke with, many of them from major corporations and government entities, know that layers can have their faults and be exploited, but they refuse to give up.

They were in California last week to learn about how to better use what they already have in place, and how to augment their existing layers of defense with new tools and services in order to achieve stronger security.

AV-Test is reporting that as of March 2012, not even a week into the month, they have registered more than 60 million Malware samples. In February, they detected 600,000 new samples. Yet, despite their problems, the technologies that currently define a layered approach to security will stop all but a small percentage of those threats. They’ll stop them with signatures, behavioral detection, whitelisting, and blacklisting.

No matter what you have in place to defend a network or endpoint, it’s impossible for one product or method to do it all. Solid security is about a layered approach, but criminals know that if they play the numbers game, gaps within a network’s layered defenses can be compromised. So they develop malicious software on such a massive scale that signature-based defenses, the main source of many network protection programs, will fail to keep up. This is where Lipman’s statement seems to come from.

One answer to this is to stop the reliance on signature protections and focus more on the other layers – such as behavioral and whitelisting. This is already happening as companies such as McAfee, Symantec, Sophos, and countless others move away from signatures and into layers of protection that incorporate whitelisting, behavior, and reputation. However, they still keep the signatures, because while old, they are useful.

The other answer, which came to us after talking to a security manager for a well-known pharmaceutical company, is risk assessment and management. On her network, the layered defenses were designed from the inside out. The most important assets (physical and informational) were protected first, and then other assets were segmented and protected as well.

Servers came first, starting with the databases and R&D farms; a layered approach to protection was created for these alone. After that, a network was created and secured with its own layered protection plan, in order for it to connect to the laptops, desktops, and other scientific equipment within the various labs.

The assets in the labs were also protected with their own layers of defenses. In between each node, there is yet another layer of protection. From there the other parts of the network outside of R&D, such as marketing, sales, and HR, were segmented, hardened, and protected with layers of their own.

It took years to scale their security program, and a small fortune as well, she told us, but they had to do it. They wanted to do it. In the end, it was worth it and they’ve not had any major problems, but she knows it’s not enough. She wanted to see what more could be done, so she appeared at the RSA Conference (and talked to us on the condition that we not name her or the company she was with) alongside tens of thousands of others in the same position, who were willing to take up the fight and protect their networks.

If the layers of protection fail, and they will fail eventually, the reaction time of the security team and the response plan the organization has developed are what count. They can mean the difference between a major security incident and a minor one.

It’s interesting to note that our security manager friend was investigating SIEM. The goal for her trip was to see what was on the market that would allow her team to get more from their existing layers of defense, and the massive amounts of data they collect, and react faster if needed.

It actually made the cynic in us smile when she jotted the basic outline of her security posture on a napkin and explained where she wanted to go, because it means there is hope for IT security. At the end of the day, it was the best $9.00 we’ve ever spent on coffee, and why we stress that events like the RSA Conference are more about interacting with peers and people than they are about wandering a sales floor.
