Monday, February 27, 2012

RSA Conference: In It to Win It with Sourcefire!

RSA Conference is a busy time for the IT security industry, driving conversations, handshakes, publicity and even just plain fun.  We look forward to seeing many of you, but for those not attending but tracking the conference on Twitter and Facebook, let's connect there. We want to make sure our friends on-site and off-site feel like part of the Sourcefire fun at the show. 

For those at the show, keep your eyes peeled on our Twitter feed -- and if you do not follow us yet, find us at @sourcefire.  On Tuesday and Wednesday of this week, we will give two lucky winners each day a $100 American Express gift card for being the first to have "checked in" (#2552 on the show floor) with a picture of our booth. And since you'll be monitoring our Twitter feed, you will know when to snap the booth picture. Of course, extra brownie points if Snorty is involved.  And do not forget to use the #sourcefire hashtag so it stands out in the Twitter stream.  If you are not on site and see our Tweet and know someone who is present, send them a quick text to grab a pic and maybe they will share the $100.
 

Here is one for those who have left their heart in San Francisco who may not be at #RSAC.  Snorty will take advantage of the week at the conference but also do a bit of tourism - he is adventurous, after all.  We will post Facebook pictures of Snorty around San Francisco to our Facebook page Tuesday, Wednesday and Thursday. Those who share the correct location in a Facebook comment in the first hour after posting will have a chance to win a $100 gift card.  

For both the Twitter pictures and Facebook photos, we will select winners at random from all participants and notify them after RSA Conference.

See you at booth #2552 or online!

Next-Generation Network Security: An Evolution [INFOGRAPHIC]

Today Sourcefire announced its Next-Generation Intrusion Prevention Systems (NGIPS) with integrated granular application control. This is the world's first NGIPS that incorporates real-time contextual awareness and full-stack visibility, together with intelligent security automation and granular application control. These are all critical components of gaining an Information Superiority advantage for network security.

To celebrate this milestone, we created the below infographic that illustrates the journey of Next-Generation Network Security from the inception of Snort to where we are now. Enjoy.
 

Friday, February 24, 2012

Would you like some malware with your recovery? (DATA)

One of the core tenets of Sourcefire's FireAMP product, introduced just one month ago now, is unmatched visibility - specifically with a focus on how malware was introduced, when it got there, and how it spread COMBINED with the ability to remove it. It's unusual to see these capabilities in a single product when looking at the Advanced Malware Protection space - common practice until now has been to rely on new network appliances for malware analysis (that cannot remediate), and endpoint-based forensic tools for advanced malware removal (that cannot detect).  That means introducing two entirely new technologies into your enterprise for the same purpose - one on the network and one on the endpoint.  That seems daunting and a little impractical.

This kind of disjointed solution begets a lack of visibility. A black box approach combined with a blind update and scan philosophy simply does not allow you to see how malware is being introduced.  You can't see how the malware got in, and if it wasn't detected during the initial infection, chances are that you won't see it being backed up or restored either.  With this cycle, it doesn't take much effort for a threat to stay persistent.

There are two specific problems with the separation of analysis and remediation:

  1. Threats change and morph once they enter an environment. Consider one of many spy or thriller movies where characters disguise their appearance to evade those after them (Mission Impossible, In the Line of Fire, Bourne Ultimatum, Salt, etc.). Take Jason Bourne, for example: he may come into your environment looking one way, but once he's in he changes his appearance and will not be spotted again. If you no longer know what you're looking for, you can't protect yourself against it.
  2. Once you're infected, you're infected. After the fact visibility doesn't do you any good. It's the equivalent of getting a traffic report that alerts you to the gridlock that you're already sitting in.

Suffice to say, true advanced malware protection needs to be able to address both of these issues, among others.

I have mentioned a couple of downsides of using disjointed solutions. On the flip side, there are many upsides of integrating advanced malware protection technologies into a single product. First, the two issues listed above are no longer issues. You can have visibility and control over malware in your environment because you have the necessary information about the malware (patient zero, how the malware got in, its trajectory, how it behaves, among others) and the capabilities to use that information for remediation.

Second, with a combined philosophy and by integrating advanced malware protection technology in a single product, we can start to make some pretty interesting observations. One of the more interesting ones is the pollution of system backups by malware - something that happens more often than we think. We looked at some of the data collected across our more than 2 million user population in just one month and can see a number of popular backup applications routinely used to back up and restore malware.

When traditional anti-malware defenses fail, malware is inadvertently introduced into an organization's backups. When users restore their systems with the hope of recovering from an infection, they get infected all over again. With antivirus efficacy rates persisting at less than 50%, this situation is becoming increasingly common - and it's incredibly risky for enterprises whose users are asked to do back-ups and then reconnect to the network. Some have talked about this happening anecdotally over the years, but until now it was hard to quantify where and when this happens.

The examples below show how many times each application was used to back up and restore threats. These examples are from systems that are using traditional anti-malware solutions and where Sourcefire's technology has been installed once an infection has already taken place.  It is then able to observe and block threats from being restored.

  • 17,705 threats restored - Dropbox (Well known cloud Backup service)
  • 5,076 threats restored - MaxSync (Maxtor Backup and Restore)
  • 165 threats restored - SyncBack (2BrightSparks Free Backup Software)
  • 104 threats restored - FreeFileSync (Free File Comparison and Synchronization Software)

This shows us some very interesting behavior.  First, we can confirm that threats are bypassing existing defenses AND then being backed up.  Secondly, after these threats have polluted system backups they would have been restored right back onto the previously infected computer had they not been detected.  This illustrates the importance and value in monitoring the full trajectory of threats on the endpoint.

The intelligence gathered from FireAMP's visibility does not end here. For more, read Dr. Zulfikar Ramzan's ongoing series on malware droppers by geography.

Thursday, February 23, 2012

Big Data and Security: Expert Panel at RSA Conference

By 2020, EMC Greenplum estimates that the world will have some 35 trillion gigabytes of electronically stored data -- what amounts to a forty-fold increase from 2009. This is Big Data, for sure. Moreover, McKinsey Quarterly notes that in 15 of our economy's 17 sectors, companies with more than 1,000 employees store on average more data than the Library of Congress. McKinsey also mentions, perhaps not so surprisingly, that academic research suggests that companies using Big Data to guide decision making are more productive and have higher returns on equity.

The potential of Big Data is so impressive that the topic was discussed recently at the World Economic Forum in Davos. Davos has discussed how to harness and put Big Data to use for societal good. However, Big Data can also be put to use for other pressing global issues - such as protecting against global cybersecurity threats. This is why an upcoming discussion on "Big Data and Security: The Rules Have Changed" at RSA Conference in San Francisco is so critical.

Derrick Harris of GigaOM has come to the conclusion that Big Data and security may in fact be "soulmates," but could this be?  Is big data technology ready to stand up to IT security prime time? Bill Brenner of CSO Magazine, who will moderate the discussion, has already begun mulling over the topic on his blog, here.

Bill Brenner will be joined by Sourcefire's chief architect, Adam O'Donnell; Andrew Jaquith of Perimeter E-Security, who also authored his own take on the topic; John Adams from Twitter; and Rich Mogull of Securosis.

For those attending RSA Conference in San Francisco this year, please join us at the session in room 301 at 3:50 pm on Tuesday February 28 where the discussion will continue.

Wednesday, February 22, 2012

Information Superiority as an Enabler of Continuous Capability

Recently we at Sourcefire have been doing a good deal of talking publicly about our ideas around Information Superiority. The concept is not particularly difficult – the basic idea is that network security is a battle that is fought around who can bring superior intelligence to bear on network and device security problems. The goal of an attacker is to gain local Information Superiority – leveraging knowledge of an exploit, default password, topological flaw, etc. – to access a defender’s network or devices. A defender’s job is much more difficult because there is so much to know about modern network environments and they change so rapidly. The fundamental security problem that many defenders face is not securing their environment but gaining sufficient understanding of what they’re protecting and how it’s arranged so that they can begin the continuous process of securing it as it evolves.

The traditional methods of network and asset discovery have been ill-suited to Information Superiority requirements because the scope of their operation is transient. For example, one of the chief network discovery methods used by many security vendors is to use active scanners to interrogate the environment for devices and their configuration which is then followed by more in-depth port scanning and credentialed access to form a picture of the network’s composition. The problem with this method of collection for the purposes of Information Superiority is that it only produces a picture at a moment in time. Further evolution of the environment is unknown until the next discovery scan and changes that run their lifecycle between scans are completely unknown.

In the traditional model of security this results in poorly configured security infrastructure, reduced protection and an increase of false positives (noise) as well as false negatives (missed attacks). At Sourcefire, we pioneered continuous network discovery using our RNA and, later, RUA technologies (now FireSIGHT) almost 10 years ago as a counter to this fundamental weakness in many security models, and it has led to objectively improved results. With the acquisition of Immunet last year we significantly increased the level of awareness that we brought to the security equation due to its vantage point on the network and continuously updated telemetry about security-interesting events on devices. At the point that I really understood what we could bring to the table in terms of increased awareness I came up with the term “Information Superiority” to describe where we were headed with it and why I thought it was important.

There is another side of the problem as well that has only become apparent to me recently.

If you look at the vast majority of “blocking” products (IPS, FW, NGFW, AV, etc.) that are available today, what you will see are technologies whose opportunity to provide protection is transient in nature. An IPS only blocks an attack when it is in progress and has no follow-on capability if the attack definition isn’t in its signature library. An anti-virus system acts in much the same way. Firewalls, too. Even many of the new network-based client-side malware prevention systems are the same – except they have the ability to discover previously unseen attacks themselves (after letting the initial attack go through in many cases).

The problem with this approach is that the security technology only has one chance to do the right thing, after which point it has no ability to do anything about the attack or its after-effects. A good recent example of this is many of the newer network-based client-side malware protection technologies that are on the market. Frequently these technologies rely on methods like sandboxing or other binary analysis techniques to do their jobs, and in many cases when they see a novel piece of content they analyze it out-of-band after letting the content continue on its merry way to its recipient. If an attack is missed it’s gone; these systems have no ability to keep track of “what happens next”. In the case of modern advanced malware the problem with this approach should be self-evident: that initial foothold is all that’s required to become deeply embedded in the environment and then mutate and spread.

As the Immunet technology was turned into what has become FireAMP, our advanced malware protection solution for enterprises, it has occurred to me that we might be on to something that’s almost entirely new in our industry. FireAMP has a number of really interesting features and capabilities but the one really strategic thing that it’s doing that I don’t think I’ve ever seen before is providing Continuous Capability. What’s that and what’s it got to do with Information Superiority? Let me explain.

FireAMP contributes to our overall Information Superiority picture by providing us with insight into the devices in a network environment and the executable content on those devices. Over time we gain a very detailed picture into what’s in an environment and what it’s doing since part of it is resident on the devices in the network and generating continuous telemetry that is received by our FireCLOUD infrastructure. The other side of the coin is that FireAMP also provides the ability to control and quarantine content on a device. Not only can we do that, we can do it at any time based on information that the operator of the product has available.

What does this mean? It means that FireAMP can detect and block advanced malware attempting to execute in an environment if it’s recognized as being hostile. However, if it’s not recognized via the automated detection engines in FireCLOUD and enters the environment its every action is still tracked and the full suite of response available from the FireAMP technology is available at any time. FireAMP never loses visibility of the content and is also tracking all of its actions continuously. This enables the user to respond comprehensively across the entire deployed FireAMP infrastructure at any time – users can clean up not just an initial infection but every mutation and additional piece of malware that it deployed in the user’s environment.

This is what I’m calling Continuous Capability, the ability to respond comprehensively and systemically across a deployed security infrastructure and it relies on Information Superiority in order to work. It is made possible because FireAMP has continuous visibility and tracking of activities by malware (and everything else) at the device-level of a network. Once continuous and comprehensive visibility is attained, Continuous Capability becomes possible.
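As an added illustration of the Continuous Capability idea above (and of the backup-restore observations in the "malware with your recovery" post), here is a small trajectory store that records every file event, applies a later verdict retrospectively across all hosts, tallies which parent processes dropped the file, and flags copies written back by backup/sync tools. This is example code, not Sourcefire's or FireAMP's own implementation or data model; the hashes, hostnames, paths and event stream are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass

# Backup/sync tools named in the post above, matched case-insensitively
# against the parent process of a file-create event (constructed mapping).
BACKUP_TOOLS = {"dropbox.exe", "maxsync.exe", "syncback.exe", "freefilesync.exe"}


@dataclass(frozen=True)
class FileEvent:
    ts: int        # seconds since epoch (constructed)
    host: str      # endpoint that reported the event
    sha256: str    # hash of the file (placeholder values below)
    path: str      # where the file landed
    parent: str    # process that wrote the file, i.e. the "dropper"


class Trajectory:
    """Keeps every file event so a later verdict can be applied retrospectively."""

    def __init__(self):
        self.events = []
        self.verdicts = {}          # sha256 -> "malicious"
        self.quarantined = set()    # (host, path) pairs already contained

    def observe(self, ev):
        """Point-in-time decision: block only if the hash is already known bad."""
        self.events.append(ev)
        if self.verdicts.get(ev.sha256) == "malicious":
            self.quarantined.add((ev.host, ev.path))
            return "blocked"
        return "allowed"

    def convict(self, sha256):
        """Later intelligence update: revisit every prior sighting of the hash."""
        self.verdicts[sha256] = "malicious"
        sightings = [e for e in self.events if e.sha256 == sha256]
        for e in sightings:
            self.quarantined.add((e.host, e.path))
        return sightings

    def dropper_tally(self, sha256):
        """Which parent processes introduced the file (a dropper ranking)."""
        return Counter(e.parent for e in self.events if e.sha256 == sha256)

    def restores(self, sha256):
        """Sightings written by a backup/sync tool: the file came back from a backup."""
        return [e for e in self.events
                if e.sha256 == sha256 and e.parent.lower() in BACKUP_TOOLS]


# Constructed telemetry: an unknown file lands via a browser, is synced to a
# second machine, and is later restored onto the first machine from a backup drive.
BAD = "sha256-placeholder-0001"
SAMPLE_EVENTS = [
    FileEvent(100, "hostA", BAD, r"C:\Users\alice\Dropbox\keygen.exe", "iexplore.exe"),
    FileEvent(160, "hostB", BAD, r"C:\Users\bob\Dropbox\keygen.exe", "Dropbox.exe"),
    FileEvent(400, "hostA", "sha256-placeholder-0002", r"C:\tmp\notes.txt", "notepad.exe"),
    FileEvent(900, "hostA", BAD, r"C:\Restore\keygen.exe", "MaxSync.exe"),
]


def run_scenario():
    t = Trajectory()
    first_pass = [t.observe(e) for e in SAMPLE_EVENTS]   # nothing is known bad yet
    sightings = t.convict(BAD)                            # verdict arrives later
    # A restore attempt after conviction is stopped at the point of entry.
    late = t.observe(FileEvent(950, "hostC", BAD, r"C:\Users\carol\Dropbox\keygen.exe", "Dropbox.exe"))
    return {
        "first_pass": first_pass,
        "hosts": sorted({e.host for e in sightings}),
        "droppers": t.dropper_tally(BAD),
        "restore_count": len(t.restores(BAD)),
        "quarantined": len(t.quarantined),
        "late": late,
    }
```

Every sighting was allowed on first pass; once the hash is convicted, all four copies on three hosts are quarantined, three of them traceable to backup/sync tools, and the next restore is blocked outright.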

The next frontier of these ideas should be explored at the network level. Today IDS/IPS and Firewalls/NGFW provide a lot of the control mechanisms for the comprehensive, systemic response to identified hostile activity, but the telemetry stream isn’t there in a timely fashion because we’re working on pure rule-based and signature-driven models instead of activity-driven telemetry collection and analysis as the foundation of rule/signature models. If the engineering problems are worked out then perhaps someday network-based security technologies will also offer Continuous Capability.

Monday, February 20, 2012

Chris Peterson - 2012 CRN Channel Chief

Sourcefire is very pleased to share the news that Chris Peterson, our Senior Vice President of Worldwide Channels, Services, and Support, has been named a 2012 Channel Chief by CRN Magazine. Chris calls on more than 20 years of experience in channel and sales management in his role in which he assumes overall responsibility for Sourcefire's worldwide channel programs.

CRN’s list of Channel Chiefs is a prestigious group of the most influential and powerful leaders in the IT channel. The list recognizes those responsible for driving channel sales and growth within their organization, while evangelizing the importance of the channel throughout the entire IT industry. The reasons why Chris made the cut this year are numerous – but all demonstrate that Chris puts our partners first.

In the past year, Chris directed the rollout of Sourcefire’s new Agile Security vision to the partner community. This is vital for partners so they are armed with not just strong products, but also a strategic vision that will allow them to grow their businesses. With this, they can solidify their role with clients as strategic advisers who consult around the key tenets of Agile Security to keep their clients' businesses profitable and secure—not merely standing up boxes for them.

Sourcefire has never viewed channel communications as a one-way street. This is why Chris spearheaded the creation of our global series of Partner Advisory Council meetings for new and existing partners to garner their feedback on product strategy, direction and the program itself. We rely on partners to provide input and feedback in Council discussions to gain insight into the issues they face so we can further tailor our offerings to their needs and concerns.

CRN selected this ninth year of Channel Chief winners based on channel experience, program innovations, channel-driven revenue, and public support for the importance of IT channel sales. As we have seen, Chris has shined in all of these areas.

To read more, see CRN Magazine’s online section on this year’s winners at www.crn.com. Please join us in extending a hearty congratulations to Chris.

Friday, February 17, 2012

Who Is the Real Security Engineer?

James Bond, MacGyver, or somebody locked in a dark room with a computer? Let us know who you think the real security engineer is. If you know somebody who may have an opinion, please share.

Thursday, February 16, 2012

Agile Security - The VRT Perspective

Sourcefire's Vulnerability Research Team (VRT) spends most of its time examining the latest in hacking, intrusions, malware and vulnerabilities. The VRT is more familiar than anybody with the fact that security environments undergo constant change, necessitating a very dynamic approach to security - which is how Sourcefire's Agile Security vision came about. Matthew Olney of the VRT offers his own take on Agile Security, from the perspective of someone heads down day-to-day on real security issues.

Truth be told, the VRT is a rather pragmatic bunch when it comes to security - the less spin, the better. With this being the case, please have a quick read of the VRT's take on Agile Security in the real world.

Wednesday, February 15, 2012

Are IPS and NGIPS the same? Introducing Next-Generation Network Security 'Fact or Fiction?'

Today's post introduces a video series called "Next-Generation Network Security: Fact or Fiction?" that will be shared over the course of the coming months. In the series, we will showcase brief videos that examine debates germane to the security industry with topics from network security appliances to what advanced persistent threats (APTs) really are. Each video will ultimately reach a conclusion that determines whether the proposition is fact or should be written off as fiction.

In our first installment, vice president of security strategy Jason Brvenik examines whether or not intrusion prevention systems (IPS) and Next-Generation IPS (NGIPS) are one and the same. Are there fundamental technology differences between the two? Hear what Jason has to say and let us know what you think.



Sunday, February 5, 2012

Sourcefire FireAMP: AMPlify Your Security! [Video]

FireAMP from Sourcefire is an enterprise malware analysis tool that analyzes and blocks advanced malware. FireAMP has many attributes, such as file trajectory, outbreak control, retrospective remediation, and so on, but is also lightweight and about 1/3 the size of traditional anti-malware solutions. The comparison, as evidenced by this video, is stark. For more information, visit http://www.sourcefire.com/FireAMP.

Thursday, February 2, 2012

Droppers from Around the World: United States

One amazing capability that we get from both our FireAMP (Advanced Malware Protection) enterprise product as well as its consumer counterpart, Immunet, is the ability to get insight into how malware arrives on a given system; i.e., how it was “dropped.”

I decided to take a cross section of this data, and segment it geographically, so we could identify trends related to how malware arrives across different endpoints.

I’ll start by talking about data from the United States, and in subsequent blog entries, will touch upon other countries.

The most common malware dropper in the United States is winlogon.exe, which is a common target for malware. That is, malware essentially injects itself into this application.

In terms of web browsers, Internet Explorer was the most popular malware dropper (in order of number of malware instances seen from that browser) followed by Google Chrome, and then Firefox. The version of Internet Explorer associated with the most malware downloads is 9.0.8112.16421.

In these cases, users were likely socially engineered into getting infected (i.e., they followed a malicious link and downloaded/executed a threat) rather than the attacker exploiting a web browser vulnerability.

The fourth most popular dropper is Dropbox.exe (version 1.0.0.1), suggesting that people have malware in their Dropbox folders (in large numbers). It appears that in many of these cases people have assorted key generators and similar cracking tools in their Dropbox folders. This particular example is interesting because these types of file syncing applications have become popular only in the last year or two. Because they can be used to share software applications, it should come as no surprise that they are peppered with malware.

Finally, the seventh most popular dropper is MaxSync.exe (version 5.0), which is associated with Maxtor Hard Drives – suggesting that people have been infected, and that the infection has affected their back-up drive as well (so that whenever they sync, the malware finds itself back on the system). While backing up data is generally a good practice, there may still be some risks involved!

In terms of actual threats, the three most popular are W32.ET.mywebsearch, W32.Agent, and W32.Clam.Adware.ShopAtHome-3. These threats are largely those that affect search and advertisements – further suggesting that consumerism needs to breed caution.