With the variant types and levels of threats, the exponential growth in numbers of attempted attacks and the possibility that some threats are state sponsored, federal government security professionals that are responsible for the nation’s information must do everything possible to minimize the attack surfaces provided to our enemies. The days when a Firewall and an antivirus product provided security to our resources are long gone.

We must utilize a Defense-in-Depth strategy to minimize our vulnerabilities. Defense-in-Depth relies on a layered stack of defense technologies joined together into a mesh, that properly designed and implemented, can provide a high level of fortification for our enterprises. These layers have typically been comprised of products such as: Firewalls, DMZ’s. Intrusion Prevention Systems, encryption technologies, VPN’s and antivirus products. Stopping short of the goal of complete protection, our endpoints have been a particular problem for security professionals. For years, protection for our endpoints has been based on blacklisting antivirus products. We all know that blacklist based antivirus products have their shortcomings. Application whitelisting based products not only overcome the shortcomings of antivirus products, but add addition functionality that most antivirus products do not or cannot perform.

“Lockdown” application whitelisting is a technology that has been around for many years and has been successfully deployed in narrowly focused controlled environments such as SCADA systems and fixed function devices. Advanced Threat Protection, which encompasses application whitelisting as well as memory protection and trusted change mechanisms, has matured to the place where it is being deployed and successfully maintained in large enterprises, including the Federal Government.

Many of the new threat vectors take advantage of vulnerabilities that other portions of the Defense-in-Depth stack cannot defend against. As security professionals, we have seen many breaches over the last 16 months that have one thing in common: a user on an endpoint within the organization or its ecosystem (like a defense contractor). People make mistakes, and we have to protect them (and our organization) as best we can.

Social engineering techniques make it easy to get a person to make a mistake and set off a malware attack; it happens every day. Once an attack has started, the perpetrator wants to have some form of payload (malicious code) loaded onto the user’s machine or leverage it to other systems inside the network. IDS and antivirus providers do a decent job at stopping this threat as long as they have seen it in the past and have developed hash values for the known malware. What these providers cannot stop are the threats that are zero-day (never seen before malware) and memory based attacks. Memory based attacks happens when malware is loaded into memory space of an already running program and can be executed from there. These memory attacks (e.g., DLL injections, Reflective injections) are hard and almost impossible to detect. CoreTrace Bouncer has been able to detect and terminate many DLL type attacks for some time. CoreTrace also has a patent pending process that can to detect and stop the Reflective Injection type payload. (Please see my colleague, Greg Valentine’s, video demonstrating the attack and how Bouncer stops it.)

We security professional must combine our tools and techniques into a successful formula in order to provide security for our enterprise and compliance with the regulations.

My Formula for Continuous Monitoring and Control.

(FW + DMZ + HIPS/NIPS + Crypto +VPN + AV + AC/AW) * SOC/NOC/Reporting
Event Mitigation

The first part of the formula: (FW + DMZ + HIPS/NIPS + Crypto +VPN + AV + AC/AW) is the portion that is your Defense-in-Depth mesh woven together in part or in whole by your security team.
The second part of the formula: * SOC/NOC/Reporting is the daily monitoring of events that occur within each and every security product within your domain; hopefully, correlated together into some manageable form via a SOC, NOC or reporting mechanism.

STOP!!!

For us to be compliant with the Continuous Monitoring regulations in FISMA we are done, right? Well yes, you can stop here and be compliant under the mandates, but have you accomplished real security in your relative domain or are you just filling out paperwork? If you stop here, you are doing yourself and this nation a disservice. The gist of the FISMA requirements are that the agencies must do monthly reporting of inventory assets, as well as the continuous monitoring and reporting of security controls. The key here is that the regulations mention security controls and do not mention security threats. This is where we must go above and beyond the letter of the law to truly perform our duties. So, please, by all means, do the paperwork, follow the regulations, but don’t stop there.

GO…

The final part of the formula: Event Mitigation is where the rubber meets the road, where you take action and move towards fixing the issues that have been uncovered. Without mitigation of the issues, you have not achieved real security. Vindicate yourself, your team and your organization. Grab the Grail…

Most security professionals today know that CoreTrace Bouncer provides advanced threat protection based on its adaptive application whitelisting technology. But Bouncer goes well beyond simple whitelisting–including extensive memory protection capabilities.

At CoreTrace, we believe actions are always better than words. So I recorded a video that shows how an attacker would use Reflective Memory Injection to compromise a victim computer, then demonstrates how Bouncer automatically prevents the attack.

Take a look and feel free to let me know if you have any questions.

Corporate executives are not the only ones that want data moved into the Cloud. Since your organization has valuable information, you have APTs that will work hard to steal it. Your APTs want you to move away from your own tightly controlled physical environment to one in the Cloud—where your data can be at risk in a variety of ways, including from attacks that began by attacking hosted systems owned by other organizations.

Please join Steve Pate, founder and CTO of High Cloud Security, and Daniel Teal, founder and CTO of CoreTrace, for an interactive webinar designed to help you understand the risks and learn how to protect your data at each step in the evolution from physical systems in your network to guest systems in the Public Cloud.

Given their extensive security backgrounds and first-hand experience in Cloud migrations, Steve and Dan are the perfect experts to facilitate this discussion and to do it a different way than a simple, one-way webinar. Please join us to hear the gentlemen’s thoughts on the following topics:

During the session, the panelists will discuss:

The evolutionary steps organizations are taking from physical systems, through Private Cloud infrastructures and ultimately to Public Cloud implementations.

The security and operational challenges that occur at each step.

Why traditional, reactive endpoint security offerings are ineffective against today’s attacks and increasingly inappropriate for each step in the Cloud evolution.

How modern solutions like application whitelisting and virtual machine (VM) encryption and encapsulation provide unparalleled, advanced protection of your data—seamlessly migrating with your systems through each evolutionary step.

The webinar will be held on Tuesday, February 21st, at 2:00 p.m. EST/11:00 a.m. PST.

Continue to Registration

Please join an expert panel, led by Joel Langill, President of SCADAHacker.com, for an interactive discussion about the future of critical infrastructure attacks and how to effectively combat them. Mr. Langill will be joined by Walter Sikora, Vice President of Security Solutions at Industrial Defender, and Selim Nart, Vice President of Professional Services at CoreTrace.

During the session, the panelists will discuss:

The future of malware attacks: targeted, purpose-built blended threats that easily bypass traditional antivirus, e.g., Stuxnet.

Why traditional, reactive endpoint security offerings are ineffective against modern malware and exploits.

The future of industrial endpoint security: proactive, defense-in-depth protection powered by application whitelisting.

Case Study: How one organization went beyond simple “check box” compliance to truly increase the overall security of its critical infrastructure.

The webinar will be held on February 16th at 2:00 p.m. EST/11:00 a.m. PST.

Continue to Registration

BREAKING NEWS: “Endpoint Security Earthquake Hits: McAfee Actively Endorses Application Whitelisting. Magnitude & Ramifications Are Significant.”

This week, McAfee, one of the two dominant forces in reactive, blacklist-based endpoint security, actively and unequivocally endorsed Application Whitelisting. Ironically, in hard coverage of Symantec’s recent problems with pcAnywhere, the industry is actively recommending application whitelisting too.

First, let’s cover the major quake: McAfee’s active endorsement of application whitelisting—for corporate desktops and laptops. In a series of videos on the popular video sharing site, YouTube, McAfee joins CoreTrace in educating the market about the shortcomings of traditional blacklist-based solutions, the advantages of application whitelisting, and McAfee Application Control’s purported advantages (most of which are unique compared to other whitelisting solutions but are not unique compared to CoreTrace (e.g., trusted change and memory protection)). You can view the initial video here here . While you are at YouTube, make sure to check out CoreTrace’s video channel too.

While CoreTrace has successfully competed with our friends from McAfee on application whitelisting projects on fixed function systems (e.g., critical infrastructure, POS terminals, servers), the antivirus giant has never publically announced that whitelisting can and should be used on corporate desktops and laptops—until now. In the introductory video, McAfee senior product manager Swaroop Sayeram directly states: “Simplistic whitelisting might fit just fixed function systems… Dynamic whitelisting is a great fit for servers… and it is now a good fit for corporate desktops as well. These days, most of the deals we are seeing are to secure servers and corporate desktops.”

Second, let’s cover the story of the related tremors: The industry’s recommendations to utilize application whitelisting to solve problems like those created by Symantec’s pcAnywhere code theft. While Symantec’s own advisory to pcAnywhere users only includes its boilerplate old-school recommendations, experts throughout the industry are recommending whitelisting as one of the main solutions. As an example, as a part of his recommendations in a FoxNews.com interview , Anup Ghosh, founder and CEO of Virginian security firm Invincea, told FoxNews.com “Businesses should deploy application ‘whitelisting.’ This will prevent unauthorized malware from running on computers.”

So, McAfee has dramatically shifted the endpoint anti-malware landscape. Now the question is, with the ground shifting beneath its feed, what will Symantec do? Stay tuned for future coverage of this developing story…