<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" version="2.0">

<channel>
	<title>Bit9 Blog</title>
	
	<link>https://blog.bit9.com</link>
	<description>The Leader in Trust-based Security</description>
	<lastBuildDate>Thu, 23 May 2013 20:57:22 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/Bit9Activity" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="bit9activity" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">Bit9Activity</feedburner:emailServiceId><feedburner:feedburnerHostname xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">http://feedburner.google.com</feedburner:feedburnerHostname><item>
		<title>10 Dangerous Cyber Security Oversimplifications</title>
		<link>https://blog.bit9.com/2013/05/23/10-dangerous-cyber-security-oversimplifications/</link>
		<comments>https://blog.bit9.com/2013/05/23/10-dangerous-cyber-security-oversimplifications/#comments</comments>
		<pubDate>Thu, 23 May 2013 19:53:32 +0000</pubDate>
		<dc:creator>Dan Brown</dc:creator>
				<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[endpoint and server security]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[server security]]></category>
		<category><![CDATA[whitelist]]></category>
		<category><![CDATA[Whitelisting]]></category>

		<guid isPermaLink="false">https://blog.bit9.com/?p=4098</guid>
		<description><![CDATA[Humans are generally bad at assessing risk realistically, and their tacitly held security models are often skewed. Oversimplification is often the cause. Challenging some of these assumptions may invite controversy, but mindlessly accepting the conventional wisdom is far worse. It... <a href="https://blog.bit9.com/2013/05/23/10-dangerous-cyber-security-oversimplifications/">Continue Reading</a>]]></description>
				<content:encoded><![CDATA[<p><a href="https://blog.bit9.com/wp-content/uploads/2013/05/All-Your-Base.png"><img class="size-medium wp-image-4099 alignright" alt="All Your Base" src="https://blog.bit9.com/wp-content/uploads/2013/05/All-Your-Base-300x225.png" width="300" height="225" /></a>Humans are generally bad at assessing risk realistically, and their tacitly held security models are often skewed. Oversimplification is often the cause. Challenging some of these assumptions may invite controversy, but mindlessly accepting the conventional wisdom is far worse. It may be worthwhile to think about whether the following defensive assumptions would fit equally well in the offensive column and vice versa.</p>
<h1><b>Defensive Oversimplifications</b></h1>
<p><b>1. Attackers Have Infinite Resources</b></p>
<p>This is an oft-heard mantra, but &#8220;<a href="http://www.phrases.org.uk/meanings/264500.html">that way madness lies</a>.&#8221; If attackers have infinite resources, there is no obscure nook or cranny in your defenses through which they have not yet wormed their way. Basically they’re the Matrix, and there’s nothing you can do to get out. Taken to its logical extremes, it would lead to defeatism, but most often it leads us to spend resources fighting attacks that are unlikely at best, and completely unrealistic at worst. Attackers’ resources are finite, and we absolutely must exploit this fact if we are ever to turn the tables. The sad reality is that currently we make it so easy for them, that it makes them appear to be almost omnipresent.</p>
<p><b>2. Security Control &#8216;X&#8217; Will Make My Organization Secure</b></p>
<p>Controls do not provide security. They provide tools through which security gaps may be more readily addressed. Humans are the cause of most security gaps, but humans are also the best weapon we have to address these gaps. All controls can be deployed well or poorly, monitored sufficiently or insufficiently, and interpreted correctly or incorrectly. Humans make the difference.</p>
<p><b>3. Security is a Goal to be Reached</b></p>
<p>Security is not a goal to be reached. At any time, choices can be made that undermine the state of security in which you believe your organization to be operating. Security is better thought of as an infinite series of forks in the road; a never-ending set of choices to be made, each either incrementally addressing or causing security gaps. Security is about making the right choices more often than the wrong ones.</p>
<p><b>4. Security can be “Bolted On”</b></p>
<p>Security is a fundamental consideration in information systems. Adding layers of security on top of systems that are fundamentally insecure is doomed to failure. An important corollary is one that Dan Geer references in his talks, which is that even just <em>composing</em> two secure systems may result in a system that is insecure. Certainly then composing an insecure system and a secure system is at least as likely to result in an insecure system.</p>
<p><b>5. My Organization is not at Risk</b></p>
<p>This is the most dangerous assumption of all. While attackers do not have infinite resources and are not omnipresent, they are sophisticated and have very good intelligence capabilities. If your organization has something that would be of value to an attacker (and most do), it is far safer to assume you are at risk than to ignore that risk.</p>
<h1><b>Offensive Oversimplifications</b></h1>
<p><b>6. Security through Obscurity is Worthless</b></p>
<p>This is one of the most pernicious assumptions on the offensive side, most often espoused by those in the business of finding exploitable software flaws or penetration testing. Those put in the position of having to defend organizational networks understand that the practice of security is more nuanced. Using an ad absurdum argument, if security through obscurity were worthless, there would be no point in patching vulnerable software. It costs time and budget to find software flaws. This is evidenced by the fact that we see far more exploitation of known vulnerabilities than unknown ones. If we were, today, to eliminate all known vulnerabilities in one fell swoop, such that the only opportunity to exploit software was through new 0-days, successful incursions would immediately drop precipitously. Discussing how significant obscurity is to virtually all of security could be a blog topic in itself.</p>
<p><b>7. A Single Vulnerability = <a href="http://en.wikipedia.org/wiki/All_your_base_are_belong_to_us">All Your Base are Belong to Us</a></b></p>
<p>I saw a prominent industry spokesman espouse this position in a recent list email, calling attacker access to <a href="https://www.bit9.com/solutions/cyber-security/">security</a> control software “game over.” This is closely related to the previous point and this assumption is hinted at by contests at industry conferences to “own” <a href="https://www.bit9.com/solutions/protection/advanced-endpoint-protection/">endpoints</a> with competing endpoint products. If the security of your critical assets hinges on the non-existence of flaws in software on your endpoints, then this assumption may be true. But real-world attacks have to operate across multiple phases of the kill chain. Modern security practice aims to characterize and prevent or detect attacks at multiple points of the kill chain. Some organizations even go so far as to allow attacks, drawing attackers into traps where their tactics, techniques, and procedures (TTPs) can be better observed and recorded.</p>
<p><b>8. The Universality of Attack Techniques</b></p>
<p>This assumption is rarely stated outright; it is perniciously implied at many conference talks. When a new attack technique is presented, the flaw is discussed as if it has wide applicability despite having only been demonstrated in one particular context. The possibility that the technique works only in very limited circumstances, against particular software or systems, is often glossed over. The danger arises when defenders spend unwarranted resources on defenses against such attacks.</p>
<p><b>9. Humans make Security Impossible</b></p>
<p>It’s almost a truism that humans are the weakest security link. That may be its own assumption, but it certainly seems that mistakes made by humans are the root cause of most security gaps in an organization. That said, in most cases, these mistakes are made possible by broken or missing processes, insufficient oversight and auditing, or failure to put appropriate controls in place that mitigate vulnerabilities in the form of security-ignorant end users.</p>
<p><b>10. User Education is a Failure</b></p>
<p>This may largely be true for the most often cited use case for user education. Many organizations try to thwart attacks such as spear-phishing emails by educating users only to recognize and avoid such emails. The evidence so far suggests that this approach hits diminishing returns so quickly as to make the practice almost worthless. However, if instead of trying to prevent attacks in this manner, the users are asked to <i>report</i> emails, the practice can be quite valuable. In the former case, if one out of 10 employees falls for the phish, the endpoint is compromised, and with it the organization. In the latter case, if one out of 10 employees reports the phish, the attack can be detected and (hopefully) thwarted, effectively turning the end user into a sensor instead of a firewall.</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.bit9.com/2013/05/23/10-dangerous-cyber-security-oversimplifications/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Bit9 Connector is a Game-changer in Enterprise Security</title>
		<link>https://blog.bit9.com/2013/05/21/the-bit9-connector-is-a-game-changer-in-enterprise-security/</link>
		<comments>https://blog.bit9.com/2013/05/21/the-bit9-connector-is-a-game-changer-in-enterprise-security/#comments</comments>
		<pubDate>Tue, 21 May 2013 21:50:51 +0000</pubDate>
		<dc:creator>Brian Hazzard</dc:creator>
				<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[bit9]]></category>
		<category><![CDATA[bit9 connector]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[fireeye]]></category>
		<category><![CDATA[palo alto networks]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[server security]]></category>
		<category><![CDATA[Whitelisting]]></category>
		<category><![CDATA[zero day]]></category>

		<guid isPermaLink="false">https://blog.bit9.com/?p=4095</guid>
		<description><![CDATA[When Bit9’s customers talk, we listen. With cyberattacks becoming increasingly sophisticated and legacy antivirus solutions incapable of stopping them, it’s time for some radically different thinking. Enterprises need a new approach to protect their endpoints, servers and network from the... <a href="https://blog.bit9.com/2013/05/21/the-bit9-connector-is-a-game-changer-in-enterprise-security/">Continue Reading</a>]]></description>
				<content:encoded><![CDATA[<p><a href="https://blog.bit9.com/wp-content/uploads/2013/05/iStock_000014891307Medium.jpg"><img class="alignleft size-medium wp-image-4096" alt="Detection" src="https://blog.bit9.com/wp-content/uploads/2013/05/iStock_000014891307Medium-300x225.jpg" width="300" height="225" /></a>When <a href="https://www.bit9.com/">Bit9</a>’s customers talk, we listen.</p>
<p>With cyberattacks becoming increasingly sophisticated and legacy antivirus solutions incapable of stopping them, it’s time for some radically different thinking. Enterprises need a new approach to protect their <a href="http://www.bit9.com/solutions/protection/advanced-endpoint-protection/">endpoints</a>, servers and network from the potentially devastating effects of zero-day, targeted and other advanced attacks.</p>
<p>Many Bit9 customers also have next-generation network security solutions from our partners FireEye and Palo Alto Networks as part of their defense-in-depth strategy. Seeing that the threat landscape was becoming more dangerous, they asked us to find a way to integrate FireEye’s and Palo Alto Networks’ solutions with Bit9’s next-generation endpoint and <a href="https://www.bit9.com/solutions/server-security-software/">server security</a>. It was a tall order, but by working closely with these partners, we’ve delivered a game-changing solution.</p>
<p>The <a href="https://www.bit9.com/products/bit9-connector/">Bit9 Connector</a> for FireEye and Palo Alto Networks, which we announced today, enables security teams to prioritize network alerts and investigate events in minutes. This product combination can automatically retrieve any new file arriving on any endpoint or server and submit it to FireEye and/or Palo Alto Networks for analysis. If a file is malicious, we automatically ensure it can never execute again anywhere in your enterprise.</p>
<p>The Bit9 Connector delivers four key industry firsts:</p>
<ul>
<li>Automatically enforces endpoint and <a href="https://www.bit9.com/solutions/server-security-software/">server protection</a> based on results from FireEye and/or Palo Alto Networks</li>
<li>Automatically retrieves any file on any system and submits it to FireEye and/or Palo Alto Networks for execution and analysis</li>
<li>Combines a real-time endpoint sensor and continuous recorder with FireEye’s and/or Palo Alto’s network security devices to automatically prioritize actionable alerts</li>
<li>Provides real-time enterprise-wide visibility into all endpoints and servers infected by malware discovered by FireEye and/or Palo Alto Networks</li>
</ul>
<p>Detection quickly has become a vital component of next-gen security. It’s essential to prioritize network alerts, investigate the scope of each threat, and remediate endpoints and servers based on complete threat intelligence and analysis across endpoints, servers and the network. This integration gives security professionals a full audit trail of activity and automatic alert prioritization from the network down to the endpoint.</p>
<p>The Bit9 Connector delivers real-time security for two major use cases:</p>
<p>1. Files that arrive on the network are automatically executed by FireEye or Palo Alto with malware alerts sent to the <a href="https://www.bit9.com/products/trust-based-security-platform/">Bit9 Platform</a>. These results are immediately correlated with Bit9’s up-to-the-second endpoint and server data to confirm the location, scope and severity of the threat across the enterprise. This enables security teams to:</p>
<ul>
<li><b>Prioritize</b> network alerts based on how many machines have been infected and whether the malware has executed.</li>
<li><b>Investigate</b> the scope of threats using the recorded details of every endpoint and server to trace the root cause and progression of the attack.</li>
<li><b>Remediate</b> endpoints and servers by knowing precisely which machines are impacted and need attention, and automatically ban files from executing based on malware detected by FireEye or Palo Alto Networks.</li>
</ul>
<p>2. Bit9 can retrieve any file from any endpoint or server—automatically or on-demand—and have FireEye or Palo Alto execute it to analyze the file and assess its risk level. This enables security teams to:</p>
<ul>
<li><b>Ensure every new file on any endpoint or server is safe.</b> Security teams can also write rules to determine which files should be automatically submitted to maximize coverage while minimizing network traffic.</li>
<li><b>Analyze any file on any endpoint or server</b> with just a few clicks. Often security analysts need to determine the risk level of a particular file. Now they can use Bit9 to retrieve the file from any endpoint or server and directly submit it for detonation.</li>
<li><b>Automatically block the execution of files on endpoints or servers based on detonation results.</b> Bit9 can automatically ensure that any file deemed malicious by FireEye or Palo Alto Networks can never execute again throughout the enterprise.</li>
</ul>
<p>The Bit9 Connector is a unique approach in network and endpoint security. We talked to all of the leading industry analysts before we launched the product and they agreed there’s nothing else like it in the market. Fran Howarth of Bloor Research in the U.K. said: “This important breakthrough will enable organizations to neutralise even the most advanced threats and enable compliance with mandates and best practice standards that require computing resources be proactively monitored.”</p>
<p>The Bit9 Connector is available now from Bit9 and our channel partners. We’re even offering an <a href="https://www.bit9.com/forms/bit9-launches-endpoint-and-network-security-integration-strategy/">Early Access Program</a> with priority access and financial savings until June 30, 2013. Check it out and see for yourself what next-generation security really means.</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.bit9.com/2013/05/21/the-bit9-connector-is-a-game-changer-in-enterprise-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Whitelisting: What’s in a Name? Plenty of Misperceptions</title>
		<link>https://blog.bit9.com/2013/05/13/whitelisting-whats-in-a-name-plenty-of-misperceptions/</link>
		<comments>https://blog.bit9.com/2013/05/13/whitelisting-whats-in-a-name-plenty-of-misperceptions/#comments</comments>
		<pubDate>Mon, 13 May 2013 18:15:54 +0000</pubDate>
		<dc:creator>Harry Sverdlove</dc:creator>
				<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[app store]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[endpoint and server security]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[google play]]></category>
		<category><![CDATA[server security]]></category>
		<category><![CDATA[whitelist]]></category>
		<category><![CDATA[Whitelisting]]></category>

		<guid isPermaLink="false">https://blog.bit9.com/?p=4088</guid>
		<description><![CDATA[I’ve never been a fan of the word “whitelist,” because the word itself delivers misperceptions across both its syllables. The first syllable – white – suggests that there’s this global concept of good that is the opposite of bad. When... <a href="https://blog.bit9.com/2013/05/13/whitelisting-whats-in-a-name-plenty-of-misperceptions/">Continue Reading</a>]]></description>
				<content:encoded><![CDATA[<p><a href="https://blog.bit9.com/wp-content/uploads/2013/05/Whitelist.png"><img class="alignleft size-medium wp-image-4089" alt="Whitelist" src="https://blog.bit9.com/wp-content/uploads/2013/05/Whitelist-300x225.png" width="300" height="225" /></a>I’ve never been a fan of the word “<i>whitelist</i>,” because the word itself delivers misperceptions across both its syllables. The first syllable – <i>white</i> – suggests that there’s this global concept of <i>good</i> that is the opposite of <i>bad</i>. When we look at a virus most of us universally accept it as <i>bad</i> because no one wants one on their PC; but when we look at <i>good</i> software the definitions vary. Some companies may allow their users to run Skype – others may not. Some organizations may allow packet-sniffing tools for IT administrators, but not allow them within their sales department. So <i>white,</i> or trust, is context-specific to a company, organizational unit or department – and not a universally accepted posture for everyone. The second syllable – <i>list</i> – implies that there’s some grandiose list that has to be maintained, which reinforces the perception of whitelisting<i> </i>as hard to implement and manage.</p>
<p>Sadly, both parts of the word fail miserably at describing today’s policy-driven <a href="https://www.bit9.com/solutions/whitelisting/">whitelisting</a>, as delivered by <a href="https://www.bit9.com/">Bit9</a>.</p>
<p>In the increasingly distant past, the amount of good software far outweighed the bad. With only a handful of viruses making the rounds, blacklisting solutions provided relatively effective security. But today’s threat landscape is very different and the number of malware signatures far outweighs the number of good applications. And as the sophistication and persistence of attackers increases, the need for highly evolved security solutions has never been greater. We’re seeing the commercialization of malware on a grand scale, and because of this, the blacklists of yesteryear are ineffective against today’s cyberattacks. So a movement is underway to migrate security to a more <a href="https://www.bit9.com/products/trust-based-security-platform/">trust-based</a> – or proactive – model.</p>
<p>You don’t keep a list of people who are not allowed in your home. Rather, you have established in your mind a set of de facto policies about how you will react when a stranger comes to the door. Information security should operate the same way, and it’s starting to. When looking at the mobile space, we see approved/trusted sources for obtaining apps (App Store, <a href="https://www.bit9.com/research/pausing-google-play/">Google Play</a>, etc.). In theory, these are places where applications have a predetermined level of trust before you download them, as opposed to a PC that can download a variety of potentially untrustworthy applications from anywhere on the Internet.</p>
<p>Changing our perceptions about whitelisting starts with looking at how we can establish the trust-level of a given piece of software. Bit9’s Next-generation <a href="https://www.bit9.com/solutions/protection/advanced-endpoint-protection/">Endpoint</a> and <a href="https://www.bit9.com/solutions/server-security-software/">Server Security</a> solution enables organizations to define what trust means to them and enforce this assessment by establishing policies for both software pushed to end users by IT and files pulled from the Internet by end users. The <a href="https://www.bit9.com/products/cloud-services/software-reputation-service/">Bit9 Software Reputation Service</a> delivers cloud-driven trust ratings that indicate whether a given file should be allowed to run or not.</p>
<p>As an example, Adobe Reader is a trusted application, but the policy that trusts it to be downloaded and updated does not trust it to drop executable files, which Reader is not supposed to do. If that happens it’s an immediate red flag. It doesn’t matter how or why it happened, just that a program came onto the system through an unauthorized mechanism and it should not be trusted. When we think in terms of policies as opposed to lists, not only do we enhance the power of a whitelisting approach, but we also make it easier to manage.</p>
<p>Enterprises are increasingly choosing not to pay for standalone antivirus solutions. AV has become a commodity component of a larger security solution or a capability incorporated into other products, such as those from Microsoft. Another drawback to antivirus is the unwarranted bloat caused by daily patch updates. For instance, process control or point-of-sale systems require Internet connectivity to maintain up-to-date antivirus solutions. But most of these systems are entirely fixed-function and should be locked so they only perform their specialized function. Requiring Internet connectivity to install antivirus updates introduces unnecessary vulnerabilities, which a good security solution is supposed to prevent.</p>
<p>To be fair, locks have existed on doors for thousands of years, but most realize that your run-of-the-mill lock won’t stop an especially aggressive intruder any more than antivirus solutions can stop <a href="https://www.bit9.com/solutions/advanced-persistent-threat/">advanced threats</a>. To protect against modern attacks, additional measures are required to ensure security. Still, even after installing more advanced security measures, no one is running around taking the locks off their doors. This is the idea of a defense-in-depth approach, because there are no silver bullets. For cyberattackers, blacklist solutions are no longer a speed bump on the road to corporate intellectual property, but they are still effective against older-style attacks. On the other hand, next-generation solutions fill the gap left by older solutions that were never designed to defend against modern or targeted cyberattacks. The future of <a href="https://www.bit9.com/solutions/cyber-security/">cybersecurity</a> is around trust &#8211; or “whitelisting,” but it&#8217;s <em>policy-driven</em> whitelisting that can truly meet the needs of today’s at-risk enterprises.</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.bit9.com/2013/05/13/whitelisting-whats-in-a-name-plenty-of-misperceptions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Could Twitter’s Security Woes Lead to National Security Threats?</title>
		<link>https://blog.bit9.com/2013/05/09/could-twitters-security-woes-lead-to-national-security-threats/</link>
		<comments>https://blog.bit9.com/2013/05/09/could-twitters-security-woes-lead-to-national-security-threats/#comments</comments>
		<pubDate>Thu, 09 May 2013 17:00:09 +0000</pubDate>
		<dc:creator>Jon Cilley</dc:creator>
				<category><![CDATA[Social Media]]></category>
		<category><![CDATA[ap]]></category>
		<category><![CDATA[associated press]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[direct messages]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[national security]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[phishing attack]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[two-factor authentication]]></category>

		<guid isPermaLink="false">https://blog.bit9.com/?p=4083</guid>
		<description><![CDATA[High-profile Twitter hacks have become increasingly common over the past year. But despite repeated negative headlines, Twitter has done little to resolve the issue. Making matters worse, last month’s Associated Press Twitter breach (claiming a terrorist attack had injured President... <a href="https://blog.bit9.com/2013/05/09/could-twitters-security-woes-lead-to-national-security-threats/">Continue Reading</a>]]></description>
				<content:encoded><![CDATA[<p><a href="https://blog.bit9.com/wp-content/uploads/2013/05/Twitter-Lock1.png"><img class="alignleft size-medium wp-image-4085" alt="Twitter Lock" src="https://blog.bit9.com/wp-content/uploads/2013/05/Twitter-Lock1-300x225.png" width="300" height="225" /></a>High-profile Twitter hacks have become increasingly common over the past year. But despite repeated negative headlines, Twitter has done little to resolve the issue. Making matters worse, last month’s <a href="http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757/">Associated Press Twitter breach</a> (claiming a terrorist attack had injured President Obama) showed that hacking the right account can send <a href="http://www.guardian.co.uk/business/2013/apr/23/ap-tweet-hack-wall-street-freefall">Wall Street and others</a> into a panic. Because of Twitter’s popularity, the social network’s security shortcomings could lead to national security threats if not handled properly.</p>
<p>It’s embarrassing that Twitter has not deployed any type of two-factor authentication – which they’ve recently said <a href="http://mashable.com/2013/04/24/twitter-working-two-factor-authentication/">they’re working on</a> – but Twitter’s security woes don’t end there. Twitter doesn’t force its users to create complex passwords that would be difficult to hack. Its support site <i>recommends</i> 10-character passwords, but only <i>requires</i> six. Also, Twitter needs better spam filtration of direct messages to users – perhaps a spam bucket for obvious accounts that have been compromised and are now distributing phishing attacks and/or spam messages such as “<i>get more followers here &lt;link&gt;</i>,” or “<i>did you see this blog about you? &lt;link&gt;</i>.”</p>
<p>Twitter also needs to take the same data it uses to target ads for marketers and apply it to security. Hidden in the data are commonalities that should help Twitter understand the characteristics and behaviors of common types of attacks, as well as their groups of keywords and methodologies. By leveraging the data it already has, Twitter should be able to flag suspicious tweets and immediately issue notifications and popups about potentially malicious tweets that target specific users.</p>
<p>The AP won’t be the last high-profile Twitter breach, but two-factor authentication will certainly help. One of the biggest challenges in security is educating users. By giving users the tools to be successful, Twitter can pivot its growing reputation as a one-stop hack shop into a more desirable position as a social media security leader.</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.bit9.com/2013/05/09/could-twitters-security-woes-lead-to-national-security-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mobile Security: Crunchy on the Outside, Soft on the Inside</title>
		<link>https://blog.bit9.com/2013/05/07/mobile-security-crunchy-on-the-outside-soft-on-the-inside/</link>
		<comments>https://blog.bit9.com/2013/05/07/mobile-security-crunchy-on-the-outside-soft-on-the-inside/#comments</comments>
		<pubDate>Tue, 07 May 2013 17:25:03 +0000</pubDate>
		<dc:creator>Harry Sverdlove</dc:creator>
				<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[android]]></category>
		<category><![CDATA[android fragmentation]]></category>
		<category><![CDATA[byod]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[fragmentation]]></category>
		<category><![CDATA[galaxy nexus]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[htc]]></category>
		<category><![CDATA[mobile securiy]]></category>
		<category><![CDATA[motorola]]></category>
		<category><![CDATA[nexus 4]]></category>
		<category><![CDATA[samsung]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[server security]]></category>
		<category><![CDATA[Whitelisting]]></category>

		<guid isPermaLink="false">https://blog.bit9.com/?p=4080</guid>
		<description><![CDATA[When we hear of mobile malware (especially on Android) growing 163 percent or infecting 32.8 million devices in 2012, it’s easy to understand why having a security strategy and solution for employee-owned devices is essential. However, what can sometimes get... <a href="https://blog.bit9.com/2013/05/07/mobile-security-crunchy-on-the-outside-soft-on-the-inside/">Continue Reading</a>]]></description>
				<content:encoded><![CDATA[<p><a href="https://blog.bit9.com/wp-content/uploads/2013/05/Android_robot-MM.png"><img class="alignleft size-medium wp-image-4081" alt="Android_MM" src="https://blog.bit9.com/wp-content/uploads/2013/05/Android_robot-MM-300x225.png" width="300" height="225" /></a>When we hear of mobile malware (especially on Android) growing <a href="http://techcrunch.com/2013/04/15/malware-on-mobile-grew-163-in-2012-infecting-around-32-8m-android-devices-report-says/" target="_blank">163 percent or infecting 32.8 million devices in 2012</a>, it’s easy to understand why having a security strategy and solution for employee-owned devices is essential. However, what can sometimes get lost, especially for organizations looking to bolster their security posture, is how to prioritize security across your environment.</p>
<p>To be clear: establishing a perimeter defense in your network is important – very important. But if you’re a company that hasn’t already covered the basics, where should you begin? Many companies are now realizing that security is not just about holding the enemy at the gates, it’s also important to understand when the enemy is already within them. A good security posture starts by assuming you are compromised and then asking the hard questions: “Would I even know if I were compromised? What is the enemy doing? How can I stop them once they are inside?”</p>
<p>Security doesn’t start with BYOD – that’s just one aspect of a much larger picture. Should you really be focused on the doors to your house when the foundation is crumbling? Enterprise security shouldn’t be built like an M&amp;M – crunchy on the outside, soft on the inside – it should be crafted more like a jawbreaker – hardened from the inside out. Of course, you want everything hardened, but you can’t tackle all aspects of your infrastructure at once. You need to prioritize based on risk and value. Attackers are after intellectual property and they have a particular appetite for credentials to help them come and go as they please. Build concentric circles of defense starting with your critical infrastructure, then extend to your application and database <a href="https://www.bit9.com/solutions/server-security-software/">servers</a>, and then encompass other sensitive systems like finance and your highest risk end-user systems (e.g., remote users, publicly accessible systems, etc.).</p>
<p>Also, what is a perimeter these days? When it comes to securing mobile devices and cloud computing, your corporate assets are being accessed from around the world, in Internet Cafes and homes, and by devices that don’t travel through any “known” perimeter (3G/LTE networks, etc.). Authors of advanced malware are currently targeting <a href="https://www.bit9.com/solutions/protection/advanced-endpoint-protection/">endpoints</a> and servers with more regularity than mobile devices. Mobile attacks tend to be focused on small financial gains, not stealing intellectual property. So what we saw in the past with hackers changing dial-up modem settings to expensive toll lines and pocketing the cash, we now see with mobile hacking and expensive premium SMS messages; cybercrime – not cyberespionage.</p>
<p>Mobile devices still represent security vulnerabilities because of the unprotected credentials and company documents they store. The data on these mobile devices could always be used in more advanced attacks on desktops or servers in the future. So it should be part of your strategy to secure employee-owned devices that are not under your primary control. All I’m saying is start at the center where the data and systems are easily identifiable and there are <a href="https://www.bit9.com/products/trust-based-security-platform/">proven technologies</a> that exist to stop <a href="https://www.bit9.com/solutions/advanced-persistent-threat/">advanced threats</a> from executing in your environment. As you extend your security layers, you will be left with a security posture that’s more sour than sweet for cyberattackers.</p>
<img src="http://feeds.feedburner.com/~r/Bit9Activity/~4/TSjv3taf1qQ" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>https://blog.bit9.com/2013/05/07/mobile-security-crunchy-on-the-outside-soft-on-the-inside/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyberespionage Tackle Box: FinFisher Spyware Casts Wide Net</title>
		<link>https://blog.bit9.com/2013/05/06/cyberespionage-tackle-box-finfisher-spyware-casts-wide-net/</link>
		<comments>https://blog.bit9.com/2013/05/06/cyberespionage-tackle-box-finfisher-spyware-casts-wide-net/#comments</comments>
		<pubDate>Mon, 06 May 2013 21:14:59 +0000</pubDate>
		<dc:creator>Xavier Ashe</dc:creator>
				<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[advanced threat]]></category>
		<category><![CDATA[bit9]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cyberespionage]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[cyberwar]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[firefox]]></category>
		<category><![CDATA[hacktivism]]></category>
		<category><![CDATA[hacktivist]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[mozilla]]></category>
		<category><![CDATA[server security]]></category>
		<category><![CDATA[zero day]]></category>

		<guid isPermaLink="false">https://blog.bit9.com/?p=4074</guid>
		<description><![CDATA[As I reviewed recent headlines, I took note of a company out of the U.K., Gamma International, that makes purpose-built spying tools. Their software offering is called FinFisher (aka FinSpy). The buzz phrase they use is “lawful intercept,” which means... <a href="https://blog.bit9.com/2013/05/06/cyberespionage-tackle-box-finfisher-spyware-casts-wide-net/">Continue Reading</a>]]></description>
<content:encoded><![CDATA[<p><a href="https://blog.bit9.com/wp-content/uploads/2013/05/Globe.png"><img class="alignleft size-medium wp-image-4075" alt="FinFisher" src="https://blog.bit9.com/wp-content/uploads/2013/05/Globe-300x165.png" width="300" height="165" /></a>As I reviewed recent headlines, I took note of a company out of the U.K., <a href="https://www.gammagroup.com/"><b>Gamma International</b></a>, that makes purpose-built spying tools. Their software offering is called <a href="http://www.finfisher.com/FinFisher/en/index.php">FinFisher</a> (aka FinSpy). The buzz phrase they use is “lawful intercept,” which means that its use should be bound by laws that allow spying in certain circumstances. Personally, I file it under “greyware,” considering it could be used legally or illegally to remotely control or embed cyberespionage tools within benign-looking software. So how do organizations secure themselves against these kinds of tools?</p>
<p>Last year Morgan Marquis-Boire, a security researcher at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, and Bill Marczak, a computer science doctoral student at the University of California, Berkeley, found emails containing surveillance tools traced back to Gamma International. More recently, those researchers found the command-and-control server for FinFisher running in 36 countries. According to Mikko Hypponen of F-Secure, Gamma International even tried to <a href="https://www.f-secure.com/weblog/archives/00002114.html"><b>sell FinFisher to the Egyptian Government</b></a> under former President Mubarak.</p>
<p>As the <a href="http://bits.blogs.nytimes.com/2013/03/13/researchers-find-25-countries-using-surveillance-software/">New York Times reported</a> in March:</p>
<p style="padding-left: 30px;">“Martin J. Muench, a Gamma Group managing director, has said his company does not disclose its customers, but that Gamma Group sold its technology to governments only to monitor criminals. He said that it was most frequently used &#8216;against pedophiles, terrorists, organized crime, kidnapping and human trafficking.&#8217;</p>
<p style="padding-left: 30px;">“But evidence suggests the software is being sold to governments where the potential for abuse is high. ‘If you look at the list of countries that Gamma is selling to, many do not have a robust rule of law,’ Mr. Marquis-Boire said. ‘Rather than catching kidnappers and drug dealers, it looks more likely that it is being used for politically motivated surveillance.’”</p>
<p>The Citizen Lab released research on the topic a few days ago titled “<a href="https://citizenlab.org/2013/04/for-their-eyes-only-2/"><b>For Their Eyes Only: The Commercialization of Digital Spying</b></a>.” The data in this report is shocking in many ways, including <b>a mobile version</b> of FinSpy that follows the same path as its desktop equivalent.</p>
<p>They also have a sample package that realistically masquerades as Mozilla’s Firefox. They copied so many details that Mozilla sent Gamma International a cease-and-desist letter, according to <a href="http://www.wired.com/wiredenterprise/2013/04/finfisher-firefox"><i><b>Wired</b></i></a>. As you see in the screenshot below, the properties of the executable are identical. How would one ever know the difference? You could rely on virus scanners, but without a sample of the malicious code they won’t be able to detect or stop it.</p>
<p><a href="https://blog.bit9.com/wp-content/uploads/2013/05/FireFox.png"><img class="aligncenter size-large wp-image-4077" alt="Firefox" src="https://blog.bit9.com/wp-content/uploads/2013/05/FireFox-600x331.png" width="600" height="331" /></a></p>
<p>The tried-and-true security tools that most of us depend on are reactive. You have to wait on security researchers to tear apart samples that they find in the wild to give you reactive protection. It’s the same old cat-and-mouse game that leaves you open to attack.</p>
<p>Fortunately, there is a way to end the game. The <a href="https://www.bit9.com/products/trust-based-security-platform/">Bit9 Trust-based Security Platform</a> takes a different approach by blocking the execution of untrusted files across <a href="http://www.bit9.com/solutions/protection/advanced-endpoint-protection/">endpoints</a> and <a href="http://www.bit9.com/solutions/server-security-software/">servers</a>. Let’s look through the Citizen Lab’s research paper and see how Bit9 would stop these threats.</p>
<ul>
<li>In the messages sent to Bahraini dissidents, the attackers used the <b>“right-to-left override” attack</b>. From the research paper: “<i>The RLO character (U+202e in unicode) controls the positioning of characters in text containing characters flowing from right to left, such as Arabic or Hebrew. The malware appears on a victim’s desktop as ‘exe.Rajab1.jpg’ (for example), along with the default Windows icon for a picture file without thumbnail. But, when the UTF-8 based filename is displayed in ANSI, the name is displayed as ‘gpj.1bajaR.exe.’ Believing that they are opening a harmless ‘.jpg,’ victims are instead tricked into running an executable ‘.exe’ file.”</i>
<ul>
<li>If Bit9 were installed and running in high-enforcement mode, the unknown or untrusted executable would not have executed. Even if you were running Bit9 in block-and-ask mode, the user would be alerted that a <i>program</i> was trying to run something other than a .jpg.</li>
</ul>
</li>
</ul>
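<p>As an added check (not from the post or the Citizen Lab report): the right-to-left override trick works because the name the OS acts on and the name the user sees differ. The Python below uses a deliberately simplified bidi rendering model and a constructed sample list (the executable-extension set is an assumption) to recover the displayed form of a stored filename and flag names whose real extension is executable but whose visible extension is not.</p>

```python
from dataclasses import dataclass

# Unicode bidirectional controls that can make a stored filename render
# differently from how it is spelled. U+202E is the RLO the report describes.
RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE
LRO = "\u202d"   # LEFT-TO-RIGHT OVERRIDE
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING (ends an override)
BIDI_CONTROLS = {RLO, LRO, PDF, "\u202a", "\u202b",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

# Extensions Windows will execute; assumption: tune to your environment.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".jar", ".dll"}


@dataclass
class FilenameVerdict:
    stored: str        # the name as written to disk (controls included)
    displayed: str     # the name as a naive file browser would show it
    true_ext: str      # extension the OS acts on
    apparent_ext: str  # extension the user sees
    suspicious: bool
    reason: str


def render_display(name: str) -> str:
    """Approximate what a user sees: characters after an RLO are shown
    reversed until a PDF or the end of the string. This is a deliberate
    simplification of the Unicode Bidirectional Algorithm, sufficient for
    the extension-swapping pattern in the report."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            j, segment = i + 1, []
            while j < len(name) and name[j] != PDF:
                if name[j] not in BIDI_CONTROLS:
                    segment.append(name[j])
                j += 1
            out.extend(reversed(segment))
            i = j + 1          # skip the terminating PDF, if any
            continue
        if ch not in BIDI_CONTROLS:
            out.append(ch)     # other controls are invisible; drop them
        i += 1
    return "".join(out)


def extension(name: str) -> str:
    """Lower-cased final extension of the basename, '' if none."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""


def analyze_filename(stored: str) -> FilenameVerdict:
    """Compare the extension the OS will act on with the one the user sees."""
    displayed = render_display(stored)
    stripped = "".join(c for c in stored if c not in BIDI_CONTROLS)
    true_ext, apparent_ext = extension(stripped), extension(displayed)
    has_controls = any(c in BIDI_CONTROLS for c in stored)
    if not has_controls:
        return FilenameVerdict(stored, displayed, true_ext, apparent_ext,
                               False, "no bidi controls")
    if true_ext in EXECUTABLE_EXTENSIONS and apparent_ext != true_ext:
        return FilenameVerdict(stored, displayed, true_ext, apparent_ext,
                               True, "bidi override hides an executable extension")
    return FilenameVerdict(stored, displayed, true_ext, apparent_ext,
                           True, "bidi control character in filename")


def scan(names):
    """Return the verdicts for every name that should be reviewed."""
    return [v for v in (analyze_filename(n) for n in names) if v.suspicious]


# Constructed sample: the first entry is the stored form of the report's
# 'exe.Rajab1.jpg' example; the rest are made up for this demonstration.
SAMPLE_FILENAMES = [
    RLO + "gpj.1bajaR.exe",
    "holiday" + RLO + "gpj.exe",
    "Rajab1.jpg",
    "report.pdf",
]

if __name__ == "__main__":
    for v in scan(SAMPLE_FILENAMES):
        print(f"{v.displayed!r} is really {v.true_ext} ({v.reason})")
```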
<ul>
<li>In emails sent to the Moroccan citizen media and journalism project Mamfakinch, the payload was in a malicious Java file, “adobe.jar.” This file then facilitated the installation of a multi-platform (OSX and Windows) backdoor. On Windows, it writes a number of files, including ZsROY7X.-MP. This file appears to provide the main backdoor functionality. It adds a registry key to ensure the Trojan stays persistent and runs via rundll32.
<ul>
<li>Bit9 has the ability to track and block Java files as it does other executables, but it isn’t turned on by default. So if you had that Java option enabled, Bit9 would keep “adobe.jar” from ever executing. Let’s say you don’t have Java tracking enabled. In that case, “adobe.jar” would execute, writing out the files to the endpoint. Bit9 examines each file for its contents, finding the file &#8220;ZsROY7X.-MP&#8221; to be executable as a DLL. When rundll32.exe is called to load it, that execution will be blocked. The Trojan will never be able to execute with Bit9 installed.</li>
</ul>
</li>
</ul>
<ul>
<li>In an email sent to Ahmed Mansoor, a prominent UAE blogger who was imprisoned, the payload is a malicious document that looks like a Microsoft Word file, but is an RTF file that exploits a stack-based buffer overflow in the RTF format and downloads additional payloads. Using a Windows API, it downloads a second file, which is also a downloader. Then the third stage is where the backdoor is downloaded, “verimportant.doc3.” The file then writes out several files, including “V46lMhsH.shv,” which is run via “rundll32.exe.”
<ul>
<li>This use case has a different point of injection, but the same outcome. In this case, either the second downloader or the backdoor itself would be blocked by Bit9. Since the backdoor wouldn’t execute, cleanup would be relatively easy since it wasn’t able to inject itself into other software.</li>
</ul>
</li>
</ul>
<ul>
<li>In the use case of the modified version of Firefox, the user would be tricked into installing the wrong version by DNS poisoning, link-jacking, cross-site scripting, clever emails, or other means. The user would then install what looks to be a normally functioning version of Firefox. Infecting an endpoint in this manner tricks the user into accepting changes to his or her system. They know they are installing software, so they are more likely to click “yes” to any security warnings.
<ul>
<li>Companies using Bit9 build a trust-based security approach that ensures any software delivered and executed on an endpoint has been approved in some trusted fashion. Whatever model is deployed, it can prevent “trick the end user” attacks because the malicious version of Firefox is not signed by Mozilla. It would not be able to pass the rigors of a trust-based approach and would not be allowed to execute on the endpoint.</li>
</ul>
</li>
</ul>
<p><a title="Malware Protection" href="https://www.bit9.com/solutions/malware-protection/">Malware</a> comes in various shapes and sizes, with some written by criminals and others written by private companies. Keeping up with these advanced threats requires a new approach to security. Bit9 ensures that only trusted software can run, as opposed to relying on deep analysis of already-known threats that can take time and money to defend against while still leaving you insecure. A trust-based approach is the most secure method to ensure your endpoints and servers are not being spied on by foreign governments using products such as FinFisher and FinSpy.</p>
<img src="http://feeds.feedburner.com/~r/Bit9Activity/~4/dENEcqwE5E0" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>https://blog.bit9.com/2013/05/06/cyberespionage-tackle-box-finfisher-spyware-casts-wide-net/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyberespionage’s Increasing Role in 2013 Verizon DBIR</title>
		<link>https://blog.bit9.com/2013/04/30/cyberespionages-increasing-role-in-2013-verizon-dbir/</link>
		<comments>https://blog.bit9.com/2013/04/30/cyberespionages-increasing-role-in-2013-verizon-dbir/#comments</comments>
		<pubDate>Tue, 30 Apr 2013 20:22:22 +0000</pubDate>
		<dc:creator>Rico Valdez</dc:creator>
				<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[2013 Verizon Data Breach Investigations Report]]></category>
		<category><![CDATA[china]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[cyberespionage]]></category>
		<category><![CDATA[kill chain]]></category>
		<category><![CDATA[verizon dbir]]></category>

		<guid isPermaLink="false">https://blog.bit9.com/?p=4065</guid>
		<description><![CDATA[If you haven’t had a chance to review the 2013 Verizon Data Breach Investigations Report (DBIR) – I encourage you to. While many of the stats presented represent the analysis of more than 47,000 incidents worldwide, the majority of its... <a href="https://blog.bit9.com/2013/04/30/cyberespionages-increasing-role-in-2013-verizon-dbir/">Continue Reading</a>]]></description>
<content:encoded><![CDATA[<p><a href="https://blog.bit9.com/wp-content/uploads/2013/04/Secure.png"><img class="alignleft  wp-image-4069" alt="Secure" src="https://blog.bit9.com/wp-content/uploads/2013/04/Secure-300x225.png" width="270" height="203" /></a>If you haven’t had a chance to review the <a href="http://www.verizonenterprise.com/DBIR/2013/">2013 Verizon Data Breach Investigations Report</a> (DBIR) – I encourage you to. While many of the stats presented represent the analysis of more than 47,000 incidents worldwide, the majority of its focus is directed towards a smaller subset of confirmed breaches (621). Within this subset, enough data was available to provide a more in-depth analysis of various aspects of the breach. This allowed them to report statistics on the threat actors, industries targeted, and techniques used. Verizon claims to have tripled the number of data sources used to build the report, making it difficult to do an apples-to-apples comparison with prior DBIRs. Still, there is enough similarity with prior years that many of the same high-level themes emerge.</p>
<p>The time-to-detection metric continues to tick up in the past couple years, after hitting a low in the 2010 report. This is one area that I would have liked to see broken out further, as it would be interesting to see if there was a strong correlation between the attackers’ goals/motivations and the time-to-discovery. I suspect there is, but I’d like to see some numbers to confirm that hypothesis. Also, we continue to see that in most cases, attackers are having great success with tried-and-true, relatively simple techniques such as spear phishing, brute force attacks, and exploiting known vulnerabilities. The more sophisticated attacks appear to show up after attackers have gained a foothold, and are attributed primarily to the espionage-motivated adversaries whose goals preclude them from just moving on to an easier target.</p>
<p>What’s new in this report is that there looks to be a large increase in the number of espionage-motivated attacks. This should resonate with many of the readers of the report, as it confirms what we’ve been observing in the media and other hack reports. It is no surprise that the report attributes the majority of these attacks as originating from China.</p>
<p><a href="https://blog.bit9.com/wp-content/uploads/2013/04/Screen-Shot-2013-04-30-at-4.41.05-PM.png"><img class="aligncenter size-large wp-image-4066" alt="China" src="https://blog.bit9.com/wp-content/uploads/2013/04/Screen-Shot-2013-04-30-at-4.41.05-PM-600x283.png" width="600" height="283" /></a></p>
<p>It was also interesting to note that the vast majority of attacks were motivated either by gathering information (espionage – corporate or state sponsored), or stealing money. As should be expected, the motivation of the adversary was highly correlated with the targets’ industry, as well as the tactics, techniques, and procedures (TTPs) used. This was glaringly evident in the data, and prompted the authors to state: “In short, we’re discovering that demographics may be one of the most critical and useful components of incident research.” Attack difficulty was also very clearly segregated where espionage-motivated attacks typically garnered a difficulty rating of “medium” or higher, and financially motivated attacks received a rating of “low” or “very low.”</p>
<p><a href="https://blog.bit9.com/wp-content/uploads/2013/04/Screen-Shot-2013-04-30-at-4.43.21-PM.png"><img class="alignright size-medium wp-image-4067" alt="Timespan" src="https://blog.bit9.com/wp-content/uploads/2013/04/Screen-Shot-2013-04-30-at-4.43.21-PM-300x263.png" width="300" height="263" /></a>So what does this mean to those working to secure their systems? Know thyself, and know thy enemy. By understanding your environment, your business, and how it relates to others, you can better discern your potential adversaries and what they are after. Do your best to understand them and the TTPs typically used in those attacks. While you might not be able to prevent every attack, increasing the security and monitoring controls around those attack vectors will help you understand the exposure you face. It will also better equip you to detect and respond to those events early and hopefully before any real damage can be done. In their recommendations, Verizon suggests that organizations focus on the <a href="https://www.vita.virginia.gov/uploadedfiles/VITA_Main_Public/Security/Meetings/ISOAG/2012/Sept_ISOAG_NetworkDefense.pdf">kill-chain</a> approach, which I am a big fan of. It points out that many attacks, especially the more sophisticated ones, are not click-and-done endeavors. They require multiple attack steps, each with a different purpose to further the adversary along their path to the cheddar. The upshot is that for each attack step there are potential observables that can be used to detect the attack, and we can implement controls that might help us to prevent the adversary from moving forward along that attack path. While the attacker, given enough time, can often identify another path to their goal, they must perform further activities on the systems, which gives the defender more opportunities to react.</p>
<p>Verizon calls out Microsoft’s EMET as a worthwhile technology to make exploitation more difficult, and also recommends reviewing and implementing the <a href="http://www.sans.org/critical-security-controls/">SANS Critical Security Controls</a> – both solid recommendations. I would be remiss if I didn’t also point out that by at least one count, the <a href="https://www.bit9.com/products/trust-based-security-platform/">Bit9 Security Platform</a> implements or facilitates at least eight of the SANS Critical Security Controls.</p>
<img src="http://feeds.feedburner.com/~r/Bit9Activity/~4/wXxTgQZ_BE0" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>https://blog.bit9.com/2013/04/30/cyberespionages-increasing-role-in-2013-verizon-dbir/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Bit9 Detection Enhancement: Beyond ‘Just’ Application Whitelisting</title>
		<link>https://blog.bit9.com/2013/04/26/the-bit9-detection-enhancement-beyond-just-application-whitelisting/</link>
		<comments>https://blog.bit9.com/2013/04/26/the-bit9-detection-enhancement-beyond-just-application-whitelisting/#comments</comments>
		<pubDate>Fri, 26 Apr 2013 19:07:31 +0000</pubDate>
		<dc:creator>Dan Brown</dc:creator>
				<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[app control]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[detection]]></category>
		<category><![CDATA[detection enhancement]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[server security]]></category>
		<category><![CDATA[trust-based]]></category>
		<category><![CDATA[Whitelisting]]></category>

		<guid isPermaLink="false">https://blog.bit9.com/?p=4061</guid>
		<description><![CDATA[At Bit9, we sometimes find that potential customers have an incomplete picture of the capabilities of Bit9’s solution. Our Bit9 Security Platform is sometimes pigeonholed as being only an “application whitelisting” solution that prevents unauthorized programs from executing. When those... <a href="https://blog.bit9.com/2013/04/26/the-bit9-detection-enhancement-beyond-just-application-whitelisting/">Continue Reading</a>]]></description>
				<content:encoded><![CDATA[<p><a href="https://blog.bit9.com/wp-content/uploads/2013/04/Detection-Enhancement.png"><img class="alignleft size-medium wp-image-4062" alt="Detection Enhancement" src="https://blog.bit9.com/wp-content/uploads/2013/04/Detection-Enhancement-300x225.png" width="300" height="225" /></a>At Bit9, we sometimes find that potential customers have an incomplete picture of the capabilities of Bit9’s solution. Our <a title="Bit9 Security Platform" href="https://www.bit9.com/products/trust-based-security-platform/">Bit9 Security Platform</a> is sometimes pigeonholed as being only an “<a title="Application Whitelisting" href="https://www.bit9.com/solutions/application-whitelisting/">application whitelisting</a>” solution that prevents unauthorized programs from executing. When those same people evaluate the solution they often are pleasantly surprised to learn of the breadth of functionality in the product and the side benefits that come with its flexibility. In fact, many of our customers do not deploy the product in a “blocking” enforcement mode. They have discovered a variety of other valuable applications within the platform.</p>
<p>Having an inventory of all known executable files in an enterprise is invaluable for various security uses. With Bit9, assessing endpoint risk by determining which vulnerable versions of Web-facing technologies such as Java and Flash are deployed takes just a few minutes (a typical endpoint has more than three versions of Java installed). Without Bit9, such a study usually takes a good deal of time and effort. Integrations with network security solutions from FireEye and Palo Alto Networks show which alerts from those products are actionable and where malicious binaries have landed in your network. And the information made available through the console is an incident response gold mine.</p>
<p>Our customers include some of the most targeted institutions in the world, and they offer valuable insights and suggestions about how Bit9’s platform can be leveraged in new ways to address modern threats.</p>
<p>One of the most valuable fruits of our collaboration with customers has been the recent introduction of the Bit9 detection enhancement effort. This enhancement, provided as a no-cost add-on to the platform, consists of endpoint- and server-correlated sensors and reports, intended to expose advanced threats in ways that are possible only by leveraging the rich information available on the endpoint.</p>
<p><b>Comparison: Advanced Threat Indicators (ATI) vs. Indicators of Compromise (IOC)</b></p>
<p>“Indicators of compromise” is a widely used industry term to describe the evidence of a threat after compromise has occurred. Bit9’s detection enhancement rules are roughly similar in intent, but there are important distinctions. IOCs are generally based on scans of persistent information, and this sort of approach to finding <a title="Advanced Persistent Threat Protection with Bit9" href="https://www.bit9.com/solutions/advanced-persistent-threat/">advanced persistent threat</a>s (APTs) is primarily limited to finding evidence of threats only after compromise has occurred. Since Bit9’s technology consists of a real-time sensor on the endpoint, we have access to event-based information. For example, rather than scanning for a potentially malicious file, Bit9 sees the file the instant it is created. The event-based sensors available to ATIs will also expand over time to include other types of information such as network information.</p>
<p>The term we use for our detection rules is Advanced Threat Indicators (ATI), since our goal is to detect threats <i>when they are initiated and while they are in progress</i>, rather than detecting a compromise after it has already occurred.</p>
<p>As an example, one technique leveraged by APTs is to hide and execute files from the Recycle Bin. One of our ATIs looks for such an execution and immediately reports it to the server, where security operations personnel can use the information to take immediate steps to investigate and remediate the threat, for example by banning the malicious file.</p>
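<p>An added illustration of event-based indicators of this kind (example code, not Bit9’s): three rules evaluated on each process-start event as it arrives rather than by a later scan. They cover the Recycle Bin execution just described, rundll32 loading an oddly named module as in the FinFisher droppers (ZsROY7X.-MP, V46lMhsH.shv) from the earlier post, and a publisher check for an impersonated Firefox. The event fields, paths, SID and signer strings are constructed for this example.</p>

```python
import ntpath
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class ProcessEvent:
    """Constructed process-start event; the field names are this
    example's own, not a Bit9 record format."""
    image_path: str          # executable that started
    command_line: str
    signer: Optional[str]    # publisher from the code signature, if any


@dataclass
class Alert:
    rule: str
    event: ProcessEvent
    detail: str


# Publisher a well-known image name is expected to carry (assumption:
# extend with the vendors you actually deploy).
EXPECTED_SIGNER = {"firefox.exe": "Mozilla Corporation"}


def rule_recycle_bin_execution(ev: ProcessEvent) -> Optional[str]:
    """The ATI described in the post: a program started from the Recycle Bin."""
    p = ev.image_path.lower().replace("/", "\\")
    if "\\$recycle.bin\\" in p or "\\recycler\\" in p:
        return f"image runs from Recycle Bin: {ev.image_path}"
    return None


def _rundll32_module(command_line: str) -> Optional[str]:
    """Extract the module from: rundll32.exe <module>[,<entry>] [args]."""
    rest = command_line.strip()
    if rest.startswith('"'):                       # quoted program token
        rest = rest[rest.find('"', 1) + 1:]
    else:
        parts = rest.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    rest = rest.lstrip()
    if not rest:
        return None
    if rest.startswith('"'):                       # quoted module path
        module = rest[1:rest.find('"', 1)]
    else:
        module = rest.split()[0]
    return module.split(",", 1)[0]


def rule_rundll32_odd_module(ev: ProcessEvent) -> Optional[str]:
    """rundll32.exe asked to load a module whose extension is not .dll."""
    if ntpath.basename(ev.image_path).lower() != "rundll32.exe":
        return None
    module = _rundll32_module(ev.command_line)
    if module and ntpath.splitext(module)[1].lower() != ".dll":
        return f"rundll32 loads non-DLL module: {module}"
    return None


def rule_publisher_mismatch(ev: ProcessEvent) -> Optional[str]:
    """A copy of Firefox not signed by Mozilla fails regardless of how
    closely its version resources match the real thing."""
    expected = EXPECTED_SIGNER.get(ntpath.basename(ev.image_path).lower())
    if expected and ev.signer != expected:
        return f"expected signer {expected!r}, got {ev.signer!r}"
    return None


RULES: List[Callable[[ProcessEvent], Optional[str]]] = [
    rule_recycle_bin_execution,
    rule_rundll32_odd_module,
    rule_publisher_mismatch,
]


def evaluate(events: List[ProcessEvent]) -> List[Alert]:
    """Run every rule over each event as it arrives; return alerts raised."""
    alerts = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append(Alert(rule.__name__, ev, detail))
    return alerts


# Constructed events (paths, the SID and signer values are made up).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\ZsROY7X.-MP",Init',
                 "Microsoft Windows"),
    ProcessEvent(r"C:\$Recycle.Bin\S-1-5-21-EXAMPLE\svchost.exe",
                 "svchost.exe -k netsvcs", None),
    ProcessEvent(r"C:\Users\alice\Downloads\Firefox Setup\firefox.exe",
                 "firefox.exe", None),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 "rundll32.exe shell32.dll,Control_RunDLL", "Microsoft Windows"),
    ProcessEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 "firefox.exe", "Mozilla Corporation"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```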
<p><b>Defense in Depth: Spanning the Kill Chain</b></p>
<p>A common lens through which to view engagement with cyber adversaries that is borrowed from military vernacular is a concept called the “<a href="http://www.mitre.org/work/cybersecurity/focus/threat_based_defense.html">kill chain</a>.” The kill chain is a categorization of steps that an attacker must generally take to achieve their objective. A typical kill chain categorization is: Reconnaissance, Weaponization, Delivery, Exploitation, Persistence, Command and Control, and Actions. This breakdown of threats helps show that they are not trivial and that there are many points at which an attacker may be thwarted or detected. Applying security controls across the kill chain is the essence of defense in depth.</p>
<p>Bit9’s detection enhancement ATIs provide broad detection coverage across the kill chain, making successful navigation through the gauntlet without being detected a daunting task. A good example of this is shown by Bit9’s ATIs that detect illegitimate access to sensitive credentials. Attackers often use password hash scraping tools such as pwdump and Windows Credential Editor. Rather than detecting the use of these particular tools, Bit9’s detection enhancement detects the common behavior that any custom tool would have to perform in order to access that information. This type of behavior is a prelude to the attack propagating throughout the network and happens at points on the kill chain well after initial exploitation.</p>
<p><b>Onward and Upward</b></p>
<p>With an initial release just a few weeks ago, Bit9’s detection enhancement has already uncovered threats lurking otherwise undiscovered in customer networks. Bit9 will continue to improve our detection enhancement and will provide periodic updates with new ATIs over time.</p>
<p>As evidenced by the detection enhancement, Bit9’s Security Platform is just that: a platform with flexible functionality that can be leveraged toward improved enterprise security beyond the application control that Bit9 is most typically known for.</p>
<img src="http://feeds.feedburner.com/~r/Bit9Activity/~4/Py0N9QzlAh4" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>https://blog.bit9.com/2013/04/26/the-bit9-detection-enhancement-beyond-just-application-whitelisting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Convenience vs. Security: Avoiding Trade-offs That Hurt Your Business</title>
		<link>https://blog.bit9.com/2013/04/25/convenience-vs-security-avoiding-trade-offs-that-hurt-your-business/</link>
		<comments>https://blog.bit9.com/2013/04/25/convenience-vs-security-avoiding-trade-offs-that-hurt-your-business/#comments</comments>
		<pubDate>Thu, 25 Apr 2013 20:21:22 +0000</pubDate>
		<dc:creator>Nathan Cooprider</dc:creator>
				<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[app control]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[server security]]></category>
		<category><![CDATA[trust-based]]></category>
		<category><![CDATA[Whitelisting]]></category>

		<guid isPermaLink="false">https://blog.bit9.com/?p=4056</guid>
		<description><![CDATA[I have fond memories of visiting the Oklahoma City Science Museum with my grandfather. I always found the pendulum clock fascinating. We can glean a lot from a pendulum as it swings back and forth between two points. It seems... <a href="https://blog.bit9.com/2013/04/25/convenience-vs-security-avoiding-trade-offs-that-hurt-your-business/">Continue Reading</a>]]></description>
				<content:encoded><![CDATA[<p><a href="https://blog.bit9.com/wp-content/uploads/2013/04/pendulum.png"><img class="alignleft  wp-image-4057" alt="pendulum" src="https://blog.bit9.com/wp-content/uploads/2013/04/pendulum-300x225.png" width="240" height="180" /></a>I have fond memories of visiting the <a href="http://www.sciencemuseumok.org/">Oklahoma City Science Museum</a> with my grandfather. I always found the <a href="http://en.wikipedia.org/wiki/Focault_pendulum">pendulum clock</a> fascinating. We can glean a lot from a pendulum as it swings back and forth between two points. It seems unable to make up its mind – back and forth, forth and back. Human societies often act this way when deciding how to balance trade-offs – freedom versus safety, convenience versus security, and privacy versus sharing. A computer gets <a href="https://blog.bit9.com/2013/01/11/preaching-to-the-choir-the-problem-with-cybersecurity-education/">pwned by spammers</a>, so we take away admin rights. The warnings from Windows about the unauthorized software we run get inconvenient, so we <a href="http://www.youtube.com/watch?v=FxOIebkmrqs">turn them off</a>. We want to share our lives with friends and family, so we dump our personal information into Facebook. Security, like life, needs the correct balance – back and forth, forth and back.</p>
<p>Actually finding the right balance proves difficult for a number of reasons. Everyone has his or her own opinions of the appropriate balance. One person may feel their computer contains nothing worth protecting, and another may feel they have done “due diligence.” The interconnectedness of data and the people that control it also makes finding balance difficult. An employee who decides to <a href="http://boingboing.net/2012/07/10/dropped-infected-usb-in-the-co.html">plug a USB stick</a> they found in a parking lot into their computer can affect their employer’s entire IT environment when the machine gets infected. Volatile effects from advances in technology do not help when finding a balance. Java, once the platform to “write once, run anywhere,” has become the platform to “<a href="http://www.theregister.co.uk/2012/08/30/java_zero_day_latest/">write once, exploit everywhere</a>.” Many security firms spread malware through <a href="https://blog.bit9.com/2013/04/02/the-realities-of-cyberwar-fear-uncertainty-and-doubt">FUD</a>, while consumer advocacy groups contribute their own spin to the pile. No silver bullet exists for striking the balance.</p>
<p>So we continue to swing like a pendulum – back and forth, forth and back. I leave the exploration of these trade-offs as an exercise for the reader. But those of us in the business of technology must continue to explore and understand these issues and not leave less tech-savvy folks to dictate the terms. <a href="http://www.amazon.com/gp/product/0553293354/ref=as_li_ss_tl?ie=UTF8&amp;camp=1789&amp;creative=390957&amp;creativeASIN=0553293354&amp;linkCode=as2&amp;tag=situanorma-20">Salvor Hardin, in Isaac Asimov&#8217;s <i>Foundation</i>,</a> said: “It’s a poor atom blaster that doesn’t point both ways.” Let’s be careful we don’t push the pendulum so hard it gets stuck in the wall or smacks us in the face when it swings back. We all want control, and a loss of that control brings frustration, but it can also compromise the success of an organization. Security professionals need to exercise caution to ensure that increased control in one area does not come at an unacceptable <a href="http://www.schneier.com/blog/archives/2013/03/our_internet_su.html">loss of control</a> of security in another.</p>
<p>Fortunately, IT departments have empowering tools at their disposal to help them maintain control of their systems. The best of these tools lock the bad guys out while staying out of the way for the good guys. <a href="https://www.bit9.com/products/trust-based-security-platform/">Bit9’s Trust-based Security Platform</a> does just that.</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.bit9.com/2013/04/25/convenience-vs-security-avoiding-trade-offs-that-hurt-your-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ACLU Calls for Investigation of Android Security Threat – Blames Carriers</title>
		<link>https://blog.bit9.com/2013/04/24/aclu-calls-for-investigation-of-android-security-threat-blames-carriers/</link>
		<comments>https://blog.bit9.com/2013/04/24/aclu-calls-for-investigation-of-android-security-threat-blames-carriers/#comments</comments>
		<pubDate>Wed, 24 Apr 2013 16:33:31 +0000</pubDate>
		<dc:creator>Jon Cilley</dc:creator>
				<category><![CDATA[Mobile]]></category>
		<category><![CDATA[aclu]]></category>
		<category><![CDATA[android]]></category>
		<category><![CDATA[android fragmentation]]></category>
		<category><![CDATA[byod]]></category>
		<category><![CDATA[fragmentation]]></category>
		<category><![CDATA[galaxy nexus]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[htc]]></category>
		<category><![CDATA[mobile security]]></category>
		<category><![CDATA[motorola]]></category>
		<category><![CDATA[nexus 4]]></category>
		<category><![CDATA[samsung]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://blog.bit9.com/?p=4058</guid>
		<description><![CDATA[The ACLU recently wrote a 16-page complaint to the Federal Trade Commission accusing wireless carriers of purposefully preventing the push of patch updates to most Android devices, leaving them vulnerable to attack. Most of the known security flaws on Android... <a href="https://blog.bit9.com/2013/04/24/aclu-calls-for-investigation-of-android-security-threat-blames-carriers/">Continue Reading</a>]]></description>
				<content:encoded><![CDATA[<p><a href="https://blog.bit9.com/wp-content/uploads/2013/04/Android-Fragmentation.png"><img class="alignleft size-medium wp-image-4059" alt="Android Fragmentation" src="https://blog.bit9.com/wp-content/uploads/2013/04/Android-Fragmentation-300x225.png" width="300" height="225" /></a>The ACLU recently wrote a <a href="http://www.wired.com/images_blogs/threatlevel/2013/04/aclu_-_android_ftc_complaint_-_final.pdf" target="_blank">16-page complaint</a> to the Federal Trade Commission accusing wireless carriers of purposefully preventing the push of patch updates to most Android devices, leaving them vulnerable to attack. Most of the known security flaws on Android are quickly remediated by Google through timely patch updates to Nexus devices (except Verizon’s Galaxy Nexus), but linger months or years behind for others. In the complaint, the ACLU identifies both OEMs and carriers as the problem, but singles out carriers in its call for an FTC investigation of potentially deceptive business practices.</p>
<p>The challenge, however, is that assigning blame is almost as fragmented as the devices themselves. Because Android is open source, OEMs have the freedom to alter the OS and differentiate the platform in whatever way they choose.</p>
<p>Other possible reasons for delays could be: (a) manufacturers and carriers usually get their updates a little later than Google’s stock Android devices do; (b) they have to vet the updates for compatibility with the other software running on a specific device; and (c) the mechanisms for over-the-air updates are staggered across multiple devices, depending on the device model and OS version.</p>
<p>Carriers do add their own bloatware, skins, and launchers into the mix, but generally (and more significantly) OEMs alter devices – this is where the biggest bottleneck for critical updates develops. Modified versions of Android including HTC Sense, Motoblur, TouchWiz, etc., have altered stock Android enough that when Google pushes new updates, incorporating them into something like HTC Sense is time-consuming – even if HTC plans to deliver the update.</p>
<p>The next challenge comes when these updates are finally ready to be delivered: carriers have to vet them. Sometimes this is to ensure the integrity of the update, and other times it’s to stall its rollout. But most of the time, delays come from OEMs, either through the normal implementation process or because they end-of-life products after just one year. And depending on when in the product lifecycle the user purchased the device, they could be stuck with out-of-date software for the majority of the time they own it. It’s also important to note that when most Android devices are released, almost all of them are already fragmented.</p>
<p>OEMs also have an incentive to get you to buy a new device rather than maintain the one you already have. In all of this, Google has limited or no control over new updates and the security patches that come with them. With device manufacturers such as Samsung, which churn out numerous devices that are only incrementally different from the last (Galaxy Mega 5.8, Galaxy Mega 6.3, Galaxy S4, Galaxy Note II, Galaxy Note 8.0, Galaxy Tab 2 7.0, Galaxy Tab 7.7, Galaxy Tab 7.0 Plus – you get the idea), the focus is on dollars, not security – and there is no incentive to change.</p>
<p>So the ACLU raises important concerns regarding Android security, but ultimately it’s the same old story. People who want Android and also want better patch management of their software should buy a Nexus 4. Users tied to CDMA carriers such as Verizon or Sprint have a larger challenge ahead. There’s no Nexus 4 available for them, but there is an iPhone. If acquiring an iPhone isn’t doable then buying the Nexus 4 on a CDMA network could be possible in a few months with the launch of the next version. Ultimately, Google needs to find ways to deliver stock Android on CDMA carriers making devices such as the Nexus 4 more ubiquitous across every carrier. Google attempted to go down this road with Verizon’s rendition of the Samsung Galaxy Nexus, but it had to make a deal with Verizon first by allowing bloatware and update delays that prevented the Verizon Galaxy Nexus from installing the latest version of Android – leaving users vulnerable.</p>
]]></content:encoded>
			<wfw:commentRss>https://blog.bit9.com/2013/04/24/aclu-calls-for-investigation-of-android-security-threat-blames-carriers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
