<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;DUINRHY7eyp7ImA9WhVUFkQ.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843</id><updated>2012-05-22T10:39:55.803-04:00</updated><category term="mobile" /><category term="andrew jaquith" /><category term="40 under 40" /><category term="advanced malware protection" /><category term="matt watchinski" /><category term="sc awards" /><category term="adam o'donnell" /><category term="immunet" /><category term="rich mogull" /><category term="malware" /><category term="snort calendar" /><category term="rsa conference" /><category term="channel chiefs" /><category term="securosis" /><category term="enterprise antivirus" /><category term="open source" /><category term="next-generation network security" /><category term="file trajectory" /><category term="big data" /><category term="zero trust model" /><category term="information security" /><category term="fireamp" /><category term="mobile security" /><category term="network security" /><category term="snorty" /><category term="apache killer" /><category term="ipad 3" /><category term="antimalware" /><category term="byod" /><category term="silicon valley business journal" /><category term="snort" /><category term="application policies" /><category term="ngips" /><category term="context-aware security" /><category term="application control" /><category term="droppers" /><category term="ngfw" /><category term="new rules of anti-malware" /><category term="alfred huger" /><category term="outbreak control" /><category 
term="intrusion prevention systems" /><category term="martin roesch" /><category term="anti-malware" /><category term="roesch" /><category term="ponemon institute" /><category term="network segmentation" /><category term="chris peterson" /><category term="nss labs" /><category term="jason brvenik" /><category term="cloud security" /><category term="ids" /><category term="ssl" /><category term="next-generation firewall" /><category term="federal" /><category term="firepower" /><category term="richard stiennon" /><category term="oliver friedrichs" /><category term="intrusion prevention" /><category term="vmworld" /><category term="securing the cloud" /><category term="black box security" /><category term="security is a people problem" /><category term="best ips" /><category term="zero day" /><category term="virtualization" /><category term="agile security manifesto" /><category term="computer security" /><category term="security infographic" /><category term="vrt" /><category term="apple" /><category term="endpoint security security" /><category term="malware analysis" /><category term="calendar marketing" /><category term="ngfw survey" /><category term="sourcefire calendar" /><category term="it harvest" /><category term="sourcefire" /><category term="continuous capability" /><category term="security fact or fiction" /><category term="high-performance firewall" /><category term="ips" /><category term="channel leaders" /><category term="shionogi" /><category term="endpoint security" /><category term="network ips" /><category term="sc magazine" /><category term="readers choice 2011" /><category term="verizon data breach report" /><category term="agile security" /><category term="john adams twitter" /><category term="virtual infrastructure security" /><category term="information superiority" /><category term="cloud antivirus" /><category term="firesight" /><category term="offensive research" /><category term="security intelligence" /><category term="security research" 
/><category term="best intrusion prevention" /><category term="jason cornish" /><category term="security awareness" /><category term="information security magazine" /><category term="bring your own device" /><category term="antivirus" /><category term="sourcefire vrt" /><category term="bill brenner" /><category term="rsac" /><category term="security seminars" /><category term="microsoft" /><category term="next-generation ips" /><category term="snort rules" /><category term="it security best practices" /><category term="future-proof security" /><category term="ms11-100" /><category term="antivirus efficacy" /><category term="gartner" /><title>Sourcefire Corporate Blog</title><subtitle type="html">The official voice from Sourcefire, Inc. (Nasdaq:FIRE), a world leader in intelligent cybersecurity solutions.</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://blog.sourcefire.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>Chris Chon</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="31" height="32" src="http://3.bp.blogspot.com/-DYB62N2y88Y/TkWSYmgRwII/AAAAAAAAAAU/hbuJk0draYo/s220/mad_snorty.gif" /></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>78</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/SourcefireCorporateBlog" /><feedburner:info uri="sourcefirecorporateblog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" 
href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>SourcefireCorporateBlog</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><entry gd:etag="W/&quot;DUINRHYyeSp7ImA9WhVUFkQ.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-4677206161720752161</id><published>2012-05-22T10:39:00.000-04:00</published><updated>2012-05-22T10:39:55.891-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-22T10:39:55.891-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><category scheme="http://www.blogger.com/atom/ns#" term="securosis" /><category scheme="http://www.blogger.com/atom/ns#" term="advanced malware protection" /><category scheme="http://www.blogger.com/atom/ns#" term="malware analysis" /><category scheme="http://www.blogger.com/atom/ns#" term="computer security" /><category scheme="http://www.blogger.com/atom/ns#" term="big data" /><category scheme="http://www.blogger.com/atom/ns#" term="endpoint security" /><category scheme="http://www.blogger.com/atom/ns#" term="anti-malware" /><category scheme="http://www.blogger.com/atom/ns#" term="fireamp" /><title>Advanced Malware Analysis - Unveiling the Cost</title><content type="html">&lt;b&gt;A metrics-based approach to assessing cost-benefit in malware analysis&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Every security organization deals with it – digging in after a breach to understand exactly what happened in an attempt to stop the breach, clean up after it and prevent it from recurring.  Despite this ubiquity, everybody does it a little differently.  There are almost as many approaches to performing malware analysis as there are people performing it. &lt;br /&gt;
&lt;br /&gt;
Because there are no tightly defined best practices to guide groups in their malware analysis efforts, it is very difficult for them to have any quantitative sense of the trade-offs they are making in how they approach it.  This makes it difficult to justify the cost-benefit of the steps they do take, as well as the savings-versus-risk of the steps they don’t take.&lt;br /&gt;
&lt;br /&gt;
While it doesn’t deliver a tightly defined set of best practices, Securosis’ “&lt;a href="http://info.sourcefire.com/SecurosisWhitepaper.html"&gt;Malware Analysis Quant Research Project&lt;/a&gt;” does the next best thing.  Based on researching more than 50 companies, it details the universe of malware analysis steps that companies take and ascribes typical times, resources and costs to these steps.&lt;br /&gt;
&lt;br /&gt;
The list of malware analysis steps that Securosis found is quite exhaustive.  Few, if any, of the companies surveyed in the report perform all the steps.  The total possible number of steps alone would make it difficult to describe best practices.   That, coupled with each organization having a different risk profile and ability to invest in the process, makes it almost impossible.  What may be appropriate for one company may be overkill for another.&lt;br /&gt;
&lt;br /&gt;
This should be a nice benefit for security groups as they think about their incident response. This is particularly important since advanced malware threats are top of mind.  Having this knowledge: &lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;Lets them compare their processes with all possible processes and with typical processes so that they know how they stack up &lt;/li&gt;
&lt;li&gt;Provides a quantitative basis for making decisions about adding additional steps (or removing steps) in malware analysis &lt;/li&gt;
&lt;li&gt;Provides a quantitative basis for justifying what they do and for adding additional resources (this may be most important) &lt;/li&gt;
&lt;/ul&gt;
Of course, as a Sourcefire employee on the FireAMP team, I also find this analysis very timely. FireAMP replaces many of the malware analysis steps described in the report with an automated way to get visibility into the full extent of the exposure and identify root cause to lower the incidence of reinfection.  The report provides us with a framework to describe exactly which malware analysis steps FireAMP automates and which costs it eliminates.  Stay tuned for an ROI calculator from us that models these savings.&lt;br /&gt;
&lt;br /&gt;
If you are a security professional with incident response responsibilities you should download Securosis’ “&lt;a href="http://info.sourcefire.com/SecurosisWhitepaper.html"&gt;Malware Analysis Quant Research Project&lt;/a&gt;” and associated report “Measuring and Optimizing Malware Analysis: An Open Model.”&amp;nbsp;  And then you may want to contact Sourcefire to learn more about options for automating many steps in the process.&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-4677206161720752161?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/aj_Y0qMRn-U" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/4677206161720752161/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/05/advanced-malware-analysis-unveiling.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/4677206161720752161?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/4677206161720752161?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/aj_Y0qMRn-U/advanced-malware-analysis-unveiling.html" title="Advanced Malware Analysis - Unveiling the Cost" /><author><name>Tom Stuart</name><uri>https://profiles.google.com/114334359190911009749</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh6.googleusercontent.com/-igON8WE3lHI/AAAAAAAAAAI/AAAAAAAAAXs/6sri7qUF3HI/s512-c/photo.jpg" 
/></author><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/05/advanced-malware-analysis-unveiling.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkIHQHw4eCp7ImA9WhVUEko.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-7918005264334761499</id><published>2012-05-17T13:08:00.000-04:00</published><updated>2012-05-17T13:08:51.230-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-17T13:08:51.230-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="byod" /><category scheme="http://www.blogger.com/atom/ns#" term="mobile" /><category scheme="http://www.blogger.com/atom/ns#" term="firesight" /><category scheme="http://www.blogger.com/atom/ns#" term="verizon data breach report" /><category scheme="http://www.blogger.com/atom/ns#" term="bring your own device" /><category scheme="http://www.blogger.com/atom/ns#" term="endpoint security" /><category scheme="http://www.blogger.com/atom/ns#" term="fireamp" /><title>What Would Willie Sutton Say Now?</title><content type="html">As most know, Willie Sutton was the bank robber who, as legend has it, when asked why he robbed banks replied, “Because that is where the money is.” He denies ever saying it, but the point behind the quote is valid.  That is why it is not surprising that the Verizon 2012 Data Breach Investigations Report (DBIR) - a continuing fount of good findings - found:&lt;br /&gt;
&lt;blockquote class="tr_bq"&gt;
“almost all incidents in which very large amounts of data are compromised involve servers”&lt;/blockquote&gt;
Most of the valuable data resides on the servers, so you’d expect them to be involved in a high fraction of the breaches.  &lt;br /&gt;
&lt;br /&gt;
I think about this in context of a recent trend I have been hearing about regarding the issue of how to secure user devices in a Bring Your Own Device (BYOD) world.  Unlike a year ago when security executives were wondering what to do about BYOD, this year, many have embraced BYOD. Further, their attitude is that they don’t want to manage the user devices.  They are resigned to this attitude because they don’t have the resources to manage all these disparate devices.  Instead they will just put the proper protection and access controls in place for sensitive systems and data.  They want to keep Willie Sutton from having access to the bank vault.&lt;br /&gt;
&lt;br /&gt;
Unfortunately, another finding from the DBIR describes a flaw in this approach.  The finding is this:&lt;br /&gt;
&lt;blockquote class="tr_bq"&gt;
“We all know, of course, that user devices store and process information too. Furthermore, most organizations have a lot more of them than they do servers, and they’re often widely distributed, highly mobile, less restricted, and—perhaps more importantly—controlled by end users (a shudder travels down the spine of all the admins out there). For all of these reasons and more, user devices frequently factor into data breaches in some manner or another and contribute to a hefty chunk of overall data loss.&lt;br /&gt;
&lt;br /&gt;
Sometimes they are the endpoint from which data is taken, but more often they simply provide an initial “foothold” into the organization, from which the intruder stages the rest of their attack. A common scenario—especially for larger organizations—involves the installation of a keylogger on a workstation or laptop in order to steal the user’s username/password for an internal application server.”&lt;/blockquote&gt;
This means that protecting the sensitive data stored on servers also requires that the organization provide for security on user devices, both on and off the network.  This also means that the latest trendy network-based approaches to detecting malware using sandboxes or monitoring command-and-control (C&amp;amp;C) traffic also fall short.  They provide no protection for user devices away from the corporate network--when at home, when traveling or at a coffee shop.  The only thorough way to protect these devices and not allow them to be the gateway into the most sensitive repositories of corporate data is to have a constantly vigilant presence on each endpoint - the kind of protection that is provided by Sourcefire’s FireAMP product.&lt;br /&gt;
&lt;br /&gt;
In order to successfully get to the money stored in the vault, Willie Sutton needed to enter through the door and get past the teller.  In the cyber world, let’s not leave the door open and the bank unattended.&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-7918005264334761499?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/pKlqTVJmaw0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/7918005264334761499/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/05/what-would-willie-sutton-say-now.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/7918005264334761499?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/7918005264334761499?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/pKlqTVJmaw0/what-would-willie-sutton-say-now.html" title="What Would Willie Sutton Say Now?" 
/><author><name>Tom Stuart</name><uri>https://profiles.google.com/114334359190911009749</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh6.googleusercontent.com/-igON8WE3lHI/AAAAAAAAAAI/AAAAAAAAAXs/6sri7qUF3HI/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/05/what-would-willie-sutton-say-now.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DU8FSXgzeyp7ImA9WhVUEUU.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-2226908634686401843</id><published>2012-05-16T13:03:00.000-04:00</published><updated>2012-05-16T13:03:38.683-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-16T13:03:38.683-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="vrt" /><category scheme="http://www.blogger.com/atom/ns#" term="sourcefire" /><category scheme="http://www.blogger.com/atom/ns#" term="sourcefire vrt" /><category scheme="http://www.blogger.com/atom/ns#" term="next-generation firewall" /><category scheme="http://www.blogger.com/atom/ns#" term="network security" /><category scheme="http://www.blogger.com/atom/ns#" term="next-generation ips" /><title>Sourcefire VRT: Bigger, Stronger, Faster (VIDEO)</title><content type="html">As a company, everything that Sourcefire does embodies Bigger, Stronger, Faster - down to the teams that we build.&amp;nbsp; In the below video, Sourcefire's elite &lt;a href="http://www.sourcefire.com/security-technologies/snort/vulnerability-research-team" target="_blank"&gt;Vulnerability Research Team (VRT)&lt;/a&gt; has a little fun with this concept, but at the core we are serious about superior innovation and superior people who work together to bring to market superior products.&amp;nbsp; For more on why Sourcefire is Bigger, Stronger, Faster, visit &lt;a href="http://www.sourcefire.com/nsslabs"&gt;http://www.sourcefire.com/nsslabs&lt;/a&gt; or &lt;a 
href="http://vrt-blog.snort.org/"&gt;http://vrt-blog.snort.org&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/NIWkXqbTN9I" width="560"&gt;&lt;/iframe&gt;&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-2226908634686401843?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/54ZW5Kzwhmc" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/2226908634686401843/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/05/sourcefire-vrt-bigger-stronger-faster.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/2226908634686401843?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/2226908634686401843?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/54ZW5Kzwhmc/sourcefire-vrt-bigger-stronger-faster.html" title="Sourcefire VRT: Bigger, Stronger, Faster (VIDEO)" /><author><name>Staff Contributor</name><uri>http://www.blogger.com/profile/14631354433093850544</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://img.youtube.com/vi/NIWkXqbTN9I/default.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/05/sourcefire-vrt-bigger-stronger-faster.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;CEMMRH47fCp7ImA9WhVVFUU.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-2061389700032890460</id><published>2012-05-09T10:15:00.000-04:00</published><updated>2012-05-09T12:54:45.004-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-09T12:54:45.004-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="antimalware" /><category scheme="http://www.blogger.com/atom/ns#" term="new rules of anti-malware" /><category scheme="http://www.blogger.com/atom/ns#" term="endpoint security" /><category scheme="http://www.blogger.com/atom/ns#" term="fireamp" /><title>"Emergency Flash update fixes security bug being used to hijack PCs" - Now what?</title><content type="html">ars technica, one of my favorite sources of tech news, just published this article -&amp;nbsp;&lt;a href="http://arstechnica.com/business/news/2012/05/emergency-flash-update-fixes-security-bug-being-used-to-hijack-pcs.ars" target="_blank"&gt;"Emergency Flash update fixes security bug being used to hijack PCs"&lt;/a&gt;. This is a pretty common&amp;nbsp;occurrence - a vulnerability is announced, with or without a fix, and you need to decide what to do about it. &lt;br /&gt;
&lt;br /&gt;
When a fix is available, the decision is pretty simple - deploy the fix as soon as possible. &amp;nbsp;&amp;nbsp;This still leaves your organization exposed for a period of time, however short. &amp;nbsp;The duration of your exposure will vary depending upon whether there are change management procedures in place, how long it takes to roll out the fix, and how many employees are temporarily off the corporate network and don't have the fix available to them.&lt;br /&gt;
&lt;br /&gt;
It's much worse when a vulnerability is announced with no fix available. &amp;nbsp; The decision is much tougher. &amp;nbsp;Do I let employees continue to use the application and risk the exposure, or do I eliminate the application and probably disrupt productivity while causing the additional administrative burden of uninstalling and reinstalling? &amp;nbsp;Part of what you do depends on how critical the application is to the running of your business. &amp;nbsp;If the vulnerable component is the OS, then you have little recourse. &amp;nbsp;If it is an application that is helpful to some in your organization, but not critical to them performing their job, then you may have more choices. &amp;nbsp;What qualifies as nice-to-have versus essential will vary from organization to organization. &amp;nbsp; Skype is a possible example. &amp;nbsp;Perhaps the Flash mentioned in the ars technica article is another.&lt;br /&gt;
&lt;br /&gt;
Sourcefire's FireAMP product offers a new and alternate approach to minimizing the exposure in the face of vulnerabilities. FireAMP has an Outbreak Control feature called Application Blocking that lets the system administrator block any file from executing on the endpoint. &amp;nbsp;It blocks execution without removing the file, and can be applied to the entire organization or an appropriate subset. &lt;br /&gt;
&lt;br /&gt;
Because FireAMP applies big data analytics for a central intelligence, this blocking is done centrally, is effective immediately, and doesn't require any change to the endpoint software. &amp;nbsp;That means no change management is needed, no lengthy rollout, and all endpoints, even those off the corporate network, are covered immediately. &amp;nbsp;The exposure is immediately minimized. &amp;nbsp;Furthermore, it can be applied granularly to offer protection with minimum impact on productivity. &amp;nbsp;In the Flash example - an administrator could decide to block the running of Flash for Finance and Sales, but allow it to run in the creative department where it may be needed most. &amp;nbsp;Once the fix is rolled out, the block can be lifted and everybody can run the application again. &amp;nbsp;This is another example of how a big data and central intelligence approach can narrow the window of exposure against advanced malware.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-2061389700032890460?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/lLDJYuuVlpI" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/2061389700032890460/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/05/emergency-flash-update-fixes-security.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/2061389700032890460?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/2061389700032890460?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/lLDJYuuVlpI/emergency-flash-update-fixes-security.html" title="&quot;Emergency Flash update fixes security bug being used to hijack PCs&quot; - Now what?" 
/><author><name>Tom Stuart</name><uri>https://profiles.google.com/114334359190911009749</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh6.googleusercontent.com/-igON8WE3lHI/AAAAAAAAAAI/AAAAAAAAAXs/6sri7qUF3HI/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/05/emergency-flash-update-fixes-security.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUEHSH04fyp7ImA9WhVVFE0.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-7784450478356910284</id><published>2012-05-07T11:13:00.001-04:00</published><updated>2012-05-07T11:13:59.337-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-07T11:13:59.337-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="next-generation network security" /><category scheme="http://www.blogger.com/atom/ns#" term="best ips" /><category scheme="http://www.blogger.com/atom/ns#" term="jason brvenik" /><category scheme="http://www.blogger.com/atom/ns#" term="computer security" /><category scheme="http://www.blogger.com/atom/ns#" term="intrusion prevention" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><category scheme="http://www.blogger.com/atom/ns#" term="next-generation ips" /><title>Importance of Consistent Security Effectiveness, Performance</title><content type="html">In my post "&lt;a href="http://blog.sourcefire.com/2012/04/sourcefire-firepower-bigger-stronger.html"&gt;Sourcefire FirePOWER - Bigger, Stronger, Faster&lt;/a&gt;" I briefly discuss our NSS Labs Product Analysis reports. I will be participating in a webinar with NSS Labs on &lt;a href="https://www3.gotomeeting.com/register/674399622"&gt;Wednesday, May 9th, at 1 p.m. ET&lt;/a&gt;, during which time&amp;nbsp;we will discuss these results and the tests themselves.&lt;br /&gt;
&lt;div class="p2"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class="p1"&gt;
Please join as we cover:&lt;/div&gt;
&lt;div class="p2"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class="p3"&gt;
● Sourcefire performance over time&lt;/div&gt;
&lt;div class="p3"&gt;
● The importance of third-party, real-world testing and analysis&amp;nbsp;&lt;/div&gt;
&lt;div class="p3"&gt;
● Why consistency in continued testing is critical and what it, or the lack thereof, indicates&amp;nbsp;&lt;/div&gt;
&lt;div class="p3"&gt;
● Sourcefire’s latest security effectiveness, performance and TCO numbers for FirePOWER appliances&amp;nbsp;&lt;/div&gt;
&lt;div class="p3"&gt;
● How to put these types of testing metrics into actionable plans for your enterprise&amp;nbsp;&lt;/div&gt;
&lt;div class="p1"&gt;
&lt;span class="s1"&gt;● &lt;/span&gt;Learn what this graphic represents:&lt;/div&gt;
&lt;div class="p2"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-8Vq50o4YimE/T6fLNZbn4MI/AAAAAAAAACQ/RIoE5_m0upA/s1600/Screen+Shot+2012-05-07+at+9.15.52+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-8Vq50o4YimE/T6fLNZbn4MI/AAAAAAAAACQ/RIoE5_m0upA/s1600/Screen+Shot+2012-05-07+at+9.15.52+AM.png" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div class="p2"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class="p2"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class="p2"&gt;
To register for the webinar please direct your browser &lt;a href="https://www3.gotomeeting.com/register/674399622"&gt;here&lt;/a&gt;.&amp;nbsp;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-7784450478356910284?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/LSQyaWQTu8I" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/7784450478356910284/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/05/importance-of-consistent-security.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/7784450478356910284?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/7784450478356910284?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/LSQyaWQTu8I/importance-of-consistent-security.html" title="Importance of Consistent Security Effectiveness, Performance" /><author><name>Jason Brvenik</name><uri>http://www.blogger.com/profile/05151408378216283895</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-8Vq50o4YimE/T6fLNZbn4MI/AAAAAAAAACQ/RIoE5_m0upA/s72-c/Screen+Shot+2012-05-07+at+9.15.52+AM.png" height="72" width="72" 
/><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/05/importance-of-consistent-security.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0YBQ307eSp7ImA9WhVVEEg.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-6848627154217971896</id><published>2012-05-03T11:32:00.000-04:00</published><updated>2012-05-03T11:32:32.301-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-03T11:32:32.301-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="best intrusion prevention" /><category scheme="http://www.blogger.com/atom/ns#" term="antimalware" /><category scheme="http://www.blogger.com/atom/ns#" term="mobile" /><category scheme="http://www.blogger.com/atom/ns#" term="ips" /><category scheme="http://www.blogger.com/atom/ns#" term="high-performance firewall" /><category scheme="http://www.blogger.com/atom/ns#" term="jason brvenik" /><category scheme="http://www.blogger.com/atom/ns#" term="federal" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><category scheme="http://www.blogger.com/atom/ns#" term="mobile security" /><title>A Federal Mobilization</title><content type="html">The trend of mobility is undeniable.&amp;nbsp;&amp;nbsp; According to a recent Wakefield Research survey, some 72 percent of government IT employees reported mobile devices having beneficial effects on their agencies.&amp;nbsp; What is more, true to the trend of bring-your-own-device, two-thirds of federal employees, according to a survey by Fabrizio, Ward, and Associates, already rely on mobile devices.&amp;nbsp; So what is the mobile opportunity for the public sector?&amp;nbsp; Perhaps US CIO Steven VanRoekel puts it best:&lt;br /&gt;
&lt;blockquote class="tr_bq"&gt;
"When you're carrying a mobile device, you have the power of every federal agency in your pocket."&lt;/blockquote&gt;
This holds true both for citizens looking to quickly engage with agencies and for those same agencies seeking to harness mobile devices, as they have already begun to do, to more efficiently deliver services to Americans.&lt;br /&gt;
&lt;br /&gt;
To capitalize on this opportunity, US CIO VanRoekel has spearheaded the development of an outline for a &lt;a href="http://mobility-strategy.ideascale.com/a/pages/draft-outline"&gt;National Mobility Strategy&lt;/a&gt;, with key objectives being to use mobility to improve delivery of government services and increase Federal productivity.&lt;br /&gt;
&lt;br /&gt;
This move to mobile is heartening, but we will need to make this transition with our eyes open.&amp;nbsp; How will sensitive Federal data on these devices be protected?&amp;nbsp; Will Federal networks have sufficient ongoing network visibility and intelligence to see and manage devices coming and going on networks--and the unique security risk that each device represents?&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://4.bp.blogspot.com/-Jwxdqj_H3z8/T58PPcUo47I/AAAAAAAAAD4/eRfvpK1bARw/s1600/customhead_immixgroup_v4.ashx.jpeg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img alt="" border="0" height="72" src="http://4.bp.blogspot.com/-Jwxdqj_H3z8/T58PPcUo47I/AAAAAAAAAD4/eRfvpK1bARw/s320/customhead_immixgroup_v4.ashx.jpeg" title="" width="320" /&gt;&lt;/a&gt;To help answer these questions, Jason Brvenik, Sourcefire's vice president of security strategy, will participate in an upcoming event presented by Federal Computer Week: Mobile Government Implementation Strategies: Challenges and Opportunity.&amp;nbsp; The May 16 event is in Washington D.C., from 8 am to Noon.&amp;nbsp; Those interested in attending can register here: &lt;a href="http://sfi.re/JGT3yv"&gt;http://sfi.re/JGT3yv&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Beyond security, other topics will include how the National Mobility Strategy will affect agencies, approaches to BYOD, how agencies are managing mobile apps for government services and how mobility will enhance productivity.&lt;br /&gt;
&lt;br /&gt;
For those in DC on the 16th, we hope to see you.&amp;nbsp; But should you not be able to make it, in your opinion, what is the biggest Federal mobility challenge?&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-6848627154217971896?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/MRKNKaT0aeE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/6848627154217971896/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/05/federal-mobilization.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/6848627154217971896?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/6848627154217971896?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/MRKNKaT0aeE/federal-mobilization.html" title="A Federal Mobilization" /><author><name>Staff Contributor</name><uri>http://www.blogger.com/profile/14631354433093850544</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-Jwxdqj_H3z8/T58PPcUo47I/AAAAAAAAAD4/eRfvpK1bARw/s72-c/customhead_immixgroup_v4.ashx.jpeg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/05/federal-mobilization.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;CUMER38zcSp7ImA9WhVWGUs.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-3210542461314593772</id><published>2012-05-02T08:34:00.001-04:00</published><updated>2012-05-02T08:56:46.189-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-02T08:56:46.189-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="advanced malware protection" /><category scheme="http://www.blogger.com/atom/ns#" term="verizon data breach report" /><category scheme="http://www.blogger.com/atom/ns#" term="big data" /><category scheme="http://www.blogger.com/atom/ns#" term="fireamp" /><title>Verizon Data Breach Report Findings: Remarkable, but not Surprising</title><content type="html">Every year the Verizon Data Breach Investigations Report uncovers interesting findings about the characteristics and frequency of data breaches across industries, company size and geography. These reports are helpful for people to better understand and prepare&amp;nbsp;for the latest threats and approaches.&lt;br /&gt;
&lt;br /&gt;
The “&lt;a href="http://www.verizonbusiness.com/about/events/2012dbir/index.xml" target="_blank"&gt;2012 Verizon Data Breach Investigations Report&lt;/a&gt;” contains some remarkable, but not necessarily surprising, findings. &amp;nbsp;At least not surprising to the security professionals who deal with cyber threats day in and day out. &amp;nbsp;Let’s review some of the findings. &amp;nbsp;Of all incidents documented:

&lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;98% stemmed from external agents (+6%)&lt;/li&gt;
&lt;li&gt;81% utilized some form of hacking (+31%)&lt;/li&gt;
&lt;li&gt;69% incorporated malware (+20%)&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
These findings suggest that people outside the organization want access to some internal information and attempt to get it by exploiting vulnerabilities in systems, processes or human nature in order to deposit malware that finishes the task. The result:&lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;174 million compromised records&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
From the looks of it, and the 174 million compromised records, they have largely succeeded. This is not particularly earth shattering. &amp;nbsp;The 174 million compromised records is a good indication of what security professionals have known for some time and which is just now starting to get wider visibility – layers of defense against threats are necessary, but not sufficient. &amp;nbsp;Even newer approaches to defense, such as sandboxing at the gateway and detecting traffic to known C&amp;amp;C servers, can be (and are) evaded by these threats – potentially the subject of a subsequent blog post.&lt;br /&gt;
&lt;br /&gt;
This next finding IS remarkable:&lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;85% of breaches took weeks or more to discover (+6%)&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
Think about it. &amp;nbsp;By the point at which a threat is identified, it has been in the organization for weeks with free rein to gather sensitive information, spread itself throughout the company, cover its tracks and introduce other new threats. &amp;nbsp;This is no surprise to security professionals protecting their organizations. &amp;nbsp;Incident response and forensic teams know what a problem this is. They immediately take measures to block and rid themselves of the threat, while they dig in to quantify their exposure, identify the root cause and catalog the sensitive information exfiltrated.&lt;br /&gt;
&lt;br /&gt;
Quantifying the full exposure is difficult. &amp;nbsp;Scanning techniques don’t uncover threats that have covered their tracks. &amp;nbsp;The Verizon recommendation to “monitor and mine event logs” is a time-consuming and tedious task at best. &amp;nbsp;Even then, the threat may be identified, but if the root cause of the threat isn’t identified and remedied, the team can expect the threat to recur repeatedly. And if the path the threat took isn’t identified, clean-up and full remediation will be difficult at best.&lt;br /&gt;
&lt;br /&gt;
Complete visibility into the full extent of the exposure and root cause can only be accomplished by understanding all file activity on the endpoint. Continuous endpoint vigilance makes it possible to do things such as connect threats to the parent processes that introduced them - a crucial step to prevent reinfection - and identify threats that either aren’t currently active, are not communicating with known C&amp;amp;C servers or have obscured themselves.&lt;br /&gt;
&lt;br /&gt;
Fortunately, the tools for understanding the outbreak and its root causes just got a lot better. &amp;nbsp;Leveraging technologies developed for the consumer internet, it is now possible to treat security as a big-data problem. &amp;nbsp;FireAMP &lt;a href="http://www.sourcefire.com/security-technologies/advanced-malware-protection/fireamp" target="_blank"&gt;advanced malware protection&lt;/a&gt; from Sourcefire is one product that uses this approach. &amp;nbsp;Once a threat is identified, a complete ‘file trajectory’ of it can be mapped out showing the first system infected, every subsequent system infected and the process that introduced the threat into the environment. &amp;nbsp;Because the file activity is collected prior to a threat being written to a system, this information is available and accurate even if the threat later tried to obscure itself and cover its tracks. &lt;br /&gt;
&lt;br /&gt;
Having an immediate and accurate map like this will help these security teams manage the damage and prevent repeat outbreaks.&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-3210542461314593772?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/6ouda4qJaLE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/3210542461314593772/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/05/verizon-data-breach-report-findings.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/3210542461314593772?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/3210542461314593772?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/6ouda4qJaLE/verizon-data-breach-report-findings.html" title="Verizon Data Breach Report Findings: Remarkable, but not Surprising" /><author><name>Tom Stuart</name><uri>https://profiles.google.com/114334359190911009749</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh6.googleusercontent.com/-igON8WE3lHI/AAAAAAAAAAI/AAAAAAAAAXs/6sri7qUF3HI/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/05/verizon-data-breach-report-findings.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;DE4AQ3w6fyp7ImA9WhVWE0s.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-1248042498084995748</id><published>2012-04-25T11:15:00.000-04:00</published><updated>2012-04-25T11:15:42.217-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-25T11:15:42.217-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="antimalware" /><category scheme="http://www.blogger.com/atom/ns#" term="alfred huger" /><category scheme="http://www.blogger.com/atom/ns#" term="advanced malware protection" /><category scheme="http://www.blogger.com/atom/ns#" term="enterprise antivirus" /><category scheme="http://www.blogger.com/atom/ns#" term="antivirus" /><category scheme="http://www.blogger.com/atom/ns#" term="adam o'donnell" /><category scheme="http://www.blogger.com/atom/ns#" term="endpoint security" /><category scheme="http://www.blogger.com/atom/ns#" term="anti-malware" /><category scheme="http://www.blogger.com/atom/ns#" term="fireamp" /><title>FireAMP Creators Series - The Evolution of Advanced Malware Protection</title><content type="html">In these videos, we sit down with two of FireAMP's creators, Alfred Huger and Adam O'Donnell, to discuss how FireAMP came to be, why advanced malware protection's time is now, the problems it solves, along with the experience of building the product.&lt;br /&gt;
&lt;br /&gt;
Please enjoy the first installment looking at the process of developing FireAMP's disruptive enterprise technology.&amp;nbsp; Stay tuned for additional videos in this series. Anything you'd like to ask these creators?&lt;br /&gt;
&lt;br /&gt;
&lt;iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/YMgPPWUKySg" width="420"&gt;&lt;/iframe&gt;&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-1248042498084995748?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/Pof6DVgHW44" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/1248042498084995748/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/04/fireamp-creators-series-evolution-of.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/1248042498084995748?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/1248042498084995748?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/Pof6DVgHW44/fireamp-creators-series-evolution-of.html" title="FireAMP Creators Series - The Evolution of Advanced Malware Protection" /><author><name>Staff Contributor</name><uri>http://www.blogger.com/profile/14631354433093850544</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://img.youtube.com/vi/YMgPPWUKySg/default.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/04/fireamp-creators-series-evolution-of.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;DEEFSXs4fCp7ImA9WhVXGEg.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-7170358923121176059</id><published>2012-04-19T12:10:00.000-04:00</published><updated>2012-04-19T13:30:18.534-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-19T13:30:18.534-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="antimalware" /><category scheme="http://www.blogger.com/atom/ns#" term="advanced malware protection" /><category scheme="http://www.blogger.com/atom/ns#" term="droppers" /><category scheme="http://www.blogger.com/atom/ns#" term="antivirus" /><category scheme="http://www.blogger.com/atom/ns#" term="anti-malware" /><category scheme="http://www.blogger.com/atom/ns#" term="fireamp" /><title>Droppers from Around the World: Brazil</title><content type="html">Our next foray into malware droppers takes us to Brazil.&amp;nbsp; The most common malware dropper there is explorer.exe (aggregating all versions).&amp;nbsp; As we noted in earlier posts in this series, when you see explorer.exe as a dropper, that means users are actually double clicking on a malicious file and getting infected that way - i.e., there is a clear-cut social engineering mechanism at play.&amp;nbsp; Even when you account for version numbers, explorer.exe remains on top, with version 6.0.2900.5512 being the one to most commonly drop malware.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-PvBR4IenXmo/T5A4bo8bIoI/AAAAAAAAADw/CllTQcmtm5M/s1600/Snorty+Brazil.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="200" src="http://3.bp.blogspot.com/-PvBR4IenXmo/T5A4bo8bIoI/AAAAAAAAADw/CllTQcmtm5M/s200/Snorty+Brazil.jpg" width="150" /&gt;&lt;/a&gt;&lt;/div&gt;
The next most common dropper in Brazil is called "Ev~NeN^e.eXe."&amp;nbsp; This is a common malware name and in this particular case it represents the W32.Sality virus, which is the threat we most commonly see in non-English speaking countries.&lt;br /&gt;
&lt;br /&gt;
In terms of web browsers, their ordering as droppers is the exact opposite of what you typically see.&amp;nbsp; In particular, Firefox is the most popular dropper among the browsers, followed by Chrome, and then Internet Explorer.&amp;nbsp; When accounting for version numbers among browsers, Firefox version 3.6.23.0 drops the most malware.&amp;nbsp; In contrast, at a global level, we typically see Internet Explorer, followed by Chrome followed by Firefox.&amp;nbsp; From what we can gather, none of these instances appear to be the result of an actual browser exploit.&amp;nbsp; Rather, users seem to be unwittingly downloading and executing malicious files from the web.&lt;br /&gt;
&lt;br /&gt;
The third most common dropper in Brazil is reader_sl.exe, which is associated with Adobe Reader - suggesting that many Brazilians are getting infected via PDF exploits and other PDF-related threat vectors (or even getting tricked into running non-authentic versions of Adobe Reader).&amp;nbsp; Infections via PDF are a growing concern in general, since users often perceive a false sense of safety when it comes to opening documents.&amp;nbsp; At the same time, however, PDF is a highly expressive language and the underlying reader is a complex piece of software.&amp;nbsp; Users, therefore, have to continue to be cautious when downloading any content from the Internet - regardless of what risks they perceive that content as having.&lt;br /&gt;
&lt;br /&gt;
On a related note, rounding out the top 5 droppers in Brazil is uTorrent.exe (version 2.2.1.25302), which represents a common Bit Torrent application.&amp;nbsp; The presence of this dropper suggests people are getting infected by downloading malicious torrents (perhaps under the guise of pirated software, movies and music).&amp;nbsp; Infections via pirated content are quite common.&amp;nbsp; Users often take unnecessary risks thinking they will get a free copy of a game, movie or song.&amp;nbsp; In far too many of these cases they get an extra helping of malware on the side.&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-7170358923121176059?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/m4q-Hg38_g0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/7170358923121176059/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/04/droppers-from-around-world-brazil.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/7170358923121176059?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/7170358923121176059?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/m4q-Hg38_g0/droppers-from-around-world-brazil.html" title="Droppers from Around the World: Brazil" /><author><name>Staff Contributor</name><uri>http://www.blogger.com/profile/14631354433093850544</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" 
width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-PvBR4IenXmo/T5A4bo8bIoI/AAAAAAAAADw/CllTQcmtm5M/s72-c/Snorty+Brazil.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/04/droppers-from-around-world-brazil.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0MHRnw7fip7ImA9WhVXFUU.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-5245016174272066910</id><published>2012-04-16T09:03:00.000-04:00</published><updated>2012-04-16T09:03:57.206-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-16T09:03:57.206-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="sourcefire" /><category scheme="http://www.blogger.com/atom/ns#" term="ips" /><category scheme="http://www.blogger.com/atom/ns#" term="ngips" /><category scheme="http://www.blogger.com/atom/ns#" term="firepower" /><category scheme="http://www.blogger.com/atom/ns#" term="nss labs" /><category scheme="http://www.blogger.com/atom/ns#" term="next-generation ips" /><title>Sourcefire FirePOWER - Bigger, Stronger, Faster</title><content type="html">Today marks an achievement not yet seen in our industry. NSS Labs has released &lt;a href="http://info.sourcefire.com/2012_NSSLabs.html" target="_blank"&gt;three product analysis reports&lt;/a&gt;&amp;nbsp;on IPS that contain testing data on the 8120, 8250, and 8260. For the fourth year running, we have received independent validation of the security effectiveness, performance and total cost of ownership (TCO) of our Next-Generation IPS (NGIPS) products. When you look at our results you will note that we have consistently improved our effectiveness while the testing and security environments have become more demanding. 
We even managed to exceed the previous record we set for effectiveness, achieving 99% coverage over last year’s 98% coverage.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-2Spt0k1HdGw/T4dp7lzgyUI/AAAAAAAAAVY/x-EseJgQqn4/s1600/iStock_000003225905XSmall.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="236" src="http://4.bp.blogspot.com/-2Spt0k1HdGw/T4dp7lzgyUI/AAAAAAAAAVY/x-EseJgQqn4/s320/iStock_000003225905XSmall.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;In 2011, we brought to market FirePOWER, which is the foundation for our next-generation network security platform. Our approach is one of hardware acceleration combined with software innovation to deliver capabilities to market in the fastest and most reliable way possible. Over the years you will have noticed us implement in software, optimize that software, and transition that to hardware where appropriate. This platform provides us the fundamental packet handling needed for our NGIPS and is the building block of our Next-Generation Firewall (NGFW). The performance results of all three products were consistently 170% of rated throughput. The 8260 model tested at 34G of inspected throughput when measured against a real world mix of traffic. This consistency demonstrates Sourcefire's commitment to providing appliances that can both scale and grow as network security needs change.&lt;br /&gt;
&lt;br /&gt;
It makes me proud to tell you that Sourcefire invests significantly in our products to ensure that we provide the most effective tools available to protect our customers’ networks. I’m also proud to acknowledge that before we can bring to market superior products, we must start with superior people. Finding exceptional talent that meets our high standards is challenging, but that effort has culminated in creating the best technical team one could find. This incredibly talented team is directly responsible for these results, which aren’t just important for our customers; they are important for our industry. &lt;br /&gt;
&lt;br /&gt;
Independent testing serves as checks and balances on vendor and data sheet claims, and we are proud of our achievement. What makes us even more proud of this work is that, looking at numbers from competitors over the years, you can see that even larger organizations have been unable to maintain the focus and dedication it takes to consistently protect their customers. In the end, we are bigger, stronger and faster than they are. &lt;br /&gt;
&lt;br /&gt;
We are proud of our advancements, yet we know they are not the end of the road. We will continue to innovate and advance our core engine, because we believe deeply in the need for security.  It is also important to us, and the foundation of our company, that we continue to provide our enhancements to our core engine as open source, and we expect that the community continues to benefit from them and ultimately demands more from us in the process.&lt;br /&gt;
&lt;br /&gt;
From our perspective, any vendor claiming to provide security that cannot at least meet this expected level of &lt;a href="https://www3.gotomeeting.com/register/674399622" target="_blank"&gt;consistent security effectiveness&lt;/a&gt; and performance should think seriously about their commitment to their customers. Any company evaluating a next-generation security platform should especially take this type of innovation and investment into account. At Sourcefire, we will continue to innovate aggressively to protect our customers, and we’d like to think this innovation will raise the industry-wide quality bar so high that our adversaries decide there are better businesses to be in. We welcome the competition and challenge them to join us in continually raising that bar.&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-5245016174272066910?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/otJElG4Vwfw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/5245016174272066910/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/04/sourcefire-firepower-bigger-stronger.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/5245016174272066910?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/5245016174272066910?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/otJElG4Vwfw/sourcefire-firepower-bigger-stronger.html" title="Sourcefire FirePOWER - Bigger, 
Stronger, Faster" /><author><name>Jason Brvenik</name><uri>http://www.blogger.com/profile/05151408378216283895</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-2Spt0k1HdGw/T4dp7lzgyUI/AAAAAAAAAVY/x-EseJgQqn4/s72-c/iStock_000003225905XSmall.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/04/sourcefire-firepower-bigger-stronger.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0MHQnw4eCp7ImA9WhVXEkk.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-8377082385585805010</id><published>2012-04-12T11:43:00.000-04:00</published><updated>2012-04-12T11:43:53.230-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-12T11:43:53.230-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="ngfw" /><category scheme="http://www.blogger.com/atom/ns#" term="ips" /><category scheme="http://www.blogger.com/atom/ns#" term="high-performance firewall" /><category scheme="http://www.blogger.com/atom/ns#" term="ngips" /><category scheme="http://www.blogger.com/atom/ns#" term="next-generation firewall" /><category scheme="http://www.blogger.com/atom/ns#" term="next-generation ips" /><title>Next-Generation Network Security Fact or Fiction: Do NGFWs require NGIPS?</title><content type="html">This is the next installment in our "Next-Generation Network Security:  Fact or Fiction?" series, examining debates relevant to the security  industry.&amp;nbsp; In this installment, Jason Brvenik, vice president of security strategy at Sourcefire, examines whether high-performance firewalls must have next-generation IPS (NGIPS) in order to provide sufficient threat protection. What do you think?&lt;br /&gt;
&lt;br /&gt;
&lt;iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/T1nMyPz0BFY" width="560"&gt;&lt;/iframe&gt;&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-8377082385585805010?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/cLOPmyC32sg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/8377082385585805010/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/04/next-generation-network-security-fact_12.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/8377082385585805010?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/8377082385585805010?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/cLOPmyC32sg/next-generation-network-security-fact_12.html" title="Next-Generation Network Security Fact or Fiction: Do NGFWs require NGIPS?" 
/><author><name>Staff Contributor</name><uri>http://www.blogger.com/profile/14631354433093850544</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://img.youtube.com/vi/T1nMyPz0BFY/default.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/04/next-generation-network-security-fact_12.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0MEQ3c-cSp7ImA9WhVXEEo.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-4295285222923842292</id><published>2012-04-10T11:23:00.000-04:00</published><updated>2012-04-10T11:23:22.959-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-10T11:23:22.959-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="agile security" /><category scheme="http://www.blogger.com/atom/ns#" term="sourcefire" /><title>Sourcefire's Truth - Agile Security</title><content type="html">We share this video that gives a bit more of Sourcefire's perspective on the world. More than a brand, this video represents the importance of every enterprise having Agile Security solutions that are as dynamic as the real world they protect and the attackers against which they defend.&lt;br /&gt;
&lt;br /&gt;
And given our recent weekend filled with eggs for many, keep a close eye out in the video for the rabbit (yes, a rabbit) that makes an appearance, albeit a brief one.&lt;br /&gt;
&lt;br /&gt;
&lt;iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/hnBp2m74GfU" width="420"&gt;&lt;/iframe&gt;&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-4295285222923842292?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/y8-Oy6K5m-c" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/4295285222923842292/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/04/sourcefires-truth-agile-security.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/4295285222923842292?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/4295285222923842292?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/y8-Oy6K5m-c/sourcefires-truth-agile-security.html" title="Sourcefire's Truth - Agile Security" /><author><name>Staff Contributor</name><uri>http://www.blogger.com/profile/14631354433093850544</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://img.youtube.com/vi/hnBp2m74GfU/default.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/04/sourcefires-truth-agile-security.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;CEUFQXY9fSp7ImA9WhVQF08.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-6194367875671969547</id><published>2012-04-06T10:23:00.000-04:00</published><updated>2012-04-06T10:23:30.865-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-06T10:23:30.865-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="antimalware" /><category scheme="http://www.blogger.com/atom/ns#" term="advanced malware protection" /><category scheme="http://www.blogger.com/atom/ns#" term="enterprise antivirus" /><category scheme="http://www.blogger.com/atom/ns#" term="antivirus" /><category scheme="http://www.blogger.com/atom/ns#" term="endpoint security" /><category scheme="http://www.blogger.com/atom/ns#" term="anti-malware" /><category scheme="http://www.blogger.com/atom/ns#" term="outbreak control" /><category scheme="http://www.blogger.com/atom/ns#" term="fireamp" /><title>FireAMP Outbreak Control - A Recourse Against Malware (DEMO)</title><content type="html">&lt;span style="font-family: inherit;"&gt;We have made no secret of the hard work that Sourcefire has put into the development of FireAMP. And we have done this in the hopes that it will actually remove some of the hard work from the lives of our customers who face malware challenges daily. &amp;nbsp;For this reason, we want to share this demo of FireAMP's Outbreak Control that uniquely contains and remediates malware outbreaks and blocks future attacks.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: inherit;"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: inherit;"&gt;&lt;/span&gt;
&lt;span style="font-family: inherit;"&gt;Outbreak Control speeds response time in the face of attacks for immediate recourse, instead of waiting for updates from security vendors. &amp;nbsp;And aspects like C&lt;/span&gt;&lt;span style="font-family: inherit;"&gt;loud Recall will&amp;nbsp;&lt;/span&gt;&lt;span style="font-family: inherit;"&gt;quarantine files that are deemed malware--without a full scan&lt;/span&gt;&lt;span style="line-height: 15px;"&gt;&lt;span style="font-family: inherit;"&gt;--and a&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family: inherit;"&gt;utomatically remediate systems. &amp;nbsp;FireAMP also blocks known malware in real-time in order to prevent infections in the first place. &amp;nbsp;&lt;/span&gt;&lt;span style="font-family: inherit;"&gt;This short video demo (2:20), the next in our FireAMP 5 series, gives an overview of Outbreak Control and its capabilities. &lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/7HCdWtwXlVg" width="560"&gt;&lt;/iframe&gt;&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-6194367875671969547?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/BG-L9rTNnmE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/6194367875671969547/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/04/fireamp-outbreak-control-recourse.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/6194367875671969547?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/6194367875671969547?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/BG-L9rTNnmE/fireamp-outbreak-control-recourse.html" title="FireAMP Outbreak Control - A Recourse Against Malware (DEMO)" /><author><name>Staff Contributor</name><uri>http://www.blogger.com/profile/14631354433093850544</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://img.youtube.com/vi/7HCdWtwXlVg/default.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/04/fireamp-outbreak-control-recourse.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;C0AFQ38yfyp7ImA9WhVQFUg.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-9167776094287589032</id><published>2012-04-04T11:01:00.000-04:00</published><updated>2012-04-04T11:01:52.197-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-04T11:01:52.197-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="vrt" /><category scheme="http://www.blogger.com/atom/ns#" term="offensive research" /><category scheme="http://www.blogger.com/atom/ns#" term="sourcefire vrt" /><category scheme="http://www.blogger.com/atom/ns#" term="matt watchinski" /><title>Next-Generation Network Security Fact or Fiction: Does Offensive Research Contribute to Threat Protection?</title><content type="html">This is the next installment in our "Next-Generation Network Security: Fact or Fiction?" series, examining debates relevant to the security industry. &amp;nbsp;Matt Watchinski, vice president of Sourcefire's Vulnerability Research Team (VRT) looks at the value of conducting offensive research for threat protection when working with limited time and resources amidst copious amounts of known vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
&lt;iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/VHsB2AZT8KY" width="560"&gt;&lt;/iframe&gt;&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-9167776094287589032?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/RC5yN-hVYeU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/9167776094287589032/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/04/next-generation-network-security-fact.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/9167776094287589032?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/9167776094287589032?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/RC5yN-hVYeU/next-generation-network-security-fact.html" title="Next-Generation Network Security Fact or Fiction: Does Offensive Research Contribute to Threat Protection?" 
/><author><name>Staff Contributor</name><uri>http://www.blogger.com/profile/14631354433093850544</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://img.youtube.com/vi/VHsB2AZT8KY/default.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/04/next-generation-network-security-fact.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkYEQH0-fSp7ImA9WhVQEEg.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-1096228321443244761</id><published>2012-03-29T15:41:00.000-04:00</published><updated>2012-03-29T15:41:41.355-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-03-29T15:41:41.355-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="sourcefire" /><category scheme="http://www.blogger.com/atom/ns#" term="richard stiennon" /><category scheme="http://www.blogger.com/atom/ns#" term="information superiority" /><category scheme="http://www.blogger.com/atom/ns#" term="martin roesch" /><title>Richard Stiennon talks to Martin Roesch about Information Superiority (VIDEO)</title><content type="html">The concept of information superiority is an important one, particularly when it means an attacker holds an information advantage over a network's defenders. &amp;nbsp;This results in an attacker being able to leverage a local issue that those looking after a network may not be aware of - whether an exploit, zero-day, topological issue or otherwise, in order to gain access.&lt;br /&gt;
&lt;br /&gt;
To tip the scales of information superiority in our favor, we must be able to create an integrated picture of what exists on a network at any given time to understand what must be protected, how the network is changing and what it may be vulnerable to. &lt;br /&gt;
&lt;br /&gt;
In this video (2:50), Richard and Marty discuss what information superiority amounts to in 2012, so the considerations above can be readily addressed.&lt;br /&gt;
&lt;br /&gt;
&lt;iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/g_CGbFY0tRU" width="560"&gt;&lt;/iframe&gt;&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-1096228321443244761?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/LI0Fh0FOSu4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/1096228321443244761/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/03/richard-stiennon-talks-to-martin-roesch_29.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/1096228321443244761?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/1096228321443244761?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/LI0Fh0FOSu4/richard-stiennon-talks-to-martin-roesch_29.html" title="Richard Stiennon talks to Martin Roesch about Information Superiority (VIDEO)" /><author><name>Staff Contributor</name><uri>http://www.blogger.com/profile/14631354433093850544</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://img.youtube.com/vi/g_CGbFY0tRU/default.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/03/richard-stiennon-talks-to-martin-roesch_29.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;CkcFRX47fip7ImA9WhVRGEo.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-7772044112055788711</id><published>2012-03-27T13:40:00.000-04:00</published><updated>2012-03-27T13:40:14.006-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-03-27T13:40:14.006-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="immunet" /><category scheme="http://www.blogger.com/atom/ns#" term="advanced malware protection" /><category scheme="http://www.blogger.com/atom/ns#" term="enterprise antivirus" /><category scheme="http://www.blogger.com/atom/ns#" term="droppers" /><category scheme="http://www.blogger.com/atom/ns#" term="antivirus" /><category scheme="http://www.blogger.com/atom/ns#" term="endpoint security" /><category scheme="http://www.blogger.com/atom/ns#" term="anti-malware" /><category scheme="http://www.blogger.com/atom/ns#" term="fireamp" /><title>Droppers from Around the World: Australia and New Zealand</title><content type="html">&lt;div style="font-family: inherit;"&gt;
In this post, I’ll continue my series on how malware is dropped into systems around the world, looking specifically at Australia and New Zealand.&lt;/div&gt;
&lt;div style="font-family: inherit;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="font-family: inherit;"&gt;
The most common dropper in Australia is explorer.exe – which represents Microsoft Windows Explorer. When explorer.exe appears as a malware dropper, it means the malware entered the system because a user actually double-clicked on it (which is why it shows up as originating via explorer.exe). In all likelihood, users were socially engineered into making a poor security decision.&lt;/div&gt;
&lt;div style="font-family: inherit;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="font-family: inherit;"&gt;
The second most common dropper in Australia is chrome.exe (the name associated with Google’s Chrome web browser), aggregated over all versions. When accounting for version numbers, the most common dropper is Chrome version 16.0.912.63.&lt;/div&gt;
&lt;div style="font-family: inherit;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="font-family: inherit;"&gt;
The most popular browsers that drop malware (in order of number of malware instances seen from that browser), after Chrome, are Internet Explorer followed by Firefox.&lt;/div&gt;
&lt;div style="font-family: inherit;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="font-family: inherit;"&gt;
The third most common dropper (when accounting for version numbers) in Australia is called Praetorians.exe.&amp;nbsp; This name coincides with a popular game, which suggests that users are downloading and installing what they think is a pirated copy of the game (but that in fact drops malware onto their system). The most popular malware dropper in New Zealand is winlogon.exe, which is a common target for malware (i.e., malware attaches itself to it). Many of these cases appear to be associated with W32.Trojan.1415. Digging in, the underlying threat itself is one called Brontok.&lt;/div&gt;
&lt;div style="font-family: inherit;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="font-family: inherit;"&gt;
The most popular browsers that drop malware in New Zealand (in order of number of malware instances seen from that browser) are Internet Explorer, Firefox, and Chrome. (It is interesting to contrast this with Australia where Chrome is first). The version of Internet Explorer associated with the most dropped malware is 9.0.8112.16421.&lt;/div&gt;
&lt;div style="font-family: inherit;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="font-family: inherit;"&gt;
In the case of both Australia and New Zealand, the three most common threats are W32.Agent, W32.ET.mywebsearch, and W32.PUPgenPUP. These generally seem to represent programs that deal with advertisements and search. It is interesting to note that the last of these was actually first identified through our advanced analytics engine, which allows us to detect threats by analyzing data across our community.&lt;/div&gt;
&lt;div style="font-family: inherit;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="font-family: inherit;"&gt;
Given that Australia and New Zealand are so close to each other geographically, it is not so surprising that they see the same threats. What is somewhat surprising, however, is that these threats seem to infect machines through different vehicles.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-7772044112055788711?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/lQFT774Z3XU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/7772044112055788711/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/03/droppers-from-around-world-australia.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/7772044112055788711?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/7772044112055788711?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/lQFT774Z3XU/droppers-from-around-world-australia.html" title="Droppers from Around the World: Australia and New Zealand" /><author><name>Dr. 
Zulfikar Ramzan</name><uri>http://www.blogger.com/profile/01489612128186951616</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="27" height="32" src="http://3.bp.blogspot.com/-MJN5oULA_kI/TlKVPXCZaNI/AAAAAAAAAIk/OOWf9ZLDVqw/s220/zully.png" /></author><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/03/droppers-from-around-world-australia.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUMMRn08eSp7ImA9WhVREkg.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-3663754618156227817</id><published>2012-03-20T11:31:00.000-04:00</published><updated>2012-03-20T11:31:27.371-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-03-20T11:31:27.371-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="antimalware" /><category scheme="http://www.blogger.com/atom/ns#" term="cloud antivirus" /><category scheme="http://www.blogger.com/atom/ns#" term="advanced malware protection" /><category scheme="http://www.blogger.com/atom/ns#" term="enterprise antivirus" /><category scheme="http://www.blogger.com/atom/ns#" term="antivirus" /><category scheme="http://www.blogger.com/atom/ns#" term="endpoint security" /><category scheme="http://www.blogger.com/atom/ns#" term="anti-malware" /><category scheme="http://www.blogger.com/atom/ns#" term="file trajectory" /><category scheme="http://www.blogger.com/atom/ns#" term="fireamp" /><title>FireAMP File Trajectory - An Endpoint Flight Recorder (DEMO)</title><content type="html">Much hard work has been devoted to FireAMP in order to make it the most progressive and disruptive technology to date in the fight against malware. 
&amp;nbsp;We particularly feel that one aspect of FireAMP, File Trajectory, is truly unique and vital, allowing security teams at last to answer fundamental questions such as which system was infected first by malware, and to see and understand immediately the extent of any outbreak and how it may be spreading. &amp;nbsp;As we have &lt;a href="http://blog.sourcefire.com/2012/01/advanced-malware-protection-what-your.html"&gt;previously expounded on&lt;/a&gt;, File Trajectory enables unprecedented visibility into the endpoint, effectively amounting to a "flight recorder" for all file activity on the endpoints across an enterprise, functionality never before seen. &amp;nbsp;Please see our short demo (1:33) on File Trajectory to see this innovation in action.&lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;


&lt;iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/CWnixcZeXQE" width="560"&gt;&lt;/iframe&gt;&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-3663754618156227817?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/oH92WxHAqME" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/3663754618156227817/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/03/fireamp-file-trajectory-endpoint-flight.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/3663754618156227817?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/3663754618156227817?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/oH92WxHAqME/fireamp-file-trajectory-endpoint-flight.html" title="FireAMP File Trajectory - An Endpoint Flight Recorder (DEMO)" /><author><name>Staff Contributor</name><uri>http://www.blogger.com/profile/14631354433093850544</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://img.youtube.com/vi/CWnixcZeXQE/default.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/03/fireamp-file-trajectory-endpoint-flight.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;A0EBR3o6eSp7ImA9WhVREUs.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-7243472536702255981</id><published>2012-03-19T11:07:00.000-04:00</published><updated>2012-03-19T11:07:36.411-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-03-19T11:07:36.411-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="application control" /><category scheme="http://www.blogger.com/atom/ns#" term="ngfw" /><category scheme="http://www.blogger.com/atom/ns#" term="it harvest" /><category scheme="http://www.blogger.com/atom/ns#" term="firesight" /><category scheme="http://www.blogger.com/atom/ns#" term="next-generation firewall" /><category scheme="http://www.blogger.com/atom/ns#" term="context-aware security" /><category scheme="http://www.blogger.com/atom/ns#" term="martin roesch" /><category scheme="http://www.blogger.com/atom/ns#" term="intrusion prevention" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><category scheme="http://www.blogger.com/atom/ns#" term="next-generation ips" /><title>Richard Stiennon talks to Martin Roesch about Next-Generation IPS (VIDEO)</title><content type="html">Lead analyst at IT Harvest, Richard Stiennon, recently sat down with Sourcefire founder and CTO Martin Roesch to discuss a host of topics and trends germane to the IT Security industry in 2012. &amp;nbsp;As this was an extensive conversation, we will release a series of videos in the coming weeks, highlighting excerpts of their discussion. &lt;br /&gt;
&lt;br /&gt;
This first video focuses on the continued evolution of next-generation security platforms, in particular, next-generation IPS, and its integration of elements like application control, previously only available on &lt;a href="http://www.sourcefire.com/security-technologies/network-security/next-generation-firewall"&gt;NGFW&lt;/a&gt; platforms. &amp;nbsp;This progression represents new found flexibility for security teams and how they can deploy and manage their security technologies. Please watch this video (2:45) for deeper discussion.&lt;br /&gt;
&lt;br /&gt;
&lt;iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/8fFfbj-lKzY" width="560"&gt;&lt;/iframe&gt;&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-7243472536702255981?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/0pheeNrHjHw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/7243472536702255981/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/03/richard-stiennon-talks-to-martin-roesch.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/7243472536702255981?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/7243472536702255981?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/0pheeNrHjHw/richard-stiennon-talks-to-martin-roesch.html" title="Richard Stiennon talks to Martin Roesch about Next-Generation IPS (VIDEO)" /><author><name>Staff Contributor</name><uri>http://www.blogger.com/profile/14631354433093850544</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://img.youtube.com/vi/8fFfbj-lKzY/default.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/03/richard-stiennon-talks-to-martin-roesch.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;DUYCQnk9fip7ImA9WhVSFkg.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-2723806380680382021</id><published>2012-03-13T12:46:00.000-04:00</published><updated>2012-03-13T12:46:03.766-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-03-13T12:46:03.766-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="open source" /><category scheme="http://www.blogger.com/atom/ns#" term="agile security" /><category scheme="http://www.blogger.com/atom/ns#" term="snort" /><category scheme="http://www.blogger.com/atom/ns#" term="snort rules" /><category scheme="http://www.blogger.com/atom/ns#" term="martin roesch" /><category scheme="http://www.blogger.com/atom/ns#" term="next-generation ips" /><title>In With the New: Snort Rules</title><content type="html">&lt;div&gt;
Many in the security field are by now familiar with&amp;nbsp;Snort&amp;nbsp;- the&amp;nbsp;open source intrusion detection and prevention technology, created in 1998 by Sourcefire founder Martin Roesch. &amp;nbsp;And many will also know that Sourcefire still develops and oversees Snort today.&amp;nbsp; Snort uses a rule-driven language combining the benefits of signature-, protocol- and anomaly-based inspection methods--and with some 4 million downloads to date, Snort is the world's most popular intrusion detection and prevention technology.&amp;nbsp; Snort serves as the underpinning of Sourcefire's next-generation IPS system. &amp;nbsp; &lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&lt;br /&gt;
What makes Snort and Sourcefire so unique is the provision of Agile Security,&amp;nbsp;a continuous process with four essential elements of seeing, learning, adapting and then acting,&amp;nbsp;to effectively protect environments against dynamic attacks.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&lt;br /&gt;
This notion of continuously adapting brings us to an important update we wanted to draw your attention to. &amp;nbsp;Allow us to tee up the news here, prior to handing the conversation over to Joel Esler at &lt;a href="http://www.snort.org/"&gt;Snort.org&lt;/a&gt;. &amp;nbsp;While Spring may not be here quite yet, after more than a decade of Snort rule additions, now is the moment for a bit of spring cleaning, to make Snort more agile than ever. &amp;nbsp;Ever since the ability was added to Snort to write rules, those rules have been organized into categories in different files. &amp;nbsp;For years these rules have been added to, but the time has arrived to refocus and streamline the ruleset, add features, and, as Joel notes, "clear the old cruft away."&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&lt;br /&gt;
Over the coming months, the old categories will be reorganized into a new set of categories in order to make our customers' lives simpler while delivering greater value out of the rules, for both corporate and Open Source users.&lt;br /&gt;
&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;br /&gt;
This represents a very important progression for our product to make it more agile and stronger than ever. &amp;nbsp;Please continue reading the post on our Snort blog for much greater detail on the new rule categories, for this represents an important progression:&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://blog.snort.org/2012/03/rule-category-reorganization.html"&gt;http://blog.snort.org/2012/03/rule-category-reorganization.html&lt;/a&gt;. &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-2723806380680382021?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/BEafMZNtckY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/2723806380680382021/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/03/in-with-new-snort-rules.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/2723806380680382021?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/2723806380680382021?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/BEafMZNtckY/in-with-new-snort-rules.html" title="In With the New: Snort Rules" /><author><name>Staff Contributor</name><uri>http://www.blogger.com/profile/14631354433093850544</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/03/in-with-new-snort-rules.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;CEEESH84eCp7ImA9WhVSEk8.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-5298632490335022687</id><published>2012-03-08T11:03:00.000-05:00</published><updated>2012-03-08T11:03:29.130-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-03-08T11:03:29.130-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="application control" /><category scheme="http://www.blogger.com/atom/ns#" term="antimalware" /><category scheme="http://www.blogger.com/atom/ns#" term="advanced malware protection" /><category scheme="http://www.blogger.com/atom/ns#" term="information superiority" /><category scheme="http://www.blogger.com/atom/ns#" term="context-aware security" /><category scheme="http://www.blogger.com/atom/ns#" term="anti-malware" /><title>Computer Security Trends and Threats in the Federal Sector - Future of Security</title><content type="html">By now we are well aware that advanced persistent threats (APTs) and other cyber attacks can and will wreak havoc -- and IT security professionals are justifiably concerned. A recent &lt;a href="http://info.sourcefire.com/ESGWhitepaper.html"&gt;ESG research report&lt;/a&gt; notes that 93 percent of security professionals are "very concerned" or "concerned" about the potential impact that APTs could have on U.S. national interests such as national security or the economy.&lt;br /&gt;
&lt;br /&gt;
What's more, in 2011, some 280 million variations of malware were identified -- and many just on one computer or network.&amp;nbsp; With this as a backdrop, Sourcefire founder and CTO Martin Roesch discusses thoughts on where the future of IT security will head to confront this.&amp;nbsp; This is the last excerpt of Martin's discussion with Federal News Radio in its Federal Executive Forum roundtable on Emerging Technologies.&lt;br /&gt;
&lt;br /&gt;
&lt;object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://i.ytimg.com/vi/bkvCFTwh96M/0.jpg" height="266" width="320"&gt;&lt;param name="movie" value="http://www.youtube.com/v/bkvCFTwh96M?version=3&amp;f=user_uploads&amp;c=google-webdrive-0&amp;app=youtube_gdata" /&gt;
  &lt;param name="bgcolor" value="#FFFFFF" /&gt;
  &lt;embed width="320" height="266"  src="http://www.youtube.com/v/bkvCFTwh96M?version=3&amp;f=user_uploads&amp;c=google-webdrive-0&amp;app=youtube_gdata" type="application/x-shockwave-flash"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-5298632490335022687?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/k2PNcTdbC2I" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/5298632490335022687/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/03/computer-security-trends-and-threats-in.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/5298632490335022687?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/5298632490335022687?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/k2PNcTdbC2I/computer-security-trends-and-threats-in.html" title="Computer Security Trends and Threats in the Federal Sector - Future of Security" /><author><name>Staff Contributor</name><uri>http://www.blogger.com/profile/14631354433093850544</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/03/computer-security-trends-and-threats-in.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;D0UBQX08cCp7ImA9WhVSEUk.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-728238065504861150</id><published>2012-03-07T13:32:00.001-05:00</published><updated>2012-03-07T13:34:10.378-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-03-07T13:34:10.378-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="byod" /><category scheme="http://www.blogger.com/atom/ns#" term="sourcefire" /><category scheme="http://www.blogger.com/atom/ns#" term="it security best practices" /><category scheme="http://www.blogger.com/atom/ns#" term="ipad 3" /><category scheme="http://www.blogger.com/atom/ns#" term="apple" /><title>What Does the iPad 3 Mean for IT Security Teams?</title><content type="html">With the launch of the iPad 3 today the trend of bring-your-own-device (BYOD), such as smartphones and tablets, to work shows no sign of abating. Hailed by many as a boon to worker productivity and a cost savings for organizations, what are the implications of BYOD for IT security teams?&lt;br /&gt;
&lt;br /&gt;
A recent Gartner report shows tablet sales on a pace to reach over 300 million units in 2015 with Apple expected to command more than 50% market share in tablets until 2014.  Android-based tablets are next in line and expected to gain significant ground by 2015. As for smartphones, new research from the Pew Internet and American Life Project indicates that more than half of all mobile phones in the U.S. are smartphones. Given this data and the slew of announcements at Mobile World Congress last week, one thing is certain: iOS, Android or other, we are rapidly adopting tablets and smartphones as our “go-to” computing devices. &lt;br /&gt;
&lt;br /&gt;
The impact on the corporate network is significant. The “2011 Consumerization of IT Study” conducted by IDC and sponsored by Unisys found that 40% of IT decision makers say that workers access corporate information from employee-owned devices, but in stark contrast more than 80% of employees indicated they access corporate networks this way. To protect their corporate assets organizations need to close this gap. &lt;br /&gt;
&lt;br /&gt;
If we take a closer look at Apple-based systems, relative to mobile malware threats out today, iOS is relatively unscathed. Apple’s “walled garden” approach has helped. However, as an IT security administrator, protecting systems that may not belong to you is a huge challenge, some of which cannot be addressed by one simple security solution. But there are a few things you can do to harden your teams and policies to help maintain control of your network.&lt;br /&gt;
&lt;br /&gt;
First, make sure your executives have the latest devices as upgrading the entire platform is easier and less risky than a piecemeal approach of upgrading individuals’ software – particularly when they’re high productivity, high-demand employees.&lt;br /&gt;
&lt;br /&gt;
Second, be mindful that even though iOS has been relatively immune to attacks, as the number of users increases so do the odds that high-value data will reside on iPads and be put in transit into other network devices where threats are borne. While not technology based, enforced policies that regulate what data can be transmitted to BYOD devices can help. &lt;br /&gt;
&lt;br /&gt;
Third, in situations when you can’t control the tablet or smartphone, it may be useful to lock down your organization’s network or computers (laptops, desktops, servers) with capabilities like application control. Consider approved applications that can be used by employees to remotely access their desktop computers back in the office from their iPad or other tablet while travelling. While you may not be able to limit the installation of applications on the device, you can prevent them from running on corporate-owned computers.&lt;br /&gt;
&lt;br /&gt;
As we welcome the next evolution of the iPad and a host of competing devices with open arms, we must also open our eyes to the security gaps BYOD presents and take a proactive approach to bridging these gaps.&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-728238065504861150?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/QGEcaHfZ4mQ" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/728238065504861150/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/03/what-does-ipad3-mean-for-it-security.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/728238065504861150?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/728238065504861150?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/QGEcaHfZ4mQ/what-does-ipad3-mean-for-it-security.html" title="What Does the iPad 3 Mean for IT Security Teams?" 
/><author><name>Martin Roesch</name><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/03/what-does-ipad3-mean-for-it-security.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkICSXo9fSp7ImA9WhVTE0U.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-8926687581902111886</id><published>2012-02-27T17:09:00.000-05:00</published><updated>2012-02-27T17:09:28.465-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-02-27T17:09:28.465-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="sourcefire" /><category scheme="http://www.blogger.com/atom/ns#" term="rsa conference" /><category scheme="http://www.blogger.com/atom/ns#" term="rsac" /><title>RSA Conference: In It to Win It with Sourcefire!</title><content type="html">&lt;a href="http://4.bp.blogspot.com/-Lfrn6a5y4TM/T0rwNvGCZAI/AAAAAAAAADQ/7e2hwib5AG0/s1600/Snorty+rsac.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="213" src="http://4.bp.blogspot.com/-Lfrn6a5y4TM/T0rwNvGCZAI/AAAAAAAAADQ/7e2hwib5AG0/s320/Snorty+rsac.jpg" width="320" /&gt;&lt;/a&gt;&lt;span style="font-size: small;"&gt;RSA Conference is a busy time for the IT security industry, driving conversations, handshakes, publicity and even just plain fun. &amp;nbsp;We look forward to seeing many of you, but for those not attending but tracking the conference on Twitter and Facebook, let's connect there. We want to make sure our friends on-site and off-site feel like part of the Sourcefire fun at the show.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-size: small;"&gt;For those &lt;b&gt;&lt;i&gt;at the show&lt;/i&gt;&lt;/b&gt;, keep your eyes peeled on our Twitter feed -- and if you do not follow us yet find us at &lt;a href="http://www.twitter.com/sourcefire" target="_blank"&gt;@sourcefire&lt;/a&gt;.&amp;nbsp; On Tuesday and Wednesday of this week, we will give two lucky winners each day a $100 American Express gift card for being the first to have "checked in" (#2552 on the show floor) with a picture of our booth. And since you'll be monitoring our Twitter feed - you will know when to snap the booth picture. Of course, extra brownie points if Snorty is involved.&amp;nbsp; And do not forget to use the #sourcefire hashtag so it stands out in the Twitter stream.&amp;nbsp; If you are not on site and see our Tweet and know someone who is present, send them a quick text to grab a pic and maybe they will share the $100.&lt;br /&gt;
&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-size: small;"&gt;Here is one for those who have left their heart in San Francisco who may not be at #RSAC.&amp;nbsp; Snorty will take advantage of the week at the conference but also do a bit of tourism - he is adventurous, after all.&amp;nbsp; We will post Facebook pictures of Snorty around San Francisco to our Facebook page Tuesday, Wednesday and Thursday. Those who share the correct location in a Facebook comment in the first hour after posting will have a chance to win a $100 gift card. &amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-size: small;"&gt;For both the Twitter pictures and Facebook photos, we will select winners at random from all participants and notify them after RSA Conference. &lt;br /&gt;
&lt;br /&gt;
See you at booth #2552 or online!&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-8926687581902111886?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/NN3JPQUXPhE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/8926687581902111886/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/02/rsa-conference-in-it-to-win-it-with.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/8926687581902111886?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/8926687581902111886?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/NN3JPQUXPhE/rsa-conference-in-it-to-win-it-with.html" title="RSA Conference: In It to Win It with Sourcefire!" 
/><author><name>Staff Contributor</name><uri>http://www.blogger.com/profile/14631354433093850544</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-Lfrn6a5y4TM/T0rwNvGCZAI/AAAAAAAAADQ/7e2hwib5AG0/s72-c/Snorty+rsac.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/02/rsa-conference-in-it-to-win-it-with.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D04AQH45eCp7ImA9WhVTE0g.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-1107701583004933537</id><published>2012-02-27T10:19:00.000-05:00</published><updated>2012-02-27T10:19:01.020-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-02-27T10:19:01.020-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="application control" /><category scheme="http://www.blogger.com/atom/ns#" term="next-generation network security" /><category scheme="http://www.blogger.com/atom/ns#" term="information superiority" /><category scheme="http://www.blogger.com/atom/ns#" term="security infographic" /><category scheme="http://www.blogger.com/atom/ns#" term="ngips" /><title>Next-Generation Network Security: An Evolution [INFOGRAPHIC]</title><content type="html">&lt;div style="color: black;"&gt;
&lt;div style="font-family: inherit;"&gt;
&lt;span style="font-size: small;"&gt;Today Sourcefire announced its &lt;a href="http://investor.sourcefire.com/releasedetail.cfm?ReleaseID=651715"&gt;Next-Generation Intrusion Prevention Systems&lt;/a&gt; (NGIPS) with integrated granular application control. This is the &lt;/span&gt;&lt;span style="font-size: small;"&gt;&lt;span style="display: inline !important; float: none; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;world's first NGIPS that incorporates real-time contexual awareness and full-stack visibility, together with intelligent security automation and granular application control.&amp;nbsp;&lt;/span&gt;&lt;/span&gt;These are all critical components of gaining an &lt;a href="http://blog.sourcefire.com/2012/02/information-superiority-as-enabler-of.html" target="_blank"&gt;Information Superiority&lt;/a&gt; advantage for network security.&lt;/div&gt;
&lt;div style="font-family: inherit;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="font-family: inherit;"&gt;
To celebrate this milestone, we created the below infographic that illustrates the journey of Next-Generation Network Security from the inception of Snort to where we are now. Enjoy.&lt;/div&gt;
&lt;/div&gt;
&lt;div style="color: black; font-family: arial; font-size: small; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;span style="font-family: inherit; font-size: small;"&gt;&amp;nbsp;&lt;/span&gt;&lt;span style="font-size: small;"&gt;&lt;br /&gt;
&lt;/span&gt;&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-rPrhQRBop5s/T0gVtUeo5dI/AAAAAAAAADI/TPmpwfO8WYk/s1600/Evolution+of+Next+Generation+Network+Security+Infographic+2012.jpg" imageanchor="1" style="clear: left; float: left; font-family: inherit; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="323" src="http://1.bp.blogspot.com/-rPrhQRBop5s/T0gVtUeo5dI/AAAAAAAAADI/TPmpwfO8WYk/s640/Evolution+of+Next+Generation+Network+Security+Infographic+2012.jpg" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div style="color: black; font-family: inherit; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;span style="font-size: small;"&gt;&lt;br /&gt;
&lt;/span&gt;&lt;/div&gt;
&lt;div style="color: black; font-family: arial; font-size: small; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;/div&gt;
&lt;div style="color: black; font-family: arial; font-size: small; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;"&gt;
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-1107701583004933537?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/shonbfxgsTM" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/1107701583004933537/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/02/next-generation-network-security.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/1107701583004933537?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/1107701583004933537?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/shonbfxgsTM/next-generation-network-security.html" title="Next-Generation Network Security: An Evolution [INFOGRAPHIC]" /><author><name>Staff Contributor</name><uri>http://www.blogger.com/profile/14631354433093850544</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-rPrhQRBop5s/T0gVtUeo5dI/AAAAAAAAADI/TPmpwfO8WYk/s72-c/Evolution+of+Next+Generation+Network+Security+Infographic+2012.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/02/next-generation-network-security.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;CEEFRX8zfSp7ImA9WhVTEU0.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-5721234999397648062</id><published>2012-02-24T09:50:00.000-05:00</published><updated>2012-02-24T11:56:54.185-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-02-24T11:56:54.185-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="advanced malware protection" /><category scheme="http://www.blogger.com/atom/ns#" term="anti-malware" /><category scheme="http://www.blogger.com/atom/ns#" term="fireamp" /><title>Would you like some malware with your recovery? (DATA)</title><content type="html">One of the core tenets of Sourcefire's FireAMP product, introduced just one month ago now, is unmatched visibility - specifically with a focus on how malware was introduced, when it got there, and how it spread COMBINED with the ability to remove it. It's unusual to see these capabilities in a single product when looking at the Advanced Malware Protection space - common practice until now has been to rely on new network appliances for malware analysis (that cannot remediate), and endpoint-based forensic tools for advanced malware removal (that cannot detect).&amp;nbsp; That means introducing two entirely new technologies into your enterprise for the same purpose - one on the network and one on the endpoint.&amp;nbsp; That seems daunting and a little impractical.&lt;br /&gt;
&lt;br /&gt;
This kind of disjointed solution begets a lack of visibility. A black box approach combined with a blind update and scan philosophy simply does not allow you to see how malware is being introduced.&amp;nbsp; You can't see how the malware got in, and if it wasn't detected during the initial infection, chances are that you won't see it being backed up or restored either.&amp;nbsp; With this cycle, it doesn't take much effort for a threat to stay persistent.&lt;br /&gt;
&lt;br /&gt;
There are two specific problems with the separation of analysis and remediation:&lt;br /&gt;
&lt;br /&gt;
&lt;ol&gt;
&lt;li&gt;Threats change and morph once they enter an environment. Consider one of many spy or thriller movies where characters disguise their appearance to evade those after them (Mission Impossible, In the Line of Fire, Bourne Ultimatum, Salt, etc.). Take the character Jason Bourne, for example. He may come into your environment looking one way, but once he's in he changes his appearance and will not be spotted again. If you no longer know what you're looking for, you can't protect yourself against it.&lt;/li&gt;
&lt;li&gt;Once you're infected, you're infected. After the fact visibility doesn't do you any good. It's the equivalent of getting a traffic report that alerts you to the gridlock that you're already sitting in.&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
Suffice to say, true advanced malware protection needs to be able to address both of these issues, among others.&lt;br /&gt;
&lt;br /&gt;
I have mentioned a couple of downsides of using disjointed solutions.  On the flip side, there are many upsides of integrating advanced malware protection technologies into a single product. First, the two issues listed above are no longer issues.  You can have visibility and control over malware in your environment because you have the necessary information about the malware (patient zero, how the malware got in, its trajectory, how it behaves, amongst others) and the capabilities to use that information for remediation.  &lt;br /&gt;
&lt;br /&gt;
Second, with a combined philosophy and by integrating advanced malware protection technology in a single product, we can start to make some pretty interesting observations. One of the more interesting ones is the pollution of system backups by malware - something that happens more often than we think. We looked at some of the data collected across our more than 2 million user population in just one month and can see a number of popular backup applications routinely used to backup and restore malware.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
When traditional anti-malware defenses fail, malware is inadvertently introduced into an organization's backups. When users restore their systems with the hope of recovering from an infection, they get infected all over again. With antivirus efficacy rates persisting at less than 50%, this situation is becoming increasingly common - and it's incredibly risky for enterprises whose users are asked to do back-ups and then reconnect to the network. Some have talked about this happening anecdotally over the years, but until now it was hard to quantify where and when this happens.&lt;br /&gt;
&lt;br /&gt;
The examples below show how many times each application was used to back up and restore threats. These examples are from systems that are using traditional anti-malware solutions and where Sourcefire's technology has been installed once an infection has already taken place.&amp;nbsp; It is then able to observe and block threats from being restored.&lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;17,705 threats restored - Dropbox (Well known cloud Backup service)&lt;/li&gt;
&lt;li&gt;5,076 threats restored - MaxSync (Maxtor Backup and Restore)&lt;/li&gt;
&lt;li&gt;165 threats restored - SyncBack (2BrightSparks Free Backup Software)&lt;/li&gt;
&lt;li&gt;104 threats restored - FreeFileSync (Free File Comparison and Synchronization Software)&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;div class="p1"&gt;
This shows us some very interesting behavior.&amp;nbsp; First, we can confirm that threats are bypassing existing defenses AND then being backed up.&amp;nbsp; Secondly, after these threats have polluted system backups they would have been restored right back onto the previously infected computer had they not been detected.&amp;nbsp; This illustrates the importance and value in monitoring the full trajectory of threats on the endpoint.&lt;/div&gt;
&lt;div class="p1"&gt;
&lt;br /&gt;&lt;/div&gt;
The intelligence gathered from FireAMP's visibility does not end here. For more, read Dr. Zulfikar Ramzan's ongoing series on &lt;a href="http://blog.sourcefire.com/2012/02/droppers-from-around-world-united.html" target="_blank"&gt;malware droppers by geography&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-5721234999397648062?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/fDMrWpvhsRs" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/5721234999397648062/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/02/would-you-like-some-malware-with-your.html#comment-form" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/5721234999397648062?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/5721234999397648062?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/fDMrWpvhsRs/would-you-like-some-malware-with-your.html" title="Would you like some malware with your recovery? 
(DATA)" /><author><name>Oliver Friedrichs</name><uri>http://www.blogger.com/profile/16379050975235113302</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="21" height="32" src="http://1.bp.blogspot.com/-SQ5PsPQMHCU/Txq5--RxHDI/AAAAAAAAF3w/G6cL_jDawlU/s220/Oliver_Friedrichs.jpg" /></author><thr:total>1</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/02/would-you-like-some-malware-with-your.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUMFQn49fip7ImA9WhVTEEw.&quot;"><id>tag:blogger.com,1999:blog-1211328276968544843.post-6491037915034017374</id><published>2012-02-23T11:00:00.000-05:00</published><updated>2012-02-23T11:10:13.066-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-02-23T11:10:13.066-05:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="ngfw" /><category scheme="http://www.blogger.com/atom/ns#" term="sourcefire" /><category scheme="http://www.blogger.com/atom/ns#" term="rich mogull" /><category scheme="http://www.blogger.com/atom/ns#" term="big data" /><category scheme="http://www.blogger.com/atom/ns#" term="adam o'donnell" /><category scheme="http://www.blogger.com/atom/ns#" term="bill brenner" /><category scheme="http://www.blogger.com/atom/ns#" term="andrew jaquith" /><category scheme="http://www.blogger.com/atom/ns#" term="john adams twitter" /><category scheme="http://www.blogger.com/atom/ns#" term="fireamp" /><title>Big Data and Security: Expert Panel at RSA Conference</title><content type="html">&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-ZIEOnti4E8w/T0PldYVj0WI/AAAAAAAAATE/low8DV7E5sM/s1600/Screen+shot+2012-02-21+at+10.31.57+AM.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="257" src="http://1.bp.blogspot.com/-ZIEOnti4E8w/T0PldYVj0WI/AAAAAAAAATE/low8DV7E5sM/s320/Screen+shot+2012-02-21+at+10.31.57+AM.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
By 2020, EMC Greenplum estimates that the world will have some 35 trillion gigabytes of electronically stored data -- what amounts to a forty-fold increase from 2009. This is Big Data, for sure. Moreover, McKinsey Quarterly notes that in 15 of our economy's 17 sectors, companies with more than 1,000 employees store on average more data than the Library of Congress. McKinsey also mentions, perhaps not so surprisingly, that academic research suggests that companies using Big Data to guide decision making are more productive and have higher returns on equity.&lt;br /&gt;
&lt;br /&gt;
The potential of Big Data is so impressive that the topic was discussed recently at the World Economic Forum in Davos, where participants considered how to harness Big Data for societal good. Big Data can also be applied to other pressing global issues -- such as defending against global cybersecurity threats. This is why the upcoming discussion "Big Data and Security: The Rules Have Changed" at RSA Conference in San Francisco is so critical.&lt;br /&gt;
&lt;br /&gt;
Derrick Harris of GigaOM has concluded that Big Data and security may in fact be "soulmates" -- but is that really the case? Is Big Data technology ready for IT security prime time? Bill Brenner of CSO Magazine, who will moderate the discussion, has already begun mulling over the topic on his blog, &lt;a href="http://blogs.csoonline.com/1849/something_big_data_security_points_to_chew_on"&gt;here&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Bill Brenner will be joined by Sourcefire's chief architect, Adam O'Donnell; Andrew Jaquith of &lt;a href="http://www.perimeterusa.com/" target="_blank"&gt;Perimeter E-Security&lt;/a&gt;, who also authored &lt;a href="http://blog.perimeterusa.com/2311/" target="_blank"&gt;his own take&lt;/a&gt; on the topic; John Adams from &lt;a href="http://www.twitter.com/" target="_blank"&gt;Twitter&lt;/a&gt;; and Rich Mogull of &lt;a href="http://www.securosis.com/" target="_blank"&gt;Securosis&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
For those attending RSA Conference in San Francisco this year, please join us at the session in room 301 at 3:50 pm on Tuesday February 28 where the discussion will continue.&lt;div class="blogger-post-footer"&gt;©2011 blog.sourcefire.com. Content provided by Sourcefire, Inc., please do not reproduce without permission.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1211328276968544843-6491037915034017374?l=blog.sourcefire.com' alt='' /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SourcefireCorporateBlog/~4/Rva4JJKkFG8" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://blog.sourcefire.com/feeds/6491037915034017374/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://blog.sourcefire.com/2012/02/big-data-and-security-expert-panel-at.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/6491037915034017374?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/1211328276968544843/posts/default/6491037915034017374?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SourcefireCorporateBlog/~3/Rva4JJKkFG8/big-data-and-security-expert-panel-at.html" title="Big Data and Security: Expert Panel at RSA Conference" /><author><name>Staff Contributor</name><uri>http://www.blogger.com/profile/14631354433093850544</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-ZIEOnti4E8w/T0PldYVj0WI/AAAAAAAAATE/low8DV7E5sM/s72-c/Screen+shot+2012-02-21+at+10.31.57+AM.png" height="72" width="72" 
/><thr:total>0</thr:total><feedburner:origLink>http://blog.sourcefire.com/2012/02/big-data-and-security-expert-panel-at.html</feedburner:origLink></entry></feed>

