Key aspects of its many talents include:
· Exploit unpatched hosts vulnerable to MS08-067, usually by scanning port 445
· Spread via infected USB devices
· Shut down key security services, such as Windows Update and Antivirus
· Brute force passwords and gain access to network shares and Peer to Peer networks

While Conficker may use these methods to reach new heights of evil, the methods themselves are not new. As with most viruses and worms, the process for escalating privileges, exploiting hosts, and gaining unauthorized access remains much the same: exploit a weakness, stop the services that may prevent the nefarious deed, and then spread the love via email, network shares, peer to peer communications, or removable devices. This type of malware has a definable and traceable behavior pattern, as do most—and being able to track this activity and respond to it does not depend on knowing exactly what flavor of malware you are dealing with, given the visibility into the network a SIEM can provide. While there is certainly value in the more ‘signature-based’ approach that antivirus and IDS software use, especially when it comes time to actually remove the malware and restore the system, behavior patterns can often prove a far more valuable and flexible method of identifying the attack and stopping it in its tracks before you have a thousand systems to restore.

In the case of the TriGeo SIM, the advanced correlation engine is quite capable of identifying these unusual behavior patterns and taking immediate action to stop them. The key advantage that a SIEM has that a point solution such as antivirus or IDS/IPS does not is the ability to “see” across the entire network. Not just at the file level or just the network level, but rather all devices, from all sides. In this manner TriGeo SIM collects evidence of the effects of an attack at all levels—logon failures at the server level, critical process stops at the host level, and excessive or unusual network traffic at the network and firewall level. This visibility allows a SIEM to correlate behaviors that a single solution would be blind to, and thus be less dependent on signature based response and focused on identifying “bad” behavior of any type. More importantly, TriGeo SIM can instantly respond when this behavior is detected and disable the offending machine(s).

When the worm attempts to gain access to privileged accounts, it will try to brute force these passwords—this activity is immediately and easily detectable by simply having the TriGeo Agent on your core servers, such as your Domain Controllers. When TriGeo’s behavior-based rules (over 500 of which are included out of the box) detect a large number of logon failures in a short period of time, especially to “critical” accounts such as your Admin accounts, they will immediately generate security alerts to notify you of this behavior. In addition, if you choose to do so you can configure the TriGeo Rules to take more proactive actions, such as disabling the NIC of the offending machine or shutting it down, effectively quarantining the box until you are able to investigate further.

The same responses can be used in the event that your antivirus does detect the worm, but is unable to clean it (which happens more frequently than we’d like to think, usually because of out of date virus engines). Having an Agent on your antivirus server will allow TriGeo to collect these events and respond accordingly, even when your Antivirus service is unable to do so.

In addition, having the TriGeo Agent on all of your machines, including your workstations, will give the maximum amount of visibility and control, allowing you detect when the worm attempts to stop critical services (such as antivirus or Windows Update). Since this worm specifically takes advantage of a Windows vulnerability, if the machine is unable to obtain the update then the worm can exploit this vulnerability and gain additional privileges. Ensuring that your critical services are running as expected is only a small part of what TriGeo can do—in addition, the SIM can correlate this data with other behavior patterns, such as the unusual user account activity mentioned above, to detect that malware is loose on the network and take action immediately.

For example, TriGeo’s Worm Behavior rules detect a combination of events such as many failed logon attempts, in conjunction with an increased amount of TCP traffic (resulting from the worm’s attempts to spread itself across the network), and the attempts to stop critical services—if this combination of events is detected on a given source machine, it is immediately deemed suspicious, marked as an Incident, and action can be taken. This type of behavior is typical of almost any malware, not just Conficker, which is the real power of the behavior-based rules approach—TriGeo SIM doesn’t have to know it’s Conficker to know it’s bad news and needs to be stopped. Having visibility across the entire network allows the SIM to intelligently compare the data from all of your reporting devices and extrapolate the unusual activity, especially in the case of a virus or worm, which tends to affect so many different devices on your network.

Last but not least, our USB-Defender technology is also capable of detecting the use of USB mass storage devices and can even immediately detach “unauthorized” devices based on properties like serial number,  user, the machine, or time of day. In this manner, a USB device could be immediately detached before malware would have a chance to take hold, reducing your risk of exposure. Even in the event that you cannot disallow access to all devices, a USB attach event can be correlated with any of the unusual behavior mentioned above, or an alert from the host’s antivirus, and be immediately removed based on these findings.

In short, though a footprint may not look like a boot, that won’t stop your TriGeo SIM from identifying that someone or something has stepped on your precious network resources and stop them in their tracks. No matter what the name, the behavior is key and so is the response that TriGeo SIM can provide.

For more information on Conficker and its behavior patterns, check out the Conficker Working Group website at: http://www.confickerworkinggroup.org/wiki/pmwiki.php/ENT/Enterprise

Other sites of interest include:

https://www.honeynet.org/node/388 and https://www.honeynet.org/node/389

http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

http://mtc.sri.com/Conficker/addendumC/

http://www.us-cert.gov/cas/alerts/SA09-088A.html

I’ve been selling to the midmarket for arhummm 20+ years! (My how time flies….) I know these people really well. At conferences like the Gartner MidSize Enterprise Summit and CIO Decisions, I get the pleasure of spending a lot of time with midmarket executives who always voice their frustrations with vendors who simply, “don’t get them.” One executive at a dinner said, “We’re sick to death of companies like XX and XXXXX, who want to shove their enterprise products down our throats.” There was laughter while someone said, “Tell us how you really feel!”

These executives have got “Rodney Dangerfield Syndrome” because they feel that they “get no respect.” We’ve seen it time and time again. The big players announce midmarket initiatives that are worth about as much as the cyberpaper they’re distributed on. They frankly don’t know what or how to sell to the midmarket and are surprised when these initiatives flop.

There seems to be two corporate strategies by enterprise-focused companies that are going after the midmarket.

• They use their current organizational structure to get economies of scale. Sounds reasonable. You’ve already got a support team, a professional services group, and a sales group – just use them for the midmarket too! Wrong! We saw how poorly this worked when Cisco purchased Protego and released Cisco MARS. Customers were calling support in a foreign county and talking to reps that knew nothing about the product. Along those same lines, their sales people tend to run a 12 – 18 month sales cycle with a deal size of $225,000 aren’t the same people who do telesales to the midmarket, where our average deal is $37,000. Simply put, you can’t put people on airplanes to wine and dine prospects over an 18-month sales cycle for a $37K deal. You have to be smart about how you market, sell and support midmarket companies.

• This one is even worse than the first one. You can’t have a product strategy where one size fits all. Taking an enterprise product, renaming it, clipping some of the features and then slapping a different price tag on it is not the same as engineering a product specifically for the needs of midmarket companies. Despite their best efforts, trying to put square pegs in round holes just doesn’t cut it.

I had someone from the business development group at a very large security vendor (competitor) tell me that they, “just couldn’t figure out why they weren’t getting any traction in the midmarket.” I told him it was very simple, “You don’t have a product for them.”

At TriGeo, we’ve been called dogmatic in our commitment to the midmarket. To those that said that, I thank you. The midmarket has always been the most consistent buying segment, even during times of economic uncertainty. In fact, according to Forrester Research the midmarket is predicted to increase its spend a full percentage point over 2008 with the bulk of that spend going to security products. Not a bad target market during an economic downturn.

An executive from a log management vendor told me that everyone thought we were crazy because we were going after the midmarket and that we’d be out of business in no time at all. Now, he says, “We look like geniuses.”

Astute observation or 20/20 hindsight? You tell me.

Unfortunately, the article suggests that the solution for dealing with this threat is keeping log data for longer periods of time to provide a broader set of historical data for analysis. This approach is purely forensic. It’s a great way to uncover the source of a breach after the fact, but it does little to prevent the breach or even improve overall network security…which leads some to conclude that log management and traditional SIEM solutions aren’t as valuable as the market had hoped. The reality is that a reliance on forensics is the issue.

Let’s look at this from another perspective.  Let’s imagine that the anti-virus and anti-malware market focused on data collection, storage, reporting and searching.  Those are all useful features, but none of them will actually protect you from threats.  Instead, anti-virus and anti-malware focus on real-time analysis and even more important, an active response…

Who would buy an anti-virus or anti-malware solution that produced a daily bar chart listing the anomalies infecting our networks, or worse required that we periodically search a mountain of data for suspicious activity?

Why shouldn’t we expect, and even demand, that SIEM and Log Management solutions also provide us with that same level of analysis, detection and response?

Let’s look at what the article reported.  Dark Reading describes the “slow and silent” attack as a “methodical attack, where the attacker covers his tracks as he penetrates the network, sometimes ceasing the attack for days at a time to avoid raising suspicion”.  It also notes that intruders “…can turn off logging”.  What’s easy to miss is that this activity leaves tracks. Even the simple act of disabling the logging is itself logged, and frankly that action should warrant an immediate inspection - given its classic association with intruders and insiders looking to cover their tracks.

In discussing the TJX hack, the article describes this as a classic “low and slow attack.” Once inside they created new accounts which they used to tap into the TJX credit card data.

Wouldn’t it be great if there was a product that could monitor authentication activity and alert you to the creation of new accounts?  No doubt, a large retail organization has lots of turnover, so perhaps the volume of new account creation is too high… So let’s focus on group membership.  How many of those new accounts were added to the Administrators group?  How many of those accounts logged directly on to core servers, accessed the high value databases, changed firewall policies, or installed new applications?

My point is simple, all of these events can be analyzed in real-time, and any one of them is sufficient to generate an incident that should be investigated. If any of them are correlated with access at unusual times or locations, it’s likely a compromise is in progress - right now.  Whether you respond automatically, or via notification and subsequent manual response, the point is that you’re able to respond while there’s still an opportunity to protect the data.

Mid-Market Threat
Some have the mistaken notion that this topic is solely the realm of the “enterprise” organization. Given the stories that make the national headlines, it’s easy to fall into this trap, but there’s something else at work here that needs attention. A recent TechTarget article on the Heartland breach suggests that the SMB market isn’t likely to be a target for the kind of attack used to compromise the Heartland Payment Systems network.

The article reveals a common misconception that the SMB market is comprised of “mom and pop” businesses. I agree that the law firm example given in the article isn’t a likely target for this attack, but your local restaurants, convenience stores and many other retail merchants are significant targets. One case was detailed in last year’s Black Hat Las Vegas conference and represented over $1 million lost in associated credit card fraud from about 60 days of captured transaction data – using a method nearly identical to the Heartland breach.

Why do hackers target this market?

They’re often seen as easy prey, and the rewards are more than sufficient to justify a relatively small investment by the attacker. A hacker can net thousands of credit cards by capturing every transaction at a few different locations over a period of a month or two. While such a breach won’t break the Heartland record, and almost certainly won’t make the national news, that doesn’t mean midmarket businesses are not at risk.

Bottom Line:
Is forensic analysis important?  Absolutely.  It’s simply not enough.  Given the realities of today’s world, it’s time we start thinking about SIEM as a tool for prevention and focus on real-time analysis and response.  The alternative is another chalk outline around another business and another job for the forensic team.

We’re seeing similar shakeups from other VC backed competitors.

A recent 451 Group report stated that Q1 Labs is not cash flowing.  LogLogic’s CEO said the same thing in an online interview.  In addition, LogLogic just had its second reduction in force, which allegedly cut over 30% of their workforce.

I’ve also heard that LogRhythm is trying to raise capital. Bad timing… Securing additional investment in this climate won’t be kind to the current investors.

How long will the VC’s continue to fund companies with products that customers don’t want?

At TriGeo, we continue to do what we’ve always done – apply a simple formula for success.  We listen to our customers. Their feedback helps us develop an unrivaled commercial product, provide world-class service and support while being ever mindful to sound business practices.  By sticking to this simple formula, TriGeo has enjoyed sustained profitability, revenue growth and continues to be debt free. In fact, we’re forecasting 2009 to be another banner year.

If the headlines are any indication, the government can use a little help in the network and data security department, and I’d like to see it held to the same standards that it imposes on the nation’s public corporations and financial institutions.

The fact remains that the hunt for the nation’s first CTO has begun. There’s no shortage of names being considered, nor tasks that this superhero should be asked to perform. A visit to www.obamacto.org is a revealing and somewhat frightening look into the technical psyche of thousands of people who are suggesting and voting on hundreds of proposals. Given the disparate backgrounds, interests, and political affiliations, it’s no surprise that the suggestions include topics like Broadband Everywhere, Mass Transit, Space Mining and the very popular Open Government Data.

If we view the role of CTO as a technical visionary, then there may be an opportunity for the CTO to have a hand in many of these proposals. All we’ll need now is one of those “no strings” checks for a few hundred billion and we can have some serious fun.

Oh sorry, wrong department…

Assuming nothing is changing on the technology funding front, this new CTO may find that execution will be one of the biggest challenges faced.

My advice is simple: Imagine that the government is a business. (Yes, I realize that requires some serious imagination…)

Imagine that the government has products for sale and we’re the consumers. In a major corporation, the CTO would be looking for opportunities to utilize technology to give the company a strategic advantage by improving productivity and cutting costs. I can only hope that the person that gets this job can approach it with these pragmatic goals in mind. Before it gets any bigger, let’s hope the new CTO is up to the challenge of revitalizing the core infrastructure. Many US technology companies and employees would benefit and it could help provide economic stimulus to a critical sector.

While the State Department breach is relatively small, it’s newsworthy for several reasons. 

1. It’s another failure for an organization that seems to be plagued with network security challenges.  Considering they have detailed identity data on nearly 200 million U.S. passport holders, it’s reasonable to ask, “Who’s guarding this information, and how?”
   
2. We’re dealing with identity theft originating from within a branch of the federal government! 

We might be able to choose not to do business with a specific retailer, but we don’t have a choice when it comes to the government.  If you apply for a passport, your records are stored in their database, apparently easily accessible, and with little to no oversight.  While many states have passed data breach notification laws, these laws don’t seem to apply to the State Department. It wasn’t required to notify applicants that their records may have been compromised and their identities were at risk - and they didn’t notify them for over seven months.

Will the federal government be held to the same security and compliance standards that it has mandated for corporations or that states impose on businesses operating within their borders?

It seems unlikely, so we’re faced with a serious dilemma.  The national ID campaign, and of course the drive toward national healthcare will both embody massive, centralized databases that we’re “assured” will be secure.  How can we be sure as citizens that the ever-growing volume of citizen and visitor data being compiled by the government will be “secure”?

I’m not a cynic, just a practicing pragmatist.  The challenge is enormous, the risks are real, and I’ve seen little evidence to-date that suggests the problem is being addressed.  There are no easy answers, and certainly no cheap ones, but we can start by demanding the government play by the same rules they’ve imposed on business.  I’d like to see the people signing off on government IT audits held to the same standards (and penalties) that SOX places on executives.  At the very least, responsible disclosure requirements should be implemented.

I’ve recently had several calls from analysts asking about how TriGeo is faring during these uncertain economic times.  Nearly all of the analysts I spoke with are hearing that VC funded SIEM and log management vendors are being told by their investors to cut back spending…and not just back…WAAAYY Back.

During the discussion I told them all, we’re “doubling down.”  While everyone else in our space is cutting back (even Symantec is laying off nearly 5% of its workforce) TriGeo is hiring in almost every department and investing even more into our marketing and channel efforts.  We have no intention of ducking for cover - we’re forging ahead and expanding.

I see this economic downturn as an incredible opportunity for TriGeo.  We’re in the best position out of all our competitors to weather this storm.  TriGeo is profitable, cash flow positive, has a huge cash reserve and is debt free.  I’m certain you won’t find any other private SIEM vendor who can say the same.

It’s likely that the downturn will lead to the disappearance of many of the marginal SIEM and log management products on the market.  The companies selling these marginal products are alive because VC funds are keeping them afloat, not because of customer adoption.  These companies are long past the time when investment made sense to get a company off the ground.  Having these products fall away is a bit of ‘Natural Selection’ in action. This is the best possible news for consumers. They’ll get better products for better prices.

Yep, I do think this cloud has a silver lining.

California’s Governor, Arnold Schwarzenegger, vetoed the state legislator’s second attempt to pass a Consumer Data Protection Act.  While the new bill softened some provisions found in the original, such as the requirement that a breached organization reimburse financial institutions for the cost of replacing credit cards, it remained a flawed bill in many respects.

By vetoing the bill, the Governor once again concluded that adequate protection already exists. Schwarzenegger wrote, “As I stated in last year’s veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers.”

I had a chance to talk about the proposed legislation last month. During the discussion, I expressed my hope that the Governor would again veto the bill because I saw it as an inadequate attempt to define appropriate data handling requirements with only one possible outcome…litigation.

The bill meant well, but falls short of providing any significant new value and includes minimal guidance on how to minimize the potential loss of data.  Its technical focus is limited to storage and transmission suggesting that businesses:
1.      Don’t store consumer data, even if it’s encrypted
2.      Encrypt data that is being transmitted on open networks

These aren’t unreasonable requests…

Inappropriate customer data storage and transmission have been the leading culprits in several recent breaches.  Unfortunately, storage and transmission breaches are only the tip of the iceberg.  Businesses continue to lose sensitive data just through wireless access points, weak passwords, weak encryption, vendor default or contractor passwords, systems compromised by key loggers, trojans and more.  Plain and simple: If a business handles a meaningful volume of credit card data, there is a high probability someone is looking for a way to get it.

Considering all the risks, and the reality that security can be expensive, don’t we need legislation?

Perhaps… but not this legislation.

It didn’t highlight many of the possible attack vectors and PCI already enforces everything the proposed legislation would offer. Given the California bill’s shortcomings, I wonder who the target audience was for the bill.  Were they serious about requiring businesses to protect the data, or was their agenda focused on generating evidence to assign blame?

Clearly, the most meaningful consumer data protection comes from taking responsible and prudent steps to prevent data loss. Even under the best of circumstances, no one can guarantee that a loss will never occur and that’s where California led the way in disclosure legislation.  In my opinion, this legislation was ill-conceived and I hope it won’t be back.

What do you think?

Network security is often viewed as an arms race, and Black Hat is one of those venues where the arms merchants gather to display their wares, and people on opposite sides of the conflict evaluate claims and counter-claims and challenge both.

Is Virtual Security Real Security
Much of the focus this year was on virtualization, and the popular misconception that virtualized systems are “as secure” or even “more secure” than their physical counterparts – nothing could be further from the truth. As is often the case, network management and network security are at odds in this fairly new arena. The pros of virtualization are obvious – space, power, heat and cost are all significant drivers to the rapid adoption of this technology, but ignore the security implications of the virtual world at your peril.

It’s certainly easy to imagine that when multiple systems and virtual network infrastructure all coexist that it’s critical to understand that a security flaw exposes much more than a comparable physical implementation. The bottom line is that virtualized network infrastructures simply do not equate (yet) to their physical counterparts and some caution is required to ensure you understand the strengths and weaknesses of virtual networks and plan accordingly.

No Honor Among Thieves
Nitesh Dhanjani and Billy Rios’ presentation “Bad Sushi: Beating Phishers at Their Own Game“ delved into their research on phishing tools and tactics, and the underbelly of this community. While not entirely surprising, it was interesting to see the volume of ready-made sites, how little some members of the phishing community actually know, and the lucrative market for captured personal information.

Using information gleaned from one of the phishing sites they investigated, they turned to Google and found pages of credit card data readily available. This raised an interesting question. Why is it that this information, some of it only hours old, was so readily available? Their conclusion was that the free “samples” establish the sellers as “legitimate”. On the market front, it seems that Gold and Platinum cards, complete with CCV, sell in packs of 100 for $2,500 and 500 for $5,000 (prices subject to change without notice.)

It was fun to hear of the duo’s effort to break into the world of phishing, and that a “mentor” assisted them with code that would have sent a copy of anything they collected directly to their new cyber-friend. Clearly, the prevailing rule is the law of the jungle where Big Phish eat Little Phish. The community does attempt to police itself with blacklists that expose “unscrupulous phishers” – an amusing oxymoron.

Get Rich or Die Trying
One of the more entertaining presentations this year was “Get Rich or Die Trying - Making Money on The Web, The Black Hat Way”, by Jeremiah Grossman, Arian Evans. They stated at the outset that some of the techniques demonstrated could yield significant financial reward, and while some might even be “legal”, they could stretch the envelope of one’s ethics.

There was the case of the woman that discovered QVC would send her free merchandise if she simply ordered and then canceled. The $412,000 she made exploiting the cancellation system flaw and reselling the “QVC packaged” items on eBay ultimately led to her discovery and conviction for wire fraud. In another example, an Estonian financial firm discovered that it was possible to view embargoed press releases (releases scheduled to be made public on a specific date in the future). The SEC investigation estimated they made over $8 million trading on this information.

These are just a few of the many Black Hat approaches to making money on the web that were discovered and tested by some creative (if not always bright) people, cataloged for us in this presentation, and presented as education and temptation - just in case that day job doesn’t work out.

Apparently, the firm’s USB policy was to glue the ports to prevent their use, and they missed one. An insider took advantage of this hole in their security, and every Sunday evening for approximately 2 years, this individual allegedly copied approximately 20,000 customer records to a USB mass storage device.

Let’s just examine this scenario for a moment. I appreciate that in a large organization it can be costly to deploy desktop-based solutions that monitor and prevent the use of USB storage devices. I also pity the poor guy that ran around with a glue gun, and question how they addressed USB keyboards and mice, but let’s be honest - the glue, or lack thereof, was not the problem - not on one PC, not on a thousand.

Countrywide has databases full of highly confidential, and extremely valuable information - valuable both to the company, and obviously on the black market. Naturally, that begs the question, was the glue their only access control method? Were they so confident in its ability to thwart all attacks, that database auditing, user identity and access monitoring or even basic application auditing were completely ignored - for two years?

It’s easy to rush to judgment, but from the publicly available information on this case, there was an obvious breakdown in event monitoring. I suspect that Countrywide, like most organizations, employs many layers of network defense, and these defenses are generating a literal ocean of log data. As is often the case, it’s simply impossible to do an effective job of analyzing this data without some form of automation. In some cases, the data is captured and stored for search and compliance purposes, but without correlation and analysis this data lacks a critical ingredient: context.

What do I mean by context? Let’s examine what we know about this situation, and that will put the “context” of this situation into perspective.

Obviously, the employee in question possessed whatever physical access control was needed to get into the building. He also had perfectly valid credentials to access the network. Likewise, he was an authorized user of whatever application provided access to the customer data. When viewed as individual data points, there’s nothing unusual in this information and assuming all of this activity was logged, and archived for compliance, theres really nothing suspicious about this activity — and no reason for it to have captured anyone’s attention — and it never did.

Now, let’s give this same information some critical “context”. The employee entered the building on Sunday evenings, logged onto a workstation, fired up some application, queried the database, retrieved 20,000 records, inserted a USB mass storage device and copied the data to that device - from a workstation that was not even his normal location.

Let’s look at this as it could been seen with event correlation:

• Physical access outside business hours
• Network access outside business hours, from an unusual location (the exposed PC)
• Application access outside business hours, from an unusual location
• Database access outside business hours, from an unusual location, resulting in over 20,000 records being retrieved
• Insertion of a USB mass storage device (a policy violation, but they were blind to this activity)
• Copying data to the USB device (again, the organization was blind to this activity)

When viewed as whole, a picture of clearly suspicious activity emerges — that’s context.

Is it reasonable to expect that they could have seen this picture? Absolutely!

Assuming that Countrywide has fairly typical security systems and audit best practices in place, this activity would have generated a significant audit trail that could have been correlated, in real-time, to alert the security team to some highly suspicious if not clearly malicious activity.

The lesson here goes well beyond the Superglue Security hole. Identity, access, application and location data is readily available in most environments, but without correlation this data lacks the context needed to detect and prevent insider abuse. It’s the ability to provide real-time correlation that distinguishes security information and event management (SIEM) technology from log management, aggregation and search-based products. TriGeo SIM, for example, ships with over 650 correlation rules — that includes “out of the box” rules that could have easily identified the activity listed above, notified the security team, and even stopped this guy in his tracks.