News

Verizon study finds what’s on the inside counts, too

July 14, 2008

According to an article in Dark Reading, a recent study from Verizon Business points out that your network’s greatest threat may be neither outside attackers nor poor internal configuration alone, but a catastrophic combination of both.

The study, based on 500 forensic investigations between 2004 and 2007, showed that while 73 percent of breaches can be traced to external attackers, those attacks are made possible by in-house staff erroneously overlooking their systems’ security flaws.

Even though insiders directly caused only 18 percent of security breaches, 62 percent of breaches could be attributed to a significant error in internal security practices. Even more alarming was that someone outside the organization discovered 75 percent of breaches. Often these were errors of omission where staff believed that security procedures or configuration changes were implemented, but in reality they were not.

The study characterizes these attacks as crimes of opportunity, made possible by system security practices that close the front door but leave the back door open. Verizon went on to assert, “87 percent of the breaches probably could have been avoided through the proper enforcement of security controls.” As Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions states, “It really boils down to doing the basics, from planning to implementation to monitoring of the data.”

No tool provides more complete monitoring than a real-time Intrusion Forensics System such as the Q5 from NeuralIQ. With real-time monitoring, any action that could potentially affect the computer’s security is detected, analyzed, and reported to your security staff. With a Q5 you can go even further: find vulnerabilities in a test system that you never planned for in your security policy, close the holes, and prepare your production systems BEFORE attackers have any opportunity to exploit the discovery. The Q5 opens every transaction on a protected system, both internal and external, to your security staff and gives them the tools to find previously undiscovered vulnerabilities before an outside organization finds them for you.

Gartner Security Summit Sizes Up An Evolving Landscape of Threats

June 3, 2008

This week in Washington, D.C., security experts, analysts and even a few science fiction authors gathered at the Gartner Security Summit to talk about the next big cyber threats. Two of the most interesting trends involve threats arising from the exploding use of social networks and software as a service (SaaS) providers.

In both cases, attackers can direct attacks toward several organizations at once by first compromising SaaS and social network services and then abusing the trusted relationship between users and the site to deliver malicious code. Because services like SaaS and social networks are typically provided over encrypted connections, signature-based security is rendered completely ineffective.

John Pescatore, vice president and research fellow at Gartner, told Dark Reading that, “The attacker could go after Procter & Gamble—or salesforce.com, which P&G uses, as well as hundreds of others. They are going after shared code – software as a service, etc. – to magnify the impact of the attack.”

As the Dark Reading piece points out, the conventional response would be to bar the use of unmanaged and potentially risky apps from the enterprise. But this bunker mentality not only deprives organizations of the significant value and power of tools like SaaS, social networks and virtual worlds; it may also prove untenable in the future.

“We’re finding a lot of clients calling it a ‘Generation X/Generation Y problem,’” Pescatore told Dark Reading, “where young users who have grown up with social networks and smart phones expect to be able to use these tools not only at home, but at work. The old IT model that tells you what you can do and use [technology-wise] is breaking.”

In addition, “There will be more tools to reverse-engineer enterprise applications on Websites,” Pescatore says. “Within two to three years, these reverse-engineering tools will be so easy to use that the next round of application-level attacks will be against every type of software you can think of.”

In such a climate, the already overwhelming pace at which new attacks outrun the capacity of conventional security to handle them will only accelerate. Real-time cyber intelligence tools, such as NeuralIQ’s Q5 Intrusion Forensics Systems, which give organizations the power to identify and respond to attacks in real time, are integral to meeting future security challenges. The Q5, for example, is able to peer directly into system memory, beneath the encryption layer, so attacks over encrypted channels are laid bare. The information threat landscape is constantly evolving. Shouldn’t your security do the same?

NeuralIQ Q5: A New Category in Information Security

February 4, 2008

Putting NeuralIQ Q5 into a category like other security products is difficult. In fact, NeuralIQ Q5 establishes a new category: the Intrusion Forensic System.

Most security products have a limited range of detection and protection. Some work on the network, some on the host. Those on the network have only a narrow range of detection. Several vendors have moved to Unified Threat Management (UTM). UTM refers to a comprehensive security product that includes protection against multiple threats; a UTM product typically includes a firewall, antivirus software, content filtering and a spam filter in a single integrated package. As a result, UTM is only as good as the weakest component in its package. If the antivirus scanner is excellent but the firewall in the system is not tuned appropriately, your protection is compromised.

No network traffic or host activity escapes Q5 detection. NeuralIQ Q5 Intrusion Forensic System enhances protection at every level of the network stack. Regardless of which systems you use to protect your hosts and network, Q5 can make your systems smarter, more agile, and easier for you to use.

Feature: Visualize Operating System and Attacks in Real Time

October 29, 2007

Neuralon is a next-generation interface for visualizing operating system activity. It’s a three-dimensional graph that takes data captured by NeuralIQ’s Q5 Series intrusion forensics systems and converts the data into an interactive tool for monitoring, navigating, and analyzing attacks in real time. Nodes are coded to represent processes, ports, and attackers. Neuralon allows users to quickly identify what processes are under attack, the port over which the attack is made, and the attacker initiating the connection.

Neuralon can be used to monitor system activity live, or you can use it as a time machine, allowing you to visually search your system’s interactions in the wild. Scrub through the event line to locate regions of interest. Tens of millions of database rows containing valuable forensic intelligence are at your fingertips without having to pore through massive logs. Fully integrated into NeuralUI, the frontend for the Q5 Series, users can drill down into exactly the detailed forensic information they need, including attacker history, packet stream visualization, and host activity.

Event Horizon: The World’s First Real-Time Forensic Honeygrid

September 10, 2007

Last night NeuralIQ launched Event Horizon, a global network of high-interaction honeypots that are subject to real-time forensic analysis. Built from NeuralIQ’s Q5 series of intrusion forensics systems (IFS), Event Horizon collects signatures, reverse-engineered shellcode, and vulnerability data acquired by the honeygrid and pools them into a central database.

Event Horizon, which is named after the maximum observable distance in the universe, reflects the Q5’s ability to capture all operating system data for virtualized guest decoys while remaining completely outside the decoys, within the host hypervisor. All interaction with the decoys is funneled into the Q5’s multi-layered forensics engine while remaining invisible to attackers.

Because Event Horizon receives signatures, exploit code, and a wealth of forensic intelligence in real time, it marks the first time that the security industry will have the ability to mount a zero-day response to zero-day attacks.

“Information security has found itself in a reactive posture for too long,” said NeuralIQ CTO Alen Capalik. “Researchers will never be able to predict all the ways attackers will circumvent their defenses and exploit their systems. Yet by learning directly from attackers in real time and pooling that knowledge, at least we can tip the balance of power back into our favor.”

The rapid analysis and collection of intrusion intelligence from around the world also gives a whole new view to “the anatomy of a hack.” In addition to making otherwise static, signature-based systems much more agile and giving security professionals the information they need to close vulnerabilities at their source, Event Horizon offers the promise of observing attack patterns as they evolve on a global scale.

“The power of a single IFS is formidable. When you start connecting these systems around the world and let them learn from each other, however, the possibilities are truly extraordinary,” said CEO Stan Eramia. “Right now we’re just excited to be collecting data, but over the coming months, things are really going to start getting interesting.”

Can Signature-Based Systems Survive?

July 20, 2007

Static signature-based detection took another knock on the chin today in an article posted at Vnunet.com. Although the article focused on a report issued by anti-malware firm PC Tools, known primarily for its desktop solutions, the trends identified by the security company’s chief threat officer, Kurt Baumgartner, are applicable across the industry:

“The security space is changing rapidly. We are witnessing a major shift in the anti-malware marketplace, moving into a new era of Malware 2.0,” Baumgartner told Vnunet.com.

“We are now dealing with zero-minute, rather than just zero-day, exploits that have the potential to further evade signature detection,” he added.

Baumgartner’s report identified the following trends:

  • The sheer volume of malware variants is overwhelming researchers, and malware authors are taking advantage of the increased lag time before signatures for these attacks can be generated manually.
  • New techniques are being used to make threats more difficult, if not impossible, to detect with traditional signature-based systems.

Fran Howarth, a partner at analyst firm Hurwitz and Associates, concurred.

“Signature-based detection is dead, be it for antivirus, intrusion detection or any other security measures,” Ms. Howarth told Vnunet. “Security companies are currently just playing a game of catch up.”

Electronic Trading: Is Something Broken With FIX?

July 10, 2007

Financial services firms, investment banks, and stock exchanges are built on the notion of taking acceptable risks, but the biggest risk they face may lie on their own networks.

David Goldsmith, CEO of Matasano Security, told Dark Reading last week that FIX, the application-layer protocol used by the financial services industry for automated trading, is surprisingly vulnerable.

“For the most part, when you look under the hood of these protocols we find almost no means of security,” Goldsmith says.

The FIX protocol website estimates that 75% of buy-side and 80% of sell-side financial services firms use FIX for electronic trading, and a recent survey by TowerGroup showed plans for expansion on both sides of the transaction.

The survey also found that more than three fourths of all financial exchanges queried support FIX in their applications, as do most major stock exchanges and investment banks.

Despite its widespread use, Goldsmith said applications written to the FIX protocol are vulnerable to denial-of-service, session hijacking, and man-in-the-middle attacks. Applications are also vulnerable to monitoring by criminals, who use trading patterns and timing information for financial gain.

These attacks are especially dangerous, since the real-time nature of markets means that losses incurred due to exploits are often immediate and irreversible.

Goldsmith also said that traditional security tools won’t really help the situation. “You’re not going to find that the IDSes of today are supporting FIX, or vulnerability scanners are finding FIX vulns,” he says.

Application profiling is especially difficult, added Goldsmith, since “these systems cannot be [taken] offline.”

NeuralIQ CTO and founder, Alen Capalik, has more than a decade of experience with FIX, having worked as network architect and security specialist for financial services firms, banks, and national exchanges. If you would like to learn how the NeuralIQ Q5 series of intrusion forensics systems can help secure FIX for your organization, please contact us.

Virtualization and the Need for New Security Tools

June 24, 2007

Virtualization has become a hot technology, but with incredible cost benefits and increased agility come new challenges for security professionals.

Fifty percent of IT professionals are already using virtualization or plan to do so within the next 18 months, according to a survey released last week by emedia. But as Gartner’s Neil MacDonald recently pointed out, the advent of virtualization brings its own attendant risks. “Virtualization, as with any emerging technology, will be the target of new security threats.”

Unfortunately, these threats will not be met by rote deployment of existing tools and strategies. “Many organizations mistakenly assume that their approach for securing virtual machines (VMs) will be the same as securing any OS and thus plan to apply their existing configuration guidelines, standards and tools,” said MacDonald.

The Importance of Vulnerability Research

June 6, 2007

Testing in-house and vendor-built software for security holes should be an enterprise priority, said a group of vulnerability research experts speaking on a panel at the Gartner IT Security Summit in Washington, D.C. this week.

“If you don’t find the problems, someone [else] will find the problems,” said Chris Wysopal, co-founder of Veracode. “If you leave crumbs on the floor the ants are going to show up. That’s a huge liability … for your company.”

A Gartner electronic poll of 1,000 attendees indicated that the majority of organizations are relying on scanning tools for their vulnerability testing.

The panel agreed that scanning tools alone are not sufficient, but the alternative, reverse engineering, is a daunting one: it is an expensive and skill-intensive endeavor.

Gunter Ollmann: Counting Vulnerabilities

June 1, 2007

IBM Internet Security Systems analyst Gunter Ollmann blogs about the actual number of security vulnerabilities at the FrequencyX blog. He writes:

If you have read the 2006 Trend Statistics report – you will have observed that X-Force tracked, analyzed and researched 7,247 public vulnerability disclosures last year. If you’re also following the X-Force Threat Insight Monthly report, you’ll see that there’s already been over 2,500 new vulnerability disclosures in 2007.

But, as Ollmann points out, that represents only the number of “public” vulnerability disclosures. The actual number of security vulnerabilities is much, much greater:

Summing it all up, then we’re probably looking at around 132,115 non-public vulnerabilities for last year – making a grand total of 139,362 new vulnerability discoveries (give or take quite a few).

A few of Ollmann’s conclusions:

  • If you’re basing your protection strategy upon keeping up solely with public vulnerability disclosures, you’re missing almost 95% of the vulnerabilities actually out there (this year).
  • If your defense systems are designed to protect against specific vulnerabilities (i.e. signature-based) – it probably means that they were designed to protect against a subset of publicly disclosed vulnerabilities. Preemptive protection engines are needed for the remaining 97% of annual vulnerabilities.

Network World’s Bruiser Picks NeuralIQ at Interop

May 25, 2007

“After all the hype and pomp about security networks has come and gone this year at Interop, it’s a relief to find at least one company with the vision to see much of the security industry is still standing around in its birthday suit and the insight to do something about it.

NeuralIQ is security technology for the 22nd Century.”

NeuralIQ Featured in Dark Reading News

May 24, 2007

“A security startup here is demonstrating technology that could make honeypot technology more manageable and practicable for security teams in large organizations.”