NeuralIQ Government Services Names Mary Beth Long Senior VP

Former Department of Defense Deputy Secretary joins cyber intelligence company

KIRKLAND, Wash. — Feb. 4, 2010 - NeuralIQ, Inc., the only provider of real-time network intrusion forensics, announced the Honorable Mary Beth Long has assumed the role of Senior Vice President at NeuralIQ Government Services, Inc.

"Cyber crime and cyber warfare are serious threats to our national security, as well as our economic well-being," Ms. Long said. "I look forward to working with NeuralIQ to provide our partners with the intelligence necessary to defend against these alarming attacks."

Ms. Long's most recent Federal position was the Assistant Secretary for International Security Affairs at the U.S. Department of Defense. In that position, Ms. Long advised the Secretary of Defense on strategy for the Middle East, Arabian Gulf, Europe and Africa. Ms. Long served as the Acting and the Deputy Assistant Secretary for two years prior to her appointment to the position. Previously, Ms. Long oversaw and directed domestic and international counter-narcotics operations as the Deputy Assistant Secretary of Defense for Counternarcotics.

Before joining the Department of Defense, Ms. Long worked for more than ten years at the CIA, and practiced law with Williams & Connolly LLP. She graduated with honors from the Washington and Lee University School of Law, and earned a Bachelor of Arts from Pennsylvania State University.

"With her background in international issues and the intelligence community, Mary Beth brings vast, recent experience and global perspective to the NeuralIQ team," said Admiral William J. Fallon, U.S. Navy (Ret.), CEO of NeuralIQ Government Services, Inc. "Her knowledge of international security matters and well-known ability to get results will help us immensely."

NeuralIQ Government Services, Inc., is headquartered in Alexandria, Va. A subsidiary of NeuralIQ, Inc., the company provides sales and service to federal, state and local government agencies.

About NeuralIQ

NeuralIQ enables organizations to see, understand and counteract cyber attacks that conventional security products cannot detect or decipher on their own. Generating real-time intrusion forensics, NeuralIQ’s Event Horizon is a critical new component to a comprehensive security strategy. Armed with actionable intelligence, targeted organizations may protect their high-value assets against their most sophisticated threats. NeuralIQ has offices in Kirkland, Wash.; Alexandria, Va.; and Santa Monica, Calif. For more information, visit www.neuraliq.com.

###

Contact:
James Whitfield
NeuralIQ
(206) 852-5381
jwhitfield@neuraliq.com

NeuralIQ Government Services Names Bill Stacia Operations Director

Former Naval officer to direct operations at cyber intelligence company

KIRKLAND, Wash. — Jan. 28, 2010 - NeuralIQ, the only provider of real-time network intrusion forensics, announced Bill Stacia as Director of Operations at NeuralIQ Government Services, Inc.

"I am honored to join the NeuralIQ Government Services team," Stacia said. "NeuralIQ's Event Horizon is a resource that can make a real difference in our national security."

Stacia retired in June 2009 from the U.S. Navy. During his 26 years of service, he served in many positions of responsibility and leadership, including command of the nuclear submarine USS Cheyenne and the Joint Maritime Facility in St Mawgans, U.K. He is a graduate of the U.S. Naval Academy and has a master's degree in International Relations from the Fletcher School of Law and Diplomacy, Tufts University.

"The competence and drive that propelled Bill throughout his distinguished Naval career will provide an invaluable catalyst for the NeuralIQ team," said Admiral William J. Fallon, U.S. Navy (Ret.), CEO of NeuralIQ Government Services, Inc.

NeuralIQ Government Services Inc., is headquartered in Alexandria, Va. A subsidiary of NeuralIQ, Inc., the company provides sales and services to federal, state and local government agencies.

About NeuralIQ

NeuralIQ enables organizations to see, understand and counteract cyber attacks that conventional security products cannot detect or decipher on their own. Generating real-time intrusion forensics, NeuralIQ's Event Horizon is a critical new component to a comprehensive security strategy. Armed with actionable intelligence, targeted organizations may protect their high-value assets against their most sophisticated threats. NeuralIQ has offices in Kirkland, Wash.; Alexandria, Va.; and Santa Monica, Calif. For more information, visit www.neuraliq.com.

###

Contact:
James Whitfield
NeuralIQ
(206) 852-5381
jwhitfield@neuraliq.com

James O'Neill Joins NeuralIQ Board

Former Siemens CEO joins board of directors at network security company

KIRKLAND, Wash. — Jan. 21, 2010 - NeuralIQ, the only provider of real-time network intrusion forensics, today announced that James R. O'Neill has joined their Board of Directors.

"The risk posed by targeted cyber attacks to large corporations is enormous, and NeuralIQ is one of the few companies that can help," O'Neill said. "I'm glad to be a part of this truly promising enterprise."

Formerly the CEO of Siemens Enterprise Communications, O'Neill brings more than 30 years of technology industry experience to NeuralIQ. Prior to Siemens, O'Neill served as chairman and CEO of CompuDyne Corporation, a leading provider of products and services to the public securities market.

"Jim brings a staggering amount of technology industry experience to NeuralIQ," said Matthew Bergman, Chairman of the NeuralIQ Board. "We're looking forward to Jim's contribution in getting our message out."

From 2002 to 2008, O'Neill served as corporate vice president and president of Northrop Grumman Corporation's Information Technology (IT) sector, one of the world's premier providers of advanced IT engineering and business solutions for government and commercial clients with 2007's revenue exceeding $4.5 billion and more than 100 offices worldwide. In addition, O'Neill was responsible for the company's entire IT shared-service organization, which managed and implemented enterprise solutions in partnership with the company's corporate office. O'Neill maintained senior executive relationships with companies such as Cisco, IBM, Hewlett Packard, Microsoft, Oracle, Avaya and others.

About NeuralIQ

NeuralIQ provides network security intelligence to commercial and government organizations to protect their most valuable digital assets against targeted cyber attacks. Generating real-time intrusion forensics, NeuralIQ's Event Horizon security appliance enables administrators to discover, understand and counteract the most complex threats as they happen. NeuralIQ has offices in Kirkland, Wash., Alexandria, Va., and Santa Monica, Calif. For more information, visit www.neuraliq.com.

###

Contact:
James Whitfield
NeuralIQ
(206) 852-5381
jwhitfield@neuraliq.com

NeuralIQ Names Craig Husa CEO

Veteran technology executive and entrepreneur to lead network security company

KIRKLAND, Wash. — Jan. 7, 2010 - NeuralIQ, the only provider of real-time network intrusion forensics, announced Craig Husa will immediately assume the position of President and Chief Executive Officer.

"I'm excited about NeuralIQ and the breakthrough technology we've developed for protecting vital digital assets," Husa said. "The network security landscape has changed dramatically recently and I believe NeuralIQ is positioned for strong growth as a result."

Husa most recently served as President and CEO of General Software, a developer of embedded firmware that was acquired by Phoenix Technologies (NASDAQ: PTEC) in 2008. Earlier, Husa led Healia to an acquisition by Meredith Corporation (NYSE: MDP), a $1.6 billion publisher of print and online properties. Husa was a co-founder and Senior VP of CourtLink, which was sold to LexisNexis in 2001.

"Craig has start-up experience, growth experience and three acquisitions under his belt," said Matthew Bergman, Chairman of the NeuralIQ Board. "He's a solid tech executive with a stellar track record. We're very pleased to bring him on board."

About NeuralIQ

NeuralIQ provides real-time intrusion forensics for Windows and Linux networks. Rooted in honeynet methodologies, NeuralIQ's Event Horizon network security appliance mirrors production networks with undetectable, secure clones to trap intruders and let network managers understand threats as they happen. NeuralIQ has offices in Kirkland, Wash., Alexandria, Va., and Santa Monica, Calif. For more information, visit www.neuraliq.com.

###

Contact:
James Whitfield
NeuralIQ
(206) 852-5381
jwhitfield@neuraliq.com

UC Berkeley Hacked, 160,000 at Risk

May 8, 2009

Hackers successfully penetrated the health services network at the University of California at Berkeley, potentially jeopardizing the identities of 160,000 members of the university body and its affiliates.

Students, alumni and others whose information was hijacked are further compromised by the fact that many of their social security numbers were also appropriated in the breach. Shelton Waggener, UCB's Chief Technology Officer, tried to allay concerns by focusing on the challenges hackers face in associating personal data with the social security numbers.

What is truly alarming is that this large-scale compromise went undetected for six months. The server breach began on October 8, 2008 and was not exposed until April 9, “when a campus computer administrator doing routine maintenance discovered messages left by the attackers.” When asked, Waggener said logs indicated the attacks originated from overseas, “primarily in the Asian theater.”

Still in the Lab: Oak Ridge's “Autonomous Defenders”

March 9, 2009

At the U.S. Department of Energy’s Oak Ridge National Laboratory, researchers have created SILENT STORM—the prototype for an “intelligent, self-healing intrusion protection and prevention system” (IDS/IPS) deployed as a colony of replicating “cyberrobots,” or cybots. The idea is for the intrusion-detecting cybots to reside among a set of network-connected hosts to form a distributed framework for detecting and reacting to attacks. If any cybot detects an attack, it communicates that finding to other cybots for corroboration; if multiple anomalies are detected, an alert is sent to the colony’s command and control host.

ORNL believes that SILENT STORM is a response to the limitations of today’ commercial IDS/IPS offerings, which are seen as producing a high rate of false positives, unable to learn from new patterns, and whose nodes can’t communicate with each other automatically to respond to attacks. However, while based on 10 years of development, SILENT STORM is still years from being ready for use outside the lab.

CWE/SANS Top 25 and other lists highlight lack of attack visibility

February 16, 2009

In January and February 2009, MITRE and SANS Institute announced joint publication of 2009 CWE/SANS Top 25 Most Dangerous Programming Errors. This publication marks a significant milestone in the software user community’s movement toward identifying best practices for closing security-related vulnerabilities in packaged software. The list was drawn up by over 40 top software security experts in the U.S. and Europe out of over 700 software problem definitions tracked by MITRE’s Common Weakness Enumeration (CWE™) project.

Publication of the CWE/SANS Top 25 follows the releases in 2007 of the 2007 Top 20 Security Risks from SANS Institute and the Top 10 2007 from the Open Web Application Security Project (OWASP), each of which describes the most significant and well-defined security-related vulnerabilities widely found in today’s Internet-facing systems.

Beyond providing valuable information, the lists also represent a measure of “pushback” by the user community, indicating their concerns over the pace of efforts by the packaged software and IT security industries to provide solutions—this while operators of sensitive systems face increasingly costly and well-publicized data breaches and an accelerating rate of new disclosures of high-severity vulnerabilities. Helpfully, customers can employ the three lists as baseline metrics for assessing the robustness of vendors’ offerings, whether guaranteed by that vendor or validated by a third party.

On the other hand, the lists indicate the seriousness of certain “host-based” vulnerabilities found at all levels of users’ installed software stacks. For instance, roughly one-half of the CWE/SANS Top 25 list’s items, including the nine vulnerabilities under the “Risky Resource Management” category, represent exploitable defects in the host’s behavior—that is, at the operating system syscall or services levels or relating to how the software stack uses “important system resources”. Surveilling your servers’ inner workings in true stealth hasn’t been achieved in today’s IT security marketplace, which has concentrated on enforcing account or access privileges and probing network traffic. Because system defenders have almost zero visibility into host behavior, an attacker’s techniques and targets can’t be identified until after your digital assets have “left the building.”

Targeted, methodical attacks can be the most dangerous, experts say

January 14, 2009

IT security commentators have recently noted the danger to enterprises posed by targeted attacks that unfold over many days or weeks. A common theme is theft, or acquisition in stealth, of privileged login credentials, perhaps after the attacker exploits an application vulnerability or taps a communications channel. Those credentials give the attacker the access to navigate among the victim's high-value information assets and the time to cover his or her tracks, such as by silently changing important application configurations and disabling the logging of sensitive operations.

For this kind of methodical, “low and slow” attack, the attacker might allow days or weeks to pass between the attack's stages to avoid raising suspicion. This provides plenty of time for new accounts to be created and additional malware to be installed. A particularly disturbing scenario is for the attacker to become a “long-time resident,” gradually modifying sensitive applications and inflicting damage in less easily detectable increments.

To protect against the “resident” attacker, the experts offer various qualified suggestions. First, as the commentator admits, “You can't fight what you can't see,” so system defenses must include reliable tools for monitoring sensitive system accounts and application behaviors. Second, identifying a multi-stage attack might require keeping longer-term logs than is the enterprise's current practice. Third, identifying and limiting the “reach” across the enterprise's systems of each privileged account are important but can result in operational confusion.

Confronting the diminishing returns of today's security technologies

January 8, 2009

With arrival of the new year, IT security commentators have posted a wide range of predictions for 2009. One author anticipates several developments that hint at the diminishing returns of funds spent on some of today's widely deployed security solutions.

Operating system vulnerabilities—The author predicts an increase in hybrid attacks targeting web servers and browsers as well as the OS itself. Also cited elsewhere, the logic here is that the 2009 release of Windows 7 and the growing popularity of the Mac OS and Linux platforms provide more low-hanging OS fruit of uncertain robustness for malware to probe. The industry's response would be a renewed focus on host-based security rather than traffic probing and log inspections.

Application heuristics—New code-obfuscation tools (Metasploit 2.3) represent the culmination of the long-term “strain” on the antivirus industry, which in 2008 innovated by locating the signature database “in the cloud” to cope with the anticipated millions of new malware variants. Predicted, on the other hand, is a technological movement toward monitoring application behavior to flag the presence of malware.

Security training—Also anticipated is more spending on security training, so that more intelligent procedures and practices as well as defensive user behaviors and coding practices are employed to augment the fundamental limitations of today's security technologies.

Reacting faster to zero-day attacks

December 19, 2008

In a blog's recent guest editorial, a commentator offers a “pragmatic” point of view regarding how the IT security professional should respond to published notices of zero-day attacks: the vulnerabilities found day-to-day by security researchers do not necessarily translate into risks that must be addressed in short order by an IT staff. Because he believes “the sad truth is that a true zero-day attack will own us all,” the commentator suggests that IT staff concentrate their efforts on the traditional approaches of hardening configurations of Internet-facing devices and monitoring networks, servers, and databases for anomalous behaviors that, he believes, are the detectable precursors to a zero-day attack. “React faster” is the focus of his pragmatic strategy.

The reality behind this commentator's advice is, the operating system and application vulnerabilities that are already publicized but not yet figuring into a documented attack at a given site do represent a risk of loss to the enterprise. As the commentator acknowledges, because the IT industry has “failed miserably in predicting much of anything through time,” the enterprise faces true risk from any identified vulnerability. Apparently, this commentator accepts that losses from zero-day attacks are the “price” of an enterprise's “admission” to the Internet, while merely hoping that the sizes of such losses aren't prohibitive.

PCs can be "open windows" for breaching an organization's network

December 3, 2008

The vulnerabilities of Windows PCs to cyberattacks have become highly visible due to press reports. For example, a Computerworld article cites a vendor study that found 98 percent of Windows computers use at least one unpatched application and nearly half contain at least 11 applications that are at risk from attack, with both figures worse than those from a similar survey by the same vendor 11 months prior. Also consider the report of an experiment in New Zealand by IBM and NetSafe, publicizing International Computer Security Day, in which four unprotected PCs connected to the Internet received a total of 112 direct attacks in only two hours, with one of the four computers rendered unusable after 1 hour and 40 minutes.

Of course, many of the attacks against PCs target nontechnical users—that is, consumers of goods and services available over the Internet—with the twin goals of (1) harvesting personal identifying information, including financial accounts information, and (2) adding compromised PCs, one by one, to one or another botnet.

Today, web surfing is the most prevalent pathway for malware infection on PCs. Examples of specific vectors are “drive-by” downloads of malware files from compromised web pages, web pages containing JavaScript that opens specific rogue HTML pages from which malware can be mistakenly downloaded, and takeover of an entire domain for hosting a rogue web server that offers disguised malware for downloading.

The dangers of compromised PCs connected to your organization's network are legion—from rapidly propagating malware like Agent.btz to loss of control over a domain controller's password hashes. And each downloaded payload can be obfuscated by the malware author to deceive even the latest database of signatures provided by a reputable intrusion prevention system (IPS) vendor.

One must therefore conclude that the notion of all your organization's PCs repelling all web-based threats at all times is not realistic. A strategy for information security that relies mainly on post-mortem log inspections and signature updates cannot possibly keep pace with today's multipronged, multistepped, and remotely controlled attacks.

Deep threat: compromise without malware

November 4, 2008

A recent Dark Reading article identifies a paper from researchers at the University of California at San Diego that describes a programming framework for crafting arbitrary code without injection of malware and triggered via a buffer overflow. In call stack memory, the attacker stitches together calls to specific sections of an application's own linked code (such as libc) in order to perform practically any task permitted under the application's own privileges. Because no malware is downloaded to the target host, no detection by an anti-virus tool or intrusion detection system is possible. Though this kind of “return-oriented programming” exploit is not new, the paper goes beyond previous public discussion by describing how to implement a full-featured code library for surreptitious low-level host compromise.

Data record exposures at state and local agencies outnumber those at Federal agencies during 2008

October 30, 2008

The Privacy Rights Clearinghouse recently reported that state and local governments experienced breaches of data records for 3.8 million Americans during the first nine months of 2008, including a single incident at the Colorado Division of Motor Vehicles that exposed records for 3.4 million people. Discounting the Colorado incident, this places the number of records exposed at state and local agencies well ahead of the number exposed at the Federal level (five breaches against records on 23,024 individuals) during the same time period.

One commentator attributed the relatively better results for Federal data sites to the use of standardized processes and controls required under the Federal Information Security Management Act and to the fact that there is no similar standard in place for state and local governments. However, scepticism about the timeliness of incident reporting from Federal sites has been voiced by other observers.

Uncertainty about attackers' anti-forensics techniques noted in Verizon Business team report

October 13, 2008

As identified in the previous blog entry, the “2008 Data Breach Investigations Report,” published recently by the Verizon Business RISK Team, summarizes the key results from an analysis of more than 500 forensic engagements by the Verizon Business Investigative Response team over the four-year period 2004 through 2007. The report presents data indicating that in the majority of the caseload incidents, the victimized organizations required weeks to months to both discover and mitigate data breaches and that the vast majority of breaches were discovered not by internal means but by notification by a third party.

The report's authors address the possibility that the significant lag time experienced was the result of the attackers' use of anti-forensic techniques to conceal evidence of their actions (page 24). An example of such a technique is securely modifying or deleting critical log files. Furthermore, the report authors state that the Investigative Response team found evidence of anti-forensics use in 39 percent of the caseload.

Ineffective response causes lags in detection and mitigation of data breaches, says Verizon Business team report

October 6, 2008

The “2008 Data Breach Investigations Report,” published recently by the Verizon Business RISK Team, summarizes the results of more than 500 forensic engagements by the Verizon Business Investigative Response team over the four-year period 2004 through 2007. The report contains dozens of salient discoveries about the circumstances of data thefts due to outsider, insider, and business partner activities.

The report identifies three phases that encompass the events leading up to and following a data breach: attacker point of entry to data compromise, compromise to discovery, and discovery to mitigation. The report offers startling findings about the differences in time spans among the phases of data breach events addressed in the team's caseload (page 22). In almost half (47 percent) of the incidents' “point of entry to compromise” phase, attackers required only minutes to hours to identify and attack their desired target data, indicating that attackers likely had prior knowledge of the victim's systems.

However, in 63 percent of cases the “compromise to discovery” phase encompassed months, and in 62 percent of cases the “discovery to mitigation” phase encompassed weeks to months. Also remarkably, in a substantial majority of cases the victimized organizations became aware of data breaches through notification by a third party rather than through internally deployed detection techniques.

The report's authors conclude that, though most organizations investigated for this report have the technology and know-how to detect and respond to data compromise events, those organizations seldom did so (page 23). Given today’s state of the art in network security response, the authors' diagnosis goes no further than to surmise that the organizations experienced breakdowns in their own processes for collecting, analyzing, and reporting on “anomalous log activity.” Later in the report, the authors again identify poor monitoring and response to network events as a key contributor to data breach events, even though 82 percent of such breaches were preceded by detectable precursor events (page 27).

Closing the gaps between detection, mitigation, and remediation

September 18, 2008

In a recent blog post, the commentator Robert Richardson describes the steps he took to deal with a malware infestation that loaded the deceptively named “MS Antivirus” program on his computer. Richardson figures that some number of files on his computer were modified but admits that the time required to unravel the details of the malware's behavior would likely be more than he can spare.

For an even more serious malware intrusion on your sensitive networks, the cost of supporting forensic evaluation of compromised assets can scale rapidly. Detection this late in the attack cycle severely limits opportunities for both mitigation and remediation. Since attacks usually target multiple machines, the cost of incident handling rises dramatically with every lost minute. On the positive side, however, the knowledge gained from a timely analysis of an attack increases in value as it is reused in multiple contexts at sites across the organization. Plus, as your forensics knowledge increases, accumulated tactical understanding can evolve into strategic insights about an attacker's movements; for example, see the presentation by Maarten Van Horenbeeck.

Secure deployment: Profiling your application with real-time forensics

September 9, 2008

A recent article focuses on the security risks entailed by installing new enterprise applications. In the author's words, though these applications “are the windows to the very information that keeps organizations alive,” rollout within the enterprise is too often subject to the mindset within IT of “features now, security later.”

After listing common security vulnerabilities present in the typical application, such as leaving the database administrator account password as blank after installation and the web front-end not being deployed with SSL encryption, the author encourages checkoff of the installation by an IT security team representative to identify compliance with the key requirements found in the 110-page DISA Application Security Checklist.

DEFCON 16's “Race to Zero” contest demonstrates uphill battle against zero-day virus attacks

August 27, 2008

At the recent DEFCON 16 conference in Las Vegas, the controversial “Race to Zero” contest challenged teams of security professionals to fool today's antivirus (AV) engines by modifying nine computer viruses and exploits, each already blocked by the AVs, and sneaking them past the AVs' scanners. Thus, the conventioneer audience was witness to a “race” to create nine new zero-day exploits in the fastest time. Amazingly, two of the competing teams achieved this goal in under 6 hours each, with the winners doing so in 2 hours 25 minutes. In the words of Robert Lemos (SecurityFocus article), “even old viruses can get by the latest antivirus engines if they are dressed in the right bits.”

According to the contest's host, New Zealand security researcher Simon Howard, the results demonstrate the challenge facing the vendors of today's antivirus technology, which is based on pattern detection. The obfuscation techniques employed by today's online attackers have produced a “massive number of variants,” with up to 500,000 detected in the wild by the end of 2007.

Verizon study finds what's on the inside counts, too

July 14, 2008

The “2008 Data Breach Investigations Report,” published recently by the Verizon Business RISK Team, points out that your network's greatest threat may not be attackers from the outside or poor configuration inside, but a catastrophic combination of both.

The study, based on 500 forensic investigations between 2004 and 2007, showed that while 73 percent of breaches can be traced to external attackers, those attacks are made possible by in-house staff erroneously overlooking their systems' security flaws.

Even though insiders directly caused only 18 percent of security breaches, 62 percent of breaches could be attributed to a significant error in internal security practices. Even more alarming was that someone outside the organization discovered 75 percent of breaches. Often these were errors of omission where staff believed that security procedures or configuration changes were implemented, but in reality they were not.

The study characterizes these attacks as crimes of opportunity, made possible by system security practices that close the front door but leave the back door open. Verizon went on to assert, “87 percent of the breaches probably could have been avoided through the proper enforcement of security controls.” As Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions states, “It really boils down to doing the basics, from planning to implementation to monitoring of the data.”