Today, Bromium released the results of its “Enterprise Security Confidence Report,” a survey of more than 125 information security professionals, focused on the greatest risks facing organizations today, the effectiveness of various security solutions and the priorities for security architectures.
As we reported in our press release, the survey found increased concern about legacy solutions and users. In particular, confidence in traditional detection-based solutions, such as antivirus and firewalls, is at an all-time low. However, prevention-based technologies, such as threat isolation, that provide proactive protection are seen as foundational to security architecture and effective as defeating cyber attacks.
In addition to discussing these findings, this blog will also present the rest of the results from the “Enterprise Security Confidence Report.” To begin, let us examine the areas of greatest risk.
Q1. “Which do you feel are the greatest areas of risk to your organization? (select any that apply)”
When asked, “which do you feel are the greatest areas of risk to your organization?” the overwhelming response was the user, which makes sense considering their tendency to click on anything, open anything and circumvent security controls that they find restricting. As you can see, endpoint was also among the top four responses. Together, the user and the endpoint combine to create the perfect storm of risk. Also interestingly, among the top responses were cloud services and mobile devices, both relatively recent technology initiatives that many organizations that are clearly creating risk, as they remove centralized control from security teams.
Q2. “Are you confident in the ability of traditional endpoint protection systems, such as antivirus to detect unknown threats, such as zero days?”
An overwhelming 92 percent of information security professionals are not confident in traditional endpoint protection systems, such as antivirus, to detect unknown threats. Confidence in traditional solutions has never been worse. When we asked a similar question last August “only” two-thirds of security professionals had lost confidence in traditional endpoint protection. That confidence has now been decimated.
Q3. Which of the following technologies do you feel are ineffective security solutions?
Again, overwhelmingly, information security professionals have no confidence in traditional security solutions. Seventy-eight percent of respondents selected antivirus and 21 percent selected firewalls.
Q4. Which of the following technologies do you feel are effective security solutions?
When asked to select effective security solutions, 58 percent selected endpoint threat isolation. Network-based solutions, specifically intrusion detection/prevention systems and network sandboxes, also received a good response, relative to the other solutions.
Q5. “Which stage of adaptive security architecture do you think is most foundational?”
When asked to select which stage of adaptive security architecture is most foundational, the overwhelming majority selected prevention. It is interesting to note that last than 25 percent of respondents selected detection and even less selected response. Considering how frequently security vendors market with the FUD of “assuming compromise” this should be a wake-up call that information security professionals are quite tired of purchasing security solutions that cannot prevent attacks.
Information security professionals have lost faith in traditional solutions, even as they continue to struggle with traditional user risk. Detection-based solutions cannot provide the adequate level of protection. Prevention-based solutions are considered the most foundational and endpoint threat isolation is considered the most effective. Bromium has pioneered an endpoint threat isolation solution that prevents data breaches with micro-virtualization. To learn more, visit: http://www.bromium.com/products.html
News today, Brian Krebs reports of a new Adobe Flash zero-day and its associated critical patch. According to Krebs, Adobe claims the exploit (CVE-2015-3113) is already being used in targeted attacks, so security teams should be on high alert.
Adobe has published a security bulletin that indicates systems running Internet Explorer on Windows 7 are known targets. Systems running Firefox on Windows XP are also vulnerable. Adobe has categorized the patch for this exploit with the highest priority ranking.
Brian Krebs has provided a helpful link to check if your system is running Adobe Flash, which may be found here: https://www.adobe.com/software/flash/about/
Krebs also notes:
“In lieu of patching Flash Player yet again, it might be worth considering whether you really need to keep Flash Player installed at all.”
Bromium Director of Product Marketing Bill Gardner notes:
“This reinforces that well known browser plugins often have unknown vulnerabilities. We could generally expect to get dozens of these in any given year.”
This Adobe Flash zero-day illustrates why Internet content is so untrustworthy: attacks can be committed through the browser, through scripting languages and even through extensions. It’s a greenfield for hackers with no end in sight if the status quo for protection doesn’t change.
Now that the exploit has been discovered, most security and operations teams are scrambling to do one of two things – race to deploy the newest patch before hackers can leverage the exploit for an attack. Or test the patch to make sure it integrates with legacy systems.
Of course, the third option is to deploy threat isolation security solutions. This latest zero-day and others like it can be secured by isolating the browser in a micro-VM (such as Bromium vSentry). By isolating the threat, security and ops teams granted the grace period needed to test and deploy these critical patches.
The aftermath of the OPM breach is beginning to play out with Congress calling for resignations. The Wall Street Journal reports on official hearings with conflicted testimony. The Chairman of the House Committee on Oversight and GOvernemtn Reform Rep. Jason Chaffetz stated:
“I hear, ‘We are doing a great job.’ You are not. It is failing.”
The failure of the Office of Personnel Management to prevent this massive government data breach has rallied bipartisan support for the resignation of Director Katherine Archuleta.
Congressional Cyber Security Caucus co-chair Rep. Jim Langevin has stated:
“I have seen no evidence Ms. Archuleta understands this central principle of cyber governance, and I am deeply concerned by her refusal to acknowledge her culpability in the breach. I therefore believe that Ms. Archuleta should tender her resignation immediately.”
If Archuleta does resign, it would not be the first time we have seen someone lose their job from a cyber security breach. In 2014, Target’s CEO resigned after its massive data breach.
Security & The Status Quo
It is not enough to continue doing what has always been done because hackers continue to innovate new attack vectors.
Rep. Langevin continued:
“While I appreciate that Ms. Archuleta inherited a difficult situation, her first budget request continued to reflect the status quo even as the warnings continued.”
For information security professionals that have been watching this story develop, this should serve as a stark reminder that the impact of a data breach is not only the loss of data, but potentially the loss of a job.
Unfortunately, so much of security is stuck in the “status quo.” There are so many security vendors that actively promote a philosophy that “you will be breached” or “assume compromise,” so it should come as no surprise when these vendor’s solutions are breached. Of course, these vendors are not left with the responsibility to fall on their swords. If a security vendor tells you that you will be breached, what are they even selling you?
Bromium has pioneered a proactive approach to preventing data breaches, which is so much more useful than reacting to the detection of a breach. Threat isolation separates unknown and untrusted tasks and processes from trusted and critical computing resources to stop data breaches. By moving past the status quo, Bromium can isolate threats to prevent breaches.
Do you remember the Y2K problem? In the years before the year 2000 there was huge concern that a wide range of systems would fail because many programs and even compilers used only two digits for the year, and therefore 2000, stored as “00” could be erroneously interpreted as 1900. I won’t go into the details, but Wikipedia has all you’ll need. The Y2K problem was understood globally to represent a huge threat to computer systems of all types – from control systems for nuclear plants to banking and commercial applications – and hence to the world economy. In preparation for January 1, 2000 the business sector spent over $300BN to remedy the problem ($410BN today). And the Y2K problem did not destroy the economy.
The OPM breach makes me think it’s time for a Cyber-Y2K. Fear and fatalism are at an all time high. Orgs with big budgets are still easily rolled and we read warnings of a “Cyber Armageddon”. Leading figures such as Keith Alexander say “There are only two kinds of companies – those that have been hacked, and those that will be”, and CSO magazine says we’ve passed the cyber-tipping point. But often when I visit large enterprises or Federal Agencies I’m appalled at the lack of basic security hygiene. Endpoints that are over a year out of date on patching; Extensive “dependencies” on Windows XP; firewall rules that take hundreds of days to update due to approval procedures; standard username/password access control; applications and users that are granted admin rights… The list is long and tedious. And fear makes it worse: IT Pros fearing change don’t want to upgrade or change anything because that would introduce a whole new set of issues.
We need to move forward. Doing so needs to be a national priority. We have a tax code that businesses are required to comply with. Why is there no national mandate for security practices that insists that enterprises of all sizes move forwards to more secure infrastructure and security practices? Why is it acceptable that a large bank or a major Federal agency still runs Windows XP? There is no good reason. Specifically, excuses such as “legacy app dependencies” have to be addressed. Businesses need to be forced to move forward if necessary, and they need to insist that their application vendors move forward too. A national mandate for compliance with the best practice in security would force companies to invest – similar to the Y2K problem. And the Federal Government would not be able to get off the hook. Excuses like “Sequester” or “my printer driver won’t work on a new OS” need to be shown for what they are – pathetic excuses that leave our infrastructure vulnerable, making every one of us less secure.
It’s time for a Cyber-Y2K. We need a national effort to move our online society to a more secure foundation. The litany of breaches must stop. We know how to stop them and we need to mandate that every enterprise moves forward.
Last week we saw another sophisticated attack unearthed by a large security company from its own compromised internal networks (yes, even cyber defenders are fallible). This attack leverages the most dangerous weakness on a system, namely an unknown vulnerability in the “kernel” or core of the operating system. Not surprisingly, spear phishing seems to be the suspected means leveraged by the attackers to deliver the attack to the victim(s). The attack had layers of sophistication and shows signs of a well-planned attack that was designed specifically to bypass all known detection technologies. Some of the reported findings that make this attack interesting:
- Font kernel exploit
The attack leveraged a zero day vulnerability in TTF font parsing, this makes the attack a lucrative target via spear phishing eg: browser or Office documents.
- Multiple zero days
It has been reported that up to three zero days were used in the original attack. This indicates that it was a well-sponsored attack. It takes many man hours by experts to discover such vulnerabilities.
- Stolen driver certs from high profile company (FoxConn)
This provides the malware persistence capabilities, post infection and also creates a challenge for whiltelisting technology that relies on signed driver whitelisting.
- Memory resident malware
Most of the malware was in-memory to avoid detection by heuristics and signatures, this poses a challenge for blacklisting solutions.
If you were around the cybersecurity industry in 2011, this attack creates a sense of Deja vu with the ‘original’ Duqu malware. So in short, both blacklisting and whitelisting technologies were defeated by this sophisticated malware and the attack remained undetected for a few months.
Given the nature of the attack, there is no doubt that the security community will reverse engineer the publicly available binaries of the attack and post more details in days to come.
Are kernel (ring0) attacks rare? Certainly not, as the security industry invests more into monitoring and defenses, attackers are stepping up their game. The Windows OS kernel with millions of lines of code provides a lucrative attack surface for the informed attacker. In fact, ever since Stuxnet in 2010, this has been a common theme – leveraging kernel mode attacks to bypass various layers of security technologies both on network and endpoint.
The table below lists some of the publicly known malware attacks uncovered that leveraged kernel exploits.
*The attack failed to get a nice name
In the past few years, the Bromium Labs team has done several technical security talks on this topic to educate users of the inevitable attack and explaining the limitations of the current “layered defense” stack of security products. Compromising the kernel via a classic drive by exploit gives the attacker a huge advantage over several layers of security software (see the Bromium White Paper on Trends in Zero Day Kernel Exploits) and he/she can go unnoticed for months, just as in the case of Duqu 2.0.
Providing protection against such sophisticated attacks via web or emails targeting users has been a mission for us at Bromium from Day #1. Threat isolation, such as micro-virtualization prevents breaches and mitigates against kernel-level attacks by separating unknown and untrusted tasks and processes from trusted and critical computer systems.
Ultimately, it’s up to you to decide – who’s going to be the lord of ring0 in your organization?
Today Bromium announced the general availability of Bromium Enterprise Controller (BEC), a key component in our architecture to help enterprises achieve security by design. This post is just a brief introduction. I’ll provide more detail shortly.
BEC plays a pivotal role in the Bromium architecture for enterprise-wide security. It is a centralized co-ordination “brain” for a distributed system of Bromium protected endpoints that allows the endpoints to collaborate to help the enterprise infrastructure to respond in real time to targeted attacks. It is architected to serve global organizations and to deliver the availability and redundancy that they expect.
In the first wave of Bromium product delivery we focused on ensuring that each endpoint can protect itself by design using micro-virtualization to hardware-isolate threats on the endpoint CPU. Micro-virtualization also transforms threat detection by allowing attacks to safely execute in isolation while being comprehensively tracked to deliver real-time forensic insights, capturing every move of the attacker in a hardware-isolated micro-VM in which there is nothing to steal and no way to pivot onto high value networks. A full realization of the Bromium architecture will enable our customers to dramatically improve their security enterprise-wide, and today’s announcement is the beginning of a series of capabilities that we will deliver to achieve this vision.
BEC enables enterprise security teams to deploy vSentry and LAVA at scale, to tens of thousands of endpoints, with a single click. For example, recently, a Fortune 50 corporation deployed vSentry and LAVA to tens of thousands of endpoints in less than 90 days. It also provides a powerful set of policy orchestration, monitoring and threat management capabilities for enterprise endpoint infrastructure. BEC complements Bromium vSentry and LAVA as the “brain” that robustly scales a distributed architecture for defeating attacks, gathering real-time threat intelligence from each endpoint, and distributing that real-time intelligence to the security infrastructure as a whole, to permit a rapid enterprise-wide response to targeted attacks. BEC uses industry standard STIX/MAEC formats to allow organizations to rapidly share intelligence between vendor products and with their peer organizations.
Key features and benefits of BEC include:
- Streamlined and Scalable Global Deployment—Accelerate deployments at scale with a fully autonomous installation and update engine that does not impinge on existing desktop management systems or personnel.
- Simplified and Granular Policy Management—Configure dynamic policy requirements with an advanced engine and granular controls. Fully integrated directory services can assign, deliver and update security policies relevant to individual or group roles.
- Centralized Visibility and Actionable Security Intelligence—Monitor, analyze and report on dangerous security events, attack kill chains and risk profiles in real time from a centralized dashboard.
- Integration with Threat Intelligence Systems—Publish threat intelligence in real time to SIEM systems and network security tools to provide defense-in-depth. Share threat data in a structured format, such as STIX, with other agencies and organizations to enable cooperation in the fight against cyber attacks.
BEC automates deployment and configuration of Bromium vSentry and LAVA, enabling the largest enterprises in the world to immediately realize the benefits of proactive protection from advanced threats and unparalleled visibility into security events. Bromium’s patented micro-virtualization technology enables the CPU-based isolation and real-time introspection of unknown Internet tasks as they run on the enterprise’s endpoints.
- Automatically Defeat Advanced Attacks—Bromium vSentry leverages micro-virtualization to automatically isolate and defeat attacks—without the need for signatures or whitelists.
- Identify and Analyze Malware Execution—Bromium LAVA leverages micro-virtualization to identify and analyze malware execution in each isolated task, including memory changes, files, registry and full packet capture. LAVA analysis is streamed to the Security Operations Center in real time, before automatically remediating the endpoint.
More information about Bromium Enterprise Controller is available here.
News today, CareFirst is reporting that that medical records of 1.1 million customers have been breached. The news casts a shadow over the healthcare industry, which is still recovering from the breach of 80 million records from Anthem earlier this year. In fact, the Washington Post is already reporting that “2015 is already the year of the health-care hack — and it’s only going to get worse.”
The Washington Post reports a third of the US population has been impacted in the past five years:
“Data about more than 120 million people has been compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009, according to Department of Health and Human Services data.”
Additionally, a recent Ponemon study, the “Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data” revealed some very alarming statistics, as CSO reports:
The report also found that it’s not just big, or small, healthcare organizations, but all sized healthcare organizations are at risk to enduring successful attacks against their systems.
According to the report:
91 percent of healthcare organizations had one data breach.
39 percent experienced two to five data breaches.
40 percent had more than five data breaches over the past two years.
The prognosis is not good. Once again, we are witnessing the negative impact that occurs when organizations fail to properly invest in the most foundational aspect of security: PREVENTION. Once again, we have an incident response team investigating the attack, no doubt to report that this was a sophisticated attack that could not have been prevented. This vicious cycle of “cyber indulgences” and assuming compromise is toxic to security.
Cyber attacks are really not all that sophisticated – the real issue is that the traditional security model has not kept pace with the malicious actors. As the recent Verizon DBIR illustrates, 97% of exploits shared 10 common CVEs. As Bromium research as previously demonstrated, “defense in depth” architecture can be easily circumvented by kernel exploits.
It is time to get serious about the condition of information security, both in healthcare and across many other industries with critical data to protect, such as government organizations, financial services and retail.
Gartner reports, in “Designing an Adaptive Security Architecture for Protection From Advanced Attacks” by Neil MacDonald and Peter Firstbrook, published February 12, 2014:
“Harden and isolate systems: We believe the foundation of any information security protection architecture should start by reducing the surface area of attack by using a combination of techniques. These techniques limit a hacker’s ability to reach systems, find vulnerabilities to target and get malware to execute.”
Bromium provides a proactive approach to threat prevention by isolating attacks through application containerization. Bromium vSentry software transforms endpoint security with a revolutionary new architecture that focuses on protection through hardware-enforced isolation.