The impact of recent cyber attacks will be felt for years to come, perhaps having risen to a new level of hurt with the Target and Sony attacks. With a Fortune 500 CEO ousted and a Hollywood movie held hostage, cyber-security is on the minds of chief executives and board members as they gather in their first meetings of 2015. How can a massive organization with complex systems and networks prevent itself from becoming the next Target or Sony? Is there any hope?
Yes, there is hope! However, we have to change the economics of cyber attacks.
Cyber-Security is an Economic Game
In The Art of War, Sun Tzu discusses the economic considerations of war, front and center. The business of cyber-security is also an economic game.
Cyber-crime is red-hot because it makes great economic sense to the adversary. The investment of time and money required for cyber criminals to breach a billion dollar organization is infinitesimally small compared to the payoff. A team of two or three hackers working together for a few weeks with a few thousand dollars of black market software is often enough to breach a Fortune 500.
This reality confounds CISOs who already spend tens of millions of dollars every year on IT security. Your IT security investments are not giving you any leverage!
Antiquated Defenses and Vast Attack Surfaces
Current security architectures were designed in a bygone era when there was a useful notion of an internal network inside the corporations’ buildings, and the Internet outside. The firewall was invented to create a narrow isolating choke point between internal networks and the Internet allowing only a few controlled interactions. All was well!
In today’s world of Mobile, Social and Cloud, the situation is quite different. Your systems routinely run computer programs written by persons unknown. While you may not realize it, each Internet web page is a computer program, as is every email attachment, and even web advertisements. Just about any Internet-connected “rectangle” that you see on an electronic screen is a program. All these external programs are potentially malicious, and can compromise you.
A single bug in over eighty million lines of computer software, in Windows or Mac OS, or in any app, e.g., Office, Java, Adobe, combined with an inevitable mis-click by an unsuspecting employee can compromise your enterprise. You have a massive attack surface, literally countless places for the bad guys to get in! The endpoint is your unguarded front door, where you are being attacked continuously as your employees click away in offices, homes, coffee shops, and hotel rooms.
The endpoint is the weakest economic link in your defenses. Once an endpoint is compromised, the adversary can remotely control the infected computer with the same privileges on your network as one of your legitimate users.
Backfire from Next-Gen Security Investments
Let’s consider the economics of the next-generation firewall. First, the next-gen firewall does absolutely nothing for your riskiest mobile users. Moreover, modern malware tries hard to avoid misbehaving while it is still within your network pipes before reaching an endpoint. The firewall, grasping at straws, generates a large daily stream of seemingly suspicious events. These notifications have to be analyzed and chased down by additional investments in event management systems, and security analysts. The overwhelming majority of these events turn out to be false positives, i.e., wasted money.
The bad guys also use this as a weapon, by cranking up the volume of spurious traffic known to generate false positives, while the real attack is carried out elsewhere. This is reverse leverage.
Ultimately, the next-gen firewall becomes a bottleneck, a choke point, unable to keep up with your growing traffic. You have to spend more money on additional hardware that generates even more false-positive events. Vicious cycle.
A New Hope
There is hope. Innovation will resolve this crisis.
You cannot afford to keep doing more of what you have done in the past, or more incremental versions of this stuff. You have to look beyond Security 1.0. In order to level the playing field, organizations must invest in a strategy that will directly impact the economic costs to malicious actors.
Close your eyes and visualize a heat map of risk for your enterprise. In this picture, every one of your endpoints, enterprise owned or employee owned, client or server, on-premise or cloud hosted, is a little red dot. The size and color intensity of the dot is proportional to the amount of information on the endpoint, and the nature and frequency of Internet interactions that each endpoint has. This is the battlefield!
You are looking for products that reduce your exposure. Your investments must protect your information from unknown Internet programs that run on your endpoints, while still supporting such programs seamlessly. This isolation technology must be simple and robust, like disposable gloves in a hospital. It must be designed such that it costs the adversary significant time and money to try to break through. Ideally, you must also be able to fool the adversary into thinking that they have succeeded, while gathering intelligence about the nature of the attack. Techniques like Bromium’s micro-virtualization let you do this.
You will also need new products that let you continuously visualize and monitor your risk at the Internet endpoint level, and provide end-to-end encryption and robust identity authentication. Your compliance, device management, and insider-threat monitoring systems must also work within this framework.
Plan Ahead or Fall Behind
A very senior executive, i.e., you, Mr. CEO, is going to have to micro-manage the plan to mitigate the risk of cyber-attacks. This is a time of great risk to our organizations, so leaders must follow their own business instincts.
How will you figure out the products that will make up your new security architecture? This is quite straightforward: just ask Marc Andreessen, the venture capitalist, or Phil Venables of Goldman Sachs for a list of 5-10 startup companies with innovative Security 2.0 products. Ignore any company that is not run by its founders. You must partner with people with long-term goals towards your economic victory against the cyber-adversary, and who are thinking beyond just a quick transaction.
Ask the startup leaders to come and pitch their solutions to you personally. Have them convince you of the efficacy of their approach. If you don’t understand what is being said, or if you don’t see how the proposed solution raises the economic costs to the adversary by orders of magnitude, it is not worth your while. Select what you truly believe in, and then help the startups help you!
Unless you have one already, hire a top-notch CISO as a partner for this project. For suggestions on whom to hire, ask any one of Jim Routh (Aetna), Tim Dawson (JP Morgan Chase), Roland Cloutier (ADP), John Zepper (US Department of Energy), Tim McKnight (GE), Sunil Seshadri (VISA), Mark Morrison (State Street), or Bob Bigman (former CISO of the CIA). These are some of the modern-day Knights of the Round Table in the realm of cyber-security, and understand the economic principles underlying this fight.
While you transform your security infrastructure to turn the economic odds back against the adversary, your company might look like an “Under Construction” zone. Some users will complain loudly, and you will have to make an effort to have the business running smoothly while the transformation is in play. Nothing worth doing is ever easy, and you must be prepared to see this through. The risk of inaction is worse.
Update: Breaking News: ICANN targeted in a spear phishing attack
Information security becomes increasingly important as the frequency of cyber attacks increases. From Target to Sony, the past 12 months have played host to the largest volume of attacks in recent memory. We are witnessing the rise of the targeted attack, which is frequently accompanied by spear phishing campaigns.
Phishing is not new. I recall receiving suspicious emails and messages on my America Online account in the 1990s, warning that my account would be suspended unless I replied to provide my password. Similar scams persist for online banking, eBay and PayPal. Cyber criminals show no signs of abandoning phishing because it continues to work.
In 2010, Google announced that it had been compromised by spear phishing during “Operation Aurora.” Likewise, RSA fell victim to spear phishing in 2011. More recently, the Target breach in 2013 can be traced back to a spear phishing email. It seems that the easiest way to infect a major enterprise is to ask an employee to click on an infected file.
Spear phishing is insidious because it preys upon the weakest link of information security systems, its users. Social engineering entices users to click on malicious documents and URLs by suggesting they may be related to work, such as budgets, invoices or shipping notification. Truly advanced attacks may leverage social networking, such as LinkedIn, to customize spear phishing emails.
Ultimately, the goal of these spear phishing attacks is to execute undetectable malware, which evades traditional security solutions, such as antivirus. Once the initial endpoint is compromised, the attack can proliferate across the network before exfiltrating data to command and control servers.
This Thursday, December 18, Bromium will be hosting a Webinar, “The Tip of the Spear: Defeating Spear-Phishing.” Join Bromium Sr. Director of Products Bill Gardner to learn:
- Why cybercriminals are ramping up their spear-phishing attacks
- The most common methods used in these attacks to ‘get the click’
- A revolutionary new approach that can actually counter these attacks and secure both your endpoint and your network
Register today: http://learn.bromium.com/webr-tip-of-the-spear.html
The FBI has warned US companies of a wave of destructive cyber attacks, in light of the recent Sony hack. I commented to eSecurityPlanet and SecurityWeek:
“These attacks are troublesome, but not surprising. Earlier this year we witnessed Code Spaces shutdown after a successful attack destroyed its cloud back-ups. Likewise, the evolution of crypto-ransomware suggests attackers are targeting the enterprise with destructive attacks. These attacks are unlike the “cat burglary” of Trojan attacks, but much more brute force like a smash-and-grab or straight vandalism.”
An internal memo from Sony claims that “the malware was undetectable by industry standard antivirus.” It seems that what has become industry standard is the inability of detection-based solutions to prevent these major breaches. Recall that Target was breached, in spite of a major investment in detection-based security.
The reality of the situation is that major attacks against leading brands and organizations show no signs of stopping. In the past year we have seen Target, Home Depot, eBay and many others get breached. And these are only reported breaches. There are almost certainly more sinister attacks that have still gone undetected.
Additionally, it should be painfully apparent that detection-based solutions are ineffective at preventing cyber attacks. This should come as no surprise as more than 70% of breaches can be traced to a failure of endpoint security. We are witnessing a wave of sophisticated attacks that almost always involve the endpoint and almost always go undetected.
Legacy solutions are failing because antivirus security is almost 30 years old. Savvy information security professionals are recognizing the need for a new approach. Bromium eliminates the need to detect malware in advance by isolating all content in a hardware enforced microVM and denying an attacker access to the protected organization. Bromium is positioned to protect against both known and unknown attacks, including malvertising, crypto-ransomware and spear-phishing, which can be leveraged in APTs.
Next Thursday, December 18, join Bromium Sr. Director of Products Bill Gardner to learn more about how and why advanced attacks leverage spear-phishing. Register here: http://learn.bromium.com/webr-tip-of-the-spear.html
I hereby solemnly promise that Bromium will never have a product with “fire” in its name. By now every vendor in the next-gen IDS / IPS / Firewall / honeypot-as-ultimate-defense-against-the-dark-arts market has a next-gen “fire”-branded product that claims to protect against APTs.
Though the vendors gleefully assert that endpoint AV is useless against today’s “sophisticated attackers”, their solutions do little more than move AV into the network, with a focus on alerting rather than stopping attacks. Even the worst AV suite can quarantine suspected malware, but with a “fire” product in your network you are deploying a variant of AV that can do little more than bleat.
How did we end up here? Well, “fire” appliances are optimized for quick sales: Persuade the customer to test the appliance on a span port on the network. Show alerts for lots of bad stuff crossing the network, and the deal is done. To ensure that there are lots of alerts, the vendors run legacy, unpatched VM images on the appliance that aren’t even properly licensed and bear no resemblance to the software on your actual endpoints. But the result is terrific: Lots of events – and lots of purchase orders.
The worst thing about this racket is that these appliances don’t solve the security problem – they make it worse.
Bromium is working with a large enterprise with north of 50,000 employees. Their security team receives 6,000 alerts per week from their “fire” product. Through de-duplication in their (expensive) SIEM, they typically reduce those down to 250 alerts a week – each of which is manually investigated – typically taking 2-4 hours, but often twice that, depending on the skill of the investigator. And more often than not, the endpoint is re-imaged just because “it’s simpler” and “we don’t really know if malware executed; re-imaging is safer”. Investigation, analysis and remediation results in 500-1,000 hours of labor, per week, without accounting for end-user downtime.
The bad news: Over several months the security team has concluded that over 80% of the alerts are obviously false alarms – there was either no attack or the attack did not execute given the patch level of the endpoint.
They have conservatively calculated that they waste well over $1M/year on FALSE POSITIVES!
Typically 50 of 6000 alerts are attacks that would execute on the endpoint – under 1%. This matches anecdotal evidence from Bromium customers that about 1% of their off net PCs see some form of malware each month. Of course with vSentry, remediation is eliminated, and if the attack executes, it does so in the narrow confines of a micro-VM from which it can steal nothing and go nowhere.
Bromium aside – can you afford to invest in tech that is inaccurate, costs more to run than to buy, and still doesn’t protect the enterprise?
Recent zero day attacks targeting Windows using malicious Office documents should be a reminder to all of us that no attack vector ever truly dies; it just lurks in the background waiting for its time to come again. Malicious Office documents have not been a popular attack vector for several years, but it seems that what’s old is new again.
The recent crop of attacks seen in the wild use Word, PowerPoint and other Office documents to exploit serious vulnerabilities discovered in numerous versions of Windows. These attacks were targeted at major corporations and at least one attack compromised the Windows kernel. This is particularly concerning as kernel exploits can put the attacker in full control of the system and bypass all known forms of defense, including AV, sandboxes and behavioral blocking solutions.
The industry often seems to be distracted by “bright shiny objects” that are in the headlines and that are actively being exploited. That is no excuse, however, to neglect vectors that have been successfully used in the past but that for whatever reason have lost favor for a period of time. Attackers are supremely adaptable and will focus on any vector that is vulnerable, particularly areas where defenders have been lulled into a false sense of security.
These document based attacks illustrate the point again that detection based strategies are no longer effective in providing the level of protection needed in the digital world we all operate in today. ANY digital information that a user interacts with from the outside world holds the potential for attacking and compromising a system, whether it has been recently known to deliver attacks or not. The only rational approach is to treat ALL information as if it is malicious.
The Bromium approach to isolation provides protection from just these types of kernel attacks. The Bromium Microvisor separates security from the operating system or the media being protected. Bromium uses the security features built into modern hardware platforms to isolate attacks originating from the web, whether from downloaded documents or malicious web servers. Even sophisticated zero day attacks are defeated without any actions from either the user or the IT group.
According to Forrester Research, Microsoft Office still dominates the enterprise productivity suite market. Bromium customers running the MS Office platform, including Office 2013, were protected against the new zero day attacks before these attacks were ever developed or deployed. This type of new approach to the entire cyber security problem is what the industry, and vulnerable customers, have been waiting for.
We are proud to announce the successful results of an independent source-code review and penetration test of vSentry version 2.4 by the leading security consultancy IOActive – acknowledged as one of the world’s leading security firms serving Global 1000 customers, and with an enviable reputation in software assurance and penetration testing. We gave IOActive the source code for vSentry and tasked them with breaking it – with complete freedom to publish their findings, good or bad.
You’d be forgiven for thinking we’re nuts. Why would we do this?
We are as tired as you are of the exaggerated claims made by security vendors – products that claim to secure your environment that … don’t really. We think it’s time to change the conversation: When vendor claims are verifiable, customers can properly understand their security posture – and they will reject products that don’t deliver. We’d like the industry to stop blaming the victims and focus instead on defeating attackers.
Bromium is single-mindedly committed to delivering a product that transforms the security of endpoints by design, using micro-virtualization – without relying on detection, fuzzy logic, better heuristics, big data, machine learning or other hail-mary passes. But we also recognize that we stand on the shoulders of giants – the security community whose diligence and dedication helps to protect us. We want to deliver a product that offers the best possible defense, so we need the world’s best pen-testers to attack it. We recognize that if we are to make credible claims of security by design, they must be validated by the best in the business.
When we asked our customers to recommend a firm with the right skill set and integrity, they were unanimous. IOActive has impeccable credentials in research and analysis, and its hard-won reputation is born of leading edge research in pen-testing, reverse engineering, code review, social engineering, and hardware security.
IOActive conducted a comprehensive analysis of Bromium vSentry v2.4 over several months, using a team with expertise in the attack surface of applications, the Windows kernel, hypervisors and hardware virtualization. They analyzed the vSentry product architecture and source-code and conducted a comprehensive run-time penetration test with the aim of escaping the isolation of a micro-VM, compromising the Microvisor, and attacking the Windows desktop.
We are proud that IOActive discovered no vulnerabilities that can be used to defeat or disable vSentry or compromise the endpoint. Their work validated two key principles that guide development at Bromium:
- First, we emphasize minimalism. Xen is small, but micro-Xen is very substantially smaller. We focus on reducing the attack surface so that we can reasonably claim to defend it. We apply strict development standards, and all code is scrutinized by multiple developers.
- Second, Bromium has (in Bromium Labs) a separate, elite team of security analysts. Their job is both to guide our architects and also to attack the product using an extensive set of automated probes and manual pen-tests, to ensure that developers haven’t slipped up.
IOActive added yet another degree of separation and an independent team of experts with source code access. vSentry passed their review with flying colors, and their insights and feedback have already been incorporated into the product. Crucially, we have developed a powerful way to engage with leaders in the security community that credibly bolsters our own effort to deliver best-in-class products. We are proud to be better at what we do, because we exposed our work to the best.
We are committed to regular 3rd party assessment of the security of our products because our customers depend on us to protect their most valuable assets, and because security is a problem that benefits from a “many eyes” approach. We hope that by setting an example we can convince other vendors to make a similar commitment to independent validation, and that over time customers will begin to demand that their vendors adopt this approach.
If you’d like to receive the IOActive report please email me.
Recently LinkedIn recognized Bromium as one of the 10 most InDemand startups in the Bay Area. Thank you LinkedIn, and thank you Bay Area Tech Community!
A number of folks, prospective and current co-workers, investors, customers, and friends have periodically asked me: Hey Mr. CEO of hotshot startup, why is your company special? Why should someone want to come to work at Bromium, instead of going elsewhere to another startup or a big company?
What makes Bromium so special?
Bromium is special because we have a deep sense of mission. Ensuring the security of Internet users and Internet-connected devices is one of the grand challenges facing us. The current state of affairs is very problematic: our computers and networks are easily and routinely subverted by the bad guys, resulting in great economic loss, and have deep public security implications. We are building mission-critical dependence into every aspect of human activities on cyber-infrastructure that is insecure at its core. We are building a house of cards!
People have lost their faith in the security of our computing infrastructure. Bromium’s mission is to restore trust in our computing systems.
Bromium is also a very special place because we have a unique and refreshing approach, with some fairly clever and innovative technology that we specially created to help address the cyber-security challenge.
Unlike the rest of the security industry, which relies on increasingly complex algorithms to try and detect malware in incrementally sophisticated ways (and falls further and further behind the bad guys) we rely on isolation to deliver security, using a really cool technology that we invented called micro-virtualization.
With micro-virt, we create disposable (virtual) computers for each Internet task that you need to work on, such as a visit to a website or opening a Word document from an email attachment. These virtual computers are created and destroyed automatically behind the scenes as you click; you don’t see them!
Any Internet malware that you might inadvertently pick up is kept isolated, in its own micro virtual machine, and then eventually killed off and cleaned up when you are done with the task and close the browser tab or navigate to another website. All this happens without you having to worry about it or even think about it.
The outcomes we deliver for our customers are nothing short of amazing: in a world where there appears to be so much despair and angst around cyber-insecurity, a Brominated customer has a superior endpoint security architecture that greatly reduces their risk and their operations costs, while simultaneously empowering their employees.
Micro-virtualization is the result of many years of the Bromium team working on taking hypervisor technology to the next level. It builds on research and product work that my co-founders and I, and our numerous collaborators and co-workers did over the course of the last decade across many different use-cases of virtualization. This is deep systems work – the type you get to do at very few companies. We have engineers and teams that work at the UI layer, through the guts of Web Browsers and important applications like Office, through the various layers of OSX, Windows and Android, and finally in the hypervisor itself. Our engineers collaborate with each other and have a unique and powerful understanding of computer systems and the important business of cyber-security.
So if you are a software engineer, looking to build rocket-ship type technology for a great cause, or a sales person that wants to sell and put something very important and meaningful into the hands of every man, woman and child on the planet, then Bromium is one of the special few companies where you belong!