Wednesday, Jun 24 2009

Experts dropping AV, now what?


I was pretty happy to see the CSO article about experts dropping anti-virus posted today. Signature-only detection techniques are nearly ineffective today and will continue to get worse (see my post on polymorphism here.) It's good to see press coverage around this issue and some examples of how security veterans are protecting their systems without AV.

However, the article indicates that only "Security Experts" should take this step. Why?? If anti-virus is not effective, why should it be the solution pushed on non-technical users? I'm guessing these security experts are using manual tweaks and other techniques that are not easy to scale. Fair enough, but if you are responsible for the security of a user population you *need* to educate yourself on alternative endpoint security options. The endpoint is critical to protecting your environment and is probably where you can get the biggest return on security investment (ROSI) right now. And there are plenty of advanced endpoint security solutions (like behavioral HIPS) that are widely deployed and operationally scalable.


Tuesday, Jun 23 2009

Forecasting Crowd Behavior

There has been a lot of press around the Iranian elections and how social media is facilitating rapid sharing of information. The amount of news on this subject is dying down, so now is a perfect time to reflect on what we can learn from this event. Twitter has received the bulk of the notoriety and is showing its value as a real-time news feed from the street. The relative ease of sharing pictures and video makes it even more compelling (check out picfog.com as an example.)

There is some interesting analysis we can do with the data generated by this event. It's becoming easier than ever with all the trending and search tools available for Twitter. If we start by looking at trend data for the #iranelection hashtag we get this (using Twist):

[chart image: Twist trend data for the #iranelection hashtag]

(For those of you that don't use Twitter, a hashtag (#) is something manually typed in to stay on a topic with others.)

Since entering the hashtag is a manual process, is there something automated that would have highlighted the rise of this hashtag? Let's try looking at some other terms that are relevant, but not as contrived as #iranelection:

[chart image: Twist trend data for the terms Iran, Election and Ahmadinejad]

This data is trending up similarly, so let's drill into the early days just after the election:

[chart image: the same trend data, zoomed in on the days just after the election]

From this view it's clear that the words Iran, Election and Ahmadinejad started to get more active about 24 hours before the #iranelection tag was being used and 32 hours before it really took off.

Does this provide any value from a security visibility perspective? I think it does. Discovering anomalies and trends is an important part of an effective security program. Analyzing distributed events like this provides insight into human crowd behavior. For example, what if the #iranelection tag was automatically generated 24 hours earlier? What if people that were tweeting with the words Iran, Election and Ahmadinejad were told about the tag and started to use it earlier? How many of these tweets are SPAM riding the wave of activity...well, that's a good topic for another post :-)

This also highlights techniques that we can use in our infosecurity world to discover threat trends. Are you capturing data from all your security and networking devices and analyzing these events? Do you analyze network traffic ("the crowd") for emerging trends? Could you implement a process to get better visibility into security events as they occur?

The tools and techniques are out there that make this very feasible in complex and distributed networks. Are you leveraging them?
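The check the post describes, a term's hourly count surging against its own recent baseline and the lead time between two such surges, written out as an added example of mine rather than anything from this post or from Twist. It goes one step beyond the post: the same rolling-baseline function is run over constructed message text (keyword mentions versus the hashtag) and over constructed firewall log lines, to show that the "crowd" can be network events as easily as tweets. All timestamps, messages and log lines below are constructed; the keyword list, the surge thresholds and the log format are my assumptions.

```python
"""Surge detection over time-bucketed event counts (added example).

The same rolling-baseline check is run over constructed social-media style
messages (keyword mentions vs. a hashtag) and over constructed firewall log
lines. No real data is used anywhere in this file."""
import re
from collections import Counter
from datetime import datetime, timedelta

BASE = datetime(2009, 6, 12)        # constructed start time for both streams
KEYWORDS = {"iran", "election", "ahmadinejad"}   # assumed watch list


def keyword_matcher(text):
    """True if any tracked keyword appears as a whole word (a hashtag such as
    '#iranelection' tokenises as 'iranelection' and so does not match)."""
    return bool(KEYWORDS & set(re.findall(r"[a-z]+", text.lower())))


def hashtag_matcher(text):
    return "#iranelection" in text.lower()


def bucket_counts(events, matcher, bucket_hours=1):
    """events: list of (datetime, text). Returns a sorted list of
    (bucket_start, matching_count), with empty buckets filled in."""
    def floor(ts):
        ts = ts.replace(minute=0, second=0, microsecond=0)
        return ts - timedelta(hours=ts.hour % bucket_hours)
    first = floor(min(ts for ts, _ in events))
    last = floor(max(ts for ts, _ in events))
    counts = Counter(floor(ts) for ts, text in events if matcher(text))
    series, t = [], first
    while t <= last:
        series.append((t, counts.get(t, 0)))
        t += timedelta(hours=bucket_hours)
    return series


def first_surge(series, window=6, factor=3.0, min_count=5):
    """Bucket start at which the count first exceeds both min_count and
    factor times the mean of the preceding `window` buckets. A baseline
    below 1 is treated as 1 so a previously silent term still needs a
    real rise, not a single mention, to fire."""
    for i in range(window, len(series)):
        baseline = sum(c for _, c in series[i - window:i]) / window
        t, c = series[i]
        if c >= min_count and c > factor * max(baseline, 1.0):
            return t
    return None


def lead_hours(series_a, series_b, **kw):
    """Hours by which series_a surges before series_b, or None if either never does."""
    ta, tb = first_surge(series_a, **kw), first_surge(series_b, **kw)
    if ta is None or tb is None:
        return None
    return (tb - ta).total_seconds() / 3600


def build_messages():
    """Constructed stream: keyword chatter rises at hour 24, the hashtag at hour 48."""
    msgs = []
    for h in range(72):
        t = BASE + timedelta(hours=h)
        for i in range(1 if h < 24 else 10):
            msgs.append((t + timedelta(minutes=i), "news from Iran: election count disputed"))
        if h >= 48:
            for i in range(12):
                msgs.append((t + timedelta(minutes=30 + i), "protest update #iranelection"))
        msgs.append((t + timedelta(minutes=50), "lunch was good"))   # unrelated noise
    return msgs


def build_firewall_log():
    """Constructed log lines (assumed format): denies to port 445 jump from 2/h to 20/h at hour 36."""
    lines = []
    for h in range(48):
        t = BASE + timedelta(hours=h)
        for i in range(2 if h < 36 else 20):
            ts = (t + timedelta(minutes=i)).strftime("%Y-%m-%d %H:%M:%S")
            lines.append(f"{ts} DENY TCP 10.0.0.{i + 1}:51234 -> 192.0.2.10:445")
        ts = (t + timedelta(minutes=45)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{ts} ALLOW TCP 10.0.0.9:40000 -> 192.0.2.20:443")
    return lines


def parse_log_line(line):
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), line


def smb_deny_matcher(line):
    return " DENY " in line and line.rsplit(":", 1)[-1] == "445"


if __name__ == "__main__":
    msgs = build_messages()
    kw, tag = bucket_counts(msgs, keyword_matcher), bucket_counts(msgs, hashtag_matcher)
    print("keyword surge:", first_surge(kw), "hashtag surge:", first_surge(tag),
          "lead (h):", lead_hours(kw, tag))
    fw = bucket_counts([parse_log_line(l) for l in build_firewall_log()], smb_deny_matcher)
    print("port 445 deny surge:", first_surge(fw))
```

On the constructed stream the keyword series fires 24 hours before the hashtag series, which is the gap the post observed in the real data. The `min_count` floor matters in practice: without it a term that has never been seen before would "surge" on its first handful of mentions, which is exactly the kind of noise that makes analysts switch alerting off.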

Tuesday, May 26 2009

McAfee gets Solid (core)

A few weeks back McAfee announced their intent to acquire Solidcore for approximately $33M USD (with another $14M in performance bonuses.) I wanted to get a post out on this sooner, but we have been busy with the recent rebranding effort for Exultium. Better late than never :-)

I spent a number of years competing against Solidcore and McAfee while I was a Product Manager at Cisco. It was pretty surprising to see this acquisition at first, but now it has settled in and I can understand why McAfee made this move.

First, let me expand upon my history with Solidcore. I competed against them most heavily in the embedded systems market. This was especially apparent in single function systems running on multi-function OSes (like ATM machines on Windows XP.) I believe there are 2 core reasons for this:

  • Complete focus - they were a startup focused on the embedded vendors and all their marketing materials backed this up. Kudos to Solidcore for staying focused.
  • Technology fit - change control technology works well in a single-function environment. If you're shipping out 10,000 kiosks per year and they all work the same way then one profile is very manageable and provides stability for your customers.

At the time of the acquisition they were putting up some pretty impressive numbers: 200K endpoints under protection, with a large majority (I assume) running a server OS. This is probably the big reason why McAfee came in to swoop them up. A high growth endpoint security player with a market largely uncontested by the competition (by that I mean Symantec.) Sure, the competitors can protect single function devices, but they don't have the focus that Solidcore brings to the table. Plus McAfee was able to pick them up at a bargain price (it appears that total funding for Solidcore was around $40M USD, as reported in 2007.)

The future is unclear, as is always the case with acquisitions. It seems that McAfee is taking the right initial step by putting the Solidcore team under McAfee's Risk and Compliance business unit. Hopefully this means the team can remain focused on the technology and not on integrating with ePO (which has killed other endpoint acquisitions in the past.)

Friday, May 08 2009

We have a new name!

This week was pretty exciting as we did some early stage rebranding of the company. After *many* iterations we have come up with the name "Exultium" and have acquired the domain. The combination of advising and consulting we're providing our customers seems to fit nicely with our new name.

We've gone through some exciting organizational changes as well, but I'll post that info next week.

Let me know what you think of the new name!

Friday, May 08 2009

Polymorphism and You

Microsoft just released the "Microsoft Security Intelligence Report" for the time period of July-December 2008. This report is a monster, topping 180+ pages! It may take a while to read through, but there is a bunch of interesting data available for review.

I skimmed through the report and found myself slowing down around page 86 where Microsoft discusses the number of virus variants detected in the wild. In the second half of 2008 there were 95 million malicious samples detected by Microsoft security products. This means that.....

Hold on, did I just write 95 million malicious samples? Half a million a day? That is a *big* number.

There are 2 main reasons for this high number:

  1. Samples are counted for each infected file, even if the virus is the same
  2. Polymorphic viruses change with each infection thereby creating many variants

How are you protecting against this malware in your environment? If your answer is just "Endpoint Anti-Virus (signature based)" then you have a problem. Your A/V vendor could not possibly provide you with half a million signature definitions a day (or even a tiny percentage of this.) You wouldn't want it anyway, since your machine would stop functioning if it had to deal with such a large virus database.

However, there are ways to deal with polymorphic viruses. Most of the A/V vendors are extending their solutions beyond pure signature-based detection. Plus, there are other solutions that don't rely on signatures at all. If you are responsible for protecting corporate assets then make sure to educate yourself on the solutions available today.
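The two counting effects above and the signature problem they create, worked through on constructed records as an added example of mine (not from the report or this post). Every "sample" is just a hash of a constructed string plus a set of constructed behaviour tags; the tags stand in for what a behavioural HIPS would observe, and the idea that a polymorphic family keeps the same behaviour while every file hashes differently is the assumption the example is built on. Nothing here is or models real malware.

```python
"""Per-file hash signatures versus one behaviour rule (added example).

Every sample is a placeholder record: a SHA-256 of a constructed string plus
constructed behaviour tags. Nothing here is real malware."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    host: str
    sha256: str
    behaviours: frozenset   # constructed tags standing in for a behavioural HIPS's observations


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed behaviour pattern assumed to be shared by every member of the family.
FAMILY_RULE = frozenset({"persist:autorun-key", "inject:remote-thread", "net:beacon"})


def build_samples():
    """Returns (static, poly, benign):
    - static: one unchanging file found on 50 hosts (50 'samples', 1 hash)
    - poly:   200 files from a polymorphic family, modelled only as distinct
              bytes per infection, with identical behaviour
    - benign: one file that shares a single behaviour tag but not the pattern"""
    static_hash = sha256_hex(b"constructed static family, identical on every host")
    static = [Sample(f"host-{i:03d}", static_hash, FAMILY_RULE) for i in range(50)]
    poly = [Sample(f"host-{100 + i:03d}",
                   sha256_hex(b"constructed polymorphic family, infection %d" % i),
                   FAMILY_RULE)
            for i in range(200)]
    benign = Sample("host-999", sha256_hex(b"constructed benign updater"),
                    frozenset({"net:beacon"}))
    return static, poly, benign


def count_unique_hashes(samples):
    return len({s.sha256 for s in samples})


def hash_signature_db(known):
    """The signature set a vendor could ship: one entry per file hash it has already seen."""
    return {s.sha256 for s in known}


def hash_detect(db, samples):
    return sum(1 for s in samples if s.sha256 in db)


def behaviour_detect(rule, samples):
    """One rule fires when a sample shows every behaviour in the rule."""
    return sum(1 for s in samples if rule <= s.behaviours)


def run_demo():
    static, poly, benign = build_samples()
    everything = static + poly + [benign]
    seen, unseen = poly[:100], poly[100:]      # variants the vendor has / has not seen
    db = hash_signature_db(static + seen)
    return {
        "samples_counted": len(everything),      # per-file counting (reason 1 above)
        "unique_hashes": count_unique_hashes(everything),
        "signatures_shipped": len(db),
        "hash_hits_on_unseen": hash_detect(db, unseen),
        "behaviour_hits_on_unseen": behaviour_detect(FAMILY_RULE, unseen),
        "behaviour_hits_on_benign": behaviour_detect(FAMILY_RULE, [benign]),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:26} {value}")
```

The static family shows the first counting effect: 50 samples, one hash, one signature. The polymorphic family shows the second: the hash database needs one entry per infection and still catches none of the next hundred, while the single behaviour rule catches all of them and ignores the benign file that only shares one tag. The caveat a practitioner should keep in mind is that a behaviour rule is only as good as its specificity; the benign case is in the example precisely so that a rule built from one tag would be visibly wrong.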