Several people have been asking me lately if I still prefer Sophos technology. After all, they recently released a bad update and Tavis Ormandy’s recent paper illustrated some design flaws in the product.
There’s spin on both sides. Unsurprisingly, Sophos is downplaying the issue and Tavis Ormandy’s tone in his second paper is much like that of his first. So I thought it would be good to explore the issues more fully.
I am disappointed in Sophos’s recent fumbles, but not disheartened. I still think that, for a great many companies, they have the best solution available.
There are two core problems here. The first is that of scaling. As companies grow bigger, they often become slower to react. Sometimes, they fail to adjust to their new reality. Sometimes, however, they get through it and become incredible companies. There are indications that Sophos is beginning the turnaround.
The second problem is industry-wide and has to do with market-splintering. Today, we are facing a splintering security vendor space and reports like the ones from Tavis are a symptom. Reports we’ve been getting for the past few years about AV and IDS being “dead” is yet another symptom. There’s nothing wrong with these reports and it’s good that people are thinking about the issues. But unfortunately, they’re missing the big picture.
In a splintering space, there is an increasing deviation between what a product actually does and how it is branded. This continues until the vendors wake up and pivot their branding to better match what they actually do. This always takes longer than we’d like, because employees of a company are driven by their brand even more than their customers.
As I see it, the AV vendor space is breaking apart into four chunks:
Traditional AV – Focused on being lightweight and supplementing the protections built into an operating system.
Anti-Malware – Focused on monitoring and responding to bad and potentially bad things that can happen to an operating system.
Application Whitelisting – Focused on locking down an operating system to only allow known applications to run.
Malware Analytics – Focused on providing detailed data about events so human analysts can make appropriate decisions.
We are also seeing the attack space splintering as well. Specifically, we’re seeing a tiered structure emerging:
Background Radiation – A constant stream of trivial attacks, legacy viruses and worms that float about the internet.
Industry-focused Asset Attack – Attacks that focus on specific industries aiming to steal monetary assets. These often rotate between industries, “campaign” style. At present, Western banks are in vogue. Indications are that these attacks are run by organized criminal groups. If you have above average protection in this space, you gain significant competitive advantage as attacks are driven to those that do not.
State-sponsored IP Attack – Attacks that also focus on specific industries, but are run by better-organized groups suspected of being funded by state agencies. They aim to steal intellectual property. You get significant benefit from being above-average here too.
Industrial Espionage – Attacks focus on specific companies and likely come from other specific companies. There is no benefit to be gained from being above-average in defense, as that just creates rapid escalation in an arms-race pattern of growth.
The third splintering effect is familiar to those of you who have heard my talks or read my comic book.
In the defense space, we have two primary trends emerging based on complexity. Both are valid, but they are completely incompatible with one another (at least on the large scale).
Simplification – This trend involves firms who outsource much of their operations and infrastructure to managed SOC providers, cloud providers, SAAS providers, etc. The idea is that by focusing on their core business and finding trustworthy partners, they can become more nimble and therefore, more profitable.
Complexification – This trend involves firms who increasingly centralize their infrastructure through virtualization, log management, analytics, etc. The idea is by taking more control, you can better analyze the business and find regions of improvement.
So after this rather long diversion, what does it mean for Sophos? Well, their core strength is offering administrators a solution to rapidly and consistently provide a reasonable level of protection that gives early indicators of attack. This means they’re a great fit for anti-malware up to and including the State-sponsored IP attack tier and work best in simpler environments or in simpler subsets of complex environments.
I do not think that they’re the best solution for highly-targeted complex companies, as they are not an analytics tool. They’re also not the best solution for extremely simple firms that want “set it and forget it” technologies. Security takes work and if you put the work in, you get better security. You should pick a solution that allows you to put in more work than you currently do, but does not require that additional work for the product to still be effective.
Many of the critiques of Sophos tend to be at the edges. And Sophos doesn’t help these concerns by marketing as if they fit everywhere for everyone. I think they’ll eventually reach this goal, but they’re not there today.
If you’re in a highly complex environment that is facing constant incursion from well-funded foreign governments, Sophos better not be your only tool. You need Analytics, too.
If you want the cheapest solution out there that you can install and ignore, Sophos won’t work well for you either. That’s where Traditional AV and the ability to wipe and reload when it fails comes in.
Operationally, you need to figure out what sort of attack and defense space you’re in, so you can select the tool(s) that will provide the best protection for your business. If you overlap spaces, you’re going to need multiple tools. One of the biggest reasons I really like Sophos is because of their flexibility to play in overlapping spaces. They layer quite well with other security products, which is a great benefit for their customers.
Just remember: We live in a complex world. There are no magic bullets. Security requires thought.
Whenever a major media event happens (like Hurricane Sandy), we are inundated with news. Sometimes that news is useful, but often it merely exists to create FUD… Fear, Uncertainty and Doubt. While I have not personally seen any malware campaigns capitalizing on the event yet, it is inevitable. The pattern is generally as follows:
Event hits the news as media outlets try to one-up eachother to get the word out.
People spread the warnings, making them just a little bit worse each time they are copied.
Other people create hoaxes to ride the wave of popularity.
Still other people create custom hoaxes to exploit the disaster financially.
A few minutes ago, at least in my little corner of the internet, we hit stage 3 when this image was posted:
Now, as someone who plays with photography, I was a bit suspicious, but as a security person, I can actually prove some things here.
The first tool I want to discuss is FotoForensics. Check out their analysis.
See how the statue of liberty and land on which she stands is much brighter than the background? That indicates that that image has been pasted on top of the other, so we know it’s fake.
Sometimes, though, this trick doesn’t work. If someone is making a good hoax, they can change the error levels to prevent easy detection. That’s where our next tool comes in. TinEye is awesome.
Look what happens when I do a reverse image search on the suspicious file here. (TinEye results expire after 72 hours, so if you’re slow to read this, just past the URL of the photo into their search box.)
TinEye, by default, is going to try to find the best match. But that’s not what we want. We want the original. Luckily, when people make hoaxes, they usually shrink the image to make it harder to find the signatures of a hoax. So we just click to sort by size and there we have what it likely the original:
Then it lists a bunch of sites that have stolen this image to use without credit. (That’s a different post.) You can then click on the “Compare” link for the likely original and see what they did. By flipping between the versions, you can see that they added the Statue of Liberty, the water and the boat. They also shrunk the image and made it darker… because darker is scarier, apparently.
The important thing to realize here is that the attacker is trying to manipulate you. By spreading fear, they are making you more susceptible to future attacks. By taking advantage of your uncertainty and doubt, they put you in a position where you will do unwise things to gain an element of certainty in your life. Does this matter that much in an image hoax? Probably not. But it does matter when you start getting fraudulent emails convincing you to “click here” to help victims of the hurricane.
Uncertainty and doubt can work against you, but it can also work for you. When the attacks come … likely in a few hours, approach them with suspicion. If you’re in the path of the storm, trust the names you recognize, like Google and The National Weather Service. If you’re not in the path of the storm and want to send aid, go with The Red Cross. If anyone else you don’t know asks for your money or your clicks, ask yourself what they have to gain.
It’s no secret that cyberspace has quickly become the world’s next battleground. The United States and Israel were widely speculated to have delivered a mighty blow to the Iranian Nuclear Program with the Stuxnet Virus and now Iran has fought back attacking the web sites of American financial institutions, Bank of America and J. P. Morgan Chase.
Despite the magnitude of these web-based attacks, I don’t think the public necessarily understands how devastating cyber warfare could become. With nearly all business featuring some sort of online component and so much of our day-to-day activities utilizing web-based technology, a cyber terrorist could effectively cripple everything from bank accounts, telecommunications, medical facilities, utilities, transportation … you name it. Perhaps this is why U.S. Secretary of Defense, Leon Panetta offered a rather dire warning last week:
“The collective result of these kind of attacks could be a cyber Pearl Harbor,” warned Panetta. “An attack that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nations and create a new profound sense of vulnerability.”
I bet that quote got your attention! The reality of such an immense attack can certainly be debated, but the question of whether the United States is ready and able to protect its interests is certainly a topic that should be at the forefront of any discussion regarding terrorism and world war.
Heather Roff, a Research Fellow with the Eisenhower Center for Space and Defense Studies at the United States Air Force Academy, penned a great post this week for the Huffington Post that discusses the conclusions we can draw from Panetta’s speech and how prepared the United States is to defend it cyber borders.
There is a significant security flaw in Java and it is being exploited fast and furiously by cyber criminals. Sophos’ Naked Security blog has a fantastic post on the vulnerability and especially its effect on Oracle users. Their solution: Disable Java immediately. Check out the post here.
And why is Java so problematic you ask? Graham Cluley states the following:
“In fact, it has become increasinglycommon to see malware authors exploiting vulnerabilities in Java – as it is so commonly installed, and has been frequently found to be lacking when it comes to security.
Cybercriminals also love Java because it is multi-platform – capable of running on computers regardless of whether they are running Windows, Mac OS X or Linux. As a result it’s not unusual for us to see malicious hackers use Java as an integral part of their attack before serving up an OS-specific payload.”
For easy reference, here’s how to disable Java on the most popular web browsers.
If you haven’t heard, the United States and Israel are behind the cyber warfare attacks on Iran’s nuclear program which included malicious software viruses Stuxnet, Flame and Skywipe. Since the cat is officially out of the bag, I suppose we may as well have some fun with it!
Mikko Hypponen of F-Secure reports that he received several emails over the weekend from one of the scientists who claims to be working on Iran’s nuclear program. The scientist claims a new cyber attack has halted their enrichment activities and is supposedly playing AC/DC’s “Thunderstruck” over the speakers of the infected PCs at max volume.
Apparently this particular attack is another SCADA-based controller exploit that has forced the Iranians to shut down their centrifuges yet again while rocking some music to openly mock them.
The United States has a long history of using music in psychological operations. Some of my happiest memories of serving Uncle Sam were playing music on restricted radio frequencies and taking requests from the enemy combatants for their song choices. “You know we’re looking for you and when we find you, well, you know. But before that happens, I’d love to hear some more Ozzy.”
Unlike you, attackers are not limited by resources, budgets, laws or ethics. They can launch any number
of attacks from anytime or anywhere. This means you have to maintain a strategic balance between defense and response. Learn More
Always stay a move ahead of your opponent.
If you are constantly focused on reacting, you are not taking the time to learn and adjust your security
strategy based on your experiences. Your attackers are constantly evolving, so you must, too … just a little faster. Learn More
Make better use of what you already have.
Before you invest in yet another expensive security project, fine-tune the security products you have in place.
Are your defense systems fully-patched? Have you turned on all the necessary bells and whistles that came with your original product? Learn More
The right security strategy for right now.
The days of defining and executing a rigid multi-year security plan are over. Since attackers are incentivized
for rapid change, you must also adapt to the always-evolving threat landscape. An inflexible security plan will create holes
quicker than you can fill them. Learn More
Part of your team, not instead of your team.
Without a highly-skilled and experienced staff of security experts, it is extremely difficult to remain unscathed
from the many possible attacks waged against your organization each day. Thus, it is sometimes necessary to leverage the knowledge
of others. Learn More
A smart investment for smart growth.
Once your internal operations are working well and you are effectively using what you have, it's time to grow.
But before you purchase another layer of protection, first identify what really matters to your business and create goals you
can measure to see if your next project will indeed be a success. Learn More
About RJS Security
RJS Software provides information management solutions that allow businesses
to improve productivity, make better decisions and save money. Our software helps organizations
streamline data collection, digitize and manage documents, automate work processes and optimize