• George Kurtz
    Chief Technology Officer & Executive Vice President

    Former CEO of Foundstone, and current worldwide chief technology officer, George Kurtz is an internationally recognized security expert, author, and entrepreneur, as well as a frequent speaker at many major industry conferences. George has over sixteen years of experience in the security space and has helped hundreds of large organizations and government agencies tackle the most demanding security problems. He has been quoted or featured in many major publications, media outlets, and television programs, including CNN, Fox News, ABC World News, Associated Press, USA Today, The Wall Street Journal, The Washington Post, Time, ComputerWorld, eWeek and CNET.

    Prior to his role at McAfee, Kurtz was CEO of Foundstone, Inc., which was acquired by McAfee in October 2004. In his position as CEO, Kurtz brought a unique combination of business acumen and technical security know-how to Foundstone. George’s entrepreneurial spirit positioned Foundstone as one of the premier "pure play" security solutions providers in the industry.

    In addition to his day job, George co-authored one of the best selling security books ever published (McGraw-Hill, Hacking Exposed: Network Security Secrets & Solutions).
  • How to Deal with Terrible Tuesday Friday, October 16, 2009 at 6:49 pm by George Kurtz

    I’ve seen a lot of Patch Tuesdays.  If you look back at history, the concept of updating (“patching”) the Windows operating system began with the release of Windows 98.  The term “Patch Tuesday” didn’t actually start until 2004 when the ritual became more scheduled in an attempt to reduce patch cycles.  Each month Microsoft would release a small number of “patches” to address vulnerabilities, but this week was different.  Microsoft released 13 security bulletins that cover a total of 34 vulnerabilities, the most that Microsoft has ever addressed on a single Patch Tuesday.

    According to PC World:  “Microsoft says it will deliver its largest-ever number of security updates on Tuesday to fix flaws in every version of Windows, as well as Internet Explorer (IE), Office, SQL Server, important developer tools and the enterprise-grade Forefront Security client software.”

    Of the 13 bulletins, eight are rated “critical” by Microsoft, the company’s highest risk rating. Five are deemed “important,” one notch lower on Microsoft’s severity scale. Nine of the vulnerabilities had been previously disclosed, allowing cyberattackers a way to break into Windows systems before the fix was available.

    This kind of craziness leads companies around the world to engage in what I call “patch panic” – security administrators and IT management scrambling to try to understand each patch, what systems might be vulnerable, what threats could exploit those vulnerabilities, potential implications to their business (and how many nights and weekends they are going to have to work).  Some companies will spend weeks trying to collect this information to make decisions on which systems to patch and many will patch systems that don’t require it.  Hours, days and weeks of productivity will be lost.  What a waste of time.

    The good news is, it doesn’t have to be this way.  McAfee recently announced one of the most creative products I’ve ever been associated with – McAfee Risk Advisor – the first and only risk analytics solution to eliminate the manual, time-consuming and error-prone approach associated with patching efforts.  We do this by correlating threat, vulnerability and countermeasure information to pinpoint which assets are truly at risk for a specific threat.  It works in conjunction with McAfee Labs Global Threat Intelligence and Vulnerability Manager (formerly Foundstone), as well as countermeasures such as McAfee’s Network Security Platform (formerly IntruShield), Host Intrusion Prevention and VirusScan Enterprise to provide a complete picture of risk posture.

    McAfee customers with our Host Intrusion Prevention and antivirus products had protection in place before these vulnerabilities were announced, due to our partnership with Microsoft.  Buffer overflow protection capabilities within these products mean that customers receive out-of-the box protection and are not dependent on signature updates, unlike other vendors’ offerings.  Customers using our Application Control (formerly Solidcore) have absolutely no need to patch those systems, because they are completely blocked from these vulnerabilities.  This week’s news also highlighted the most popular threat trend around malicious sites and web attacks, like last week’s Adobe PDF vulnerability.  McAfee’s Web Gateway protected our customers from these vulnerabilities even before the announcements.

    The bottom line is that life in IT security doesn’t have to be a huge process any more – we can eliminate “patch panic” and the countless lost hours, money and downtime that most people now take for granted.  We can also reduce the number of patches that need to be applied and let you apply them when it is least disruptive – drastically reducing patching costs and risks, while improving overall system availability and security. 

    We help customers patch on their schedule, not someone else’s.


  • Remember The Past, See The Future Thursday, October 1, 2009 at 11:31 am by George Kurtz

    It is hard to believe it has been five years to the day that McAfee acquired Foundstone, the company I helped start. At the time of the acquisition I knew McAfee as a solid AV vendor – nothing more. As I reflect back on the past five years, McAfee has had some ups and downs; however, there has been a transformation of the company that might not be evident to the casual viewer. Like watching your children grow, you don’t always see the day-to-day change, but when you look at the last five years, it is startling.

    Over two billion dollars in investments later, we have added some amazing technologies through our own development as well as acquisitions that include SafeBoot, Solidcore, Secure Computing, MX Logic, and the list goes on. We have added new revenue streams and have significantly decreased our dependence on selling just AV. We also have a skipper at the helm in Dave DeWalt that is not shy in making bold moves to aggressively attack our competition.

    My walk down memory lane is an interesting exercise as I contemplate the next five years of McAfee. Today I am humbled at the opportunity to become McAfee’s worldwide CTO. As the dominant player in digital security, my first goal is to drive thought leadership with our customers and prospects and to demonstrate that we have what it takes to solve complex security challenges. My second goal is to drive innovation across all our product offerings as we continue to broaden and diversify our portfolio. To achieve these goals I will be assembling the “Office of the CTO” with heavy hitting CTOs across our business units as well as our geographies.

    There is much work to be done, but I am confident we will continue to beat our competition and deliver world-class security technologies to consumer, mid-market, and enterprise customers. You will be hearing a lot more from the team in the coming months so stay tuned and keep reading our blogs.


  • Taking compliance to the endpoint and beyond Tuesday, August 11, 2009 at 3:46 pm by George Kurtz

    In June McAfee acquired Solidcore, a leading provider of dynamic whitelisting technology. Today, under the McAfee name, we offer the industry’s first end-to-end compliance solution that includes dynamic whitelisting and application trust technology. In my opinion, this technology is one of the most disruptive that I have seen over the last 15 years. We are finally able to achieve our goal of providing DAT-less protection and enforce compliance across many different Windows, UNIX, and fixed function devices.

    McAfee’s Application Control, Change Control, Change Reconciliation, Integrity Monitor, and PCI Pro will be added to our current line-up of risk and compliance offerings and system security offerings. The integration of Solidcore with McAfee provides customers with the highest level of system integrity and security across their physical and virtual environments, and allows customers to quickly and easily meet compliance requirements, like PCI. This is especially true for our retail customers struggling with how to protect their Point of Sale (POS) systems.

    In addition, Solidcore’s portfolio adds the “enforcement” arm to McAfee’s current suite of risk and compliance offerings. Dynamic application whitelisting, coupled with our own Artemis in the cloud technology, will enable McAfee to move even further ahead of our competitors in protecting customers. The end result will be improved IT compliance, security and availability.

    I have been traveling around the world the last two months, and the reception to this technology has been overwhelming. One bank I met with was keenly interested in protecting their ATMs and could not have DAT files pushed to each ATM because they had a whopping 8K of bandwidth. Yes – you read that correctly – 8K! Our Solidcore technology was a perfect fit for this application as well as many others – especially in a fixed function and constrained environment.

    In my opinion, the industry had one “hammer” in their proverbial tool belt called AV, and everything looked like a nail. Now, McAfee has multiple compelling solutions that offer an amazing array of protection and integrity monitoring capabilities integrated into ePO. I would encourage anyone looking at application whitelisting technologies to learn more about this exciting technology by visiting our Web site at http://www.mcafee.com/us/enterprise/products/risk_and_compliance/application_control.html.


  • First Conficker – now your router? Thursday, April 2, 2009 at 4:33 pm by George Kurtz

    After all the hype around Conficker, I thought I would try to provide some soothing thoughts.  For just a minute, imagine a calm place where malware is banished from attacking your PC.  No more terrible Tuesdays from Microsoft.  No more worrying about the latest worm ready to commandeer your systems for fun and profit. Just peace and tranquility as you Facebook away….  What a wonderful world that would be.  What else would you have to worry about?  How about your routers…?


    In what is thought to be the first of its kind, the psyb0t worm appears to be targeting Linux mipsel routing devices like the Netcomm NB5, and turning them into mindless zombies used to staff up the latest botnet.   Researchers at DroneBL recently identified this worm and have put out a detailed description of how it operates.  I found it particularly interesting, since most consumers don’t take the security of their routers seriously.  Moreover, this worm takes advantage of the worst security problem known to man: man – or Layer 8, as I like to call it.  Many of the NB5 routers shipped with no password or default passwords.  However, the real problem is that the remote users were allowed to access the administrative ports.  Poor default security combined with poorly chosen passwords will kill you every time.


    I won’t rehash the technical details, as you can read them at the link above.  In my opinion this is an innovative worm that ushers in a new era in botnets.  We should be thankful this only showed up on a SOHO platform and not on a Cisco router.  Work done by Felix “FX” Lindner shows that unpatched Cisco routers can be reliably exploited remotely.  I shudder to imagine a Cisco botnet.  Once again, finding vulnerable systems and patching them is critical to staying one step ahead of the bad guys.


  • The Conficker Time Warp Tuesday, March 31, 2009 at 6:11 pm by George Kurtz


    Back in 2001 I was sitting at my desk (or card table as it were) getting Foundstone off the ground as a fledgling startup. At the time we were trying to make sense of 9/11 and what it meant for our country as well as our business. As we pondered the future, we were brought back to the reality that security does indeed march on – as the Nimda worm began to propagate throughout the Internet. During the initial panic everyone was wondering if it was a real worm or “Cyber-Terrorism,” a newly minted term. At the time, Nimda was one of the most sophisticated worms we had ever seen with five attack vectors, allowing rapid propagation throughout the Internet and internal networks. One of the attack vectors was a vulnerable version of IIS susceptible to the Unicode web traversal exploit for which a patch existed. All in all, this worm was a real pain to deal with and bounced around company networks for years to come.


    Let’s fast forward to 2009. The attackers have moved from creating worms because they “can” to creating multi-vector malware that has a level of sophistication exponentially higher than the lowly Nimda. Botnets are BIG business and the folks that used to do this as a hobby are making some serious coin. Gone are the guys like Mudge and Hobbit who would expose security flaws for the betterment of the community, replaced by folks like the Russian Business Network, a multi-million-dollar enterprise. Although things appear to have dramatically changed, in my mind they really have stayed the same. “How?” you ask. It is an axiom that humans program software. Humans make mistakes. Therefore, there will always be software flaws, some of which will turn into exploitable vulnerabilities. Granted, there are automated tools that can be used as part of a Security Development Lifecycle to help ameliorate this situation; however, they are far from perfect and not universally used. Conficker ultimately takes advantage of a buffer overflow condition against a vulnerable unpatched system. So in 2009 we are still dealing with the boring buffer overflows of yesteryear hoping that Address Space Layout Randomization (ASLR) or Data Execution Prevention (DEP), which are both security features of Vista, will help our cause. As a wise man once said, “Hope is not a strategy!” So for the realists out there I have a few thoughts:

    1. Understand what systems are on your network. Are these assets critical to your business or is it the Point of Sales system in your cafeteria?
    2. Understand what security state they are in. Are they vulnerable or not? Patched or not?
    3. Have a plan to deploy countermeasures. Host IPS and Network IPS are two great ways to put patching back on your time schedule instead of Microsoft’s.
    4. Implement a Vulnerability Management Process that leverages vulnerability management software. It is critical to understand the assets you have, the vulnerabilities on your network, the current threats you face, and the countermeasures you possess. I have spent almost a decade working at Foundstone and McAfee developing technologies that do exactly this. In a time of potential chaos our McAfee Foundstone Vulnerability Manager customers take comfort in knowing they were able to scan for this vulnerability in October 2008 when MS-08-067 was released. With an updated FSL package (March 30, 2009), they now have the ability to scan for infected machines on their network. A big thanks to the Honeynet Project’s Tilmann Werner and Felix Ledger, and of course Dan Kaminsky for providing some new methods to detect this nasty worm.
    5. When the CIO or CISO calls, make sure you have the answer to “Are we at risk?”  This tends to calm the management types down and also helps in job security.  If you don’t have a good answer, go back to items 1-4.

    While we realize not everyone has our Vulnerability Manager product (yet), keeping with our tradition of helping to educate and give back to the community we are releasing a free scanning tool to detect the presence of Conficker. You can find a copy here. So you can either hope or pray this puppy won’t erupt on April 1, or take a proactive position and determine if this scoundrel is lurking on your network. What are you waiting for?! Get scanning!


  • Changing the paradigm again… Friday, January 23, 2009 at 7:58 pm by George Kurtz

    In my travels and discussions with CIOs, CISOs and Risk & Compliance Officers, I hear time and again how companies struggle with a lack of time, resources and expertise when performing IT audits. I have a name for this condition – “audit fatigue,” where massive efforts are devoted to complete multiple IT security audits. Also, in an environment where cost containment is an absolute must, having to purchase additional infrastructure (such as consoles, agent technology, software distribution and reporting tools) is often not a valid option. This is why the Risk & Compliance Business Unit at McAfee has developed a new solution for simplifying IT audits and demonstrating compliance. We call this our Total Protection for Compliance Solution, or ToPS for Compliance.

    ToPS for Compliance simplifies the tasks associated with performing IT audits through integration of two previously separate approaches – agentless and agent-based policy audits. We have eliminated the need for companies to decide between these two approaches, or worse, to deploy multiple products at increased cost and complexity. With ToPS for Compliance, a unified IT policy benchmark is utilized for both managed assets (those with an agent) and unmanaged assets (those without). The audit process is radically simple – discover assets, select benchmarks, assign assets, execute the audit across both managed and unmanaged assets together, then view the combined results. Because ToPS for Compliance uses the security management infrastructure (McAfee ePolicy Orchestrator) already in place at many customer sites, existing agents, consoles and reports are leveraged for IT policy audits. This integration helps improve return on IT investments and reduces the learning curve cost for users.
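    The audit flow described above (one benchmark, applied to agent-managed and agentless assets alike, with the results combined) can be illustrated with a small evaluator. This is an added example written for this page, not McAfee or ToPS for Compliance code; the benchmark rules, rule ids, asset names and collected facts are all constructed. The one design point worth noticing is how a fact the collector could not reach is handled: it is reported as unknown, never as a pass, so an unmanaged asset cannot look compliant simply because it was hard to inspect.

```python
"""Unified policy benchmark over managed (agent) and unmanaged (agentless) assets.

Added example, not McAfee code. Benchmark rules, asset facts and the
agent/agentless split are constructed; the rule ids are placeholders.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Rule:
    rule_id: str
    fact: str                          # name of the configuration fact it checks
    check: Callable[[Any], bool]       # predicate over the collected value
    description: str


# One benchmark, applied the same way to every asset regardless of collector.
BENCHMARK = [
    Rule("BM-01", "password_min_length", lambda v: v >= 12, "Minimum password length >= 12"),
    Rule("BM-02", "autorun_disabled", lambda v: v is True, "Autorun disabled"),
    Rule("BM-03", "ms08_067_patched", lambda v: v is True, "MS08-067 patch installed"),
    Rule("BM-04", "local_firewall", lambda v: v == "on", "Host firewall enabled"),
]

# Constructed asset records. Managed assets report every fact through the agent;
# the unmanaged printer only exposes what an agentless check could reach.
ASSETS = {
    "ws-0042": {"managed": True,
                "facts": {"password_min_length": 14, "autorun_disabled": True,
                          "ms08_067_patched": True, "local_firewall": "on"}},
    "pos-07": {"managed": True,
               "facts": {"password_min_length": 8, "autorun_disabled": False,
                         "ms08_067_patched": False, "local_firewall": "off"}},
    "printer-lobby": {"managed": False,
                      "facts": {"ms08_067_patched": True, "local_firewall": "on"}},
}


def audit_asset(facts: dict, benchmark: list) -> dict:
    """Return rule_id -> 'pass' | 'fail' | 'unknown' for one asset.

    A fact the collector did not retrieve is 'unknown', never 'pass'.
    """
    results = {}
    for rule in benchmark:
        if rule.fact not in facts:
            results[rule.rule_id] = "unknown"
        else:
            results[rule.rule_id] = "pass" if rule.check(facts[rule.fact]) else "fail"
    return results


def audit(assets: dict, benchmark: list) -> dict:
    """Run one benchmark across managed and unmanaged assets together."""
    return {name: audit_asset(rec["facts"], benchmark) for name, rec in assets.items()}


def summarize(assets: dict, results: dict) -> dict:
    """Per-asset status plus the rule ids an auditor still needs evidence for."""
    summary = {}
    for name, per_rule in results.items():
        failed = sorted(r for r, s in per_rule.items() if s == "fail")
        unknown = sorted(r for r, s in per_rule.items() if s == "unknown")
        if failed:
            status = "non-compliant"
        elif unknown:
            status = "incomplete"      # no failures seen, but evidence is missing
        else:
            status = "compliant"
        summary[name] = {
            "status": status,
            "failed": failed,
            "unknown": unknown,
            "collector": "agent" if assets[name]["managed"] else "agentless",
        }
    return summary


if __name__ == "__main__":
    report = summarize(ASSETS, audit(ASSETS, BENCHMARK))
    for asset, s in report.items():
        print(f"{asset:14} {s['collector']:9} {s['status']:14} "
              f"failed={s['failed']} unknown={s['unknown']}")
```

Running the script prints one line per asset; the printer comes back "incomplete" rather than "compliant" because two of the four rules could not be evaluated without an agent, which is exactly the distinction an auditor will ask about.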

    ToPS for Compliance uses automation and integration to go even further. “Patch panic” results from not knowing the implications of an emerging threat, and results in a non-prioritized approach to patching and remediation. Can you say “Conficker worm” and “MS08-067”? To help companies reduce “3,000 to 30” – identifying those systems that are at critical risk – we are introducing Project CARMA to make security protection more intelligent. Project CARMA is included in ToPS for Compliance and integrates the McAfee Threat Information Service (MTIS) with countermeasure-aware risk management and correlation from ePO. New threats and vulnerabilities are evaluated against the deployment of anti-virus, buffer overflow and intrusion prevention solutions. Assets that have these countermeasures are at less risk and allow administrators to allocate remediation efforts toward areas of highest risk. Now we’re talking! – managing risk by understanding your residual risk based upon deployed McAfee countermeasures like Host Intrusion Prevention (HIPS).
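    The correlation described here, and in the “Terrible Tuesday” and Conficker posts above (know your assets, know their security state, know which countermeasures they carry, then answer “are we at risk?”), is easy to show in miniature. The following is an added example written for this page, not McAfee, Risk Advisor or Project CARMA code. Only MS08-067 is a real bulletin id (it is named on the page); the asset inventory, the countermeasure catalog and what each countermeasure is assumed to cover are constructed for the example. An asset is bucketed as at risk only when it has the finding the threat exploits and nothing deployed on it covers that finding; assets that were never scanned are reported as unknown rather than silently treated as safe.

```python
"""Countermeasure-aware risk correlation: which assets are truly at risk?

Added example, not McAfee code. Threat, inventory and countermeasure records
are constructed; only MS08-067 is a real bulletin id (named on the page).
What each countermeasure covers is a simplifying assumption for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    exploits: set[str]          # vulnerability ids the threat needs to succeed
    technique: str              # how it gets code running, e.g. "buffer_overflow"


@dataclass
class Countermeasure:
    name: str
    blocks_vulns: set[str] = field(default_factory=set)       # signature-style coverage
    blocks_techniques: set[str] = field(default_factory=set)  # generic coverage


@dataclass
class Asset:
    name: str
    criticality: int            # 1 = low .. 3 = business critical
    vulns: set[str]             # open findings from the last vulnerability scan
    countermeasures: set[str]   # deployed products, by catalog name
    scanned: bool = True        # False = no scan data, security state unknown


# Constructed countermeasure catalog; coverage is an assumption for the example.
CATALOG = {
    "HIPS": Countermeasure("HIPS", blocks_techniques={"buffer_overflow"}),
    "NIPS": Countermeasure("NIPS", blocks_vulns={"MS08-067"}),
    "AppControl": Countermeasure("AppControl", blocks_techniques={"buffer_overflow", "malicious_web"}),
    "VirusScan": Countermeasure("VirusScan"),   # modelled as signature-only, nothing relevant here
}

# Constructed inventory (step 1 and 2 of the Conficker post: assets and their state).
ASSETS = [
    Asset("hr-db", 3, {"MS08-067"}, {"VirusScan"}),
    Asset("dc01", 3, {"MS08-067"}, {"HIPS"}),
    Asset("fileserver", 3, {"MS08-067"}, {"NIPS"}),
    Asset("pos-cafeteria", 1, {"MS08-067"}, set()),
    Asset("kiosk", 2, set(), {"AppControl"}),
    Asset("lab-vm", 2, set(), set(), scanned=False),
]

CONFICKER = Threat("Conficker", exploits={"MS08-067"}, technique="buffer_overflow")


def assess(assets: list[Asset], threat: Threat, catalog: dict[str, Countermeasure]) -> dict:
    """Correlate threat x vulnerability x countermeasure for every asset.

    Buckets: at_risk (exposed and nothing covers it; most critical first),
    protected (exposed but a deployed countermeasure covers it, so the patch
    can wait for the normal cycle), unaffected (no matching finding) and
    unknown (never scanned; the honest answer is not "safe").
    """
    report = {"at_risk": [], "protected": {}, "unaffected": [], "unknown": []}
    for asset in assets:
        if not asset.scanned:
            report["unknown"].append(asset.name)
            continue
        exposed = asset.vulns & threat.exploits
        if not exposed:
            report["unaffected"].append(asset.name)
            continue
        covering = sorted(
            cm for cm in asset.countermeasures
            if exposed <= catalog[cm].blocks_vulns
            or threat.technique in catalog[cm].blocks_techniques
        )
        if covering:
            report["protected"][asset.name] = covering
        else:
            report["at_risk"].append(asset)
    # Step 5 of the post: answer "are we at risk?" with the critical systems first.
    report["at_risk"] = [a.name for a in sorted(report["at_risk"], key=lambda a: -a.criticality)]
    return report


def patch_now(report: dict) -> list[str]:
    """The short list that needs out-of-cycle patching."""
    return report["at_risk"]


if __name__ == "__main__":
    r = assess(ASSETS, CONFICKER, CATALOG)
    print(f"{len(ASSETS)} assets -> {len(patch_now(r))} need immediate patching: {patch_now(r)}")
    print("protected by a countermeasure:", r["protected"])
    print("unknown state (scan these first):", r["unknown"])
```

With the constructed inventory, six assets reduce to two that need patching now: the unprotected HR database first because of its criticality, then the cafeteria point-of-sale system. The domain controller and file server are exposed but covered by HIPS and NIPS respectively, and the unscanned lab VM is surfaced as a gap in the inventory rather than quietly counted as safe.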

    Finally, it has been a great year for our R&C Business Unit as we continue to drive innovation into our products – the type of innovation that you have come to expect from the old Foundstone team. When we first launched Foundstone we “broke the mold” on Vulnerability Assessment and set a new standard for Vulnerability Management. Our competition soon followed and copied our product and messaging (down to ripping off a full paragraph from our Web site). But imitation is the sincerest form of flattery. I am really curious to see how our competition responds as we usher in a new era of vulnerability/risk management and compliance automation and smash the old paradigm once again. With over 60 million enterprise endpoints deployed that can take advantage of our technology, it will be “entertaining” to see how our competition tries to copy this one!

    George


  • Think you’re compliant? Can you prove it? Thursday, June 12, 2008 at 11:00 am by George Kurtz

    For years, enterprises have stretched their budgets and their IT staffs to comply with government regulations and created internal policies designed to protect customers and employees.  Myriad point products and proprietary standards have sprung up, prolonging and complicating the audit process. The question these companies must now ask themselves is “how can we prove to auditors that we’re compliant?”

    Managing IT risk and meeting a variety of compliance standards requires more than a patchwork of security technologies. Companies must adopt an optimized approach for efficient compliance management that combines enforcement of security policies with the ability to quickly audit and report on the effectiveness of those policies.  By moving to a central management console to deploy, manage and report on the compliance solutions, companies can greatly ease audit, legal discovery, or other regulatory processes.

    Last week McAfee announced two new offerings to help companies prove compliance with regulatory mandates and their own security policies. We believe these can reduce their time to compliance, provide greater protection of their assets, and reduce their costs.  By centralizing the management and enforcement of security policies, automating the assessment of security configuration controls, and proactively measuring results against policy, organizations can finally prove they’re doing what it takes to be compliant.

    George


The postings on this blog are the opinions of the individual posters and don’t necessarily represent McAfee’s position or opinion on this subject.
© 2009 McAfee, Inc. All rights reserved. E & O E