Archive for the ‘MFE’ Tag

What did the Infoworld survey on whitelisting not cover?

The InfoWorld (IW) survey methodology was to watch a demo of each product, conducted by the vendor over WebEx, and to interview the vendor over the phone. While we appreciate the opportunity to participate in the survey, that methodology limited what could be considered.

There were three important aspects that were not covered:

1. Security offered by the solution
2. Security of the cloud offering
3. Deployment and management versus demoability

Let us examine these one by one.

Security offered by the solution

First, let's explore how easy the solution is to bypass. For example:

• Take Bit9, which does not offer memory protection; this means that a simple buffer overflow exploit will bypass the whitelisting solution.
• Or take script authentication, i.e. the ability to whitelist scripts, Java, etc. If a solution does not offer this, you can run a script on the system and completely bypass the protection.
• Or take protection of kernel components. If the solution does not whitelist kernel drivers and components, you can bypass the solution simply by inserting a driver into the system.
• Can executables be whitelisted from a network share (required for most Windows Active Directory based deployments)?

Whitelisting is fundamentally different from blacklisting, in the sense that the whitelist needs to be complete for the system to function. Thus if you don't have coverage for a particular type of executable, the solution is easily compromised. While the report mentions that MFE Application Control is the only solution which offers scripting and buffer overflow protection, it fails to highlight that coverage is not a feature; it is essential for security!

The other aspect which was not covered by the survey was self-integrity, i.e. protection of the system itself. If the solution becomes popular, how well does it withstand targeted attacks on itself? Can ill-intentioned administrators bypass the system?

As several of our customers have found out for themselves, the protection from our competitors is easily bypassed.

Security of the Cloud Offering

The assumption behind the report and several other reports is: "If it's in the Bit9 cloud, it's good". There are several things to point out here:

• The cloud can only cover off-the-shelf binaries (script coverage is very sketchy). It doesn't cover any custom software, which is a large part of most enterprises.

• Secondly, by shifting the problem to the cloud, one has to ask how the cloud information is constructed and how safe it is from poisoning.

As discussed in the previous section, most of these solutions don't cover scripts, so the cloud offerings are only for binaries, and only for off-the-shelf binaries at that.

Let us focus on the second aspect. How secure is the cloud? Take Bit9 for example: they claim to have 7.5B files in the cloud. Who checked that these are from valid sources? Were most of these collected by crawling the web? If it's on CNET, is it secure? If it's on download.com, is it secure? Who checks whether it's secure? Has this function been outsourced to a country in Eastern Europe or Asia? Were 7.5B files verified?

Neil MacDonald at Gartner has an interesting blog article and discussion on the same topic: http://blogs.gartner.com/neil_macdonald/2009/03/31/will-whitelisting-eliminate-the-need-for-antivirus/

If you look at MFE cloud technology, it has several dimensions along which the analysis is done. In addition, it talks directly to publishers to ensure that the quality of data in the cloud is pristine. Most small vendors like Bit9 just don't see enough data (domain registrations, spam addresses, firewall rules, endpoints pinging back, SiteAdvisor) to have enough dimensions to correlate and produce high-quality data.

MFE Application Control will be integrated with the MFE Cloud. This was already demonstrated at FOCUS '09 and is on the short-term roadmap.

Deployment and Manageability vs Demoability

As with most lab surveys, this one does not cover the manageability and deployability of the solution:

• Can it scale to hundreds of thousands of desktops/servers?
• What are the breakage/failure rates?
• How much does it cost to operate and maintain?

Can it scale to hundreds of thousands of desktops? Most people who are familiar with ePO will understand that deploying at those scales is a very different ball game. You can't keep 100,000 TCP connections open to your management server; most boxes will die at 4,000 open TCP connections. You have to deal with reporting and event floods at that scale.

MFE Application Control is fully integrated into ePO, and that is a BIG win. It uses the ePO plumbing to achieve scalability. The management architectures of the competitors will, by design, fail to scale to such numbers.

At one point in the report there is a mention of the memory protection provided by CoreTrace. Again, memory protection is an interesting concept, but most solutions require tuning to make it work. So the question to ask is: on what percentage of your systems will it work? And the feature of killing a running process when a buffer overflow is detected: is it a good-looking demo? But what are the failure rates, i.e. false positives and false negatives?

How much does it cost to operate and maintain? Whitelisting is not a new concept. The problem has always been the management of the whitelist. MFE Application Control has a lot of investment and features which dramatically reduce this cost and make it a viable solution for enterprises.

Summary

The InfoWorld survey has evaluated some aspects of the solutions, but in my opinion has not covered three very important topics: how secure is the solution, how secure is the cloud, and how deployable is the solution?

These are top of mind for every customer and should be included in any evaluation or comparison. As we have demonstrated several times in the field, MFE Application Control stands out as #1 as a deployable high security solution.

AppLocker and App-V

Interesting article on brianmadden.com about using AppLocker as a licence enforcement mechanism:

http://www.brianmadden.com/blogs/timmangan/archive/2009/10/29/AppV-and-AppLocker.aspx

App-V and other technologies like it create breakage. The question is how much breakage, and how easy it is to fix. The answers to those questions determine whether it is a tool for developers, something that consulting houses can do, or something an IT admin can do.

What has this got to do with security, you ask? Well, the answer to that question determines how much lockdown you can do with AppLocker.

If there is a lot of downstream customization, it becomes hard to use AppLocker. The challenge in whitelisting is not the enforcement mechanism, but the configuration of the whitelist: its coverage and maintenance.

Over the years the wrapping of apps by App-V has improved. There is better handling of things like WinZip (which broke because it registered a shell extension) or apps which require a service. But in general, apps which have multiple processes communicating with each other and/or a service are still very challenging.

Citrix has had this problem for a long time as well. So if you are the developer of the app you can fix this, but doing it in the field, and for complex applications, is not only tough but also complex. Then making a whitelist for it is challenging.

Another difference between whitelisting for security and whitelisting for licensing is that for security the whitelist needs to be complete. Imagine you missed some drivers from the whitelist: your machine won't even boot.

But for licensing you are using the WL as an access control mechanism, which is very different. For example, you can say that the WL applies only to App-V apps; that's not security, but licensing.

We should keep the two separate.
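The coverage point made above (a security whitelist must cover every executable type, scripts and DLLs included, while a licensing whitelist can be scoped to one set of apps) can be checked on an AppLocker policy. The script below is an added example, not code from the original post or from either vendor; it assumes a Windows host with the AppLocker PowerShell module and a previously exported policy at the placeholder path C:\Audit\policy.xml.

```powershell
# Added example (not from the original post): audit an AppLocker policy for
# coverage gaps. Assumes the AppLocker module is present and that
# C:\Audit\policy.xml (placeholder path) is an exported AppLocker policy.
Import-Module AppLocker

$policyXml = 'C:\Audit\policy.xml'        # placeholder: exported AppLocker policy
$scanDirs  = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'

# 1. Which rule collections does the policy configure at all?
#    A security whitelist needs Exe, Dll, Script and Msi; a licensing
#    whitelist scoped to App-V may get away with Exe alone.
[xml]$policy = Get-Content -Path $policyXml
$configured = @{}
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $configured[$rc.Type] = $rc.EnforcementMode
}
foreach ($type in 'Exe', 'Dll', 'Script', 'Msi') {
    $mode = if ($configured.ContainsKey($type)) { $configured[$type] } else { 'MISSING' }
    '{0,-7} collection: {1}' -f $type, $mode
}

# 2. Which files already on disk does the policy fail to address?
#    'DeniedByDefault' means no rule matched, i.e. a whitelist gap rather
#    than a deliberate block; in enforce mode these would simply stop running.
$paths = Get-ChildItem -Path $scanDirs -Recurse -File -ErrorAction SilentlyContinue `
             -Include *.exe, *.dll, *.msi, *.ps1, *.bat, *.cmd, *.vbs, *.js |
         Select-Object -ExpandProperty FullName

$gaps = Test-AppLockerPolicy -XmlPolicy $policyXml -Path $paths -User Everyone |
        Where-Object { $_.PolicyDecision -eq 'DeniedByDefault' }

'{0} of {1} files have no matching rule' -f @($gaps).Count, @($paths).Count

# Break the gaps down by extension so script and DLL coverage holes stand out.
$gaps | Group-Object { [IO.Path]::GetExtension($_.FilePath).ToLower() } |
        Sort-Object Count -Descending |
        Format-Table Name, Count -AutoSize
```

Run it against a policy in audit-only mode first; a large DeniedByDefault count for .ps1 or .dll files is exactly the "coverage is not a feature" problem from the survey discussion.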

People using BlackBerry as a chick magnet: "Oh! That Mr Powell on the BlackBerry"

Some nuggets...

Hard to change brainware: hardware and software is easy

Update after every transaction, not based on calendar

If you left it up to the TSA, no one would get onto planes

One button to talk to all the generals in gulf war

Balance between threats and vulnerabilities and organizational efficiency

Leader knew reality of the situation and acted on it

Gorbachev: openness and restructuring

Information is bringing the world together, we need to make sure that faith in the information continues.

Creation of wealth: get people up from the poverty line

Energy, Water and Environment

Who we are and what we are in America?

Japanese businessman, when asked what his favourite city is: Why NY?
"It's the only city where, when I am walking down the street, they ask me for directions."

Hope, Open dreams and Opportunity

Nation of nations

DDW and Colin Powell Keynote Focus 09

David Milam, CMO, giving an overview of the conference. Lots of presentations from customers. Going over logistics.

DDW runs up to the stage...

History of human protection: cows, eggs, homes, houses, castles, ships... Now protection of the cyber world. First virus in 1986. Now it is time to protect online assets.

Attack sophistication is going through the roof.

Malware: 500 percent up last year
80% to steal money
20% for disruption
25K samples a day

Web: 1.5 M web sites a month
DNS attacks
Cross Site Scripting
Defacing

Network: 400K zombies a day
Conficker/Korea
Critical Infrastructure

Data: 1 trillion a year
Autorun.exe
Usb and phones
Compliance

Email: spam=malware
Up 10% a year
Spear phishing
New protocols

MFE Strategy:
Multi-layer defense, multi-correlated defence, real time visibility

Security at every layer: chip, OS, virtual, USB sticks

Solution Stack:
EPO
Endpoint: greatly expanded coverage of platform (Solidcore)
Network
Data Center
Extended Supply Chain
Across networks

Interlocked
Outside Threat
Inside Threat: 99% of data theft
Malicious insiders who come to steal

Intelligence Integration
The cloud and intelligence
30M users connected constantly to the cloud
More than a million appliances talking to the cloud
Application intelligence (solidcore, known good) whitelisting is key for this intelligence
Open invitation to develop intelligence

SIA partner program
Common agents, reports, policy, dashboards
Different vectors talking to each other
Partner eco-system: correlating different vectors

Real time visibility

George Kurtz, CTO of MFE
Presenting a demo of McAfee Risk Advisor (awesome product)

Why does this matter:
Money, reputation, brand -> action

MFE has grown from an AV company to a Security Company

Security and Virtualization

We had an informal session with MFE's largest customers in the Bay Area to discuss the MFE roadmap for securing virtual environments.

It was a small room but it was packed. Here are some of the interesting topics which were discussed:

- How can we prevent scheduled A/V scans and DAT updates from overwhelming a physical host?

- Why do I need to do anything different from what we have today?

- I am going to flatten my network using Cisco Nexus-V. All links, external and internal, will connect to the ESX layer, and then I need policy from a security perspective to say which VMs can be on which network.

- Can you support the upcoming MFE solutions in a MED-V environment? We are also going to use App-V for the Win7 migration. Win7 will be 64-bit, with the XP images being 32-bit.

- Are we going to price this per hypervisor or per host?

My Mom switched to Microsoft Essentials

I first heard about the MSFT security launch at dinner from my Mom; she had installed it on her laptop.

I asked "already?".

Today several people in the hallway at work were talking about it (I work at McAfee), and there were emails flying around. It was very interesting to hear/read: people said the detection is not good, MS should stick to their business, people won't trust MS... our business is safe.

I was like hmm... my mom switched. Maybe I am new to MFE and have not drunk the Kool-Aid. Then another, completely unrelated thought struck me, about my Mom's practice (she is an OBGYN).

“People will switch because they don’t know the difference”

In my mom's practice she tries really hard to make sure her patients don't have a C-section. Many of her students, on the other hand, advise their patients to have one by default (doctors make more money when you have a C-section). I heard this as a kid growing up. Then one day, while waiting for my mom at her clinic, I heard two expectant mothers talking:

“I really like that doctor. My first delivery was so painless. I picked an auspicious date, went in, they were ready for me. No labor pains, anesthesia, when I woke up baby was there, I was home 2 days later and walking in a week. All my colleagues tell me they went through enormous pain, I just don’t get it”

I said "wow". Look at it from her point of view: no rush, scheduled delivery, no pain; she doesn't know the difference between what is good or bad for her down the road.

As I was hearing these folks at work, it was déjà vu. They don't get it: most consumers can't make out the difference.

From their perspective, it's free, it does not slow down the system, and it is from a respectable company, Microsoft. They get spyware with MFE or SYMC or AVG. They will get some with MSFT; it's not something in their control or something they care about.

Fascinating to watch at home and work. Who will get it right? What does the consumer really care about?

Solidcore FIM with ePO is in the works...

I heard from a couple of customers that they had heard from our competitors that non-security products from Solidcore will not be supported by MFE going forward. This is completely UNTRUE.

We are busy integrating our FIM (file integrity monitoring) into ePO. This will be a 100% integration and will make it very easy for all MFE customers to use FIM with ePO to meet their compliance requirements.

We will release a technology preview of this capability soon for all to see and play with. In addition to the real-time FIM that Solidcore offered earlier, you will now have the power of ePO and integration with other reporting and search, giving you a one-stop compliance, risk and security dashboard.

If you would like an early release feel free to contact me.

Symantec versus McAfee

Great Article

http://harbor.typepad.com/analysis/2009/07/symantec-vs-mcafee.html
Symantec (SYMC) and McAfee (MFE) are software companies known best by consumers for their antivirus packages. Symantec is the market leader in almost every segment it operates in, whereas McAfee is generally number two. Partly due to recent strong revenue growth and partly due to an aggressive marketing strategy to get its software installed on computers by the original equipment manufacturer, McAfee shares are trading at about twice the earnings multiple of Symantec. Given that Symantec has historically outperformed McAfee, McAfee's strategy is risky, and the current valuation implies that McAfee will outperform even beyond the horizon visible to analysts, I see an interesting long/short opportunity.

Overview of Thesis

SYMC and MFE are nearly identical companies, with the primary difference being that Symantec is larger and involved in data storage, management, and backup. The key short-term strategic difference is in growth strategy. A few years ago, SYMC seemingly choked on the acquisition of Veritas, a large data storage and management company, but they have since been able to integrate Veritas into a coherent Symantec. During this integration process, McAfee has been able to gain market share by bundling software into easily used suites for consumers and small businesses, a trend SYMC missed in 2006. MFE is now attempting to steal market share from SYMC by entering into agreements to have a free trial of MFE software pre-installed on PCs. While management and many analysts are optimistic that this will produce strong results, the long-term benefits are limited. The average user that pays for antivirus software after a free-trial period remains a customer for approximately three years. If SYMC decides they are losing valuable market share to MFE's OEM strategy, they can simply compete by offering OEMs an equal or better deal than that offered by MFE. Oligopolies naturally form for a reason, and number two players generally don't have much success waging turf wars against the number one players by spending more money on distribution. MFE doesn't have any sort of a long-term competitive advantage with the OEM strategy. However, SYMC has an established data storage and management business that offers something unique to customers and will take a while for competitors such as MFE to duplicate.

Analysts’ forecasts for revenue growth from 2008 to 2010, according to Bloomberg, are 29% for MFE (65% earnings growth), and 4% for SYMC (22% earnings growth). This leaves MFE trading at 23x 2010 earnings, compared to 14x 2010 earnings for SYMC, indicating that either McAfee will outperform well beyond the horizon visible to analysts or they will grow earnings by more than 65% over the next two years and maintain it.

To read more: http://harbor.typepad.com/analysis/2009/07/symantec-vs-mcafee.html