What is Scaring Businesses the Most? Spear-phishing. New Websense Security Labs Research
Posted: Tuesday, October 09, 2012 4:58 AM by Patrik Runald
Spear-phishing is a huge concern for today’s government and enterprises. While high profile attacks like last week’s spear-phishing attack against the White House and last year’s attack against Oak Ridge National Laboratory underscore...
EMEA Webcast: Seven Stages of Advanced Threats & Data Theft
Posted: Monday, September 10, 2012 7:59 AM by Spencer Parker
The seven stages hackers follow to steal data have been exposed! Traditional URL and AV defences are no longer effective in blocking targeted attacks. Cloud apps, mobility and remote users have all contributed to a growth in SSL traffic, which is a major...
10 New Defenses That Help Prevent Data Loss and Theft
Posted: Thursday, August 09, 2012 12:11 AM by Tom Clare

Last week we announced several new, important core security technologies that we added to our TRITON architecture. Websense ACE now includes 10 new defense innovations; seven are focused on outbound traffic to keep data theft and call-home communications contained, preventing theft or loss. Because so many of them are industry firsts, I wanted to take a moment to explain what many of these do and why we created them.

Truth is, the bad guys are stealing corporate data and avoiding detection using advanced techniques. In just the last year, we've seen key intellectual property and user identities stolen from corporations and government agencies, including some you would least expect, including entertainment (gaming) and security companies!

Below are a few examples of how cyber criminals are going undetected, stealing your IP, and how we can stop it from happening.

Webinar Wednesday: 7 Stages of Advanced Threats & Data Theft
Posted: Monday, August 06, 2012 10:18 PM by Tom Clare

Every day, organizations worldwide are targeted by data-stealing attacks. While these attacks have evolved in frequency and sophistication, many security defenses have failed to adapt. Old techniques don’t address containment against data theft and cybercrime call-home communications. The growing prevalence of cloud apps, along with increases in SSL traffic, mobility and remote users are also adding more blind spots to traditional defenses.

It’s imperative that we continue to stay up-to-date on the latest tactics and tricks. Join me this Wednesday, August 8, 2012 from 10 a.m. - 11 a.m. PT for a webinar on the seven stages of data theft. We’ll be covering each of these steps:

Reconnaissance - Targeted attackers access credentials and research online profiles, email IDs, org. chart information, hobbies and interests from social profiles to gain insight on their victims.

Lures - Designed to prey on human curiosity, web lures often link to videos or breaking news, while email lures are more business-focused on transaction and fake delivery notices.


Redirects - Users are usually directed to a survey, rogue antivirus offer or a fake web page where an exploit kit is waiting. Traditional redirects are injection attacks, while newer ones focus on social networking wall postings, fake plug-ins, fake certificates and heavily obfuscated JavaScript.


Exploit Kits - The exploit kit objective is like that of a sniper: take the shot with a malware dropper file only when an open door for tested vulnerabilities is found.


Dropper Files - This stage is what most people consider the focus of their forward-facing defenses: analyze every file that comes into the network for malware. The problem is dropper files use dynamic packers, so known signatures and patterns are not available.


Call-Home - This stage involves calling home for malware downloads and tools, and for sending back information, standard procedure for any successful online attack. The problem is that most defenses are only forward-facing and do not analyze the outbound traffic from infected systems.


Data Theft - This is what they are after. The ability to contain an attack and stop data theft raises many questions that we will address. Can your defenses detect password files leaving your network or the use of custom encryption on outbound files?

In addition, we’ll be covering: why current defenses are failing; today’s new security requirements; and the newest, bleeding edge advanced threat and data theft defenses to emerge thus far.

We look forward to having you join the webinar. Bring your questions and be ready to talk threats!

Black Hat Briefings & Exhibits: Day One...
Posted: Thursday, July 26, 2012 7:46 PM by Bob Hansmann

Time for Black Hat again! Day one is almost complete and I’ve seen some big themes.

There’s some of the usual. Vulnerability scanning and pen testing are definitely present and the topics of identifying and learning from data breaches are still big—especially around the area of SIEM. There are also some new developments. For example, more exhibitors are simply about education, including your typical certification schools, but general higher learning institutions, like the University of Maryland, are also here.

As usual, Black Hat USA is full of security vendors and their products, but there seem to be more ‘service’ offerings showcased this year. This may not be surprising to those who have heard analysts increasingly discuss the weaknesses assumed by an organization that is overly dependent on purely in-house resources.

Education, services and research tools are obviously taking center stage in the battle against cybercrime. All this focus on education is precisely why we’ve developed a few new tools and resources to help resource-strapped customers tap into the expertise of the Websense® Security Labs™ researchers.

Sometimes you need more than what you have on-hand—especially when you are dealing with highly advanced malware and complex data stealing attacks. That’s when you need an expert security researcher to help. Our Websense Security Labs have more than one hundred team members worldwide, hip-deep in the latest threats. The new Websense CyberSecurity Intelligence™ (CSI) services, announced today, help extend their expertise and educational benefits right into your organization.

Websense CSI services offer both online and 1:1 time with our researchers, through tools, training, in-person guidance and malware forensics.

All Websense CSI customers will have access to ThreatScope™, an online sandbox environment, to safely test potential malware. It uses our Websense Advanced Classification Engine (ACE) analytics to compile an extensive report of observed behavior on an uploaded file. Insights include the infection process; post-infection activities (such as calling home); system-level events and processes; registry changes and file modifications.

Think about it, Black Hat USA only comes around once a year, but every day needs to be about education in the security field. Websense CSI services can be an extension of your learning process—giving you access to our researchers and the necessary tools to help you become more educated on the threats of today.

If you could study one aspect of today’s threats, what would you dive into?

Malware Traditions on Fire: What you need to know about Flame
Posted: Wednesday, May 30, 2012 11:13 PM by Patrik Runald

Yesterday we posted about a new strain of highly advanced malware (APT), dubbed Flame. It is potentially the most advanced malware to date, at least in terms of functionality combined with the ability to stay hidden over a long period of time. It’s also unusually large (20 MB), whereas most attacks contain small files (under 1 MB). The file is so large because it incorporates a broad set of capabilities including recording audio, taking screenshots, compiling a list of nearby Bluetooth devices, and more. It even includes some rare techniques not commonly found in malware, such as using the Lua scripting language for some of its functions. The primary function of Flame is to...

Websense Security Survey: IT Stresses as Data Breaches Put Jobs on the Line
Posted: Thursday, October 20, 2011 3:59 AM by Matthew Mors

IT managers feel that getting a divorce or losing their job is less stressful than looking after company confidential data

SAN DIEGO—October 20, 2011 How are IT managers coping with today’s fast-changing threat landscape? Are they properly protected against the latest data-stealing malware? And would employees report if they compromised corporate data? To find out these answers and more, Websense, Inc. (NASDAQ: WBSN), a global leader in content security and data theft protection, commissioned independent research firm Dynamic Markets to survey 1,000 IT managers and 1,000 non-IT employees in the U.S., UK, Canada, and Australia about the latest threats to corporate and personal security, including modern malware and advanced persistent threats (APTs).

The research reveals that serious data breaches have occurred compromising CEO and other executives’ data, confidential customer data, and data necessary for regulatory compliance. IT managers are feeling the pressure and saying that data loss incidents put their jobs on the line and that the stress of managing their company confidential data is greater than divorce, managing personal debt, or a minor car accident. But help is on the horizon as headline-grabbing security incidents have promoted data security talks amongst top management and have driven focus on security, including the need for additional budget. Click here to download the full report entitled Security Pros & ‘Cons’: IT professionals on confidence, confidential data, and today’s cyber-cons.

CSO on the Road: Why Your Security Strategy Needs to Change
Posted: Saturday, September 10, 2011 6:43 AM by Jason Clark

In my last post I discussed a push toward a more unified security strategy within the public and private sector. Today, I want to discuss why companies need to change their security strategy to stay ahead of the threats they face. This topic was something that came up a lot last week at the Austin NG security summit.

Ten years ago a great security program consisted of anti-virus, IDS, and firewalls – but now those protections have lost their effectiveness. Unfortunately, those three outdated security technologies now make up a huge portion of InfoSec spend. And the remaining small pittance is allocated to deal with the most advanced threats we have seen. Doesn’t seem like a fair fight does it?

Research from Ponemon says 90 percent of all companies have been compromised in the last year. Many were targets of advanced malware that compromised web and email channels. Traditional signature-based security measures DO NOT catch these threats. They are too complex and change too fast for those old security measures to keep up.

Compound that with the fact that IT security is now on the CEO’s radar and the board is asking questions about security strategy. I’ve spoken to hundreds of CISOs and CSOs over the last year and the recent data breach headlines are catching their attention. More than ever the IT team is being asked: What is our current risk posture? How do we reduce risk? What is our situation? Are we going to be compromised? What is our strategy? This is our chance. Using this momentum and interest we must change the way we operate and the way executives think about security programs.

The first step is acknowledgement: You have to realize that at some point you will be compromised and the bad guys will get in. It’s not a matter of IF an APT or a targeted attack will strike; it’s a matter of WHEN. There is no silver bullet. 

But, all is not lost! Once you’ve accepted this, the next step is to begin to change the way you plan. You need to be able to get the tools in place to be able to communicate to executives:  

“I am going to prevent X amount of attacks. And of the guys that get in, I’m going to know in X amount of time, and I will have them contained in X amount of time. We can significantly reduce the probability that they will be able to access our most important data.” Make sure you have the technology, people, and processes to back up your claims.

This is the new strategy we have to adopt and share. In the next blog, I’ll share the successful strategies I’ve seen from some of the best organizations and CSOs who have adopted this approach. We’ll look at the most common entry and exit points of attacks and how these successful CSOs are focusing their technology investments in those areas.

In the meantime, how many of you have had conversations with your executive team about your security posture? Has this increased in frequency in the last year? Let me know in the comments below.

New research: the "malware adoption lifecycle"
Posted: Wednesday, August 24, 2011 8:21 AM by Patrik Runald

The media is buzzing with stories of state-sponsored hacking and so-called advanced persistent threats, as well as high-profile data-theft attacks by cybercriminals. So what does this mean to everyday business owners and managers, companies that aren’t defense contractors or giant corporations?

It means watch out. The wildly successful techniques used in state-sponsored attacks are moving down a malware adoption lifecycle. Yesterday’s million-dollar, well-planned, high-profile attack quickly becomes a $25 exploit kit available online to armies of low-level hackers.

This is phase two of advanced threats. This army of profit-driven hackers is using the same advanced techniques to steal any data that they can get their hands on to sell, fence or ransom. No one is safe, because traditional defenses don’t work against advanced malware. And the cybercriminals are targeting every kind and size of business.

This is the part of the story that people need to hear: While the big-name breaches get the headlines, too many companies get lulled into a false sense of security thinking that they are safe because they don’t have state secrets. Our research shows how the advanced techniques used in APT attacks move downstream. From state-sponsored groups, to criminal gangs, and ultimately to individual hackers—they are hitting any business with anything of value. Because that’s where the money is. And it’s easy pickings because their antivirus software is defenseless against these advanced methods. Here’s how we see the malware adoption lifecycle playing out in the wild: 

CSO on the Road: Pentagon: Cyberspace is the New U.S. War Domain
Posted: Thursday, July 21, 2011 5:50 AM by Jason Clark

I’ve been on the road quite a bit and have collected a lot of good information that I want to share with you all. Most of what’s been attracting my attention is the recent crop of targeted attacks. For every one you hear about in the news, another 50 occur behind the scenes. I’ve spent a lot of time working with CIOs and CISOs to help them develop a strategy to protect against these threats.

One place where targeted attacks were a huge topic of conversation was at the U.S. Security Confab event that I attended last week. It’s hosted annually by my friends Jerry Archer, CISO Sallie Mae, Dave Cullinane, CISO EBAY, and Bob Bragdon, Publisher CSO Magazine. If you have never attended I highly recommend it (as if you needed an excuse to spend a week in California). It’s one of the best security conferences in the world.

APTs, targeted attacks, and advanced malware were the common threads that permeated the majority of the presentations. The resounding theme was also the lack of shared strategy and organization within the security community against our common enemy – cybercriminals. Right now when one of us is attacked we share the information upstream with the government, but we fail to turn that into any real, viable intelligence for the private sector. Don’t you think it would be helpful if we had a standardized way to share the intelligence in a standard format that details the “who” and the “how” of the attack? And I’m not just talking about U.S. here; this could be global as well. In this scenario, thousands of companies would be protected instantaneously when one of us learns of a new cyber threat.

Recently, we took a step in the right direction when the Pentagon announced that cyber space is a new battleground. A cyberspace attack on U.S. assets is now considered equal to an attack occurring on U.S. soil. At the same time Department of Defense Secretary, William J. Lynn III acknowledged the need for cooperation. He said:

“Strong partnerships with other U.S. government departments and agencies, the private sector and foreign nations are crucial. Our success in cyberspace depends on a robust public/private partnership. The defense of the military will matter little unless our civilian critical infrastructure is also able to withstand attacks.”

This is a great step, but we must continue to organize within the security community, since the bad guys are already organized and many of us stand on our own. Click here to read more about the Pentagon news. 

This week I am attending the Austin NG security summit, so next week I will be talking about successful strategies to protect against APTs and targeted attacks as well as any great insights from the Austin summit. In the meantime, let me know if you have any questions.

Shutting the Door on Data Theft - Upcoming Webinar
Posted: Tuesday, July 19, 2011 7:06 PM by Patrik Runald

A while back it seemed like you just had to worry about foreign governments or competitors going after your IP, and cybercriminals stealing your money. As if that weren’t bad enough, now all of a sudden it’s cool to be a hacker again? Media notoriety elevates the atmosphere around the black, white, and grey hat communities.

So now, hordes of pro and semi-pros are armed with the same arsenal of tools and exploits. I’ve heard that breaches run in the hundreds of dollars per record, but if it is your IP stolen – the fundamental ingredients that make your business what it is, the pain can be even greater.

So, how do they do it? These bad guys are creating code that knows where your weaknesses are and searches out your most valuable data. They use combinations of email and web tactics, gain a foothold in your system and then have almost free rein to exfiltrate any data they think they can monetize.

How easy is it to evade detection? Well, John Strand just posted an excellent article about how to bypass AV on Pauldotcom. I think it’s almost recommended reading for anyone protecting a network.

In addition – tomorrow I’m going to be hosting a Webinar on some of our research on attacks, attack types and how you can stay ahead in the game. It’s a dog eat dog world out there, and there is a lot at stake. Join me and we’ll talk it through. You can register for the webinar here: https://connect.websense.com/e15206815/event/event_info.html

I look forward to sharing with you.

APTs Part 3: Know Your Enemy
Posted: Wednesday, July 06, 2011 4:30 PM by Patrick Murray

In the first two installments in this series, I talked about getting rid of the FUD around APTs and why they should matter to you, even if you aren’t a government agency, or one of the biggest companies on earth. Now let’s get down to the controversy that is consuming a lot of bandwidth in security circles: What is an APT and how is it any different from older malware attacks out there like botnets, blended attacks, and standard binary-based viruses? So much is written about the topic, yet many people don’t really understand it and are just rehashing an old topic under a new name.

The jaded folks in the security community say that all of the talk about APTs is FUD because true APTs are very few and far between. I beg to differ. I’d say that the APT buzz is not Fear, Uncertainty, and Doubt but rather Fear, Certainty, and Damage.

Let’s start with what makes a “true” APT (all examples are real)...

The Cybercrime ‘Five’ Part Five: Cyber Soldiers
Posted: Tuesday, June 28, 2011 6:32 AM by Carl Leonard

Who: This is nation-state activity to penetrate another nation's or corporation's computers or networks for the purposes of causing damage, disruption or exploitation, with an endgame objective of disabling an opponent's military capability or stealing important source code to increase their own power. These guys are the special forces of the threat landscape: super-skilled, buzz-cut, clean-shaven expert hackers. You’d never know who they were, however, because if I told you I’d have to kill you.

Why: Cyber Warfare has been described as the fifth domain of warfare, with the Pentagon formally recognizing cyberspace to be just as critical to military operations as land, sea, air and space. It is reported that at least 100 countries have been developing ways to use the Internet as a weapon and target financial markets, government computer systems and utilities. Cyber Soldiers may operate as APT (advanced persistent threat) or corporate spies at times, but everything they learn is geared toward a specific nationalist objective.

What: Stuxnet is a great example of this attack method, a textbook case of an APT. The worm was discovered in July 2010 and is the first specialized complex malware to only target industrial software. It was aimed at compromising the Iranian nuclear program and is believed to be the work of a well-funded group of 5-10 people over 6 months. Speculation: only a nation state has these capabilities.

The Cybercrime ‘Five’ Part Four: Heavyweight Ninja
Posted: Thursday, June 16, 2011 3:55 PM by Carl Leonard

Who: These are the heavyweights of the cybercriminal world. Corporate attack and espionage is a stealthy, organised, funded activity by professional agents operating rather like the legitimate companies they hope to steal from. The worker bees are usually found beavering away with state of the art computing equipment, multiple monitors and the blinds well drawn. While the big cheeses are well connected individuals with fingers in pies and eyes firmly on the ball. Together they make a formidable team.

Why: Big Bucks. These guys are out to target company confidential data which can then be sold on to the highest bidder. There are two distinct categories within this group; one aiming long term using Advanced Persistent Threats (APT) and the other group more focused on short- to midterm financial gains.

What: The APT attack nicknamed Operation Aurora in 2009/2010 was aimed at US high tech companies including Google and Adobe. It was thought to originate in China with speculation of Government involvement. Aurora exploited a zero-day vulnerability in Internet Explorer with a goal to steal IP and modify source code.

APTs from FUD to Fact Part 2: Why Should I Care?
Posted: Friday, June 10, 2011 4:33 PM by Patrick Murray

Alan commented on the initial APT post: “I hope you don't spew marketing hyperbole else this will turn dull rapidly.” Don’t worry. We are going to stick to the facts. In this piece, I want to separate from the buzz around these attacks and talk about why you should care.

We’ve heard from a lot of executives, “What should we do about APTs?” There is a high level of concern from large organizations with serious IP (like source code) that they know others will try to get. But there’s also a large group that thinks, “I’m a $10M manufacturing company, in Ohio. I don’t think Chinese or North Korean hackers are going to be knocking on my door anytime soon.”

And, they are right.
Websense Positioned as a Leader in Magic Quadrant for Secure Web Gateway
Posted: Wednesday, June 08, 2011 3:00 AM by Patricia Hogan

Websense also positioned as a leader in the Magic Quadrant for Content-Aware Data Loss Prevention

SAN DIEGO, June 8, 2011 - In 2010, 52 percent of data-stealing attacks were conducted over the web(i) and 2011 doesn't look any safer. To stop targeted attacks and advanced persistent threats (APTs), organizations need new security strategies. Their content security needs to examine, in real time, the substance of each website and email. Traditional endpoint and network security products are no longer sufficient. That's why Websense, Inc. (NASDAQ: WBSN) developed the TRITON™ solution, including the Websense® Web Security Gateway. And today, Websense announced that Gartner, Inc. has positioned Websense as a leader in its recently released "Magic Quadrant for Secure Web Gateway."(ii)

Advanced Persistent Threats: From FUD to Fact
Posted: Thursday, June 02, 2011 12:01 AM by Patrick Murray

If you are like me, you’ve seen and heard plenty about Advanced Persistent Threats (APTs) this year. It’s the new hot-button term. So popular that everyone has their own definition.

FUD continues to cloud the discussion we should be having. So we are starting a series of posts to separate the fact from fiction and to really nail what you should be concerned about. We will:

- Define what APTs are (and aren’t)

- Examine attacks from a research/technical perspective

- Discuss who should care and what you should do about it

- Talk about why most of today's security technologies aren't stopping these attacks

- Explain the malware technology adoption lifecycle (the dynamic missing from most discussions)

Websense Security Labs has been on the forefront of examining APTs in the wild and has charted the emergence of these exploits. We’ll explain why high-profile attacks seem to work so effortlessly. And we’ll discuss the ongoing evolution of APTs: from government/nationalistic targets to organized criminal gangs and soon individual hackers.

I encourage you to join our June 8 webcast on APTs. It’s being hosted by Patrik Runald, one of our senior security research managers.

Let’s skip the APT hype and FUD. Let’s use real-world examples to talk about what matters most to you.

In the meantime, I have my own question: how many of you have been approached by senior management with any questions about big data breaches, like, “Hey, I saw the news about (insert company) losing company data. What are we doing to avoid that?” What did you say?

How To: Use the Magic Quadrant & Get CEO Buy In
Posted: Wednesday, June 01, 2011 11:10 PM by Patrick Murray

We all know how hard it has been to get budget money over the last few years. You identify a problem, you evaluate solutions, and you know what you need to do. Then you hit a roadblock. You need a signature from someone who doesn’t know what you know, so you start looking for evidence that supports your recommendation.

I am very excited to give you some great new evidence. This will support your decision to use Websense to close the holes in your current security that web-based threats can come in through (and also prevent resulting data theft).

Gartner is the leading IT consultancy in the world, and they have named Websense a leader in the Gartner Magic Quadrant for Secure Web Gateway.

This report helps give you the third-party validation that you need to avoid being the next data breach headline. You can download a copy of the report here. For more information, try contacting Websense or one of our resellers. 

What other tools are you using to wake up management to the threats and to get your project funded and fast-tracked?

Where in the World is Jason Clark? CSO on the Road
Posted: Tuesday, April 26, 2011 12:12 AM by Jason Clark

As Chief Security and Strategy Officer for Websense my calendar is filled with customer visits, events, and meetings in different cities each month. All the time spent on planes also allows me to catch up on my reading and keep up with the latest trends and topics in the security world. While I may not have quite as many airline miles as George Clooney in Up in the Air, I like to think I am getting close. What I would like to do in this blog is share the knowledge I gain each month surrounding new insights or particularly interesting talks I have with top security executives, creating the opportunity for everyone to benefit from my travels (without the lost luggage).

If you are an IT executive, leverage me to help you with the changing landscape of IT Infrastructure and Security. My role is to listen to your needs and help you develop strong security strategies. Then I bring these needs back to Websense so that we are always on top of the latest trends and always listening to our customers and what they want out of a security solution. I also spend a significant amount of time helping CISOs develop strategies in my five areas of expertise:

Everything is APT – or it isn’t?
Posted: Wednesday, March 30, 2011 7:07 PM by Patrik Runald

In the wake of recent cyber attacks on Canadian and French government officials, recent data breaches at big corporations and recent news about a cyber attack of elements of the European Union, the term Advanced Persistent Threat is back in the headlines of many publications. So were these recent attacks APTs?

Whether you call it APT, targeted attack or spear-phishing is simply a matter of semantics, and REALLY doesn’t matter if you are the one under attack.
