Endpoint Security

Heimdal Security logoHow would your customers feel if they had a Norse warrior stopping malware from reaching their endpoints? Meet Denmark’s Heimdal Security.

In days of old, the sight of Vikings on the horizon was enough to turn decent peasants’ blood to ice.

But the marauding Danes are now playing poacher-turned-gamekeeper – at least in IT security terms.

Because instead of being the threat, they’re now stopping the threats before they make landfall. (Or, at least, before they reach your customers’ endpoints!)

This is what our newest vendor partner Heimdal Security sees as its killer battle cry when compared to traditional endpoint security. And here’s why malware needs to be very afraid of it.

From last-ditch to proactive: endpoint protection transformed

“Form square and stick out your spears” – that’s basically the traditional approach to endpoint protection. Once the problem has hit the machine, the security software rings the panic bell, musters the garrison, and mounts a defence.

We Brits tried that against the (real) Vikings. It didn’t work.

But if we could have spotted their boats as they cast off – or, even better, seen activity on the quayside that indicated an attack being prepared – we could have taken proactive action against them before they reached Blighty.

This is exactly what Heimdal does. Instead of looking at application code and signatures in files that have already entered the endpoint, to work out if there’s a threat, it looks at the undercurrents in the ‘sea’ of network and internet traffic entering and leaving your customers’ businesses, to detect danger before it surfaces.

Rather cleverly, though, this isn’t just about identifying when users are being taken to places they shouldn’t be sailing towards – e.g. malicious websites – and blocking the connection to them before it’s made (although this is certainly important, as we explore below).

It’s also about using advanced machine-learning, heuristics and network forensics to detect apparently harmless network file ‘plankton’ that is in fact fodder for a coming malware attack.

Traditional security protects an endpoint with a last-ditch defence. Heimdal protects it by turning the entire network into a shield wall.

Which one are you betting your krone on?

Multi Layered Security Graphic
Conventional endpoint security is typically missing the traffic-based anti-malware protection that Heimdal delivers.

“Probably the best malware protection in the world…”

The famous Danish beer ad is tongue in cheek. But there’s a serious point to be made here about the strains of malware that Heimdal can protect against that many other security solutions simply can’t.

Take ransomware, for example. Traditional endpoint security looks for malicious code within files, but a ransomware-triggering hyperlink, or instruction to connect to a website, is neither a file nor, in itself, an inherently malicious piece of code. So, the endpoint security software doesn’t spot it.

But Heimdal is looking at the network, not the endpoint. It detects and blocks the malicious connections (to malvertising, legitimate but compromised web banners, malicious iFrames and redirects, botnets etc.) that signal an intention to activate or propagate attack strains like APTs, ransomware, Trojans, polymorphic malware and others.

In short, Heimdal gets stuck into the melee long before the blunt old endpoint battle-axe can!

Automatic software updates: that’s 85% of web app attacks defeated!

Exploit kits and other threats that exploit programs’ existing security weaknesses are a huge worry for traditional endpoint security vendors, because these weaknesses often exist at a lower level than that at which the security solutions operate.

Consequently, exploits can slip underneath the endpoint radar (the bad guys must feel like they’ve died and gone to Valhalla!)

They’re a huge worry for your customers, too, given that some 85% of web app attacks (like the kind that typically trigger ransomware and steal personal financial data) take hold of endpoints through an existing unpatched security hole of this kind.

But here, Heimdal have put a real edge on their sword. They have coupled their network traffic analysis with an automatic software update tool, to ensure that your customers’ internet-facing and non-internet-facing apps  – from Acrobat to Audacity, Flash to Firefox, Java to Jitsi, and many others besides – are constantly and automatically updated with the latest security fixes and patches, thus denying exploit kits an entry point.

The most security-critical applications are often those that are not concerned with security at all – how’s that for a typically innovative Scandinavian way of looking at a problem?

Why Heimdal
“Proactive” is a word you’ll hear a lot from Heimdal – and the automatic patching capability that embodies it is a good third of the company’s overall value proposition. (Click to enlarge)

Heimdal: the new word in security

Bloodthirsty or not, the Vikings gave their name to some very beneficial concepts. The word ‘law’ comes into English from their language, for example – and from where we’re sitting it looks like they’ve done it again with ‘Heimdal’!

(Loosely translated, we think the name means: “Stop the thing that’s trying to attack the longboat before it reaches the longboat.” Genius.)

Time some of your customers learnt some Danish, perhaps?

Failing to correctly configure your security solutions is one of the biggest risks to you and your customers. Security health checks can prevent it.

So, you’ve got your customers’ security covered from all angles, right?

Layered protection that shares security intelligence across applications. Endpoint security that spots malware traditional anti-virus solutions miss. Machine-learning that gets better and better at understanding threats. Belt and braces.

But then you fail to configure it all correctly and your customers get hit anyway!

Sceptical? Look at Amazon’s AWS solution, which has suffered a number of critical security and other misconfigurations, resulting in compromised user data.

Read Gartner, who say that in 2017 misconfiguration will be the most common source of breaches in mobile applications.

And take heed of the Infosec Institute, who place security misconfiguration right in the middle of the top ten cyber-risks in 2017.

Whichever way you slice it, the evidence shows that even the cleverest solutions can be useless if they’re not set up correctly – but how do you go about making sure the security solutions you deliver don’t fall into this trap?

Health checks: an MOT for your security solutions

The answer isn’t rocket science, but it is common sense.

You get your car checked out regularly to ensure it’s running as it should, and to inform you of any action you need to take to keep it fit for purpose. Essentially, it’s a health check for your motor – and you can do exactly the same for the security solutions and services you deliver.

But the even better news is that the security healthcheck is often far less disruptive and time-consuming than taking your car to the local garage.This is because the health check can often be performed by an engineer remotely, using the same web consoles you use to deliver and manage your security offerings every day.

As the engineer finds configuration faults or errors, they document these in a report that includes recommendations for the actions you need to take to fix them.

Who delivers security health checks, and what do they cover?

Where and how you get your security health checks often depends on the support and services arrangements you have with the vendors of the security solutions you sell – although this is not the only way to access them.

You could, for example, go through a specialist security software distributor who has vendor-accredited technical expertise in-house. This means you get vendor-quality product knowledge but through an organisation that is typically smaller, more agile and delivers a more personal service.

Typically, a product security health check delivered in this way will cover the full spectrum of security configuration points (it could be 60 or more) that can become an issue if not properly attended to, including (amongst others):

  • Unresolved malware
  • Patching and security updates
  • Licence status
  • Choice of deployed modules and scan engines
  • Policy and protection compliance
  • Impending end-of-life, end of support, and other OS-related issues
  • Settings (e.g. threat sensitivity); options enabled and disenabled
  • Identification and authentication

Security health checks; who fixes what’s not working?

If you have technically proficient people in your organisation, they can of course take the recommendations of the health check report and act on them.

But how does it work if you haven’t got the necessary technical resources?

Again, think of your car: you have no hesitation in handing over your keys to a trusted specialist to carry out work you couldn’t. Depending on who you get your security health check services from, the same model is potentially available – hands-on, on-site corrective work, billed according to an agreed estimate of the time it takes to complete the job.

(But no expensive mechanical components to cause the sucking in of air between the teeth, of course!)

Insights: safer than consequences

“Prevention is better than cure”, runs the old adage – but when there’s no cure available, the need for prevention becomes even more urgent.

Sadly, you can’t “cure” breach and theft of your customers’ data, for example – once the data’s been taken, it’s an irreversible action.

And if it occurs because a solution you provide wasn’t set up correctly or hadn’t been kept up to date, the legal, reputational and financial consequences for your organisation – particularly under the imminent GDPR regulations – would be severe.

But regular insight into the status of your security solutions and how they have (or haven’t) been applied can wrongfoot the risk before it trips you up.

A healthier situation all round.

 

 

 

RansomwareThe word “ransomware” terrifies individuals and organisations alike. We look at how this threat works - and how to fight it!

The ransomware mood music isn’t good this year. As security publications and commentators tell us, ransomware is expected to dominate the malware arena in 2017.

More than ever, then, security partners need to offer sound, confident advice to end-users on both the nature of ransomware, and how to defend against it.

So look no further!

Ransomware: how it works

Ultimately, the aim of ransomware is to paralyse companies’ operations, usually by encrypting data, then demanding money to decrypt it and render it usable again.

For security partners and their customers, one of the challenges with ransomware is that it can enter the network through many different routes – malicious links or infected file attachments in emails, drive-by attacks triggered by a visit to an infected website or ad, botnets, USB drives, Yahoo Messenger images… the penetration potential is extremely high.

But to rub salt into it, ransomware also dodges many of the traditional anti-virus defences.

It disguises filenames and attributes and hides behind legitimate file extensions. And it often uses secure communications protocols like https and Tor, and encrypts its communications as it goes, obscuring the tell-tale server calls that would ordinarily betray its presence.

What this means is that most anti-virus protection is none the wiser to the threat – and so the latter finds its target, which is usually the most critical data the business holds. (Indeed, the notorious Cryptolocker ransomware, as this blog, from Bitdefender, explains, hunted out 70 different specific file extensions, precisely for this reason).

Ransomware: how to stop it

A threat that can infect via so many different channels, and hide its tracks whilst it’s doing it, clearly can’t be stopped by a single “silver bullet.”

It can only be stopped by layered protection that detects and blocks at all the levels at which ransomware can penetrate and spread.

Research carried out by Trend Micro has found that 99% of over 99 million ransomware attacks were found in malicious email or web links, so robust defence at the email and web gateway level, as well as at the endpoint and network levels, are a must.

Protecting email and web traffic from ransomware

Analysis is the key here; in the absence of the normal malware “cues” that signal a threat, security solutions have to look harder, deeper and wider for signs of the miscreants.

This means not just analysing links in the body of an email, for example, but also the links in the attachments that that email contains – as well as the attachments themselves.

It means scanning for zero-day and browser exploits, and other favoured ransomware entry points that are buried in applications (such as within Office 365 – 2 million threats discovered to date, according to Trend Micro!), rather than just in links or attachments.

And it means both being able to instantly compare links with a global database of known malicious URLs, and automatically rewrite links (as we discussed in this post) to divert them into a sandbox and analysis environment.

There, they can be triggered and inspected at no risk - even if they are not “known suspects.”

Protecting endpoints from ransomware

But what if the threat enters the network from an endpoint, like a PC – triggered, perhaps, by an infected document on a USB stick?

Actually, it’s at this level that some of the most useful indicators of ransomware behaviours – rapid encryption of multiple files, for example, or exploit kits that look for unpatched software vulnerabilities, as a prelude to sending ransomware through them – can be detected.

A security solution that can isolate the endpoint can stop the ransomware from spreading further via the network. And on that point…

Protecting networks from ransomware

The network itself must of course be protected.

But network traffic flows across myriad nodes, ports and protocols, so security must be capable of identifying ransomware and attacker behaviour in and across each of these sub-layers.

Here, too the sandbox analysis that we mentioned above is a powerful resource, mirroring the actual network environment so that the presence of typical ransomware behaviours can be accurately tracked and their effect (and therefore likely objective) revealed.

And blocked!

Ransomware immunisation: using the threat against itself

But one of the slickest anti-ransomware developments we’ve seen recently is a “vaccine”, which literally uses the ransomware’s own programming against it.

Ransomware typically prevents a machine it has already infected from playing host to any other infection that could interfere with the ransomware’s own endgame.

But this same feature, deployed on uninfected machines, effectively blocks the ransomware itself, as we have previously described in this post. So, does this mean ransomware is finally hoist by its own petard?

I wouldn’t bet on it. But by sharing knowledge about how ransomware works, how we can defeat it, and where businesses and security partners can go for more advice, we make every hostage that bit more difficult to take.

And that’s a ransomware result.

End of Road for McAfee Email Security SolutionsAs many McAfee security products slide into end-of-life, we take a look at how it could affect end-users, MSPs and resellers.

Forgive us for being forward, here, but if you didn’t read our last post on the McAfee security products that have entered, or are entering, end-of-life (EOL), you probably need to.

Just to recap, many McAfee EOL products simply don’t have a like-for-like migration path, according to McAfee’s own EOL support pages. In fact, many of them apparently don’t have a migration path at all, and those that do have a distinctly oblique one, involving renamed products and (presumably more expensive) updates.

So if you’re a McAfee end-user, are you worried? If you’re a McAfee MSP or reseller, should you be worried, too?

Worry is never helpful – so here are the plain facts about the McAfee EOL products and how their withdrawal will ultimately affect end-users, MSPs and resellers alike.

Which McAfee products does this EOL problem affect?

Since Intel’s acquisition of McAfee in 2011, there has been a concerted focus on EOL-ing those products that are not core to Intel’s strategy, and so the complete list is a long one.

But three that we think will grab most end-users’ and partners’ attention are:

  • Email Gateway
  • Enterprise Mobility Management
  • Endpoint Encryption

What will this mean for end-users and partners?

Bluntly, whether you’re an end-user or a security partner, EOL means what it says on the tin, or at least in the McAfee end-of-life policy; support for the software product simply stops (“Support contracts cannot extend beyond the end-of-life date”).

Support, of course, includes patches – a critical weapon in the struggle to keep security software updated against new or emerging threats – and so a security product kept in service beyond its EOL date is likely to rapidly become no kind of security product at all.

Map the McAfee products that are going / have gone EOL to the current risk profile of the cyber threat universe and the picture looks even more alarming.

  • McAfee is EOL-ing Email Gateway, yet… malware analysis in this publication shows email-borne malware hit 705 million quarantined messages from just one security vendor in just one month of 2015 alone!
  • McAfee is EOL-ing Enterprise Mobility Management, a solution that enables IT teams and security providers to keep large-scale official and unofficial mobile use in large businesses secure - yet McAfee also admits that the unique mobile malware samples collected in its own laboratories increased 72% from Q3 to Q4 in 2015!
  • McAfee is EOL-ing Endpoint Encryption, yet… the loss or breach of customer data from a mislaid or stolen device that this kind of technology can prevent is about to become a source of huge financial risk to businesses because of the draconian provisions of the forthcoming GDPR legislation!

In short, McAfee are pulling the plug exactly where the bad guys are starting to focus most attention – and that can only end badly for end-users and partners alike.

 But MSPs and resellers can get custom support, right?

Don’t you bet on it. Although custom support, beyond the EOL date, is theoretically available, it’s on McAfee’s say-so – reseller, MSP, end-user or whoever else you are. As they state in their policy, it is “an exception”, not the rule.

Clearly, it also costs. Not only that, it requires an existing current and continuous support contract to be in place, provides only limited content updates, for a limited time period, and with specific terms and conditions.

(Oh, and it never covers hardware of any kind, even if you bought the original solution on a hardware platform).

Does all this infuse the need to migrate to other solutions with a certain sense of urgency?

What happens next?

But knowing you have to migrate is little use if you don’t have any help as to where you might migrate to.

In the last blog in this series, we’ll be exploring some of the other security vendors’ offerings, and discussing whether they’re a good fit for partners and end-users looking to leave McAfee’s EOL products behind.

Keep watching!

McAfee - End of service warning

A raft of McAfee products have gone into end-of-life (EOL) since Intel took over. We look into the issues this is likely to create, now and in the immediate future.

It’s been six years since Intel bought McAfee, during which the company has pursued an aggressive end-of-life (EOL) policy across its product range, unleashing what IT publication CRN called “waves of uncertainty” in its core markets.

A visit to McAfee’s EOL support pages reveals a current drop-down menu listing scores of products that have been put into, or are scheduled to be put into, EOL - meaning no further availability of technical support and essentially, therefore, the impending end of the product’s viability for end-users and partners alike.

And although clear migration paths are available for some of these products, for others they are conspicuous by their absence, or are simply replaced by a (presumably more expensive) “upgrade”.

The outcome is inescapable: multiple security solutions are no longer available from McAfee, and each case of EOL leaves a hole that both end-users and security partners will potentially need to look elsewhere to fill.

McAfee EOL: the critical list

Regrettably, the EOL products that appear to have no clear migration path are also the ones that cover the truly critical threat vectors like networks (Asset Manager), email (Email Gateway), mobile devices (Enterprise Mobility Management), and data protection (Endpoint Encryption).

Unfathomably, even Content Security Suite, which combines many of these defences in one convenient package, is destined for the axe.

Intel spoke of “tough tradeoffs” in making these EOL decisions, but the reality is that they have proven – and will continue to prove - tougher still for customers and partners.

The apparent absence of clarity regarding the migration path from one product to a subsequent version or replacement spells disruption, whichever way you slice it.

Should end-users (and partners) simply trust that Intel will come up with something better? Should they be looking to other vendors? If so, which?

And should they seize the simplicity of “going direct”, where available, or should they source the products through a distributor, where the added link in the supply chain could bring value-adds like services, support, consulting, rewards and benefits, and the like?

Beyond McAfee EOL: what next?

Two points are worth noting here.

Firstly, at least some of McAfee’s products won’t go into EOL for a short while yet - so there is breathing space to find and trial alternatives.

Secondly, the security market is evolving fast. Established players like McAfee are coming under pressure from a swathe of specialist security vendors, including the new “big names” like Trend Micro, as well as agile arrivals like Bitdefender, Malwarebytes and others. Essentially, when McAfee stops delivering, there is no shortage of vendors who could potentially step in.

Watch this space for our next blog, which will explore some of the most compelling post-McAfee options for resellers, MSPs and end-users alike.

virtual-cloud

Bitdefender have announced that its GravityZone solution is now certified by VMWare and has achieved the VMware Ready status.

What this means?

Organisations can now enable agentless scanning on guest virtual machines via NSX introspection, which eliminates the overheads that can be seen when running a separate instance of the agent in each VM.  It also offers increased resilience against APT's which target the security solution.

Enterprise Customers now have access to a new and proactive approach for securing Datacenters and their Network Virtualisation environments.

From Kirsten Edwards, Director, Technology Alliance Partner Program, VMware

“We are pleased that the Bitdefender GravityZone qualifies for the VMware Ready™ logo, signifying to customers that it has met specific VMware interoperability standards and works effectively with VMware cloud infrastructure. This signifies to customers that GravityZone can be deployed in production environments with confidence and can speed time to value within customer environments,”

Harish Agastya, Vice President, Enterprise Solutions, Bitdefender

“Data centers are the heart of the digital economy, and security is paramount for data center operators across the world. The VMware Ready certification marks another step in our commitment to provide security that is easy to deploy and scale, and meets the unique requirements of today’s highly virtualized environments. Our award-winning security solution leverages NSX capabilities in the software-defined data center to provide automated deployment and orchestration of security services,”

About VMware Ready

vmware_readyVMware Ready is a cobranding benefit of the Technology Alliance Partner (TAP) program which makes it easy for customers to identify partner products which have been certified to work within the VMware Cloud infrastructure.  With thousands of members worldwide, TAP includes best of breed technology partners who bring the highest expertise and business solutions for each individual customer.

About Bitdefender GravityZone SVE

Bitdefender GravityZone SVE provide security for virtual machines, virtualised Datacenters and cloud instances, through the GravityZone On Premise console.

  • Best protection for Windows and Linux virtual machines: enabling real time scanning for file systems, processes, memory and registry
  • Best proven performance in datacenters: up to 20% performance improvement compared to traditional security vendors
  • Works on any virtualization platform: VMware, Citrix, Microsoft Hyper-V, KVM, Oracle, and others on demand
  • Agentless security for VMware NSX

 

Keyboard equipped with a red ransomware dollar button.
Keyboard equipped with a red ransomware dollar button.

There has been report of several companies becoming infected by the Crysis Ransomware and as such we have had a look into what it does and how it can be prevented.

History

First detected in February 2016, this virus has multiple methods of infection typically an email which has attachments using double extensions to make them appear non-executable.  Although it has been seen to also come through SPAM emails and compromised websites.  There has also been reports that it has been distributed to online locations and shared networks disguised as an installer for various legitimate programs.

Description

Crysis Ransomware itself is capable of encrypting over 185 file types across fixed, removable and networks drives and uses RSA and AES encryption, once infected it will also look to delete the computers shadow copies.  Whilst also creating copies of itself into the following locations.

  • %localappdata%\­%originalmalwarefilename%.exe
  • %windir%\­system32\­%originalmalwarefilename%.exe

The virus will then look to create/edit certain registry keys to ensure it is run on each system start.

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%originalmalwarefilename%" = "%installpath%\­%originalmalwarefilename%.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%originalmalwarefilename%" = "%installpath%\­%originalmalwarefilename%.exe"

Finally after encryption there is a .txt file placed in the computers desktop folder, sometimes this accompanied by an image set as the desktop wallpaper.

  • %userprofile%\­Desktop\­How to decrypt your files.txt

There has also been reports of Crysis stealing data and credentials from the affected machines and passing these back to its Command and Control server.  This would then allow the computers and local networks that have been infected to become vulnerable to further attack if the credentials are not changed.

It has also been seen that Crysis will monitor and gather data gathered from IM applications, webcams, address books, clipboards and browsers prior to sending this to the C&C server with the windows variant stealing account and password credentials.

Prevention

To reduce the risk of infection we recommend the following

  • Ensure you are using an upto date AV product
  • Ensure any specific Ransomware prevention tools in the AV are used
  • Ensure you have a regular tested backup of the data
  • Educate users in the dangers of opening attachments from an unknown source

 

 

Bitdefender have updated their GravityZone cloud console with some new features over the weekend and here at Blue Solutions we are happy to guide you through these changes and how they will affect you and your customers.

Anti-Ransomware

The big news is that Bitdefender has now incorporated Anti Ransomware vaccine to all its cloud customers, and will be rolling this out through the on-premise version on Tuesday 27th Sep 2016.  This module is activated through the policy section  Antimalware --> On Access settings

Gravityzone Ransomware Vaccine Policy Setting
Gravityzone Ransomware Vaccine Policy Setting

By activating this module, machines will be protected from all currently known forms of Ransomware.

Other New Features

Update Rings - this feature allows Administrators of the program to  chose when in the validation cycle an update is received.

Anti-Exploit Techniques - a new set of powerful techniques which further enhances existing technologies to fight targeted attacks.  These are integrated into the existing Advanced Threat Control module.

Web Access Control Rules - The categories list has been updated with multiple new categories added.

Exchange Protection - This can now be enabled/disabled when editing a customer with a monthly license subscription.

 

The above features are now in place for all current users of Bitdefender Gravityzone in the cloud and will be rolled out to Bitdefender Gravityzone on-premise users from the 27th Sep 2016.

For more details on the above features and a look at the other features included please click here

logo     bs-logo

Over the last week we have seen an increase in the amount of companies receiving emails containing Zepto Ransomware, a file encrypting virus based on the infamous Locky cryptoware.
Most of the emails have been carefully crafted to ensnare the victims using social engineering techniques, typically greeting the recipient by first name and asking them to open an attachment which they had requested.
zepto image
The attachment will typically be either a .zip extension or .docm extension and once opened will run a malicious JavaScript which then encrypts all files on the users machine with the .zepto extension

To try and combat the infection, we offer the following advice
1. To protect against JavaScript attachments, tell Explorer to open .JS files with Notepad.
2. To protect against VBA malware, tell Office not to allow macros in documents from the internet.
3. Ensure your AntiMalware program is upto date
4. Ensure your users are careful with email attachments and only open the ones they are sure they have requested
5. If possible set email filtering to quarantine all .zip and .docm files

Brian-A-Jackson1

On a weekly basis there are now articles regarding a big brand company which has been hacked, these usually relate to what data has been lost, how they are notifying those affected and what they are going to be doing to prevent this from happening again.

So how do you prevent it from happening in the first place?

From experience I can see that if a hacker wants to get details from somewhere they will take the easiest target, the ‘Low Hanging Fruit’ as they say, in ensuring your company has some basic security principles in place can help mitigate this.

So how do you ensure you are not the ‘Low Hanging Fruit’

Simple measures can be taken within your environment to help secure it. As a basic level you should be meeting the following guide - CyberEssentials Requirements

This sets out some advice regarding Firewalls, User access control, Passwords, Malware protection and Patch management.

Once you have met the standards given within this document you should be looking to increase the security standards within your organisation. The most effective we have found is the use of education, once educated your staff will be able to react to the threats quicker and reduce the risks to your company.