Episode 87: Verizon Call Out the Vulnerability Pimps

Amrit Williams, BigFix CTO, continues his discussion with Marc Maiffret of FireEye on emerging threats and the new "vulnerability pimps".


TRANSCRIPT

Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I am joined by Marc Maiffret, Chief Security Architect with FireEye and former CTO and Founder of eEye.

Marc, thanks for joining me today. We talked a little bit about the proliferation in terms of the professionalism, the organization of the bad guys. Are you seeing any trends in terms of the number-one threat vectors that folks are using these days?

Marc Maiffret: Yeah, I mean, I think most would agree that… I mean, I think most now hopefully understand that the attacks have really moved to being at least the way that a company is initially becoming breached. I’d say 90-plus percent of the time, it’s definitely from an attack coming into the desktop environment, typically coming through some client application program, whether it’s the browser itself or all the third-party applications that can be exploited through the browser or through email. And definitely in that context also, probably the single most popular thing that we see being exploited is definitely with Adobe Acrobat.

And I think when you look at those third-party applications — and I think I’ve made this point before, but I think it can’t be kind of made enough — but when you look at the third-party applications, most of them from a security perspective they’re where Microsoft was five, ten years ago, and a lot of that is just for the fact that Microsoft had so many problems, as we all know, and so many worms and so many bad incidents that they really had to take security and really invest and treat it as a real problem rather than a kind of marketing problem.

But for most of the other companies, it’s something new for them. It’s only been in the last year or two at most that Adobe became such a large target and under such fire from all the exploits that are out there and continuous Zero Day unpatched vulnerabilities. So there’s that kind of lagging behind, and that’s sadly what we see time and time again with technology companies is it’s only once all the bad things start happening that they start to be proactive or are more proactive in their security. I think that’s a trend that will kind of always be there, and I think the scary part when you think about that is definitely as it relates to cloud computing and, where in the world of all the different cloud services, you can’t have independent researchers discovering all the vulnerabilities like you could with Adobe and Microsoft, because with the cloud obviously if you’re auditing whatever, Salesforce.com or something, as an independent researcher you can’t actually do that ‘cause it’s a third-party server that you’re interacting with and therefore illegal.

So you’re taking the independent security researchers completely out of the game of helping to improve technology, leaving it up to technology companies themselves. And if the last ten years have been any indicator of how that’s going to go, it’s going to go very poorly, in that independent security researchers have really led the charge on helping to improve technology and really to hold technology companies accountable before all the bad stuff starts happening.

Amrit Williams: And it’s interesting, too, because the organizations themselves that rely on these third-party services, they lose visibility and control. So they’re unable to use the normal type of technologies they might to watch traffic flow from a corporate resource sitting out there at Starbucks accessing corporate resources that are maintained by a third party. So it sort of creates a whole new paradigm of trust problems for these organizations.

Marc Maiffret: Yeah, completely. I mean, it’s funny when you think about a lot of the cloud services or just Software as a Service, whatever we’re calling these things today (laughing). But when you think about those technologies, not only is there the underlying just basic, “Hey, is their code secure?”; but they are actually missing… in a lot of cases they’re missing even more fundamental stuff.

For example, when you sign up with some of these different sites, especially if you’re using them for replacing your sales system or replacing your accounting system or other kind of critical core customer-management systems, they’re missing the most basic things of even giving you an audit trail of who’s logging on and logging off and where are they logging off and on from.

And sometimes they might give you that output — you can log into their site, you can look for that on a specific link within the website that you can kind of scroll through it or whatever — but they’re not giving you that in kind of a data format that you can feed back to your SIM just like you would with any other type of technology. So there’s a lot of basics as it kind of relates to just the audit and controls that I think companies are used to with the more standard kind of software they’ve been using over the years that are just completely missing from most of the Software as a Service.

(00:05:11)

So I would love to see if there was ever some kind of open standards and requirements, even around the basic aspects of logging in and audit controls of these sites, to where they had kind of an open web services, XML, et cetera, interface that would allow third parties, whether it’s IT kind of building their own tools or security companies themselves, to be able to have a standardized interface through these different cloud services to be able to kind of take some of that audit and security data and bring it back to correlate it all with the bigger picture of what’s happening in a company, because obviously with corporate security there’s more than… not everything is going to be sent off to the cloud, if you will.

Amrit Williams: Yeah, no, it’s interesting you say that, too, because I think folks are working to try to create cloud-audit frameworks that support that; a lot of folks have sort of doubled down on the monitoring aspect, the analysis aspect of what’s going on in their environment, so that they can at least limit the incidents once they occur.

But this whole cloud-computing paradigm removes that ability from them, and it’s unfortunate. So hopefully we’ll see a lot more of the service providers providing mechanisms that can support the infrastructure that folks have built for monitoring.

Marc Maiffret: Yeah. It’s one of those funny things; but it seems that in today’s world if you make some Facebook page or related that says that companies can sign up and IT people can sign up saying by joining this Facebook page we’re demanding these ten requirements from cloud stuff. I mean, there’s got to be some sort of grassroots thing like that, because what I’ve seen so far is definitely security folks I see bring it up now and then; but it’s definitely not enough being done to really demand it, and I would say any IT type of people and companies that might be listening to the podcast, even if you can’t necessarily hold up moving to Software as a Service, you should at least be very vocal in making your demand be heard that you do need some of these different kind of audit and kind of control aspects.

Amrit Williams: Hopefully, we’ll see that. I can’t let you go without a little controversy, though, Marc. So I’ve got to ask you a question here.

Marc Maiffret: All right, ask.

Amrit Williams: Verizon came on and started proliferating this term “vulnerability pimps” recently, and one of your old colleagues, Morey over at eEye, had a post about how to write. And he got a lot of backlash on making that comment, especially from vulnerability researchers.

So not to rehash the old vulnerability disclosure debate — I’m actually not interested in doing that — but I do want to get your take, because you mentioned something in terms of cloud computing, which is you do remove the security researchers from the equation. I think vulnerability researchers, security researchers offer a lot of value, especially those that share the information in an appropriate way with the organizations that they find problems with. Without getting into too much detail here, what are your thoughts on this? What are your thoughts on the concept that Verizon is essentially saying that this is not good?

Marc Maiffret: Yeah, you know, I kind of missed the Verizon thing; so I didn’t get the whole context of the “vulnerability pimps”. I’ve kind of heard it around and stuff, but I mean I think it’s funny. I guess for me, I’ve been in that whole realm of vulnerability research and stuff for so long now, and before Verizon had all these 8:45 and stuff that they were even doing. But the sad thing is as it relates to vulnerability researchers, I find it funny when people talk about concepts like “full disclosure” or “vulnerability pimps” or whatever, because the reality is that vulnerability research has been dead for probably a few years now.

What I mean by that is that the few security companies that actually used to still do proactive vulnerability research, like eEye, like ISS, like 9:17, almost none of these companies actually do it any more. I think one of the last commercial companies that still does good vulnerability research and publishing is CORE Securities, who very happily are carrying that flag, and love the guys for doing that. So it’s a funny thing to me when people talk about it, because I don’t know who out there is actually doing public vulnerability research any more. I mean, there’s things now and then — maybe you see something from Dan Kaminsky or now and then an independent researcher being credited in some Microsoft advisory — but it’s actually a sad state of security is that companies no longer do it and most of the independent researchers who used to do it, they for the most part now are either just selling Zero Day to a variety of different companies and organizations and they’re kind of doing stuff behind the scenes, and that to me is a scary thing.

And that’s I think also why you’re seeing such an explosion in the number of Zero Day and attacks that we see with Adobe: because I promise you, you had to spend five or six years ago when you had companies like eEye and ISS and related doing vulnerability research, responsibly reporting things and getting them patched through Microsoft, they promised you that at least 50% of all the Adobe vulnerabilities that we’re seeing today would have been being found by those companies and fixed in the responsible ways that IT patches.

The problem is that there’s this massive vacuum in the vulnerability-research world where these people aren’t doing it any more, and as such it’s basically left to two groups of people to do it: the vendors, who we know simply do not care until things become really bad for them; and the bad guys, who we know have all the motivation in the world to find these things, and that’s why you see the increase in Zero Day, that’s why you see so many Adobe vulnerabilities and kind of beyond.

Amrit Williams: You know, that’s an interesting point. I hadn’t thought about that, but –

Marc Maiffret: Yeah, there’s a massive vacuum out there for this stuff. And so that’s where it’s like I’d much rather (laughing)… again, I don’t know the full context, if “vulnerability pimp” is just about the braggery of finding vulnerabilities or kind of what that context was. But I would take an independent researcher discovering a vulnerability, working with Microsoft or whoever to get it fixed, and I would let them try to plaster all over the media and do everything that they could, because at the end of the day, who cares? They’re the one that found the vulnerability, they’re the one that worked to get it responsibly fixed, and that’s one less bug that’s now out there on the street, if you will, that’s a Zero Day that’s being used by organized crime-backed guys that are spreading stuff.

So I think when it comes down officially to that aspect of people trying to grandstand off vulnerabilities and this and that, yeah, I mean, maybe that can kind of come off kind of cheesy or vulnerability pimp-ly or whatever; but at the end of the day, I’d much rather have those people finding the vulnerabilities than what we have today, and that’s the big problem is that those people don’t even exist any more for the most part.

Amrit Williams: And it’s interesting, too, because like I was saying, I hadn’t thought about that until you mentioned it; but there really has been a major hole left by a lot of these folks and the organizations they report to restructuring how they go about research and what they should focus on. But there hasn’t been any massive drop in the vulnerabilities and patches that are coming out. They’ve spread — you know, have more non-Microsoft third-party applications getting attacked — but there certainly isn’t a massive hole in terms of the number of patching or re-jiggering of various internal security controls to respond to these events.

So the volume is still there. What seems to have changed is the process that one would normally have gone through to help protect these organizations before they become compromised. And I think you’re right: that’s created a major problem.

Marc Maiffret: That’s it.

Amrit Williams: Yeah, and it’s not gonna get any better any time soon.

Marc, I really appreciate you joining me today. Just for the audience again it’s Marc Maiffret, Chief Security Architect with FireEye, and modernmalwareexposed.org is the website that they’ve just launched, a lot of great information up there.

Marc, really appreciate you joining me today. Hopefully, we can get you back soon.

Marc Maiffret: Definitely. Thank you so much.

Announcer: You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.

Thanks for listening!
