Threat Intelligence

“What are our cybersecurity protocols?” This question is one that has, undoubtedly, been top of mind for CTOs at numerous corporations and government agencies around the world in the wake of recent ransomware attacks. Given the hundreds of thousands of endpoint devices in more than 150 countries that were infected in the latest global attack, WannaCry, can you blame them?

Cybersecurity stock buying trends are on the rise. According to CNN Money, the PureFunds ISE Cyber Security ETF (HACK), which owns shares in most of the big security companies, was up more than 3 percent in early trading the Monday following the first WannaCry attacks. Positive performance in cybersecurity stocks comes as no surprise as organizations shore up their defenses in preparation for future attacks—big or small. This is the security climate in which we live.

While the numbers have been rising on both fronts, do the affected organizations truly understand what to look for when addressing cybersecurity? Where should the protection start? What obstacles might organizations need to overcome? How can they be better prepared?

Hal Lonas, chief technology officer at Webroot, takes us beyond the sobering wake-up call that attacks like WannaCry bring, and discusses actionable advice companies should consider when fortifying systems against cybercriminals.

Where should an organization start when thinking about combating malicious files entering the network?

Organizations should think about their security in terms of layers. Between the user sitting in the chair and the sites and services they access from their workstations, every level of security is equally important. The vehicles malicious files use to infiltrate the network shouldn’t be ignored either. Is it a URL? Is it a USB key that’s physically carried into the office? Or maybe it’s an employee who takes their laptop home and uses it on an unsecured network—the possibilities are endless. We’re in a very interesting era in which mobility has become the norm, there are more internet-connected devices than ever, and there are more angles every day for cybercriminals to launch attacks. Essentially, the perimeter is dissolving. That means organizations need to rethink how they approach protecting their networks.

We’ve heard the term “dissolving” a number of times recently when talking about the traditional notion of the network. Can you speak more on that?

Let’s use my phone as an example. Right now, it’s connected to the secure employee wireless in this office. When I hit the coffee shop later for a meeting, it might be on their public Wi-Fi. While I’m driving to the airport this afternoon, it’ll be on a cellular network. By tonight, it’ll be on the guest Wi-Fi in a hotel. With each movement and interaction, perimeters converge and overlap, and this phone is exposed to different levels of security across a variety of networks. Each step means I’m carrying data that could be exposed, or even malware that could be spread, between those different networks. These days, company work happens everywhere, not just on a corporate computer within the security of an organization’s firewall. That’s what we mean by dissolving perimeters.

We’re in a very interesting era in which mobility has become the norm, there are more internet-connected devices than ever, and there are more angles every day for cybercriminals to launch attacks.

One line of defense is endpoint protection. Whether you’re using a mobile device or laptop, that protection goes with the device everywhere. Even as you switch between networks, you know that’s one layer of protection that’s always present. Network or DNS-level security is also key, to help stop threats before they even make it as far as the endpoint.

How does Webroot BrightCloud® Streaming Malware Detection fit into the layered approach? Is it cutting edge in terms of protecting against malicious files at the perimeter?

Streaming Malware Detection is pushing the boundaries of network protection. As files stream through network devices—i.e., as they’re in the process of being downloaded in real time—Streaming Malware Detection determines whether the files are good or bad at the network level. That means the solution can analyze files in transit to stop threats before they ever land on the endpoint at all. We partner with the industry’s top network vendors, who have integrated this and other Webroot technologies as part of their overall approach to stopping malicious files at the perimeter.

In terms of what we’re doing with Webroot products, we’re expanding the levels in which you can be protected—looking at more and more different aspects of where we can protect you. We’re tightening the reigns from endpoint protection, which we’ve traditionally done extremely well, and branching further into the network with Streaming Malware Detection, as well as network anomaly detection with FlowScape® Analytics. We aim to bring value to our customers by protecting holistically. We’re adapting as a company with our product offerings to this new reality we find ourselves in.

What cutting edge approaches is Webroot taking to combat what has already infiltrated the network?

We hear a lot about advanced persistent threats. The reality is that those long-resting, largely undetected threats do make their way through and land in an environment with the intention of wreaking havoc, but doing it low and slow to avoid detection. The malware authors are very smart, which is something we try to anticipate. Webroot is really good at a couple of different things, not least of which is that we’re incredibly patient on our endpoint products. Essentially, we’ll monitor something that’s unknown for however long it takes, journaling its behavior until we’re absolutely sure it’s malicious or not, and then handling it appropriately.

In addition, we’ve recently added a product that does the independent network anomaly detection I mentioned earlier: FlowScape Analytics. Essentially, it analyzes day-to-day activity within a network to establish a baseline, then if something malicious or abnormal happens, FlowScape Analytics instantly recognizes it and alerts us so that we can track it down. In conjunction with our other layers of protection, it’s a solid cybersecurity combination.

What technology do you see helping to protect networks at the same scale and velocity threats are coming?

Streaming Malware Detection is a big one. Traditionally, malware has been sent into a sandbox where it has to execute and takes up resources. The sandbox also has to simulate customer environments. This approach comes with a lot of complexities and ends up wasting time for customers and users while awaiting a response. For scalability, analyzing the malicious files in transit at network speed frees up time and resources.

Is there anything else organizations should take into consideration? Machine learning at the endpoint level?

We’re always asking ourselves, “where’s the right juncture to layer in more security?” I’d like to see more organizations asking the same. You can look at our history, during which we developed a lightweight agent by moving the heavy lifting to the cloud, and that’s the theme we’ll continue to follow. The detection elements of machine learning can fit on our client, but we’ll do the computing-intensive and crowd protection work for machine learning in the cloud. That gives you the best efficacy, shares threat discoveries with all of our products and services in real time, and keeps devices running at optimal levels.

Webroot recently announced a new collaboration with Clavister, a leader in the network security market. Clavister selected Webroot’s BrightCloud® IP Reputation Service. The solution detects malicious activity within users’ IT infrastructure and delivers actionable threat intelligence. We sat down with Mattias Nordlund, product manager for Enterprise at Clavister to get the scoop on the new offering and also the importance of IP reputation.

Webroot: Give readers a brief overview of Clavister.

Mattias Nordlund: Clavister is a Swedish security vendor founded in 1997 in the very improbable location of Örnsköldsvik, on the border of Lapland, far in the North of the country. We always joke – because it’s cold and dark so much of the year – our developers don’t have any distractions from making the best security code out there. Our “Swedishness” is a big source of company pride.

The development of our proprietary software – first cOS core and later our cOS stream solution – made the product into an award-winning and industry-respected leader in cybersecurity and digital threat deterrence. We’ve managed to grow the business internationally to an installed base of 20,000 customers with a 95 percent satisfaction rate, which drove Clavister to be one of the few Swedish technology companies listed on the NASDAQ OMX Nordic Exchange. Clavister also has acquired a formidable client list that includes Nokia, Canon ITS, and D-Link, as well as collaborations with Intel, Redhat, and VMware, among others.

I love the source of pride in your heritage. Putting on your security hat, do you see a difference in cyber preparedness in Europe versus the United States?

Of course. The US is a very advanced market when it comes to threat protection and development with some of the biggest vendors operating within its borders. But, if you think of EU legislation, like GDPR, with a more independent tradition that doesn’t appreciate the surveillance and backdoors built by both US and Chinese actors, then you see that Europe is quite advanced in cybersecurity. In Sweden, just as an example, we use a two-factor authentication app for not only our banking but logging into public websites, checking your kid’s daycare schedule, etc. So identity management and using VPNs is far more advanced in the EU than in the US.

That’s great. We are always pushing two-factor authentication, but it isn’t required by many sites here. Switching gears, why is IP reputation important?

For us, it’s important as a tool to help our customers stop Command & Control and Botnet communications, alleviate load on servers from attacks from known Denial of Service (DoS) IPs, or help limit the load on mail servers by stopping known spam sources on the edge. IP reputation in a way becomes a proactive mitigation technique rather than a reactive one. That’s where we see the market for Next-Generation Firewalls (NGFW) going.

Being proactive in your cyber defense is key. What do you hope your customers will gain by including Webroot BrightCloud IP Reputation intelligence in your solutions?

For our customers, it’s one more piece of the puzzle in how to understand traffic flowing through our products. The customer will get insights on the behavior of users. Coupled with other features like web content filtering and application control, it will indicate the behavior of a user and how “risky” it is.

What advice can you share with businesses struggling with their security plans today?

Having a holistic approach to how the company behaves – BYOD, its cloud-based work, endpoint, identity access management (IAM), VPNs, etc. – is really critical. It no longer works to take a partial approach. And then there’s the human firewall factor. Keep in mind, 85 percent of network breaches come from employees hitting phishing emails. That’s very important to bear in mind, as much as the hardware and software solutions.

Wise words, Mattias. Thank you for taking the time to talk cyber.

If you want to learn more about this new collaboration, check out the media release.

We’re not telling you anything new when we say that malware continues to pose a major challenge for businesses of all sizes. Polymorphism, in particular, is especially dangerous. Polymorphic executables constantly mutate without changing their original algorithm, meaning the code can change itself each time it replicates, even though its function never changes at all. That’s why it’s so problematic; organizations that rely on traditional endpoint protection methods have little hope of detecting and blocking all the variants that might hit their network, even if they combine their antivirus technologies with network sandboxing.

How BrightCloud® Streaming Malware Detection Works

With all this in mind, we’ve developed Webroot BrightCloud Streaming Malware Detection. This brand new, innovative technology detects malicious files in transit, in real time, at the network perimeter. It can be integrated into perimeter network security devices to complement existing functionality by identifying and eliminating malicious files before they enter the network or have the chance to spread or mutate internally.

In most cases, Streaming Malware Detection can make determinations without requiring the entire file to be downloaded. It scans files in real time to make determinations after only a small portion of the file has streamed through a network perimeter device. Streaming Malware Detection determines quickly whether files are benign or malicious, enabling the device itself to block, drop, or route the file for further investigation, depending on how the technology partner or end customer chooses has configured the appliance.

For partners, Streaming Malware Detection…

• Adds malware detection functionality to your network device and enhances your ability to detect and block known and never-before-seen malware
• Makes determinations on a high percentage of previously unknown, zero-day, and malicious files at the network level
• Processes files at a rate of 5,700 files/min (over 500 times faster than a typical sandbox at 11 files/min)
• Continuously improves its own capabilities via self-learning
• Provides the flexibility to tune and adjust thresholds to minimize false positive rate
• Integrates quickly and efficiently in network edge security devices via precompiled SDK
• Provides an incremental revenue opportunity

How To Get Streaming Malware Detection

We’re currently planning to make this extra layer of protection against polymorphic malware, and targeted malware in general, available for GA in the second calendar quarter of 2017. For the time being, we’re pleased to invite existing and prospective Webroot technology partners to join our beta program. Contact your Webroot account representative to participate.

For more info about Streaming Malware Detection and other new Webroot services, read our press release.

To address the need for application security in the digital transformation era, F5 is releasing a new host of products and services.

“The digital transformation has really changed security as a whole,” says Preston Hogue, Director of Security Marketing and Competitive Intelligence. What he means is that everything—EVERYTHING—is moving to the cloud. Think about the companies from years ago, such as Blockbuster, versus their modern counterparts, like Netflix or Hulu. Think about the fact that most of today’s twenty-somethings have never set foot in a physical bank branch, but use online banking daily. Now think about the fact that every service I’ve mentioned so far has an application, which is the primary method of interaction for users.

The application is the new perimeter and identity is the key to that perimeter. Over 70% of all data breaches occur by accessing applications. At F5, we are focused on securing our customers’ applications; both by securing access to the apps, and by securing the apps themselves where they reside.

We spoke with Preston about the newest security products F5 is launching, and how they’re using Webroot BrightCloud® IP Reputation intelligence to help power their solutions.

Webroot: Tell us a little bit about the security launch. What should we expect to see?

Preston Hogue: First, we are launching a family of dedicated security products called Herculon. The first two components of the Herculon product family are the Herculon SSL Orchestrator and the Herculon DDoS Hybrid Defender. These products are dedicated to solving the challenges of SSL/TLS encrypted traffic and ensuring application availability.

Second, we’re announcing a new service called Silverline WAF Express, which will give customers easy, self-service access to our cutting-edge web application firewall. We’ve been deploying web application firewalls on premises for some time and also offer a fully managed service. Since some customers don’t have the time or resources to install and maintain the software, or maintain the racks and stack and everything within their environment, we’re giving them a simpler self-service experience.

Our focus on securing applications means our overall threat research is geared toward application threat intelligence—really trying to get to the root cause of the 70+% of data breaches I mentioned previously—so we’re also announcing increased investment in our F5 Labs threat intelligence team.

Last but not least, we’re also announcing that the services of our security incident response team (SIRT), a dedicated team of highly trained individuals within the support organization, are now available to all F5 customers around the world. This team will be the highest level of escalation for security and service response.

Since threat intelligence is such a huge component of your offerings, what should your target customers consider when choosing threat intelligence sources for themselves?

There are a lot of companies that offer threat intelligence, but it’s challenging because they all claim a kind of broad, generic expertise. We advise that customers look for specificity; for targeted, actionable information that pertains to what they’re trying to do. Looking at a company like Webroot, you’ve taken on very specific aspects of threat intelligence and you’ve been able to master those particular areas—like the Webroot IP reputation intelligence that we integrate.

We see a lot of organizations trying to take on too much. That’s why we’re very definitive about the scope of what we’re trying to accomplish, and why we focus on leveraging our application security expertise around threats and ensuring we can provide very specific, clear, actionable threat intelligence with F5 Labs.

What do you hope your customers will gain by implementing your solutions with Webroot BrightCloud IP Reputation intelligence?

We know we have the expertise when it comes to understanding the overall threat to an application. We partner with companies like Webroot for insight into a particular aspect of threats; in Webroot’s case, it’s insight into IP addresses and additional threat information around user agents and anonymous proxies. We’re very specific in our threat intelligence, and we know we’re not always able to show the entire picture on our own. So we are able to fill in other areas of the overall threat landscape through our partnerships to ensure that we can give our customers the full picture they need.

How do you see the F5 security launch changing the security industry?

F5 has been in application security for over 20 years. From what we’ve seen, digital transformation is changing security as a whole. It has driven applications out of the data center and into the cloud. That means there are 3.2 billion users on the internet, who all potentially have access to these applications, which makes them a big target for breaches. Because of our expertise within the field, F5 is in the perfect position to provide visibility into this threat landscape, and also the control our customers need to achieve a secure application experience.

In his closing comments, Hogue had the following to say, “To secure access to applications and to secure the apps where they reside, you need a complete picture of the threats that target apps. You need a team like F5, with an ecosystem of intelligence partners like Webroot to provide that picture. And that’s how, ultimately, we can help our customers solve today’s security challenges and keep users safe.”

Learn more about Webroot BrightCloud IP Reputation intelligence. Or, for more information about F5’s security launch, read the press release.