Title: Stuxnet, Duqu and Flame VS. AntiVirus
Post by: Agoonie on June 01, 2012, 12:51:44 PM

Great article about malware and AV. It illustrates why we need a change in AV to detect ever-changing threats. It was kind of cool to see they owned up to it.

http://www.wired.com/threatlevel/2012/06/internet-security-fail/

Title: Re: Stuxnet, Duqu and Flame VS. AntiVirus
Post by: sil on June 01, 2012, 01:04:09 PM

Flamer - I Can Haz Propaganda
http://infiltrated.net/index.php?option=com_content&view=article&id=48&Itemid=54

Title: Re: Stuxnet, Duqu and Flame VS. AntiVirus
Post by: Agoonie on June 01, 2012, 01:52:43 PM

My boss would agree with you 100%. He says that they are all "snake oil salesmen" and they created most of the problems to get money. The thing I am noticing is that they are not catching them but are still saying they can protect against it. But isn't it a necessary evil at this point, even without the FUD/gov't FUD?

Title: Re: Stuxnet, Duqu and Flame VS. AntiVirus
Post by: sil on June 01, 2012, 02:01:35 PM

They don't need to make their own malware and flood the market to sell the products. The approach is wrong. In order to understand this, you would need to go to http://maec.mitre.org and understand a lot of what's going on. In a nutshell, this is the issue:

Malware Signature: 1 + 1 = 2
Attacker: one + 1 = 2
New Malware Signature: one + 1 = 2
Same attack + attacker: one plus one equals 2
New Malware Signature: one plus one equals 2
Same attack + attacker: b25lIHBsdXMgb25l

No matter how they want to attack the heuristics, it's a guessing game based on what they KNOW. They can never see/know/understand an attacker, so there is a lot of assumption based on known knowns. So attackers will ALWAYS have an upper hand. The key isn't to rely on malware/AV companies; the key is understanding your network, applications and patterns. E.g., any baseline of traffic would yield anomalies in sites visited, bandwidth consumed and so forth. You start seeing things leave your network destined for, say, China at 3am... It's something you should be quick to look at. The same applies for ANY connection LEAVING your network when, say, there is no one on a particular machine. HIPS also help here, but running, say, Tripwire or Samhain in an enterprise can be a headache.

Title: Re: Stuxnet, Duqu and Flame VS. AntiVirus
Post by: ajohnson on June 01, 2012, 05:55:23 PM

Have either of you read:
http://www.amazon.com/The-Myths-Security-Computer-Industry/dp/0596523025/ref=sr_1_1?ie=UTF8&qid=1338590679&sr=8-1

It's an easy read that's written for the layman and is, expectedly, a bit biased in McAfee's favor. However, there were some parts that were extremely candid about both AV in general and McAfee's own offerings.

Title: Re: Stuxnet, Duqu and Flame VS. AntiVirus
Post by: 3xban on June 02, 2012, 10:33:05 AM

It's all about whitelisting, I say. The less educated folks in IT think it is an impossible feat to use app controls to whitelist your standard baseline system. I was in a conference call this week where someone stated it's "easier to blacklist". I was like, what??? Sure, for the one-offs you actually know about, but what about the 100 other backdoor apps installed on your network that you DON'T know about??

If anything, enforce whitelists on your servers; I mean, if you don't know what is running on at least those, then you have lost this battle. I believe the basic firewall rule set is an excellent example and POC: your rules allow traffic in to specific services, with the DENY ALL rule at the end. Even outgoing: allow only these services out from these specific networks, block everything else. Good, your egress point to the network is covered. Now do the same for everything else! Sure, it may take a while to complete the list of allowed apps on your network, but in the long run it will pay off. Keep everything patched and your C-levels can sleep better at night.
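Taking sil's baseline points (unexpected destinations, traffic at 3am from a machine nobody is using) and 3xban's allow-only egress rules together, the following is an added example, not code posted by anyone in this thread: it triages a few constructed outbound flow records against an egress allow-list and a traffic baseline. The networks, ports, countries, business hours and the `active_user` field are assumptions, and the `country` field stands in for a GeoIP lookup.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Flow:
    """One outbound connection record (constructed schema, not a real export)."""
    ts: datetime
    src: str
    dst: str
    dport: int
    country: str                 # stands in for a GeoIP lookup on dst
    bytes_out: int
    active_user: Optional[str]   # interactive session on src at the time, None if nobody

# Egress policy in the spirit of the firewall analogy: allow only named
# services from named networks, everything else is an implicit deny.
EGRESS_ALLOW = [
    (ip_network("10.0.1.0/24"), {80, 443}),      # assumed workstation net: web only
    (ip_network("10.0.2.0/24"), {25, 53, 443}),  # assumed server net: mail, DNS, https
]
BASELINE_COUNTRIES = {"US", "DE"}   # destinations observed during the baseline period
BUSINESS_HOURS = range(7, 20)       # 07:00-19:59 local, assumed

def egress_allowed(flow: Flow) -> bool:
    src = ip_address(flow.src)
    return any(src in net and flow.dport in ports for net, ports in EGRESS_ALLOW)

def flag_flow(flow: Flow) -> List[str]:
    """Return the reasons a flow deviates from policy or baseline (empty list = normal)."""
    reasons = []
    if not egress_allowed(flow):
        reasons.append("egress not in allow-list")
    if flow.country not in BASELINE_COUNTRIES:
        reasons.append(f"destination country {flow.country} not in baseline")
    if flow.ts.hour not in BUSINESS_HOURS and flow.active_user is None:
        reasons.append("off-hours connection from unattended host")
    return reasons

def triage(flows: List[Flow]) -> dict:
    """Map a short flow label to its reasons, keeping only flows that raised one."""
    result = {}
    for f in flows:
        reasons = flag_flow(f)
        if reasons:
            result[f"{f.src}->{f.dst}:{f.dport}@{f.ts:%H:%M}"] = reasons
    return result

# Constructed sample flows: a normal web session, a 3am bulk upload from an idle
# workstation to an unfamiliar country, and a server talking on a non-allowed port.
SAMPLE_FLOWS = [
    Flow(datetime(2012, 6, 1, 10, 15), "10.0.1.23", "93.184.216.34", 443, "US", 48_000, "alice"),
    Flow(datetime(2012, 6, 1, 3, 2), "10.0.1.23", "203.0.113.7", 443, "CN", 9_600_000, None),
    Flow(datetime(2012, 6, 1, 14, 30), "10.0.2.5", "198.51.100.9", 6667, "US", 2_000, "svc"),
]

if __name__ == "__main__":
    for label, reasons in triage(SAMPLE_FLOWS).items():
        print(label, "->", "; ".join(reasons))
```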