
Epidigitalogy: Digital Disease Control (Part III)

Following in Dr. John Snow's Footsteps

We can follow Dr. Snow's lead by looking for commonalities, differences and outliers in our own digital communities: what makes one system get infected while another does not? It is difficult to inconvenience many people on the strength of incomplete evidence or misunderstood information, and it may help to tell the Dr. Snow story to illustrate the parallels with the difficult fight against digital diseases. When the handle of the Broad Street pump was removed, the community complained about having to walk farther for their water. To convince our own digital General Board of Health to remove a pump handle in an organization, we must have the evidence to back up our claims. We must also remind users that, for digital diseases as for biological ones, epidemiology is a science of probability, not a science of certainty. Even a great historical figure such as Dr. Snow did not have 100% certainty about the cause of cholera; he merely had statistics to infer from, but that was enough to make a difference to London and eventually to every city in the world.
Once communications with decision makers and users are firmly in place, the next part is learning how to set expectations. When decision makers or users ask for an update, both information security personnel and users must understand that the quality of information is greatest at the conclusion of an investigation, so preliminary data may be thin or missing entirely; a diagnosis is more accurate after the tests have been done. When epidemiologists are asked to investigate an environment they analyze frequencies and relationships among hosts using the study tools described in the appendix. These tools are far from perfect, but they are among the best tools we have to fight diseases.

CDC Best Practices
One common practice during an analysis at the Centers for Disease Control and Prevention Epidemic Intelligence Service (CDC EIS) is to spend 10 minutes explaining what you currently know about the state of the environment, with the results of the analysis so far, and then spend 10 minutes on questions and answers. If the next actions are not clear or the presented data is flawed, adjourn and investigate further. Another habit from CDC EIS is recruiting representatives from different groups in the organization to perform some of the basic field work; these people become sentinels in the surveying of the environment. Few organizations can afford all the security they want, so leverage existing human resources as much as possible. Prepare a reporting system so that remote information security staff and sentinel personnel can report suspicious activity. Indoctrinate all information security personnel into the epidigitalogy process, and rotate volunteers through it to slowly bring all information technology personnel up to speed on epidigitalogy thinking, so that sentinels are ready for the next digital disease survey or outbreak. To obtain good data for survey analysis, the information security professional (the listener) must be patient and understanding, and the reporting source must know how to report in clear terms. A security practitioner's desk-side manner goes a long way toward a good relationship between information security and users.
Epidigitalogy thinking encompasses these concepts:

1. Work under the assumption that digital disease pathogens are already in the environment. Few environments, biological or digital, are 100% free of disease pathogens.

2. Always actively monitor IT functions for signs of digital disease symptoms.

3. Document previous digital disease outbreaks to learn what can be changed on hosts or in the environment to improve organizational digital health.

4. Share knowledge of surveys regardless of how trivial it may seem.

5. Think about digital disease investigations as an endeavor based on probability versus an endeavor of absolute certainty.

6. Leverage epidemiological investigation tools such as 2x2 tables, frequency distribution tables and epicurves to determine commonalities and outliers.

7. Professional resources are often scarce, therefore volunteers reporting from the field are critical to the continuance of a healthy environment.

8. Culture and social behaviors play a role in the digital health of the environment.

In the epidemiology field there is rarely 100% of the information available to survey a disease of interest. Epidemiologists use statistical sampling to make inferences from their data and apply them to the whole population under investigation. By copying this process, epidigitalogists may sample a small percentage of the host population with more aggressive logging and run further statistical models to ascertain what percentage of the surveyed systems are exhibiting a digital disease. If any of the surveyed systems exhibit one, this may warrant expanding the survey to a larger group, or it may be enough information to justify implementing a mitigating control. Once a survey has been tested and deemed effective at identifying symptoms on a subset of the organization, automating it into a continuous study may improve the long-term health of the environment. In these survey exercises it is assumed that the host protection technology is not necessarily detecting the threat by name; instead, by logging more aggressively than traditional antivirus controls do, commonalities, differences and outliers can be observed.
Surveying Steps

Step 1. Retrieve the log data from hosts and the environment and run statistical models on it (e.g. 2x2 tables, frequency distributions and epicurves on different variables, as described in a future post). What percentage of hosts is exhibiting suspect activity?

Step 2. If step 1 was conclusive enough to warrant further investigation, increase the survey group size.

Step 3. If step 2 reveals outliers or commonalities indicative of a digital disease, create a mitigating control. Deploy it to the randomly sampled systems and rerun the statistical models to confirm the control is effective. Also watch the security management platform for newly detected digital disease pathogens and for false positives.

Step 4. If false positives are too high and identification of digital disease pathogens is too low, remove the mitigating control.

Step 5. If false positives are low or at an acceptable level, and identification of never-before-seen digital disease pathogens is high, extend the mitigating control to a larger survey group of systems.

Step 6. If the larger survey group does not report false positives, deploy to the entire population.

Step 7. Monitor the helpdesk for an increase in support calls, which may indicate that a mitigating control is having adverse effects.
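The tools named in step 1 (2x2 table, attack rates and risk ratio, frequency distribution, epicurve) together with the random sampling used to pick a pilot group in step 3, applied to host telemetry. This is an added example and not code from the original post or from Symantec; the twelve host records, the exposure variable `unsigned_autorun` and the outcome variable `suspect` are constructed, and the function names are illustrative.

```python
"""Epidemiology survey tools applied to host telemetry: 2x2 table, attack
rates, risk ratio, frequency distribution, epicurve and random sampling.
Added example; the host records below are constructed, not real logs."""
from collections import Counter
from fractions import Fraction
import random

# Constructed survey records, one per host. Assumption: a more aggressive
# logging policy yields an exposure variable (an unsigned autorun entry) and
# an outcome variable (suspect outbound activity) plus the day it was first seen.
HOSTS = [
    {"host": "ws01", "unsigned_autorun": True,  "suspect": True,  "onset_day": 3},
    {"host": "ws02", "unsigned_autorun": True,  "suspect": False, "onset_day": None},
    {"host": "ws03", "unsigned_autorun": False, "suspect": False, "onset_day": None},
    {"host": "ws04", "unsigned_autorun": True,  "suspect": True,  "onset_day": 3},
    {"host": "ws05", "unsigned_autorun": True,  "suspect": True,  "onset_day": 4},
    {"host": "ws06", "unsigned_autorun": False, "suspect": False, "onset_day": None},
    {"host": "ws07", "unsigned_autorun": True,  "suspect": True,  "onset_day": 6},
    {"host": "ws08", "unsigned_autorun": False, "suspect": False, "onset_day": None},
    {"host": "ws09", "unsigned_autorun": True,  "suspect": False, "onset_day": None},
    {"host": "ws10", "unsigned_autorun": False, "suspect": True,  "onset_day": 4},
    {"host": "ws11", "unsigned_autorun": False, "suspect": False, "onset_day": None},
    {"host": "ws12", "unsigned_autorun": False, "suspect": False, "onset_day": None},
]


def two_by_two(records, exposure, outcome):
    """Classic 2x2 table: a = exposed & ill, b = exposed & well,
    c = unexposed & ill, d = unexposed & well."""
    cells = {"a": 0, "b": 0, "c": 0, "d": 0}
    for r in records:
        if r[exposure]:
            cells["a" if r[outcome] else "b"] += 1
        else:
            cells["c" if r[outcome] else "d"] += 1
    return cells


def attack_rates(cells):
    """Share of exposed and of unexposed hosts that are ill (None if a group is empty)."""
    exposed = cells["a"] + cells["b"]
    unexposed = cells["c"] + cells["d"]
    ar_exposed = Fraction(cells["a"], exposed) if exposed else None
    ar_unexposed = Fraction(cells["c"], unexposed) if unexposed else None
    return ar_exposed, ar_unexposed


def risk_ratio(cells):
    """Attack rate among exposed divided by attack rate among unexposed.
    Undefined (None) when the unexposed rate is zero: no baseline to compare to."""
    ar_e, ar_u = attack_rates(cells)
    if ar_e is None or ar_u is None or ar_u == 0:
        return None
    return ar_e / ar_u


def frequency_table(records, field):
    """Frequency distribution of one variable across the surveyed hosts."""
    return Counter(r[field] for r in records)


def epicurve(records, day_field="onset_day"):
    """New cases per day, with zero-count days kept so gaps are visible."""
    days = [r[day_field] for r in records if r[day_field] is not None]
    if not days:
        return []
    counts = Counter(days)
    return [(d, counts.get(d, 0)) for d in range(min(days), max(days) + 1)]


def sample_hosts(records, fraction, seed=0):
    """Random pilot group for a mitigating control; seeded so the draw is reproducible."""
    k = max(1, round(len(records) * fraction))
    return random.Random(seed).sample(records, k)


def survey(records, exposure="unsigned_autorun", outcome="suspect"):
    """Step 1 of the surveying procedure in one call."""
    cells = two_by_two(records, exposure, outcome)
    ar_e, ar_u = attack_rates(cells)
    return {
        "table": cells,
        "attack_rate_exposed": ar_e,
        "attack_rate_unexposed": ar_u,
        "risk_ratio": risk_ratio(cells),
        "pct_suspect": Fraction(sum(1 for r in records if r[outcome]), len(records)),
        "epicurve": epicurve(records),
    }


if __name__ == "__main__":
    result = survey(HOSTS)
    t = result["table"]
    print("            suspect  well")
    print(f"exposed     {t['a']:>7}  {t['b']:>4}")
    print(f"unexposed   {t['c']:>7}  {t['d']:>4}")
    print("attack rates (exposed, unexposed):", result["attack_rate_exposed"], result["attack_rate_unexposed"])
    print("risk ratio:", result["risk_ratio"])
    print("share of hosts suspect:", result["pct_suspect"])
    print("epicurve (day, new suspect hosts):", result["epicurve"])
    print("pilot group:", [h["host"] for h in sample_hosts(HOSTS, 0.25, seed=1)])
```

With this data the attack rate is 4/6 among hosts carrying an unsigned autorun entry and 1/6 among the rest, a risk ratio of 4: the kind of commonality that justifies removing a pump handle, while the one unexposed suspect host is the outlier to investigate next. The risk ratio is deliberately undefined when no unexposed host is ill, which is the situation in which inference is weakest and a larger survey group (step 2) is needed.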

[Figure: epidigitalogy process diagram]

See previous post: Origins of Modern Epidemiology



The Market for Online Credentials

The Underground Economy, Pt. 10

Online credentials are a hot ticket in the underground economy. 1.2 billion were stolen just this month by a Russian crime ring. So, how do these hackers cash in on passwords and other online credentials? We take a closer look at how these criminals steal your information, as well as why they are so valuable.

Russian cybercrime team - another reason to use VIP


If anyone needed another reason to be wary of using solely passwords to protect their accounts, the recent report of the Russian cybercrime team that stole 1.2 billion usernames and passwords from 420,000 websites is that reason.  It makes you wonder, 1.2 Billion Login Details Stolen. Time To Retire The Password?

Although the attackers have not sold much of the stolen data, our propensity for password reuse means the risk of significant personal damage, fraud and outright theft is there.

One of the best ways to protect your online accounts is through a second factor of authentication - that way even if your password is compromised your account is still protected.  Below are some tips to protect your online data:

  • Use strong, unique passwords and never reuse them across other online accounts.
  • Activate two-factor authentication on websites that provide it. Symantec’s Validation and ID Protection (VIP) Service lets businesses implement both two-factor and risk-based token-less authentication.
  • Consider using a password manager, such as Norton Identity Safe, which safely stores different passwords for online services.

 

Follow VIP on Twitter  @SymantecVIP

It’s a New World, It’s a New Norton

Fran Rosch, EVP Norton Business Unit

The original blog is posted on Information Unleashed.

The headlines are all too familiar: “Retail Giant Reports Massive Data Breach,” “Russian Gang Amasses Billions of Web Credentials.” Despite the increase in threats, we are moving more and more of our lives online: from sensitive health and financial data, to precious photos and daily shopping. To complicate matters, our digital lives don’t just reside on a desktop but on multiple devices and platforms. Too many of us remain vulnerable to advanced threats. If we want to free ourselves to take full advantage of our amazing digital, interconnected world, we need to secure ourselves.

With that in mind, we at Norton are making significant changes to simplify and strengthen our portfolio of security products. We are making it easier to select and buy the security products you need, and download and maintain them. As cybercriminals and the attacks they launch become more sophisticated, we’re strengthening our advanced threat protection technologies and improving performance across your Android, Windows, Mac and iOS devices.

First, we’re streamlining our Norton product portfolio from nine products to one flagship solution:  Norton Security. Norton Security will be available with and without cloud backup and combines the functionality of our existing products, eliminating the need for you to choose among nine different flavors. Norton Security is currently in public beta and slated for general availability this fall.  As part of this change, we’ll be retiring some of our stand-alone legacy products, such as Norton Internet Security, Norton AntiVirus and Norton360.

We are also making the product itself simpler to use with dramatic improvements to the user interface.  With its improved look and feel as well as cloud-based management, Norton Security will feel much more like a service and less like the software you used to “set and forget.” And because Norton Security is cloud-based, it will be simple to add and manage new devices through your personal Norton account – just like you do on Netflix and iTunes. As an added benefit of this service, we’ll keep you armed with real-time updates on threats and tips to help ensure you stay confident and protected wherever you go.    

To complement Norton Security’s advanced security technologies, we will continue to offer an optional cloud backup feature to keep your data secure and always available. Norton Security is backed by the largest threat intelligence network in the world, and a team of passionate security experts working around the clock to monitor threats, develop and update our products. We will continue to provide the 24/7 customer support you’ve come to expect.

We are so confident in the protection and support provided as part of the Norton Security service, we are offering a 100% virus-free money-back guarantee. 

One Service. Total Protection. Guaranteed.

Norton has the people, products and threat intelligence to protect you and the connections you make throughout your day.

Is Cyber Security A Political Issue? Yes!


Cyber security as a political issue? Undoubtedly. What makes it so is that governments and politicians at large recognise national interest is heavily impacted by the influence of cyber – now generally used to refer to all automated or computerised systems, in terms of both hardware and software – because cyber is the horizontal element that underpins economic life.

With globalisation enabled by transport technology, communications technology and global markets, and cyber used so widely within the economy and our personal lives, its reach extends deep into the political landscape. Cyber runs our economy, it can be used to reach large amounts of the population, for committing crime, be weaponised and it affects national security – and therefore the state – at its core. All of which means that it has a direct impact on public interest and therefore attracts political attention.

UK government figures suggest cyber breaches have hit 93% of large corporations and 87% of small firms, with these attacks often criminally inspired. In some cases governments may even be the actual perpetrators of politically motivated attacks, sometimes resorting to hiring criminal gangs where they do not have the ‘in-house skills’ or simply don’t want the attribution themselves.

The bottom line of all of this? First and foremost, the threat of cyber-attacks is driving many states and businesses to devote ever greater resources to combating the challenge. At the same time, technology is jumping the curve so frequently that our approach to privacy is overtaken by the pace of change, and before the technology has time to mature in one segment it jumps the curve again. This creates tensions and risks over-extending security or privacy to the detriment of other fundamental rights. So what role should government play in this? I believe its primary responsibility here is to look at ways in which it can deliver the right regulatory protections, while also creating the economic conditions that allow technology to flourish: more support for start-ups, greater investment in educational resources and more funding for research and development to promote and attract innovation.

As far as regulatory protection is concerned, this is a massive undertaking. Some regulatory intervention will clearly happen as the market and the debate matures. Yet regulation is not always the answer. It’s not easy to buy a gun in the UK, for example, but it is to buy an online attack tool at low cost. Also, cyber is cross-border, so law enforcement agencies are challenged by the fact that their investigations depend on the skill of the attackers and the number of jurisdictions involved – i.e., the complexity of the investigation. How then can you deter anyone from cybercrime? How do you maintain relationships with neighbouring countries? We have highly established regulations around maritime activity and movement now, and while there are clear rules around cybercrime, too, international cooperation at the law enforcement level is going to take time.

As far as what Symantec can do to help combat the cyber threat, our fundamental role as a technology provider is to make sure we keep providing solutions capable of responding to the needs of our customers, affording them the right levels of protection. It also means continuing to engage with governments around the world in an advisory capacity, promoting information security best practices.

Wherever technology races ahead, so will the cyber criminals – and so will Symantec, in its commitment to serving both as a cyber defender and engine of economic growth.

For more information please read the Full Government Report of this year’s Symantec Internet Security Threat Report.

Resolving Microsoft Add-ins Issues


OfficeIns from NirSoft is a portable freeware utility that lists all the Microsoft Office add-ins present on your computer.

This tool is useful when Microsoft Office add-ins cause problems (e.g. an add-in that prevents Outlook from opening, or makes it stop responding while the add-in is running). It lists all installed add-ins for Microsoft Office products (Word, Excel, Outlook, PowerPoint, Project, Access, Visio and FrontPage) and lets you easily disable and enable them.


License : Freeware

Link : OfficeIns 

The Human-Ocean Connection

What My 31 days Spent Underwater Means to Me and to You

For those who don’t know me, my name is Fabien Cousteau, and I am an oceanic explorer, conservationist, and leader of Mission 31. My grandfather Jacques-Yves Cousteau was one of the world’s most well-known underwater researchers.

[Photo: Fabien and his grandfather Jacques-Yves Cousteau.]

Last month I had the pleasure of being the keynote speaker at Symantec’s inaugural Green Talks lecture series. Green Talks are lectures that provide an opportunity for employees to learn about the importance of environmental sustainability through inspiring and informative talks by environmental experts within and outside the company. It was great to see, first hand, how one of the world’s top technology companies is working hard to engage employees on this important topic, one I am most passionate about. 

At the lecture series I spoke about my newest project Mission 31 and the human-ocean connection. Created in 2013, the Mission 31 expedition breaks new ground in ocean exploration and coincides with the 50th anniversary of the monumental legacy left by my grandfather, who is also credited with creating the first underwater habitats for humans and leading a team of ocean explorers on the first attempt to live and work underwater.

As part of Mission 31, this summer I spent 31 days living and working on the ocean floor to better understand the impacts on our coral reefs. As many of you probably know, our coral reefs are in danger, and healthy reefs are getting much harder to find. They are a window into the overall health of our oceans and one of the crucial components to a functioning oceanic ecosystem.

[Photo: Ocean dives for Mission 31 took place three times a day, allowing the team to closely study from the world’s only undersea marine laboratory.]

I feel very lucky to have had the opportunity to study from the world’s only undersea marine laboratory at length and so closely, as it really is an invaluable tool which offers unique advantages in science, data collection and exploration just not afforded any other way.

So why 31 days? 31 days took me just 24 hours past my grandfather’s record for living underwater. I couldn’t have been happier to continue and celebrate the legacy of his work and I hope the impact of my expedition will go well beyond 31 days, raising awareness of the importance of ocean conservation and environmental sustainability.

A day in the life of

As we were immersed in research and wanted to make the most of our time down under, my day started first thing, at 4:30 am, with the first dive between 5:30 and 9 am, another between 11:30 am and 2 pm and a final evening dive from 6 to 9 pm. In between, our time was spent reaching out to media, eating, resting and recuperating for the next day’s adventure. After 31 days, my team and I resurfaced completely exhausted.

You can see some of it first hand on the Mission 31 website here.

What my 31 days spent underwater means to me and to you

There are many reasons I am passionate about ocean conservation and have dedicated my life to carrying on my grandfather’s legacy. One of the key issues I see is that people wrongly believe the ocean is less susceptible to impact than land. The ocean is often seen as an infinite resource, and too often people feel that what we put into it just somehow disappears. Too many of us have come to treat our ocean as a universal sewer.

While there are large-scale, systematic changes that need to happen, there are a few easy steps that each of us can take – right now - to help preserve our oceans and sealife:

  • Watch your seafood intake. Use a seafood guide (e.g. the Seafood Watch app) at the store or restaurant to make sustainable choices.

  • Garbage in = garbage out. All things we throw away eventually go to the ocean. Single-use plastics are a huge contributor to ocean pollution. While there are great efforts out there to clean up our oceans and beaches, I must emphasize this is not the cure to the problem. We must stop the issues at their source if we hope to have a cleaner ocean in the future.

    For example, a question arose at the event where someone asked if I had seen a connection between the decrease in starfish and the degradation of our oceans. I most certainly have, and this doesn’t only apply to starfish. Starfish, like many slow-moving bottom dwellers, are quite susceptible to man-made pollution because much of it settles to the sea floor. Again, the best way to reverse this is to stop the runoff of chemicals and pollution into the ocean at the source.

  • Sign up for a fun aquatic (fresh or salt water) restoration project in your area (or on vacation) with friends and family.


No problem is too big, no person too small


I would like to wrap up this article with a question that was asked at the event.

There is an old saying, something to the effect of:  If you think you are too small to make a big difference, you have never been in bed with a mosquito.  What would you say to these people so they will get on board and do their part to protect our oceans?

To this I say, no problem is too big, no person too small to make a tangible positive impact! And it tends to be contagious. When we see how easy it can be for other people to make a small change, to make a difference, we want to do the same. It is easy to make excuses, but it is much more rewarding to see the success of your actions.


Fabien Cousteau is a Filmmaker and Oceanographic Explorer


Vote for Symantec Mobility: Suite for a CTIA MobITS Award


Symantec Mobility: Suite is a finalist in the 2014 CTIA Awards MobITS program, Mobile Security & Privacy category. Vote for Symantec by clicking here. This link will bring you to our entry page where voters only have to click on the “Sign Up/Sign In to vote” link. Voting ends on Monday, September 8 @ 5:00 PM PT. 

Winners will be announced at this year’s Super Mobility Week on September 10, 2014


Phishers serve up Paolo Bediones sex video, steal Facebook user logins


A fake Facebook website is behind a phishing campaign offering up the sex scandal video of Filipino TV host Paolo Bediones.

Does my Enterprise Vault Archive look 'big'?


One of the questions that comes up is whether or not to roll over archives in Enterprise Vault. End user archives typically don't get that big, usually a few GB. File System Archives, Public Folder archives and Journal Archives, though, can all become pretty massive over time.

So should you have one large archive, or several smaller ones?

For end user archives I wouldn't recommend splitting them and having multiple per user. These archives are just not going to reach the scale that might cause issues: even an archive with 50,000,000 items and 400 GB in size is a drop in the ocean compared with FSA Archives, Public Folder Archives and Journal Archives. Split archives for end users can be confusing too, because users will see them in the search interface and in Archive Explorer.

For some types of archive there are benefits in splitting them up. I'll cover FSA and Public Folder archives in a future article; for now, let's focus on Journal Archives.

Splitting a Journal Archive

Journal Archives lend themselves quite well to be split at a date-based boundary. Depending on the size of the environment it might be desirable to split monthly, quarterly or yearly. I'd suggest quarterly is a 'good' compromise in terms of number of archives, versus the size of them. Splitting the journal archive like this can have a number of benefits, for example:

  • Index rebuilds, conversions or repairs are usually quicker, because you can target a smaller archive
  • Searches will be quicker when using tools like Discovery Accelerator
  • Discovery Accelerator won't look at the index/archive if you're not looking for items in that date range
  • Exports in Discovery Accelerator will be quicker

Splitting the 'archive' up like this also helps manageability of all kinds. For example, if the Vault Store that the archives live in starts to reach a high number of items, the 'next' journal archive can be created in a new or different vault store.

Do you split your journal archive up like this, or in some other way? Do you keep it as one big archive? Let me know in the comments below.


Looking for CSP Resident in Raleigh, NC


We are looking to hire a CSP resident in the Raleigh, NC area.  The req can be found at:

http://www.symantec.com/about/careers/careers.jsp?areq=%2021145BR

Please contact Ryan Alves at ryan_alves@symantec.com.

Responsibilities

This Resident Consultant will be the trusted advisor in Symantec Data Center Security (DCS) - formerly Critical System Protection (CSP) - for a customer located in Raleigh, NC.  The successful candidate will be part of a team of onsite Consultants that support multiple Symantec technologies for this customer.  The primary responsibilities include:

  • Prevention and Detection policy testing, tuning, and automation
  • Customized reporting and analytics
  • Upgrade testing and deployment
  • Assist with daily administration and optimization of the DCS/CSP environment
  • Assist with DCS/CSP events and remediation
  • Assist with creating and managing process, procedure and best practices documentation
  • Support business enablement activities as the DCS/CSP subject matter expert
  • Informal DCS/CSP knowledge-sharing and ad-hoc training
  • Liaise with Technical Support, Engineering and Product Management
  • Drive break/fix issues to resolution
  • Report program status regularly highlighting DCS/CSP activities, tasks and accomplishments
  • Cross train on other Symantec technologies utilized by the client including Endpoint Protection (SEP), Data Loss Prevention (DLP), Messaging Gateway (SMG), Web Gateway (SWG), Email Encryption (PGP) and Symantec Security Information Manager (SSIM)
  • Assessing the security impact of traffic anomalies on customer networks
  • Articulating technical security issues to customers, both verbally and written
  • Responding to technical security questions and concerns from customers
  • Possessing a deep understanding of hacker techniques, vulnerabilities, attacks and countermeasures
  • Maintaining a strong awareness and understanding of the current threat landscape
  • Conducting research on emerging security threats and potential customer impact
  • Performing malware analysis and risk management on a computer system

Qualifications

  • A passion for security, learning, and knowledge sharing
  • 6-8 years of experience in Information Security
  • 2+ years of experience creating and tuning detection and prevention policies for data center server security using Symantec DCS/CSP or competitive products
  • 2+ years of experience with security incident response and remediation
  • Experience working with other Symantec or competitive security technologies: such as SSIM, SEP, DLP, SMG, SWG, and PGP email preferred
  • In-depth understanding of host-based intrusion detection (HIDS) and host-based intrusion prevention (HIPS)
  • Experience with file integrity monitoring and application whitelisting preferred
  • Strong knowledge of the TCP/IP protocol suite and related security concerns
  • Working knowledge of Microsoft SQL or competitive database platforms
  • Strong knowledge of operating system platforms, routers, web proxies (BlueCoat), network protocols, and security architecture
  • Working knowledge of well-known security tools such as NMAP, Nessus, TCPDump, Wireshark, Netcat, Backtrack, Encase, Helix, FTK
  • Working knowledge of common attacks and vulnerabilities
  • Strong understanding of common categories of malware and characteristics of each
  • Advanced college coursework in Computer Science or Information Technology, or equivalent experience preferred
  • Relevant industry standard certifications preferred (SANS, CISSP, C|EH, etc.)
  • Excellent written and verbal communication
  • Ability to pass an enhanced background verification (Public Trust)
  • Applicant must have resided and worked in the U.S. for 5 years to pass background verification

 

Protecting Your Virtual Network


Virtual data centers are helping businesses become more productive and agile in today's changing world, but they are susceptible to cyber attacks. What is the best course of action to protect and manage data in a virtual environment?

What’s New in the Spam Market?

The Underground Economy, Pt. 11

Spam has been around for years, clogging up email folders with "junk" mail with links that lead to scam websites, or a download of malicious code. But the spam market is evolving, from the inbox to the places where we spend the most time sharing information online.

Our Cheat Sheet for Keystone (OpenStack) Resources


I have been asked these questions quite often now:

  • What is the best resource for understanding Keystone Overview?
  • Are there any blog posts showcasing some of the key functionalities of Keystone?
  • Do we have resources detailing Keystone APIs?
  • so on and so forth ...

Instead of sending emails to individuals, I thought it would be great to create a blog with a list of blogs and docs that I follow/refer almost every day.

This blog serves as a live cheat sheet of our resources for Keystone. Feel free to share any related blog which you think would be helpful to add in this list:

 

  


MS14-045 and MSWU-1010, Broken Updates and Patch Automation

A Quick Fix

As the title suggests, I recently had a problem with Microsoft revoking updates (MS14-045 and MSWU-1010). It seems simple enough, but even though those updates are marked as disabled in the Altiris database, the Zero-Day Patch workflow still tries to download them. This causes all kinds of problems, because when the workflow can't download a patch it crashes. If you are like me, you don't want to manually create and manage patches. So what do you do?

1. Figure out which database you are using. This seems simple enough, but if you have been dealing with legacy installations like we were it can get a little silly. CMDB is the default.

2. Check the correct table; in our case the database is Altiris-2014. I jumped onto our SQL server and ran the following query:

SELECT TOP 1000
    [Guid],
    [Enabled]
FROM [Altiris-2014].[dbo].[ItemActive]
-- Uncomment to look at specific bulletins; Enabled = 0 means the update has been disabled (revoked)
-- WHERE [Guid] IN ('41F066A7-0E7E-4BF1-B6A5-195573F9F3D6', 'BA28B8E2-289A-4FA3-8D6D-BBF99E1E5721')

3. Note that I have commented out the GUIDs here. I used them to confirm that the workflow was picking up disabled updates.

4. On to the workflow. This is where things get a bit wonky.

5. Create a component; I called it Patch Disabled. You will need the data connection string for the Altiris database:

Data Source=SQL-SERVER-NAME.domain;Initial Catalog=Altiris-2014;Integrated Security=SSPI;

6. This is done from Symantec Workflow Manager. Select New -> Integration and name it whatever you want. Run the tool as administrator or you will have issues saving.

7. You will be asked to create a generator. I selected Table Generator. Name it whatever you please.

8. At this point you can set up the connection. Choose SQL Server Provider and use the connection string from step 5.

9. Select the table ItemActive (the table queried in step 2).

10. Make sure both columns (Guid and Enabled) are selected, then save. Populate the connection string into the components and mark it read-only. You can now import this.

11. Open Symantec.Patch.Zero.Day.

12. Click Import Components and select the repository. You should see the component there.

13. You are ready to put this in your workflow.

14. Open the Get Bulletins object, then Filter Available Bulletins; you should see 6 elements under Filter Model.

15. All your additions go between Item Is In Collection and Keep Value.

16. Place your Is Enabled object after Item Is In Collection.

17. Connect the True wire to it.

18. Here is the rundown for the inputs:

19. Data Type = ItemActiveObject; Result Variable Name = ItemActiveRetrieveData; GUID = [Element._ResourceGuid] with Use GUID checked; Enabled left blank, Enabled Condition = Equals; Use Enabled and Throw on No Data left unchecked; Connection String = the string from steps 5 and 8; Transaction Configuration = Do Not Participate.

20. Make sure Data Not Found goes to Filter Out Value.

21. Make sure Data Found goes to a True/False flag.

22. The True/False flag should test the value [ItemActiveRetrieveData[first].Enabled].

23. False goes to Filter Out Value and True goes to Keep Value.

24. That's it: Save, Check In, Publish.
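As an added example (not part of the original post), here is the same three-way check the workflow component performs, written in Python against an in-memory SQLite stand-in for the ItemActive table so it runs offline. Only the two columns the post's query reads (Guid, Enabled) are modelled; the table layout, the sample GUIDs and the helper names are assumptions for this example. To run it against the real CMDB you would replace the SQLite connection with one built from the step 5 connection string (for instance with pyodbc) and keep the filtering logic unchanged.

```python
import sqlite3
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for the ItemActive table: the two columns the post's
# query reads (Guid, Enabled). These GUIDs are made up for this example.
SAMPLE_ITEMACTIVE = [
    ("11111111-1111-1111-1111-111111111111", 1),  # enabled bulletin
    ("22222222-2222-2222-2222-222222222222", 0),  # revoked, marked disabled
    ("33333333-3333-3333-3333-333333333333", 1),
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory copy of [dbo].[ItemActive] with only the columns we need.

    Against the real CMDB you would open a SQL Server connection with the
    connection string from step 5 and run the same SELECT; the filtering
    logic below does not change. (Schema here is assumed for the example.)
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ItemActive (Guid TEXT PRIMARY KEY, Enabled INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO ItemActive (Guid, Enabled) VALUES (?, ?)", SAMPLE_ITEMACTIVE
    )
    conn.commit()
    return conn


def lookup_enabled(conn: sqlite3.Connection, guid: str) -> Optional[bool]:
    """Return the Enabled flag for one bulletin GUID.

    None means the row is absent, which is the 'Data Not Found' path in the
    workflow (step 20). Both sides are upper-cased so a GUID pasted in either
    case still matches.
    """
    row = conn.execute(
        "SELECT Enabled FROM ItemActive WHERE upper(Guid) = upper(?)", (guid,)
    ).fetchone()
    if row is None:
        return None
    return bool(row[0])


def filter_bulletins(
    conn: sqlite3.Connection, guids: Iterable[str]
) -> Tuple[List[str], Dict[str, str]]:
    """Apply the three-way branch the post adds to Filter Available Bulletins.

    no row      -> filter out (Data Not Found -> Filter Out Value)
    Enabled = 0 -> filter out (flag False -> Filter Out Value)
    Enabled = 1 -> keep       (flag True  -> Keep Value)
    Returns the kept GUIDs and a map of dropped GUID -> reason.
    """
    kept: List[str] = []
    dropped: Dict[str, str] = {}
    for guid in guids:
        state = lookup_enabled(conn, guid)
        if state is None:
            dropped[guid] = "not present in ItemActive"
        elif not state:
            dropped[guid] = "disabled in ItemActive (revoked update)"
        else:
            kept.append(guid)
    return kept, dropped


if __name__ == "__main__":
    db = build_sample_db()
    candidates = [
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
        "44444444-4444-4444-4444-444444444444",  # unknown to the CMDB
    ]
    keep, drop = filter_bulletins(db, candidates)
    print("download:", keep)
    for guid, why in drop.items():
        print("skip:", guid, "-", why)
```

Running it prints one bulletin to download and two to skip, with the reason for each; handing the workflow only the kept list is what stops the Zero-Day Patch job from crashing on a revoked update, and treating a missing row as "filter out" rather than "keep" is the conservative default for a patch pipeline.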

 

 


European automobile businesses fall prey to Carbon Grabber


Cybercriminals target automotive companies in the UK, the Netherlands, Germany, and Italy with Infostealer.Retgate.

Epidigitalogy: Digital Disease Control (Part IV)

Leveraging Waiting Room Time
     Organizations can continue to rely solely on their security vendors to provide the miracle drug or antidote for a digital disease pathogen, or they can take a more hands-on surveying approach to improve security. Relying on the security vendor is the traditional practice, normally followed by applying pressure on the vendor to deliver the miracle drug or antidote quickly. The time spent waiting allows the digital disease pathogens to mutate and spread further in the environment. Another approach organizations take is to install many different security technologies with all the bells and whistles activated, in the hope of detecting and preventing the next threat. Unfortunately, enabling every prevention feature of a security product, or of a collection of them, has an unwanted side effect: with prevention set to a very aggressive level, the rate of false positives rises. What if we instead ran the extra protection technologies in logging mode initially and made subsequent policy changes based on statistically significant observations?

Here is an example of a SIR surveying tool:

Illustration 4. Susceptibility, Infection and Recovery Timeline (image: illustration4.PNG)
           Illustration 4 shows a SIR timeline borrowed from epidemiology, where it is normally used to track Susceptibility, Infection, and Recovery (SIR) of human beings during an outbreak investigation. In this epidigitalogy SIR graph sample, the x-axis represents 30 days of time and the y-axis represents the individual digital hosts in the environment. As time progresses across the x-axis, a red circle marks the day an infection was reported; the length of the red line that follows is the duration of the infection, and its end is the resolution. Any host that is repeatedly infected stands out immediately to the epidigitalogist, and a pattern of recurring events indicates an underlying issue on the host that needs further investigation. The illustration also identifies the "expiration" of a host: a black dot marks the day the host last reported into the central reporting system, and the black line that follows shows how long it has been silent since. If a host repeatedly reports digital disease indicators being detected and cleaned, this graph will show a recurrence that may mask a deeper digital disease pathogen. For example, a host with a downloader may never have the downloader itself identified, but the repeated downloading and cleaning of secondary files is a tell-tale sign of a deeper issue. By observing this type of repeated action on the graph, a host can be placed under watch for further analysis or continued study.
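The timeline above can be built directly from endpoint logs. The following Python is an added example, not part of the original article, that folds a constructed set of detection, clean-up and check-in events (not real log data) into one SIR row per host, draws the row as text, and flags the patterns the paragraph calls out: repeat infections, an infection that was never reported cleaned, and a host that has gone silent. Event names, thresholds and host names are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WINDOW_DAYS = 30  # the x-axis of Illustration 4

# Constructed endpoint-protection events as (day, host, event); not real logs.
# "infected" = detection reported, "cleaned" = remediation reported,
# "checkin" = host reported to the management server with nothing to say.
SAMPLE_EVENTS = [
    (1, "ws-01", "checkin"),
    (3, "ws-01", "infected"), (5, "ws-01", "cleaned"),
    (9, "ws-01", "infected"), (10, "ws-01", "cleaned"),
    (15, "ws-01", "infected"), (16, "ws-01", "cleaned"),
    (29, "ws-01", "checkin"),
    (2, "ws-02", "checkin"),
    (12, "ws-02", "infected"), (14, "ws-02", "cleaned"),
    (28, "ws-02", "checkin"),
    (4, "ws-03", "checkin"),
    (6, "ws-03", "infected"),
    (8, "ws-03", "checkin"),  # never cleaned, and silent after day 8
]


@dataclass
class HostTimeline:
    host: str
    # (start_day, end_day); end_day is None while the infection is still open
    infections: List[Tuple[int, Optional[int]]] = field(default_factory=list)
    last_report: int = 0  # last day the host reported anything at all


def build_timelines(events, window_days: int = WINDOW_DAYS) -> Dict[str, HostTimeline]:
    """Fold raw events into one SIR timeline per host."""
    # Process detections before cleanings that land on the same day so a
    # same-day detect/clean pair is recorded as a one-day infection.
    order = {"infected": 0, "cleaned": 1, "checkin": 2}
    timelines: Dict[str, HostTimeline] = {}
    for day, host, event in sorted(events, key=lambda e: (e[0], order.get(e[2], 3))):
        tl = timelines.setdefault(host, HostTimeline(host))
        tl.last_report = max(tl.last_report, day)  # any event is a sign of life
        open_case = bool(tl.infections) and tl.infections[-1][1] is None
        if event == "infected" and not open_case:
            tl.infections.append((day, None))
        elif event == "cleaned" and open_case:
            tl.infections[-1] = (tl.infections[-1][0], day)
    return timelines


def days_expired(tl: HostTimeline, window_days: int = WINDOW_DAYS) -> int:
    """Length of the black 'expiration' line: days since the last report."""
    return window_days - tl.last_report


def watchlist(timelines: Dict[str, HostTimeline], min_infections: int = 2,
              stale_days: int = 7) -> Dict[str, List[str]]:
    """Hosts worth a closer look: repeat infections, an infection that never
    resolved, or a host that went quiet. These are the patterns the text says
    may mask a deeper pathogen (for example an undetected downloader)."""
    flagged: Dict[str, List[str]] = {}
    for host, tl in timelines.items():
        reasons = []
        if len(tl.infections) >= min_infections:
            reasons.append(f"{len(tl.infections)} infections in {WINDOW_DAYS} days")
        if any(end is None for _, end in tl.infections):
            reasons.append("infection never reported as cleaned")
        if days_expired(tl) >= stale_days:
            reasons.append(f"no report for {days_expired(tl)} days")
        if reasons:
            flagged[host] = reasons
    return flagged


def render(tl: HostTimeline, window_days: int = WINDOW_DAYS) -> str:
    """One text row per host: 'o' infection start, '-' infected, '#' expired."""
    row = ["."] * window_days
    for start, end in tl.infections:
        stop = end if end is not None else window_days
        for day in range(start, stop + 1):
            row[day - 1] = "-"
        row[start - 1] = "o"
    for day in range(tl.last_report + 1, window_days + 1):
        row[day - 1] = "#"
    return "".join(row)


if __name__ == "__main__":
    tls = build_timelines(SAMPLE_EVENTS)
    for host, tl in sorted(tls.items()):
        print(f"{host:6} {render(tl)}")
    for host, reasons in watchlist(tls).items():
        print(host, "->", "; ".join(reasons))
```

With the constructed events, ws-01 is flagged for three infections in the window (the repeated clean-and-reinfect pattern), ws-03 for an infection that was never resolved and for going silent on day 8, and ws-02 is left alone. The thresholds are the knobs an epidigitalogist tunes to the environment's baseline; a fleet that legitimately goes offline for a week needs a larger stale_days than one that checks in hourly.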
     One of the software tools that Centers for Disease Control and Prevention Epidemic Intelligence Service (CDC EIS) personnel use in their investigations is called EpiInfo. While developing this epidigitalogy idea, I tested EpiInfo with endpoint security logs to determine whether its analysis added value to an investigation of a digital host population. What I discovered was that the statistical models epidemiologists use for frequency counts, 2x2 analysis, and proactive trending of diseases in the human population are applicable to digital hosts.
Here is an example of using the CDC's EpiInfo to get to the "a-ha" moment that connects the tools used by epidemiologists to those of epidigitalogists. We first perform a basic frequency distribution count across machines, applications or non-malicious file alerts in the environment. If we look at the frequency count of executable violations of application access rules, we obtain a list of the files with the most violations of the policy. By performing an MxN (2x2) analysis in EpiInfo, we quickly see that copycode.exe is violating the USB write policy. We can follow this 2x2 table with a list of all machines containing copycode.exe, and then look at all activity for the systems that had copycode.exe present.
 

Illustration 5. EpiInfo MxN, 2x2 Report Generation Widget (image: Illustration5.PNG)
       In these 2x2 tables, epidigitalogists look at what the hosts were exposed to and the corresponding health outcome. This allows epidigitalogists to quantify the association between exposure to a digital disease pathogen and the resulting outcome. When this type of report is run, the epidigitalogist can begin to make inferences from the data. In the case of this 2x2 it appears that copycode.exe is triggering the most USB write block events. It is important to point out that these are not virus alerts, but simple policy violations that may be indicative of digital disease presence. It's completely possible that this is an internal application and an authorized user, but it may also be a data leak. We cannot know for sure if this is intentional, unintentional or malicious in nature. An epidigitalogist that knows their environment will be able to better filter out the noise and get to the rare-but-deadly digital diseases. This report will (at a minimum) get an epidigitalogist on the path to investigate further using the existing logs, and if further analysis of logs contain more indicators, more hands-on analysis of the hosts may be necessary.
Illustration 6. EpiInfo MxN, 2x2 Report Results (image: illustration6.PNG)
     Illustration 6 shows the detected processes by rule violation. By looking closely at the Rule_Name count, it is easy to see that 199 USB blocks were triggered by copycode.exe. The other entries are more easily filtered out based on knowledge of the environment and the known good status of setup.exe and chrome.exe.
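The following Python is an added example, not output from EpiInfo or code from the article, that reproduces the three steps above on a constructed set of application-control violations (host, process, rule): a frequency count per executable, the MxN process-by-rule crosstab that surfaces copycode.exe against the USB write rule, and, going one step further than the illustrations, the classic exposure/outcome 2x2 with relative risk and odds ratio, which is how epidemiologists quantify the association between an exposure (copycode.exe present on a host) and an outcome (USB write blocks on that host). The host names, rule names and counts are made up; the counts were chosen so copycode.exe lands on the 199 USB blocks seen in Illustration 6.

```python
from collections import Counter
from typing import Dict, Iterable, Optional, Set, Tuple

# Host population under study (constructed). h8 produced no violations at all;
# it still counts, otherwise the 2x2 denominators are wrong.
HOSTS = ["h1", "h2", "h3", "h4", "h5", "h6", "h7", "h8"]

# Constructed application-control violations as (host, process, rule).
# Counts chosen so copycode.exe lands on the 199 USB blocks of Illustration 6.
SAMPLE_VIOLATIONS = (
    [("h1", "copycode.exe", "USB Write Block")] * 120
    + [("h2", "copycode.exe", "USB Write Block")] * 50
    + [("h3", "copycode.exe", "USB Write Block")] * 29
    + [("h4", "copycode.exe", "Registry Write Block")] * 5
    + [("h5", "setup.exe", "USB Write Block")] * 4
    + [("h5", "setup.exe", "Registry Write Block")] * 12
    + [("h6", "chrome.exe", "Network Connect Block")] * 40
    + [("h7", "chrome.exe", "Network Connect Block")] * 15
)

Event = Tuple[str, str, str]


def frequency_by_process(events: Iterable[Event]) -> Counter:
    """Step one in the text: a plain frequency count of violating executables."""
    return Counter(process for _, process, _ in events)


def crosstab(events: Iterable[Event]) -> Counter:
    """MxN table of process x rule: the 'detected processes by rule violation' view."""
    return Counter((process, rule) for _, process, rule in events)


def top_process_for_rule(table: Counter, rule: str) -> Optional[Tuple[str, int]]:
    """Which executable triggers a given rule most often (None if the rule never fired)."""
    hits = [(proc, n) for (proc, r), n in table.items() if r == rule]
    return max(hits, key=lambda x: x[1]) if hits else None


def hosts_with(events: Iterable[Event], process: Optional[str] = None,
               rule: Optional[str] = None) -> Set[str]:
    """Hosts on which a given process (exposure) and/or rule (outcome) was observed."""
    return {
        host for host, proc, r in events
        if (process is None or proc == process) and (rule is None or r == rule)
    }


def two_by_two(population: Iterable[str], exposed: Set[str],
               outcome: Set[str]) -> Dict[str, int]:
    """Epidemiology 2x2: a = exposed with outcome, b = exposed without,
    c = unexposed with outcome, d = unexposed without."""
    cells = {"a": 0, "b": 0, "c": 0, "d": 0}
    for host in population:
        if host in exposed:
            cells["a" if host in outcome else "b"] += 1
        else:
            cells["c" if host in outcome else "d"] += 1
    return cells


def relative_risk(t: Dict[str, int]) -> Optional[float]:
    """Risk of the outcome among exposed hosts divided by risk among unexposed.
    None when a denominator is zero (too little data to say anything)."""
    exposed_n, unexposed_n = t["a"] + t["b"], t["c"] + t["d"]
    if exposed_n == 0 or unexposed_n == 0 or t["c"] == 0:
        return None
    return (t["a"] / exposed_n) / (t["c"] / unexposed_n)


def odds_ratio(t: Dict[str, int]) -> Optional[float]:
    """(a*d)/(b*c); None when an empty cell would put a zero in the denominator."""
    if t["b"] == 0 or t["c"] == 0:
        return None
    return (t["a"] * t["d"]) / (t["b"] * t["c"])


if __name__ == "__main__":
    freq = frequency_by_process(SAMPLE_VIOLATIONS)
    print("violations per executable:", freq.most_common())
    table = crosstab(SAMPLE_VIOLATIONS)
    print("top USB offender:", top_process_for_rule(table, "USB Write Block"))
    exposed = hosts_with(SAMPLE_VIOLATIONS, process="copycode.exe")
    outcome = hosts_with(SAMPLE_VIOLATIONS, rule="USB Write Block")
    t = two_by_two(HOSTS, exposed, outcome)
    print("2x2:", t, "RR =", relative_risk(t), "OR =", odds_ratio(t))
```

The 2x2 is computed over the whole host population, including hosts that produced no violations; leaving those out distorts both the exposed and the unexposed risk. The ratios return None when a cell that would sit in a denominator is empty, which in practice means the population is too small to draw an inference from. A relative risk of 3 on four hosts per arm, as in this sample, is a reason to pull the copycode.exe machines in for a closer look, not proof of a data leak.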
What if, instead of encasing our hosts in inconvenient security bubbles, we were to continuously monitor and survey them, so that we could respond to the initial disease pathogens quickly enough to remove the disease before it gains a strong foothold? By taking this continuous monitoring and surveying approach, we strike a balance between early detection and response and minimizing false positives. Do we really wish to keep waiting in the information security emergency room for our next patient? Do we wish to wait for the security vendor to deliver the vaccine or cure for our digital disease symptoms? Or do we start taking some proactive action of our own? Should we start doing the equivalent of epidemiological investigations? Should we incorporate a daily survey into our regimen? Should we educate end users on the healthy habits of computing? As the equivalent of washing their hands as a preventive health measure, let's make sure the hosts do not go into the dirty water. But if they must enter the dirty water, let's ensure they go with adequate protection, or at least have someone ready to help them out of the water and decontaminate them quickly.
 

Trust In Our Digital Cities
     During Dr. Snow's time the general belief was that cities were unhealthy, and that humanity was not destined to live in them because of the prevalence of disease. Epidemics were presented as evidence of the unnatural state of humans in cities and the resulting hardships encountered there. If you had asked a mid-19th century Londoner what they thought of the future of cities, they would probably have told you that it was a passing phase and that disease would send people back to the countryside. If you asked the average person today what they thought of their digital existence online, they would probably say they don't trust it, and that the rampant diseases online make it a place humanity will never be able to fully integrate into its life. Some people have already retreated to the digital countryside, or avoided the digital world as much as possible, rather than fully integrate into the network. This lack of trust in ecommerce and online banking is not that different from the mid-19th century Londoner's view of the viability of cities and whether people should really be there. It is up to us to start treating the threats for what they really are: digital diseases. Once we understand digital diseases better, we can learn to adapt our hosts and environments to withstand them.
To be successful, like Dr. Snow, we must know our digital community. We must know our network and know our digital citizens. By knowing our "normal" boundaries, we can detect the abnormal. We can no longer simply sit back and wait for antivirus logs; looking only at antivirus logs is like looking only at death certificates. Look at other data: login intervals, patching cycles, install instances, network traffic, and so on. The better we understand our community, the better we can take care of it.

 

Previous post: Part III, Following in Dr. John Snow's Footsteps
 

Countering the security risks from third party mobile apps


Mobile apps continue to pose a major security headache for organizations; NIST offers some advice on how to tackle the issues.

Backoff Trojan Is Back: Protect Your Business From The Next POS Breach


The point-of-sale malware Trojan.Backoff has been reported to have affected more businesses than the Department of Homeland Security originally determined. Find out the best way to protect your business, and your customers.
