A bomb just dropped in endpoint security…


Pay no attention to the man behind the curtain…

VirusTotal just dropped a major bomb, and only people deep in the endpoint security ecosystem understand the ramifications of this announcement.

If you’re involved in endpoint security to any degree – as a customer or an industry person – you need to understand what just happened. It’s really, really big.

A bit of background.
VirusTotal is a multi-engine virus scanner. You upload a file, and it passes the file to a large number of commercial antivirus products, and it tells you which engines detected the file as malicious.

While there are other tools available, and some have come and gone, VirusTotal is the big dog in the space. It’s owned by Google, has massive computing and resource power and everyone in the security industry uses it.

VirusTotal shares the results with subscribers. So, you can pay to get extensive and detailed information on what has been detected at any moment of the day, and who detected it. 

How antivirus companies use VirusTotal to make better detections.
It’s common practice of antivirus companies to use VirusTotal as a tool to make better signatures.

For example, if a researcher finds that two high quality antivirus engines detect a file as malicious, they have a high confidence that it’s actually malicious without further analysis. As an antivirus researcher, it saves an enormous amount of time.

Now, there’s absolutely nothing wrong with using VirusTotal results in research, and many antivirus companies use VirusTotal to supplement their own labs. They get samples from VirusTotal, and along with the samples, who detected them. If they find that a couple of high quality engines are detecting a file, they can easily add the detection to their own signatures without much further thought.

Now, there’s a next step. You could set up an API integration with your product. If you scan a user’s machine and find an unknown file, you could upload it through an API to VirusTotal and get a disposition on the file: who detects it. From this data, you can flag a file as malicious.
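What that integration looks like in practice, as an added example (not VirusTotal’s code and not any vendor’s product): the report layout follows the VirusTotal v3 `files/{sha256}` object, but the engine names, the thresholds and the two sample reports are constructed here for illustration. Note the two practitioner choices baked in: look the hash up rather than uploading the customer’s file, and treat “nobody detects it” as unknown rather than clean.

```python
"""Turning multi-engine scan results into a file disposition.

Added example for this post, not VirusTotal's or any vendor's code. The
report layout follows the VirusTotal v3 'files/{sha256}' object
(data.attributes.last_analysis_results -> {engine: {category, result}});
the engine names, thresholds and sample reports are constructed.
"""
import hashlib
import urllib.request
from typing import Optional

# Which engines carry extra weight is a policy choice; placeholder names.
TRUSTED_ENGINES = {"EngineA", "EngineB", "EngineC"}
MIN_TRUSTED_HITS = 2   # the "two high-quality engines" rule from the post
MIN_TOTAL_HITS = 5     # or a broad consensus across all engines
MALICIOUS_CATEGORIES = {"malicious", "suspicious"}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_request(sha256: str, api_key: str) -> urllib.request.Request:
    """Look the hash up instead of uploading the file: an upload hands the
    customer's (possibly confidential) file to every participating engine
    and makes it visible to other subscribers. The request is only built
    here, never sent, so the example runs offline."""
    return urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key},
    )


def disposition(report: Optional[dict]) -> dict:
    """Apply the policy to one report. A None report (hash never seen) and a
    report with no hits are both 'unknown': the absence of detections is not
    evidence that a file is clean, only that nobody has flagged it yet."""
    if report is None:
        return {"verdict": "unknown", "hits": {}, "trusted_hits": [], "engines": 0}
    results = report["data"]["attributes"]["last_analysis_results"]
    hits = {engine: r.get("result") for engine, r in results.items()
            if r.get("category") in MALICIOUS_CATEGORIES}
    trusted = sorted(e for e in hits if e in TRUSTED_ENGINES)
    if len(trusted) >= MIN_TRUSTED_HITS or len(hits) >= MIN_TOTAL_HITS:
        verdict = "malicious"
    elif hits:
        verdict = "suspicious"   # one or two weak hits: queue for analyst review
    else:
        verdict = "unknown"
    return {"verdict": verdict, "hits": hits, "trusted_hits": trusted,
            "engines": len(results)}


# Constructed sample reports, not real scan data.
SAMPLE_MALICIOUS = {"data": {"attributes": {"last_analysis_results": {
    "EngineA": {"category": "malicious", "result": "Trojan.Downloader"},
    "EngineB": {"category": "malicious", "result": "Trojan.Agent"},
    "EngineC": {"category": "undetected", "result": None},
    "EngineD": {"category": "undetected", "result": None},
    "EngineE": {"category": "type-unsupported", "result": None},
}}}}
SAMPLE_WEAK = {"data": {"attributes": {"last_analysis_results": {
    "EngineA": {"category": "undetected", "result": None},
    "EngineD": {"category": "suspicious", "result": "Generic.Heuristic"},
    "EngineE": {"category": "undetected", "result": None},
}}}}

if __name__ == "__main__":
    for name, rep in (("two trusted hits", SAMPLE_MALICIOUS),
                      ("one weak hit", SAMPLE_WEAK), ("never seen", None)):
        print(name, "->", disposition(rep)["verdict"])
```

The thresholds are the whole product here: lower them and the integration flags more files faster, but every false positive on the other engines becomes your false positive too.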

In other words, you can use VirusTotal to create your own antivirus program. Easily. 

Until now. 

It’s fine to use other engines. If you’re also contributing.
Using other engines to improve your detection rate is completely fine, provided you’re also contributing back to the community yourself. In other words, if your antivirus product is also one of the participating antivirus engines.

The dirty little secret
And here’s the dirty little secret that very few people know. There are a number of endpoint products that use VirusTotal to determine if a file is malicious, without any contribution to the community and without giving anything in return.

They simply pay VirusTotal a subscription fee, and receive the information.

And some of these companies have been getting a lot of attention for their supposed prowess. But for some mysterious reason, they refuse to put their own engines on VirusTotal. Could it be because they don’t want to contribute back? Maybe. Or it could be that they just don’t want everyone else to see how poorly their products actually perform.

Unfair? Yes.
Using VirusTotal information without any contribution back to the community is patently unfair. The people who are actually writing detections are sharing their results with the rest of the community, while a small group of endpoint products have been boasting of their extraordinary abilities, while working off the backs of other researchers. 

So as a customer, perhaps you can ask the next endpoint security vendor if they’re on VirusTotal. If they are, they’re contributing to the antivirus community. If they’re not, they’re not. Whatever their PR story, that’s the simple truth.

Until now.
Well, the world just got a bit brighter for the many endpoint security companies that actually contribute to VirusTotal.

Because VirusTotal has just announced that all scanning companies must integrate their engines into VirusTotal. Furthermore, “…new scanners joining the community will need to prove a certification and/or independent reviews from security testers according to best practices of Anti-Malware Testing Standards Organization (AMTSO).”*

It’s big news. It levels the playing field. No longer will antivirus companies see their hard work taken by some sexy startup that’s raised millions of dollars on the false promise of “next generation” endpoint or other such nonsense, while bashing the very companies whose intellectual property it is effectively stealing. And perhaps, we’ll see what their products are really made of. Because without VirusTotal as a crutch, companies that rely on it are going to see their detection rates take a hit.

Poetic justice, indeed.

My compliments to the VirusTotal team for seeing this disparity and unfairness and taking such swift action. A class act, indeed.

And now, perhaps, we can all finally see what is behind the curtain.

Alex Eckelberry

* Disclaimer: I am a board member of Malwarebytes (a contributing member to the VirusTotal community), and an advisory board member to AMTSO.  The opinions in this blog post are my own and are not connected to these two organizations. 

The Network Security Trident – Going Beyond Compliance

First and foremost, I am not a big fan of “compliance.”  I say that with some reluctance because there are certainly some positive aspects of the notion.  The PCI DSS standard provides an effective and comprehensive framework that organizations can use to help shape network security strategy.  Unfortunately, there is an overwhelmingly negative aspect of compliance that may actually drive organizations to a type of mediocrity which inevitably results in a higher level of risk.  This may seem a little counter-intuitive, but stay with me while I offer a brief analogy that may clarify my point.

When I was in the Navy, all military personnel were required to participate in a semi-annual fitness test.  The standards associated with the test were broad in that it wasn’t very challenging to meet the minimum standard, but it was exceptionally difficult to score the maximum on the test.  Not surprisingly, those Sailors who worked to achieve the best score were much more physically fit than those Sailors who strove for the minimum score.  Those who were content with doing just enough to get by weren’t necessarily bad Sailors.  But those Sailors who strove to maximize their performance on the test were usually above average performers overall.  The parallel here is that organizations must move beyond merely compliance to ensure they are cyber secure.

But moving beyond compliance to achieve true security excellence can be intimidating and overwhelming.  That being said, I have found that if a complex process can be distilled down to a few basic components, it becomes considerably less onerous.  To move beyond compliance and move towards being truly secure, I would focus on improving the following areas:

  • Technology
  • Experts
  • Behavior

Think of these as the points of the Network Security Trident:

Network Security Trident


I view technology in two contexts: prevention and detection.  Those organizations that rely on prevention alone (which would meet most compliance requirements) are bound to suffer the same fate as Target, Home Depot, and the long list of other companies that fail to adhere to Cyber Security Rule #1: You will be hacked.

Accepting this idea should drive companies to find and deploy hack detection capabilities.  This is particularly true for retailers as Black Friday, Cyber Monday, Chanukah, and Christmas shopping are right around the corner.  The idea is to minimize the time between compromise and detection, which in turn limits the amount of time a hacker has to find and steal customer data.


Most businesses solve the human part of the resource problem by leveraging IT Staff to perform security functions. This approach is problematic for two reasons.

First, Information Technology is NOT Security.  The skill set of a true Cyber Security Expert is complementary to, but fundamentally different from, the skill set of an IT Professional.  The best Cyber Security Experts have experience in defeating network security measures – they know how to hack, which makes them exceptionally well qualified to find hackers on a network.

Secondly, the primary function of IT Staff is network operations.  Adding security responsibilities to the workload of an IT Professional will inevitably result in reduced efficiency in network operations, network security, or both.

But the truth is that finding the Cyber Security Experts that I just mentioned is extremely difficult, and paying for them is even more challenging.   The good news is that some security companies can provide businesses with viable Cyber Expert outsourcing solutions.   I caution companies that choose to rely on technology solutions alone to address detection.  While it’s true that machine intelligence is effective at catching the majority of threats, there is a small percentage of sophisticated attackers that avoid detection by purely technological solutions and can only be detected by humans with the right skills.  Remember, it only takes one successful hacker to cause a world of trouble for a company.


User behavior is the last, and arguably the most critical leg of the Network Security Trident.  One user mistake, or one user who fails to follow established policy, can cause that world of trouble that I just talked about.  It doesn’t matter if a company has deployed the most advanced technology operated by the most highly skilled cyber security experts; one user action can have a catastrophic impact on a business.  So every organization that wants to be serious about security needs to follow two simple rules:

  1. Train your people
  2. Enforce policy

There’s a saying in the Navy that “everyone is a Safety Officer,” which I extend to the private sector as “Everyone is a Cyber Security Officer.”  That means that every employee should have some basic understanding of information security principles and best practices.  For the administrative assistant, being a Cyber Security Officer might mean understanding what a secure password looks like.  For a network administrator, being a Cyber Security Officer might mean understanding that surfing the internet while logged on as an Administrator is dangerous; a compromise of that browser session could hand a hacker administrator-level access to the network.   Every member of an organization plays a role in securing the retailer’s network and protecting sensitive information.

People make mistakes, so we should expect that a user will from time to time expose the company to additional risk of being hacked.  But failure to follow policy is a different story.  Policy missteps are often associated with members of an organization not paying attention to detail, and in more egregious cases policy infractions result from users deliberately ignoring policy. So like the Cyber Security Officer, everyone in an organization has a role to play when it comes to following and enforcing policy.  But it starts at the top.  CEOs and Management Teams must ensure that policy is reasonable and that it aligns with business functions and objectives, and they must demand policy compliance from their people.  Leaders must hold employees accountable in cases where policy is deliberately ignored.

In closing, the Network Security Trident (Technology, Experts and Behavior) provides a helpful framework that can help companies drive their organizations to achieve network security excellence, moving beyond mere compliance.

Mike Walls is the Managing Director of Security Operations at EdgeWave. During his time as a captain with the US Navy, he was commander of Task Force 1030 and was directly responsible for the cyberreadiness of more than 300 ships, 4,000 aircraft, and 400,000 Navy personnel. He personally directed forces conducting cyber operations across the global Navy cyberdomain and oversaw development and implementation of cooperative (Blue Team) and non-cooperative (Red Team) cyber readiness assessments across the Navy cyber infrastructure.

We are our own worst Cyber Enemy: 3 Simple Rules to Avoid Being a Cyber Victim

3 Simple Rules to Avoid Being a Cyber Victim

I think it was Walt Kelly, the famous cartoonist, who said “We have met the enemy and he is us.”  How true that sentiment is when it comes to cyber security, and the hackers know it.   In spite of the diligent efforts of businesses to secure their networks with the latest and greatest automated technology, employees continue to make mistakes that inevitably lead to successful penetration of their company’s network by hackers.  But not all mistakes are created equal.  

A lot of employees practice poor cyber hygiene and have bad habits when it comes to using the internet.  But to be fair, some fall victim to hackers who use clever tricks to influence bad decisions.  The security industry characterizes these tricks as “social engineering,” which is different from the way political junkies use the term to describe the imposition of social change by a governing authority.  In the cyber security context, social engineering is a non-technical tactic that hackers use to persuade a person to unwittingly reveal information or take an action that gives a hacker access to information.  In the military we call this “influence operations.”

Hackers often use modern phone scams to dupe unsuspecting victims into surrendering their authentication credentials and other valuable information over the phone.  They might send a phishing text message to a smartphone, a tactic called “smishing,” betting that the victim is unaware of the risks associated with links and attachments in text messages from unfamiliar sources.  They might also resort to the timeless conversational tactics practiced by their analog ancestors, the con artists. But the most prolific form of social engineering is associated with Spear Phishing, a hacker tactic that leverages carefully crafted emails directed at a specific person or group of people.    We’ll talk about Spear Phishing in a little more detail later.

So you may be asking, how do I defend against social engineering?  Well, there are a lot of things we can do, but there are three things that everyone can do immediately to make ourselves less vulnerable to these types of attacks.  All three are related to email, the most popular attack vector among hackers.

First and foremost, PAY ATTENTION TO YOUR EMAIL! Please excuse my use of capital letters; I’m really not yelling at you, as the rules of online etiquette would suggest.  I’m simply emphasizing the absolutely essential need for understanding the risks associated with email.  Yes, there are inherent risks associated with what should be an incorruptible tool.  It really comes down to three simple rules which will help reduce the likelihood of a successful social engineering attack against you.  Notice I used words like “reduce” and “likelihood”?  That’s my not so subtle disclaimer that nothing we do in the cyber security world is 100% effective.  Stoney’s First Law of Cyber Security clearly states that “it isn’t a question of if your network will be hacked, but when.”  The same principle applies to social engineering.  So here are the rules:

  1. Rule #1:  Think before clicking! Never click on a link embedded in an email, regardless of how familiar the sender seems.  If you need the web page behind an embedded hyperlink, copy the link address (not the displayed text, which can say anything the sender wants), look at where it really points, and only then paste it into your browser window.
  2. Rule #2:  Trust your gut!  If you see an email in your queue that appears unfamiliar or suspicious, forward it to your provider’s or company’s spam reporting address.  Ideally, your company would have a high-end email security system (like EdgeWave’s ePrism) that stops the majority of malicious emails before they get to your inbox.  Remember, Stoney’s First Law says that some malicious emails will get through.
  3. Rule #3:  Do not use the “preview” pane in your email program! Hackers figured out a while ago how to execute malicious code when the email carrying it is merely rendered, and the preview pane renders a message (including any remote images, which tell the sender your address is live) just as opening it would.  This effectively eliminates your ability to NOT open suspicious or unfamiliar emails…see Rule #2.

So let’s talk a little more about Spear Phishing.  I’ve always been amazed by the ever evolving cyber security taxonomy.  For the most part, the names we give to hacker tactics and techniques are elegant in their simplicity.  The monikers actually make a lot of sense when you think about them.  Take Phishing and Spear Phishing.  When I think about Phishing, I visualize fishermen casting wide nets intended to catch as many “things” as possible.  Presumably the “things” are fish, but Phishing is indiscriminate, so you could catch an old tire or a license plate.  On the other hand, Spear Phishing is intended to catch a specific fish; that’s why we use a “spear”…anyway, I digress.  On with our discussion about Spear Phishing.

In my mind, Spear Phishing epitomizes the “targeted attack.”  I say that because in order to execute a Spear Phishing attack, the hacker needs to do some work.  The hacker actually uses a methodology to shape the attack.  It starts with Reconnaissance.  As a former Naval Officer and war fighter, I have a deep appreciation for how critical reconnaissance is in shaping and executing a successful attack.  When a hacker performs reconnaissance, he will use non-technical and technical methods for gathering as much information about the intended target as possible.  His intention is to piece the information together in order to identify vulnerabilities and determine which vulnerabilities to attack.

I mentioned non-technical and technical reconnaissance.  Non-technical reconnaissance is about gathering publicly available, also called open source, information about a target.  Technical reconnaissance is performed by directing packets at a target, and assessing the replies in order to identify vulnerabilities in the target’s network infrastructure.

Once the Reconnaissance phase is complete the hacker is ready to attack.  He uses information gained through reconnaissance to identify a list of employees at the targeted company.  He crafts an email that spoofs an internal email from a member of the management team to the employees on the list.  The hacker inserts a link that appears to be the address of a website frequently accessed by company employees, and includes a message intended to drive at least one of the email recipients to click.  The hacker makes a subtle change to the website URL, hoping that at least one of the victims will fail to notice the discrepancy.  The link will connect to a malicious website designed to mimic the real website.  The hacker understands that his chances are very good that at least one of the employees will break Rules #1 and #2 by clicking the link…and the hacker’s bet is a winner!  

One employee clicks on the link and, as soon as the malicious website loads in the browser, a malicious script automatically runs, executing exploits of vulnerabilities identified during the Reconnaissance phase.  In a matter of seconds, the hacker has gained access to the employee’s computer, establishing a foothold on the company network.  From there the hacker does what hackers do: escalates privileges to the System Administrator level, moves laterally and vertically across the network, looks for and finds valuable data to steal.  Oh, by the way…other employees that have their email preview panes enabled, and we know they’re out there, will create additional opportunities for hackers to enter the network…Rule #3!
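The two tells in that scenario, a sender that only looks internal and a link whose real destination differs from what the reader sees (the thing Rule #1’s “copy the address, don’t click the text” is meant to surface), can both be checked mechanically. The following is an added example in Python, not EdgeWave’s code or any product’s logic; the company domain, the allowlist of known-good hosts, the list of confusable character swaps and the two messages are all constructed for illustration.

```python
"""Checks for the spear-phishing tells described above: a sender that only
looks internal, and a link whose real destination differs from what the
reader sees. Added example, not EdgeWave's code; the company domain, the
allowlist, the confusable swaps and the sample messages are constructed."""
import difflib
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"                                      # assumed
KNOWN_GOOD_HOSTS = {"portal.example.com", "hr.example.com", "www.example.com"}
# Swaps that read the same at a glance: the "subtle change to the URL".
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _fold(host: str) -> str:
    """Collapse confusable characters so lookalikes compare equal."""
    h = host.lower()
    for bad, good in CONFUSABLES:
        h = h.replace(bad, good)
    return h


def classify_host(host: str) -> Optional[str]:
    """None for an allowlisted or merely external host; a reason for a lookalike."""
    if host in KNOWN_GOOD_HOSTS:
        return None
    for good in sorted(KNOWN_GOOD_HOSTS):
        if _fold(host) == _fold(good):
            return f"lookalike of {good} (character swap)"
        if difflib.SequenceMatcher(None, host, good).ratio() >= 0.9:
            return f"lookalike of {good} (near match)"
    return None


def analyze(raw: bytes) -> List[str]:
    """Return a list of findings for one raw RFC 822 message (empty if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    _, from_addr = email.utils.parseaddr(str(msg["From"]))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain != COMPANY_DOMAIN:
        findings.append(f"sender domain {from_domain!r} is not {COMPANY_DOMAIN!r}")
    if msg["Reply-To"]:
        _, reply = email.utils.parseaddr(str(msg["Reply-To"]))
        if reply.rpartition("@")[2].lower() != from_domain:
            findings.append(f"Reply-To {reply!r} goes to a different domain")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = _Anchors()
    parser.feed(body.get_content())
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reason = classify_host(host)
        if reason:
            findings.append(f"link to {host!r}: {reason}")
        shown = re.search(r"https?://([^/\s<>]+)", text)  # link text that is itself a URL
        if shown and shown.group(1).lower() != host:
            findings.append(f"link text shows {shown.group(1)!r} but goes to {host!r}")
    return findings


# Constructed messages, not real mail.
SPEAR_PHISH = b"""From: "Pat Jones, CFO" <pat.jones@examp1e.com>
To: staff@example.com
Subject: Updated expense policy - action required
Content-Type: text/html; charset=utf-8

<p>Please review today: <a href="http://portal.examp1e.com/login">http://portal.example.com/login</a></p>
"""
BENIGN = b"""From: HR <hr@example.com>
To: staff@example.com
Subject: Holiday schedule
Content-Type: text/html; charset=utf-8

<p>The schedule is on the <a href="https://hr.example.com/policy">policy page</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("spear phish", SPEAR_PHISH), ("benign", BENIGN)):
        print(label, "->", analyze(raw) or ["no findings"])
```

The allowlist makes the lookalike test sharp: a host that folds to, or sits within a couple of characters of, a site employees actually use is far more suspicious than an arbitrary external link, which is why the example reports only those rather than every outside host.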

So there you have it, folks.  Three simple rules of email safety that, if followed, will dramatically lower the risk of you and your company becoming cyber victims.  Stay Cyber Safe!

Mike Walls is the Managing Director of Security Operations at EdgeWave.

Network World Names EdgeWave Firewall New Product of The Week

Network World has named the EdgeWave EPIC Next Generation Firewall a member of the “New Products of The Week”


Key features: The EdgeWave EPIC Next Generation Firewall is the industry’s first to combine expert human analysis with machine intelligence, giving the enterprise the ability to stay ahead of constantly evolving web-based attacks.

Why The USA Hacks

The U.S. government views cyberspace as just another theater of war akin to air, land and sea, and it operates in the domain for one basic reason: national defense.

 Last in a six-part series on the motivations that compel nation-states to hack.

The United States operates in the cyber domain as a national entity for a simple reason — to protect its citizens. Like traditional notions of national defense, cyber operations extend across political, economic and military pillars of national power. But cyber operations are, in a sense, more complex, because they affect the pillars of power more profoundly, due to the speed at which they occur.

Consider how quickly the Allied Forces moved across Europe during World War II following the D-Day invasion on June 6, 1944. Within about a year, the allies coordinated a multi-pronged campaign attacking the German military on the ground, the economy from aerial bombardment of German industry, and politically by strengthening the Allies while simultaneously dismantling the Axis forces. Now consider the speed at which a modern aggressor nation could attack another nation’s military, economy and political establishment through cyber warfare. With the right planning, a well-coordinated cyber campaign could be executed with an immediate impact and with the same devastating effects.

In spite of the insight into NSA operations provided to us by Edward Snowden, I am steadfast in my belief that U.S. cyber operations are focused solely on national defense and that those operations do not include the exploitation of information for economic or financial gain. Moreover, the U.S. government imposes strict limits on cyber espionage through statutes and regulations, and holds agencies accountable for violations of those statutes and regulations through comprehensive political oversight.

Flag Map by Lokal_Profil via Wikimedia Commons

This is not to say that there isn’t potential for abuse of power of agencies in the cyber national defense community and the political establishment. That potential certainly exists and could manifest itself, should the wrong people ascend to leadership roles in government at the wrong time. For skeptical readers, I can only emphasize that my assessment is based upon personal observations made during my recent tenure in the Department of Defense cyber community. For this discussion, I’ll focus on the three organizations that contribute to the national security effort by confronting threats from aggressor nations: CIA, NSA, and United States Cyber Command.


CIA Mission Statement
Preempt threats and further US national security objectives by collecting intelligence that matters, producing objective all-source analysis, conducting effective covert action as directed by the President, and safeguarding the secrets that help keep our nation safe.

Cyber operations in a nation-state context map directly to every aspect of the CIA mission statement. By collecting intelligence and producing analytical reports, the CIA plays an important role in building the threat picture for the intelligence community. But CIA cyber operations are bounded by the guidelines of Executive Order 12333 and Title 50 of the U.S. Code. EO 12333 restricts CIA operations involving U.S. citizens in the United States, and Title 50 governs intelligence agencies, intelligence activities, and covert operations. Because CIA operations are clandestine, there isn’t a broad body of knowledge available to the public that demonstrates how the agency operates in the cyber domain. But most recently, we did learn that the CIA was allegedly involved in Operation Olympic Games, a cyber campaign directed at denying Iran nuclear weapons capability.


NSA Mission Statement
The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances.

Although the reputation of the NSA, courtesy of Snowden, has been tarnished both inside and outside of the U.S., it’s important to realize that this agency has a long and storied history of protecting the United States from the full spectrum of adversaries, by leveraging superior technology throughout the electromagnetic spectrum. Prior to the age of cyber, NSA operated in the spectrum to collect and analyze signals intelligence across the globe. Although information about NSA operations is limited for security reasons, many operations find their way to the media, and the stories are often based more upon speculation than hard facts.

Clearly written in the NSA mission statement is the task of enabling computer network operations, implying both offensive and defensive capability. From a practical standpoint, the NSA is the functional leader of U.S. computer network ops across government, including the Department of Defense. There is a deep symbiotic relationship between NSA and the uniformed services, particularly the Navy. That link was formalized through CSS, the component of NSA responsible for providing cryptologic support to the Armed Services.

Like the CIA, NSA operations are highly classified, and when aspects of an operation end up in the public forum, they are typically subjected to a tremendous amount of speculation. The end result is usually an interesting story loosely based upon opinion. But some accounts of NSA operations are compelling and simply make sense. Ronald Reagan’s decision to launch air strikes against Libya (Operation Eldorado Canyon) following the 1986 bombing of the La Belle discotheque in West Berlin, which, unfortunately, took the lives of two U.S. servicemen, was believed to be based upon critical signals intelligence provided by NSA.


United States Cyber Command (USCC) Mission Statement
USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.

In the information age, military operations are completely dependent upon information systems for myriad reasons, ranging from command and control of operational forces in the battle space, to weapons systems, to everyday business of running the Navy, Army, Air Force, and Marine Corps. That dependence was the motivation behind the establishment of the United States Cyber Command in 2009.

As Director of NSA, General Keith Alexander was the driving force behind the creation of an organization dedicated to supporting U.S. combatant commanders in the field. General Alexander knew that the U.S. military needed a unified force of cyber operators, which could operate with the warfighters in the uniformed services, as well as with agencies like NSA. The connection already existed from an administrative standpoint, but there was no operational link with NSA. The distinction between operations and administration is significant because the U.S. government, particularly DoD, correctly views cyber space as another warfighting domain, akin to air, land, and sea. The bond between NSA and USCC was solidified with the dual responsibility of the Director NSA and Commander USCC.

The cyber army that General Alexander envisioned is taking the form of a Cyber Mission Force of roughly 6,000 military personnel. The force, which will be distributed across 133 teams and is on track to be fully functional by 2016, will focus on three areas: providing support to combatant commanders across the globe, defense of the DoD information network, and protection of the nation’s critical infrastructure and key resources.


Why we hack
When we look at all of the nations which we have discussed in this series, it isn’t surprising that the common answer to the question of “Why They Hack” is national defense. But to assume that national defense has the same meaning to different governments is overly simplistic. While we understand, intuitively, what a literal defense of a nation commonly means, the behavior of some nations in the name of national defense is difficult to explain.

We see China and Russia engaging in exploitation of intellectual property for economic and financial gain. We see Iran and China conducting cyber operations in an effort to expand their spheres of influence. We see North Korea lashing out in an effort to demonstrate its relevance in the geo-political community. Finally we see Israel and the United States conducting cyber operations to protect their national security.

Does this mean that the United States and Israel maintain higher ethical standards of cyber conduct? I believe the United States does, but I admit that the point is arguable. We know that the United States has made mistakes; the Snowden data suggests that it did. But in the end, US cyber operations are bounded by laws, regulations, and accountability, and that’s the only way to maintain order in an environment rooted in disorder.

Mike Walls is the Managing Director of Security Operations at EdgeWave.