In today’s real-time enterprise, with a focus on doing more with less, it is tempting for technical teams to take shortcuts. In software development this is often labelled “technical debt” but it applies equally to infrastructure.
Manually applied security controls are an early casualty of such shortcuts: servers are put into production without adequate protection, with high-risk vulnerabilities left open to exploitation. A recent prominent example is Equifax, which exposed the identity and credit details of well over 100 million US citizens and was pinned down to unpatched software.
McCluney took a break from presenting at VMware’s vForum event in Sydney to speak to iTWire. “When we build workloads in virtualised environments, we must understand their security posture at the beginning and deploy their security when we deploy the workload,” he said.
“As people talk about automation they talk about APIs. They talk about building a workload by API, amending a policy by API, and so on - this is transformative IT where your pipeline is driven by these orchestration tools. Security has to fit right in there.”
For example, he says, “you can have application control, which again can be API-driven, so when you're deploying your code from your orchestration tools they can call the API to put the workload into maintenance mode while deploying, then use the API again to lock the executable code down”.
This is great, McCluney says, “because you’ve worked with DevOps and put security into the process and it's not a pain. This can be done in prod and test and so on through the whole pipeline”.
“The more you can integrate your security into your operational processes the easier it is for everyone to be security-aware and compliant as part of their normal process.
“Our approach at Trend Micro is to have recommendation scans on servers that look for vulnerabilities either at an Operating System level or the application layer, then allow an Intrusion Protection System (IPS) ruleset to protect the server from vulnerabilities on the applications or operating system.”
To clarify, McCluney points to well-publicised security vulnerabilities of recent years — ShellShock and Heartbleed — as well as Apache Struts, WordPress and Oracle vulnerabilities.
“Trend Micro’s view is if we can understand the vulnerability, we can create an IPS rule for it, and that can be deployed to your workload automatically.
“With ShellShock we were protecting customers from hundreds of attacks within five days.”
Complexity in security exists, and it’s because “no single approach works,” McCluney says. “You need multiple layers and you need automation as well. Trend Micro helps with host-based IPS, as well as deep security products like Machine Learning (ML), file integrity monitoring, log monitoring, application control, file warning and behaviour monitoring.
“For example, if we see ransomware executing on an endpoint we can prevent it from running. We can use ML to see if an unknown file looks suspicious. It may not be known in our global intelligence cloud so the software will watch it. If it starts encrypting files then we can stop it on the third one and roll its changes back.
“We’ve had behaviour monitoring for eight years. We’ve had ML for a year or so in some products, and will roll it out through the rest.”
Even so, “signatures still play a useful role, because we see we can knock out a lot of known bad at low cost. Signatures offer a good black-and-white defence. Then if it’s unknown, we can use ML capabilities on it. If we still can’t decide, we can let it run but use runtime ML to look at the calls it's making, and look for identifiable patterns and behaviour monitoring in terms of what it's running so we catch zero day exploits and ransomware. This has been a successful approach,” he says. “The next layer after that — the ultimate test — is sandboxing.”
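The behaviour-monitoring step he describes (watch an unknown process, stop it on the third file it encrypts, roll its changes back) as an added Python simulation; this is not Trend Micro's code or the article's own, and the entropy heuristic, the thresholds, the BehaviourMonitor class and the constructed sample files are my assumptions:

```python
import math
from collections import Counter, defaultdict

ENCRYPT_LIMIT = 3   # constructed policy: block after the third encryption-like overwrite
HIGH_ENTROPY = 7.0  # bits per byte; ciphertext and compressed data sit near 8
LOW_ENTROPY = 6.0   # documents, source code and logs sit well below this

def shannon_entropy(data: bytes) -> float:
    n = len(data)  # 0.0 for empty input, 8.0 for uniformly distributed bytes
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class BehaviourMonitor:
    """Toy in-memory file store; write() stands in for a kernel file-system hook."""
    def __init__(self, files):
        self.files = dict(files)
        self.snapshots = defaultdict(dict)  # pid -> {path: content before its first overwrite}
        self.suspicious = Counter()         # pid -> encryption-like overwrites seen so far
        self.blocked = set()

    def write(self, pid, path, data):
        if pid in self.blocked:
            return "blocked"
        original = self.files.get(path)
        if original is not None:
            self.snapshots[pid].setdefault(path, original)  # keep a pre-image for rollback
            # readable content replaced by near-random bytes is what in-place encryption looks like
            if shannon_entropy(original) <= LOW_ENTROPY and shannon_entropy(data) > HIGH_ENTROPY:
                self.suspicious[pid] += 1
        self.files[path] = data
        if self.suspicious[pid] >= ENCRYPT_LIMIT:
            self.rollback(pid)
            return "rolled_back"
        return "ok"

    def rollback(self, pid):
        self.blocked.add(pid)  # block the process, then restore every file it overwrote
        for path, original in self.snapshots.pop(pid, {}).items():
            self.files[path] = original

# Constructed sample: three plaintext documents and a byte permutation standing in for ciphertext
SAMPLE_FILES = {"report.txt": b"Q3 revenue report: APAC sales up 4 percent.",
                "notes.txt": b"Meeting notes: budget approved, hire two engineers.",
                "todo.txt": b"Renew the TLS certificates before Friday."}
CIPHERTEXT = bytes((i * 131 + 7) % 256 for i in range(256))

def simulate(pid=4242):
    mon = BehaviourMonitor(SAMPLE_FILES)
    verdicts = [mon.write(pid, path, CIPHERTEXT) for path in SAMPLE_FILES]
    verdicts.append(mon.write(pid, "report.txt", CIPHERTEXT))
    return verdicts, mon.files
```

simulate() walks one process through three ciphertext overwrites and a fourth attempt: the first two pass, the third triggers the rollback, and the fourth is refused, leaving the documents as they were.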
There is big money in ransomware and business email compromises, McCluney says, estimating it at billions of dollars. “There’s a lot of R&D into the next compromise, which is why ML is so important.”
Trend purchased Tipping Point from Hewlett Packard two years ago, and with this came Digital Vaccine labs, which runs the “zero day threat initiative”, dedicated to early identification of threats. “We're finding out about these vulnerabilities and as soon as we find out we can inform the vendor and write IPS rules to protect our customers and provide protection around those vulnerabilities.”
“That links into our virtual patching which is about having the right IPS rules on the right server based on the recommendation scan. It can detect you have, say, ‘abc’ software on ‘xyz’ server and then have it download and run those rules.”
When asked for his number one security tip, McCluney says “the capability to use IPS to prevent attacks on known vulnerabilities is a great mitigating control.”
“With Equifax, Apache Struts had a vulnerability. Maybe it couldn’t be patched quickly enough, but where was the mitigating control?” he asks.
“A company should have had an IPS. It’s the same with WannaCry – ok, you may not be able to patch the vulnerability, but did you have anything else to protect you? The mitigating control is important,” McCluney states.
“The other thing that comes top of mind to me is a significant amount of attacks come through email. Do you have an email defensive system applying proper sandboxing? Are you taking the threats out of email, putting them in a sandbox, detonating them, to see if they are malicious, and can you prevent them at that stage? I couldn’t recommend more the need to have a good layer policy on email coming in.
“From an endpoint policy point of view, if it's got to the machine through the email, and someone’s hit the link, you need to concentrate on what layers you have available and if you can catch things as they run. This is where endpoint ML and behaviour monitoring come in.
“I’d recommend any organisation think about security at the beginning and having that as part of the operational pipeline. Multiple layers of defence are needed. Anti-malware signatures are good, but behaviour monitoring, ML, app control, file integrity monitoring and log monitoring are all great things to have in your armoury.”
While Trend Micro is an international organisation, founded in Los Angeles with global headquarters in Tokyo and an R&D centre in Taipei, it is doing good things in Australia.
“One of our data scientists in Melbourne, Jon Oliver, is very influential in our ML capabilities. He was instrumental in the way we focused on ransomware within the company. He saw the attack on Australia in a strong way two years ago, and a lot of the protections Trend Micro brought in were based on thought leadership from this country. Jon has over 100 patents to his name,” McCluney says.