Roesch in his team recently introduced FireAMP, an integration of its $21 million acquisition of cloud-based antimalware vendor Immunet. FireAMP is an agent-based system that monitors end points and connects to Sourcefire’s servers, where the data is analyzed and shared with other users. Users of FireAMP will receive threat intelligence alerts on suspicious behavior and can block and remove malicious files, including malware that targets zero-day vulnerabilities.

The rise of high-profile data breaches associated with targeted attacks, such as the RSA SecurID breach in 2011, has put a renewed focus on the importance of Intelligence gathering technologies. RSA, which acquired NetWitness last year, is positioning the network security monitoring platform as an awareness system, rather than a system used by forensics teams during a post breach investigation. But Roesch doesn’t see a major threat posed by NetWitness’ capabilities. He said the system requires users to analyze massive volumes of data, asking questions to make sense of it all.

“That thing collects a lot of data and it’s pretty raw and in the past you needed to know what questions to ask the data to get anything out of it,” Roesch said. “I don’t see people putting IPS and IDS investments on hold because they’re looking at NetWitness. Since the acquisition happened they’ve been a lot quieter than when they were a private company. It will be interesting to see if their approach scales to solving the kind of problems we solve just knowing what I know about their sensing and collection infrastructure.”

In a meeting with invited media, RSA recently presented its plans for NetWitness. The company is working on improving analytics to make it more of a real-time platform. The company credits its NetWitness deployment for detecting the SecurID breach, although attackers still had time to gain access to its intellectual property. RSA executives said they are working on integrating its Archer governance, risk and compliance platform to provide NetWitness with easier to use reporting and dashboard capabilities.

Researchers at Blue Coat Systems Inc. have been mapping malware to better understand malware delivery. In the Blue Coat 2011 Mid-year report (.pdf), the company found a variety of websites and online forums consistently used by cybercriminals to spread malware.

The problem stems not only from websites dealing with pornographic and pirated material. Attackers are taking advantage of common website vulnerabilities on trusted and popular websites for use by cybercrime.

In an update provided recently, Larsen said poisoned search engine results are constantly being used to drive traffic to those malicious sites. While search engine providers are labeling suspicious sites, cybercriminals have an agile process in place. They can switch domains on the fly to maintain up-time and continue spreading malware, overseeing an ever increasing number of infected machines, Larsen told SearchSecurity.com.

Digital certificate breaches have fueled an erosion of trust online, according to the SearchSecurity editorial team. While researchers look for alternatives to the digital certificate system, it may not always be clear that the site you’re visiting is legitimate.

In this wide ranging discussion, SearchSecurity editors and special guest Andrew Jaquith of Perimeter E-Security, explore whether 2011 was a good year for the security industry or if the latest security incidents highlight many of the industry’s faults.

In addition to the digital certificate breaches, part two of this podcast explores the trend of companies increasingly studying the threat landscape to be better prepared for real world attacks. While many organizations fail at completing the most basic security tasks, others have applied the basics and are taking the next steps in understanding who their adversaries are and how to defend against them.

In addition, McAfee’s Operation ShadyRAT report may have come under intense criticism, but vendor research serves an important purpose, according to Jaquith. When taken into context, some research reports can be helpful when strategic planning.

Part 1 of Security Wins and Fails of 2011

In part one of this two-part podcast, special guest Andrew Jaquith of Perimeter E-Security joins the SearchSecurity editorial team in exploring the highs and lows of 2011 for the security industry.

Mobile device platforms were built with security in mind, but in 2011 cybercriminals have had some success in bypassing security features on the Android platform, and Apple’s lack of transparency make the security of the iPhone a mystery.

In this wide ranging discussion, SearchSecurity editors and special guest Andrew Jaquith of Perimeter eSecurity, explore whether 2011 was a good year for the security industry or if the latest security incidents highlight many of the industry’s faults.

Smartphones and other mobile devices gained the most attention in 2011. Android malware, SMS text messaging scams and rogue applications shined a light on some of the weaknesses of mobile platforms.  Several high-profile data breaches also cast a shadow on any gains organizations have made to defend against attacks. Epsilon, RSA SecurID and Sony experienced major data security breaches. Meanwhile, hacktivist groups, namely Anonymous and Lulzsec, wreaked havoc on the Internet, attacking websites and crippling them with denial-of-service attacks.

In part 1 of this podcast:

WIN — The RSA SecurID breach: While the immediate details left security experts asking a lot of questions, RSA clearly had a response plan in place for a serious breach. The company briefed its largest customers and kept close contact with government contractors that ultimately were targeted by attacks as a result of the breach. While two-factor authentication competitors attempted to gain new customers as a result of the SecurID breach, RSA appears to have maintained its strong customer base.  Meanwhile, the Sony breach response was the antithesis of RSA. Sony seemed to have no breach response in place resulting in a network outage for nearly a month. The company has since rebounded, hiring Philip Reitinger, a former Department of Homeland Security official, to lead its security efforts as its CISO.

WIN-FAIL — Mobile platform security: Google Android and Apple iOS have been built from the ground up with security in mind, but it takes experienced software coders to take advantage of the security features offered by both Android and Apple. Unfortunately, a glutton of new software coders has resulted in poorly coded applications or mobile apps designed to tap into too many of the device’s features (SMS, GPS) causing privacy and security concerns.   In 2011, the security industry has seen an explosion in Android Trojans, rogue applications had to be removed from Google’s marketplace, and while malware hasn’t really targeted apple devices, iPhone security vulnerabilities and Apple’s lack of transparency into its security processes have raised some doubts about iPhone security. Security experts say that over time the mobile platforms will mature and new developers will become better coders. Until then, look out for rogue applications and application vulnerabilities that leak data.

View Part 2 of Security Wins and Fails of 2011

By Robert Westervelt, News Director

Mobile malware and mobile application threats could pose major security and privacy challenges to enterprises in 2012, according to Roger Thompson, chief emerging threats researcher at Verizon Business’ ICSA Labs. Cybercriminals could use malicious mobile applications to steal sensitive data from smartphone users, including account credentials. Stolen credentials could be used to obtain access to corporate networks, Thompson said.

Smartphones, tablets and other mobile devices have helped fuel the use of social networks. Employees are sharing more information about themselves than ever before on Facebook, Twitter and other networks via mobile applications. That freely available data could be all that is necessary for an attacker to design a targeted and convincing social engineering attack against an employee, Thompson said.

“It may be no more than just completing the profile on people so they know what kind of goods to sell you; it might not even be overtly criminal,” he said.

Thompson, who was hired by ICSA Labs in November, helped draft the security device testing and certification organization’s security predictions for 2012. In addition to rising mobile malware and malicious applications, ICSA Labs predicts the industry will take action, providing users with application scoring systems so users download valid applications onto their devices. Scoring systems could reduce the risk of more malicious mobile applications and check highly used apps for serious mobile application vulnerabilities, Thompson said. Although it’s unclear what entity would create the mobile application scoring systems, Thompson said both Google and Apple control the marketplace for mobile apps and could very likely take the lead.

“If you install some new version of an application, even if it’s not overtly malicious, you have no idea what opportunities it may be opening up,” Thompson said. “An application might not be sending SMS messages, but it could be built into the game in case it’s needed in the future and that kind of unnecessary functionality could be leveraged by an attacker.”

ICSA also predicts health care organizations will have to gain a better understanding of the risks posed by digitalized health care data stored on mobile devices and how to better secure embedded medical devices from tampering and other cyberattacks. In addition, state public utility commissions will continue to make great strides on creating standards for the so-called “smart grid.” It’s likely, according to ICSA, that the federal government will step in with its own framework and requirements.

In this interview with SearchSecurity News Director Robert Westervelt, Thompson predicts how the threat landscape could evolve in 2012 and explains why mobile device use could pose serious risks to businesses.

In this edition of Security Wire Weekly, Paul Ferguson, Trend Micro’s Advanced Threats Researcher and key liaison with the FBI, discusses the DNS Changer botnet takedown, the implications for the industry at large and why it may signal the beginning of an even more dangerous era of botnets.

Program notes: New Duqu malware shares Stuxnet Trojan code similarities