PARIS — Attaques de pirates, espionnage industriel et virus destructeurs ont fait de l’internet la cinquième dimension de la défense et les industriels se bousculent sur ce marché en plein boom.

Les Etats-Unis ont inculpé mardi cinq pirates, dont certains affiliés au groupe de hackers Anonymous accusés d’attaques qui auraient fait au total un million de victimes, dont des gouvernements et de grandes entreprises.

Les pertes causées par ces attaques ont renforcé la prise de conscience de la vulnérabilité des réseaux et l’importance de la cybersécurité, pour les Etats comme pour les entreprises.

La firme britannique Ultra Electronics évalue à 50 milliards de dollars par an le marché mondial de la cybersécurité.

“Et ce marché croit de 10% par an, deux fois plus vite que l’ensemble du secteur des technologies de l’information”, souligne Denis Gardin, directeur de Cassidian Cyber Security Solutions, une unité du géant européen de l’aéronautique et la défense EADS.

C’est presque une ruée sur le secteur, baptisé cinquième dimension de la défense, après la terre, la mer, l’air et l’espace.

“Depuis un an, les industriels de la défense ont acquis des firmes de technologie à un rythme frénétique pour renforcer leurs capacités dans la cybersécurité”, relève Guy Anderson, analyste en chef chez Jane’s IHS, une société américaine d’études et de conseil.

“La cybersécurité a été perçue commme un bateau de sauvetage pour l’industrie quand les dépenses de défense dégringolaient dans les pays occidentaux: c’était un des derniers secteurs de croissance”, ajoute-t-il.

Une arme de guerre

L’Otan a pris conscience du problème depuis que des attaques lancées de Russie ont saturé les sites du gouvernement estonien en 2007, lors d’une crise entre Moscou et Tallinn.

La même année, Israël avait piraté le réseau syrien de défense antiaérienne, prenant le contrôle des écrans radars pendant que l’aviation détruisait une centrale nucléaire en construction, affirme dans son livre Cyberwar Richard Clark, ancien conseiller de la Maison Blanche.

Depuis, les attaques sont de plus en plus sophistiquées, passant des vols de propriété intellectuelle à la destruction physique de machines.

“A partir de 2009 on va recupérer de l’information en pénétrant dans les systèmes les plus sensibles”, relève Philippe Cothier du Centre d’étude et de prospective stratégique.

En 2010, le mystérieux virus Stuxnet s’attaque aux centrifugeuses du programme nucléaire iranien.

“C’était une bonne idée”, commente un ancien directeur de la CIA, Michael Hayden. Mais elle a créé un précédent dangereux: “Aux yeux du reste du monde, elle a légitimé ce type d’activité.”

Les gouvernements occidentaux renforcent donc leurs défenses, le Pentagone s’est doté d’un “Cyber Command”, et les chiffres les plus fantastiques circulent sur des bataillons de hackers formés par la Chine.

La cybersécurité ne concerne pas seulement la défense. “Les réseaux sont les systèmes nerveux de la société”, souligne Stanislas de Maupéou, du groupe français Thales.

“Le monde du cyber est devenu absolument énorme”, dit Philippe Cothier. Même les réfrigérateurs ont des adresses IP, numéro d’identification attribué à chaque branchement d’appareil relié au réseau internet.

“En 2008 il y avait dans le monde 2 milliards d’adresses IP, aujourd’hui il y en a 30 milliards, quatre fois la population mondiale”, souligne-t-il.

We add that the “observe, orient, decide and act” loop must underly a real-time Incident Management workflow whereby intelligence is gathered in real-time and relies on deterministic risk behaviour identification.

 More on Joshua’s contribution

 ”Intruders compromised a water utility network last week and destroyed a pump, according to a state government report cited by a critical infrastructure security expert today.”  Read more here.

Read about APT: Advanced Persistent Threat.

Here is an interesting piece on the topic by El Reg – Hacktivists pose growing threat to industrial computing.

 ”Data from Norway’s oil and defense industries may have been stolen in what is feared to be one of the most extensive data espionage cases in the country’s history, security officials said [...]“. Read more here.

Marco Ricca’ contribution on Data: Free and Priceless:

Marco Ricca, CEO at Satorys, was speaker on Wednesday 26, October 2011 for “Data: Free and Priceless: Data is the new currency of the online world, with some observers suggesting that free access to data could drive fresh economic growth and entrepreneurialism. Governments are starting to experiment with the potential of open data in making government more accessible, responsive and useful to their citizens.

An entire ecosystem of start-ups is blooming around the abundance of data available on the Internet – businesses that analyse, visualise and combine data to identify emerging trends. In the best-case scenario, data is used responsibly to improve future interactions through customization, recommendations, personalised offers and relevant advertising. Social networking tools can help customize and improve interactions with peers and colleagues. In other cases, data may be used, shared or altered without permission, challenging individuals’ rights to privacy or protection of their online profile and identity.

What are the full benefits to business and society of open data and public service data reuse? How can we develop mechanisms that ensure the sustainability of these innovative processes? Can government agencies link data sources coherently to enable citizens to find what they need? Can data be presented in a way that informs decision-makers in a meaningful way, yet allows the public to have a real impact on policy-making?

Florent Batard’ contribution on Heads in the Cloud :

Florent Batard, R&D manager at Satorys, asked about Security issues in the Cloud on Wednesday 26, October 2011 for Heads in the Cloud: The rapid spread of cloud computing has drawn significant attention and scrutiny in the media over recent months. It has also raised policy questions concerning how people, organizations, and governments handle information and interactions in the cloud environment. While moving to the cloud offers recognized benefits of cutting capital expenditure and enabling the more efficient use of computing resources, questions of information security, data privacy, interoperability, reliability and liability persist and need to be considered carefully and addressed rigorously. Lack of interoperability and portability between providers makes it difficult to migrate data from one service to another – good for cloud service providers, but not necessarily good for end-users. What happens if the business goes bust, or decides to change?

Press book links:  Satorys in the press for ITU World Telecom 2011.

Key industry players represented at the event include Alcatel-Lucent, AT&T, China Mobile, China Potevio, Cisco, Datang, Ericsson, Fiberhome, Fujitsu, Huawei, Intel, NTT, NTTDoCoMo, RIM, Samsung, Satorys, Swisscom, Telkom SA, Turk Telecom, TDIA, ZTE and more.

The event will also feature over 25 National Pavilions showcasing the ICT industry of countries and regions including Algeria, Angola, Argentina, Azerbaijan, Belarus, Burundi, China, Czech Republic, Ghana, Japan, Kenya, Korea, Malawi, Malaysia, Namibia, Nigeria, Poland, Rwanda, South Africa, Spain, Switzerland (Geneva area), Tanzania, Uganda and Zambia.

Satorys’ Highlights:

World2011.itu.int – Highlights: See and Experience at ITU Telecom World 2011 – 2011.10.24-27

L’Agefi – Promotion économique au salon Telecom 2011 par Julio Jaton – 2011.10.27

Menafn.com – International Telecommunication Union (ITU): ITU Telecom World 2011 sets new paradigm for top-level networking, knowledge-sharing – 2011.11.27

The Jakarta Post – Inequality a thorny issue in ITU Telecom World – 2011.10.25

TheStarOnline – Malaysian pavilion is the largest at ITU Telecom meeting in Geneva by Choong En Han – 2011.10.27

Ubifrance – Meeting between MCMC & ARCEP at Telecom World 2011 conference in Geneva by Juliette Mallez – 2011.10.27

ThisDayLive – ITU Seals Partnership Deal with Satorys on Cybersecurity – 2011.11.03

TDG – Telecom 2011 – Les autorités genevoises se profilent sur des compétences pointues – 2011.10.27

Geneva, Switzerland, on October 26th 2011 – Satorys, a leading IT Security company, has established during the ITU World Telecom 2011, a strategic partnership with IMPACT (International Multilateral Partnership Against Cyber Threats).

Satorys is a leading IT Security Provider that enables, by leveraging its world-class proprietary technology, enterprises, telecommunication operators and governments to fight modern cyber-threats. Satorys’ proven capacity to detect the Stuxnet Worm, or modern Distributed Denial of Service Attacks such as the one that affected WikiLeaks, has propelled it to a leading role in the world since early 2011.

It unique ability stems from its innovative approach, whereby threats are detected according to their behaviours – unlike anti-virus software for example that look for mere signatures. To identify threatening behaviours, Satorys correlates millions of observations collected every second on a global scale – this collective intelligence is what makes its offering so compelling to its customers.

IMPACT is the cybersecurity executing arm of the United Nations’ specialised agency – the International Telecommunication Union (ITU). IMPACT brings together governments, academia and industry experts to enhance the global community’s capabilities in dealing with cyber threats. Based in Cyberjaya, Malaysia, IMPACT is the operational home of ITU’s Global Cybersecurity Agenda (GCA). As ITU’s cybersecurity executing arm, IMPACT provides ITU’s 193 Member States access to expertise, facilities and resources to effectively address cyber threats, as well as assisting United Nations agencies in protecting their ICT infrastructures. Today, with a 137 Member States that have joined the ITU-IMPACT coalition, it has become the largest cybersecurity alliance of its kind in the world.

In addition to the many industry partners, ITU-IMPACT can further provide increasingly valuable insight to its member states and partners, through Satorys’ ability to collect, parse and present global cyber-threats – as they are nowadays increasingly short-lived, heterogeneous and deadly, Satorys’ global observation capacity has become a vital addition and value added service from ITU-IMPACT.

« L’usage de ces programmes est abusif et trop intrusif » a ainsi dénoncé Pascal Gloor, le vice-président du PPS, qui s’est confié au site Lematin.ch. La semaine dernière, le PPS s’était déjà indigné de la nouvelle et avait affirmé qu’il « en tirera toutes les conséquences ». Cette plainte contre X était donc plus ou moins annoncée.

Un flou juridique

« L’utilisation d’un logiciel espion (Cheval de Troie) sans aucune base juridique n’est pas justifiée, même pour combattre le terrorisme » affirme le Parti Pirate Suisse. Pour ce dernier, « on court le risque que les preuves recueillies sur l’ordinateur soient modifiées. Avec l’informatique, on est dans le virtuel. Il y est donc possible de torpiller un ordinateur ou de piéger une personne. (…) Notre Constitution est sans équivoque, le droit est la base et la limite de l’activité de l’État. »

Effectivement, comme le relève la Tribune de Genève, un flou juridique entoure l’utilisation des chevaux de Troie. Aucune règle liée à l’usage de tels logiciels n’est présente dans la loi fédérale. Malgré son but initial peu critiquable, un tel usage est donc considéré comme une atteinte à la sphère privée.

Et si les preuves étaient falsifiées ?

« Sans cadre juridique, ces programmes deviennent des armes redoutables » a d’ailleurs prévenu Marco Ricca, directeur de la société genevoise de sécurité informatique Satorys, interrogé par la Tribune de Genève.

« Comment être sûr que ce logiciel ne sera utilisé que dans le cadre du mandat délivré par le juge ? » questionne Stéphane Koch, vice-président de High-Tech Bridge, une société de hacking éthique. « Si le programme tombe entre les mains d’un détective privé ou d’une organisation criminelle, si un policier l’utilise de manière plus étendue que son mandat ne le permet, il y a danger ! »

Au final, le Parti Pirate Suisse craint que le logiciel ait été développé « avec le même amateurisme constaté en Allemagne », qui, pour mémoire, permet de télécharger et d’exécuter des logiciels à distance. On imagine dès lors les dangers que pourrait créer un tel logiciel entre des mains malveillantes. Une personne innocente pourrait par exemple être déclarée coupable preuve à l’appui, ceux manipulant le cheval de Troie ayant créé lesdites preuves… De la paranoïa ? Dans le doute, le PPS préfère en avoir le coeur net.

The financial and IT security industries have one thing in common: they are both undergoing a major paradigm shift. Have mainstream beliefs been wrong after all? Have supposedly unshakable edifices been standing on clay feet? Both communities are looking for their 21st century gold standard.

Lately, it seems as if the world has been experiencing a marked uptrend in criminal computer activity. In dozens of instances, prominent organizations were breached, and sensitive data was leaked. Lockheed Martin, Sony, Google, RSA, Citigroup, the IMF – just to name a few protagonists of recent high-profile hacking stories – have experienced the news as profound humiliations.

The turning point seems to have been the WikiLeaks episode of US diplomatic cables being released for everyone to look at. Ever since, security vendors have been scrambling to explain why the supposed fortresses they have helped their customers build suddenly seem as vulnerable against hackers as the ancient city of Troy ended-up being against the Greek army. The analogy is actually not as far-fetched as it may seem. To understand what most of these recent high-profile computer breaches have in common, it is important to understand what the buzz expression Advanced Persistent Threat means exactly. But first, and to stick with the fortress analogy, consider the following: for an invading army that aims to kidnap the princess, two sets of techniques exist. First, it can try to enter by knocking down the walls with a battering ram. This is usually the first approach one thinks of. It may work, but presents a number of downsides; not only does it lack discretion, but it also happens to be the one against which defences are the strongest. Therefore, it requires large resources and lacks effectiveness. In computer hacking, the same kind of approach exists; a “frontal attack” consists in targeting outward-facing servers, i.e. the ones that provide services on the Internet – Web or email servers are typical targets. This approach, even if successful, rarely gives access to the sensitive data a hacker might typically be looking for. The second set of methods, more discrete, is only limited by the attackers’ imagination. In the fortress example, they consist in offering a wooden horse to the king, digging a tunnel under the ramparts (or catapulting oneself above them) – or even seducing the princess and convincing her to voluntarily surrender. In computer hacking, these methods are called “client-side” hacking approaches. They involve targeting end-user platforms (desktops, laptops, smartphones) rather than servers, leveraging social and human components (convincing users to involuntarily adopt a dangerous behaviour), and, if successful, they readily give access to the prime target. To come back to the definition, an Advanced Persistent Threat most of the time means a targeted, client-side attack. Human behaviour is often part of the vulnerability; perimeter walls are utterly useless and prized data is immediately available after the network has been breached.

Pragmatic approach

As the general public has recently established for itself, supposedly impregnable fortresses are apparently blatantly unprotected, because their builders have assumed invaders will attack them frontally using battering rams. They have built high walls, made of indestructible brick, which attackers don’t even notice. They have focused on piling-up security technology, can roam freely once they’re in. The irrelevance of these classic protection schemes is well illustrated by the very way end-user platforms are still protected against client-side attacks. Namely, so-called “anti-virus” software. In a nutshell, such software relies on a pre-established list of known signatures. These signatures are individual DNAs of the threats they are supposed to counter. Each one of them is uncovered, understood and registered by anti-virus vendors; new signature entries are then regularly downloaded by antivirus software worldwide. In the nineties, when most hacking attacks were carried-out frontally, and when the quantity of new client-side signatures was a mere hundred per year, high perimeter walls and anti-virus software on laptops and desktops worked well enough. In 2011, few attacks are frontal anymore, and the quantity of signatures amounts to more than 70,000 per day. The protection paradigm has, however, hardly evolved since the nineties. This explains the overall vulnerability, and the recent streak of incidents that has rendered it obvious. So what does the new IT security paradigm look like?

What solutions must security officers consider to protect their organizations’ information assets, given this newfound reality? For starters, the philosophical approach needs to finish changing; it is not technology that provides safety – it rather supports an underlying set of policies that are necessarily devised high-up in the organization. Furthermore, the approach needs to be holistic, as technology alone cannot prevent all risks; user awareness training, security constraint minimization, impact mitigation through data segregation, prevention rather than reaction, are all necessary principles, part of a required pragmatic approach. Additionally, organizations have to stop focusing on building higher walls and stronger drawbridges; in parallel, they need to renounce the dream that a significant number of threats will be registered before they hit them. For client-side protection, they indeed need to embrace the preferred alternative – behavioural-based, systemic detection.

A very good illustration

The decision to rely on identifying the threats’ behaviours, rather than their signatures, rests upon a stark reality: the quantity of possible signatures is infinite. For example, it is possible nowadays to download the source code of ZeuS, probably among the most sophisticated computer Trojan horses ever devised, and thus to easily generate a cyber-weapon bearing a totally unique signature – therefore, it is naïve to hope that a targeted client-side attack may be countered through advance DNA enumeration. To devise a payload that bares a new behavior is, however, much more difficult; there is not an infinite number of ways to propagate, to leak data, or to communicate with an Internet-based “Command Centre”. Therefore, behaviour-based detection has a much better chance of countering Advanced Persistent Threat attacks.

Although technologies that work in such a way are highly innovative, the principle in itself is not. Actually, the financial industry provides a very good illustration of how it has been effectively leveraged for a long time, albeit for a different purpose. That example applies to how stolen or copied credit cards are detected and blocked: rather than relying on a hopeful list of stolen card numbers, purchasing behaviour is correlated, and malicious activity thus detected. If, for example, you pay for lunch in Zürich, and dinner in Melbourne on the same day, your card will be blocked, because it is unlikely you have teleported.

Similarly, by comparing different events across a large network segment, infection, propagation, data leakage or malicious communication can be uncovered. In conclusion, thanks to recent news, sensitive organizations worldwide, and Swiss financial institutions for that matter, have borne witness to the anachronistic nature of the traditional computer security approach. Fortunately, a better alternative exists, and innovators that have foreseen this paradigm shift are already providing them with the preferred alternative.

La cybercriminalité a coûté 114 milliards de dollars (environ 81 milliards d’euros) et fait 431 millions de victimes dans le monde en 2010, selon une étude publiée mercredi par le fabricant d’un logiciel antivirus Symantec.Selon le rapport établi par Symantec, qui produit le logiciel antivirus Norton, 74 millions d’Américains ont été victimes l’an passé de cybercrimes, qui leur ont coûté au total 32 milliards de dollars (23 milliards d’euros) de pertes financières directes. En Chine, ce coût a atteint 25 milliards de dollars (18 milliards d’euros), et il a représenté 15 milliards au Brésil (11 milliards d’euros), 4 milliards en Inde (2,8 milliards d’euros). Selon Symantec, 69% des internautes adultes interrogés ont été victimes au cours de leur vie d’un cybercrime, un taux qui grimpe jusqu’à 85% en Chine et 84% en Afrique du Sud.

L’étude souligne également le développement croissant des infractions de ce type sur les téléphones portables. “La cybercriminalité est bien plus développée que ce qu’imaginent les gens”, a commenté Adam Palmer, conseiller en cybersécurité chez Norton.
“Au cours des douze derniers mois, le nombre d’adultes interrogés pour l’étude victimes de cybercrimes est trois fois plus important que celui des victimes de crimes dans la vie”, souligne-t-il. “Et pourtant, moins d’un tiers des personnes interrogées pensent qu’elles ont plus de chance d’être victimes d’un cybercrime que d’une infraction dans la vie physique”, poursuit M. Palmer.

L’étude, menée auprès de 20.000 personnes dans 24 pays, a été réalisée aux mois de février et mars 2011 et portait sur les douze mois précédents, selon Symantec.

Du côté français.. Plus de 9 millions de Français victimes de la cybercriminalité en 2010

Plus de neuf millions de Français ont été victimes de la cybercriminalité au cours de l’année 2010, pour une facture totale estimée à 1,8 milliard d’euros, indique le rapport annuel de la société de sécurité informatique Symantec. “9,4 millions de victimes en France, c’est près d’une victime toutes les trois seconde”, souligne Symantec, l’éditeur du logiciel de sécurité Norton, qui a publié jeudi la partie française de son étude mondiale sur la cybercriminalité en 2010. Ces attaques “ont engendré près de 872 millions d’euros en pertes effectives directes des cybercrimes et 850 millions en temps perdu à résoudre les incidents, selon les estimations des victimes”, indique Symantec. Un peu plus de la moitié (54%) sont des attaques en ligne provenaient de virus ou de logiciels malveillants, suivies par les escroqueries en ligne (11%) et via les spams (10%).

“La menace de la cybercriminalité n’est pas suffisamment prise au sérieux par les internautes, alors qu’elle est pourtant omniprésente. Six adultes sur dix ont déjà été victimes d’un cybercriminel durant leur vie”, résume Laurent Heslault, directeur des stratégies de sécurité chez Symantec. “50% des adultes ne se sentent pas à l’abri d’un acte de cybercriminalité lorsqu’ils sont en ligne. Pourtant, la moitié d’entre eux ne prennent pas les mesures préventives qui s’imposent. 49% avouent que leur logiciel de sécurité censé protéger leurs informations n’est pas à jour”, selon lui. Moins de la moitié des internautes majeurs (47%) vérifie régulièrement ses comptes à la recherche d’une éventuelle fraude à la carte bancaire et 60% n’utilisent pas de mots de passe complexes ou n’en changent pas régulièrement, indique également Symantec.

Toujours selon cette étude, 23% des Français indiquent ne “pas pouvoir vivre sans internet” et 25% d’entre eux pensent qu’ils “perdraient contact avec leurs amis” s’ils devaient se passer des réseaux sociaux de type Facebook et Twitter.

Turning to client-side

 A highly interesting point which rises from this interview is the change of paradigm in the defense strategies. RSA confirm that the threat came from the client-side of their network and that all the frontal measures they have taken was therefore totally useless. This dimension that Satorys defend for several years now finally reaches international companies’ through the Advanced Persistent Threat.

Human factor become central in the new cyber defenses strategies. Social Engineering always existed but the recent growth of social media and community made much easier to attain employees personally and professionally. RSA testifies that an employee was attained by a phishing attack that was used to download a malicious payload via the flash plugin of the client browser. These actions allowed the attacker to install a remote administration tool to begin farming the data.

These new means for attacks were used wisely by attackers and finally confirm that being focused on frontal attacks is a completely outdated reasoning. Attackers are now looking for indirect access to resources and overuse the possibilities and credulity of end-users to gain access to private data. Once settled in the network attackers can easily reach the outside world from internal network and go look for orders to know which data to leak.

This change of paradigm is quite striking, indeed as RSA confess, the new postulate is that the internal perimeter should be considered compromised as used to be outside networks. We should take benefit from this experience at RSA to begin changing our approach and focus on the client-side of the network.

This is something Satorys has been claiming for several years and develop technologies focused on client-side for security detection. By analyzing internal connections and interactions Satorys has developed state of the art behavioral detection to determine the vulnerability and potentially compromised clients.

Ineffectiveness of signature based detection

Another interesting point revealed by RSA is the skills deployed to perform this attack. No more script kiddies and bruteforce on regular frontal services. The attack was indirect, performed by skilled and trained developer who designed specific software for this attack and at least generated a new signature of the software.

We can therefore notice with this assertion that any security appliance or software based on signature was anachronistic at this point and that finally the network was defense-less. As majority of security products are based on heavy and incomplete signature databases they can never keep up with the pace of new signatures publishing. Even if the database were up to date any software developed exclusively for the attack couldn’t be detected.

Once again, Satorys stood long time ago on the fact that signature-based will fail on short terms due to the exponential publish pace of the malicious softwares. Therefore Satorys focused its technology not to run behind the crowd for signatures updates but to work on a different paradigm: behavioral detection. As it exists a finite set of behaviors to attack and compromise clients, this new reasoning won’t fall into the exponential law as for signatures. By analyzing attacks by their behavior and not their signatures anymore we ensure that it will be always recognized.

Lessons learned

The lessons we can learn from such very interesting interview is that there is an increasing need for unparallel visibility on client-side and for traceability inside the information system. As RSA describes, they discovered the attacks quite by chance as few machines did few strange actions. Hopefully RSA analyst was skilled enough to investigate these actions and detect the leakage which could have been totally invisible in another context. I’m sure RSA analyst critically needed this unparallel visibility to investigate and search among their whole client-side infrastructure.

Once again we’re relieved to confirm that the choices made by Satorys actually fit the increasing need for visibility and client-side analysis. Trueboard allows to have such visibility and client oriented architecture and detection to simplify the work of analysts as RSA’s. Additionally, to deal with client-side attacks, it allows to identify and hopefully to train employees to security best practices to finally reach a high level of security.

We can sum up this video to some key points corporate and security manager should keep in mind:

• Consider the internal perimeter as compromised
• Human factor is the key for security enhancement especially concerning social networks
• Security level of partners and providers should be considered thoroughly
• Attackers are now trained, skilled and ready to develop one shot tools
• Signature-based is anachronistic considering the previous statement
• Attackers stop attacking frontally but use the client-side backdoors

- The signature-based protection paradigm is overly anachronistic – relying on “a priori” enumeration of threats for one’s safety doesn’t make any sense anymore.

- The preferred alternative is “behavior based”; by understanding – and detecting – threats’ behaviors one stands a much better chance of achieving better safety. There are indeed an infinite number of threat signatures possible, while the set of possible threatening behaviors is finite.

- Client-side security approaches nowadays make poor sense as cloud computing is gaining traction – a preferred approach is systemic, network-centric.

- Building increlevant.

Fortresses have never been so expensive – and walls have never been as tall.
This has not prevented highly protected organizations such as Google, RSA, Sony, the European Parliament, Lockheed Martin, the American Senate, Nintendo, Citigroup, the IMF, etc. from being breached. A better approach consists of building watchtowers instead of walls, i.e. of focusing on security visibility and intelligence rather than on blind protection schemes.

Satorys is expecting the current momentum underlying its activity and technological vision to gain further traction as news further corroborates these modern realities.

Among this information jungle, the BigData trend is refered as the ability to deal with huge amount of data from different source and expressing different information. Difficulties include capture, storage, search, sharing, analytics and visualizing. Big Data requires exceptional technologies to efficiently process large quantities of data within tolerable elapsed times. Technologies being applied to Big Data include massively parallel processing (MPP) databases, datamining grids, distributed file systems, distributed databases, MapReduce algorithms, cloud computing platforms, the Internet, and scalable storage systems.

 To leverage such opportunities, the challenge obviously consists in converting data into useful business information; being “data rich and information poor” is not helpful. This is where Satorys innovation and technology can help. From the very beginning, Satorys has positionned itself in this innovative field and developed methodologies to deal with such problem with new ways of parsing, normalizing, aggregating, correlating, and mining this stupendous volume of data.

Without such innovation, the risk is information overload – or otherwise called, “infobesity”. According to Jonathan Spira, chief analyst at Basex Inc. and author of the book Overload, the challenge is real : in 2010 infobesity cost 997 billion to the US economy, as the average worker wasted 25% of his workday dealing with useless data.

Thanks to its proprietary technology, Satorys is a key player of the BigData trend, as it extracts understanding from huge amounts of IT logs. These logs, transformed into semantically valuable events, are indeed leveraged to generate useful and accurate security alarms and activity reports. Satorys’ services therefore enable decision makers to act upon systemic, purposeful and efficient Security intelligence.

C’est dans cette situation que les solutions de Satorys prennent tout leur sens et plus particulièrement TrueBoard. Non seulement TrueBoard va permettre de rendre visible et exploitable ces 41% de brèches mais il va également analyser le reste des logs pour déterminer les 59% de brèches restantes avec un système de corrélation et de détection comportementale.

« En réalité, beaucoup d’entreprises déploient des systèmes de sécurité intelligente ou de gestion des logs pour cocher la case des conformités telles que PCI, FISMA, GLBA, SOX ou GPG 13, et n’ont par la suite pas les ressources nécessaires ou l’expertise technique pour rechercher les alertes et y apporter une réponse efficace ».

Une fois de plus nous ne pouvons qu’aller dans le sens de notre confrère. Bien qu’un outil comme TrueBoard soit un gros avantage pour la mise en conformité d’une entreprise, il permet bien plus. En effet, il utilise ces ressources souvent inutilisées pour en tirer de l’intelligence et présenter une information claire, pertinente et précise sur les problèmes de sécurité. Toute action malicieuse laisse une trace sur les ressources de l’entreprise, TrueBoard est là pour flairer cette trace et remonter le fil des évènements en confrontant plusieurs données et enfin en tirer une analyse fine pour déterminer la nature de la menace.
En conclusion nous pouvons dire que le service de Sécurité Trueboard permet de gérer les problèmes de sécurité client-side et exogènes mais également de remplir toutes les obligations réglementaire liées à la conformité.

Article: Q1 Labs : 41% des atteintes à la sécurité ont laissé des traces dans les logs

Ce nouveau paradigme en deux points :

1) Les attaques informatiques sont ciblées et prennent aujourd’hui la forme d’ Advanced Persistent Threats “client-side”. Seule une approche systémique et comportementale permet de les contrecarrer.

2) Les attaques informatiques sont éminemment éphémères, personalisées par cible, et ambitionnent de provoquer des scénarios de “Data Leakage”. Seule une approche systémique et comportementale permet de les contrecarrer.

C’est dans le même contexte que nous lisons récemment que plusieurs gouvernements investissent massivement dans leur capacité cyber-défensive. De facon similaire, le secteur privé a décuplé sa compréhension à cet égard ces derniers mois, notamment grâce aux différents épisodes de hacking haut-niveau qui ont eu lieu. Cette réalité démontre le niveau de maturité grandissant sur ces questions, et la compréhension de plus en plus rigoureuse du marché sur les problématiques modernes de cyber-défense.

C’est dans la perspective de ce surcroît de compréhension et de conscience que Satorys travaille depuis plusieurs années. A l’époque où la société a démarré (en 2006), le marché (privé et public) était *loin* du niveau de compréhension actuel. Malgré cela, la société a pris le risque d’investir dans une technologie largement en avance sur son temps – avec l’espoir que la demande surviendrait rapidement.

2010 a confirmé l’intuition de Satorys, 2011 est en train de la pérenniser. Le succès et la demande que connaissent Satorys en ce moment sont incommensurables. Comme expliqué plus haut, ses interlocuteurs ont désormais compris que nous avons changé de paradigme, que la menace a évolué, et que les approches classiques sont largement inadéquates.

Du fait de sa vision en avance sur son temps, Satorys est donc en mesure de proposer aujourd’hui une technologie qui répond à ce changement de paradigme. Sa capacité à observer les réseaux de facon *systémique*, et de *reconnaitre les comportements* des menaces, est tout à fait unique. Satorys ne peut donc être qu’un interlocuteur *privilégié* de quiconque a subi cette prise de conscience récente, et d’investir les moyens de se défendre, de facon moderne, contre les menaces modernes. Ceux qui fonctionnent sur l’ancien paradigme ne peuvent pas comprendre la valeur ajoutée de Satorys, et ne font pas partie de nos cibles.

En deux mots, “l’intelligence collective” que Satorys déploie est *indispensable* à une lutte efficace contre les menaces modernes.

Un excellent exemple de cette réalité est le cas Stuxnet. La raison pour laquelle il a échappé à la détection est la même pour laquelle l’immense majorité des logiciels infectieux échappent désormais aux anti-virus, même les plus performants : les anti-virus et autres protections classiques fonctionnent sur un modèle qui consiste à identifier et répertorier les « signatures » des menaces (signature-based model).

Ce modèle fonctionnait bien il y a encore quelques années, lorsque la quantité de nouvelles signatures émergeant chaque jour était limitée. En revanche, les menaces aujourd’hui apparaissent et disparaissent exponentiellement plus vite. A titre d’illustration, les statistiques révèlent que pendant l’année 1999 moins de 2 nouvelles signatures de menaces étaient détectées par jour, alors que cette quantité est de 73’000 par jour en moyenne pour les trois premiers mois de 2011. En conclusion, le modèle signature-based dont dépendent les solutions de protection classique est parfaitement anachronique, désuet et obsolète.

De surcroît, les protections classiques sont embarquées sur les plateformes qu’ils ont la charge de protéger (host-based model). Ce modèle présente plusieurs désavantages, qui rendent ces solutions souvent inefficaces. Tout d’abord, ces solutions – du fait de leur caractère éminemment décentralisé – sont incapables de bénéficier d’une « intelligence collective » efficace.

En effet, il est impensable que chacun de ces programmes communique à un système central une information sur ce qu’il « voit » ; cela présenterait trop d’inconvénients en termes de performance, d’utilisation de bande passante, et de confidentialité. Ils exploitent donc des flux d’informations et de mises à jour unidirectionnels, et sont incapables d’utiliser un effet de volume comme levier.

Ensuite, ces solutions classiques se retrouvent en concurrence avec la menace elle-même, puisque les deux logiciels (la menace et la protection) fonctionnent sur le même système en même temps – il est donc beaucoup plus aisé pour le ver ou le virus d’interrompre l’anti-virus, ou de contourner le mécanisme de protection. Finalement, puisque par définition tout le monde peut télécharger la protection, il est aisé pour le criminel de s’assurer que son logiciel malveillant échappe bien à la protection qui est censée la détecter, avant de le diffuser.

La technologie de Satorys identifie et contrecarre les menaces informatiques en s’appuyant sur un paradigme différent de celui décrit ci-dessus : sa technologie utilise un modèle « network-centric » et « behavior-based ». Cela a les implications suivantes:

- Network-centric: la protection se fait de façon éminemment centralisée. C’est-à-dire qu’un seul système a la charge de filtrer l’ensemble des menaces potentielles. En effet, l’ensemble du trafic sensible converge vers un seul et même point. La capacité d’observation et de protection est donc centrale, et une mesure de protection, lorsqu’elle est mise en œuvre, affecte instantanément l’ensemble des plateformes en même temps. L’effort préventif, aussi bien que curatif, prend donc effet en temps réel. Ensuite, puisque la protection est centralisée, aucun criminel, terroriste ou attaquant ne peut la « télécharger » et tester l’efficacité de l’arme qu’il créé ; il se lance donc forcément dans ce cas à l’aveuglette, sans connaître à l’avance l’efficacité de son logiciel. Finalement, ce type d’architecture permet d’exploiter le principe « d’ intelligence collective » ; l’ensemble des observations passées et/ou effectuées par ailleurs contribue à l’effort de lutte contre les menaces futures – un tel système est donc d’autant plus efficace qu’il protège un grand nombre de plateformes, et qu’il est déployé depuis longtemps.

- Behavior-based: c’est la caractéristique essentielle de la technologie, qui la distingue de tout le reste. C’est le comportement de la menace qui est décelé, et non sa signature. La différence est essentielle. En effet, alors que pour échapper à une détection classique la menace doit, dans le cas d’une solution signature-based, simplement changer d’ADN (et, comme on l’a vu, c’est devenu simplissime), pour échapper à une détection de type behavior-based, la menace doit modifier substantiellement son comportement ; elle doit par exemple se propager de façon radicalement nouvelle, ou communiquer avec le criminel, le terroriste ou l’attaquant en utilisant un modèle jamais vu auparavant.
La quantité d’innovation nécessaire et donc l’investissement à mettre en œuvre, pour créer une souche ayant une chance de se propager efficacement, sont supérieurs de plusieurs ordres de grandeur.

En conclusion, les attaques modernes ne peuvent être contrecarrées efficacement qu’en employant une approche centralisée, s’appuyant sur un principe de « détection comportementale » et « d’intelligence collective»- c’est à ce prix-là que la protection devient préventive en plus d’être curative, que la probabilité de détection devient maximale, qu’une intelligence collective peut être exploitée, que l’investissement criminel, terroriste ou belliqueux doit être substantiellement plus important pour devenir efficace, et que, de façon générale, un système critique peut être efficacement protégé.

The key of APT lies in its name:

• Advanced: Attacks uses various advanced techniques to perform these tasks.
• Persistent: Attackers give priority to sustainability in the victim network rather than immediate gain and exposure.
• Threat: Attackers clearly target a specific victim with a defined goal, rather than infect randomly networks.

This kind of attack combines the good old methods (Trojan and vulnerabilities) to target a specific system. The best example is StuxNet which targeted the Iranian nuclear systems.  We can define attacks as APT when it satisfies the following criteria:

• Organized by a group preferably abroad
• Organized with funds and means adapted to the target spotted
• Fully incorporated in an intelligence process toward the target
• It can’t be settled by a single hacker even super-motivated

This new trend in cyber attacks shows clearly that attacks have reached a new level. They are now organized and have tremendous funds to perform significant attacks over the network. These undergrounds organizations redirects to governments or very wealthy criminals regarding the amount of resources used.

A report published by the company “Mandiant” has defined the processes of an APT:

• System and ecosystem recognition (scanning, social engineering)
• Stealth infiltration in the spotted network
• Backdoor installation on the targeted systems
• Privilege escalation towards critical systems in the spotted network
• Installation of tools for data leakage and long-term stealth
• Privilege escalation over all the spotted network
• Massive data leakage using covert channels for example
• Adapting the victim ecosystem for long-term exploitation by the attacker

Analyzing these steps we can clearly see APT attacks will be most of time launched at client side. Attackers will have help internally or gain access and perform attacks from the client-side to be as stealth as possible and fly under the radar settled by security administrators.

Through the last months we’ve seen a recrudescence of these attacks in the news beginning with StuxNet in 2009. In the early 2010 the press coverage over Google accusing the Chinese government of a massive attack emphasized this type of attacks. More recently we can refer to the attacks over the French Economy Minister, RSA servers and Sony data leakage.

We are facing an evolution of cyber attacks based on data leakage and sustainability which companies and administration need to be aware of and prepared to handle. Currently they are equipped with classical security detection system with the efficiency we know… no APT mitigated, discover threat by luck and provide little visibility or comprehension of their network. I know propose to compare this classical security paradigm with the one developed here at Satorys.

Classical Detection

Stuxnet worm has been detected by surprise after a long period of data leakage and privilege escalation in the targeted network. The reason this worm could evade the detection is the same as for APT can infect any targeted network protected by traditional security system:

• Anti-virus and other protection systems work on a model consisting of identifying threat based on their signature (signature-based model). This model was working fine years ago, but now that threats and malware grow exponentially we can clearly see the shortcoming of such model. Tools exist to generate different signature for the same malware and therefore evade any classical detection system. In conclusion the signature-based model on which current detection system rely is totally obsolete and will definitely not catch up and mitigate the current and future attacks methods.

• The classical protection systems are embedded on the platforms they’re meant to protect (host based model). This model presents several shortcomings resulting in the total inefficiency of the detection tools. First of all, being host-based, these solutions are not capable of using collective intelligence in an effective way. Indeed it requires communicating in real-time with a central entity to update and evaluate the current level of threat. What’s more these classical detection systems are in competition with the malware itself of the platform. Indeed it’s much easier for the malware to block or evade a security system when malware have access to it. We’ve seen example of malware stopping or mitigating the host-based security system to gain privilege stealthy. Finally the protection widely released is available for all, even the attackers. They can therefore find techniques to evade the mitigation system of the security system.

Satorys Detection

Satorys identifies and mitigate cyber threats based on a different models than those quoted above. Its technology uses behavior-based and network centric models. Consequently it has the following advantages:

• Behavior-based : It’s the essential characteristic of the technology on which everything rely. It’s the behavior of the threat that is analyzed and not its signature. This difference is crucial, indeed in the case of signature-based model, the malware could easily change its signature millions times. Whereas malware won’t have an infinity of behavior to infect systems and perform illegitimate actions on a system. Attackers will have to redefine a whole new behavior for each malware detected and will shortly be out of resources.

• Network-centric : Satorys security system gathers information from all the systems present in the network. While gathering in real-time events for all the systems, it performs correlation and detection to filter all potential threats and reverberates its analysis towards all the systems of the network. Since all the events converge toward a single centralized security system, none of the attacker can download or have access to the detection method used to mitigate them. What’s more this model has the great advantage to be perfectly adapted for effective collective intelligence. The whole set of observed events (past or from other sources) contribute to the effort of detection for future threats. Therefore the system will as much efficient as it will protect a large number of systems.

Finally we see that APT can’t be mitigate using classical method, and we’ll discover more and more through these APT the limitations of classical security methods and appliances. In conclusion if you want to know more about APT we recommend the following links:

• Wired – Apt hacks – 2010.02
• Wired – Hack for oil – 2010.01
• Commandfive – Threats
• Usenix – Daly

Concretely for MSSP such as Satorys it means that it allows to be very reactive to take into account new inputs and updates about security functionnalities and vulnerabilities to integrate it into our software release.

Satorys uses one of this methodology to develop its software internally : SCRUM agile method. SCRUM allows Satorys to be in constant evolution of take into account in its development process any update concerning vulnerabilities, new ways of security detection. It also helps to provide regular and constant software release to provide new functionnalities, improved performance and bug fixes.

Satorys SCRUM development process

• Satorys can therefore be very flexible to take into account customer feedbacks and integrate it into the development process of the product. The same applies to security vulnerabilities to be integrated very quicly in Satorys products.
• The daily meeting identifies customer feedbacks and security vulnerabilities and prioritize it before integrating it into the development process and the planning of the next release.

As SCRUM defined, Satorys uses the principle of self organization to let Satorys experts deal with high-level problems without interfering or constantly micro-manage them. What’s more every collaborator has a voice concerning the possibilities of improvement or security update in the products. Satorys uses a Knowledge Base developed with the help of its collaborators to consider all aspects of problems and potentially integrate newly featured security updates.

From my point of view, agile development is crucial and should be considered in every MSSP to provide the best performance and updates in product release. In security, reactivity is a crucial factor and it’s useless to deal with an attack released 6 month earlier in a new product release.

Batard Florent, R&D Manager, at Satorys.

De nouveau cette affaire relance le débat sur la protection de la vie privée et surtout la sécurité des informations sensibles dans les systèmes d’information. Le fait de stocker en clair les mot de passe ainsi que de stocker tout l’historique d’achat et données bancaire sur la même plateforme ne nous rassure pas sur les normes de sécurité interne chez Sony.

Des normes existent notamment pour les données bancaires telles que PCI-DSS qui assure un minimum de prise de risque et d’exposition de ces données.
Les antivirus et autre IDS/IPS en place chez Sony ont été incapable de traiter ces attaques ciblés car les signatures de ces attaques ne sont pas référencées. Cet échec de sécurité chez Sony est aussi l’échec du modèle traditionnel de sécurité basé uniquement sur ces signatures. Une analyse comportementale couplé à une politique sur la gestion des données sensibles aurait eu un bien meilleur effet pour percevoir cette fuite de donnée.

De plus cette attaque nous montre une fois de plus la nouvelle tendance de fuite de données (Data Leakage). Des informations importantes sortent du système d’information sans contrôle et l’attaque est découverte quand les pirates diffusent ces informations en ligne. En résumé, les DSI doivent se poser la question de leur politique de gestion des données (Knowledge Management) et évaluer les solutions disponibles pour prévenir et empêcher ces fuites de données avec des méthodes plus efficaces que les solutions actuelles basées sur les signatures d’attaque.

The European Network and Information Security Agency has released a great report concerning the botnets and the way to mitigate them.

I particularly liked the detection section from page 41 as it concerns Satorys business. I completely agree on their approach concerning the drawbacks of the IDS/IPS solutions hosted in the customer network cf p.42. It’s really hard to scale up and know where to position these IPS/IDS.  

What’s more they highlight clearly the drawback of having signature-based detection as the payload can easily be changed and attackers can easily bypass this security. cf p.42

On contrary the other passive methods exposed confirm the choices Satorys have made concerning analysis of flow records, log flow analysis and DNS based recognition. cf p.43-50

They also encourage initiative such as HoneyNet to source the knowledge base to detect popular and automatic botnet spreading. Once more Satorys have applied this method and built its own HoneyNet across the globe to be aware of new security trends and events globally. cf p.50-53

Finally they consider distributed anti-virus as an interesting idea to detect botnet in future. This typically refers to a collective intelligence to be aware and reactive to new threats that emerge in the world and the capacity to automatically update other user to make them benefit of new updates. cf p.54

Once more we’re comforted to see that Satorys follow this good path and agree the European agency about the way to detect and mitigate botnets.

This report also presents a wide variety of counter-measures to mitigate botnets for individuals, collectivities and ISPs. This is a very interesting analysis that should be considered by network and system administrators dealing with botnets issues. Satorys integrated these solutions into its knowledge base for escalation against botnets attacks and trained security analyst to efficiently deploy these solutions into customer networks.

They also give hints about the different national and international initiatives you can refer to concerning botnets issues. cf p.96-103

Satorys’ TrueBoard provides an implementation to deal with all the issues quoted in the document and helps cutomer to be compliant with these recommendations. What’s more TrueBoard logging platform provides an answer to all the challenges highlighted in this document (cf p.2-8):

• Log Storage : with TrueBoard Cloud Log Management, you can archive TeraBytes of logs
• Log Protection : logs are transported through encrypted channel and securedly stored on disks
• Log Analysis : TrueBoard dashboard and logflow capabilities offer a wide toolset to analyze log and highlight interesting events.

TrueBoard also ensures that customers have access to graphical interface, security knowledge base, incident tracking and reporting capabilities and asset information and storage correlation(cf p.3-10).

The challenge in this setting was the critical requirement of not relying on logs that contain any kind of nominal or personal customer information. The DNS Query Logs are therefore ideal, as they can be leveraged using Satorys’ Behavioral Security technology and Collective Intelligence sourcing system.

DNS Query Logs are sent by non-authoritative DNS servers and report on requests that were sent to them by customers. These requests can be of various types, whether users are requesting a Mail Exchanger, the IP address for a Website, etc. Although they give insight on Internet activity, they divulge no personal information whatsoever.

Satorys leverages DNS Query Logs by using a highly innovative, massively distributed HoneyNet.

For example, many dozen pairs of MX Honeypots are replicated throughout the Internet, over four continents.  They feed into proprietary, highly reliable blacklists, that increase the detection reliability of spambots.

Satorys’ highly distributed and modular Cloud relies on No-SQL (Google-like indexing) to parse and retrieve terabytes of logs in a matter of milliseconds.

A new integration functionality allows defining “LogFlows”, selecting any subset of logs, events and intelligent alarms for viewing, monitoring, reporting, charting and interfacing with a third-party platform.
We have prepared a short presentation video we are happy to share with you today.

All this while 84% of internet users use IT security software for protection.

This study is yet another illustration of the incompleteness, and anachronistic nature, of signature-based, host-based security solutions. Only behavioral-based approaches, based on collective intelligence sourcing, nowadays stand a chance to fight modern malware.

See the entire study :

http://europa.eu/rapid/pressReleasesAction.do?reference=STAT/11/21&type=HTML

Still in pilot phase, this project aims at proposing an effective, fast and easy way to access the Internet safely worldwide. Several features of TrueChannel are leveraged :

-  The seamless TLS/SSL tunnel is used to evade traffic tampering and censorship

-  Strong encryption protects against surveillance and eavesdropping

-  World-Class Managed Security provisions protect against data leakage and client-side attacks

-  A distributed SOC allows fast, broadband Internet access despite the tunnel overhead

Announcement event website : https://www.actforfreedom.org/