Posts Tagged ‘Phishing’
Tuesday, June 2nd, 2009
In Part II, I talked about the huge challenge Anti Virus companies face with the massive increase in the size of the Virus signature database. The problem is not only loading a 60MB Virus signature file into the computer’s RAM (that is today; tomorrow it can be 1GB). It is also the performance hit that the PC suffers.
I am frequently asked by Yoggie customers and prospects about this performance hit. Everyone knows that Anti Virus software slows down the PC, but providing a simple answer is a challenge. The public records for this number vary from 15% to 55% depending on the test equipment, lab setup and the “age” of the Anti Virus software. The latter is probably the most critical one and is controlled by the Anti Virus vendor and the end user. This means that an Anti Virus released in 2007 and running on a PC for 2 years (i.e. 2 years old) will have a very different performance hit on the PC compared to an Anti Virus that is “only” 6 months old.
The reason is that the Anti Virus “update” doesn’t include just new Virus signatures. Many of these daily updates include new DLL (Dynamic Link Library = computer execution code) files designed to fight specific Virus families or instances that cannot be covered using the current Anti Virus algorithms and require specific code to effectively detect and remove such new Viruses. As a result, older Anti Virus programs include hundreds of DLL files (an Anti Virus may have 5 – 10 daily updates) acting as a collection of patches. These patches lack overall system optimization and may be seen as spaghetti code that dramatically slows down the Anti Virus execution performance.
Everyone knows that when first using a PC with a fresh Windows OS, it runs well with satisfying performance. However, 9 – 12 months later the PC starts to slow down, and 1-2 years later the PC is very slow. The Windows OS contributes to this effect; however, the Anti Virus spaghetti effect is a major contributor as well, presenting a growing problem for which current technology offers no remedy.
As a side tip, it follows that one should completely uninstall last year’s Anti Virus and install a brand new version from the current year. By doing just that, one should expect better performance during the months to come.
It is very clear that a new direction is needed. Some security companies are trying to “milk” their current technology, which has generated significant revenues during the last decade, while other security companies keep their R&D teams very busy leading the industry with breaking new technologies. These companies are usually smaller ones, maybe startup companies, that try to come up with a fresh vision and a different way to solve the problem.
As a founder of two security companies that recognize the paradigm shift in the security market, I appreciate creative thinking, but when it comes to security I also know that a solution always gets back to the 3 basic laws of security.
Any breakthrough technology that tries to present a security “leap frog” step must obey these 3 laws or it will end up in the security marketplace waste basket and forgotten dead startups.
So, I started with a description of the 3 basic laws of security in Part I and I’m returning to the same basic rules now. Every brand new technology that is presented needs to be verified to architecturally support multiple lines of defense, to apply different algorithms/technologies in every security line, and to seek maximum “security depth” between each security line.
Let’s check Yoggie’s Gatekeeper product line against the 3 basic laws of security:
1. Use of multiple lines of defense: Gatekeeper comes with 13 built-in security applications. A few, such as IDS/IPS, work at the packet level, and others, such as Anti Spyware, work at layer 7, extracting file content and running file-level scanning. Each presents a different line of defense. The IDS checks the packet stream, looking for matches against its database of known streams. The Anti Spyware obtains a complete file from the Layer 7 proxy, performs content analysis to detect the true file type, and applies a specific scanner to find a known Spyware file signature within the file structure/content. Moreover, the Gatekeeper as a whole acts as an integrated security line within the system, where the other security lines are installed inside the actual PC OS you are trying to protect.
2. Yoggie’s Gatekeeper uses different technology within its built-in security lines. The IDS technology is very different from the Anti Spyware technology specified above. Also, the Gatekeeper technology (content scanning) is different from the Host PC security application (i.e. Windows/Mac based Anti Virus), which scans run-time code.
3. Yoggie’s Gatekeeper detects and stops the attack and threat before it lands inside the protected PC OS. This means that the PC security application will not see screened attacks stopped by the Gatekeeper. That constitutes a “security depth” between the Gatekeeper and the PC. Moreover, the Gatekeeper hides the PC using NAT technology, making it invisible to the other PCs that are connected to the same public network.
Needless to say, the 3 basic laws of security are not everything needed in security systems. Corporate IT requires policy enforcement mechanisms, management, reporting tools, etc. But the 3 laws provide an efficient and successful tool to check any security system and to allow maximum security with minimal redundancy.
That’s for today; stay tuned for additional topics, soon.
Cheers,
Shlomo.
Tags: Gatekeeper, Malware, Phishing, Security, Spyware, Virus, Yoggie | Posted in Security, Yoggie
Sunday, May 10th, 2009
So, Shlomo, why did you bring back your idea from 1996? Is this really what is needed now? How can this help? These are some of the questions that colleagues asked me after publishing my last blog post.
Let’s take a deep look at the scope of the Anti Virus challenges. The graph below shows how the number of signatures within the DB is growing. Today, most of the DB sizes range from 50MB to 60MB in RAM. The better the Anti Virus company does its job, the fewer signatures it needs to cover more Malware, meaning a smaller memory footprint and lower CPU cycle consumption.

Source: Kaspersky Lab Virus Statistics
However, if this trend continues, within 3-4 years the size of the DB will reach 1GByte. It’s hard to see PC users agreeing to pay the toll of the largest PC application. Needless to mention how long it will take a PC to start up and how slow Windows will be: a huge application scanning every file operation, local or on the network, against a huge DB…
So, most of the AV companies are rushing these days into the open, warm arms of In The Cloud Security (ITCS) technology. What is so promising about ITCS?
First, how does it work? A collection of servers (the cloud) stores the large signature DB and a powerful scanner. CPU and memory resources can easily be added to the cloud to maintain high performance with no effect on service availability. Most end users have a high-speed connection to the internet, which is used by a “thin” AV client installed on the PC. The thin AV client creates a checksum for every file (instead of scanning it for known Malware signatures) and sends the checksum to the cloud. The cloud checks whether a file with that specific checksum has the signature of known Malware. If such a match is found, the thin client reports the Malware attempt and deletes the file. If there is no known Malware associated with the checksum, the file is loaded, executed or opened on the PC.
The result is a small footprint on the PC (little memory consumption) regardless of the size of the signature DB. Assuming a high-speed network and a powerful cloud, a performance improvement may also be achieved.
Where is the drawback?
The above technology is very good at outbreak time. However, by its nature the internet produces millions of new files every day. There are many new programs, scripts, HTML pages (which need to be scanned too), potential email phishing and SPAM, etc. If the client reaches a new file, the cloud may not have its checksum ready. In such a case the cloud or the client needs to download the entire file, scan it, return the result and store the new checksum and scan result. Since this happens very often, such delays may occur every day, reducing the effectiveness of the cloud.
One way in which Anti Virus companies want to mitigate this drawback is by adding a long white list to the cloud. The file white list will hold checksums of non-Malware files and will be maintained on a daily basis. They are also considering adding proactive scanning, which adds a lot of false positives. The combination of white list and proactive scanning may improve the solution and reduce the symptoms, but it does not really fix the problem.
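To make the checksum round-trip and its drawback concrete, here is a small added simulation. It is not Yoggie’s or any AV vendor’s code: the file contents, the marker string the toy scanner looks for, and the class names are all constructed for this illustration. It models the thin client, the cloud’s known-bad list and white list, and counts how often the slow full-scan path has to run when a file is new to the cloud:

```python
"""Toy model of the In The Cloud Security lookup described above (added example)."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def checksum(data: bytes) -> str:
    # The thin client hashes the file instead of scanning it locally.
    return hashlib.sha256(data).hexdigest()


# Constructed sample files. Which ones are "malware" is decided by the toy
# full scanner below (it looks for a marker string), not by any real signature.
SAMPLE_FILES = {
    "setup.exe": b"MZ...legitimate installer...",
    "dropper.exe": b"MZ...EVIL_MARKER...",
    "notes.txt": b"just text",
}


def full_scan(data: bytes) -> bool:
    """Stand-in for the heavy signature scanner that runs in the cloud.
    Returns True when the file is malicious (constructed rule)."""
    return b"EVIL_MARKER" in data


@dataclass
class Cloud:
    known_bad: set = field(default_factory=set)   # checksums of known Malware
    whitelist: set = field(default_factory=set)   # checksums of known-good files
    full_scans: int = 0                            # how often the slow path ran

    def lookup(self, digest: str) -> Optional[bool]:
        """Fast path: answer from the checksum alone, or None if unknown."""
        if digest in self.known_bad:
            return True
        if digest in self.whitelist:
            return False
        return None

    def scan_and_remember(self, data: bytes) -> bool:
        """Slow path: the client had to send the whole file up for scanning.
        The verdict is cached so the next client asking gets the fast path."""
        self.full_scans += 1
        verdict = full_scan(data)
        (self.known_bad if verdict else self.whitelist).add(checksum(data))
        return verdict


@dataclass
class ThinClient:
    cloud: Cloud

    def check(self, data: bytes) -> Tuple[bool, str]:
        """Return (is_malicious, which_path_answered)."""
        digest = checksum(data)
        verdict = self.cloud.lookup(digest)
        if verdict is None:
            return self.cloud.scan_and_remember(data), "full-scan"
        return verdict, "checksum-hit"


def run_demo() -> Tuple[List[Tuple[str, bool, str]], int]:
    """See every sample file twice: the first encounter is unknown to the
    cloud (slow path), the second is answered from the checksum alone."""
    cloud = Cloud()
    client = ThinClient(cloud)
    results = []
    for _ in range(2):
        for name, data in SAMPLE_FILES.items():
            malicious, path = client.check(data)
            results.append((name, malicious, path))
    return results, cloud.full_scans


if __name__ == "__main__":
    for row in run_demo()[0]:
        print(row)
```

Every new file costs one full scan before the cloud can answer from the checksum, which is exactly the daily delay the post describes; the white list only helps for files the cloud has already seen.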
So, again, what does all of this have to do with the 3 laws of security and what does it have to do with Yoggie?
For that, you will need to read Part III of this blog thread.
Stay tuned; Part III will come soon.
Cheers, Shlomo.
Tags: Gatekeeper, Malware, Phishing, Security, Spyware, Virus, Yoggie | Posted in Security, Yoggie
Tuesday, May 5th, 2009
Since early 2008, we have witnessed a major increase in Malware. If you check your Anti Virus signature database, you will find that it grew by hundreds of percent, and keeps growing. It’s not a surprise at all. When I founded my previous company, Finjan Software, in 1996, our “elevator pitch” was that due to the explosive nature of the internet, signature based Anti Virus will not be able to catch up with newly released Malware. The Internet offers a super-connected, unique platform of widely “open” operating systems with published APIs (such as Windows), many tools to build Malware with minimal technical knowledge, and the ability to send CODE, not just data, from one computer to another.
It was only a question of time until the DB reached half a million Malware signatures. That requires too much RAM on the PC and demands too many of its CPU cycles to operate. Today, most of the industry experts will agree with the vision of Finjan 96: we need more security, we need it differently, and we cannot pay the current toll to implement it.
So, where do we go from here? Back to basics. The following 3 principles are the 3 laws/pillars of any security system. It can be a military line of defense, it can be vault security and it can definitely be Internet Security:
Law #1: Use multiple lines of defense
Law #2: Use different security technology/strategy in every line of defense
Law #3: Seek maximum “depth” between each security line
Laws #1 and #2 refer to the fact that every security line is like a net with certain holes. Using multiple nets, each with different holes, assures that they cover for each other, making the combined meshed net one with far fewer security holes, or in other words, shrinking the security holes. This is true only if one is using different security technology on every line of defense, assuring that each will have different security holes; otherwise the effort is useless and the additional defense lines are redundant.
Law #3 requires “security depth” in between each security line. It represents the attempt to keep the attack far from its target. This is easy to understand when guarding a country border and less clear in Internet Security or Computing Security. So, as an example, let’s refer to securing a corporation from internet Malware. Nowadays, most employees enjoy access to the Internet from their corporate computers. It is IT’s role to assure maximum security for these PCs, reducing to a minimum the risk presented by the Internet.
A close look at a typical corporation shows that IT deploys at least two security lines. One is at the Gateway level, where Firewall and Intrusion Detection and Prevention Systems (IDS/IPS) are deployed, continuing with Web and Mail Proxies equipped with Anti Virus, Anti Spyware, Anti SPAM and Anti Phishing systems. This line of defense screens the traffic arriving from the Internet before it is transferred to the PC connected to the Corporate network. This is Defense Line #1. The technology used is “content inspection” from the packet level up to and above the application level.
IT also deploys a second line of defense. It is host based security running an Internet Security suite on every PC. It can be Norton Internet Security, McAfee Internet Security or any other Security Suite from manufacturers such as Trend Micro, Kaspersky, etc. This is Defense Line #2. It is used during runtime on the PC and intercepts the execution of every application or code arriving from the internet, checking it against the Malware Signature DB to detect a known attack.
It is easy to see that Line #2 uses different technology than Line #1 and therefore obeys Laws #1 and #2 mentioned above. The fact that the traffic from the internet first faces the IT Line #1 and only after being screened continues inside and lands on the PC and Line #2 provides a “security depth”.
It also means that the threats and the attacks that are stopped by Line #1 never reach Line #2 or the PC, again constituting a “security depth” or “security zone” that stops the attacks far from their target.
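As an added illustration of Laws #1 to #3 (example code written for this page, not anything from the post or from Yoggie; the threat samples and the three toy detectors are constructed), the following models each defense line as a detector, runs the constructed threats through the lines in order, and records which line stopped each one. Running the same technology twice lines the holes up, while different technologies cover each other’s holes, and the index of the stopping line doubles as the “depth” at which a threat was kept from its target:

```python
"""Defense lines as nets with holes (added example, constructed data)."""
from typing import Callable, Dict, List, Optional

# Constructed threat samples: a known signature (or none), whether the code
# beacons out to the network, and whether the file is packed.
THREATS: List[Dict] = [
    {"name": "worm-A", "signature": "sig-A", "beacons": True, "packed": False},
    {"name": "worm-B", "signature": "sig-B", "beacons": False, "packed": True},
    {"name": "new-C", "signature": None, "beacons": True, "packed": True},
    {"name": "new-D", "signature": None, "beacons": False, "packed": False},
]
KNOWN_SIGNATURES = {"sig-A", "sig-B"}   # constructed signature DB

Detector = Callable[[Dict], bool]


def signature_engine(t: Dict) -> bool:
    """Signature matching: the classic Anti Virus net. Its hole is new Malware."""
    return t["signature"] in KNOWN_SIGNATURES


def behaviour_engine(t: Dict) -> bool:
    """A different technology: flags outbound beaconing regardless of signature."""
    return t["beacons"]


def packer_heuristic(t: Dict) -> bool:
    """A third technology: content inspection that flags packed executables."""
    return t["packed"]


def run_lines(lines: List[Detector]) -> Dict[str, Optional[int]]:
    """Pass every threat through the lines in order and record which line
    (0 = outermost, i.e. furthest from the target) stopped it, or None if
    every net had a hole for it."""
    outcome: Dict[str, Optional[int]] = {}
    for t in THREATS:
        outcome[t["name"]] = next((i for i, d in enumerate(lines) if d(t)), None)
    return outcome


def missed(outcome: Dict[str, Optional[int]]) -> List[str]:
    """Threats that reached the target: nobody stopped them."""
    return sorted(name for name, line in outcome.items() if line is None)


# Same technology twice (violates Law #2): the holes line up, nothing is gained.
SAME_TECH = run_lines([signature_engine, signature_engine])
# Different technology per line (Laws #1 and #2): holes cover each other.
DIVERSE = run_lines([signature_engine, behaviour_engine, packer_heuristic])

if __name__ == "__main__":
    print("same technology twice, missed:", missed(SAME_TECH))
    print("diverse lines, stopped at line:", DIVERSE, "missed:", missed(DIVERSE))
```

Note that the diverse setup still misses one constructed sample (no signature, no beaconing, not packed): more lines of different technology shrink the holes, as the post says, but do not remove them.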
So, what I am suggesting in this blog post is that in order to successfully defend a PC and its resources/information from Malware on the internet, a security system is required, one that effectively implements the above 3 basic laws of security. This means that we need to use different security technologies, deployed over different security lines with “security depth” in between them, which makes the entire solution effective while minimizing the performance toll on the PC CPU. Does it sound like asking too much? Well, if you do not seek something, you will never get it.
I strongly believe that the days of adding thousands of Malware signatures to an already huge DB, hoping that this will be the best technology to fight Malware, are over; it is an old, overstretched strategy that is facing the wall. Also, alternative solutions that do not follow the 3 basic Laws of security will fail, by definition, to meet the challenge of exploding Malware on the Internet.
Stay tuned, Part II will come soon.
Meanwhile, please feel free to comment and post suggestions, questions, etc.
Cheers, Shlomo.
Tags: Gatekeeper, Malware, Phishing, Security, Spyware, Virus, Yoggie | Posted in Security, Yoggie
Wednesday, August 27th, 2008
The internet has been buzzing over the last couple of weeks about the “Facebook virus” that has started to spread around.
That’s natural: the Social Web, Web 2.0 and Facebook specifically have been the hot internet subject in the last couple of weeks. Practically everyone is on Facebook these days.
And now Facebook is used to spread viruses! Scary, right?
Well... The truth of the matter is that, technically, Facebook is not exploited in any way. Yes, it’s a convenient platform for a virus to work with, but the virus is not using any vulnerability in Facebook itself.
The Facebook Virus is really a great example of how a virus, and a relatively simple one at that, can infect so many people by using a series of multiple attack tactics and a lot of “social engineering”.
The attack begins with a classic Phishing email attack. Many people are spammed by emails luring them into clicking a link claiming to be to Facebook.
Clicking on the link takes you to a Phishing Web site that looks exactly like Facebook, and even has a very similar domain name.
The user is asked to login, and enters his username and password credentials.
At that moment the trap has sprung and the attacker has complete control over the victim’s Facebook account, since he can log in as the user. This victim is “patient zero” in a sense.

In the next step the attacker logs into the victim’s Facebook account and sends a message to all the victim’s friends, providing a link to a “funny video”.
The Web site looks almost exactly like YouTube, and when the user tries to play the video a message appears saying that the Flash player needs to be updated.
The user then downloads the “Flash player update”, which is the actual payload of the whole attack: this is the malware. This malware, or spyware, opens the computer up completely and herds it into a botnet.
To summarize:
While Facebook does indeed provide a great platform for viral distribution, the technical methods by which attackers reach their victims are anything but new. It’s simply an elegant combination of “good old” Phishing and social engineering. Each step could have maybe been detected by a clever user, but the combination of them works better on the target. The same spyware link could have just been sent in an email – but very few people would have clicked it. What makes it stronger is that a known and trusted friend on Facebook sent it. Moreover, you don’t just download anything, it’s simply a Flash update file that you need in order to see that great funny movie.
So nothing special technically here, but a great example for social engineering techniques.
This is how you can protect yourself from this attack:
1. Since the attack, as described above, is composed of several consecutive smaller attacks, your defense should be multi-layered as well. This attack can be stopped by your security measures at several different points. The phishing email can be detected as such and blocked, the phishing Web site can be detected as such and blocked, and the spyware application itself can be detected by an anti-virus and stopped. You should have all these measures in place.
And how do we at Yoggie implement this? Simple. Yoggie’s products cram 12 different security applications into the device. You have multiple engines protecting you transparently. This attack would be blocked at multiple different steps by Yoggie devices. Moreover, the attack itself was first detected and reported by Kaspersky, which is the anti-virus engine that Yoggie uses inside.
2. Make sure all your security measures are up to date!
This is super important: it’s not enough to have security measures in place. The security applications you use must always be updated, otherwise they are useless.
In a worst-case scenario, when your security measures have failed to detect the Facebook attack at any other point, an updated anti-virus would already be familiar with the spyware’s signature and stop it dead in its tracks.
And how do we at Yoggie implement this? Even simpler. All Yoggie’s products automatically and transparently update all the different engines running inside. EVERY 5 MINUTES. And the user doesn’t even feel it is happening.
3. The most important and simplest advice is this – Never EVER click on anything before careful consideration. I can’t stress this enough. It can be a link in an email message. A link in an instant message. A Web link in Facebook. Always be suspicious of such links. Always check the browser’s status bar before actually clicking the link, to make sure the URL you will get to is indeed where you want to go.
Note: this post is based on researching the reported information online and not by first-hand analysis of the virus.
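The check in advice #3 (look at where a link really points before clicking) can be written down as code. The following is an added example, not code from the post or from Yoggie, and every URL in it is constructed using reserved names (.example, .test) and the 203.0.113.0/24 documentation address range. It takes the real destination of a link and decides whether the host belongs to the site it claims to be, flagging the “very similar domain name” trick used in the attack above:

```python
"""Classify where a link really points: trusted site, lookalike, or other.
Added example with constructed URLs; the heuristics are deliberately simple."""
from urllib.parse import urlsplit

# Digit-for-letter swaps that make one host name read like another.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable(host: str) -> str:
    """Owner-controlled part of the name: the last two labels. Good enough for
    .com-style names here; real code would consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify_link(url: str, trusted: str = "facebook.com") -> str:
    """Return 'trusted', 'lookalike' or 'other' for the host a link points to."""
    parts = urlsplit(url)
    if "@" in parts.netloc:
        # user-info before the real host lets the link *read* as the trusted site
        return "lookalike"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "other"
    if registrable(host) == trusted:
        return "trusted"              # the site itself or one of its real subdomains
    labels = host.split(".")
    owner_label = labels[-2] if len(labels) >= 2 else labels[0]
    brand = trusted.split(".")[0]   # e.g. "facebook"
    # 1) trusted name buried inside a longer host: facebook.com.<something>.example
    if trusted in host:
        return "lookalike"
    # 2) brand hidden in the owner's label: faceb00k.com, facebook-login.example
    if brand in owner_label.translate(CONFUSABLES).replace("-", ""):
        return "lookalike"
    return "other"


# Constructed links; .example/.test and 203.0.113.0/24 are reserved for documentation.
SAMPLE_LINKS = [
    "https://www.facebook.com/home.php",
    "https://m.facebook.com/",
    "http://facebook.com.login-check.example/",
    "https://faceb00k.com/login",
    "https://facebook-security.example/",
    "http://www.facebook.com@203.0.113.5/",
    "https://video.example/funny",
]


def triage(links=SAMPLE_LINKS):
    """Verdict per link, the way a mail or proxy filter would apply it."""
    return {u: classify_link(u) for u in links}


if __name__ == "__main__":
    for link, verdict in triage().items():
        print(f"{verdict:10} {link}")
```

The same function fits at two of the points named in advice #1: a mail filter can run it over links in incoming messages, and a Web proxy can run it on the URL actually being fetched, so the phishing page is blocked even when the user did not look at the status bar.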
Tags: Facebook, Gatekeeper, Malware, Phishing, Security, Spyware, Virus, Yoggie | Posted in News, Security