Posts Tagged ‘Yoggie’
Monday, June 15th, 2009
I recently received an IdeaPad S10 – An outstanding netbook from Lenovo. It is relatively small, has great connectivity, and everything I need to take with me on flights and trips.
It smoothly switches from hibernation to power on and vice versa, ready to serve me when I am looking for a nearby Japanese restaurant, business address, or my Gmail account.
I also installed a copy of MobileMe client (by Apple) on it, keeping my business folders in sync on my S10, 3 Windows PCs and my MacBook.
So far, all is great. The S10 comes with Norton Internet Security Suite 2009 ready to be enabled/installed. When I did that, I ran into some major challenges (I do not like the words “issue”, “problem” and “risk” :-)). The Atom processor on my S10 is great for running Windows XP and my applications, but it was never designed to run these additional multiple security applications included in the Symantec security suite (to be accurate, nor any other vendor’s security suite) such as: Anti Virus, Anti Spyware, Web and email proxies, intrusion detection and prevention, Anti Spam, Anti Phishing, etc.
I immediately noticed a significant performance hit on my second reboot after getting all the recent Security Suite updates. At that point, I learned how I can really enjoy my S10.
The secret is to completely remove the Security Suite and disable Windows XP updates. Yes, this sounds like preparing my S10 to be shot dead on my next Internet connection, but this is the only way to really enjoy both performance and the great mobility of the handy S10.
I am not preaching to practice “unsafe surfing” by not using a security tool at all, but as you know, I don’t have to pay for a Yoggie Gatekeeper that perfectly fills the security gap that I created. The S10 has a 34mm ExpressCard slot which is perfect for the Gatekeeper Card. The only drawback is that Lenovo saved some space and made the 34 mm slot shorter than the PCI standard, causing my Gatekeeper to stick out about 10 mm of its form factor, but this is something I am ready to trade with no need to run the Internet Security Suite that makes my S10 almost non usable.
The Windows XP updates are still missing, but I am trying to be selective and cherry-pick only those that I find very critical and that the firewall and 13 other security applications in the Gatekeeper may miss.
So as the CEO of the hair growth company said in the TV commercial: “I am not just the company president, but I am also a user”
Cheers,
Shlomo.
Tags: Gatekeeper, Mobility, Netbook, Performance, Security, Spyware, Virus, Yoggie Posted in Security, Yoggie
Thursday, June 11th, 2009
I am writing this item from Frankfurt Airport, Germany. I am using my MacBook Pro, connecting to the T-Mobile wireless account, and sharing the same infrastructure with everyone else here (same access point, same switch, sharing the same DHCP server with everyone etc.)
This has nothing to do with my post today, except that I just cannot tell you how I can “see everyone else, while no one can see me”. Well, not exactly. They see my Gatekeeper for Mac mini-computer and my MacBook is hiding behind it (I have my own DHCP Server on the Gatekeeper) – sorry, I cannot avoid mentioning it.
So, I am looking around and I see more Mac users than Windows-based PC users. This is not a real statistic, but the interesting point is that it’s no longer only students or young people. You start to see the suit and tie crowd using these computers, connecting to their corporate servers, “VPNing”, doing their corporate work that was totally dominated by Windows till not long ago.
This is in line with recent publications from analysts showing that since switching to Intel processors, the Mac has entered the corporate world and is increasing its presence there. It is still a single-digit percentage, but this brings a new challenge to corporate IT. Many of these Mac owners are very senior employees (only senior people can decide to get a non-standard corporate PC). They also expect IT to support it.
The Mac didn’t suffer from many Virus and Malware attacks in the past. But, as the Mac starts to be used by senior corporate people, it becomes an attractive, very well selected target for identity theft, hacking into financial information and sources, getting credit card information, and doing what hackers do today to Windows-based PCs. OS X is not really more secure than Windows Vista, it was just less popular.
For IT, this is a huge headache, not only do they lack experience and knowledge in these systems as well as lacking tools and infrastructure to provide adequate service, but Apple and the security vendors are not ready to provide them with security infrastructure and solutions.
IT doesn’t have a security response team that is gathering information from Mac security experts, building procedures and tools, and providing real-time answers to Mac related security vulnerabilities. All that they have with Windows based PCs is missing with the Mac.
In addition, over 15 years of progress in Windows security is missing in OS X and it takes time to catch up. Meanwhile, corporate exposure is growing, and the hackers, using strong hunting instincts, are closing in.
Apple is trying to close this security gap and be proactive. Last Monday, Apple announced Safari 4.0, a release that fixes more than 50 vulnerabilities in the browser. I believe that Apple is trying to increase its effort and investment in security; however, they have a long way to go and, more importantly, it really requires changing some of the Apple culture and vision – which is the more difficult task.
So, it’s not that I wish for Apple to change its culture, but instead, upon entering the corporate world, I expect Apple to grow-up a bit security-wise, and step up to the challenge.
Meanwhile, I am using my MacBook with Gatekeeper Card.
Cheers,
Shlomo.
Tags: Gatekeeper, Mac, OS X, Security, Yoggie Posted in Security, Yoggie
Tuesday, June 2nd, 2009
In Part II, I talked about the huge challenge Anti Virus companies face with the massive increase in the size of the Virus signature database. The problem is not only the allocation of a 60MB Virus signature file in the computer’s RAM (that’s today; tomorrow it can be 1GB). It’s also the performance hit that the PC would suffer.
I am frequently asked by Yoggie customers and prospects about this performance hit. Everyone knows that Anti Virus software slows down the PC, but providing a simple answer is a challenge. The public records for this number vary from 15% to 55% depending on the test equipment, lab setup and the “age” of the Anti Virus software. The latter is probably the most critical one and is controlled by the Anti Virus vendor and the end user. This means that an Anti Virus released in 2007 and running on a PC for 2 years (i.e. 2 years old) will have a very different performance hit on the PC compared to an Anti Virus that is “only” 6 months old.
The reason is related to the fact that the Anti Virus “update” doesn’t include just new Virus signatures. Many of these daily updates include new DLL (Dynamic Link Library = executable code) files designed to fight specific Virus families or instances that cannot be covered using the current Anti Virus algorithms and require specific code to effectively detect and remove such new Viruses. As a result, older Anti Virus programs include hundreds of DLL files (an Anti Virus may have 5 – 10 daily updates) acting as a collection of patches. These patches lack overall system optimization and may be seen as spaghetti code that dramatically slows down the Anti Virus execution performance.
Everyone knows that when first using a PC with a fresh Windows OS, it runs well with satisfying performance. However, 9 – 12 months later the PC starts to slow down, and 1-2 years later the PC is very slow. The Windows OS contributes to this, but the Anti Virus spaghetti effect is a major contributor as well, presenting a growing problem for which current technology offers no remedy.
As a side tip, one is better off completely uninstalling last year’s Anti Virus and installing a brand new version from the current year. By doing just that, one should expect better performance during the months to come.
It is very clear that a new direction is needed. Some security companies are trying to “milk” their current technology, which has generated significant revenue over the last decade, while other security companies keep their R&D teams very busy leading the industry with new, groundbreaking technologies. These companies are usually smaller ones, maybe startup companies that try to come up with a fresh vision and a different way to solve the problem.
As a founder of two security companies that recognize the paradigm shift in the security market, I appreciate creative thinking, but when it comes to security I also know that a solution always gets back to the 3 basic laws of security.
Any breakthrough technology that tries to present a security “leap frog” step must obey these 3 laws or it will end up in the security marketplace waste basket and forgotten dead startups.
So, I started with a description of the 3 basic laws of security in Part I and I’m returning to the same basic rules now. Every brand new technology that is presented needs to be verified to ensure that it architecturally supports multiple lines of defense, that it applies different algorithms/technologies in every security line, and that it seeks maximum “security depth” between each security line.
Lets check Yoggie’s Gatekeeper product line against the 3 basic laws of security:
1. Use of multiple lines of defense: Gatekeeper comes with 13 built-in security applications. A few, such as the IDS/IPS, work at the packet level, and others, such as the Anti Spyware, work at layer 7, extracting file content and running file-level scanning. Each presents a different line of defense. The IDS checks the packet stream, looking for matches against its DB of attack signatures. The Anti Spyware obtains a complete file from the layer 7 proxy, performs content analysis to detect the true file type (regardless of the name or extension it was sent with), and applies a type-specific scanner to find a known Spyware signature within the file structure/content. Moreover, the Gatekeeper as a whole acts as one integrated security line in its own right, separate from the security lines installed inside the actual PC OS you are trying to protect.
2. Yoggie’s Gatekeeper uses different technology within its built-in security lines. The IDS technology is very different from the Anti Spyware technology described above. Also, the Gatekeeper technology (content scanning) is different from the host PC security application (i.e. a Windows/Mac based Anti Virus), which scans run-time code.
3. Yoggie’s Gatekeeper detects and stops the attack or threat before it lands inside the protected PC OS. This means that the PC security application will never see attacks already screened and stopped by the Gatekeeper. That constitutes a “security depth” between the Gatekeeper and the PC. Moreover, the Gatekeeper hides the PC using NAT, making it invisible to the other PCs that are connected to the same public network.
Needless to say, the 3 basic laws of security are not everything needed in a security system. Corporate IT requires policy enforcement mechanisms, management, reporting tools, etc. But the 3 laws provide an efficient and successful tool to check any security system and to allow maximum security with minimal redundancy.
That’s for today; stay tuned for additional topics, soon.
Cheers,
Shlomo.
Tags: Gatekeeper, Malware, Phishing, Security, Spyware, Virus, Yoggie Posted in Security, Yoggie
Sunday, May 10th, 2009
So, Shlomo, why did you bring back your idea from 1996? Is this really what is needed now? How can this help? These are some of the questions that colleagues asked me after publishing my last blog.
Let’s take a close look at the scope of the Anti Virus challenge. The graph below shows how the number of signatures within the DB is growing. Today, most DB sizes range from 50MB to 60MB in RAM. The better the job the Anti Virus company is doing, the fewer signatures it needs to cover more Malware, meaning a smaller memory footprint and lower CPU cycle consumption.

[Graph: growth in the number of Virus signatures in the Anti Virus DB. Source: Kaspersky Lab Virus Statistics]
However, if this trend continues, within 3-4 years the size of the DB will reach 1GByte. It’s hard to see PC users agreeing to pay the toll of running the largest application on their PC. Needless to mention how long it will take a PC to start up and how slow Windows will be. A huge application will scan every file operation, local or on the network, against a huge DB…
So, most of the AV companies are rushing these days to the open warm arms of In The Cloud Security (ITCS) technology. What is so promising about ITCS?
First, how does it work? A collection of servers (the cloud) stores the large signature DB and a powerful scanner. CPU and memory resources can easily be added to the cloud to maintain high performance with no effect on service availability. Most end users have a high-speed connection to the Internet, which is used by a “thin” AV client installed on the PC. Instead of scanning each file for known Malware signatures, the thin AV client creates a checksum (hash) for every file and sends the checksum to the cloud. The cloud checks whether a file with that checksum is known Malware. If such a match is found, the thin client reports the Malware attempt and deletes the file. If there is no known Malware associated with the checksum, the file is loaded, executed or opened on the PC.
The result is a small footprint on the PC (little memory consumption) regardless of the size of the signature DB. Assuming a high-speed network and a powerful cloud, a performance improvement may be achieved as well.
Where is the drawback?
The above technology is very good at outbreak time. However, the nature of the Internet means that millions of new files are born every day. There are many new programs, scripts, HTML pages (which need to be scanned too), potential email phishing and SPAM, etc. If the client reaches a new file, the cloud may not have its checksum ready. In such a case the cloud or the client needs to download the entire file, scan it, return the result and store the new checksum and scan result. Since this happens very often, such delays may occur every day, reducing the effectiveness of the cloud.
One way in which Anti Virus companies want to mitigate this drawback is by adding a long white list to the cloud. The file white list holds checksums of known non-Malware files and is maintained on a daily basis. They are also considering adding proactive scanning, which adds a lot of false positives. The combination of white list and proactive scanning may improve the solution and reduce the symptoms, but it does not really fix the problem.
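To make the fast path, the white list and the slow path concrete, here is an added example that is not part of this post and not any AV vendor’s code: a toy in-the-cloud scanner in Python. The thin client hashes each file and asks the cloud; the cloud answers from its known-bad list or its white list, and falls back to uploading and fully scanning the file when the hash is unknown. The class names, the hash lists, the content signature and the sample files are all constructed for the example.

```python
"""Added example (not any AV vendor's code): a toy in-the-cloud scanner.

Fast path: hash lookup against the cloud's known-bad and known-good lists.
Slow path: unknown hash -> upload the whole file, full content scan, cache the
verdict under its hash. Everything below is constructed for the example."""
import hashlib

CONTENT_SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"  # used only by the slow full scan


def fingerprint(data: bytes) -> str:
    # One changed byte gives a new hash, so every new variant takes the slow path.
    return hashlib.sha256(data).hexdigest()


# Constructed sample files.
KNOWN_MALWARE = b"MZ" + b"\x00" * 40 + CONTENT_SIGNATURE
KNOWN_GOOD = b"MZ" + b"clean editor binary" + b"\x00" * 40
NEW_FILE = b"%PDF-1.4 fresh document nobody has seen before"
NEW_VARIANT = KNOWN_MALWARE + b"\x01"   # one byte appended to a known sample


class Cloud:
    def __init__(self):
        self.bad = {fingerprint(KNOWN_MALWARE): "Sample.Trojan"}   # signature DB
        self.good = {fingerprint(KNOWN_GOOD)}                      # white list
        self.full_scans = 0     # slow-path count: this is the performance drawback

    def lookup(self, digest: str) -> str:
        if digest in self.bad:
            return "malware"
        if digest in self.good:
            return "clean"
        return "unknown"

    def full_scan(self, data: bytes) -> str:
        """Slow path: scan the whole file, then cache the verdict under its hash."""
        self.full_scans += 1
        digest = fingerprint(data)
        if CONTENT_SIGNATURE in data:
            self.bad[digest] = "Sample.Trojan.Generic"
            return "malware"
        self.good.add(digest)   # grows the white list for the next client
        return "clean"


class ThinClient:
    def __init__(self, cloud: Cloud):
        self.cloud = cloud
        self.uploads = 0        # whole-file uploads, each a user-visible delay

    def check(self, data: bytes) -> str:
        verdict = self.cloud.lookup(fingerprint(data))
        if verdict == "unknown":
            self.uploads += 1
            verdict = self.cloud.full_scan(data)
        return verdict


def demo():
    cloud = Cloud()
    pc = ThinClient(cloud)
    results = [
        pc.check(KNOWN_MALWARE),   # hash hit, no upload
        pc.check(KNOWN_GOOD),      # white-list hit, no upload
        pc.check(NEW_FILE),        # unknown: upload + full scan
        pc.check(NEW_FILE),        # now cached: no upload
        pc.check(NEW_VARIANT),     # known family, new hash: slow path again
    ]
    return results, pc.uploads, cloud.full_scans


if __name__ == "__main__":
    verdicts, uploads, scans = demo()
    print(verdicts, "uploads:", uploads, "full scans:", scans)
```

Running `demo()` shows the two sides of the post’s argument in numbers: three of the five checks are answered by a hash lookup alone, but the never-seen file and the one-byte variant each cost a whole-file upload and a full scan, and the variant shows why a growing white list does not close the gap for new files.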
So, again, what does all of this have to do with the 3 laws of security and what does it have to do with Yoggie?
For that, you will need to read Part III of this blog thread.
Stay tuned, Part III will come soon.
Cheers, Shlomo.
Tags: Gatekeeper, Malware, Phishing, Security, Spyware, Virus, Yoggie Posted in Security, Yoggie
Tuesday, May 5th, 2009
Since early 2008, we have witnessed a major increase in Malware. If you check your Anti Virus signature database, you will find that it grew by hundreds of percent, and keeps growing. It’s not a surprise at all. When I founded my previous company – Finjan Software – in 1996, our “elevator pitch” was that due to the explosive nature of the Internet, signature-based Anti Virus will not be able to keep up with newly released Malware. The Internet offers a super-connected, unique platform of widely “open” operating systems with published APIs (such as Windows), many tools to build Malware with minimal technical knowledge, and the ability to send CODE, not just data, from one computer to another.
It was only a question of time until we reached half a million Malware signatures in the DB. That requires too much RAM on the PC and demands too many of its CPU cycles to operate. Today, most industry experts will agree with the vision of Finjan ’96: we need more security, we need it done differently, and we cannot pay the current toll to implement it.
So, where do we go from here? Back to basics. The following 3 principles are the 3 laws/pillars of any security system. It can be a military line of defense, it can be vault security and it can definitely be Internet Security:
Law #1: Use multiple lines of defense
Law #2: Use different security technology/strategy in every line of defense
Law #3: Seek maximum “depth” between each security line
Laws #1 and #2 refer to the fact that every security line is like a net with certain holes. Using multiple nets, each with different holes, ensures that they cover for each other, making the combined meshed net one with far fewer security holes, or in other words, shrinking the security holes. This is true only if one is using a different security technology on every line of defense, ensuring that each will have different security holes; otherwise, the effort is useless and the additional defense lines are redundant.
Law #3 requires “security depth” in between each security line. It represents the attempt to keep the attack far from its target. This is easy to understand when guarding a country’s border and less clear in Internet Security or Computing Security. So, as an example, let’s refer to securing a corporation from Internet Malware. Nowadays, most employees enjoy access to the Internet from their corporate computers. It is IT’s role to assure maximum security for these PCs, reducing to a minimum the risk presented by the Internet. A close look at a typical corporation shows that IT deploys at least two security lines.
One is at the Gateway level, where a Firewall and Intrusion Detection and Prevention Systems (IDS/IPS) are deployed, continuing with Web and Mail Proxies equipped with Anti Virus, Anti Spyware, Anti SPAM and Anti Phishing systems. This line of defense screens the traffic arriving from the Internet before it is transferred to the PCs connected to the corporate network. This is Defense Line #1. The technology used is “content inspection”, from the packet level up to and above the application level.
IT also deploys a second line of defense. It is host-based security running an Internet Security suite on every PC. It can be Norton Internet Security, McAfee Internet Security or any other Security Suite from manufacturers such as Trend Micro, Kaspersky, etc. This is Defense Line #2. It is used during runtime on the PC and intercepts the execution of every application or piece of code arriving from the Internet, checking it against a Malware Signature DB to detect a known attack.
It is easy to see that Line #2 uses different technology than Line #1 and therefore obeys Laws #1 and #2 mentioned above. The fact that the traffic from the Internet first faces IT’s Line #1 and only after being screened continues inside and lands on the PC and Line #2 provides a “security depth”. It also means that the threats and attacks that are stopped by Line #1 never reach Line #2 or the PC, again constituting a “security depth” or “security zone” that stops the attacks far from their target.
So, what I am suggesting in this blog post, is that in order to successfully defend a PC and its resources/information from Malware on the internet, a security system is required; one that implements effectively the above 3 basic laws of security. This means that we need to use different security technologies, deployed over different security lines with “security depth” in between them, which makes the entire solution effective, while minimizing the performance toll on the PC CPU. Does it sound like asking too much? Well, if you do not seek something, you will never get it.
I strongly believe that the days of adding thousands of Malware signatures to an already huge DB, hoping that this will be the best technology to fight Malware – is an old, overstretched strategy that is facing the wall. Also, alternative solutions that do not follow the 3 basic Laws of security, will fail, by definition, to meet the challenge of exploding Malware on the Internet.
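As an added example that is not part of this post and not Yoggie’s code, here is the two-line model above in Python: Line #1 is an IDS-style matcher over the reassembled traffic stream, Line #2 is a file scanner that identifies the true file type from its leading bytes before applying a type-specific signature set, which is also the pair of techniques the Part III check of the Gatekeeper (above on this page) describes. Every signature, the magic-number table, the `Verdict` class and the sample payloads are constructed for the example; none is a real detection rule.

```python
"""Added example (not Yoggie's or any vendor's code): a toy two-line defense.

Line 1 (gateway): pattern match over the reassembled packet stream.
Line 2 (file scanner): classify the file by its leading bytes, ignoring the
name it was sent with, then run the signature set for that type.
All signatures, magic numbers and samples below are constructed."""
from dataclasses import dataclass

# Line 1: stream-level signatures (constructed).
STREAM_SIGNATURES = {"cgi-shell-metachar": b"GET /cgi-bin/%3b"}

# Line 2: true-type detection by magic bytes, then per-type signatures (constructed).
MAGIC = [(b"MZ", "pe"), (b"\x7fELF", "elf"), (b"PK\x03\x04", "zip"), (b"%PDF-", "pdf")]
FILE_SIGNATURES = {
    "pe": {"Sample.PE.RawDiskWriter": b"\\\\.\\PhysicalDrive0"},
    "pdf": {"Sample.PDF.AutoJS": b"/OpenAction << /S /JavaScript"},
}


def true_type(data: bytes) -> str:
    """Classify by content, never by the extension the sender chose."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def scan_stream(packets):
    # Reassemble first: a signature split across two packets is invisible per packet.
    stream = b"".join(packets)
    return next((n for n, sig in STREAM_SIGNATURES.items() if sig in stream), None)


def scan_file(data: bytes):
    sigs = FILE_SIGNATURES.get(true_type(data), {})
    return next((n for n, sig in sigs.items() if sig in data), None)


@dataclass
class Verdict:
    line: str   # "gateway-ids", "file-scanner" or "clean"
    name: str


def defend(packets, filename: str) -> Verdict:
    """Law #3 in code: whatever Line 1 stops is never handed to Line 2."""
    hit = scan_stream(packets)
    if hit:
        return Verdict("gateway-ids", hit)
    hit = scan_file(b"".join(packets))
    if hit:
        return Verdict("file-scanner", hit)
    return Verdict("clean", "")


# Constructed samples.
RENAMED_EXE = b"MZ" + b"\x00" * 60 + b"\\\\.\\PhysicalDrive0" + b"\x00" * 20  # sent as holiday.jpg
SPLIT_REQUEST = [b"GET /cgi-bin/", b"%3bcat%20/etc/passwd HTTP/1.0\r\n\r\n"]  # signature straddles packets
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"


def demo() -> dict:
    return {
        # Law #2: the stream matcher has no rule for this; the content-typed scanner does.
        "renamed_exe": defend([RENAMED_EXE[:40], RENAMED_EXE[40:]], "holiday.jpg"),
        # The file scanner has no type for raw HTTP; the stream matcher stops it at Line 1.
        "split_request": defend(SPLIT_REQUEST, "index.html"),
        "clean_pdf": defend([CLEAN_PDF], "report.pdf"),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:14s} -> {verdict.line} {verdict.name}")
```

The two samples have deliberately different holes: the renamed executable carries nothing the stream matcher knows, and the raw HTTP request is no file type the scanner knows, so each line catches what the other misses (Laws #1 and #2), and the request stopped at the gateway never reaches the file scanner at all (Law #3). Had both lines been the same per-packet matcher, the split request would have slipped through both.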
Stay tuned, Part II will come soon.
Meanwhile, please feel free to comment and post suggestions, questions, etc.
Cheers, Shlomo.
Tags: Gatekeeper, Malware, Phishing, Security, Spyware, Virus, Yoggie Posted in Security, Yoggie