Posts Tagged ‘mcafee’

McAfee has announced the McAfee Cloud Security Platform, a new approach to help organizations safely and efficiently take advantage of Cloud computing. The new platform achieves this by securing all content and data traffic – including email, web and identity traffic – moving between an organization and the Cloud.

“Once you move data or applications to the Cloud, you essentially lose most – if not all – of your security visibility, which most organizations find unacceptable,” said Marc Olesen, senior vice president and general manager, Content and Cloud Security at McAfee. “By securing the data and traffic before it travels to or through the Cloud, we help businesses extend their security practices and policies into the Cloud.”

The McAfee Cloud Security Platform delivers security through highly integrated, modular solutions that protect both inbound and outbound traffic moving between the enterprise and the public cloud.  Today, the platform offers the following modules:

  • Web Security – McAfee Web Security provides bi-directional protection for both incoming and outgoing web traffic through proactive reputation- and intent-based protection.
  • Mobile Security – Web traffic generated by smart phones and tablets can be directed through the McAfee Web Gateway using standard device management. This ensures that mobile devices are secured with advanced anti-malware protection and corporate web filtering policies.
  • Cloud Access Control – The Intel Expressway Cloud Access 360 helps enable an enterprise or cloud provider to provide comprehensive access control for cloud applications using enterprise identities.
  • Email Security – McAfee Email Security delivers total email protection, integrating comprehensive inbound threat protection with outbound data loss prevention.
  • Web Services Security – The Intel Expressway Service Gateway offloads application-level API security, data transformation, REST-to-SOAP mediation and identity token exchange to a high-speed gateway at the network edge or in the cloud.

Another key aspect of ensuring Cloud security is making sure organizations identify data that should or should not be moved to the Cloud. Using McAfee’s Data Loss Prevention solution, organizations can first understand where their data resides, classify that data in terms of importance or sensitivity, build policies to protect that data, and then enforce those policies while data travels within the organization or outside it to the Cloud.

McAfee Data Loss Prevention discovers data wherever it resides on the network and whatever format it is in, giving the enterprise data-mining tools to build more effective policies quickly and enforce them. Centralized management and reporting is also provided through integration with the McAfee ePolicy Orchestrator platform.

The security modules can be deployed as an on-premises appliance, Software-as-a-Service solution or a hybrid combination of both. This provides organizations the flexibility and coverage to protect their headquarters, regional offices and even remote workers using mobile devices.

Regardless of the deployment form factor, the solutions can be centrally managed through the ePolicy Orchestrator platform or the McAfee SaaS Control Console.  Additionally, the platform and modules are powered by McAfee Global Threat Intelligence, which leverages the Cloud with millions of sensors and hundreds of threat researchers worldwide to deliver real-time – and even predictive – threat intelligence against all known and emerging threats.

Using the platform’s built-in Application Programming Interface (API), McAfee aims to deploy additional security modules in the coming months to provide even greater and deeper Cloud protection. This may include a variety of solutions, such as tools that can provide greater granular control over popular social media sites.

Most of today’s malware targets Windows and its applications, because that reaches the largest number of people worldwide (Windows holds over 90% of the consumer operating system market). However, other platforms are becoming more popular every day and are attracting attackers, who are starting to write malicious code for those systems as well.
According to McAfee, a further threat is cross-platform malware that runs on both Windows and Mac by targeting the Java Virtual Machine rather than the underlying operating system. IncognitoRAT is one example of a Java-based Trojan found in the wild; it is downloaded and installed by a separate dropper component. The malware behaves like other Windows botnets but is built from source code and libraries that can operate on other platforms.
“The original propagation vector of IncognitoRAT is a Windows executable, but apparently it was created using the tool JarToExe, which includes, among other features, the ability to convert .jar files into .exe files, to add program icons and version information, and protect and encrypt Java programs. The victim’s machine has to have the Java Runtime Environment installed and must be online,” explains Carlos Castillo, Malware researcher, McAfee. As soon as the file is executed, it starts downloading a ZIP file with a pack of Java-based libraries to perform several remote activities:
  • Java Registry Wrapper: Used to access the Windows Registry and create an entry in Software\Microsoft\Windows\CurrentVersion\Run to execute the malware every time the computer starts
  • Java Remote Control: To view and take remote control (keyboard and mouse) of an infected machine
  • JLayer – MP3 Library: To remotely play an MP3 file on the infected machine
  • RNP-VideoPlayer: To play videos remotely
  • JavaMail: Optional Java package to send stolen information to an email account
  • Freedom for Media Java: Open-source alternative to the official Java Media Framework; used by the malware to watch and record images from a remote webcam

In addition to those libraries, the downloader drops the following .jar components:

  • JavaUpdater.jar: Decrypts the directory (full path) that the malware will create to hold all of its components on the infected machine; it implements TripleDES encryption and decryption methods. Finally, the component launches the main malware, Server.jar, using the usual command for running Java applications on Windows (java -jar %malwarepath%/Server.jar).
  • Server.jar: Runs in the background collecting keystrokes using a DLL designed to hook the keyboard on the infected machine. It also waits for commands from the control server to use the libraries described above and perform other actions, such as sending the captured keystrokes in a text file to an FTP server or an email account, viewing and recording the remote webcam, performing distributed denial-of-service attacks, taking remote control of the machine, etc.

One interesting feature of this botnet that we could not replicate during our analysis is its ability to “crash” the system. Apparently, it is a fake crash because in the dropped files we found a curious image that may appear on the infected machine:
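The persistence mechanism described above (a Run-key value that starts a dropped JAR with `java -jar` at every logon) is easy to hunt for once the Run keys have been exported. The script below is an added example, not McAfee’s code or part of the original analysis: it parses a dictionary of Run-key values, picks out entries that launch a JAR, either through `java`/`javaw -jar` or directly via the `.jar` file association, and flags those whose JAR sits in a user-writable location such as AppData or Temp. The value names and paths in `SAMPLE_RUN_ENTRIES` are constructed for the example and are not indicators from the IncognitoRAT sample; the list of user-writable locations is an assumption that a practitioner would tune to their environment.

```python
"""Hunt Windows Run-key values that launch a JAR at logon.

Added example; the registry values below are constructed, not real IOCs.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of what an export of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run might contain.
SAMPLE_RUN_ENTRIES: Dict[str, str] = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "SunJavaUpdateSched": r'"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"',
    # A legitimately installed Java tool: runs a JAR, but from Program Files.
    "CorpTool": r'"C:\Program Files\Acme\jre\bin\java.exe" -jar "C:\Program Files\Acme\tool.jar"',
    # Pattern from the write-up: javaw -jar <dropped dir>\Server.jar (path is made up).
    "JavaUpdater": r'"C:\Program Files\Java\jre6\bin\javaw.exe" -jar "C:\Users\victim\AppData\Roaming\.jupd\Server.jar"',
    # A bare .jar started through the file association.
    "Updater": r"C:\Users\victim\AppData\Local\Temp\JavaUpdater.jar",
}

JAVA_LAUNCHERS = {"java", "javaw", "java.exe", "javaw.exe"}

# Assumed set of locations an unprivileged user can write to. A JAR started
# from one of these at logon is far more likely to be a dropped component
# than an installed application; adjust for your estate.
USER_WRITABLE = re.compile(
    r"(^[a-z]:\\users\\|\\appdata\\|\\temp\\|\\programdata\\|"
    r"%(appdata|localappdata|temp|tmp|userprofile)%)"
)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole.
    (shlex is POSIX-oriented and mangles backslashes, so a small regex is used.)"""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def jar_from_cmdline(tokens: List[str]) -> Optional[Tuple[str, str]]:
    """Return (launcher, jar_path) if the command line runs a JAR, else None.

    Handles `java[w] -jar x.jar` and a bare `x.jar` run via file association."""
    if not tokens:
        return None
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in JAVA_LAUNCHERS:
        for i in range(1, len(tokens) - 1):
            if tokens[i].lower() == "-jar":
                return exe, tokens[i + 1]
        return None
    if exe.endswith(".jar"):
        return "(file association)", tokens[0]
    return None


def scan_run_entries(entries: Dict[str, str]) -> List[dict]:
    """Report every Run value that launches a JAR; mark it suspicious when the
    JAR lives in a user-writable location."""
    findings = []
    for name, cmdline in entries.items():
        hit = jar_from_cmdline(tokenize(cmdline))
        if hit is None:
            continue
        launcher, jar = hit
        reasons = []
        if USER_WRITABLE.search(jar.replace("/", "\\").lower()):
            reasons.append("JAR in user-writable location")
        if launcher in ("javaw", "javaw.exe"):
            reasons.append("javaw (no console window) used for a logon task")
        if launcher == "(file association)":
            reasons.append("JAR run directly via file association")
        findings.append({
            "value": name,
            "launcher": launcher,
            "jar": jar,
            "suspicious": "JAR in user-writable location" in reasons,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in scan_run_entries(SAMPLE_RUN_ENTRIES):
        tag = "SUSPICIOUS" if f["suspicious"] else "info"
        print(f"[{tag}] {f['value']}: {f['launcher']} -> {f['jar']} {f['reasons']}")
```

On a live host the dictionary would be filled from the HKCU and HKLM Run and RunOnce keys (for example with `winreg` or an exported .reg file); the `CorpTool` entry shows why the launcher alone is a weak signal and the JAR’s location is what separates an installed tool from a dropped one.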


McAfee and the Center for Strategic and International Studies (CSIS) today revealed the findings from a report that reflects the cost and impact of cyberattacks on critical infrastructure such as power grids, oil, gas and water. The survey of 200 IT security executives from critical electricity infrastructure enterprises in 14 countries found that 40 percent of executives believed that their industry’s vulnerability had increased. Nearly 30 percent believed their company was not prepared for a cyberattack and more than 40 percent expect a major cyberattack within the next year.

The report “In the Dark: Crucial Industries Confront Cyberattacks,” was commissioned by McAfee and produced by CSIS. “We found that the adoption of security measures in important civilian industries badly trailed the increase in threats over the last year,” said Stewart Baker, who led the study for CSIS. Industry executives made modest progress over the past year in securing their networks, as the energy sector increased its adoption of security technologies by only a single percentage point (51 percent), and oil and gas industries increased only by three percentage points (48 percent).

“Ninety to 95 percent of the people working on the smart grid are not concerned about security and only see it as a last box they have to check,” said Jim Woolsey, former United States Director of Central Intelligence.

The report is a follow-up to a report released in 2010 called “In the Crossfire: Critical Infrastructure in the Age of Cyberwar,” that found that many of the world’s critical infrastructures lacked protection of their computer networks, and revealed the staggering cost and impact of cyberattacks on these networks. The new study reveals that while the threat level to these infrastructures has accelerated, the response level has not, even after the majority of respondents frequently found malware designed to sabotage their systems (nearly 70 percent), and nearly half of respondents in the electric industry sector reported that they found Stuxnet on their systems. This threat to infrastructures also includes electrical smart grids, which are growing in adoption and expected to have exceeded $45 billion in global spending in 2015.

“What we are learning is the smart grid is not so smart,” said Dr. Phyllis Schneck, vice president and chief technology officer for public sector, McAfee. “In the past year, we’ve seen arguably one of the most sophisticated forms of malware in Stuxnet, which was specifically designed to sabotage IT systems of critical infrastructures. The fact is that most critical infrastructure systems are not designed with cybersecurity in mind, and organizations need to implement stronger network controls, to avoid being vulnerable to cyberattacks.”

Other key report findings from this year’s report include the following:

  • Cyberattacks still prevalent: Eighty percent of respondents have faced a large-scale denial of service attack (DDoS), and a quarter reported daily or weekly DDoS attacks and/or were victims of extortion through network attacks.
  • Extortion attempts were more frequent in the CIP sectors: One in four survey respondents have been victims of extortion through cyberattacks or threatened cyberattacks. The number of companies subject to extortion increased by 25 percent in the past year, and extortion cases were equally distributed among the different sectors of critical infrastructure. The countries of India and Mexico have a high rate of extortion attempts; 60 to 80 percent of executives surveyed in these countries reported extortion attempts.
  • Organizations failing to adopt effective security: Sophisticated security measures for offsite users remain in the minority, with only a quarter of those surveyed having deployed tools to monitor network activity, and only about 36 percent using tools to detect role anomalies.
  • Security conscious countries: Brazil, France and Mexico are lagging in their security measures, adopting only half as many security measures as leading countries China, Italy and Japan. Concurrently, China and Japan were also among the countries with the highest confidence levels in the ability of current laws to prevent or deter attacks in their countries.
  • U.S. and Europe falling behind Asia in government involvement: Respondents in China and Japan reported high levels of both formal and informal interaction with their government on security topics, while the U.S., Spain and U.K. indicated little to no contact.
  • Organizations fear government attacks: More than half of respondents say that they have already suffered from government attacks.

Against a backdrop of global threats such as Operation Aurora, Stuxnet and Night Dragon, enterprises need a way to protect their critical systems. To mitigate the risk that Advanced Persistent Threats (APTs) pose to SCADA systems, Siemens-Division Industry Automation has partnered with McAfee to offer the McAfee Application Control solution as a defense against such attacks.

“McAfee is pleased to partner with Siemens-Division Industry Automation to extend its whitelisting solution to help secure the world’s critical infrastructures,” said Stuart McClure, senior vice president and general manager of Risk and Compliance, McAfee. “By implementing McAfee Application Control, Siemens-Division Industry Automation customers can begin to gain control of all software on their endpoints and servers directly from the McAfee ePolicy Orchestrator platform. McAfee Application Control maintains the integrity of endpoints and servers, giving enterprises the foundational layer of security that is needed to prevent disruptive software, advanced persistent threats and zero-day malware attacks.”

Unlike simple whitelisting, McAfee Application Control uses a dynamic trust model, which eliminates the need for tedious manual updates to approved lists. As enterprises face an avalanche of unknown software arriving from the web and through unauthorized physical access, this centrally managed solution adds a timely control to the joint customers’ security strategy, attuned to the operational needs of enterprises.

“A solid security solution touches three domains: people, process and technology,” said Tino Hildebrand, Head of Marketing and Promotion Simatic HMI, Siemens-Division Industry Automation. “McAfee Application Control for Siemens-Division Industry Automation is a significant step towards increased security at the product layer.”

“At the start of a project you have to design security into the solution, you have to raise awareness of all people responsible for the project and later operating the site. In addition, you have to take care of standard operation procedures to cover all relevant aspects. The security architecture has to be built with several layers of defense. McAfee Application Control for Siemens-Division Industry Automation is the cornerstone of this security concept,” he continued.

McAfee has announced enhancements to its Network Security Platform. The latest release of McAfee Network Security Platform includes enhanced botnet control through reputation intelligence, virtual network inspection and a traffic analysis port for network monitoring, forensics and other advanced analysis engines.

In the most recent Gartner Magic Quadrant for Network IPS, Gartner states, “As vulnerability research has improved, the gap between vulnerability exploitation and IPS signatures to protect that vulnerability has closed.  Future protection improvements of significance will come from bringing intelligence into the IPS from external sources instead – points the IPS does not normally have visibility within.”

Real-time, reputation-based intelligence through McAfee Global Threat Intelligence provides McAfee Network Security Platform users with additional context for enforcing network security policies, not to mention faster, more accurate threat detection.

The latest release of McAfee Network Security Platform includes:

  • Enhanced botnet control: File and network connection reputation feeds from cloud-based McAfee Global Threat Intelligence allow Network Security Platform to perform in-line botnet prevention based on over 60 million malware samples and the reputation of hundreds of millions of network connections, derived from over two billion IP reputation queries each month. This external intelligence provides vital context for faster, more accurate detection and prevention.
  • Traffic analysis port: Traffic redirect capabilities allow arbitrary network traffic to be subjected to additional inspection by McAfee and third party products, including data loss prevention, network forensics and advanced malware analysis tools.
  • Virtual network inspection: Enables the Network Security Platform sensors to examine inter virtual machine traffic on virtual environments and provide attack detection for virtual data center environments.  Network Security Platform can inspect traffic both within virtual environments and between virtual and physical environments, giving organizations the same level of visibility regardless of where the traffic flows.

As enterprises consolidate data centers, adopt cloud services, and virtualize critical infrastructure, they need a way to unify security management across physical and virtual infrastructures. In partnership with Reflex Systems, a vendor of virtualization management solutions, McAfee brings its threat detection and security management to virtual environments.

“Virtualization is becoming a standard part of every enterprise data center infrastructure – be it in-house or in the cloud – and organizations are recognizing that they must extend enterprise-class security and management into the virtual environment,” said Preston Futrell, President and CEO of Reflex Systems.  “We are pleased to partner with McAfee to help customers seamlessly integrate virtualization security and management into their existing security infrastructure, systems and best-practices.”

Together, McAfee and Reflex Systems will offer integrated virtual and physical security and management that enables customers to holistically monitor and understand security issues, easily apply best practices, and provide comprehensive reporting for compliance purposes across the current and next generation data center infrastructure.

“When building out Savvis’ enterprise cloud offerings, it was imperative that we base our cloud architecture on a strong security foundation with the right tools to provide customers peace of mind as they begin leveraging new cloud technologies in the data center,” said Ken Owens, Savvis technical vice president for security and virtualization technologies. “Bringing together two best-of-breed solutions like Reflex and McAfee to meet the unique, dynamic security and management challenges in both the physical and virtual infrastructure will go a long way in helping accelerate the adoption of virtualization and cloud technology.”