News emerged on May 9 that a Russian hacker collective known as Fxmsp claimed to have breached three major U.S.-based antivirus companies. The hackers said they “worked tirelessly” for the first quarter of 2019 to obtain access to the companies’ internal networks, where they extracted sensitive antivirus source code, artificial intelligence models, web security software, and security plug-ins.
Screenshots from the dark web reveal that Fxmsp had offered the antivirus firms’ source code for sale for around $300,000. An FBI investigation is ongoing.
To better understand the ramifications of this news on Federal agencies and everyday end-users, MeriTalk sat down with Maitland Muse, Vice President of Global Channels and Alliances at AppGuard, a cybersecurity firm that specializes in zero trust endpoint protection.
So what was your immediate takeaway from this news?
It’s certainly alarming. Fxmsp accessed proprietary data from each of the affected antivirus vendors, exposing the weakness of their tools. What’s worse – by accessing their source code – these hackers can discover software vulnerabilities, exploit them, and literally use the antivirus tools as weapons. This certainly adds a level of urgency, and forces more attention to the issue of multi-layered protection.
How is this different from any other Russian hacking story or ransomware play? It seems like we hear about these all the time, but not so much what happens afterward.
Antivirus customers often underutilize AV tools that are at their disposal, and you often don’t hear about breaches until it’s far too late. Even if a vendor did fully utilize its full suite of tools, these hackers still presumably managed to dwell in the antivirus vendor ecosystems for months undetected. This casts even more doubt on the efficacy of those tools.
Further, these companies are installed everywhere – if the source code is compromised, so are the systems where they’re installed.
That’s probably lot of systems and endpoints under the government’s purview…
Yes, and so these breaches, if true, should raise alert levels for any agency or enterprise that relies on these products. Cybercriminals have gained backdoor access and will continue to target similar solutions. Everyone affected is going to have to rework their approach to providing security.
We think this ultimately could, and perhaps should, change how we deliver security solutions. In a world where antivirus vendors themselves are getting targeted, we can’t place “trust” solely in an antivirus solution. We can’t even trust privileged users. Applications and users are the weakest links in the chain. That’s why the zero trust market is emerging, and the name is fitting. Companies need to apply these principles towards protection.
So you’re advocating a change, but more often than not, the Federal market can be slow to adapt. You’re a relatively new entrant – what does it look like to you?
The status quo of the Federal market for the last ten years is irrefutable proof that a vastly different and more effective means of endpoint protection is needed. Entrenched industry players strongly resemble each other in how they work and how they have failed over the years.
There are new and agile players in the market. Agencies have purchased a lot of tools, some of them good ones, but sometimes those agencies have a hard time putting it all together in their specific environments. It’s also hard to cut through the noise when there are thousands of available tools out there.
What do you think of big cybersecurity initiatives like the CDM Program? Will that help put those pieces together?
CDM has been a helpful initiative to get better monitoring tools implemented. DHS has been very deliberate about the rollout of the program, and CDM DEFEND appears to be a more coordinated effort to achieve a real, threat-based approach to cybersecurity, rather than the traditionally reactive one.
The CDM Approved Product List is allowing those new and agile players I mentioned to enter the market, with new proofs-of-concept. The RFS process is also allowing Federal agencies to have a better say in the matter and not have to rely on one-size-fits-all deployments.
Do you think agencies are getting a better picture of the full cyber threat landscape?
There’s a lot at play here. Pure CDM is about many different detection mechanisms, generating alerts at different stages and perspectives of attacks. The new CDM Dashboard ecosystem, which was just announced, aims to bring all of these alerts and indicators together.
Being alerted to problems is generally good. The downside? This creates and worsens alert fatigue and IT/Sec-Ops personnel costs.
It’s definitely important to have the full picture. But what we are trying to do is reduce the number of problems that get into the frame in the first place. AppGuard works to block malware in real-time at the operating system kernel. This greatly reduces the number of alerts to be investigated and snuffs out attacks, long before other tools detect problems and produce those alerts. That means less work for your SOC, and more problems rooted out at the source. We integrate with both complex and simple cyber stacks, making us a strong component for any continuous monitoring strategy.
At our recent CISO Summit, former CIA CISO Bob Bigman said that if your SOC is getting expensive, it’s because it’s not “protecting” correctly.
So how do you recommend government agencies start to protect correctly?
We suggest that all agencies do live and comprehensive penetration testing. We’ve been helping to accelerate these efforts through two-day, on-site CISO summits.
Going back to what I said earlier, applications and users are the weakest link. Infected applications are betraying the end-user, and adversaries are using those apps to run various exploits. Too many cybersecurity tools rely on whitelist updates, or look for specific signatures indicative of ransomware and malware-related intrusions and breaches.
This is where zero trust comes into play. And AppGuard sits at the nexus of applications and users…the endpoint. Our patented approach assumes that any application or utility can go rogue at any moment. So instead, we block all malware at the kernel level of an endpoint’s operating system.
We’re focused on blocking those exploits before they can even be executed on a vulnerable application. That’s much more proactive than just hoping anti-exploit and patch management controls actually work when needed.
There’s not a lot of time to waste. Neal Conlon, our SVP of Sales, made an acute observation. As recently as last week, researchers discovered a new attack exploiting Linux servers, called HiddenWasp. None of the major antivirus companies were able to detect it.
Systems with AppGuard installed would have defeated this attack, and wouldn’t have needed a patch, an update, or a fix to do so. AppGuard prevents the event pre-exploit.
Maitland Muse is Vice President of Global Channels and Alliances at AppGuard. You can reach him at firstname.lastname@example.org if you’re interested in discussing this topic further.