Insights from the industry
Non-Microsoft Software Is Buggy Too

Are your systems updated with the most recent software patches? I don't mean Microsoft patches—after all the focus on Microsoft security exposures over the last several years, you probably have a plan in place for deploying Microsoft's monthly fixes. I'm talking about patches for your other software.

Marc Maiffret, cofounder and chief hacking officer at eEye Digital Security (http://www.eeye.com), says many IT pros are "completely oblivious" to any security problems in their non-Microsoft software. And the majority of patch-management software is targeted at fixing vulnerabilities in Microsoft software, which exposes companies to attacks on their machines' other software. "The easiest way to remotely compromise systems in the last two months was \[through\] vulnerabilities in Symantec corporate antivirus products and McAfee ePolicy Orchestrator,"-said Maiffret. "McAfee had actually fixed its vulnerability five months ago. But many customers didn't have the updated version."

Maiffret's research team works with software vendors to inform them about vulnerabilities eEye has found in their products. "Companies will fix a specific bug," he says, "but they're not interested in fixing the overall problem. And they downplay bugs as much as possible," employing tactics such as releasing the news about a new bug late in the day when the story is less likely to make a splash. The result is that customers won't learn about a problem unless they're on the lookout for news about the products they use.

Another indication that a software vendor isn't taking security problems seriously, says Maiffret, is when the company rolls security fixes into product updates that also deliver new features. " Customers look at an upgrade to Apple iTunes or an Adobe product, and it's a 30MB download. They don't think they need the new features, so they don't upgrade. They don't realize that they're missing out on security patches." This practice of combining features and fixes in an upgrade makes software-patch application much more difficult, if not impossible, for patch-management products. "Microsoft only got better because it got punched in the face every day. Other companies are still not taking vulnerabilities seriously ... But the more Microsoft does right, the more non-Microsoft vulnerabilities you'll see," says Maiffret.
- Renee Munshi

DataPreserve Truly Understands Its Customer

In the past, online remote-backup service providers might have seemed uninviting to small-to-midsized businesses (SMBs) because of the price or hassle of working with offsite vendors. DataPreserve (http://www.data preserve.com) aims to change this view. I talked to Doug Bruhnke, vice president of marketing, and learned that DataPreserve focuses extensively on SMBs and truly knows its customer.

"SMBs buy a certain way, typically from people they know and trust," says Bruhnke. "We've just launched nationally as a franchise and work with local IT professionals across a number of cities to give SMBs a local, trusted advisor." Whether you need to retrieve lost data or to meet at the local coffee shop to discuss backup needs, DataPreserve can accommodate you. DataPreserve provides its service for $14.95 for as much as 2GB of compressed data (roughly 4GB of uncompressed data).
- Blake Eno

Virtualization Technology for NAC

FireEye (http://www.fireeye.com) calls its Fire-Eye 4200 "effortless NAC." The FireEye 4200 introduces virtualization to Network Access Control (NAC). The solution stands apart from standard NAC technologies, which typically employ hit-and-miss posture checks and complex signature analysis. The FireEye 4200 uses a virtual "victim machine" as a sentinel through which all network traffic can be mirrored, monitored, tested, and, if necessary, quarantined. A two-step monitoring process ensures that the system wholly eliminates false positives and keeps false negatives to a minimum.

Network administrators can deal with attacks on the victim machine in three ways: Send the offending traffic to a quarantined virtual LAN for remediation, block switch ports to isolate infected machines, and implement granular filtering on individual ports to ensure that traffic continues flowing. Ashar Aziz, CEO and founder of FireEye, and Chad Harrington, vice president of marketing, liken the victim machine's protection to royal food testers of antiquity: "If the king's food was poisoned, the tester died. But the king lived."

Conventionally, NAC technology considers machine infection a situation to avoid. The FireEye 4200 redefines NAC protection by actively seeking infection and sacrificing the health of virtual machines for the sake of the production network's health.
- Sam Davenport