News & Events
Endeavor Drives Industry Adoption of FirstLight Signatures for UTM Appliances
NewswireToday - /newswire/ - Washington, DC, United States, 06/09/2008 - WatchGuard Technologies using Endeavor for IPS knowledgebase.
http://www.newswiretoday.com/news/35376/
Endeavor Security, Inc., a leader in intrusion detection and prevention technologies (IDS/IPS), today announced that WatchGuard Technologies, a global provider of network security solutions, is using Endeavor Security's FirstLight Signatures as the IPS knowledgebase for its award-winning integrated security appliances.
"Protection against intruders at the network gateway is a critical component to developing a highly secure network environment," said Tim Helming, director of product management, WatchGuard Technologies. "Because of this, WatchGuard selected Endeavor due to its superior IPS knowledgebase, which gives our customers the industry's best solution for keeping their networks safe."
"We are excited to be included in the WatchGuard family of products," said Chris Jordan, CEO of Endeavor Security. "The growth of the UTM market is a leading indicator of where the security market is headed. All customers want good security, and historically customers had to pay a lot to get a quality performing appliance."
The FirstLight Signature Service provides leading security device vendors and enterprise end-users with a timely, high-quality signature set that is constantly being updated, revised and extended. The FirstLight signature set comprises over 14,000 signatures covering a broad range of both emerging and established threats.
The FirstLight Signatures enable WatchGuard's integrated security appliances to catch policy violations (P2P, VoIP, etc.), web attacks (XSS, PHP, SQL) and other multiple, blended threats. WatchGuard can select the appropriate signatures for each customer based on the product installed and its application.
About Endeavor Security
Endeavor Security (endeavorsecurity.com) is the leading provider of signatures for use in Secure Web, UTM, IPS and Policy Gateway devices. Its FirstLight knowledgebase has over 14,000 signatures and supports more vendor devices than any other service. FirstLight uses a web-based XML SOAP service for delivery and constant updating. Endeavor uses a global honeygrid, patent-pending algorithms and technical analysts to produce over 500 signatures per month. The FirstLight Signatures are formatted for each vendor's engine to ensure maximum efficiency and capability. The FirstLight global honeygrid includes government and commercial entities.
DHS Project Delivers New Malware Capture Method
http://www.scmagazineus.com/DHS-project-delivers-new-malware-capture-method/article/105381/
Jim Carr
February 19, 2008
A project funded by the Department of Homeland Security (DHS) promises to give security researchers a new way to kill botnets and targeted malware attacks before they infect computers.
This week, Endeavor Security plans to launch its Active Malware Protection (AMP) technology, which it developed as part of the DHS's Small Business Innovation Research (SBIR) program, at a DHS-sponsored event. Endeavor delivers AMP as a software-as-a-service product.
AMP captures malware "on the wire," before it infects an enterprise's networked computers, and then relays it directly to anti-virus vendors, Christopher Jordan, CEO of Endeavor Security, told SCMagazineUS.com. This has two major benefits to vendors and end-users, he said.
First, it permits "us to see how the malware code has been modified," he said. "We can see the actual code as opposed to finding the file after it obfuscates itself."
Second, it allows the vendors to generate new anti-virus signatures as much as six days faster than is now possible, he said. And with 200,000 to 300,000 malware files generated annually, this can make a significant difference in protecting enterprise systems, he added.
Endeavor Security's AMP also allows anti-virus vendors to better prioritize malware protection, Jordan said. For example, it would allow an anti-virus developer to respond faster to malware discovered on a large financial services customer's network while delaying a fix for one on a small customer's PCs.
AMP will also target the command and control channel that directs the botnet and targeted attacks that occur after malware has taken over a PC, Jordan said. This is where Endeavor Security's work with the DHS comes in, he added.
"With botnets, the problem is twofold," Jordan said. "One, you want to stop the initial attack. Our phase one project with the DHS to capture malware allowed us to detect the network vector of the attack, so we can prevent the infection and work with the anti-virus vendors to get the malware off the desktop."
In phase two, Endeavor Security will reverse engineer the captured malware. This will allow Endeavor Security to find the botnets often associated with malware infections.
Also as part of the second phase, Endeavor Security will work to break the botnet's command and control structure, which allows the malware writer to control bots and initiate attacks, such as sending spam, Jordan said. Breaking the command and control structure may not free the infected PC of its virus, he admitted, but "if the botmaster can't control the bots, he doesn't have a botnet."
Once that step is taken, Jordan says that Endeavor Security will focus on capturing command-and-control traffic and creating signatures to prevent the botmaster from taking control of the bots inside networks. That will destroy the botnet.
Endeavor Security has another year left on its contract with the DHS to complete that project, Jordan said.
DHS Project Creates New Malware Capture Technique
New development stops obfuscated botnet and targeted attacks and cuts off their command and control
http://www.darkreading.com/document.asp?doc_id=146121&WT.svl=news1_1
FEBRUARY 14, 2008 | 4:45 PM
By Kelly Jackson Higgins
Senior Editor, Dark Reading
A Department of Homeland Security (DHS)-funded R&D program has yielded a new method of halting botnet and targeted malware attacks before they infect host machines.
Endeavor Security next week will unveil the new Active Malware Protection (AMP) technology, which was developed under the DHS's Small Business Innovation Research (SBIR) program, at a DHS-sponsored event for systems integrators showcasing DHS R&D efforts. Endeavor is also rolling out the technology as a software-as-a-service offering.
AMP captures malware on the wire as it enters an organization's network, and then sends it directly to antivirus vendors so they can more quickly generate new signatures for their products, says Christopher Jordan, CEO of Endeavor Security. "It's a brand-new capability of capturing malware," he says.
Most AV companies get malware samples from their customers in large volumes, and they typically receive the simpler and easier-to-detect malware, rather than the more sophisticated or obfuscated types, he says. AMP is aimed at intercepting unknown or tougher-to-detect malware.
AMP captures a "pristine" image of the malware and automatically shoots it to the AV software company. "Then they analyze it and write signatures, and push them to" their customers, he says. The new technology detects the preliminary traces of an attack, Jordan says, the "grabber hooks" or first wave of the malware that shows up.
The new approach also gives AV companies a way to prioritize malware protection. "They can't respond to all malware with signatures," so if they are notified that Malware X, for example, was found on a major financial institution's network, that would help them prioritize it, Jordan says.
AMP also goes after the command and control channel that directs botnet and targeted attacks. "We're reverse-engineering the unknown malware we capture, with the objective to remove information on the covert channels... That lets us find infected machines already on the network" as well as the C&C hosts, he says.
The sensor-based system captures malware -- such as a botnet or targeted attack -- by its movements, and then stops it before it gets onto any systems, Jordan says.
"The best way to attack this is to attack the command and control infrastructure and not just stop the attacks," he says. "You need to know how the botnet does its C&C." The technology does the same for a targeted attack, which typically relies on a C&C-run backdoor Trojan, he says.
Endeavor is currently running the technology along with its existing IDS/IPS signatures on its own decoy network. The company has been working with at least one AV vendor and is in discussions with others to interface with the SaaS offering, which is aimed at government agencies and large enterprises.
Among the other R&D projects that will be presented at the DHS showcase -- which will be held on Feb. 21 in Crystal City in Arlington, Va. -- are new secure USB flash drives with encryption and two-factor authentication; vulnerability analysis tools that simulate a network attack; software analysis tools; and tools that quickly write and test network signatures.
WatchGuard adding SSL VPN to Firebox
http://www.networkworld.com/news/2008/021108-watchguard-ssl-vpn-firebox.html
By Tim Greene, Network World, 02/11/08
WatchGuard is adding SSL VPN capabilities to its Firebox line of multi-function security devices, turning them into remote access gateways for devices that don't have IPSec clients.
The new feature is part of the 10.0 release of the operating system for its Firebox Edge, Peak and Core devices, which also includes VPN support for Windows Mobile devices. The software also supports Session Initiation Protocol (SIP) and H.323, the protocols needed to pass VoIP and videoconferencing traffic through the devices.
WatchGuard competes against other unified threat management (UTM) vendors including Astaro, Check Point, Cisco, Fortinet, Juniper and SonicWall.
The new WatchGuard software versions include spam blocking supplemented by a subscription service from Commtouch, which relies on sensors placed around the Internet to detect spam outbreaks and head them off.
If the WatchGuard software detects spam, it drops it. The software also proxies e-mail and sends a hash of each attachment to a Commtouch server, which determines whether the attachment is malicious; if so, the proxy strips it off.
With the new software release, WatchGuard has shifted from SNORT for intrusion prevention to IPS provided by Endeavor Security because its software screens using a larger set of malware signatures.
WatchGuard's software upgrade adds more categories to its URL blocking software, upping the number from 40 to 54 so that companies can block employees from reaching sites in more narrowly defined categories. This includes Secure-HTTP traffic. The URL database, which can be accessed from a WatchGuard Web server, can also now be stored locally on WatchGuard Firebox Edge security devices.
On the management side, WatchGuard has upgraded its reporting engine from a flat file structure to an SQL database that can be analyzed by third-party tools.