Windows XP End-of-Life: How USM and OTX can help avoid the security armageddon - Part 2

April 10, 2014 | Jim Hansen

This is the second of a two-part blog focused specifically on Windows XP end-of-life.

Recently, I sat down with our Director of Sales Engineering, Tom D’Aquino, to talk about the Windows XP End-of-Service that has everybody riled up. The end of service date should be no surprise. Microsoft has a pretty well-defined software lifecycle policy, and they make it very clear when products will reach the end of their lifecycle and no longer be supported. Windows XP has been in extended support now since about 2009 – almost 4 years – but on April 8th of this year, the product went into an unsupported state.

Today’s entry concentrates on how AlienVault’s Unified Security Management platform and the Open Threat Exchange can be used to help organizations address the new vulnerabilities they may be exposed to if they're continuing to run Windows XP-based systems. We also touched on the topic of the CIA – no, not the Central Intelligence Agency, but the CIA of security – Confidentiality, Integrity, and Availability.

JIM: How can organizations use AlienVault Open Threat Exchange to help them with the Windows XP situation?

TOM: The Open Threat Exchange is really a fantastic resource that we have built into the AlienVault product. It’s a crowd-sourced threat intelligence sharing initiative that allows us to get visibility on who the attackers are out on the Internet and allows you to really assess the security of your environment based on whether or not you have systems actively communicating with these attackers if they’re actually finding their way into your network. AlienVault can give you visibility into that activity just by, for example, looking at simple things like firewall communications logs.

AlienVault can actually take this a step further by correlating the log data with the built-in intrusion detection function in USM that has identified a potential attack on the network and the known reputation of the host on the Internet that’s associated with the attack. This allows us to assess with a relative degree of certainty that you’ve got an issue in the environment. So, the built-in USM intrusion detection system, the integrated Threat Intelligence feed which provides the coordinated ruleset and signatures for the IDS, and the Open Threat Exchange reputation data work together very effectively to help identify the threats that matter. We’ve also got the ability to open operating system logs that show us some interesting activity in certain cases. Authentications, for example, are login attempts.

At the end of the day, the biggest threat to the individual systems inside of your network – your workstations, your desktops, etc. – is really malware, having some kind of malicious code implanted in your systems through a web browser vulnerability, an Adobe Flash vulnerability, or through some kind of other product that you have installed on the system, maybe even a vulnerability in the operating system itself. Regardless of how malware gets in, once it’s in place and rooting around the network and up to no good, it’s typically either interacting with a command and control server that’s telling it what to do while it’s in the network, or it’s at the very least scraping information from inside the network and then sending it back out to some node on the Internet that has probably some known bad reputation associated with it.

We have a lot of visibility on the assets that are interacting in this manner. Our AlienVault Labs team processes 500,000 or more malware samples every day and actually sift through literally hundreds of thousands of IP addresses per day that are being reported to us in order to make sure that we’re on top of the latest known threats. Any time some malware starts working in the environment, in order to be effective, it’s got to go out and send its treasure chest of information back out to this bad host on the Internet, right? Well, we’re going to see that interaction, we’re going to see the communications on the network, we’re going to flag that IP address and we’re probably also going to be able to flag the actual network communications as being some known type of malware.

Everybody understands that antivirus is not going to be effective at detecting 100% of the malware that can find its way into an endpoint. It’s probably something more like 60% on a good day. And the reason for that is the detection mechanism or the detection technique for malware within antivirus software is pretty rudimentary. In order to scan an entire file system looking for specific code, you’ve got to be efficient in your scanning approach, which, in this case, unfortunately, translates to ineffective.

With the AlienVault USM platform, when we’re watching the network, looking for network communications, rather than scanning for file types or file hashes and things of that nature, we’re actually looking at the communication. We’re trying to figure out, “what does this malware do in its packets that are being sent across the network that we can use to fingerprint it?” At some point, as a malware author, you start to lose the ability to obscure your traffic, or to hide your traffic from the monitors that are watching the network. That’s where we can use the malware author’s tactics against them and be very effective at detecting their activity, as opposed to just trying to look for file hashes like an antivirus does.

JIM: One of the key information security principles that every organization considers when building an information security program is the CIA triad – confidentiality, integrity, and availability. Systems that are running critical applications on Windows XP may require a high degree of availability. Or, they may store sensitive information and therefore must have a high degree of confidentiality. Regardless of how you look at the triad, there is a balancing act that has to take place to ensure that systems stay available, maintain confidentiality, and integrity. When you look at it from this perspective, what do you think that organizations are going to end up with if they’re not thinking about each leg of that security stool?

TOM: That’s the million-dollar question. I mean, as security practitioners, that’s what we’re trying to do every day – walk that tightrope of figuring out, “How do I make the services of my network available in a way that helps people solve business problems, but also do it in a way that’s secure and keeping the bad guys out?” It really does come down to situations like this, where we have to make a decision. In the case of XP, “we’ve got an operating system that’s going to put us at an unnecessary level of risk if we keep it operational in our environment, but we’re wedded to that operating system, and we just can’t, for whatever reason, move away from it.”

So that’s where that tightrope gets really thin. Now we’re walking on dental floss. At the risk of sounding like a broken record, it just comes down to awareness, visibility, and detection. With vulnerability assessment, at the very least, you know that you’ve got these problematic systems in place and where you’ve got the risk. Being able to correlate against vulnerability data and some other information like an intrusion detection alert indicating that an attack occurred on a particular XP system is valuable. Having those two things work together to provide you visibility so that you know, hopefully almost instantly, that an attack has taken place that puts your organization at risk gives you the visibility and awareness to be able to do something about it.

Shut that system down, take the proper precautions, see that your incident response policy gets carried out and you mitigate the risk at that moment.

JIM: Thanks for your perspectives on this, Tom, and thanks for the great discussion.

TOM: It was my pleasure, Jim. Thank you.

* * * * *

Even if you’re not in a position to purchase USM to deal with this, our open source SIEM, OSSIM, and free trial USM product can help in the weeks immediately following XP end-of-life. There are free OTX services that can help as well.

Join us for the webinar “Cover your Assets: How to Limit the Risk of Attack on your XP Assets” to learn more about handling Windows XP end-of-life in your organization.

Jim Hansen

About the Author: Jim Hansen

Read more posts from Jim Hansen ›



Get the latest security news in your inbox.

Subscribe via Email

Watch a Demo ›
Get Price Free Trial