You are now no doubt aware that Boston-based security firm Bit9 suffered an alarming compromise, which resulted in attackers gaining access to code-signing certificates that were then used to sign malicious software. See Brian Krebs’s article for more details. (Symantec breathes a quiet sigh of relief to see a different security vendor in the headlines.)

The embarrassing breach comes at a time when the company has been seen as one of the security vendor landscape’s rising stars. Bit9 has actually been around for more than a decade, but the rise of targeted attacks and advanced malware has resulted in significant interest in Bit9’s technology. In late July, Bit9 secured $34.5 million in funding from Sequoia Capital. Bit9’s future was bright. 

On Friday afternoon, Bit9 CEO Patrick Morley published a blog post providing some initial details on the breach. A few of his comments stood out: “Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network … We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9.”

Bit9 didn’t provide details on the operational oversight, but it certainly was the result of failed process, failed oversight, or both. A critical configuration management process didn’t exist, or wasn’t executed. An audit function to ensure compliance with security standards wasn’t in place or had not yet occurred.

The discouraging fact is that Bit9’s “operational oversight” is an operational reality for most companies. Ensuring ongoing compliance with security standards requires a significant investment in time and resources. Best practices are best efforts. When compared to most large enterprises, Bit9 is small, with significantly less complex operational challenges. The larger and more distributed the organization, the more challenging compliance becomes. If Bit9 could not avoid operational oversights, can you?  

What's this mean for you? 

  • It isn’t about technology. The latest and greatest technology to combat <insert threat> sure is exciting. Let’s not forget that people, process, and oversight are what make technology implementations successful. If technology overshadows them, then you are doomed to failure.   
  • Be pragmatic; you cannot protect everything. 100% compliance with security baselines is pure fantasy. Best practices are best efforts. Even if you have all the updates on your machines, it takes just one zero day in Java/Adobe Reader/Adobe Flash for complete p0wnage. Instead, ensure that your most critical assets are hardened and audited. This subset will be much more operationally manageable. Do you know all your critical assets? What are your high-value targets?
  • What is going on in your virtual environment?  Bit9’s CEO specifically mentioned virtual machines in his blog posting. I find this to be very interesting and frequently overlooked by enterprises. You must have visibility into your virtual assets and infrastructure. Refer to last year’s CISO’s Guide To Virtualization Security for more information.
  • Network Analysis and Visibility (NAV) is critical. I am not sure how the malicious software was initially detected, but anomalous network activity could have been the source. When our endpoint security controls fail, we have to rely on the network. Having visibility (and not just at the perimeter) remains one of the most needed capabilities within enterprises. Refer to Pull Your Head Out Of The Sand And Put It On A Swivel for more information. Just keep in mind that the next attack could be against your NAV vendor.

What’s this mean for Bit9? Time will tell. RSA certainly had dark days after the SecurID incident and lost business to competitors, and Bit9 will initially share a similar fate. Communication with customers and the greater security community is obviously critical. Rebuilding the brand will take time, particularly when you read Bit9 blog posts that espouse why you should opt for a "trust-based solution" that can actually stop "today's and tomorrow's advanced threats." Unfortunately for Bit9, that blog was posted the same day the breach was announced.