It's Your Move: The Changing Game of Endpoint Security



It’s time to refine enterprise security strategies at your organization. While we were installing firewalls, antivirus suites, and other technologies that block known threats, the bad guys were out rewriting the rulebook. Don't let cybercriminals stay one step ahead and put you in “checkmate.”

In this information-packed presentation, you'll learn:

* How our opponents have changed the IT security rules

* What role your employees play in this “game”

* Key moves IT security professionals can make to regain control of endpoints

* How one organization has implemented a proactive security approach successfully

  • © Copyright 2008 - Lumension Security
  • Defense in Depth Strategy:
      • Address the core IT risk with Patch & Configuration Management
      • Stop unwanted / untrusted change with Application Control
      • Protect against insider risk with Device Control
      • Deploy a broad defensive perimeter with AntiVirus
      • Reduce endpoint complexity with an Endpoint Management and Security Suite
  • Most overflows result in a system crash. Occasionally, a vulnerability is discovered that allows the “overflowed” code to be executed, and that execution typically escapes any established security controls. Because buffers are small and these attacks are difficult, many overflow attacks will try to download a more substantial payload.
  • Application control or whitelisting provides a new layer in the foundation for endpoint protection. Whitelisting is about identifying the known good and, by default, not letting anything other than what’s on the whitelist execute. Simply put, any executable – whether a business application, a video driver, or a web browser plug-in – not specified on the whitelist cannot load and run. It’s the most effective security layer because it prevents execution at the kernel level.
  • On top of defense-in-depth, it is time to shift from a threat-centric approach to one based on trust.
  • Trust Engine
      • Challenge: Organizations need an automated method by which to determine whether or not to allow changes to the code running on their network assets, particularly the endpoints, in order to make the promise of application whitelisting operationally feasible. Without this, changes to the whitelist had to be made manually and oftentimes without any basis. The challenge is to implement a process by which changes can be automatically vetted and installed on network assets.
      • Feature: LEMSS:AC allows any number of trust policies to be created and implemented, automating the process of assessing the security and desirability of changes to programs running on network assets. These trust mechanisms allow for automated or user-driven changes to the “known good” whitelist required in dynamic environments such as desktops and laptops, without completely surrendering control over these changes. The trust mechanisms are: Trusted Publisher, Trusted Updater, Trusted Path, and Local Authorization.
      • Benefit: This permits the organization to obtain the higher level of security against malware and other undesirable programs that a whitelisting / “default deny” approach provides, without the additional administrative burden sometimes associated with it.
      • Some specific examples of how the Trust Engine might help operationalize whitelisting in a real IT network with dynamic environments such as desktops or laptops:
          • Trusted Publisher (i.e., from a known good vendor with a signed certificate) – the organization may have whitelisted a specific Microsoft Operating System (OS) and applications (e.g., Word, Excel and PowerPoint) but finds that some users want to add certain OS capabilities (such as additional drivers) or applications (such as Visio) from Microsoft. By implementing a policy which permits changes to the whitelist when those changes are accompanied by a valid, signed certificate from Microsoft, these changes can be made “on the fly” by the end user without additional work for the system administrators.
          • Trusted Updater (i.e., from a known good process which updates existing software) – the organization may be using an automated patching solution (such as Lumension Patch and Remediation) or have certain continuously updated programs (such as WebEx) on their whitelist. Here again, by implementing a policy which permits changes to the whitelist when those changes are made by these specific programs, the changes can be made automatically without adding to the administrative burden.
          • Trusted Path (i.e., from a known good location, generally inside the network) – it is not uncommon for IT administrators to create a library of known good applications which is used when installing or updating an endpoint; organizations might want to restrict all endpoint changes to only those which come from this “source repository.” By creating and using a trusted path policy (and carefully controlling access to this “source repository”), the whitelist can be updated as changes are made in the library of known good applications.
          • Local Authorization (i.e., allow specific users to self-authorize applications) – in some cases, an organization might allow specific users, be they administrators or even end users, to augment the whitelist of known good applications on their own say-so; for instance, perhaps a “well known” salesperson is on a customer call and needs to update her machine so that her presentation works on the customer’s equipment. This trust mechanism provides a way to permit these ad hoc changes while providing the traceability and control needed to ensure that, should they prove unwise, they can be reversed.
  • Vulnerabilities affecting a typical end-user PC almost doubled from 2007 to 2009, from 220 to 420, and the number is expected to double again in 2010 (Secunia Half Year Report 2010). A PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 third-party programs installed than in the 26 Microsoft programs installed; this ratio is expected to increase to 4.4 in 2010 (Secunia Half Year Report 2010).
      • Discover: Gain complete visibility of all IT assets, both managed and unmanaged.
      • Assess: Perform a deep analysis and thorough OS, application and security configuration vulnerability assessments.
      • Prioritize: Focus on your most critical security risks first.
      • Remediate: Automatically deploy patches to an entire network per defined policy, supporting all OSes and applications.
      • Report: Provide operational and management reports that consolidate discovery, assessment and remediation information on a single management console.
  • Using Lumension Device Control, you can mitigate these insider risks by:
      • Enforcing a device and media access policy on your endpoints which won’t impede the productivity of the business
      • Enforcing a data encryption policy for removable storage devices and media, to protect that valuable data when it is copied off of your endpoints
      • Monitoring what’s happening in your environment: you can manage and report on all endpoint activity in your organization
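Added example (not Lumension's code and not from the deck): a small default-deny evaluator that combines the four Trust Engine mechanisms described in the notes above and on slide 19, learns sanctioned changes into the whitelist, and keeps an audit trail so a local authorization can be reversed. It assumes code-signature verification has already happened upstream and yields the publisher name; all hashes, paths, process and account names are constructed samples.

```python
"""Toy default-deny trust engine (added illustration, not Lumension code).
Models the four trust mechanisms from the notes above / slide 19. Signature
verification is assumed done upstream: `publisher` is the verified signer
name or None. All hashes, paths and names used are constructed samples."""
from __future__ import annotations
import posixpath
from dataclasses import dataclass, field

@dataclass
class ExecRequest:
    path: str              # where the binary lives on the endpoint
    sha256: str            # hash of the file contents
    publisher: str | None  # verified code-signing publisher, None if unsigned
    parent: str            # process that wrote / launched the binary
    user: str              # account asking to run it

@dataclass
class TrustPolicy:
    allowlist: set[str]                   # known-good hashes ("the whitelist")
    trusted_publishers: set[str] = field(default_factory=set)
    trusted_updaters: set[str] = field(default_factory=set)
    trusted_paths: tuple[str, ...] = ()   # e.g. the internal source repository
    local_authorizers: set[str] = field(default_factory=set)

def under_trusted_path(path: str, root: str) -> bool:
    """True if path lies inside root once '..' segments are normalised."""
    norm = posixpath.normpath(path)
    return norm == root or norm.startswith(root.rstrip("/") + "/")

def evaluate(req: ExecRequest, policy: TrustPolicy, audit: list[dict]) -> str:
    """Return 'ALLOW' or 'DENY'. Unvouched code is denied; code admitted by a
    trust rule is learned into the allowlist, with the reason kept for audit."""
    if req.sha256 in policy.allowlist:
        reason = "allowlist"
    elif req.publisher is not None and req.publisher in policy.trusted_publishers:
        reason = "trusted_publisher"
    elif req.parent in policy.trusted_updaters:
        reason = "trusted_updater"
    elif any(under_trusted_path(req.path, r) for r in policy.trusted_paths):
        reason = "trusted_path"
    elif req.user in policy.local_authorizers:
        reason = "local_authorization"  # allowed, but traceable and reversible
    else:
        audit.append({"sha256": req.sha256, "user": req.user,
                      "decision": "DENY", "reason": "default_deny"})
        return "DENY"
    policy.allowlist.add(req.sha256)
    audit.append({"sha256": req.sha256, "user": req.user,
                  "decision": "ALLOW", "reason": reason})
    return "ALLOW"

def revoke(sha256: str, policy: TrustPolicy, audit: list[dict]) -> None:
    """Reverse an earlier addition (the 'should they prove unwise' case)."""
    policy.allowlist.discard(sha256)
    audit.append({"sha256": sha256, "decision": "REVOKE", "reason": "manual"})
```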

    1. It’s Your Move: The Changing Game of Endpoint Security
    2. Today’s Speakers
       * Paul Henry, Security & Forensics Analyst (MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI, CCE)
       * Paul Zimski, VP of Solution Strategy, Lumension
       * Doug Walls, CIO, EMSolutions
       * Jason Brown, Network Engineer, EMSolutions
    3. Today’s Agenda
       * How the “Bad Guys” Changed the Rules
       * Key Moves We Can Make to Regain Control
       * Real World IT Security Experience
       * Q&A
    4. How the “Bad Guys” Have Changed the Rules
    5. Current Day Recipe For Disaster
       * Perform steps 1 to 5 below:
           * Bait an End User with Spear Phishing
           * Exploit a Vulnerability
           * Download a Back Door
           * Establish a Back Channel
           * Explore and Steal
       * Select another victim.
       * Repeat.
    6. Advanced Persistent Threats
       * Highly skilled Cyber Armies unleashing new Advanced Malware… While many of these attacks are well organized, they have simply taken advantage of the same old mistakes we’ve been making for years.
    7. Our Flaw Remediation Is Missing The Target
       * Since 2009 the most hacked software has been 3rd party apps and browser add-ons like Adobe and QuickTime.
       * Yet we still focus our attention today on patching Microsoft OS/Applications.
       * The bad guys know it… and are taking full advantage.
    8. Traditional AV Can No Longer Keep Up
       * More than 73,000 new malware instances every day.
       * Obfuscation has effectively rendered traditional signature-based defenses useless.
       * Polymorphic malware that alters its signature with each infection has become commonplace.
       * Our defenses must evolve!
    9. What Did We Expect Was Going To Happen?
       * We are using the same defenses that failed us for the last decade…
           * Focused on the gateway - and we have neglected our endpoints.
           * Focused on blocking the delivery of malware - not preventing its execution.
       * Unless we make a definitive change in our defenses, we can expect the same results…
    10. Next Generation Malware Has Arrived
       * Flux is a new Trojan spreading covertly through the internet.
       * Instead of the infected machine waiting for a connection to be made from outside, the infected machine makes the connection itself.
       * Introduces a new technique of code injection: Flux writes code directly into a host process and executes it there.
       * Circumvents several desktop firewalls and makes it nearly invisible to current anti-malware software.
    11. If a “bad guy” can…
       * Persuade you to run his program on your computer…
       * Alter the operating system on your computer…
       * Gain unrestricted physical access to your computer…
       * Upload programs to your website…
       * Crack your passwords…
       … it’s not your computer, website or data anymore.
    12. At the End of the Day…
       * It doesn’t matter what attack vector is used…
       * the “bad guys” are trying to install and run code on your machines to gain unauthorized control!
    13. Key Moves We Can Make Against the “Bad Guys” to Regain Control
    14. Key Moves You Can Make
       * Implement Defense-in-Depth Endpoint Security
       * Shift from Threat-Centric to Trust-Based Security
       * Focus on the Operational Basics
       * Manage Those Devices
    15. Strategy 1: Implement Defense-in-Depth
       * Traditional Endpoint Security: Blacklisting As The Core
       * Defense-in-Depth: Patch & Configuration Mgmt.
       * Risks shown: Zero Day, 3rd Party Application Risk, Malware As a Service, Volume of Malware
    16. Strategy 2: Stop Malware Payloads
       * Antivirus will provide some protection against known payloads, and remains a good layer for known malware detection and removal.
       * However, as attack sophistication and targeting increase, antivirus becomes less effective as a primary defense.
       * Application control is a much better defense to stop unknown payloads from installing.
    17. What is Application Whitelisting?
       * Applications
           * Authorized: Operating Systems, Business Software
           * Unauthorized: Games, iTunes, Shareware, Unlicensed S/W
       * Malware
           * Known: Viruses, Worms, Trojans
           * Unknown: Viruses, Worms, Trojans, Keyloggers, Spyware
       * Un-Trusted: everything that is not Authorized
    18. Trust-Based Security
    19. Flexible Trust
       * Trusted Publisher: Authorizes applications based on the vendor that “published” them, through the digital signing certificate.
       * Trusted Updater: Authorizes select systems management solutions to “update” software, patches and custom remediations, while automatically adding them to the whitelist.
       * Trusted Path: Authorizes applications to run based on their location.
       * Local Authorization: Allows end-users to locally authorize applications which have not been otherwise trusted by the whitelist or any other trust rules.
    20. Strategy 3: Focus on the Operational Basics (Assess, Prioritize, Remediate, Repeat)
       * Identify all IT assets (including platforms, operating systems, applications, network services)
       * Monitor external sources for vulnerabilities, threats and intelligence regarding remediation
       * Scan all IT assets on a regular schedule for vulnerabilities, patches and configurations
       * Maintain an inventory of IT assets
       * Maintain a database of remediation intelligence
       * Prioritize the order of remediation as a function of risk, compliance, audit and business value
       * Model / stage / test remediation before deployment
       * Deploy remediation (automated, or manually)
       * Train administrators and end-users in vulnerability management best practices
       * Scan to verify success of previous remediation
       * Report for audit and compliance
       * Continue to assess, prioritize and remediate
       Source: Aberdeen Group, Managing Vulnerabilities and Threats (No, Anti-Virus is Not Enough), December 2010
    21. Rethink Your Patch Strategy
       * The top security priority is “patching client-side software” [1]
           * Streamline patch management and reporting across OS’s AND applications
       * Patch and defend is not just a Microsoft issue
           * More than 2/3 of today’s vulnerabilities come from non-Microsoft applications
       Source: [1] SANS Institute
    22. Stop Unwanted Applications
       * Immediate and simple risk mitigation
       * Denied Application Policy prevents unwanted applications even if they are already installed
       * Easily remove unwanted applications
    23. Reduce Local Administrator Risk
       * Limit Local Admin Usage
       * Monitor and Control existing Local Admins
    24. Strategy 4: Manage those Devices
    25. Real World IT Security Experience
    26. EMSolutions
       * Headquartered in Arlington, VA
           * Established in May 2000
           * Four Satellite Offices
       * Systems Engineering, Information Technology and Information Assurance, Science and Advanced Technology Solutions, and Modeling and Simulation for Government Organizations
    27. IT Security Challenges
       * Control use of removable devices on customer network
           * Monitor and control data entering and leaving network
           * Audit any and all use of peripherals and media introduced to the network
       * Protect dedicated infrastructure that supports unclassified and corporate work
           * Ensure constant uptime of hot desks
           * Limit risk from local admin users
           * Prevent execution of unwanted and malicious apps
           * Current AV solution was not effective in preventing the issues
    28. Addressing the Challenge
       * Implemented Lumension® Endpoint Management and Security Suite (L.E.M.S.S.)
           * Easy process to install, set up and maintain the application whitelist with all currently used corporate OSes and software
           * Shifted from another antivirus provider to the AV module within L.E.M.S.S.
       * Educated users about potential external threats and internal problems that could arise from lack of precaution
    29. Results
       * Improved Security
           * Eliminated malware outbreaks
           * More robust patch management
       * Improved User Productivity
           * Optimized performance of end user PCs
           * Reduced IT help desk calls/complaints from users regarding malware-related PC issues
       * Improved IT Productivity
           * Visibility into endpoints, apps and configurations
           * Minimized time required for endpoint maintenance and user education
           * Reduced admin burden by managing one solution
    30. Q&A
    31. Global Headquarters
       * 8660 East Hartford Drive, Suite 300, Scottsdale, AZ 85255
       * 1.888.725.7828
       * [email_address]