The Role of Application Control in a Zero-Day Reality

With end users often downloading unwanted and unknown applications, more than 1.6 million new malware signatures appearing every month and a rising tide of zero-day attacks, there is more risk to your systems and information than ever before.
Find out:

* How to defend against zero-day threats - without waiting for the latest anti-virus signatures
* Why application control / whitelisting should be a central component of your security program
* How application control has evolved to enforce effective security in dynamic environments

Presentation Transcript

  • The Role of Application Control in a Zero-Day Reality
  • Today’s Speakers
    • Paul Zimski, VP of Solution Strategy, Lumension
    • Richard Stiennon, Chief Research Analyst, IT-Harvest
  • Today’s Agenda
    • Evolution of Game Changing Threats
    • Securing Endpoints from Zero-Day Attacks
    • Q&A
  • Game Changers: Targeting, Custom Trojans and Zero-Day Malware
  • Threat hierarchy is a time line!
    • Information Warfare
    • CyberCrime
    • Hactivism
    • Vandalism
    • Experimentation
  • Custom Trojans, tools of the trade: Michael Haephrati shows us how.
  • China knows Trojans
    • In the UK, the Home Office has warned about a spate of attacks in recent months involving e-mail Trojans. "We have never seen anything like this in terms of the industrial scale of this series of attacks," said Roger Cumming, director of NISCC
  • Shawn Carpenter uncovers Titan Rain
    • From Z-machine mechanic to IDS analyst
    • Fort Dix attack
    • Sandia
  • Ghost Net
    • 1,200 computers including ministry and NATO machines
    • Looking for attribution
    • Attacks on the office of the Dalai Lama
    • A special purpose botnet
  • Joint Strike Fighter
  • Project Aurora
    • Social networks used as vectors to target Google employees
    • Zero-day vulnerability in IE
    • Result
    • Loss of customer data
    • Loss of source code
  • Cyber Sabotage: Stuxnet
    • Diagram: Step 7 software → rootkit DLL (s7otbxdx.dll) → original DLL (s7otbxsx.dll) → Programmable Logic Controller; new data blocks added
  • Other advanced features of Stuxnet
    • Stolen digital certificates!
    • Multiple zero-day vulnerabilities
    • Command and control for morphing
  • What do control systems control?
  • What to do?
    • Allow only that which is good. Deny all else.
    • Vet and test all new apps.
    • Use intelligence to determine reputation of applications.
    • Monitor behavior.
    • Stay sane.
  • Blog: email: [email_address] Twitter:
  • Securing Endpoints from Zero-Day Attacks
  • A Perfect Storm At The Endpoint
    • Increasing sophistication & attack targeting
    • Rising 3rd party application risk & zero-day vulnerabilities
    • Ineffectiveness of AntiVirus as a stand-alone defense
  • Attack Types, Targets and End Goals
    • Network-based
      • Attack originates from the network (Internet, LAN, WAN) and actively attacks a listening service on the endpoint.
      • Target: Listening Services
      • Examples: Webservers, Databases, RDP (remote desktop, file sharing, registry)
      • End Goal: Install payload, Elevate privilege, Establish beach-head
    • Client-side
      • End-user is working with a “client application” and opening code that was downloaded from the network.
      • Target: Client Applications
      • Examples: Browsers, email, documents, movies, flash
      • End Goal: Install payload, Elevate privilege, Retrieve data, Establish beach-head
    • Physical Access
      • Attacker has physical access to the target machine and can mount drives, hardware, insert disks.
      • Target: Local Machine Hardware
      • Examples: Drives, USB devices, NICs
      • End Goal: Install payload, Elevate privilege, Establish beach-head
  • Malware infections are symptoms of change control failure
    • Fundamental Breakdown in Change Control: Test & Approve Change → Implement Change → Monitor & Lockdown Change
  • Build a Solid Foundation
    • Patch & Configuration Management
    • Application Control
    • Enable OS Memory Protection
    • AntiVirus
  • Malware is Malware – Payloads are Payloads
    • Rootkits | Remote Access Trojan | Bots | Keyloggers | Sniffers | Adware | Spyware | Crimeware | Worms | Virus | Logic Bombs
    • In the eyes of Application Control these are all the same
  • Preventing Malware 1) Eliminate your Vulnerabilities
    • Most attacks rely on known vulnerabilities
    • Patching the vulnerability eliminates the attack vector
    • Patching endpoints remains a first and best line of defense!
  • Stopping a Malware Payload 2) Stop the Payload
    • Antivirus will provide some protection against known payloads, and remains a good layer for known malware detection and removal
    • However, as attack sophistication and targeting increase, antivirus becomes less effective as a primary defense
    • Application control is a much better defense to stop unknown payloads from installing
  • AV Vendors Recognize the Limitation
    • “You can’t just rely on antivirus software – and we’re an antivirus company... Antivirus, firewalls and intrusion detection are a start. But ‘white listing’ offers a stronger defense... McAfee believes that’s where the future is going.” (George Kurtz, Worldwide Chief Technology Officer, McAfee)
    • “Looking at the sheer volume of infected systems in the world, one thing is resoundingly clear: basic security protection is not good enough.” (Rowan Trollope, Senior Vice President, Symantec)
  • What is Application Whitelisting?
    • Applications
      • Authorized: Operating Systems, Business Software
      • Unauthorized: Games, iTunes, Shareware, Unlicensed S/W
    • Malware
      • Known: Viruses, Worms, Trojans
      • Unknown: Viruses, Worms, Trojans, Keyloggers, Spyware
  • Flexible Trust
    • Trusted Publisher: authorizes applications based on the vendor that “published” them, through the digital signing certificate.
    • Trusted Updater: authorizes select systems management solutions to “update” software, patches and custom remediations, while automatically adding the results to the whitelist.
    • Trusted Path: authorizes applications to run based on their location.
    • Local Authorization: allows end-users to locally authorize applications which have not otherwise been trusted by the whitelist or any other trust rules.
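The "allow only that which is good, deny all else" rule from the What to do? slide and the four Flexible Trust rules above can be put together as a small default-deny evaluator. The following is an added example written for this transcript, not Lumension's product logic: the hash whitelist, the publisher and updater names, the trusted path and the user names are all constructed, and the `written_by` field stands in for a file-write audit source a real agent would have.

```python
"""Default-deny application control evaluator.

Added illustration, not Lumension's product logic: it models the "Flexible
Trust" rules from the slides (Trusted Publisher, Trusted Updater, Trusted
Path, Local Authorization) on top of a hash whitelist, and denies anything
no rule admits. File contents, signer names and process names are
constructed sample values; a real agent would take them from the file
system, Authenticode verification and a file-write audit trail.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional


@dataclass
class Executable:
    path: str
    content: bytes
    publisher: Optional[str] = None   # subject of a *verified* signing cert, None if unsigned
    written_by: Optional[str] = None  # process that wrote the file (hypothetical audit source)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    hash_whitelist: set = field(default_factory=set)
    trusted_publishers: set = field(default_factory=set)
    trusted_updaters: set = field(default_factory=set)
    trusted_paths: tuple = ()
    local_auth_users: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)


def _parts(path: str) -> tuple:
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def under_trusted_path(path: str, trusted_paths) -> bool:
    """Prefix match on normalised path components. Paths containing '..' are
    rejected outright so a file elsewhere cannot borrow a trusted prefix."""
    parts = _parts(path)
    if ".." in parts:
        return False
    return any(parts[:len(_parts(root))] == _parts(root) for root in trusted_paths)


def evaluate(exe: Executable, policy: Policy, user: Optional[str] = None,
             user_approves: bool = False) -> tuple:
    """Return (allowed, reason). Rules are tried in order; the fall-through is deny."""
    if exe.sha256 in policy.hash_whitelist:
        return True, "hash on whitelist"
    if exe.publisher and exe.publisher in policy.trusted_publishers:
        return True, "trusted publisher: " + exe.publisher
    if exe.written_by and exe.written_by in policy.trusted_updaters:
        # Trusted Updater: a file dropped by an approved management tool is
        # admitted and its hash learned, so later runs match the first rule
        # even after the updater process is gone.
        policy.hash_whitelist.add(exe.sha256)
        policy.audit_log.append("learned %s from updater %s" % (exe.sha256[:12], exe.written_by))
        return True, "trusted updater: " + exe.written_by
    if under_trusted_path(exe.path, policy.trusted_paths):
        return True, "trusted path"
    if user_approves and user in policy.local_auth_users:
        # Local Authorization: only listed users may vouch, and the decision
        # is recorded so it can be reviewed rather than silently absorbed.
        policy.hash_whitelist.add(exe.sha256)
        policy.audit_log.append("%s locally authorized %s (%s)" % (user, exe.path, exe.sha256[:12]))
        return True, "locally authorized by " + user
    return False, "default deny: unknown application"


def demo_policy() -> Policy:
    return Policy(trusted_publishers={"Microsoft Corporation"},
                  trusted_updaters={"patch_agent.exe"},
                  trusted_paths=(r"C:\Program Files",),
                  local_auth_users={"alice"})


def demo() -> list:
    """Decisions for a handful of constructed executables, in order."""
    policy = demo_policy()
    cases = [
        Executable(r"C:\Windows\notepad.exe", b"notepad", publisher="Microsoft Corporation"),
        Executable(r"C:\Program Files\Vendor\tool.exe", b"tool"),
        Executable(r"C:\Windows\Temp\hotfix.exe", b"hotfix", written_by="patch_agent.exe"),
        Executable(r"C:\Users\bob\Downloads\game.exe", b"game"),
        Executable(r"C:\Users\bob\Downloads\..\..\Program Files\evil.exe", b"evil"),
    ]
    return [evaluate(e, policy) for e in cases]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

Two design points matter in practice: a Trusted Path is only as strong as the write permissions on that directory (a user-writable "trusted" folder is a bypass, which is why the evaluator refuses `..` components and a real deployment pairs the rule with ACLs), and both the Trusted Updater and Local Authorization rules write to an audit log because they widen the whitelist at run time and need to be reviewable.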
  • Protecting Against Buffer Overflows 3) Police OS Memory
    • Microsoft has developed effective capabilities in the OS itself to stop Buffer Overflow Attacks
      • Data Execution Prevention (DEP) - marks unused buffers as “non executable”
      • Address Space Layout Randomization (ASLR) – randomizes the memory components that make buffers
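DEP and ASLR only protect a program that opts in, and a binary records that choice in the `DllCharacteristics` field of its PE optional header (`IMAGE_DLLCHARACTERISTICS_NX_COMPAT` for DEP, `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` for ASLR, plus `HIGH_ENTROPY_VA` for 64-bit images). The checker below is an added example, not part of the presentation; it parses that field from any PE file and, so that it runs offline, builds a few constructed minimal headers instead of reading real binaries.

```python
"""Report whether a Windows PE image opts in to DEP and ASLR.

Added example, not from the presentation. It reads
IMAGE_OPTIONAL_HEADER.DllCharacteristics; the sample images are
constructed in-line (header only, not loadable) so no real binary is needed.
"""
import struct

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with full entropy
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040      # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100         # DEP opt-in
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def mitigation_flags(image: bytes) -> dict:
    """Parse the DOS header, PE signature, COFF header and optional header."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20            # skip signature and 20-byte COFF file header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts
    dllchar = struct.unpack_from("<H", image, opt + 70)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def missing_mitigations(image: bytes) -> list:
    """Names of the opt-ins a defender would expect but the image lacks."""
    flags = mitigation_flags(image)
    missing = [name for name in ("dep", "aslr") if not flags[name]]
    if flags["pe32plus"] and flags["aslr"] and not flags["high_entropy_va"]:
        missing.append("high_entropy_va")
    return missing


def build_sample_pe(dllchar: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal header: DOS stub with e_lfanew, PE signature, COFF
    header and the first 72 bytes of the optional header."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    opt = bytearray(72)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dllchar)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    # Real use: python check_pe.py C:\path\to\some.exe (prints the flag dict)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, missing_mitigations(fh.read()) or "all mitigations present")
```

Running this across an application inventory shows which third-party binaries fall back to legacy behaviour even on a patched OS, which is the gap the slide's "enable OS memory protection" layer is meant to close; note that a process-wide opt-out (or a single non-compatible DLL) can still weaken the policy, so the header check is a starting point rather than proof.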
  • A Complete Defense
    • AntiVirus
    • Patch Management
    • Application Control
    • Memory Protection
    • Intelligent Whitelisting
  • Q&A
    • Global Headquarters
    • 8660 East Hartford Drive
    • Suite 300
    • Scottsdale, AZ 85255
    • 1.888.725.7828
    • [email_address]