
Top Tactics For Endpoint Security


Webinar - Rothke - Top Tactics for Endpoint Security.


  1. Top Tactics for Endpoint Security
     Ben Rothke, CISSP, CISM
     Identity and Access Management Security School
  2. Times have changed
     - Just 15 years ago, when you called and spoke to someone in area code 212, you could reasonably assume that the person was indeed in New York City.
     - Today, when you call area code 212, the person might be in Manhattan, but can also be in Los Angeles, Moscow, Rio or anyplace in the world.
     - Endpoints are clearly changing, both in the physical world and, as we will see, in the digital world.
  3. Digital endpoint security
     - Within information security, the perimeter of old was simply a router or firewall
     - Today, the endpoint is the perimeter
       - In most organizations, with a laptop and DHCP, everyone gets in. At this point, there is no validation.
     - The old perimeter is dead
     - Network perimeter weakness
       - Remote access, with 80% of enterprises using VPNs
       - Web-based extranet and partner connectivity
     - Your perimeter firewall simply is not enough
     - Some firewalls are so open that all they do is slow down traffic
     - In fact, in some organizations it's hard to tell the difference between a firewall and a router
  4. Glass houses had no rogues
     - In the mainframe era of glass houses and dumb terminals, there were simply no rogue devices
     - Networks were private, leased and closed
       - Everything around the IBM mainframes was proprietary and closed
     - Today, networks are made to be open
     - Today, rogue devices are a bane
     - Endpoint security is becoming a crucial aspect of an information security program
  5. Security risks of rogue devices
     - The inability to control network admission exposes an organization to significant risk
       - Can be accidental or malicious in nature
       - Often leads to network downtime or exposure of sensitive information
     - Therefore, only allow authorized devices onto the network
     - With endpoint security, non-compliant endpoints attempt connection but are first quarantined
     - Only after inspection and remediation are they admitted
     - Your endpoints are now secure
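The slide's first control, "only allow authorized devices onto the network", starts with knowing which devices actually got an address. The following is an added example, not material from the webinar: a small detector that reads DHCP server log lines and flags leases handed to MAC addresses missing from an asset inventory, or whose reported hostname does not match the inventory record. The log lines, MAC addresses, hostnames and the inventory are all constructed for the example, and the log format is modelled loosely on ISC dhcpd syslog output.

```python
"""Flag DHCP leases granted to devices that are not in the asset inventory.

Added example, not code from the webinar. Sample log lines and the
inventory below are constructed; only the DHCPACK lines matter, because
a DISCOVER shows intent while an ACK shows the server actually handed
out an address.
"""
import re
from dataclasses import dataclass

# Constructed ISC-dhcpd-style syslog lines (hosts and MACs are made up).
SAMPLE_DHCP_LOG = """\
Mar  3 08:01:12 dhcp1 dhcpd: DHCPACK on 10.20.1.57 to 00:1a:2b:3c:4d:01 (ENG-LAPTOP-07) via eth0
Mar  3 08:01:40 dhcp1 dhcpd: DHCPACK on 10.20.1.58 to 00:1a:2b:3c:4d:02 (FIN-DESKTOP-03) via eth0
Mar  3 08:02:05 dhcp1 dhcpd: DHCPDISCOVER from 3c:9f:00:aa:bb:cc via eth0
Mar  3 08:02:06 dhcp1 dhcpd: DHCPACK on 10.20.1.59 to 3c:9f:00:aa:bb:cc (android-4f1c) via eth0
Mar  3 08:02:30 dhcp1 dhcpd: DHCPACK on 10.20.1.57 to 00:1a:2b:3c:4d:01 (eng-laptop-07) via eth0
Mar  3 08:03:11 dhcp1 dhcpd: DHCPACK on 10.20.1.60 to 00:1a:2b:3c:4d:02 (johns-macbook) via eth0
"""

# Constructed asset inventory: MAC address -> hostname the asset system expects.
AUTHORIZED = {
    "00:1a:2b:3c:4d:01": "ENG-LAPTOP-07",
    "00:1a:2b:3c:4d:02": "FIN-DESKTOP-03",
}

# Matches the address, MAC and optional "(hostname)" of a DHCPACK line.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    hostname: str
    reason: str  # "mac-not-in-inventory" or "hostname-mismatch"


def find_rogue_leases(log_text, inventory):
    """Return one Finding per DHCPACK whose MAC is unknown to the inventory,
    or whose reported hostname differs from the inventory record.
    Hostname comparison is case-insensitive; a lease that reports no
    hostname at all is not treated as a mismatch."""
    findings = []
    for line in log_text.splitlines():
        match = ACK_RE.search(line)
        if not match:
            continue  # DISCOVER/OFFER/REQUEST lines: no address was granted
        mac = match.group("mac").lower()
        host = match.group("host") or ""
        expected = inventory.get(mac)
        if expected is None:
            findings.append(Finding(match.group("ip"), mac, host, "mac-not-in-inventory"))
        elif host and host.lower() != expected.lower():
            findings.append(Finding(match.group("ip"), mac, host, "hostname-mismatch"))
    return findings


def summarize(findings):
    """Count findings by reason, handy for a daily report or alert threshold."""
    counts = {}
    for finding in findings:
        counts[finding.reason] = counts.get(finding.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_rogue_leases(SAMPLE_DHCP_LOG, AUTHORIZED):
        print(f"{f.ip:12} {f.mac}  {f.hostname or '-':16} {f.reason}")
    print(summarize(find_rogue_leases(SAMPLE_DHCP_LOG, AUTHORIZED)))
```

A hostname mismatch on a known MAC is worth its own reason code: it is the signature a reused or cloned address leaves behind, and it is the case a MAC-only allow list would silently pass. On its own this is detection, not admission control; the slide's quarantine step needs the switch or DHCP server to act on the findings.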
  6. Definition
     - While there is no single universal definition for endpoint security, the general definition is:
       - the use of a network access control system to restrict network access only to systems that demonstrate adherence to a pre-defined corporate security policy
  7. Why do we need endpoint security?
     - Viruses and worms continue to disrupt business
     - Zero-day attacks make reactive solutions less effective
     - Point technologies preserve host rather than network availability and enterprise resiliency
     - Non-compliant servers and desktops are difficult to detect and contain
     - Locating and isolating infected systems takes significant time and is extremely resource intensive
     - Users are often authenticated, but devices are not
     - Non-compliant/unmanaged devices pose an unacceptable risk
       - Often the source of infection
       - Rogue assets are untracked and invisible
     - Device compliance is as important as user authentication
  8. Where are the endpoint threats? (15 of innumerable threats)
     - Remote users
     - Mobile users
     - Regional, remote and branch offices
     - Non-compliant laptops
     - Wireless
     - Guests
     - Contractors
     - Interconnected networks
     - Distributed data
     - Business extranets
     - Remote access
     - Web services
     - Wireless
     - Mobile smart devices
     - VoIP phones
     - and many more…
  9. What are the endpoint threats?
     - Rogue wireless access
     - Keystroke loggers
     - Contractor with the latest worm or virus on their laptop
     - Kiosks
     - Backdoor listening for inbound connections
     - Spyware download via P2P
     - IM
     - and more…
  10. Origination points
     - Accessed by employees, consultants, customers, trading partners
     - From home office, hotel, branch office, client site, airport, conference, restaurant, home, trains, planes, automobiles
     - Using laptops running Windows, Linux, Mac OS X; PDAs running PocketPC, Symbian or PalmOS; mobile phones; public kiosks
     - By dial-up modem, hotel Ethernet, Wi-Fi, mobile carrier, cable modem, DSL
     - To connect with email, Web-based intranet, terminal services, CRM, ERP, partner data
     - Contrast this with the old dumb terminals: one location, one hard connection.
  11. Endpoint security benefits
     - Manage zero-day threats
     - Reduce incident response cost
     - Eliminate system downtime
     - Reduce hot fixes and patching
     - Lower recovery cost
     - Comply with regulatory requirements
     - Single solution, multiple security functions, low performance impact
     - Increased security of corporate resources
     - Ensures endpoints (laptops, PCs, PDAs, servers, etc.) conform to security policy
     - Proactively protects against worms, viruses, spyware and malware
     - Reduced risk of outbreak due to infected endpoints
     - Safe access to networks through VPN access
     - Controlled remediation and patching of unhealthy endpoints
  12. Evolution of endpoint security
     - Today
       - Static network access
       - Every device is permitted
       - Infected or unhealthy devices are frequently the root of an outbreak
     - Tomorrow
       - Dynamic network access based on policies
       - Screen devices before granting access
       - Infected or unhealthy devices treated separately
  13. How do you start thinking about endpoint security?
     - Know what you want to inspect
     - Ensure you have policies in place
     - Risk assessment
       - Define in detail what your risks are
       - Not all risks are created equal
       - Not all endpoints are created equal
  14. Questions you need to ask
     - How do we enforce compliance with our security policies in order to provide a safe and secure network environment for everyone?
     - How do we identify unmanaged desktops to deliver our security message?
     - How do we ensure all types of users have adequate awareness and training on security issues?
  15. Next steps
     - Assessment of endpoint security requirements and needs
     - Decision making based on policy compliance
     - Admission enforcement at the network infrastructure level
     - Quarantining/remediation of unhealthy devices
  16. Determine the context of the endpoint device
     - Function
     - Location
     - Criticality
     - Compliance state
  17. What are your minimums?
     - Define and evaluate what is necessary
     - What is to be allowed?
     - Obligatory compliance of all desktops with the minimum corporate security policy
       - Define minimum desktop requirements
       - Current OS patches
       - Latest Web browser
       - Latest AV signatures and definitions
       - Up-to-date personal firewall
       - Latest spyware signatures and definitions
       - Other security configurations
  18. Strategic endpoint security
     - Effective endpoint security requires a strategic approach that understands the need to optimize connectivity while also ensuring protection for all critical resources
     - This is not a trivial task
     - Endpoint security is not plug and play
  19. Converged devices
     - Devices such as notebooks, tablet PCs, PDAs, smartphones and other types of mobile devices also need to be secured
     - They have increasing storage and performance capabilities
     - They travel outside the bounds of physical and logical perimeters, and they aren't connected to the network at all times
     - These devices enter and leave your network many times over the course of the year
       - That leaves myriad opportunities to return with malware
  20. Converged devices
     - The Bad
       - These devices present a significant potential for financial loss, legal liability and brand damage since they are unprotected
     - The Ugly
       - Many organizations have no idea whether these devices are connected to their network or how many are connected
     - The Good
       - Endpoint security can offer protection against the threats that converged devices bring
  21. Non-corporate owned devices
     - Consultants, contractors, hackers, employees and more will attempt to connect their own devices to the corporate network
     - Be it a corporate-owned device or a privately-owned endpoint, all must be controlled before being given access to the network
  22. Legal issues
     - There may be regulatory and legal issues that have a local impact
     - Your organization must be aware of them and fully comply with them
     - If the logs are going to be used as evidence, they must be appropriately secured
     - Get legal counsel involved
  23. Basic endpoint security recommendations
     - An unsecured endpoint must not be allowed to connect to the network if doing so inappropriately increases the risk to the organization
     - Management must identify the state of the endpoints before they are allowed access to internal networks
     - The CISO must be able to provide a level of assurance to management that information will be protected when it reaches the endpoint
     - Remediation plans must be created for remote endpoints
  24. Endpoint security is not a silver bullet
     - While endpoint security is a hot topic with myriad hardware and software solutions, the reality is that:
       - There are no standards
       - Many current solutions are proprietary
       - It is still somewhat of an immature solution
       - There are not a lot of experts in the field
       - Solutions are costly and complex to implement
  25. The Big 3 Endpoint Security Solutions
     - Cisco Network Admission Control (NAC)
     - Microsoft Network Access Protection (NAP)
     - TCG Trusted Network Connect (TNC)
  26. Other vendors in the space
     - Check Point
     - Endforce
     - StillSecure
     - Symantec
     - Juniper
     - Configuresoft
     - Lockdown Networks
     - eEye
     - Qualys
     - Funk
     - 3Com
     - Altiris
     - ISS
     - Citrix
     - ConSentry
     - Vernier
     - Senforce
     - McAfee
     - Forescout
     - InfoExpress
     - Intel
     - and many more…
  27. Commonalities
     - All of the solutions are basically attempting to perform the same task
     - They all use routers, switches, wireless access points, software and security appliances to enforce endpoint security
     - Require security credentials from endpoint devices
     - Relay them to a policy server
     - Policy servers evaluate the credentials and make the admission control policy decision (permit, deny, quarantine or restrict)
     - The network access device enforces the admission control policy decision
  28. Commonality: the policy server
     - The policy server is generally a RADIUS, Kerberos or 802.1x system; it is the central point for establishing network access policies and the primary mechanism for the endpoint security workflow
     - The policy server decides whether to allow an endpoint onto the network based on input from the baseline of the device
     - The server interfaces with other security configuration management functions that hold information such as OS updates, AV, patches, etc.
  29. Cisco NAC
     - API-level enforcement and quarantine technology being built into Cisco network infrastructure
     - Viable product in production
     - Multiple vendors in program
     - NAC focuses on network infrastructure, policy definition and management
     - Built on a foundation of installed Cisco devices
  30. Cisco NAC
     - NAC works via trusted modules that are installed on Windows and Linux desktops (Cisco Trusted Agent, CTA) and implemented in Cisco routers and switches
     - The CTA gathers device information and passes it via 802.1x to the Cisco Secure Access Control Server (ACS)
     - The ACS communicates with the policy server to determine compliance and enforce network access via the Cisco switching infrastructure
  31. Cisco NAC
     - NAC requires a Cisco infrastructure running a current version of IOS
       - 12.3(8)T or later
     - For enterprises running legacy Cisco devices, this will require an expensive hardware upgrade
     - For enterprises running older versions of IOS, this will require plans to upgrade
  32. Cisco NAC
     - Benefits
       - Shipping now
       - Somewhat mature
       - Many deployments
       - Supports Linux clients
     - Disadvantages
       - Proprietary solution
         - Full solution works only with Cisco 802.1x equipment and authentication server
       - Cisco switch-based
       - Significant IOS upgrade may be required
       - Requires software agent
  33. Microsoft NAP
     - Health assessment of host device
     - API-level enforcement and quarantine technology via the Windows OS
     - Available in Vista
     - Multiple vendors in program and announcing support
     - Built on a Windows foundation and uses the Windows Quarantine Agent (QA)
  34. Microsoft NAP
     - The QA gathers device information and passes it to the Microsoft Network Policy Server (NPS)
     - The NPS works with other devices (DHCP, IPsec, VPN, 802.1x and more) for policy compliance
     - Only supported in Vista and Windows XP SP2
  35. Microsoft NAP
     - Benefits
       - Single policy solution for Windows devices
       - Supported by many vendors
     - Disadvantages
       - Still in beta development
       - Only Vista and XP support
       - No Linux support
       - No large scale deployments to date
  36. Trusted Computing Group
     - Creating the TNC (Trusted Network Connect) standard
     - Multiple API-level interfaces
     - Broad approach to endpoint security
     - Still in early stage of development
     - Built on the assumption that every device has a specialized piece of hardware to verify that the endpoint has not been compromised
     - Uses that hardware to monitor and enforce endpoint policies
  37. Trusted Network Connect
     - Trusted Network Connect is a set of open standards
       - Mission is to develop and promote an open, vendor-neutral, industry standard specification for trusted computing building blocks and software interfaces across multiple platforms
     - Not all of the standards have been fully defined
     - Little product support to date
     - Key components of TNC are a RADIUS server and 802.1x authentication servers, in addition to a trusted hardware chip (TPM) and software on the endpoint device
  38. Trusted Network Connect
     - The TPM (Trusted Platform Module) is used to authenticate the endpoint device
     - Once authenticated, the TPM passes control to a software agent, which checks the device for compliance
  39. Trusted Network Connect
     - Benefits
       - Provides security at the hardware level
       - Broad architecture
       - Wide support from laptop and other hardware vendors
     - Disadvantages
       - Requires specialized TPM hardware
       - Standards are incomplete
       - Few major rollouts
  40. Client-based solutions
     - Advantages
       - Local access to suspect resources
       - Can perform a much deeper scan of the device
       - Piggyback on local processing power
       - Generally the best solution for managed PCs on a LAN or wireless LAN, or an IPsec VPN or dial-in remote access server
     - Disadvantages
       - Another piece of software to install and manage
       - Inherent trust problem with the suspect device validating itself
       - Can possibly be deleted or disabled by an end user or administrator
  41. Client-free solutions
     - Advantages
       - Policy and trust mechanisms "in the network" vs "on the client"
       - Piggybacks on Windows management mechanisms for remote access to local resource information
       - Doesn't require more client software to install and manage
     - Disadvantages
       - Requires some form of "managed" desktops
       - Assumes new networking intelligence installed in the infrastructure
  42. Universal product requirements
     - Ability to define a granular set of security policies
       - Your organization may have many different policy requirements. The product must support any number and variety of policies.
     - Ability to detect every device connecting to the network
       - Ensure that it can detect any device, irrespective of its hardware manufacturer or software creator.
  43. Universal product requirements
     - Assess the device's level of compliance
       - Scan must take place before network access
       - Must support post-admission checks (Web browser, client software, etc.)
     - Enforce policy
       - Complete quarantining of the device
     - Remediate non-compliant devices
       - Ability to push signatures, patches, etc., so the system can be brought up to date
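The "What are your minimums?" slide lists the checks, the "Commonalities" slides say the policy server turns them into a permit/deny/quarantine/restrict decision, and the "Universal product requirements" slides ask for assessment, enforcement and remediation. The following is an added example tying those three together; it is not code from the webinar or from any NAC vendor's product. Every threshold, field name and posture report is constructed, and the rule that decides which failures lead to quarantine versus restricted access is an assumption chosen for illustration.

```python
"""Admission decision for an endpoint posture report against a minimum policy.

Added example, not code from the webinar or from any NAC vendor. The
checks mirror the deck's minimum desktop requirements; the thresholds,
the quarantine/deny rules and the posture reports are all constructed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class MinimumPolicy:
    """Constructed thresholds; a real standard sets its own values."""
    max_patch_age_days: int = 30
    max_av_sig_age_days: int = 3
    min_browser_version: tuple = (7, 0)
    require_firewall: bool = True
    require_antispyware: bool = True


# Failures the quarantine network can fix by pushing software (constructed).
REMEDIABLE = {
    "os-patches-stale": "push current OS patches",
    "av-signatures-stale": "push latest AV signatures",
    "antispyware-missing": "install anti-spyware agent",
    "firewall-disabled": "enable personal firewall",
}
# Failures that warrant full quarantine rather than restricted access (constructed rule).
QUARANTINE_ON = {"os-patches-stale", "av-signatures-stale", "firewall-disabled"}
# Failures with no automated remediation path (constructed rule).
DENY_ON = {"agent-tampered"}


@dataclass
class Decision:
    verdict: str                                   # permit | restrict | quarantine | deny
    failures: list = field(default_factory=list)   # failed check names
    remediation: list = field(default_factory=list)  # actions to push from quarantine


def parse_version(text):
    """'7.0.5730' -> (7, 0, 5730) so browser versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def check_posture(posture, policy, today):
    """Return the names of the minimum-policy checks this report fails."""
    failures = []
    if posture.get("agent_tampered"):
        failures.append("agent-tampered")
    if (today - posture["last_os_patch"]).days > policy.max_patch_age_days:
        failures.append("os-patches-stale")
    if (today - posture["av_signature_date"]).days > policy.max_av_sig_age_days:
        failures.append("av-signatures-stale")
    if parse_version(posture["browser_version"]) < policy.min_browser_version:
        failures.append("browser-outdated")
    if policy.require_firewall and not posture["firewall_enabled"]:
        failures.append("firewall-disabled")
    if policy.require_antispyware and not posture["antispyware_installed"]:
        failures.append("antispyware-missing")
    return failures


def decide(posture, policy, today):
    """Map the failed checks to the admission verdict and remediation list."""
    failures = check_posture(posture, policy, today)
    fixes = [REMEDIABLE[f] for f in failures if f in REMEDIABLE]
    if DENY_ON & set(failures):
        verdict = "deny"          # no remediation path: keep it off the network
    elif QUARANTINE_ON & set(failures):
        verdict = "quarantine"    # isolate, remediate, then re-check
    elif failures:
        verdict = "restrict"      # e.g. browser outdated: limited access, post-admission check
    else:
        verdict = "permit"
    return Decision(verdict, failures, fixes)


# Constructed posture reports, as a policy server might receive them from an agent.
TODAY = date(2024, 3, 1)
SAMPLE_POSTURE = {
    "compliant": dict(last_os_patch=date(2024, 2, 20), av_signature_date=date(2024, 2, 29),
                      browser_version="7.0.5730", firewall_enabled=True, antispyware_installed=True),
    "stale-av": dict(last_os_patch=date(2024, 2, 20), av_signature_date=date(2024, 2, 10),
                     browser_version="7.0.5730", firewall_enabled=True, antispyware_installed=True),
    "old-browser": dict(last_os_patch=date(2024, 2, 25), av_signature_date=date(2024, 3, 1),
                        browser_version="6.0.2900", firewall_enabled=True, antispyware_installed=True),
    "tampered": dict(agent_tampered=True, last_os_patch=date(2024, 2, 25), av_signature_date=date(2024, 3, 1),
                     browser_version="7.0.5730", firewall_enabled=False, antispyware_installed=True),
}


def decide_all(reports=SAMPLE_POSTURE, policy=MinimumPolicy(), today=TODAY):
    """Evaluate every report; returns {name: Decision}."""
    return {name: decide(report, policy, today) for name, report in reports.items()}


if __name__ == "__main__":
    for name, decision in decide_all().items():
        print(f"{name:12} -> {decision.verdict:10} {decision.failures} {decision.remediation}")
```

The split between quarantine and restrict is where the "not all endpoints are created equal" slide lands: a missing signature update is fixable in an isolated VLAN, while an outdated browser can be handled by limited access plus the post-admission check the requirements slide calls for. The tampered-agent case is the client-based trust problem from the earlier slide: once the agent's own report cannot be trusted, the server has nothing left to remediate against, so the example denies rather than quarantines.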
  44. Conclusions
     - Endpoint security is a powerful technology whose time has come
     - Don't underestimate the time and complexity it will take to deploy
     - Make sure you define your specific needs and requirements and map those to your environment
     - You will have to live with and support your decision, so make sure you make the right choice
  45. Also in this lesson
     - Podcast: Endpoint enforcement: Smart policies to control the endpoint explosion
     - Article: Keeping pace with emerging endpoint security technologies
     Identity and Access Management Security School