Top Tactics For Endpoint Security

Webinar - Rothke - Top Tactics for Endpoint Security.


  1. Top Tactics for Endpoint Security
     Ben Rothke, CISSP, CISM
     Identity and Access Management Security School
     searchsecurity.com/iamschool
  2. Times have changed
     - Just 15 years ago, when you called and spoke to someone in area code 212, you could reasonably assume that the person was indeed in New York City.
     - Today, when you call area code 212, the person might be in Manhattan, but can also be in Los Angeles, Moscow, Rio or anyplace in the world.
     - Endpoints are clearly changing, both in the physical world and, as we will see, in the digital world.
  3. Digital endpoint security
     - Within information security, the perimeter of old was simply a router or firewall
     - Today, the endpoint is the perimeter
       - In most organizations, with a laptop and DHCP, everyone gets in. At this point, there is no validation.
     - The old perimeter is dead
     - Network perimeter weakness
       - Remote access, with 80% of enterprises using VPNs
       - Web-based extranet and partner connectivity
     - Your perimeter firewall simply is not enough
     - Some firewalls are so open that all they do is slow down traffic
     - In fact, in some organizations, it's hard to tell the difference between a firewall and a router
  4. Glass houses had no rogues
     - In the mainframe era of glass houses and dumb terminals, there were simply no rogue devices
     - Networks were private, leased and closed
       - Everything around the IBM mainframes was proprietary and closed
     - Today, networks are made to be open
     - Today, rogue devices are a bane
     - And endpoint security is becoming a crucial aspect of an information security endeavor
  5. Security risks of rogue devices
     - The inability to control network admission exposes an organization to significant risk
       - Can be accidental or malicious in nature
       - Often leads to network downtime or exposure of sensitive information
     - Therefore, only allow authorized devices onto the network
     - With endpoint security, non-compliant endpoints attempt connection, but are first quarantined
     - After inspection and remediation, only then are they admitted
     - Your endpoints are now secure
  6. Definition
     - While there is no single universal definition for endpoint security, the general definition is:
       - the use of a network access control system to restrict network access only to systems that demonstrate adherence to a pre-defined corporate security policy
  7. Why do we need endpoint security?
     - Viruses and worms continue to disrupt business
     - Zero-day attacks make reactive solutions less effective
     - Point technologies preserve host rather than network availability and enterprise resiliency
     - Non-compliant servers and desktops are difficult to detect and contain
     - Locating and isolating infected systems takes significant time and is extremely resource intensive
     - Users are often authenticated, but devices are not
     - Non-compliant/unmanaged devices pose an unacceptable risk
       - Often the source of infection
       - Rogue assets are untracked and invisible
     - Device compliance is as important as user authentication
  8. Where are the endpoint threats? (15 of innumerable threats)
     - Remote users
     - Mobile users
     - Regional, remote and branch offices
     - Non-compliant laptops
     - Wireless
     - Guests
     - Contractors
     - Interconnected networks
     - Distributed data
     - Business extranets
     - Remote access
     - Web services
     - Wireless
     - Mobile smart devices
     - VoIP phones
     - and many more…
  9. What are the endpoint threats?
     - Rogue wireless access
     - Keystroke loggers
     - Contractor with the latest worm or virus on their laptop
     - Kiosks
     - Backdoor listening for inbound connections
     - Spyware download via P2P
     - IM
     - and more…
  10. Origination points
     - Accessed by employees, consultants, customers, trading partners
     - From home office, hotel, branch office, client site, airport, conference, restaurant, home, trains, planes, automobiles
     - Using laptops running Windows, Linux, Mac OS X; PDAs running PocketPC, Symbian or PalmOS; mobile phones; public kiosks
     - By dial-up modem, hotel Ethernet, Wi-Fi, mobile carrier, cable modem, DSL
     - To connect with email, Web-based intranet, terminal services, CRM, ERP, partner data
     - Contrast this with the old dumb terminals: one location, one hard connection
  11. Endpoint security benefits
     - Manage zero-day threats
     - Reduce incident response cost
     - Eliminate system downtime
     - Reduce hot fixes and patching
     - Lower recovery cost
     - Comply with regulatory requirements
     - Single solution, multiple security functions, low performance impact
     - Increased security of corporate resources
     - Ensures endpoints (laptops, PCs, PDAs, servers, etc.) conform to security policy
     - Proactively protects against worms, viruses, spyware and malware
     - Reduced risk of outbreak due to infected endpoints
     - Safe access to networks through VPN access
     - Controlled remediation and patching of unhealthy endpoints
  12. Evolution of endpoint security
     - Today
       - Static network access
       - Every device is permitted
       - Infected or unhealthy devices are frequently the root of an outbreak
     - Tomorrow
       - Dynamic network access based on policies
       - Screen devices before granting access
       - Infected or unhealthy devices are treated separately
  13. How do you start thinking about endpoint security?
     - Know what you want to inspect
     - Ensure you have policies in place
     - Risk assessment
       - Define in detail what your risks are
       - Not all risks are created equal
       - Not all endpoints are created equal
  14. Questions you need to ask
     - How do we enforce compliance with our security policies in order to provide a safe and secure network environment for everyone?
     - How do we identify unmanaged desktops to deliver our security message?
     - How do we ensure all types of users have adequate awareness and training on security issues?
  15. Next steps
     - Assessment of endpoint security requirements and needs
     - Decision making based on policy compliance
     - Admission enforcement at the network infrastructure level
     - Quarantining/remediation of unhealthy devices
  16. Determine the context of the endpoint device
     - Function
     - Location
     - Criticality
     - Compliance state
  17. What are your minimums?
     - Define and evaluate what is necessary
     - What is to be allowed?
     - Obligatory compliance of all desktops with the minimum corporate security policy
       - Define minimum desktop requirements
       - Current OS patches
       - Latest Web browser
       - Latest AV signatures and definitions
       - Up-to-date personal firewall
       - Latest spyware signatures and definitions
       - Other security configurations
  18. Strategic endpoint security
     - Effective endpoint security requires a strategic approach that understands the need to optimize connectivity while also ensuring protection for all critical resources
     - This is not a trivial task
     - Endpoint security is not plug and play
  19. Converged devices
     - Devices such as notebooks, tablet PCs, PDAs, smartphones and other types of mobile devices also need to be secured
     - They have increasing storage and performance capabilities
     - They travel outside the bounds of physical and logical perimeters, and they aren't connected to the network at all times
     - These devices enter and leave your network many times over the course of the year
       - That leaves myriad opportunities to return with malware
  20. Converged devices
     - The Bad
       - These devices present a significant potential for financial loss, legal liability and brand damage since they are unprotected
     - The Ugly
       - Many organizations have no idea if these devices are connected to their network or how many are connected
     - The Good
       - Endpoint security can offer protection against the threats that converged devices bring
  21. Non-corporate owned devices
     - Consultants, contractors, hackers, employees and more will attempt to connect their own devices to the corporate network
     - Be it a corporate-owned device or a privately-owned endpoint, all must be controlled before being given access to the network
  22. Legal issues
     - There may be regulatory and legal issues that have a local impact
     - Your organization must be aware of them and fully comply with them
     - If the logs are going to be used as evidence, they must be appropriately secured
     - Get legal counsel involved
  23. Basic endpoint security recommendations
     - An unsecured endpoint must not be allowed to connect to the network if doing so inappropriately increases the risk to the organization
     - Management must identify the state of the endpoints before they are allowed access to internal networks
     - The CISO must be able to provide a level of assurance to management that information will be protected when it reaches the endpoint
     - Remediation plans must be created for remote endpoints
  24. Endpoint security is not a silver bullet
     - While endpoint security is a hot topic with myriad hardware and software solutions, the reality is that:
       - There are no standards
       - Many current solutions are proprietary
       - It is still somewhat of an immature solution
       - There are not a lot of experts in the field
       - Solutions are costly and complex to implement
  25. The Big 3 Endpoint Security Solutions
     - Cisco Network Admission Control (NAC)
     - Microsoft Network Access Protection (NAP)
     - TCG Trusted Network Connect (TNC)
  26. Other vendors in the space
     - Check Point
     - Endforce
     - StillSecure
     - Symantec
     - Juniper
     - Configuresoft
     - Lockdown Networks
     - eEye
     - Qualys
     - Funk
     - 3Com
     - Altiris
     - ISS
     - Citrix
     - ConSentry
     - Vernier
     - Senforce
     - McAfee
     - Forescout
     - InfoExpress
     - Intel
     - and many more…
  27. Commonalities
     - All of the solutions are basically attempting to perform the same task
     - They all use routers, switches, wireless access points, software and security appliances to enforce endpoint security
     - The solution requires security credentials from endpoint devices
     - It relays them to a policy server
     - Policy servers evaluate the credentials and make the admission control policy decision (permit, deny, quarantine or restrict)
     - The network access device enforces the admission control policy decision
  28. Commonality: Policy Server
     - The policy server is generally a RADIUS, Kerberos or 802.1x system; it is the central point for establishing network access policies and the primary mechanism for the endpoint security workflow
     - The policy server decides whether to allow an endpoint onto the network based on input from the baseline of the device
     - The server interfaces with other security configuration management functions that hold information such as OS updates, AV, patches, etc.
  29. Cisco NAC
     - API-level enforcement and quarantine technology being built into Cisco network infrastructure
     - Viable product in production
     - Multiple vendors in program
     - NAC focuses on network infrastructure, policy definition and management
     - Built on a foundation of installed Cisco devices
  30. Cisco NAC
     - NAC works via trusted modules that are installed on Windows and Linux desktops (Cisco Trusted Agent, CTA) and implemented in Cisco routers and switches
     - The CTA gathers device information and passes it via 802.1x to the Cisco Secure Access Control Server (ACS)
     - The ACS communicates with the policy server to determine compliance and enforces network access via the Cisco switching infrastructure
  31. Cisco NAC
     - NAC requires a Cisco infrastructure running a current version of IOS
       - 12.3(8)T or later
     - For enterprises running legacy Cisco devices, this will require an expensive hardware upgrade
     - For enterprises running older versions of IOS, this will require plans to upgrade
  32. Cisco NAC
     - Benefits
       - Shipping now
       - Somewhat mature
       - Many deployments
       - Supports Linux clients
     - Disadvantages
       - Proprietary solution
         - Full solution works only with Cisco 802.1x equipment and authentication server
       - Cisco switch-based
       - Significant IOS upgrade may be required
       - Requires software agent
  33. Microsoft NAP
     - Health assessment of host device
     - API-level enforcement and quarantine technology via the Windows OS
     - Available in Vista
     - Multiple vendors in program and announcing support
     - Built on a Windows foundation and uses the Windows Quarantine Agent (QA)
  34. Microsoft NAP
     - QA gathers device information and passes it to the Microsoft Network Policy Server (NPS)
     - The NPS works with other devices (DHCP, IPsec, VPN, 802.1x and more) for policy compliance
     - Only supported in Vista and Windows XP SP2
  35. Microsoft NAP
     - Benefits
       - Single policy solution for Windows devices
       - Supported by many vendors
     - Disadvantages
       - Still in beta development
       - Only Vista and XP support
       - No Linux support
       - No large-scale deployments to date
  36. Trusted Computing Group
     - Creating the TNC (Trusted Network Connect) standard
     - Multiple API-level interfaces
     - Broad approach to endpoint security
     - Still in early stage of development
     - Built on the assumption that every device has a specialized piece of hardware to verify that the endpoint has not been compromised
     - Uses that hardware to monitor and enforce endpoint policies
  37. Trusted Network Connect
     - Trusted Network Connect is a set of open standards
       - Mission is to develop and promote an open, vendor-neutral, industry standard specification for trusted computing building blocks and software interfaces across multiple platforms
     - Not all of the standards have been fully defined
     - Little product support to date
     - Key components of TNC are a RADIUS server and 802.1x authentication servers, in addition to a trusted hardware chip (TPM) and software on the endpoint device
  38. Trusted Network Connect
     - The TPM (Trusted Platform Module) is used to authenticate the endpoint device
     - Once authenticated, the TPM passes control to a software agent, which checks the device for compliance
  39. Trusted Network Connect
     - Benefits
       - Provides security at the hardware level
       - Broad architecture
       - Wide support from laptop and other hardware vendors
     - Disadvantages
       - Requires specialized TPM hardware
       - Standards are incomplete
       - Few major rollouts
  40. Client-based solutions
     - Advantages
       - Local access to suspect resources
       - Can perform a much deeper scan of the device
       - Piggyback on local processing power
       - Generally the best solution for managed PCs on a LAN or wireless LAN, or an IPsec VPN or dial-in remote access server
     - Disadvantages
       - Another piece of software to install and manage
       - Inherent trust problem with the suspect device validating itself
       - Can possibly be deleted or disabled by an end user or administrator
  41. Client-free solutions
     - Advantages
       - Policy and trust mechanisms "in the network" vs. "on the client"
       - Piggybacks on Windows management mechanisms for remote access to local resource information
       - Doesn't require more client software to install and manage
     - Disadvantages
       - Requires some form of "managed" desktops
       - Assumes new networking intelligence installed in the infrastructure
  42. Universal product requirements
     - Ability to define a granular set of security policies
       - Your organization may have many different policy requirements. The product must support any number and variety of policies.
     - Ability to detect every device connecting to the network
       - Ensure that it can detect any device, irrespective of its hardware manufacturer or software creator.
  43. Universal product requirements
     - Assess the device's level of compliance
       - Scan must take place before network access
       - Must support post-admission checks (Web browser, client software, etc.)
     - Enforce policy
       - Complete quarantining of the device
     - Remediate non-compliant devices
       - Ability to push signatures, patches, etc., so the system can be brought up to date
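The workflow the deck describes across slides 16 and 17 (endpoint context and minimum desktop requirements), slides 27 and 28 (the policy server's permit/deny/quarantine/restrict decision), slide 22 (securing logs that may become evidence) and slides 42 and 43 (assess, enforce, remediate) can be shown as one small policy-server decision function. The code below is an added example, not code from the deck or from any of the products it names; the posture field names, the age thresholds, the "high criticality is denied rather than quarantined" rule, and the four sample endpoints are all constructed for illustration. The decisions are appended to a hash-chained log so that any later edit, deletion or reordering of a record is detectable.

```python
"""Policy-server admission decision with a tamper-evident decision log.

Added example, not code from the deck or from any vendor it names. Field
names, thresholds, the criticality rule and the sample endpoints are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Tuple


class Decision(Enum):
    PERMIT = "permit"          # full production access
    RESTRICT = "restrict"      # limited access, e.g. a guest VLAN
    QUARANTINE = "quarantine"  # remediation network only
    DENY = "deny"


@dataclass
class Posture:
    """Health data the endpoint agent relays to the policy server (constructed fields)."""
    device_id: str
    managed: bool                     # corporate-owned and enrolled, vs. guest/contractor device
    criticality: str                  # slide 16 context: "low", "medium" or "high"
    os_patch_date: date               # newest installed OS patch
    av_signature_date: date
    antispyware_signature_date: date
    firewall_enabled: bool


@dataclass
class Policy:
    """Minimum desktop requirements (slide 17) expressed as maximum ages; thresholds assumed."""
    max_patch_age_days: int = 30
    max_signature_age_days: int = 7


def check_minimums(p: Posture, policy: Policy, today: date) -> List[str]:
    """Return the remediation steps needed to meet the minimum corporate policy."""
    failures: List[str] = []
    if today - p.os_patch_date > timedelta(days=policy.max_patch_age_days):
        failures.append("install current OS patches")
    if today - p.av_signature_date > timedelta(days=policy.max_signature_age_days):
        failures.append("update AV signatures")
    if today - p.antispyware_signature_date > timedelta(days=policy.max_signature_age_days):
        failures.append("update spyware signatures")
    if not p.firewall_enabled:
        failures.append("enable the personal firewall")
    return failures


def decide(p: Posture, policy: Policy, today: date) -> Tuple[Decision, List[str]]:
    """Admission decision: permit, deny, quarantine or restrict (slide 27)."""
    failures = check_minimums(p, policy, today)
    if not p.managed:
        # Non-corporate devices never get full access; an unhealthy one gets none (slide 21).
        return (Decision.RESTRICT if not failures else Decision.DENY), failures
    if not failures:
        return Decision.PERMIT, []
    if p.criticality == "high":
        # Assumed rule: a non-compliant high-criticality endpoint is not auto-remediated.
        return Decision.DENY, failures
    return Decision.QUARANTINE, failures


def append_record(log: List[Dict], entry: Dict) -> Dict:
    """Append a decision to a hash-chained log so later tampering is detectable (slide 22)."""
    prev = log[-1]["hash"] if log else "0" * 64
    body = json.dumps(entry, sort_keys=True, default=str)
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    record = {"prev": prev, "entry": entry, "hash": digest}
    log.append(record)
    return record


def verify_log(log: List[Dict]) -> bool:
    """Recompute the chain; any edited, removed or reordered record breaks it."""
    prev = "0" * 64
    for rec in log:
        body = json.dumps(rec["entry"], sort_keys=True, default=str)
        if rec["prev"] != prev or rec["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
            return False
        prev = rec["hash"]
    return True


def run_demo(today: date = date(2007, 6, 1)) -> List[Dict]:
    """Evaluate four constructed endpoints and return the chained decision log."""
    policy = Policy()
    endpoints = [
        Posture("LAPTOP-01", True, "medium", date(2007, 5, 20), date(2007, 5, 30), date(2007, 5, 29), True),
        Posture("LAPTOP-02", True, "medium", date(2007, 3, 1), date(2007, 5, 30), date(2007, 5, 30), False),
        Posture("GUEST-PDA", False, "low", date(2007, 5, 25), date(2007, 5, 31), date(2007, 5, 31), True),
        Posture("CONTRACTOR-1", False, "low", date(2007, 5, 25), date(2007, 4, 1), date(2007, 5, 31), True),
    ]
    log: List[Dict] = []
    for p in endpoints:
        decision, remediation = decide(p, policy, today)
        append_record(log, {"device": p.device_id, "posture": asdict(p),
                            "decision": decision.value, "remediation": remediation})
    return log


if __name__ == "__main__":
    for rec in run_demo():
        print(rec["entry"]["device"], rec["entry"]["decision"], rec["entry"]["remediation"])
```

Running the script evaluates the four constructed endpoints: the healthy managed laptop is permitted, the managed laptop with stale patches and a disabled firewall is quarantined with its remediation list, the healthy guest PDA is restricted, and the contractor laptop with stale AV signatures is denied. The remediation list returned for a quarantined device is what slide 43 calls pushing signatures and patches so the system can be brought up to date. The hash chain only makes tampering detectable; for logs that may serve as evidence, the chain head still has to be stored somewhere the endpoint administrators cannot overwrite.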
  44. Conclusions
     - Endpoint security is a powerful technology whose time has come
     - Don't underestimate the time and complexity it will take to deploy
     - Make sure you define your specific needs and requirements and map those to your environment
     - You will have to live with and support your decision, so make sure you make the right choice
  45. Also in this lesson
     - Podcast: Endpoint enforcement: Smart policies to control the endpoint explosion
     - Article: Keeping pace with emerging endpoint security technologies
     - searchsecurity.com/iamschool
     Identity and Access Management Security School