Sanctuary Device Control


    1. Lumension Security Sanctuary Device Control 4.2.2 Product Overview

    2. Consequences of theft and data loss
       "U.S. military secrets for sale at Afghan bazaar", BAGRAM, Afghanistan, April 10, 2006: No more than 200 yards from the main gate of the sprawling U.S. base here, stolen computer drives containing military assessments of enemy targets, names of corrupt Afghan officials and descriptions of American defenses are on sale in the local bazaar. The thefts of computer drives have the potential to expose military secrets as well as Social Security numbers and other identifying information of military personnel...

    3. Social Engineering the USB way
       - Security audit at a credit union (Source: )
       - Step 1: Prepare 20 USB drives with a trojan horse that gathers critical data (such as user account information) from the PC it is connected to and sends it by email
       - Step 2: Drop these USB drives on the company's premises
       - Step 3: Wait 3 days ...
       - Result: 15 out of 20 drives were used by employees; critical data from their PCs was exposed

    4. Did you know?
       "For sale: memory stick plus cancer patient records": Health bosses in Lancashire are facing awkward questions after confidential medical records of 13 cancer patients found their way onto a portable memory stick, which was repackaged and sold as new to a Crewe estate agent...
       - Useful portable storage? ... or malware entry point?
       - Music files? ... or your customer database?

    5. The Challenge
       - We can expect the use of new devices to accelerate: price, shape, utility; new ways of working
       - We cannot stop their adoption, nor should we try
       - We need to enforce device-use policies that enable them to be used securely: granular controls that empower users to do their work while assuring appropriate behaviours; restrictive but flexible

    6. Product Operation
       1. Client boots, user logs on, computer connects to the corporate network.
       2. Client driver sends an Identification message (machine ID, user ID, domain ID, group IDs, driver version, OS version).
       3. The Application Server queries the database for access rules and caches the results.
       4. The Access Rules are created, cryptographic signatures are added and the Access Rules are pushed to the client driver.
       5. The Access Rules are cached locally; policy enforcement is performed at kernel level.
       6. The computer may leave the corporate network and stays secure due to the local white list.
       Diagram components: Sanctuary Application Server(s), SQL Database (Cluster), Kernel Driver, Policies, digital signatures on the pushed rules; Active Directory / eDirectory synchronizes users, groups and computer accounts periodically.
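The signed push in steps 4 to 6, as an added example in Go: this is not Lumension's code, and the slide does not disclose the product's actual wire format or key scheme, so the rule fields, the access values `none`/`read`/`read-write` and the use of Ed25519 are this example's assumptions. The server serializes the access rules and signs them with its private key; the client verifies with the server's public key before caching, keeps the previous cache when verification fails, and answers lookups from the cache alone so enforcement continues once the machine is off the network.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// AccessRule is one entry of the access-rule list pushed to a client.
// Field names are this example's own, not the product's wire format.
type AccessRule struct {
	DeviceClass string `json:"device_class"`
	Group       string `json:"group"`
	Access      string `json:"access"` // "read" or "read-write"; unlisted pairs get "none"
}

// SignedPolicy carries the serialized rules plus the server's signature over them.
type SignedPolicy struct {
	Rules     []byte
	Signature []byte
}

// NewServerKey creates the server's signing key pair (constructed for the example);
// the public half would be distributed to clients at install time.
func NewServerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// ServerSign is the application-server side of step 4: serialize the rules and
// sign them with the server's private key before pushing them to the client.
func ServerSign(priv ed25519.PrivateKey, rules []AccessRule) (SignedPolicy, error) {
	body, err := json.Marshal(rules)
	if err != nil {
		return SignedPolicy{}, err
	}
	return SignedPolicy{Rules: body, Signature: ed25519.Sign(priv, body)}, nil
}

// Client is the endpoint side of steps 5 and 6: it trusts only the server's
// public key and keeps the last policy that verified, so enforcement continues
// from the local cache when the machine leaves the network.
type Client struct {
	ServerPub ed25519.PublicKey
	Cached    []AccessRule
}

var ErrBadSignature = errors.New("policy signature invalid: keeping previous cache")

// Receive verifies the signature before replacing the cached rules; a forged or
// tampered policy is rejected and the previously cached rules stay in force.
func (c *Client) Receive(p SignedPolicy) error {
	if !ed25519.Verify(c.ServerPub, p.Rules, p.Signature) {
		return ErrBadSignature
	}
	var rules []AccessRule
	if err := json.Unmarshal(p.Rules, &rules); err != nil {
		return err
	}
	c.Cached = rules
	return nil
}

// Lookup answers from the cache only (no network needed). Whitelist semantics:
// a group/class pair with no rule gets "none".
func (c *Client) Lookup(group, class string) string {
	for _, r := range c.Cached {
		if r.Group == group && r.DeviceClass == class {
			return r.Access
		}
	}
	return "none"
}

func main() {
	pub, priv := NewServerKey()
	signed, _ := ServerSign(priv, []AccessRule{
		{DeviceClass: "Removable Media", Group: "Sales", Access: "read-write"},
	})
	cl := &Client{ServerPub: pub}
	fmt.Println(cl.Receive(signed), cl.Lookup("Sales", "Removable Media"))

	// Rules altered in transit: the signature no longer matches, the cache is unchanged.
	tampered := signed
	tampered.Rules = []byte(`[{"device_class":"Modem","group":"Sales","access":"read-write"}]`)
	fmt.Println(cl.Receive(tampered), cl.Lookup("Sales", "Modem"))
}
```

The point worth checking in any such design is the failure path: a client that accepted an unsigned or badly signed rule set, or that cleared its cache on verification failure, would lose exactly the offline protection step 6 promises.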
    7. Identify devices and media, then assign access attributes
       - 0. Identify devices and media: devices (CD / DVD ROMs, Modem, Removable Media, USB Printer, USB Disk Pro, SND1 MP3 Player) and unique media (CD / DVD, Zip drives, Disk on key)
       - 1.1 Predefined device classes; 1.2 Specific device type / brand; 1.3 Add specific media to the media list
       - Question: what are users' / user groups' needs in terms of device / media access rights to perform their allowed tasks? (Accounting, Sales People, Network Admins, Support Team)
       - 3. Assign access attributes to an individual user or to groups of users ("assign and go")
       - Result: users can now access their allowed devices / media according to their granted attributes

    8. Managed Device Access Control: known device, access granted
       User -> Device Access Request -> Kernel Driver -> Known Device check (list of classes & known devices) -> Known device? Yes -> Device Policies (users, groups, device classes, devices and access attributes) -> Authorization: Yes -> Device Access. The request is logged.

    9. Managed Device Access Control: known device, access denied
       User -> Device Access Request -> Kernel Driver -> Known Device check -> Known device? Yes -> Device Policies -> Authorization: No -> No Access. The request is logged.

    10. Managed Device Access Control: unknown device
       User -> Device Access Request -> Kernel Driver -> Known Device check -> Known device? No -> No Access. The request is logged.

    11. The Challenge: Reduce Risk While Enabling New Technologies
       Four Key Steps:
       - Discovery: know what applications and devices are in use on endpoints
       - Policy Establishment: develop company-wide, group and/or user-specific policies that reduce or eliminate endpoint security issues
       - Policy Enforcement: enforce and administer endpoint security policies, with the flexibility to seamlessly make policy changes as appropriate, reducing end users' need for involvement
       - Policy Monitoring and Compliance Reporting: understand the effectiveness of endpoint policies and know when they have been violated

    12. Implementing Device Control: 1) Requirement Gathering, 2) Security Implications, 3) Operational Implications
       Sales Department:
       - Use memory keys: only type Lexar, only if encrypted, for 15 MB / day, with shadowing
       - Wireless connection: only when offline
       - Policy: standard permission for the Sales department to use only Lexar keys with decentralized encryption; offline permission for the Sales department to use wireless connectivity

    13. Implementing Device Control (continued)
       - Reception Desk: print invoices only on the local printer, only type HP 1250
       - Support Department: use customers' keys with read access only
       - Production Control Servers: maximum stability, complete lockdown

    14. Implementing Device Control (continued)
       - Marketing Department: use digital cameras only of type Sony DC210, only with file filter, only during business hours; use CDs & DVDs, only specific media
       - Result: restrictive but flexible device access control; high security with maximum user acceptance

    15. Architectural Considerations
       - Works over slow network links
       - Works through firewalls
       - Ensures high availability
       - Ensures manageability in large networks
       - Proxy support (proxy server)

    16. Architecture Example: bandwidth considerations
       - Sites: Main Site (1000 seats), two Regional Offices (1000 seats each) and a Sales Office (5000 seats), connected over a backbone with 1 MBit, 1 MBit, 10 MBit and 64 KBit links
       - Server placement: SQL + 2 SXS (serves Main Site & Regional Office 1); 1 SXS (serves Sales Office & backup for Regional Office); 1 SXS (serves Main Site & backup for Sales Office); a caching server where bandwidth is limited

    17. Access Attributes
       - Read and / or Write
       - Scheduled Access: e.g. from 08:00 to 18:00, Monday to Friday
       - Temporary Access: e.g. for the next 15 minutes; starting next Monday, for 2 days
       - Out-of-band permission: assign permissions when no network connection is present; all device classes supported
       - Online / Offline
       - Quota Management: e.g. limit copied data to 100 MB / day
       - Encryption enforcement: access is granted only if the medium has been encrypted (decentralized encryption), with a password recovery option
       - File Type Filtering: limit access to specific file types
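The authorization flow of slides 8 to 10 (known device? policy for the user's group? log every outcome) combined with the attributes on this slide, as an added example in Go. It is not Lumension's code: the structures, the `group|device class` policy key, the deny reasons and the audit-line format are assumptions of this example. One `Decide` call applies read/write rights, scheduled access, encryption enforcement, file type filtering and a per-user daily quota in that order and appends one audit line per request, whatever the outcome. `SamplePolicies` is constructed sample data mirroring the Sales and Marketing requirements from slides 12 and 14, not a real deployment.

```go
package main

import (
	"fmt"
	"path"
	"strings"
	"time"
)

// Request is one device-access attempt as seen by the kernel driver.
type Request struct {
	User, Group, DeviceClass, FileName string
	Write, Encrypted                   bool // Write false = read; Encrypted = medium carries the enforced encryption
	Bytes                              int64
	At                                 time.Time
}

// Permission is one access rule carrying the attributes listed on the slide above.
type Permission struct {
	Read, Write, RequireEncryption bool
	Days                           []time.Weekday // scheduled access; empty = any day
	FromHour, ToHour               int            // hour window [From, To); both 0 = all day
	QuotaPerDay                    int64          // bytes written per user per day; 0 = unlimited
	FileTypes                      []string       // allowed extensions; empty = any
}

// Engine: known device list, policies keyed by "group|device class", per-day write counters, audit log.
type Engine struct {
	KnownClasses map[string]bool
	Permissions  map[string]Permission
	Log          []string
	usedToday    map[string]int64 // "user|YYYY-MM-DD" -> bytes written
}

// Decide runs the flow: known device? -> policy for the user's group? -> attribute checks -> allow/deny.
func (e *Engine) Decide(r Request) (bool, string) {
	if !e.KnownClasses[r.DeviceClass] {
		return false, e.record(r, "DENY: unknown device")
	}
	p, ok := e.Permissions[r.Group+"|"+r.DeviceClass]
	switch {
	case !ok:
		return false, e.record(r, "DENY: no policy for this group and device")
	case (r.Write && !p.Write) || (!r.Write && !p.Read):
		return false, e.record(r, "DENY: operation not granted")
	case !inSchedule(p, r.At):
		return false, e.record(r, "DENY: outside scheduled access window")
	case p.RequireEncryption && !r.Encrypted:
		return false, e.record(r, "DENY: medium not encrypted")
	case len(p.FileTypes) > 0 && !allowedType(p.FileTypes, r.FileName):
		return false, e.record(r, "DENY: file type filtered")
	}
	if r.Write && p.QuotaPerDay > 0 { // quota counts only writes that pass every other check
		if e.usedToday == nil {
			e.usedToday = map[string]int64{}
		}
		key := r.User + "|" + r.At.Format("2006-01-02")
		if e.usedToday[key]+r.Bytes > p.QuotaPerDay {
			return false, e.record(r, "DENY: daily quota exceeded")
		}
		e.usedToday[key] += r.Bytes
	}
	return true, e.record(r, "ALLOW")
}

// record appends one audit line (every outcome is logged) and returns the verdict.
func (e *Engine) record(r Request, verdict string) string {
	e.Log = append(e.Log, fmt.Sprintf("%s user=%s class=%q write=%t file=%s %s",
		r.At.Format(time.RFC3339), r.User, r.DeviceClass, r.Write, r.FileName, verdict))
	return verdict
}

func inSchedule(p Permission, at time.Time) bool {
	dayOK := len(p.Days) == 0
	for _, d := range p.Days {
		dayOK = dayOK || d == at.Weekday()
	}
	return dayOK && ((p.FromHour == 0 && p.ToHour == 0) || (at.Hour() >= p.FromHour && at.Hour() < p.ToHour))
}

func allowedType(types []string, name string) bool {
	ext := strings.TrimPrefix(path.Ext(name), ".")
	for _, t := range types {
		if strings.EqualFold(t, ext) {
			return true
		}
	}
	return false
}

// SamplePolicies is constructed sample data mirroring slides 12 and 14; not a real deployment.
func SamplePolicies() *Engine {
	return &Engine{
		KnownClasses: map[string]bool{"Removable Media": true, "Digital Camera": true},
		Permissions: map[string]Permission{
			"Sales|Removable Media": {Read: true, Write: true, RequireEncryption: true, QuotaPerDay: 15 << 20, FromHour: 8, ToHour: 18,
				Days: []time.Weekday{time.Monday, time.Tuesday, time.Wednesday, time.Thursday, time.Friday}},
			"Marketing|Digital Camera": {Read: true, FileTypes: []string{"jpg"}},
		},
	}
}
```

Call `SamplePolicies().Decide(req)` for each request; the returned string is the reason and `Engine.Log` holds the audit trail. The order of the checks is a design choice: the quota counter is only charged for writes that every other attribute already allowed, so a denied write does not consume a user's daily allowance.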
    18. Attributes can be allocated to...
       - A complete device class (e.g. all USB printers)
       - A device sub class (e.g. USB printer HP 7575, CD/DVD NEC 3520A)
       - A unique device, based on encryption or serial number
       - Specific CDs / DVDs
       - A specific bus (USB, IrDA, FireWire...)
       - Groups of devices

    19. Access can be granted to...
       - A local user or group
       - An Active Directory user or group
       - An Active Directory domain
       - A machine
       - A machine group (created within SDC)
       - A Novell eDirectory user group or organizational unit

    20. Security Features
       - Kernel driver: invisible (no Task Manager process), fast (no performance loss), compatible (no conflict with other software)
       - Encryption of unique devices with AES: AES 256 = market standard; fast and transparent within the network; strong password enforcement for usage outside the corporate network
       - Client / server traffic: private/public key mechanism; impossible to tamper with; easily generated and deployed

    21. Security Features
       - Client hardening: even a local administrator cannot uninstall the client
       - Protection against keyloggers
       - Removable media encryption: assign any removable media to any user and then encrypt the media; the encrypted device is accessible only by the user who owns the access rights on the removable media
       - Offline protection: a local copy of the latest device access permission list is stored on the disconnected workstation or laptop

    22. Auditing and Logging
       - User actions logging: read denied / write denied; device entered / medium inserted; open API for 3rd-party reporting tools
       - Shadowing of all copied data: Level 1 shows the file name and attributes of copied data; Level 2 captures and retains a full copy of data written to an external device or read from such a device
       - Administrator auditing: keeps track of all policy changes made by SDC admins

    23. Custom Reports
       - Scheduled delivery
       - Highly configurable, templates available
       - Advanced query builder
       - HTML, CSV or XML outputs
       - Sent by email or stored to the filesystem on a predefined schedule

    24. 3rd Party Reporting
       - Easy integration with popular reporting & statistics tools (example: Crystal Reports)
       - Sample reports: shadowing by file type, shadowing by user

    25. Administrative Roles for...
       - Time-based access settings (e.g. helpdesk)
       - Permanent access settings
       - Add / create specific devices
       - Add specific CD / DVD media
       - View administrative audit logs (auditor)
       - View user access logs
       - View shadow files
       - Client hardening (e.g. upgrades)

    26. Easy Management
       - Easy Exchange Encryption: authorized users can access encrypted removable devices outside the company without the need to install any software and without administrative privileges
       - Offline updates: send updates to computers not connected to the network using a file
       - Enhanced policy management: device grouping options, media grouping options, increased audit roles, customized comments per device
       - Multilingual client interface: the client language changes based on regional settings
       - Real-time push of access policies
       - Learning mode: permissions can be attached to the root of the Device Explorer tree and apply to all devices that the user(s)/group(s) use
       - Event notification: customized user message when access is denied

    27. Device Discovery
       - The Sanctuary Device Scanner: a system service scanning the network at predefined intervals for unknown devices
       - Works clientless
       - Intuitive user interface
       - Creates template-based HTML reports
       - XML export interface

    28. Easy Deployment
       - Silent & unattended install of the MSI package via:
         - SDC's own deployment tool: fast & easy; extra information such as client status, present OS and Service Pack
         - Any MSI-compatible deployment tool: MS SMS, NetInstall, ZENworks, Group Policies, batch file / script
       - Deployment of the Sanctuary clients: the Sanctuary® clients can be deployed without a server available, optionally setting initial permissions
       "The timeframe of a few days for the implementation is actually too high. In reality only a few hours were needed. Easy Management was not an empty marketing statement but we can confirm it." Detlef Ebert, IT Operations Center, ING DiBa

    29. Sanctuary Modular Offering Overview
       - Sanctuary Device Control - Base (SDCSTD)
       - Audit Only Module (SDASTD)
       - Encryption Add-on (SDESTD)
       - Uplift (SDAUPL)
       - Sanctuary Device Control - Enterprise (SDCENT)
       - Sanctuary Suite (SACSDC)
       - Sanctuary Application Control (SACSTD), the Sanctuary Application Control offering

    30. Sanctuary Modular Offering Features Overview
       - Sanctuary Device Control - Audit Only: includes full installation components (server side & agent); all I/O device usage is allowed, no enforcement is possible; audit features include logging of user actions, shadowing of copied data (patented shadowing technology), reporting to third-party systems and use of the Sanctuary Device Scanner
       - Sanctuary Device Control - Base: includes all SDC enforcement features except the media encryption ones; an uplift option is available from "Audit Only"
       - Sanctuary Device Control - Encryption Add-on: Sanctuary Device Control - Base is a prerequisite; management of unique and encrypted devices with AES-256; an SDC bundle SKU for SDC - Enterprise to sell SDC - Base with the Encryption Add-on

    31. Sanctuary Device Control Audit-Only Requirements
       - Non-blocking mode for devices is required before the agent is deployed to hosts.

    32. Sanctuary Device Control Audit-Only Requirements
       - The Device Log option needs to be set to "Enabled".

    33. Thank You
       For more information, please call: United States +1 480 970-1025 (option 1); United Kingdom +44 (0) 1908 357 897; Luxembourg +352 265 354 11; Singapore +65 6725 6415; or visit us on the web at