Organizations must manage and secure a large, complex, globally distributed, remote and mobile computing environment, all of it accessing corporate assets housed within the corporate network as well as corporate assets and resources housed and maintained in third-party service providers’ infrastructure.
The use of these Web 2.0 technologies is pervasive across all industries. Application use of all types is consistent irrespective of geography or industry, yet the level of risk varies by industry: application usage is remarkably consistent between financial and healthcare networks and universities or other traditionally open networks, but the risks are much greater in many cases. Overshadowing the frequency of usage is the increased intensity of usage, measured by bandwidth consumed per organization; bandwidth consumed by social networking applications across the surveyed organizations was nearly 3 terabytes (TB). Use of social networking within the healthcare and financial services industries was consistent with other industries, yet the implied business and security risks are quite different. Employees treat social networking at work as an assumed right, so reining in its use as a means of protecting data may introduce employee dissatisfaction, or worse, employees may find a way around the control mechanisms. Instant messaging, although often allowed for business purposes, can open an organization to attack when as many as 12 to 15 different IM technologies are in use in the same organization. IT’s challenge is enabling its end users while still protecting them.
The browser is delivering unprecedented levels of business productivity, and of IT risk, to your endpoint environment every day. Most organizations can’t stop it: the business wants the productivity, and a younger workforce blends social, business and personal communications together as one. Social networking applications are in use in 95% of businesses today; 78% of these applications support file transfer, many are known propagators of malware, and many have vulnerabilities associated with them. Industries like financial services and healthcare show the same 95% usage of social networking across the board. Cybercriminals are targeting these social applications, and their greatest opportunity is the amount of trust end users put in them: once in, they can replicate their malware with amazing speed and devastating impact. Once we are talking about browser-based risk we are in reality starting to talk about cloud computing, and there isn’t anyone in IT today who hasn’t heard of or discussed cloud computing.
The web continues to be a common path of infection. Among web-based malware, we distinguish auto-executed “drive-by downloads” from those involving user interaction. Many of the latter incorporate a social engineering aspect (“click to clean your system”). The web installation vector is more opportunistic in nature than the “installed by attacker” variety, which usually targets a pre-selected victim. Once the system is infected, the malware alerts an external agent, who then initiates further attacks. The web is a popular vector for the simple reason that that is where the users are. Overly trusting browsers and users operating with administrative privileges only add to this popularity. While not extremely common, we did observe several cases in which malware was coded directly into an existing program or script. This, of course, requires access to the system but also knowledge of how the code works. Not surprisingly, these often involve malicious insiders who developed the code or administer the system on which it runs. However, a few very interesting cases of this type were committed by outsiders. One of these involved an external agent who had access to the system for over six months. During this time, he studied the input/output process and developed a custom script to siphon data when new accounts were created.
Vulnerabilities affecting a typical end-user PC almost doubled from 2007 to 2009, from 220 to 420, and the count is expected to double again in 2010 (Secunia Half Year Report 2010). A PC with 50 programs installed had 3.5 times more vulnerabilities in its 24 third-party programs than in its 26 Microsoft programs, and this ratio is expected to rise to 4.4 in 2010 (Secunia Half Year Report 2010). The vulnerability and patch management cycle has five steps:
• Discover: gain complete visibility of all IT assets, both managed and unmanaged.
• Assess: perform deep and thorough OS, application and security configuration vulnerability assessments.
• Prioritize: focus on the most critical security risks first.
• Remediate: automatically deploy patches to the entire network per defined policy, across all OSes and applications.
• Report: provide operational and management reports that consolidate discovery, assessment and remediation information on a single management console.
The new way of thinking means nothing will execute unless we know it is trusted. This shift requires asking new questions about every change coming into the IT environment: where did this application come from, who or what installed it, and which vendor wrote it?
Application control, or whitelisting, provides a new layer in the foundation for endpoint protection. Whitelisting is about identifying the known good and, by default, not letting anything that is not on the whitelist execute. Simply put, any executable (a business application, a video driver, a web browser plug-in) that is not specified on the whitelist cannot load and run. It is the most effective security layer because it prevents execution at the kernel level, before the code runs.
Key Strategies to Address Rising Application Risk in Your Enterprise
Today’s Speakers: Paul Henry, Security & Forensics Analyst (MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI, CCE); Paul Zimski, VP of Solution Strategy, Lumension
Shifting IT Risk… from Servers and Operating Systems to Endpoints and Applications
IT Networks 2000: Static Networks [diagram: Corporate HQ, Remote Offices & Subsidiaries, WAN, Corporate Data Center]. Data centers used to house an organization’s critical information inside a safe and well-defined perimeter.
Changing Role of IT: Enabling the Use of New Technology
• Major shift for IT security
• It’s now IT’s job to say YES!
What Applications are Running on Your Endpoints? (Palo Alto Networks, The Application Usage and Risk Report, Spring 2010)

Use of Instant Messaging (all industries)
  Frequency detected: 95%
  Total bandwidth consumed: 2 TB
  Total # of variants detected: 62
  Underlying technology: 31 browser-based, 25 client-server, 6 peer-to-peer
  Avg # of variants per org: 12
  Top 5 most commonly detected: YahooIM, Facebook Chat, Gmail Chat, MSN, Meebo

Use of Social Networking (all industries)
  Frequency detected: 94%
  Total bandwidth consumed: 2.9 TB
  Total # of variants detected: 35
  Avg # of variants per org: 14
  Top 5 most commonly detected: Facebook, Twitter, Myspace, LinkedIn, Flixster
Growing Application-Centric Risk
• Social networking applications were detected in 95% of organizations.*
• 78% of Web 2.0 applications support file transfer.*
• 2/3 of applications have known vulnerabilities.*
• 28% of applications were known to propagate malware.*
* Palo Alto Networks Application Survey 2009, 2010
Increasing # of Web App Vulnerabilities (chart; source: IBM X-Force)
Patching Client-Side Apps Now #1 Priority
• The problem of unpatched client-side vulnerabilities is one of the two most pressing priorities organizations need to address to mitigate cyber security risks.
• Most organizations today take at least twice as long to patch third-party application vulnerabilities as they do to patch operating system vulnerabilities.
Source: SANS Institute, Top Cyber Security Risks, September 2009
Web Applications are the Leading Attack Path. The applications we use today for productivity (collaborative, browser-based, open source: social communities, gadgets, blogging and widgets) open up our networks to increasing risk every day. Source: Verizon, 2010 Data Breach Investigations Report
The Social Attack Vector Evolves (Source: Verizon, 2010 Data Breach Investigations Report)
Social Media has Changed the Attack Vector: Koobface, a botnet-driven operation
• Koobface is unleashed against member accounts with the help of CAPTCHA breakers, defeating the CAPTCHA protection on member accounts (sample CAPTCHA shown on the slide: smwm).
• The worm spreads via an address replicator; members trust downloads that appear to come from friends.
• Malware installed: pitches scareware, steals cookies, installs the Waledac email spamming engine, installs the ZeuS banking Trojan, and carries out click-through fraud.
• Ensure Endpoints are Patched & Configured
• Identify and Remove Known Malware from Endpoints
• Enforce Application Use Policies
Strategy 1: Ensure Endpoints are Updated
• The top security priority is “patching client-side software” (1)
  • Streamline patch management and reporting across OSes AND applications
• Patch and defend is not just a Microsoft issue
  • More than 2/3 of today’s vulnerabilities come from non-Microsoft applications
• Enforce policies to standardize and secure endpoint configurations against application risk
  • Leverage NIST (NVD/CVSS scores) and OVAL (vendor-neutral assessment checks), which provide non-biased vulnerability prioritization information
Source: 1 - SANS Institute
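The Discover/Assess/Prioritize/Remediate cycle from the speaker notes and the prioritization point in Strategy 1 are easier to see in code. The following is an added example, not Lumension’s product or the webinar’s own material: the inventory, the vulnerability feed, the EX-* identifiers (not real CVEs), the version numbers and the CVSS scores are all constructed for illustration. A real deployment would take the scores from NIST’s NVD and the installed-version checks from OVAL definitions; the ranking rule (known-exploited first, then CVSS, then breadth of exposure) is an assumption of this example.

```python
"""Assess and prioritise missing patches across an endpoint inventory.

Added example, not Lumension's product code. The feed and inventory are
constructed: EX-* identifiers are made up (not real CVEs), and versions and
CVSS scores are invented.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Vuln:
    vuln_id: str      # hypothetical identifier
    vendor: str
    product: str
    fixed_in: str     # first version that carries the fix
    cvss: float       # NVD-style CVSS base score, 0.0 to 10.0
    exploited: bool   # public exploit or in-the-wild exploitation reported


def parse_version(v: str) -> Tuple[int, ...]:
    """'9.3.10' -> (9, 3, 10): compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


# Constructed feed: mostly third-party client-side software, as on the page.
FEED = [
    Vuln("EX-0001", "Adobe", "Reader", "9.3.3", 9.3, True),
    Vuln("EX-0002", "Adobe", "Flash Player", "10.1.82", 9.3, True),
    Vuln("EX-0003", "Microsoft", "Internet Explorer", "8.0.7601", 7.6, False),
    Vuln("EX-0004", "Oracle", "Java", "6.0.21", 7.5, False),
    Vuln("EX-0005", "Microsoft", "Office", "12.0.6545", 9.3, False),
]

# Constructed inventory (the Discover step): host -> (vendor, product, version).
INVENTORY = {
    "ws-01": [("Adobe", "Reader", "9.3.0"), ("Adobe", "Flash Player", "10.0.45"),
              ("Microsoft", "Internet Explorer", "8.0.6001"), ("Oracle", "Java", "6.0.20")],
    "ws-02": [("Adobe", "Reader", "9.3.3"), ("Adobe", "Flash Player", "10.0.45"),
              ("Microsoft", "Internet Explorer", "8.0.7601"), ("Microsoft", "Office", "12.0.6535")],
    "ws-03": [("Adobe", "Reader", "9.3.0"), ("Oracle", "Java", "6.0.21"),
              ("Microsoft", "Office", "12.0.6545")],
}


def assess(inventory: Dict[str, list], feed: List[Vuln]) -> Dict[str, List[str]]:
    """Assess step: map vuln_id -> hosts running a version older than the fix."""
    exposed: Dict[str, List[str]] = defaultdict(list)
    for host, installed in inventory.items():
        for vendor, product, version in installed:
            for v in feed:
                if ((vendor, product) == (v.vendor, v.product)
                        and parse_version(version) < parse_version(v.fixed_in)):
                    exposed[v.vuln_id].append(host)
    return dict(exposed)


def prioritise(exposed: Dict[str, List[str]], feed: List[Vuln]) -> List[Tuple[str, int]]:
    """Prioritize step: exploited first, then CVSS, then number of hosts exposed."""
    by_id = {v.vuln_id: v for v in feed}
    ranked = sorted(exposed.items(),
                    key=lambda kv: (by_id[kv[0]].exploited, by_id[kv[0]].cvss, len(kv[1])),
                    reverse=True)
    return [(vid, len(hosts)) for vid, hosts in ranked]


def vendor_split(exposed: Dict[str, List[str]], feed: List[Vuln]) -> Dict[str, int]:
    """Count host-level exposures from Microsoft versus third-party software."""
    by_id = {v.vuln_id: v for v in feed}
    counts = {"Microsoft": 0, "third-party": 0}
    for vid, hosts in exposed.items():
        key = "Microsoft" if by_id[vid].vendor == "Microsoft" else "third-party"
        counts[key] += len(hosts)
    return counts


def patch_plan(exposed: Dict[str, List[str]], feed: List[Vuln]) -> Dict[str, List[Tuple[str, str]]]:
    """Remediate step: per host, the (product, minimum version) updates to push."""
    by_id = {v.vuln_id: v for v in feed}
    plan: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for vid, hosts in exposed.items():
        for host in hosts:
            plan[host].append((by_id[vid].product, by_id[vid].fixed_in))
    return dict(plan)


if __name__ == "__main__":
    found = assess(INVENTORY, FEED)
    for vid, n in prioritise(found, FEED):
        print(f"{vid}: {n} host(s) exposed")
    print("exposures by vendor:", vendor_split(found, FEED))
    for host, updates in patch_plan(found, FEED).items():
        print(host, "->", updates)
```

On this constructed data five of the seven host-level exposures are in non-Microsoft software, which is the “more than 2/3” point of Strategy 1. Note that version comparison must be numeric: a string compare would rank 9.3.10 below 9.3.9 and silently report a patched host as exposed.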
Adobe Application Support: Adobe Reader, Adobe Flash Player, Adobe Shockwave Player, Adobe Acrobat Pro, Adobe Photoshop, Adobe AIR, Adobe InDesign. Lumension has more coverage than any other patch vendor!
Manage Online AND Offline Endpoints: improve operations and reduce power consumption with Wake-On-LAN
• Allow maintenance of systems that are powered down
  • Deliver critical patches and updates to offline machines
  • Eliminate blind spots in ongoing network maintenance
  • Improve your security posture
• Enhanced WOL relay architecture
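Wake-On-LAN is a small, unauthenticated protocol, and it is worth seeing exactly what a patch server puts on the wire and why a relay is needed. The block below is an added example, not Lumension’s relay code: it builds the magic packet (6 bytes of 0xFF, then the target MAC repeated 16 times, optionally a 4- or 6-byte SecureOn password), validates a received payload the way a sensor would, and optionally broadcasts it over UDP. The MAC address in the demo is made up.

```python
"""Build, validate and (optionally) send a Wake-on-LAN magic packet.

Added example, not Lumension's relay implementation. MAC addresses used in
the demo are constructed.
"""
import re
import socket
from typing import Optional

SYNC = b"\xff" * 6   # synchronisation stream that opens every magic packet


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes.fromhex(digits)


def magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Assemble the payload. SecureOn is a weak shared secret, not authentication."""
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return SYNC + parse_mac(mac) * 16 + password


def is_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC if payload contains a well-formed magic packet, else None.

    The sync stream may sit anywhere in the payload, so scan for it. This is the
    detection-side view: any host on the broadcast domain can wake any other, so
    WoL seen on a segment that should never carry it deserves an alert.
    """
    start = payload.find(SYNC)
    while start >= 0:
        body = payload[start + 6: start + 6 + 16 * 6]
        if len(body) == 96 and body == body[:6] * 16:
            return ":".join(f"{b:02x}" for b in body[:6])
        start = payload.find(SYNC, start + 1)
    return None


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255",
                      port: int = 9, password: bytes = b"") -> int:
    """Broadcast the packet on the local segment; returns the byte count sent.

    Broadcasts do not cross routers, which is why a per-subnet relay agent is
    needed to reach powered-down machines in remote offices.
    """
    pkt = magic_packet(mac, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


if __name__ == "__main__":
    pkt = magic_packet("00:11:22:33:44:55")   # constructed MAC address
    print(len(pkt), "bytes; decodes to", is_magic_packet(b"junk" + pkt + b"junk"))
```

The practitioner’s caveat: nothing in the packet proves who sent it, so a WoL relay is a broadcast-domain power switch that anyone on the segment can press. Restrict which hosts may run the relay, and have the patch job that follows the wake-up authenticate the endpoint rather than trusting that it woke because the patch server asked.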
Strategy 2: Identify & Remove Known Malware
• Make sure AV signatures are updated
• An important layer in your approach, but not effective stand-alone
• A time-tested approach to identify and remove known malware
• Remove any known threats before the endpoint is locked down with a whitelist, so that malware is not baselined as “known good”
Methods to Clean Endpoints
• Traditional AV scanning
• DNA partial pattern recognition
• Exploit detection
• Sandbox analysis
Strategy 3: Enforce Application Use Policies
Three policy models (Gartner Research): Block Known Bad, Allow Everything Else; Learned (Adaptive); Allow Known Good, Block Everything Else
• The approach to endpoint security must be based on defense-in-depth to effectively address targeted and blended threats
  • Antivirus shifts to after-the-fact cleanup
  • Application whitelisting must support change over time
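The whitelisting model from the speaker notes (nothing runs unless it is known and trusted; ask where it came from and who installed it) and the three policy models in Strategy 3 can be shown side by side. What follows is an added example, not Lumension’s enforcement engine, which hooks execution in the kernel; this user-space model only reproduces the policy decision. The file names and contents are constructed, and the “trusted updater” rule (files written by an approved installer inherit trust, which is how the list supports change over time) is an assumption of this example rather than a description of any product.

```python
"""Default-deny application control beside a signature-style blocklist.

Added example, not a vendor's enforcement engine. Files, contents and the
'trusted updater' rule are constructed assumptions.
"""
import hashlib
import os
import tempfile
from typing import Dict, Set, Tuple


def sha256_of(path: str) -> str:
    """An executable's identity is its content hash, never its name or path."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class AppControl:
    def __init__(self, mode: str) -> None:
        self.mode = mode                          # "blocklist", "allowlist" or "learning"
        self.allow: Dict[str, str] = {}           # hash -> provenance (who installed it, vendor)
        self.block: Set[str] = set()              # hashes of known malware, AV-style
        self.trusted_updaters: Set[str] = set()   # installers allowed to extend the list

    def trust(self, path: str, provenance: str) -> str:
        h = sha256_of(path)
        self.allow[h] = provenance
        return h

    def ban(self, path: str) -> None:
        self.block.add(sha256_of(path))

    def trust_updater(self, path: str) -> None:
        self.trusted_updaters.add(self.trust(path, "trusted updater"))

    def on_file_written(self, writer: str, new_file: str) -> None:
        """Change over time: files dropped by a trusted updater inherit trust.
        Anything else stays unknown and is denied in allowlist mode until reviewed."""
        w = sha256_of(writer)
        if w in self.trusted_updaters:
            self.allow[sha256_of(new_file)] = f"installed by trusted updater {w[:12]}"

    def decide(self, path: str) -> Tuple[str, str]:
        """Return (decision, reason) for an execution attempt."""
        h = sha256_of(path)
        if h in self.block:                       # known bad is denied in every mode
            return "deny", "known malware"
        if self.mode == "blocklist":              # the gap: unknown code runs
            return "allow", "not on blocklist"
        if h in self.allow:
            return "allow", self.allow[h]
        if self.mode == "learning":               # baseline build; clean the box first (Strategy 2)
            self.allow[h] = f"learned from {os.path.basename(path)}; review before lock-down"
            return "allow", self.allow[h]
        return "deny", "not on allowlist"         # default deny


def demo() -> Dict[str, str]:
    """Constructed scenario: the same binaries under both policies."""
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as d:
        def drop(name: str, content: bytes) -> str:
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            return p
        good = drop("erp.exe", b"MZ business app 4.2")
        bad = drop("toolbar.exe", b"MZ known malware")
        unknown = drop("game.exe", b"MZ unknown download")
        updater = drop("vendor-update.exe", b"MZ vendor updater")

        bl = AppControl("blocklist")
        bl.ban(bad)
        results["blocklist:bad"] = bl.decide(bad)[0]
        results["blocklist:unknown"] = bl.decide(unknown)[0]

        al = AppControl("allowlist")
        al.ban(bad)
        al.trust(good, "installed by IT; vendor build 4.2")
        al.trust_updater(updater)
        results["allowlist:good"] = al.decide(good)[0]
        results["allowlist:unknown"] = al.decide(unknown)[0]
        results["allowlist:bad"] = al.decide(bad)[0]
        patched = drop("erp-4.3.exe", b"MZ business app 4.3")
        results["allowlist:update-before-trust"] = al.decide(patched)[0]
        al.on_file_written(updater, patched)      # the vendor updater wrote it
        results["allowlist:update-after-trust"] = al.decide(patched)[0]
        dropped = drop("child.exe", b"MZ dropped by game.exe")
        al.on_file_written(unknown, dropped)      # an untrusted process wrote it
        results["allowlist:dropped-by-unknown"] = al.decide(dropped)[0]
    return results
```

The two policies differ on exactly one case, the unknown binary: the blocklist runs it, the allowlist refuses it. The learning mode exists to build the initial baseline, and it will happily learn whatever is already on the box, which is why Strategy 2 (remove known malware first) precedes lock-down.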
Summary
• For endpoints to be secure they have to be well managed
  • Enforce security policy without disrupting business productivity
    • IT will be asked to support applications that it doesn’t own or control
    • Balance users’ freedom with IT’s need for control
  • Ensure software and endpoints are free of known malware and up to date
  • Build and maintain the whitelist