Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Traditional endpoint protection solutions have become the punching bag of security. And for good reason. Traditional solutions, including blacklisting and signature-based antivirus, have not kept pace in combating advanced threats and zero-day attacks. Organizations are left defenseless.

A new approach is needed that understands the lifecycle of today’s advanced attacks, providing capabilities to assess devices, prevent attacks, detect compromise, investigate the incident and finally remediate the environment.

View the full on-demand webcast: https://www.youtube.com/watch?v=Xyw-SV9v9dg

1. Re-defining Endpoint Protection
   © 2014 IBM Corporation, IBM Security
   Mike Rothman, Securosis; Andy Land, IBM

2. Re-defining Endpoint Protection
   Mike Rothman, President
   mrothman@securosis.com
   Twitter: @securityincite
   Advanced Endpoint and Server Protection: Tactics and Techniques

3. About Securosis
   • Independent analysts with backgrounds on both the user and vendor side.
   • Focused on deep technical and industry expertise.
   • We like pragmatic.
   • We are security guys – that’s all we do.

4. How customers view Endpoint Protection
   • Compliance is the main driver for endpoint protection.
   • Whether it works or not is not the issue.
   • And to be clear, traditional anti-malware technology doesn’t work anymore.
   http://flic.kr/p/9kC2Q1

5. Milking the AV Cash Cow
   • Add incremental functions:
     • HIPS/Heuristics
     • “Crowd-sourcing” threats
     • File reputation
     • Endpoint hygiene

6. Threat Management Reimagined

7. Prevention
   Next you try to stop an attack from being successful. This is where most of the effort in security has gone for the past decade, with mixed (okay, lousy) results. A number of new tactics and techniques are modestly increasing effectiveness, but the simple fact is that you cannot prevent every attack. It has become a question of reducing your attack surface as much as practical. If you can stop the simplistic attacks you can focus on more advanced ones.

8. Adversaries: Better and Better
   • Advanced malware
   • Polymorphism
   • Sophisticated targeting
   • Professional processes
   http://www.flickr.com/photos/dzingeek/4587871752/

9. The Negative Security Model
   http://www.despair.com/tradition.html

10. Traditional AV
   Detection of advanced attacks is still problematic if detection is restricted to matching files at runtime. You have no chance to detect zero-day or polymorphic malware attacks.

11. You don’t know what malware is going to look like... But you DO know what software should and should not do. This calls for Advanced Heuristics.

12. Advanced Heuristics
   Heuristics have evolved to recognize normal application behavior. This dramatically improves accuracy because rules are built and maintained at the level of a specific application.

13. Look for what?
   • Executables/dependencies
   • Injected threads
   • Process creation
   • System file/configuration/registry changes
   • File system changes
   • OS level functions including print screen, network stack changes, key logging, etc.
   • Turning off protections
   • Account creation and privilege escalation
   http://flic.kr/p/6Yz7MB
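The two slides above describe application-level heuristics: a baseline of what each application normally does, with the behaviors listed on slide 13 as the things to watch for. The following is an added example (not code from the slides, from Securosis, or from any vendor product) that runs such rules over a constructed stream of endpoint events. The event shape, the process names, the registry paths and the baseline profiles are all assumptions made for illustration; a real product maintains these per application and from far richer telemetry.

```python
"""Application-level behavioural heuristics run over a constructed endpoint event stream.

Added example, not from the slides or any product. Each Profile states what an
application is expected to do (child processes, registry areas, whether it injects
threads). Events outside the profile, or in the always-suspect categories the slide
lists (persistence keys, account creation, disabling protections), become findings.
"""
from dataclasses import dataclass, field


@dataclass
class Event:
    kind: str         # process_create | thread_inject | registry_set | account_create | protection_off
    actor: str        # image name of the process performing the action
    target: str = ""  # child image, injected process, registry value path, account or protection name


@dataclass
class Profile:
    allowed_children: set = field(default_factory=set)
    allowed_registry_prefixes: tuple = ()
    may_inject: bool = False


# Constructed baseline profiles (assumed normal behaviour, not vendor-maintained rules).
PROFILES = {
    "winword.exe": Profile(
        allowed_children={"splwow64.exe"},
        allowed_registry_prefixes=("HKCU\\Software\\Microsoft\\Office\\",),
    ),
    "svchost.exe": Profile(
        allowed_children={"wuauclt.exe"},
        allowed_registry_prefixes=("HKLM\\SYSTEM\\",),
    ),
}
NO_PROFILE = Profile()  # unknown application: only the always-suspect checks apply

# Registry locations that grant persistence regardless of which application writes them.
PERSISTENCE_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")


def evaluate(events):
    """Return (actor, rule, target) findings for events that fall outside the profiles."""
    findings = []
    for e in events:
        profile = PROFILES.get(e.actor.lower(), NO_PROFILE)
        if e.kind == "process_create":
            if e.target.lower() not in profile.allowed_children:
                findings.append((e.actor, "unexpected child process", e.target))
        elif e.kind == "thread_inject":
            if not profile.may_inject:
                findings.append((e.actor, "thread injected into another process", e.target))
        elif e.kind == "registry_set":
            if any(key in e.target for key in PERSISTENCE_KEYS):
                findings.append((e.actor, "persistence registry key modified", e.target))
            elif profile.allowed_registry_prefixes and not e.target.startswith(profile.allowed_registry_prefixes):
                findings.append((e.actor, "registry change outside application profile", e.target))
        elif e.kind == "account_create":
            findings.append((e.actor, "local account created", e.target))
        elif e.kind == "protection_off":
            findings.append((e.actor, "security protection disabled", e.target))
    return findings


# Constructed sample events: a document spawning a shell, a normal print helper, a
# benign settings write, a persistence write, a thread injection, an account creation,
# and a disabled protection.
SAMPLE_EVENTS = [
    Event("process_create", "winword.exe", "powershell.exe"),
    Event("process_create", "winword.exe", "splwow64.exe"),
    Event("registry_set", "winword.exe", "HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Options"),
    Event("registry_set", "winword.exe", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
    Event("thread_inject", "svchost.exe", "lsass.exe"),
    Event("account_create", "net.exe", "backup_svc"),
    Event("protection_off", "unknown.exe", "real-time protection"),
]

if __name__ == "__main__":
    for actor, rule, target in evaluate(SAMPLE_EVENTS):
        print(f"{actor}: {rule} -> {target}")
```

The accuracy gain the slide claims comes from the per-application profile: the same registry write is normal for the word processor's own settings area and a finding when it lands in a Run key, and a child process is judged against what that particular parent is expected to launch rather than against a global list.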
14. Application Control
   • Define a set of authorized executables that can run on a device, and block everything else.
   • Flexible “trust” model to offer a “grace” period to install s/w
     • Authorized publishers, trusted employees, etc.
   • Though more flexible trust models weaken security…
   http://flic.kr/p/97Kqk8
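To make the trade-off on the slide concrete, here is an added example (not code from the slides, from Securosis, or from any product) that judges the same set of execution requests under a strict allowlist and under a flexible trust model with trusted publishers and a grace period for trusted installers. Hashes, publisher names, user names, paths and timestamps are constructed; the signer name is assumed to have been verified already, which is where a real implementation does most of its work.

```python
"""Application control: the same execution requests judged under a strict and a flexible trust model.

Added example, not from the slides or any product. Strict mode allows only files whose
hash is on the allowlist; flexible mode also accepts trusted publishers and a grace
period for software placed on disk by a trusted employee, which widens what may run
(the weakening the slide warns about). Everything not matched is blocked.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class ExecRequest:
    path: str
    content: bytes             # file bytes as read at execution time, so tampering changes the hash
    publisher: Optional[str]   # verified signer name, or None if unsigned / signature invalid (assumed)
    installed_by: str          # account that placed the file on disk (assumed known)
    installed_at: datetime


@dataclass
class Policy:
    allowed_hashes: set = field(default_factory=set)
    trusted_publishers: set = field(default_factory=set)
    trusted_installers: set = field(default_factory=set)
    grace_period: timedelta = timedelta(0)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide(req: ExecRequest, policy: Policy, now: datetime):
    """Return ("ALLOW" | "BLOCK", reason) for one execution request; the default is deny."""
    if sha256_hex(req.content) in policy.allowed_hashes:
        return "ALLOW", "hash on allowlist"
    if req.publisher is not None and req.publisher in policy.trusted_publishers:
        return "ALLOW", f"signed by trusted publisher {req.publisher}"
    if (req.installed_by in policy.trusted_installers
            and timedelta(0) <= now - req.installed_at <= policy.grace_period):
        return "ALLOW", f"within grace period for installs by {req.installed_by}"
    return "BLOCK", "not on allowlist, not from a trusted publisher, no grace period applies"


def decide_all(requests, policy, now):
    """Map each request path to its decision so two policies can be compared side by side."""
    return {r.path: decide(r, policy, now)[0] for r in requests}


APPROVED_BYTES = b"approved-tool-v1"  # constructed stand-in for an authorized binary
NOW = datetime(2014, 5, 1, 12, 0)

# Constructed sample requests: an approved binary, a tampered copy of it, a signed vendor
# update, a fresh and a stale install by a trusted employee, and an unsigned file from
# an untrusted account.
REQUESTS = [
    ExecRequest("approved.exe", APPROVED_BYTES, None, "deploy", NOW - timedelta(days=30)),
    ExecRequest("tampered.exe", APPROVED_BYTES + b"X", None, "deploy", NOW - timedelta(days=30)),
    ExecRequest("vendor_update.exe", b"vendor-update-v2", "Example Vendor", "deploy", NOW - timedelta(days=1)),
    ExecRequest("new_util.exe", b"new-util", None, "alice", NOW - timedelta(hours=2)),
    ExecRequest("stale_util.exe", b"stale-util", None, "alice", NOW - timedelta(days=10)),
    ExecRequest("dropper.exe", b"dropper", None, "bob", NOW - timedelta(minutes=5)),
]

STRICT = Policy(allowed_hashes={sha256_hex(APPROVED_BYTES)})
FLEXIBLE = Policy(
    allowed_hashes={sha256_hex(APPROVED_BYTES)},
    trusted_publishers={"Example Vendor"},
    trusted_installers={"alice"},
    grace_period=timedelta(hours=72),
)

if __name__ == "__main__":
    for name, policy in (("strict", STRICT), ("flexible", FLEXIBLE)):
        print(name, decide_all(REQUESTS, policy, NOW))
```

Under the strict policy only the exact approved binary runs; the flexible policy additionally admits the signed vendor update and the trusted employee's fresh install, and that extra set is precisely the surface a publisher compromise or a misused employee account would exploit. Either way the tampered copy is blocked because the hash is computed over the bytes actually executed.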
15. Application Control Use Cases
   • Servers
   • Fixed function devices
   • High value endpoints

16. Isolation
   Spin up a walled garden to run applications. If an app is compromised (detected using advanced heuristics), the sandbox prevents the application from accessing core device features such as the file system and memory, and prevents the attacker from loading additional malware.

17. Old concept, New Packaging
   • Isolation is not new. VMs have been in use by sophisticated users for years.
   • Isolation still needs to use some O/S level services, which provides attack surface.
   • VM (or isolation) aware malware stays dormant.
   • Sophisticated evasion techniques are emerging: human interaction, timers, process hiding, etc…

18. Choosing Prevention
   • What kind of adversaries do you face?
   • Which applications are most frequently used?
   • How disruptive will employees allow the protection to be?
   • What percentage of devices have been replaced in the past year?

19. Understanding Effectiveness
   • Hype, religion and snake oil will be common as vendors look to establish their approach as “best.”
   • Comparative tests are frequently gamed; they provide one data point.
   • Look for testing outliers and go on from there.
   http://flic.kr/p/7SrgR3

20. Summary
   • Advanced protection requires a broader view of threat management.
   • Innovation on endpoint/server prevention will accelerate.
   • Shift investment from ineffective legacy prevention to more effective advanced prevention, detection and investigation.
   http://www.flickr.com/photos/74571262@N08/6710953053/

21. Read our stuff
   • Blog: http://securosis.com/blog
   • Research: http://securosis.com/research
   • We publish (almost) everything for free.
   • Contribute. Make it better.

22. Mike Rothman, Securosis LLC
   mrothman@securosis.com
   http://securosis.com/blog
   Twitter: @securityincite
23. Trusteer Apex

24. Are you fighting a losing battle?
   IBM Internal Use Only
   • Humans will always make mistakes.
   • System and application vulnerabilities continue to emerge.
   • Malware detection will always lag.

25. Do you have the right weapons?
   IBM Confidential until May XY, 2014
   Fragmented market with point products
   • Endpoint protection market is highly fragmented with many point solutions, e.g., sandboxing, application control, whitelisting.
   Major security control gaps
   • Existing products offer no controls for major attack vectors, e.g., zero-day exploits, applicative Java attacks.
   Challenging manageability and operations
   • Advanced threat solutions are difficult and costly to operate.
   • Difficult to scale manual remediation processes to thousands of enterprise endpoints.
   • High false positive rates.
   • Whitelisting processes on endpoints are non-manageable.

26. Trusteer Apex: Preemptive, low-impact defense for enterprise endpoints
   • Advanced multi-layered defense: comprehensive endpoint defense against advanced threats.
   • Dynamic intelligence: advanced threat intelligence collected from tens of millions of endpoints.
   • Low operational impact: low overhead on IT / security teams, transparent to end users.

27. Apex multi-layered defense architecture
   • Global Threat Research and Intelligence: global threat intelligence delivered in near-real time from the cloud.
   • Threat and Risk Reporting: vulnerability mapping and critical event reporting.
   • Advanced Threat Analysis and Turnkey Service.
   • Credential Protection: alert and prevent phishing and reuse on non-corporate sites.
   • Exploit Chain Disruption: prevent infections via exploits; zero-day defense by controlling the exploit-chain choke point.
   • Cloud Based File Inspection: legacy protection against known viruses; consolidates over 20 AV engines for maximal efficacy and operational simplicity.
   • Malicious Communication Prevention: block malware communication, disrupt C&C control, prevent data exfiltration.
   • Lockdown for Java: prevent high-risk actions by malicious Java applications.
   Three of these components are marked NEW on the slide.

28. Controlling exploit-chain chokepoints
   Figure (chart, number of types against attack progression): stages are pre-exploit, delivery of weaponized content, exploitation of app vulnerability, malware delivery, malware persistency, execution and malicious access to content, establishing communication channels, and data exfiltration. Categories plotted, each rated “Many” or “Endless” in number of types: weaponized content (IPS, sandbox), unpatched and zero-day vulnerabilities (patching), malicious files (antivirus, whitelisting), malicious behavior activities (HIPS), destinations (C&C traffic detection). Apex controls placed at the strategic chokepoints: Exploit Chain Disruption, Lockdown for Java and Malicious Communication Blocking, alongside File Inspection, Endpoint Vulnerability Reporting and Credential Protection.

29. Low operational impact: advanced threat analysis and turnkey service
   Eliminate the traditional security team approach (detect, notify, and manually resolve).
   • Low-footprint threat prevention: minimize impact by blocking only the most sensitive actions.
   • Exceptional turnkey service: centralized risk assessment service.
   • Low impact to IT security team: directly update endpoint users.

30. Dynamic intelligence: crowd-sourced expertise in threat research and dynamic intelligence
   Global Threat Research and Intelligence
   • Combines the renowned expertise of X-Force with Trusteer malware research.
   • Catalog of 70K+ vulnerabilities, 17B+ web pages, and data from 100M+ endpoints.
   • Intelligence databases dynamically updated on a minute-by-minute basis.
   Real-time sharing of Trusteer intelligence (NEW): phishing sites, URL/web categories, IP/domain reputation, exploit triage, malware tracking, zero-day research.

31. Client example: Major heavy equipment manufacturer
   Protecting endpoints against advanced threats and malware
   Business challenge
   • Protect 10,000 endpoints in multiple international locations.
   • Provide remote access to suppliers, contractors and employees.
   • Prevent IP and technology data theft.
   IBM Security Solution: Trusteer Apex (Advanced Threat Protection)
   Trusteer Apex protects endpoints throughout the threat lifecycle by applying an integrated, multi-layered defense to prevent endpoint compromise for both managed and remote endpoints. Threats are continually analyzed and protections provided by Trusteer’s turnkey service.
   Discovered 32 threats and 100 suspicious activities within weeks of deployment despite other security products.

32. Apex is essential to the IBM Threat Protection System
   IBM Confidential - NDA until May 5, 2014
   Open Integrations: ready for the IBM Security Intelligence Ecosystem
   • Trusteer Apex (endpoint exploit chain disruption): Java Lockdown Protection, granular control of untrusted code, cloud-based file inspection, and QRadar integration. NEW
   • IBM Security Network Protection XGS (smarter prevention): Advanced Threat Quarantine integration from QRadar and third-party products, inclusion of Trusteer intelligence into XGS. NEW
   • IBM Security QRadar Security Intelligence: Data Node appliance, new flow and event APIs, and QRadar Vulnerability Manager scanning improvements. NEW
   • IBM Security QRadar Incident Forensics (continuous response): integrated forensics module with full packet search and visual reconstruction of relationships. NEW
   • IBM Emergency Response Services (continuous response): increased global coverage and expertise related to malware analysis and forensics. NEW
   • IBM X-Force Threat Intelligence: new real-time sharing of Trusteer threat intelligence from 100M+ endpoints with X-Force Global Threat Intelligence. NEW
   • Partners: new functionality from partners including FireEye, TrendMicro, Damballa and other protection vendors.

33. Introducing IBM Trusteer Apex: Re-defining endpoint protection for the advanced threat landscape
   Trusteer Fast Facts:
   • Acquired by IBM August 2013: adds endpoint protection capabilities to the IBM Security Portfolio.
   • Unique integrations: integrated into the IBM Threat Protection System.
   • Advanced threat defense leaders: analyzing and preventing APTs for the last 8 years.
34. Disclaimer
   Please Note: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

35. www.ibm.com/security
   © Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
   Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.