Combating malware threats
© 2014 Property of JurInnov Ltd. All Rights Reserved
Eric A. Vanderburg, MBA, CISSP
Director, Information Systems and Security
Computer Forensic and Investigation Services
Outline
• Security model
• Malicious software
• Countering malware threats
– Whitelisting
– Behavioral detection
– Automatic execution detection
Security model
• Select security products that provide maximum security
without significantly impacting productivity
• Have a security model capable of handling direct attack
of security solutions present on endpoints
– Have a security model with fail-safe protection
– Consider security products that use obfuscation
– Consider security solutions that are less prominent
• Be willing to adapt your security model to address a
quickly evolving threat landscape
Malicious software
• Malicious software development is a for-profit
business
• There are more threats today than ever before
• Threats today are designed to bypass the most
prominent security solutions
Security trade-offs
• System performance and resource consumption
• Impact on end-user productivity
• Increased IT administration requirements
One step ahead
• Malicious software developers are familiar with
emerging security techniques
• Malicious software developers can respond
faster than security vendors
• Companies are slow to adopt new security
solutions
Security solution adoption
• No need to bypass security solutions that were
never installed
• Malicious software developers can impede
solution adoption
• Threats can create false positives that break
legitimate software
• Threats can increase the hassle of administering new
security solutions
Application whitelisting
• Opposite of signature-based approach
• Unknown executable binaries are considered malicious
• Usually has three different modes of operation: Lockdown,
Prompt, or Audit
• Many threats require launching binaries
• Effectively stops unknown binaries from executing
• Protects against threats signature-based solutions
cannot
• Does not detect threats that are present at time of
installation
Application whitelisting
• Does not detect threats running inside of approved processes
• May not detect malicious scripts
• Exploit features designed to increase the usability of whitelisting
solutions
• File system filter drivers can negatively impact performance
• Rarely compatible with other security solutions
• End-users may not have the flexibility necessary to perform their
jobs
• Administering automated installations and updates can be a hassle
• Modify legitimate files on disk to get whitelisting solution to prohibit
execution
• Break the ability to easily install or update software
• Degrade system performance
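The three operating modes and the "modify legitimate files on disk" caveat above, as an added Python example (not code from the slides or from any JurInnov product): a hash-based whitelist evaluated in Lockdown, Prompt and Audit mode against a constructed sample file; the whitelist, the ask_user callback and the sample file are assumptions.

```python
import hashlib
import logging
import os
import tempfile

# Modes from the slide: Lockdown blocks, Prompt defers to the user, Audit only logs.
LOCKDOWN, PROMPT, AUDIT = "lockdown", "prompt", "audit"

def sha256_of(path):
    """Hash file contents; the whitelist keys on the hash, not the file name."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def decide(path, whitelist, mode, ask_user=lambda p: False):
    """Return 'allow', 'block' or 'logged' for one execution request.

    ask_user is an assumed Prompt-mode callback, not a real product API.
    """
    if sha256_of(path) in whitelist:
        return "allow"
    if mode == LOCKDOWN:
        return "block"
    if mode == PROMPT:
        return "allow" if ask_user(path) else "block"
    logging.warning("audit: unknown binary %s would have been blocked", path)
    return "logged"  # Audit mode: execution proceeds, the event is recorded

def demo():
    """Constructed scenario: a known tool, then the same file modified on disk."""
    with tempfile.TemporaryDirectory() as d:
        tool = os.path.join(d, "tool.exe")
        with open(tool, "wb") as f:
            f.write(b"MZ constructed legitimate tool")
        whitelist = {sha256_of(tool)}
        before = decide(tool, whitelist, LOCKDOWN)
        # Modifying a legitimate file on disk changes its hash, so the whitelist
        # now prohibits the tool itself (the second whitelisting slide's caveat).
        with open(tool, "ab") as f:
            f.write(b"\x90 constructed tampering")
        after = decide(tool, whitelist, LOCKDOWN)
        audit = decide(tool, whitelist, AUDIT)
        prompt = decide(tool, whitelist, PROMPT, ask_user=lambda p: True)
        return before, after, audit, prompt

if __name__ == "__main__":
    print(demo())  # ('allow', 'block', 'logged', 'allow')
```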
Behavioral detection
• Instead of identifying malicious binaries, identify
malicious behaviors
• Often used in conjunction with sandboxing, hardware
solutions, and cloud security
• Uses static and dynamic analysis
• Can detect unknown threats signature-based solutions
cannot
• Can detect infections that are present before installation
• Can detect that legitimate applications have been
hijacked
Behavioral detection
• Malicious software present before install can block
installation
• Obfuscation can hide malicious behaviors
• Prompting end-users can result in infected computers
• Behavioral detection negatively impacts system
performance
• False positives can result in legitimate software being
blocked
• End-users may not be able to run legitimate software
needed to do their jobs
Behavioral detection
• Administrators must keep an up-to-date whitelist of
legitimate applications that exhibit malicious-looking behavior
• Launch processes designed to decrease system
performance
• Inject malicious code into legitimate software to prevent
it from running
• Install components shared by multiple legitimate
applications to break legitimate applications
• Cloud solutions are vulnerable to distributed denial of
service attacks
Automatic execution detection
• Malicious software has an incentive to persist on the
endpoint, so most malicious software attempts to
• Prevents malicious software from persisting
• Restricts access to key Windows file system and registry
locations to prevent automatic execution
• Provides protection against known and unknown threats
• Does not require reactive updating to address new
threats
Automatic execution detection
• Allows more end-user flexibility than application
whitelisting
• Superior performance and security solution compatibility
• Like whitelisting, malicious software present at time of
install is not detected
• In-memory threats that do not attempt to persist are not
detected
• Threats that replace legitimate files are not always
detected
Automatic execution detection
• End-users can optionally be given permission to
install persistent software
• End-users who need to install persistent
software will need IT approval
• Administrators need to configure automated
installs and updates to proceed unhindered
• Tools to minimize administrative impact
potentially open up security vulnerabilities
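A baseline review of the Windows autostart locations the slides describe, as an added Python example (not the deck's or any product's code): entries present when the control was installed are trusted, anything added later is reported, with extra reasons for programs that run from user-writable directories or borrow a Windows binary name. The locations, the baseline and every entry are constructed sample data.

```python
import ntpath
import re

# Constructed snapshot of autostart entries as (location, value name, command),
# in the shape a Run-key and Startup-folder enumeration would return.
# Sample data only, not taken from a real host.
SNAPSHOT = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Users\alice\AppData\Roaming\svchost.exe" -silent'),
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
     "notes.lnk", r"C:\Users\alice\Desktop\notes.txt"),
]

# Baseline captured when the control was installed. As the slides warn, anything
# that already persisted before install is trusted here and will not be flagged.
BASELINE = {
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive"),
}

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
WINDOWS_DIR = "c:\\windows\\"
WINDOWS_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe"}

def executable_path(command):
    """Strip surrounding quotes and arguments to get the program path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]

def review(snapshot, baseline):
    """Return (location, name, reasons) for autostart entries not in the baseline."""
    findings = []
    for location, name, command in snapshot:
        if (location, name) in baseline:
            continue  # OneDrive also runs from AppData, but the baseline vouches for it
        exe = executable_path(command)
        reasons = ["not in baseline"]
        if USER_WRITABLE.search(exe):
            reasons.append("runs from a user-writable directory")
        if ntpath.basename(exe).lower() in WINDOWS_NAMES and not exe.lower().startswith(WINDOWS_DIR):
            reasons.append("Windows binary name outside the Windows directory")
        findings.append((location, name, "; ".join(reasons)))
    return findings
```

Rerunning review() after each snapshot gives the persistence check the slides describe without a signature update; the in-memory and file-replacement cases listed above are still outside its reach.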
Questions
For assistance or additional information
• Phone: 216-664-1100
• Web: www.jurinnov.com
• Email: eric.vanderburg@jurinnov.com
• Twitter: @evanderburg
• Facebook: www.facebook.com/VanderburgE
• LinkedIn: www.linkedin.com/in/evanderburg
• YouTube: www.youtube.com/user/evanderburg
JurInnov Ltd.
The Idea Center
1375 Euclid Avenue, Suite 400
Cleveland, Ohio 44115
