Shift to Intelligent Endpoint Security Management The document discusses the shift from traditional endpoint security methods to more intelligent approaches. Traditional defenses like antivirus software and patching are no longer effective against modern threats. New strategies are needed to control applications and local user privileges, prevent zero-day and targeted attacks, and provide better security reporting. Without improved technology solutions, organizations will continue to have sensitive data and systems compromised by cybercriminals. The future of endpoint security requires more intelligent methods like application whitelisting to lock down systems while optimizing security and resources.

1. Shift to Intelligent
Endpoint Security
Management
Andris Soroka
Data Security Solutions, andris@dss.lv
Riga, Latvia
24th of November, 2011

2. Lumension Security business card
• Offices Worldwide + Strong Partner Base (500+)
• More than 6000 customers in 70 countries
• More than 5 million endpoints protected
• Award-Winning Innovator

3. Portfolio – ANNO 1991
Endpoint Vulnerability Endpoint Data Compliance and
Operations Management Protection Protection IT Risk Management
Power Management Vulnerability Assessment AntiVirus/Malware Device Control Compliance-Control
Mapping
License Monitoring Patching and Remediation Malware Remediation Data Encryption
Continuous Monitoring
Application Deployment Security Configuration Application Control- Whole Disk Encryption
Management Whitelsiting Control Harmonization
Asset Identification and Content Filtering
Inventory X-Platform Content Application Identity & IT Risk Assessment
Support Assurance Data Discovery
Contract Management Deficiency Remediation

4. Agenda
»Traditional Endpoint Security – threats, drivers
Recent/Upcoming Product Releases Security
»Evolutions and shifts in Endpoint
Bryan Fish, Dee Liebenstein, Chris Chevalier and Rich Hoffecker
»Lumension LEMSS – the innovative platform
» Device Control
» Application Control
» Antivirus
» Whole Disk Encryption
» Patch & remediation and more

5. Business Drivers and Threats
The Endpoint Security Landscape

6. Security Today
General Categories
• Financially Motivated
» Bank Accts, Passwords, etc.
» Identity Theft
» Insiders
• Intellectual Property Theft
• Hacktivists
» IP / Customer data
» Denial of Service
» Reputational Damage

7. Threats and solutions of Security Today

8. Endpoint Security Today – most important
Reality check
• Weakest link - endpoint
» 70% of incidents are caused on
the endpoint
» >2 million unique malware
samples every day
» On average lifetime of a malware
is less than 24 hours
» Traditional defense is not enough

9. Today’s business environment
» IT continues taking the lead in business (ERP,
CRM, document management, digital
prototyping etc.)
» Development of e-World continues (B2B,
B2C, e-Services, e-Government, e-Health,
social networking, Web 2.0, unified
communications etc.)
» Consumerization, mobility and borderless
enterprise is a reality
» Cyber culture grows faster than cyber security
(as well – not all countries have compliance,
regulas or penalties)

10. Every technology is vulnerable

11. Not a Microsoft world anymore..
Apple & Adobe two of the top three applications disclosing vulnerabilities
Apple and Linux two of the top three reporting vulnerabilities
Virtualization vulnerabilities have grown in total # in recent years
The cycle from vulnerability to worm is shortening dramatically – putting
increasing pressure on IT departments to remediate vulnerabilities faster than
ever.

12. Endpoints are at risk every day
The applications we use today for productivity
Collaborative / Browser-based / Open Source
Source: Verizon, 2010 Data Breach Investigations Report
Social Communities, Gadgets, Blogging and Widgets
open up our networks to increasing risk everyday.

13. Growing Application Centric Risk
» Social networking applications were
detected in 95% of organizations.
» 78% of Web 2.0 applications support file
transfer.
» 2/3 of applications have known
vulnerabilities.
» 28% of applications were known to
propagate malware.
» AV best rate of capture malware is 33%
per day. After 30days 93%...
» ~2M pieces of unique malware
signatures detected each day.. And
numbers are growing very fast

14. Growing Device Centric Risk
» Over 70% IT security incidents are
caused by insider’s device
» 60% of confidential data resides on
endpoints
» Devices are bi-directional threats
» USB devices are well known “weapons”
of social engineering
» 48% of users utilize company tools for
personal usage

15. Endpoint Security Today
Traditional Defenses …
• Antivirus
• Patching Microsoft OS and Apps
• Firewalls
• Strong Passwords
• End-User Education Programs
… Don’t Always Work:
If They Did, We Wouldn’t Have
IT Security Breaches!

16. Summary of Endpoint threats
Where Traditional Defenses Fall
Short
• Risk from Un-patched 3rd Party Apps
• Controlling Local Admins Gone Wild
• Preventing Zero-Day Attacks and
Targeted Malware
• End-User Education Isn’t Keeping Up
• Actionable Reporting and Security
Measurement

17. Results of threats
We end up with -
• There are Internet shops full of credit
card, bank account, privacy, business
and other confidential data
• Also there are available services to rent
a botnet, malicious code and attack
anyone
• Video trainings and eLearning available
in social media, such as YouTube
• «Black market community» (forums,
blogs, interest groups, conferences etc.)
• Lost business & reputation

18. Some examples
FBI warns USA Congress that cybercriminals can hack any
internet-linked system
Gordon M. Snow, assistant director of the FBI’s Cyber Division
(13th of April, 2011)
Exclusive: Computer Virus Hits U.S. Drone Fleet
Noah Shachtman, Wired Magazine
(7th of October, 2011)
Betfair admits data hack... after 18 months - over two million
card details were stolen
Rory Cellan-Jones, BBC Technology
(30th of September, 2011)

19. Endpoint Security Today
“Organizations are looking to application control solutions to
augment signature-based antivirus protection and to exert
more control over endpoints. Although this space has been
dominated by the smaller vendors, larger endpoint
protection and management providers are entering the
market.”
-- Gartner Analysts Neil MacDonald and Michael A. Silver

20. Endpoint Security Today
Organizations do not feel more secure
than they did last year.
This is mainly due to the use of ineffective
technology solutions when better, more effective
and efficient technologies exist but are not
heavily implemented.
Paul Henry
Security & Forensics Analyst
MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP,-
ISSAP, CISM, CISA, CIFI, CCE
SANS Institute Instructor

21. Quotes from AV vendors
Basic security protection “You can’t just rely on
is not good enough,” antivirus software – and
Rowan Trollope Senior we’re an antivirus
Vice President, Symantec company” George Kurtz,
Worldwide CTO, McAfee
[Standard] antivirus is not "[signatures are] completely
effective anymore... Raimund ineffective as the only layer [of
Genes, CTO Trend Micro Inc endpoint security]… Nikolay
Grebennikov, CTO, Kaspersky

22. Changes of the traditional Endpoint Security
The Past, The Present and The Future

23. Endpoint Security – vendors and scope

24. Patching is the security priority
•The top security priority is
“patching client-side
software”1
» Streamline patch management and
reporting across OS’s AND
applications
•Patch and defend is not just a
Microsoft issue
» More than 2/3 of today’s
vulnerabilities come from non-
Microsoft applications
Source:
1 - SANS Institute

25. Importance of Application Whitelisting
• Blacklist (AV) • Application Control • Whitelist
» Detect, block and » Allow known good » Allow only known
remove known bad » Remove known bad good to execute
» Scan everything » Allow trusted change » Lower resource
» Higher resource » Insert AV scan into utilization
utilization process strategically » Low risk
» Risk of unknown » Optimize resource
utilization
» Optimize risk
Lockdown Policy
Open Lockdown
25

26. Endpoint Security requirements
» Antivirus / Anti-malware
» HIPS / File Integrity monitoring
» Firewall / VPN
» Encryption (whole disk, devices)
» Device Control
» Application Control / System Lockdown
» Vulnerability management, patch and
update management
» Configuration management
» NAC / Visibility

27. Endpoint Security Today
Point products tax IT resources with additional administration burden, custom
integration & maintenance limited user productivity across multiple
management consoles
Vulnerability Patch Systems AntiVirus Data Compliance
Assessment Management Management Malware Protection
45% of IT operations
professionals work
across 3-5 different
software consoles
while managing
security & operational
functions.*
Colleen Pat Rich
IT Ops Manager CIO IT Security Manager
*Worldwide State of The Endpoint Report 2009

28. Lumension Endpoint Management Security
Suite 2011
Introducing: Application Intelligent Whitelisting
Single
Agile n-tier pluggable Single Promotable
Console
architecture Agent

29. LEMSS 2011 – one agent platform
L.E.M.S.S.: Patch and Remediation
L.E.M.S.S.: Security Configuration Management
L.E.M.S.S.: Wake on LAN & Power Mgmt.
L.E.M.S.S.: Whole Disk Encryption
L.E.M.S.S.: Device Control
L.E.M.S.S.: App Control & Antivirus
L.E.M.S.S.: Risk & Compliance Management

30. LEMSS – principle of work

31. Clean IT
» Role of AntiVirus » Features of AntiVirus
» Remove malware prior to lockdown » Sandbox
» Scan for malware not identified at » Antispyware / Antivirus
time of lockdown
» DNA matching
» Scan when making changes
» Exploit detection
• Defense in depth
» AntiVirus no longer the primary
defence mechanism
» Less of a reactionary role
L.E.M.S.S.: Antivirus

32. Lock IT
» Role of Application Control » Features of Application Control
» Fast and easy policy definition » Kernel level solution
» Unique whitelist for every endpoint » ~ 10 years in development
» No disruption to productivity » Exploit detection
» Stops any executable after locking it
» Granularity of control
» Integration with Patch & Remediation
module for automated and first in
market - “Intelligent Application
Whitelisting”
L.E.M.S.S.: Application Control

33. Trust IT
» Role of Patch & Remediation » Features of Patch & Remediation
» Software and Patch » 20 years market leadership
deployment systems
» Patented patch fingerprint
» Automated discovery and technology
assessment of assets
» Largest coverage of OS’s and Apps
» Trusted change manager
» Automatically update of local
whitelist
» No disruption to productivity
» Single solution for
heterogeneous environment
L.E.M.S.S.: Patch And Remediation

34. Lumension Intelligent Application Whitelisting
Unifies workflows and technologies to deliver enhanced capabilities in the
management of endpoint operations, security and compliance
Endpoint Operations Intelligent Endpoint Security
Whitelisting
Asset Patch
Device Control
Management Management
Application Control
Software Configuration Trusted
DLP
Management Management Change
AntiVirus/Spyware
Power Compliance/
Content Wizard
Management Firewall Risk Mgt.
Management
Whole Disk
Reporting
Encryption
» Remove whitelisting market
adoption barriers

35. Lumension Intelligent Endpoint Integrity Service
• Cloud repository that correlates files, hashes and
attributes with applications
» “Speaking applications, not hashes”
Additional
Partners
• Positioned to provide HIGH INTEGRITY BY
VALIDATING source of HASH DATA
EIS Software Integrity
» Not community based, not designed to be “the biggest” at
Metadata Repository the sacrifice of integrity
» Will be the most trusted and provide risk management
EIS Services
information
» Partnership with Microsoft and additional vendors
Lumension • Multiple hash types (SHA-1 SHA-256) will provide
Application Control
flexibility and stronger security

36. Lumension Device Control
L.E.M.S.S.: Device Control
• Central Control of ALL desktop I/O Devices
» USB Removable Media, PDA’s, Cameras, CD/DVD R/W, modems etc.
Future Proof
• Device Usage Policy
» Integrates with Active Directory
» Policy per user, group or computer
» Read, Read/Write or No Access
» Temporary & Scheduled access – time of day/day of week
» On-line/Offline Device Permissions (e.g. - No modems/3G Data Cards when connected)
• Granularity of Control
» White list of Make/Models allowed (e.g. only Lexar 256MB or Fuji camera)
» Unique Identification of Device by serial number
» Authorisation of specific CD media
» USB Key-logger detection
• Control What Data Is Copied
» Limit how much data written out (e.g. Louis can copy 20MB per day max)
» File-Type Filtering - control which File Types copied IN/OUT
• Used for exception, e.g. cameras can be used for image file only and more…

37. Lumension Device Control
Supported Device Types:
• Biometric devices
• COM / Serial Ports
L.E.M.S.S.: Device Control • DVD/CD drives
• Floppy disk drives
• Imaging Devices / Scanners
• LPT / Parallel Ports
• Modems / Secondary Network Access
Devices
• Palm Handheld Devices
• Portable (Plug and Play) Devices
• Printers (USB/Bluetooth)
• PS/2 Ports
• Removable Storage Devices
• RIM BlackBerry Handhelds
• Smart Card Readers
• Tape Drives
• User Defined Devices
• Windows CE Handheld Devices
• Wireless Network Interface Cards (NICs)

38. Improving Endpoint Security with LEMSS
(Lumension Endpoint Management Security Suite)

39. Minimize Your True Endpoint Risk
Augment existing defense-in-depth tools
» Comprehensive Patch and »Device Control
Configuration Management
»Encryption
» Application Control / Whitelisting
Traditional
Endpoint Security
Blacklisting
As The Core
Zero Day Volume of
Malware
3rd Party Malware
Application As a
Risk Service

40. Minimize Your True Endpoint Risk
Rapid Patch and Configuration Areas of Risk
at the Endpoint
Management 5%
Zero-Day
• Analyze and deploy patches across all OS’s
and apps (incl. 3rd party)
30%
• Ensure all endpoints on the network are Missing Patches
managed
• Benchmark and continuously enforce patch and
configuration management processes
65%
• Don’t forget about the browser! Misconfigurations
» Un-patched browsers represent the highest risk for
web-borne malware.
Source: John Pescatore Vice
President, Gartner Fellow

41. Stop Malware Payloads with App Whitelisting
Antivirus
Apps Malware
• Use for malware clean-up
and removal
Authorized Known
• Operating Systems • Viruses
• Business Software • Worms
Application control • Trojans
• Much better defense to
prevent unknown or Un-Trusted
unwanted apps from Unknown
Unauthorized • Viruses
running • Games • Worms
• iTunes • Trojans
• Shareware • Keyloggers
• Spyware
• Unlicensed S/W

42. Stop Unwanted Applications
Immediate and simple risk mitigation
Denied Application Policy
prevents unwanted applications
even if they are already installed
Easily remove unwanted
applications

43. Reduce Local Administrator Risk
Monitor / Control Local Admin Usage
• Local Admins can do ANYTHING on their systems
» Install unwanted and unauthorized software
» Install malware
» Remove patches
» Bypass security measures
» Change configurations

44. Manage those Devices
Enforce Access
Policy
Enforce Encryption
Policy
Monitor, Manage,
Report

45. Encryption
Endpoints (Whole Disk) Removable Devices
• Secure all data on endpoint • Secure all data on removable
• Enforce secure pre-boot devices (e.g., USB flash drives)
authentication w/ single sign-on and/or media (e.g. CDs / DVDs)
• Recover forgotten passwords and • Centralized limits, enforcement,
data quickly and visibility
• Automated deployment
Lost UFDs (Ponemon 2011)
Laptop Thefts (IDC 2010)

46. Defense-in-Depth with Intelligent Whitelisting
Known Unknown Unwanted, Application Configuration
Malware Malware Unlicensed, Vulnerabilities Vulnerabilities
Unsupported
applications
AntiVirus X X
Application
X X
Control
Patch &
X X
Remediation
Security
Configuration X
Management

47. A Complete Defense With Lumension
Anti-Malware
Firewall / IPS
Patch Management
Physical
Intelligent Access
Whitelisting

48. Improving Endpoint Security
First in market solution
» Single Server / Management Console
» Single Agent
Single Console
» Modular, Extensible Design
» Organization-wide Reporting
Agile architecture
» Lower Total Cost of Ownership (TCO)
» Power of granularity
Single Promotable Agent

49. Real time risk & compliance manager
Regulation Authority Documents
GLBA PCI FISMA HIPAA NHS NERC SOX ISO/IEC…
Business Interests Corporate Policies
Business Processes
Revenue Streams
Trade Secrets IT Assets
Profile Risk Attributes
Open to the Internet
Contains Credit Card
Information
Contains Customer Data
Applicable Controls Pass/Fail Regulation Assessment
Password Length
Data Encryption
Power Save
HIPAA SOX PCI NERC
100% 65% 65% 30%

50. More Information
SMB Security Series SMB Market Survey
» Resource Center:
http://www.lumension.com/smb-budget www.lumension.com/smb-survey
» Webcast Part 2:
http://www.lumension.com/Resources/Webinars
/How-to-Reduce-Endpoint-Complexity-and-
Costs.aspx
Quantify Your IT Risk with Free
Scanners
» http://www.lumension.com/special-
offer/PREMIUM-SECURITY-TOOLS.ASPX
Lumension® Endpoint Management
and Security Suite
» Demo:
http://www.lumension.com/endpoint-
management-security-suite/demo.aspx
» Evaluation:
http://www.lumension.com/endpoint-
management-security-suite/free-trial.aspx

51. Please consider next steps
• Lumension® Intelligent Whitelisting™
» Overview
• www.lumension.com/Solutions/Intelligent-Whitelisting.aspx
» Free Demo
• www.lumension.com/Resources/Demo-Center/Overview-Endpoint-Protection.aspx
» Free Application Scanner
• www.lumension.com/special-offer/App-Scanner-Tool-V3.aspx
• Whitepaper and Videos
» Think Your Anti-Virus is Working? Think Again.
• www.lumension.com/special-offer/App-Whitelisting-V2.aspx
» Using Defense-in-Depth to Combat Endpoint Malware
• l.lumension.com/puavad
» Reducing Local Admin Access
• www.lumension.com/special-offer/us-local-admin.aspx

52. Global Headquarters
15880 N. Greenway-Hayden Loop
Suite 100
Scottsdale, AZ 85260
andris.soroka@dss.lv
GSM: +371 29162784