The document discusses challenges in modern endpoint security and strategies to address them. It outlines how attackers have changed their tactics to take advantage of outdated defenses. The key moves discussed to regain control include implementing defense-in-depth endpoint security, shifting to trust-based security focused on preventing execution rather than detection, focusing on operational basics like patching and asset management, and managing devices to limit local admin risks and unwanted applications. It also provides an example of how one company addressed their security issues by implementing the Lumension Endpoint Management and Security Suite.
6. Advanced Persistent Threats Highly skilled Cyber Armies unleashing new Advanced Malware…. While many of these attacks are well organized, they have simply taken advantage of the same old mistakes we’ve been making for years.
7.
8.
9.
10.
11.
12.
13. Key Moves We Can Make Against the “Bad Guys” to Regain Control
14.
15. Strategy 1: Implement Defense-in-Depth Traditional Endpoint Security Defense-N-Depth Blacklisting As The Core Zero Day 3 rd Party Application Risk Malware As a Service Volume of Malware Patch & Configuration Mgmt.
Defense in Depth Strategy Address the core IT Risk with Patch & Configuration Management Stop unwanted / untrusted change with Application Control Protect against insider risk Device Control Deploy a broad defensive perimeter with AntiVirus Reduce endpoint complexity with an Endpoint Management and Security Suite
Most overflows result in a system crash Occasionally, a vulnerability is discovered that allows the “overflowed” code to be executed That execution typically escapes any established security controls Because buffers are small and these attacks are difficult, many overflows attacks will try to download a more substantial payload
Application control or whitelisting provides a new layer in the foundation for endpoint protection. Whitelisting is about identifying the known good and by default not letting anything other than what’s on the whitelist from executing. Simply put, any executable – whether a business application, a video driver, or a web browser plug-in – not specified on the whitelist cannot load and run. It’s the most effective security layer as its prevents execution in the kernel.
On top of defense-in-depth, time to shift from threat-centric approach to one based on trust….
Trust Engine Challenge . Organizations need an automated method by which to determine whether or not to allow changes to the code running on their network assets, particularly the endpoints, in order to make the promise of application whitelisting operationally feasible. Without this, changes to the whitelist had to be made manually and oftentimes without any basis. The challenge is to implement a process by which changes can be automatically vetted and installed on network assets. Feature . LEMSS:AC allows any number of trust policies to be created and implemented which will automate the process of assessing the security and desirability of changes to programs running on network assets; these trust mechanisms allow for the automated or user-driven changes to the “known good” whitelist required in dynamic environments such as desktops and laptops without completely surrendering control over these changes. These trust mechanisms include: Trusted Publisher , Trusted Updater , Trusted Path , and Local Authorization . Benefit . This permits the organization to provide the higher level of security against malware and other undesirable programs available from a whitelisting / “default deny” approach without the additional administrative burden sometimes associated with it. Some specific examples of how the Trust Engine might help operationalize whitelisting in a real IT network with dynamic environments such as desktops or laptops include: Trusted Publisher (i.e., from a known good vendor with a signed certificate) – the organization may have whitelisted a specific Microsoft Operating System (OS) and applications (e.g., Word, Excel and Powerpoint) but finds that some users may want to add certain OS capabilities (such as additional drivers) or applications (such as Visio) from Microsoft; by implementing a policy which permits changes to the whitelist when those changes are accompanied by a valid, signed certificate from Microsoft, these changes could be made “on the fly” by the end user without additional work for the system administrators. Trusted Updater (i.e., from a known good process which updates existing software) – the organization may be using an automated patching solution (such as Lumension Patch and Remediation) or have certain continuously updated programs (such as WebEx) on their whitelist. Here again, by implementing a policy which permits changes to the whitelist when those changes are made by these specific programs, these changes could be made automatically without adding to the administrative burden. Trusted Path (i.e., from a known good location, generally inside the network) – it is not uncommon for IT administrators to create a library of known good applications, which is used when installing or updating an endpoint; organizations might want to restrict all endpoint changes to only those which come from this “source repository.” By creating / using a trusted path policy (and carefully controlling access to this “source repository”), the whitelist can be updated as changes are made in the library of known good applications. Local Authorization (i.e., allow specific users to self-authorize applications) – in some cases, an organization might allow specific users to augment the whitelist of known good applications under their own say-so, be they administrators or even end users; for instance, perhaps a “well known” salesman is on a customer call and needs to update her machine to allow her presentation to work on the customer’s equipment. This trust mechanism provides a way to permit these ad hoc changes while providing the traceability and control needed to ensure that, should they prove unwise, they can be reversed.
Vulnerabilities affecting a typical end-user PC from 2007-2009 almost doubled from 220 to 420 and its expected to double again in 2010 (Secunia Half Year Report 2010) A PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 third party programs installed than in the 26 Microsoft programs installed. It is expected that this ratio will increase to 4.4 in 2010. ( Secunia Half Year Report 2010) Discover: Gain complete visibility of all IT assets, both managed and unmanaged. Assess: Perform a deep analysis and thorough OS, application and security configuration vulnerability assessments. Prioritize: Focus on your most critical security risks first. Remediate: Automatically deploy patches to an entire network per defined policy to support all OS’s and applications. Report: Provide operational and management reports that consolidate discovery, assessment and remediation information on a single management console.
Using Lumension Device Control, you can mitigate these insider risks by: Enforcing a device and media access policy on your endpoints which won’t impede the productivity of the business Enforcing a data encryption policy for removable storage devices and media to protect that valuable data when is copied off of your endpoints, and by -Monitoring what’s happening in your environment; You can manage and report on all endpoint activity in your organization