4. Achieving Continuous Compliance for Your Roaming Endpoints

Upload: adpig507

Post on 06-Apr-2018


TRANSCRIPT

  • 8/2/2019 4. Achieving Continuous Compliance for Your Roaming Endpoints


Agenda

Challenges for Endpoint Security & Compliance

Endpoint-specific Requirements Across the Regulations

Endpoint Mgmt Architectures: Compared

Continuous Compliance Recommendations

Summary / Q&A

First the Disclaimer

Security doesn't always equal compliance. Compliance doesn't always mean you're secure. However, both goals are equally important and can be achieved in parallel, with the right strategy, technology, and process in place.

And, compliance projects usually get the funding, right?!

Challenges for Endpoint Security and Compliance

Historical approaches no longer work: perimeter protection is still needed, but it must be tailored to today's environment.

The endpoint explosion: multiple device types and platforms (laptops, smart phones, POS, tablet PCs, etc.), and roaming on steroids (endpoints connected anytime, anywhere, to any network).

Multiple attack vectors: malware, IM / social networks, phishing, blended threats.

Disparate, disconnected security tools: the vulnerability assessment tool doesn't talk to the tool that actually fixes the vulnerability!

Constantly evolving compliance requirements and audit procedures.

The Regulatory Tornado

Source: www.unifiedcompliance.com

The Tornado . . . Organized

Endpoint Security Requirements: A Sample

Requirement                                                               | PCI           | ISO 27001     | COBIT  | NIST 800-53
Implement anti-malware and keep endpoints current                         | 5.1, 5.2      | A12.6         | DS5.9  | SI-3
Define, implement, and enforce security configuration baselines           | 2.1, 2.2, 6.2 | A12.1, A15.2  | DS9    | CM-2, CM-4, CM-6
Keep endpoints patched                                                    | 6.1           | A12.6         | DS5.9  | CM-2
Perform regular vulnerability scans and address findings                  | 11.2          | A12.6         | PO9.3  | RA-5
Keep a current network diagram; know when things are added to the network | 1.1           | A7.1          | DS13.3 | CM-8
Install and maintain endpoint firewalls, NAC                              | 1.4           | A11.4         | DS5.10 | AC-19

The Endpoint Is The Perimeter

Yesterday:

Configuration controls and audits focused on the servers processing regulated data, plus general policies and processes.

WAN, LAN, VPN: all computers had to connect to the network to get stuff done.

AV, maybe a firewall on desktops and laptops; otherwise rely on network security protections.

Today:

Auditors are looking at the distributed environment in much more detail.

Large numbers of roaming laptops, smartphones, tablets, etc.

Some rarely access the network; they use Salesforce.com, Outlook HTTP access, Google Docs, etc.

Network security tools are a necessary layer, but they no longer protect many endpoints.

Has this happened to you?

"Fix all these issues by the end of the week."

The typical assessment cycle:

1. The security team develops compliance policies.
2. The security team runs an assessment tool (or tools) against that policy.
3. The security team forwards findings to ops.
4. Ops makes corrections as workload allows, one item at a time, using different tools from security (which generates different answers to questions like "how many endpoints do I have?").
5. Users make changes, causing endpoints to fall out of compliance again.
6. Start the assessment all over again.

The continuous compliance cycle:

1. Security and ops work together to formulate policies and service-level agreements (SLAs).
2. Ops implements the baseline (patch, config, AV, etc.) across all endpoints in the organization.
3. Policy compliance is continuously monitored and enforced at the endpoint; changes are reported immediately.
4. The security team can check on the current state of security and compliance (i.e. no assessment necessary).
5. Security and operations teams work together to continually strengthen security and adjust to evolving requirements.

Getting Back to Basics: Endpoint Security and Compliance

Know what OSes and third-party software you have. And where.

Identify usage patterns. Remove software that's not required (or not being used!).

Precisely target patch updates. My Mac doesn't know or care what an .exe is! Don't forget about those roaming endpoints.

Implement additional endpoint security tools: HIPS, FW, standard security configurations.

Automate as much as possible. Bridge assessment with remediation.

Today's Endpoint Management Requirements

Apply and confirm critical patches in hours: 95%+ first-pass success rate; confirmation is critical for proving compliance; "spray and pray" is no longer adequate.

Anytime, anywhere, any connection: inside and outside of the firewall; bandwidth- and connection-aware.

Today's Endpoint Management Requirements (continued)

Automated, closed-loop patch management and policy enforcement.

One tool for a wide variety of endpoint operating systems and platforms.

Today's Endpoint Management Requirements (continued)

Self-repair and quarantine: automatic re-application of patches; take endpoints off the network until remediation is complete.

Custom policy definition: enables custom remediation; a Swiss Army knife for IT admins.

Remote control capabilities: reaching endpoints wherever they roam.

Endpoint Management Architectures: Compared

Dumb agents, smart servers: the server contains the policy repository, makes the decisions and sends instructions to the agents. Agents do not autonomously enforce policies. Relies on polling and a distributed database repository.

Smart agents, dumb servers: the server distributes policies to the endpoint agents. Agents store the policies and enforce them continuously. The bulk of the processing is performed by the agents.
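The continuous compliance cycle listed after "Has this happened to you?", the closed-loop patch management and self-repair requirements, and the "smart agents, dumb servers" model above all come down to one loop running on the endpoint: evaluate the locally stored policy, fix what the agent is allowed to fix, confirm by re-evaluating, and report only when something changed. The Python below is an added example written for this page; it is not code from the webinar or from any IBM product. The policy rules and their required values, the endpoint state, the fix actions and the deliberately flaky patch installer are all simulated in-process and chosen for the demo.

```python
"""Added example: a 'smart agent' that holds the compliance policy locally,
evaluates the endpoint each cycle, remediates what it is allowed to, confirms
the fix by re-evaluating, and reports only when something changed.
Policy values, endpoint state and fix actions are all simulated in-process."""

# Policy the agent stores locally (distributed by the server in a real deployment).
# Values are hypothetical; 'agent_fix' says whether the agent may remediate itself.
POLICY = {
    "av_enabled":       {"required": True,      "agent_fix": True},
    "firewall_enabled": {"required": True,      "agent_fix": True},
    "patch_level":      {"required": "2019-07", "agent_fix": True},
    "disk_encrypted":   {"required": True,      "agent_fix": False},  # needs a human
}


def evaluate(state, policy):
    """Return {rule: True/False} for the current endpoint state."""
    return {rule: state.get(rule) == spec["required"] for rule, spec in policy.items()}


def enable(key):
    """Fix action that switches a boolean setting on."""
    def fix(state):
        state[key] = True
    return fix


class FlakyPatch:
    """Simulated patch install that fails its first attempt (pending reboot,
    locked installer, full disk...) and succeeds on the retry."""
    def __init__(self):
        self.calls = 0

    def __call__(self, state):
        self.calls += 1
        if self.calls > 1:
            state["patch_level"] = POLICY["patch_level"]["required"]


class Agent:
    def __init__(self, policy, actions):
        self.policy = policy        # kept locally: enforcement survives losing the server
        self.actions = actions      # rule -> callable(state) that applies the fix
        self.open_attempts = {}     # rule -> attempts since the rule last started failing
        self.closed = 0             # remediations confirmed fixed
        self.first_pass = 0         # ...of which succeeded on the first attempt
        self.last_key = None
        self.reports = []           # what would be sent to the server

    def cycle(self, state):
        failing = [r for r, ok in evaluate(state, self.policy).items() if not ok]
        attempted = []
        for rule in failing:
            if self.policy[rule]["agent_fix"] and rule in self.actions:
                self.actions[rule](state)
                self.open_attempts[rule] = self.open_attempts.get(rule, 0) + 1
                attempted.append(rule)
        # Confirmation: re-evaluate rather than trusting that the fix action worked.
        after = evaluate(state, self.policy)
        for rule in attempted:
            if after[rule]:
                self.closed += 1
                if self.open_attempts.pop(rule) == 1:
                    self.first_pass += 1
        still_failing = sorted(r for r, ok in after.items() if not ok)
        key = (not still_failing, tuple(still_failing))
        # Report immediately on any change; stay quiet when nothing moved.
        if attempted or key != self.last_key:
            self.reports.append({"compliant": not still_failing,
                                 "failing": still_failing,
                                 "remediated": [r for r in attempted if after[r]]})
            self.last_key = key
        return still_failing

    def first_pass_rate(self):
        return self.first_pass / self.closed if self.closed else None


def run_demo():
    """Drive the agent through a drift scenario; returns (reports, first-pass rate)."""
    actions = {"av_enabled": enable("av_enabled"),
               "firewall_enabled": enable("firewall_enabled"),
               "patch_level": FlakyPatch()}
    agent = Agent(POLICY, actions)
    # Constructed starting state: a laptop that is wrong on every rule.
    state = {"av_enabled": False, "firewall_enabled": False,
             "patch_level": "2019-05", "disk_encrypted": False}
    agent.cycle(state)                  # AV and firewall fixed; patch fails first pass
    agent.cycle(state)                  # patch retry succeeds
    agent.cycle(state)                  # steady state: nothing new to report
    state["firewall_enabled"] = False   # user turns the firewall off
    agent.cycle(state)                  # re-fixed and reported immediately
    state["disk_encrypted"] = True      # a human finishes the manual item
    agent.cycle(state)                  # fully compliant now
    agent.cycle(state)                  # quiet again
    return agent.reports, agent.first_pass_rate()


if __name__ == "__main__":
    reports, rate = run_demo()
    for report in reports:
        print(report)
    print("first-pass success rate:", rate)   # 0.75: below the 95% target
```

Two design choices carry the weight here. The agent never counts a remediation as done until a fresh evaluation says so; that is the "confirmation" the requirements slide insists on, and it is what a first-pass success rate has to be measured against (the demo's flaky patch drags the rate to 75%, which a real deployment would flag against the 95% target). And the agent stays silent when nothing changed, so the server learns about drift the moment a user turns the firewall off without anyone launching a full assessment.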

Real-World Zero-Day Case Study

Incident details, April 2008: 51 computers out of 3,000 displaying strange behavior: running port scans against the network, and a continual reboot cycle.

Infection by a new polymorphic virus (Zilcat / Sality.w / Sality.ae); no AV signatures available.

Rapidly spread to 200+ computers.

Initial plan proposed: drive around to the offices, disconnecting machines from the network until DAT file updates were published.

Real-World Zero-Day Case Study: Instead, They Used Endpoint Management

Identified infected machines across 3,000 endpoints in less than 180 seconds (a system.ini file change was the one common variable).

Auto-quarantined infected machines from the network.

Automatically remediated infected machines via a single management port once AV updates were available.

Lessons learned: when the first defense layer fails, have a workable Plan B. Real-time visibility and precise control are priceless.
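The 180-second sweep in the case study rests on one move: find the property every misbehaving host shares and verified-clean hosts do not (here, a changed system.ini), then query every endpoint for it, including the ones not yet showing symptoms, and quarantine the matches while leaving the management port open. The Python below is an added example written for this page, not the webinar's or any product's code. It works over a constructed inventory of a dozen agent reports; the file contents behind the hashes, the host names, the "known bad" and "verified clean" lists and the management port number are all invented for the demo.

```python
"""Added example: derive an indicator from the one variable common to the
known-infected hosts, validate it against verified-clean hosts, sweep the
fleet and produce a quarantine plan.  Inventory is constructed in-process."""
import hashlib


def sha256_text(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed file contents; the real modification is whatever the malware wrote.
CLEAN_INI = sha256_text("[boot]\r\nshell=explorer.exe\r\n")
MODIFIED_INI = sha256_text("[boot]\r\nshell=explorer.exe\r\n[constructed]\r\ndemo=1\r\n")

MGMT_PORT = 52311   # hypothetical: the single port the management agent uses


def build_inventory():
    """Per-endpoint rows as a management agent might report them (constructed)."""
    rows = []
    for i in range(12):
        modified = i < 5                          # hosts 0-4 carry the changed system.ini
        rows.append({
            "host": f"wks{i:03d}",
            "system_ini_sha256": MODIFIED_INI if modified else CLEAN_INI,
            "os_build": "build-A" if i % 2 == 0 else "build-B",
            "av_dat_version": "dat-1",            # everyone has the same (useless) DAT
            "port_scanning": modified and i < 3,  # only three are visibly misbehaving
        })
    return rows


KNOWN_BAD = ["wks000", "wks001", "wks002"]        # seen port-scanning / rebooting
VERIFIED_CLEAN = ["wks005", "wks006", "wks011"]   # hand-checked, not merely asymptomatic


def common_indicators(rows, known_bad, verified_clean, fields):
    """For each field, keep the value shared by every known-bad host and by no
    verified-clean host.  Validating against verified-clean hosts (rather than
    'everyone else') matters: silent infections would otherwise mask the indicator."""
    by_host = {r["host"]: r for r in rows}
    found = {}
    for field in fields:
        bad_values = {by_host[h][field] for h in known_bad}
        if len(bad_values) != 1:
            continue                              # not common to all bad hosts
        value = bad_values.pop()
        if any(by_host[h][field] == value for h in verified_clean):
            continue                              # also on clean hosts: no signal
        found[field] = value
    return found


def sweep(rows, indicators):
    """Every host matching any indicator, symptomatic or not."""
    return sorted(r["host"] for r in rows
                  if any(r[f] == v for f, v in indicators.items()))


def quarantine_plan(hosts):
    """Isolation actions: block everything except the management port, so the
    agent can still push the AV update once it exists."""
    return [{"host": h, "action": "isolate", "allow_tcp_ports": [MGMT_PORT]}
            for h in hosts]


def run_demo():
    rows = build_inventory()
    indicators = common_indicators(rows, KNOWN_BAD, VERIFIED_CLEAN,
                                   ["system_ini_sha256", "os_build", "av_dat_version"])
    hits = sweep(rows, indicators)
    return indicators, hits, quarantine_plan(hits)


if __name__ == "__main__":
    indicators, hits, plan = run_demo()
    print("indicator fields:", list(indicators))   # ['system_ini_sha256']
    print("hosts to quarantine:", hits)             # wks000..wks004, two of them silent
```

The validation set has to be hosts someone actually checked. If wks003 (carrying the modified file but not yet scanning) were taken as "clean" just because it looked fine, the system.ini indicator would be rejected and the sweep would find nothing; the test below exercises exactly that case. The OS build is rejected because the infected hosts span both builds, and the DAT version because every host has it, which is the kind of filtering a responder does by eye under time pressure and is worth making mechanical.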

Key Take-aways

Traditional network perimeter controls are less relevant today, because laptops enter hostile environments and because of attack vectors such as end-user documents and web surfing.

Baking intelligence and policy enforcement into the endpoint is essential.

Improved visibility, automation and control will improve security AND help us pass those audits!

To learn more

www.ibm.com/security
www.instituteforadvancedsecurity.com
www.youtube.com/ibmsecuritysolutions
Twitter: www.twitter.com/ibmsecurity, www.twitter.com/ibmxforce

Questions? Click on the questions tab on your screen, type in your question, name and e-mail address; then hit submit.