Saturday, April 16, 2016 | Webroot Inc. | Proprietary & Confidential Information | Best Practices for Security in today’s Modern Threat Landscape | John Mc Laughlin, Channel Account Manager, EMEA


Page 1

Best Practices for Security in today’s Modern Threat Landscape

John Mc Laughlin – Channel Account Manager, EMEA

Page 2

Agenda

1. A look at today’s threat landscape

– Signature-based technology can’t keep up; ineffective remediation

2. Zeus-deployed malware, encrypting ransomware & Poweliks

3. Social engineering tactics with Rogues

4. Security Best Practices to prevent the effects of ransomware

5. Patch management is still essential

– Best practices for solid patch management

6. Belt & braces – backup is still vital

– What to backup, when and how

7. Security Solutions to complete the puzzle

– AV & filtering, the backbone of your security solutions

Page 3

1. A look at today’s threat landscape

Page 4

A look at today’s threat landscape

» Micro release cycles overwhelm and defeat signature-based technology

– Signatures require samples for analysis

– Research shows most malware variants infect < 50 PCs

– 142M new malware samples in 2014, a 58% increase over the previous year

» Traditional antivirus programs struggle with remediation

– Tied to the research process

– Malware behaves differently in the wild

– Randomized

» Signature-based antivirus lacks necessary visibility

– 62% of breaches go unidentified for months or years

– Platform specific solutions provide inconsistent protection

– Average time to detection is 209 days

Page 5

Signature-based technology can’t keep up

• “Antivirus is dead” – Brian Dye, Symantec Senior Vice President, The Wall Street Journal May 2014

• “Signature-based malware detection has been limping along on life support for years” - Gartner, July 2011

• “Signature-based tools are only effective against 30–50 percent of current security threats” - IDC, Jan 2013

• “We are seeing about 150,000 new pieces of malware every day… we’re purely on the defensive.”- Simon Hunt, McAfee CTO Endpoint Solutions, May 2013

• “Signature-Based Endpoint Security on Its Way Out” - CIO Magazine, May 2013

2013-06-10 triumfant.com

Page 6

2. Zeus and its deployment of malware

How the fraud works

Page 7

How the Zeus fraud works

Page 8

Cridex & Dridex

Criminal improvements to the Zeus model

Page 9

Dridex

» Dridex is a newer version of the similar (and earlier) Cridex trojan

» Heir to the Zeus throne

» Mostly a banking Trojan (mainly targets banks)

» Has taken £20 million from UK banks

» Distributed through spam emails; propagates through macros.

Page 10

Dridex – Law enforcement

» It was announced in October of this year that the botnet it relies on has been killed

» Moldovan Andrey Ghinkul has been charged by the US with multiple related offences

» However, as of print it still exists

Page 11

Encrypting Ransomware

Tactics

Constant improvement to the landscape

Page 12

CoinVault

Page 13

TeslaCrypt

Page 14

TeslaCrypt

Page 15

Decrypt Cryptolocker

Page 16

Remediation

» No remediation once fully infected

» Paying the ransom can decrypt

– Often days or weeks pass

– Lost revenue and productivity

» Webroot SecureAnywhere – Business Endpoint Protection

– Whitelisting agent

– Cloud-based threat data

– Critical focus on zero hour infections

– Outbound cloud-based firewall

– Web Threat Shield

– Journaling and rollback technology

Page 17

Poweliks

Malware in the registry

Page 18

Poweliks

Page 19

Poweliks

• This registry string is practically an encoded file

• In this way it becomes “fileless” and gets a free pass from traditional AV
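The slide's point is that the payload lives as an oversized, encoded string in an autostart registry value, so a file scanner never sees it. Reviewing autostart values for that shape is a useful hunt. The following script is an added illustration, not part of the Webroot deck: it scores autostart entries from a registry export on length, Shannon entropy, an empty or unprintable value name, and whether the data invokes a script host. The sample entries, the thresholds (260 characters, 5.0 bits per character) and the list of interpreters are assumptions chosen for the example; the "suspicious" entry is a generated pseudo-base64 blob, not data from any real infection.

```python
from __future__ import annotations

import math
import random
import re
from typing import NamedTuple


class AutostartValue(NamedTuple):
    key: str   # registry key path as it appears in an export
    name: str  # value name (fileless entries often use an empty or unprintable one)
    data: str  # value data as a string


def _constructed_blob(length: int = 1200, seed: int = 7) -> str:
    """Deterministic pseudo-base64 text standing in for an encoded payload (constructed, not real)."""
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


# Constructed sample entries in the shape a registry export would give them.
SAMPLE_VALUES = [
    AutostartValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
                   r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutostartValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "LogonScript",
                   r'wscript.exe "C:\Scripts\logon.vbs"'),
    AutostartValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "",
                   _constructed_blob()),
]

# Interpreters whose presence in an autostart value deserves a second look (assumed list).
SCRIPT_HOSTS = re.compile(r"\b(mshta|wscript|cscript|powershell|rundll32)(\.exe)?\b", re.IGNORECASE)


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded blobs sit near 6.0, ordinary paths well below 5.0."""
    if not text:
        return 0.0
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def score_value(value: AutostartValue, max_len: int = 260, max_entropy: float = 5.0) -> list[str]:
    """Return the reasons an autostart value looks like an encoded, fileless payload."""
    reasons: list[str] = []
    if len(value.data) > max_len:
        reasons.append(f"data length {len(value.data)} exceeds {max_len} characters")
    entropy = shannon_entropy(value.data)
    if entropy > max_entropy:
        reasons.append(f"entropy {entropy:.2f} bits/char suggests encoded content")
    if not value.name.strip() or not value.name.isprintable():
        reasons.append("value name is empty or unprintable")
    if SCRIPT_HOSTS.search(value.data):
        reasons.append("data invokes a script host or loader")
    return reasons


def find_suspicious(values: list[AutostartValue]) -> dict[str, list[str]]:
    """Map key\\name to reasons for every value that trips at least one heuristic."""
    flagged: dict[str, list[str]] = {}
    for v in values:
        reasons = score_value(v)
        if reasons:
            flagged[f"{v.key}\\{v.name or '(default)'}"] = reasons
    return flagged


if __name__ == "__main__":
    for location, reasons in find_suspicious(SAMPLE_VALUES).items():
        print(location)
        for reason in reasons:
            print("  -", reason)
```

The second sample entry is flagged only because it calls the Windows Script Host, which is exactly the surface the deck later recommends disabling; an analyst would triage it rather than treat it as an infection. The third trips three heuristics at once, which is the profile worth escalating.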

Page 20

3. Social Engineering Tactics with Rogues

Page 21

Social Engineering tactics with Rogues

Page 22

Social Engineering tactics with Rogues

Page 23

4. Security Best Practices

Page 24

Security best practices to prevent the effects of ransomware

1. Verify you have a reputable AV installed and set up correctly

– We recommend Webroot and so do our partners but maybe we are biased

2. Ensure the latest Windows updates are applied

3. Keep all used plugins up to date (Java, Flash, Adobe etc.)

– Where feasible

4. Use a modern browser with an ad blocker plugin

5. Disable Autoruns

6. Disable Windows Scripting Host

– Stop malicious scripts from being run in the background

7. Have users running as limited users and not admins

8. Backup+ Backup+ Backup+ Backup!

– Did we say backup?

Page 25

Security best practices cont’

» Having a second browser installed allows you to still connect even if your primary is compromised

» Use the policy editor to block paths… make sure you test all new policies though!

– Block the opening of executables in temp

– Block the modification of the VSS service

– Block the opening of executables in temp+appdata

– Block the creation of startup entries

» Blocking access to the Volume Shadow Copy Service

– Encrypting malware may try to access this service to remove backups

» Disabling the Windows Script Host to block VBS scripts

– VBS scripts are used by malware authors either to cause disruption in an environment or to run a process that will download more advanced malware.

Page 26

5. Patch management is still essential

Page 27

Best practices for patch management

» Surprisingly, the majority of successful attacks come from exploiting known vulnerabilities

» Patch management can be time consuming and quite complex, but this is often due to an organization not knowing what apps they have in house

A. Taking an inventory of key apps is essential

– Production apps

– Know the OS & version, app owner, physical location, and departments using the app

B. Standardise where possible

– If you can rationalise the number of OS’ in use and the varieties of applications running on those OS’ then this will save you a lot of time and heartache

C. Make a list of all the security controls you have in place

– Firewalls, IDS, routers, AV – in knowing what you have and how they communicate/protect, you will be able to mitigate risks as they arise – for example…

Page 28

Best practices for patch management – cont’

D. Compare vulnerabilities against your own system inventory – there are online services providing vulnerability reports in real time, or you can manage this on your own

– Only worry about vulnerabilities relating to your infrastructure and apps

– Rationalising OS and apps reduces this job

– Knowing your apps and infrastructure is essential to mitigating the risk

E. Classify the risk

– Assess the vulnerability of your systems and the likelihood of the attack

– Is the resource impacted by a vulnerability inside your network, a mission critical resource, the cost of the resource going down

Page 29

Best practices for patch management – cont’

F. Apply the patch

– You know which systems are impacted, the severity of the vulnerability and the cost of doing nothing – you now need to schedule the update without impacting your internal systems

– This is where a patch management tool can more than pay for itself and ease this burden – solutions like Labtech, Autotask, Continuum, Kaseya & SCCM really help with the burden of patching
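Steps A to F above are one workflow: inventory, standardise, match advisories against what you actually run, weight each match by exposure, criticality and downtime cost, then schedule. The script below is an added example of that workflow end to end; it is not Webroot's code or any of the named patch tools. The inventory, the advisory feed (the "ADV-" identifiers and version numbers are placeholders, not real bulletins), the weighting factors, the tier thresholds and the maintenance windows are all assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Asset:
    hostname: str
    owner: str
    location: str
    department: str
    software: dict[str, str]      # product -> installed version; the OS is listed as a product too
    mission_critical: bool
    internet_facing: bool
    downtime_cost_per_hour: float


@dataclass
class Advisory:
    advisory_id: str              # placeholder identifier, not a real CVE or vendor bulletin
    product: str
    fixed_in: str                 # first version that carries the fix
    severity: float               # CVSS-style base score, 0 to 10


@dataclass
class Finding:
    hostname: str
    advisory_id: str
    risk_score: float
    tier: str
    window: str


# Step A: constructed inventory with owner, location and department recorded.
INVENTORY = [
    Asset("web-01", "ops-team", "DC-London", "Sales",
          {"Windows Server": "6.3.9600", "Java": "8.0.45"}, True, True, 5000.0),
    Asset("fs-01", "it-team", "DC-London", "Finance",
          {"Windows Server": "6.3.9600", "Java": "8.0.51", "Flash": "18.0.0.160"}, True, False, 2000.0),
    Asset("kiosk-07", "facilities", "Office-Leeds", "Reception",
          {"Windows Desktop": "6.1.7601", "Flash": "18.0.0.160"}, False, False, 50.0),
]

# Step D input: constructed vulnerability feed; IDs and versions are placeholders.
ADVISORIES = [
    Advisory("ADV-0001", "Java", "8.0.51", 9.0),
    Advisory("ADV-0002", "Flash", "18.0.0.209", 8.5),
]

# Step F: maintenance window per tier (assumed policy).
WINDOWS = {
    "Critical": "emergency change window within 48 hours",
    "High": "next weekly maintenance window",
    "Medium": "next monthly patch cycle",
    "Low": "next quarterly patch cycle",
}


def parse_version(version: str) -> tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def version_lt(installed: str, fixed_in: str) -> bool:
    """Dotted-version comparison with zero padding, so 8.0 < 8.0.1."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def is_affected(asset: Asset, advisory: Advisory) -> bool:
    """Step D: only vulnerabilities for software actually in the inventory count."""
    installed = asset.software.get(advisory.product)
    return installed is not None and version_lt(installed, advisory.fixed_in)


def software_variants(inventory: list[Asset]) -> dict[str, set[str]]:
    """Step B helper: product -> distinct versions in use; more than one is a rationalisation candidate."""
    variants: dict[str, set[str]] = {}
    for asset in inventory:
        for product, version in asset.software.items():
            variants.setdefault(product, set()).add(version)
    return variants


def classify(asset: Asset, advisory: Advisory) -> tuple[float, str]:
    """Step E: weight severity by exposure, criticality and the cost of the resource going down."""
    exposure = 2.0 if asset.internet_facing else 1.0
    criticality = 1.5 if asset.mission_critical else 1.0
    cost_factor = 1.0 + min(asset.downtime_cost_per_hour, 10_000.0) / 10_000.0  # 1.0 .. 2.0
    score = round(advisory.severity * exposure * criticality * cost_factor, 1)  # max 60.0
    if score >= 30:
        tier = "Critical"
    elif score >= 15:
        tier = "High"
    elif score >= 7:
        tier = "Medium"
    else:
        tier = "Low"
    return score, tier


def build_patch_plan(inventory: list[Asset], advisories: list[Advisory]) -> list[Finding]:
    """Steps D to F: match, classify and schedule, highest risk first."""
    plan: list[Finding] = []
    for asset in inventory:
        for adv in advisories:
            if not is_affected(asset, adv):
                continue
            score, tier = classify(asset, adv)
            plan.append(Finding(asset.hostname, adv.advisory_id, score, tier, WINDOWS[tier]))
    plan.sort(key=lambda f: (-f.risk_score, f.hostname))
    return plan


if __name__ == "__main__":
    for product, versions in sorted(software_variants(INVENTORY).items()):
        if len(versions) > 1:
            print(f"standardise {product}: versions in use {sorted(versions)}")
    for f in build_patch_plan(INVENTORY, ADVISORIES):
        print(f"{f.tier:8} {f.risk_score:5} {f.hostname:10} {f.advisory_id}  -> {f.window}")
```

Note how the same Flash advisory lands in different tiers on the file server and the kiosk: the severity is identical, but the inventory attributes from step A (criticality, downtime cost) are what decide the window. That is the practical payoff of the inventory and standardisation steps.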

Page 30

6. Belt and Braces – backup is still vital!

Page 31

Backup that essential resource

» Some things to consider

– It's probably not worth upgrading the storage built into your existing servers

– Buy the kind of data storage devices best suited to the services they support.

• For high performance apps use SCSI, file backups can use IDE/SATA

– If you need to add storage to your company network, consider NAS

» Know your environment…

– It’s basic but… decide what you need to back up

– Understand your data environment

• How much data, how frequently, retention time, data security, speed of restore

– Automate as much of your backup as possible – there are vendors like Datto and Storage Craft specialising in this

– Ensure that backup copies are valid and can be successfully restored

• Keep logs, revisit procedures and test

Page 32

Backup – plan, test and revisit

As with all successful strategies you need to…

– Understand your environment

– Define your appetite for risk and data backup/restoration needs

– Plan your backup strategy

– Evaluate your plan and test
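The two backup slides above both come down to one discipline: take the copy, prove it restores, keep a log, and apply a retention rule. The script below is an added example of that loop, not code from the deck or from any backup vendor it names. It runs entirely inside a temporary directory on constructed sample files: each run copies the source to a timestamped folder with a manifest of SHA-256 hashes, a restore test copies the backup back out and re-hashes it against the manifest, a retention step prunes the oldest copies, and a final step corrupts one copy to show the restore test catching it. Schedule, file contents and the retention count are assumptions.

```python
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file under root; this is the manifest format."""
    return {str(p.relative_to(root)): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def run_backup(source: Path, backup_root: Path, when: datetime) -> Path:
    """Copy source into a timestamped directory and write a hash manifest beside the data."""
    dest = backup_root / when.strftime("%Y%m%dT%H%M%SZ")
    shutil.copytree(source, dest / "data")
    (dest / "manifest.json").write_text(json.dumps(snapshot(source), indent=1))
    return dest


def verify_restore(backup_dir: Path, restore_to: Path) -> bool:
    """Restore into a scratch directory and check every file hash against the manifest."""
    shutil.copytree(backup_dir / "data", restore_to)
    expected = json.loads((backup_dir / "manifest.json").read_text())
    return snapshot(restore_to) == expected


def apply_retention(backup_root: Path, keep: int) -> list[str]:
    """Delete the oldest backups beyond `keep` (timestamped names sort chronologically)."""
    backups = sorted(p for p in backup_root.iterdir() if p.is_dir())
    removed: list[str] = []
    for old in backups[: max(0, len(backups) - keep)]:
        shutil.rmtree(old)
        removed.append(old.name)
    return removed


def demo() -> dict:
    """Constructed run: four nightly backups, retention of three, restore tests, one corrupted copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        (source / "docs").mkdir(parents=True)
        (source / "ledger.csv").write_text("id,amount\n1,10\n")          # constructed sample data
        (source / "docs" / "policy.txt").write_text("backup nightly\n")   # constructed sample data
        backups = root / "backups"
        backups.mkdir()

        first_run = datetime(2016, 4, 12, 2, 0, tzinfo=timezone.utc)
        log = []
        for day in range(4):
            dest = run_backup(source, backups, first_run + timedelta(days=day))
            ok = verify_restore(dest, root / f"restore-{day}")
            log.append({"backup": dest.name, "restore_ok": ok})   # this is the log the slide asks you to keep

        removed = apply_retention(backups, keep=3)

        # Simulate a damaged copy: a changed byte in the data must fail the restore test.
        latest = sorted(backups.iterdir())[-1]
        (latest / "data" / "ledger.csv").write_text("id,amount\n1,99\n")
        tampered_ok = verify_restore(latest, root / "restore-tampered")

        return {
            "log": log,
            "removed": removed,
            "remaining": len(list(backups.iterdir())),
            "tampered_ok": tampered_ok,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The restore test is the part most shops skip; without it the manifest only proves the copy was intact on the night it was taken, not that you can get the data back today.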

Page 33

7. Security Solutions – the last piece of the puzzle

Page 34

Security solutions are still essential

» Typically compromises happen when a rogue application or piece of malware executes on the endpoint

» An effective endpoint security solution is the only way to stop this from happening – antivirus is not dead despite what Symantec have said

» Filtering solutions block malware and scripts before they reach your network

» Security solutions based on definitions for detections are outdated

– You need dynamic detections in real time to be effective against zero-day malware and phishing attacks…

» For larger customers Threat Intelligence feeds are being used

» Aggregating all data in a SIEM is probably advisable for a larger customer

Page 35

Endpoint security

» You pay for what you get – freemium is usually not suitable for business

» AV tests can help to decide which solution is suitable, but these tests are paid for and don’t take account of new and emerging technologies

» Performance and management are important – endpoint security can be difficult to manage and heavy on an endpoint – this should be a consideration

» Getting a referral from an existing user is good practice

» Essential features – Web Threat Shield, anti-malware, anti-spyware, anti-phishing, and features to mitigate the effects of ransomware

Page 36

Filtering Solutions

» Features – Web category filtering, malware protection, data type management & botnet protection

» Profiling – Giving users an informed choice by warning them of potentially harmful sites is really useful; the ability to block uncategorised sites will also reduce risk

» Reporting – The ability to create in depth reports on usage – the solution needs to tell you who did what

» Support – Solid support teams for any software solution make the difference

– Again ask for referrals

Page 37

This presentation is available upon request – email [email protected]

Thank you for your time!