It’s Your Move: The Changing Game of Endpoint Security

Upload: lumension

Post on 20-Aug-2015


TRANSCRIPT

Page 1: It's Your Move: The Changing Game of Endpoint Security

It’s Your Move: The Changing Game of Endpoint Security

Page 2

Today’s Speakers

Paul Henry, Security & Forensics Analyst (MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI, CCE)

Paul Zimski, VP of Solution Strategy, Lumension

Doug Walls, CIO, EMSolutions

Jason Brown, Network Engineer, EMSolutions

Page 3

Today’s Agenda

How the “Bad Guys” Changed the Rules

Key Moves We Can Make to Regain Control

Real World IT Security Experience

Q&A

Page 4

How the “Bad Guys” Have Changed the Rules

Page 5

Current Day Recipe For Disaster

Perform steps 1 to 5 below.

1. Bait an End User with Spear Phishing

2. Exploit a Vulnerability

3. Download a Back Door

4. Establish a Back Channel

5. Explore and Steal

Select another victim. Repeat.

Page 6

Advanced Persistent Threats

Highly skilled Cyber Armies unleashing new Advanced Malware…

While many of these attacks are well organized, they have simply taken advantage of the same old mistakes we’ve been making for years.

Page 7

Our Flaw Remediation Is Missing The Target

• Since 2009 the most hacked software has been 3rd party apps and browser add-ons like Adobe and QuickTime.

• Yet we still today focus our attention on patching Microsoft OS/Applications.

The bad guys know it… and are taking full advantage.

Page 8

Traditional AV Can No Longer Keep Up

• More than 73,000 new malware instances every day.

• Obfuscation has effectively rendered traditional signature based defenses useless.

• Polymorphic malware that alters its signature with each infection has become commonplace.

Our defenses must evolve!

Page 9

What Did We Expect Was Going To Happen?

• We are using the same defenses that failed us for the last decade…

» Focused on the gateway, and we have neglected our endpoints.

» Focused on blocking the delivery of malware, not preventing its execution.

Unless we make a definitive change in our defenses, we can expect the same results…

Page 10

Next Generation Malware Has Arrived

Flux is a new Trojan spreading covertly through the internet.

• Instead of the infected machine waiting for a connection to be made from outside, the infected machine makes the connection itself.

• Introduces a new technique of code injection – Flux writes code directly into a host process and executes it there.

• Circumvents several desktop firewalls and is nearly invisible to current anti-malware software.

Page 11

If a “bad guy” can…

1. Persuade you to run his program on your computer…

2. Alter the operating system on your computer…

3. Gain unrestricted physical access to your computer…

4. Upload programs to your website…

5. Crack your passwords…

… it’s not your computer, website or data anymore.

Page 12

At the End of the Day…

It doesn’t matter what attack vector is used… the “bad guys” are trying to install and run code on your machines to gain unauthorized control!

Page 13

Key Moves We Can Make Against the “Bad Guys” to Regain Control

Page 14

Key Moves You Can Make

1. Implement Defense-in-Depth Endpoint Security

2. Shift from Threat-Centric to Trust-Based Security

3. Focus on the Operational Basics

4. Manage Those Devices

Page 15

Strategy 1: Implement Defense-in-Depth

[Diagram. Labels shown: Blacklisting As The Core, Zero Day, 3rd Party Application Risk, Malware As a Service, Volume of Malware, Traditional Endpoint Security, Patch & Configuration Mgmt., Defense-In-Depth.]

Page 16

Strategy 2: Stop Malware Payloads

• Antivirus will provide some protection against known payloads, and remains a good layer for known malware detection and removal.

• However, as attack sophistication and targeting increase, antivirus becomes less effective as a primary defense.

• Application control is a much better defense to stop unknown payloads from installing.

Page 17

What is Application Whitelisting?

[Diagram: a two-by-two matrix of Applications vs. Malware. Only the Authorized quadrant is trusted; everything else is Un-Trusted.]

• Applications, Authorized: Operating Systems, Business Software

• Applications, Unauthorized: Games, iTunes, Shareware, Unlicensed S/W

• Malware, Known: Viruses, Worms, Trojans

• Malware, Unknown: Viruses, Worms, Trojans, Keyloggers, Spyware

Page 18

Trust-Based Security

Page 19

Flexible Trust

• Trusted Publisher: authorizes applications based on the vendor that “published” them, through the digital signing certificate.

• Trusted Updater: authorizes select systems management solutions to “update” software, patches and custom remediations, while automatically adding them to the whitelist.

• Trusted Path: authorizes applications to run based on their location.

• Local Authorization: allows end-users to locally authorize applications which have not been otherwise trusted by the whitelist or any other trust rules.
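As an added example (not Lumension's code and not from the deck), a small Python decision engine that evaluates an execution request against the four trust rules above, checked from most to least specific. The policy values, hashes, signer name and file records are constructed for the illustration, and the extra condition that a Trusted Path must not be writable by standard users is an assumption added here, not a rule the slide states.

```python
# Toy application-control decision engine illustrating the four Flexible Trust
# rules (Trusted Publisher, Trusted Updater, Trusted Path, Local Authorization).
# Added example, not Lumension's code; all policy data and records are constructed.
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional, Tuple

@dataclass
class Policy:
    whitelist: set                 # SHA-256 hashes of explicitly authorized binaries
    trusted_publishers: set        # signer subjects accepted via code-signing cert
    trusted_updaters: set          # processes allowed to introduce new binaries
    trusted_paths: tuple           # directories whose contents may run
    local_authorization: bool      # may end users approve otherwise-untrusted binaries?

@dataclass
class FileRecord:
    path: str
    sha256: str
    signer: Optional[str] = None      # verified signing subject; None if unsigned
    written_by: Optional[str] = None  # process that created the file, if known
    user_writable: bool = False       # can a standard user modify this location?
    user_approved: bool = False       # end user explicitly allowed this binary

def under_path(path: str, prefix: str) -> bool:
    """Case-insensitive check that path lies below the prefix directory."""
    parts = [s.lower() for s in PureWindowsPath(path).parts]
    pre = [s.lower() for s in PureWindowsPath(prefix).parts]
    return len(parts) > len(pre) and parts[: len(pre)] == pre

def decide(f: FileRecord, p: Policy) -> Tuple[bool, str]:
    """Return (allow, reason), evaluating rules from most to least specific."""
    if f.sha256 in p.whitelist:
        return True, "whitelist"
    if f.signer and f.signer in p.trusted_publishers:
        return True, "trusted publisher"
    if f.written_by and f.written_by in p.trusted_updaters:
        p.whitelist.add(f.sha256)        # learn the hash so later runs hit rule 1
        return True, "trusted updater"
    # Assumption added here: Trusted Path only holds for locations standard users
    # cannot write to; otherwise anyone could drop a binary there and inherit trust.
    if not f.user_writable and any(under_path(f.path, t) for t in p.trusted_paths):
        return True, "trusted path"
    if p.local_authorization and f.user_approved:
        return True, "local authorization"
    return False, "denied: untrusted"
```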

Page 20

Strategy 3: Focus on the Operational Basics

Assess, Prioritize, Remediate, Repeat

• Identify all IT assets (including platforms, operating systems, applications, network services)

• Monitor external sources for vulnerabilities, threats and intelligence regarding remediation

• Scan all IT assets on a regular schedule for vulnerabilities, patches and configurations

• Maintain an inventory of IT assets

• Maintain a database of remediation intelligence

• Prioritize the order of remediation as a function of risk, compliance, audit and business value

• Model / stage / test remediation before deployment

• Deploy remediation (automated, or manually)

• Train administrators and end-users in vulnerability management best practices

• Scan to verify success of previous remediation

• Report for audit and compliance

• Continue to assess, prioritize and remediate

Source: Aberdeen Group, Managing Vulnerabilities and Threats (No, Anti-Virus is Not Enough), December 2010

Page 21

Rethink Your Patch Strategy

• The top security priority is “patching client-side software”¹

» Streamline patch management and reporting across OS’s AND applications

• Patch and defend is not just a Microsoft issue

» More than 2/3 of today’s vulnerabilities come from non-Microsoft applications

Source: 1 - SANS Institute

Page 22

Stop Unwanted Applications

» Immediate and simple risk mitigation

Denied Application Policy prevents unwanted applications even if they are already installed

Easily remove unwanted applications

Page 23

Reduce Local Administrator Risk

» Limit Local Admin Usage

» Monitor and Control existing Local Admins

Page 24

Strategy 4: Manage those Devices

Page 25

Real World IT Security Experience

Page 26

EMSolutions

• Headquartered in Arlington, VA

» Established in May 2000

» Four Satellite Offices

• Systems Engineering, Information Technology and Information Assurance, Science and Advanced Technology Solutions, and Modeling and Simulation for Government Organizations

Page 27

IT Security Challenges

• Control use of removable devices on customer network

» Monitor and control data entering and leaving network

» Audit any and all use of peripherals and media introduced to the network

• Protect dedicated infrastructure that supports unclassified and corporate work

» Ensure constant uptime of hot desks

» Limit risk from local admin users

» Prevent execution of unwanted and malicious apps

» Current AV solution was not effective in preventing the issues

Page 28

Addressing the Challenge

• Implemented Lumension® Endpoint Management and Security Suite (L.E.M.S.S.)

» Easy process to install, set up and maintain the application whitelist with all currently used corporate OSes and software

» Shifted from another antivirus provider to the AV module within L.E.M.S.S.

• Educated users about potential external threats and internal problems that could arise from lack of precaution

Page 29

Results

• Improved Security

» Eliminated malware outbreaks

» More robust patch management

• Improved User Productivity

» Optimized performance of end user PCs

» Reduced IT help desk calls/complaints from users regarding malware-related PC issues

• Improved IT Productivity

» Visibility into endpoints, apps and configurations

» Minimized time required for endpoint maintenance and user education

» Reduced admin burden by managing one solution

Page 30

Q&A

Page 31

Global Headquarters

8660 East Hartford Drive

Suite 300

Scottsdale, AZ 85255

1.888.725.7828

[email protected]

http://blog.lumension.com