It’s Your Move: The Changing Game of Endpoint Security
TRANSCRIPT
Today’s Speakers
Paul Henry, Security & Forensics Analyst (MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI, CCE)
Paul Zimski, VP of Solution Strategy, Lumension
Doug Walls, CIO, EMSolutions
Jason Brown, Network Engineer, EMSolutions
Today’s Agenda
How the “Bad Guys” Changed the Rules
Key Moves We Can Make to Regain Control
Real World IT Security Experience
Q&A
How the “Bad Guys” Have Changed the Rules
Current Day Recipe For Disaster
Perform steps 1 to 5:
1. Bait an End User with Spear Phishing
2. Exploit a Vulnerability
3. Download a Back Door
4. Establish a Back Channel
5. Explore and Steal
Select another victim.
Repeat.
Advanced Persistent Threats
Highly skilled cyber armies are unleashing new advanced malware.
While many of these attacks are well organized, they have simply taken advantage of the same old mistakes we’ve been making for years.
Our Flaw Remediation Is Missing The Target
• Since 2009 the most attacked software has been third-party applications and browser add-ons such as Adobe and QuickTime products.
• Yet we still focus our patching effort on the Microsoft OS and applications.
The bad guys know it… and are taking full advantage
Traditional AV Can No Longer Keep Up
• More than 73,000 new malware instances every day.
• Obfuscation has effectively rendered traditional signature-based defenses useless.
• Polymorphic malware that alters its signature with each infection has become commonplace.
Our defenses must evolve!
What Did We Expect Was Going To Happen?
• We are using the same defenses that failed us for the last decade…
» Focused on the gateway, and we have neglected our endpoints.
» Focused on blocking the delivery of malware, not preventing its execution.
Unless we make a definitive change in our defenses, we can expect the same results…
Next Generation Malware Has Arrived
Flux is a new Trojan spreading covertly through the internet.
• Instead of the infected machine waiting for a connection to be made from outside, the infected machine makes the connection itself.
• Introduces a new technique of code injection: Flux writes code directly into a host process and executes it there.
• Circumvents several desktop firewalls and is nearly invisible to current anti-malware software.
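The outbound “back channel” (step 4 of the recipe above, and the Flux habit of making the connection itself) is exactly what an inbound-focused firewall never sees. It does, however, leave a trail in the egress log: an implant calls home on a schedule, with requests of nearly the same size each time. The Python below is an added example, not code from the slides or from any speaker; it flags such beaconing in constructed proxy/firewall log lines. The field order (timestamp, source IP, destination host:port, bytes sent) is an assumption, not any product’s real log format.

```python
"""Added example: spotting a malware "back channel" (beacon) in egress logs.
The log lines are constructed for this example; the field order is assumed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: 10.0.0.15 beacons to 203.0.113.10:443 about once a minute;
# 10.0.0.22 is a person browsing 198.51.100.7 at irregular intervals.
SAMPLE_LOG = """\
2011-03-01T09:00:00 10.0.0.15 203.0.113.10:443 412
2011-03-01T09:00:05 10.0.0.15 198.51.100.7:80 18233
2011-03-01T09:01:00 10.0.0.15 203.0.113.10:443 409
2011-03-01T09:02:01 10.0.0.15 203.0.113.10:443 415
2011-03-01T09:02:30 10.0.0.22 198.51.100.7:80 5021
2011-03-01T09:02:33 10.0.0.22 198.51.100.7:80 77120
2011-03-01T09:03:00 10.0.0.15 203.0.113.10:443 410
2011-03-01T09:04:00 10.0.0.15 203.0.113.10:443 413
2011-03-01T09:05:01 10.0.0.15 203.0.113.10:443 411
2011-03-01T09:07:15 10.0.0.22 198.51.100.7:80 1302
2011-03-01T09:06:00 10.0.0.15 203.0.113.10:443 414
2011-03-01T09:08:02 10.0.0.22 198.51.100.7:80 26511
2011-03-01T09:20:40 10.0.0.22 198.51.100.7:80 9004
2011-03-01T09:21:00 10.0.0.22 198.51.100.7:80 3310
"""


def parse_log(text):
    """Parse 'timestamp src dst bytes' lines into (datetime, src, dst, bytes)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sent = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(sent)))
    return events


def find_beacons(events, min_connections=5, max_jitter=0.15, max_size_spread=0.25):
    """Return (src, dst) pairs whose connections are regular in time and uniform
    in size. jitter = stddev(gap) / mean(gap): a person browsing the same site
    produces gaps that vary by far more than 15 %; a sleep(60) loop does not."""
    by_pair = defaultdict(list)
    for ts, src, dst, sent in events:
        by_pair[(src, dst)].append((ts, sent))
    hits = []
    for (src, dst), conns in by_pair.items():
        if len(conns) < min_connections:
            continue
        conns.sort()                      # logs are not always in time order
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        sizes = [sent for _, sent in conns]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        jitter = pstdev(gaps) / avg_gap
        size_spread = pstdev(sizes) / mean(sizes)
        if jitter <= max_jitter and size_spread <= max_size_spread:
            hits.append({"src": src, "dst": dst, "count": len(conns),
                         "interval_s": round(avg_gap, 1), "jitter": round(jitter, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} every "
              f"{hit['interval_s']}s x{hit['count']} (jitter {hit['jitter']})")
```

On the sample data only the 10.0.0.15 to 203.0.113.10:443 pair is reported. The check is one signal, not a verdict: an implant that randomizes its sleep interval or pads its requests will push the jitter and size spread above these thresholds, so pair it with destination reputation and, on the endpoint, with the question the rest of this deck asks: is the process making the connection one the whitelist knows?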
If a “bad guy” can…
1. Persuade you to run his program on your computer...
2. Alter the operating system on your computer…
3. Gain unrestricted physical access to your computer…
4. Upload programs to your website…
5. Crack your passwords…
… it’s not your computer, website or data anymore.
At the End of the Day…
It doesn’t matter what attack vector is used: the “bad guys” are trying to install and run code on your machines to gain unauthorized control!
Key Moves We Can Make Against the “Bad Guys” to Regain Control
1. Implement Defense-in-Depth Endpoint Security
2. Shift from Threat-Centric to Trust-Based Security
3. Focus on the Operational Basics
4. Manage Those Devices
Key Moves You Can Make
Strategy 1: Implement Defense-in-Depth
[Slide graphic: traditional endpoint security with blacklisting as the core, surrounded by patch management and configuration management, facing zero-day attacks, 3rd-party application risk, malware as a service and the sheer volume of malware.]
Defense-in-Depth
• Antivirus will provide some protection against known payloads, and remains a good layer for known-malware detection and removal.
• However, as attack sophistication and targeting increase, antivirus becomes less effective as a primary defense.
• Application control is a much better defense for stopping unknown payloads from installing and executing.
Strategy 2: Stop Malware Payloads
What is Application Whitelisting?
Authorized (whitelisted) applications:
• Operating systems
• Business software
Un-Trusted Applications:
• Known: viruses, worms, Trojans
• Unauthorized: games, iTunes, shareware, unlicensed software
• Unknown: viruses, worms, Trojans, keyloggers, spyware
Trust-Based Security
Flexible Trust
• Trusted Publisher: authorizes applications based on the vendor that “published” them, through the digital signing certificate.
• Trusted Updater: authorizes select systems management solutions to “update” software, patches and custom remediations, while automatically adding them to the whitelist.
• Trusted Path: authorizes applications to run based on their location.
• Local Authorization: allows end users to locally authorize applications that have not otherwise been trusted by the whitelist or any other trust rule.
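To make the two earlier points concrete (a signature blacklist cannot keep up with malware that changes its signature, whereas a whitelist never needs to know the malware at all), and to show how the four flexible-trust rules sit around the whitelist, here is an added example. It is a toy policy engine written for this page, not code from the slides, from Lumension, or from any speaker. Every “binary”, hash, signer name and path is constructed: the byte strings stand in for executables, and the signer string stands in for a signature the real engine would have to verify against a certificate chain.

```python
"""Added example: hash blacklist vs default-deny whitelist with trust rules.
All binaries, hashes, signer names and paths are constructed."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "executables".
GOOD_APP = b"MZ...corporate-reporting-tool-v3"
MALWARE_V1 = b"MZ...downloader"
MALWARE_V2 = MALWARE_V1 + b"\x90"   # one byte of padding: new hash, same behaviour

BLACKLIST = {sha256(MALWARE_V1)}       # threat-centric: a signature for "known bad"
BASE_WHITELIST = {sha256(GOOD_APP)}    # trust-based: hashes of authorized software

TRUSTED_PUBLISHERS = {"Example Corp IT"}                          # verified signer names
TRUSTED_PATHS = ("C:\\Program Files\\",)                          # admin-writable only!
TRUSTED_UPDATERS = {"C:\\Program Files\\Patch Agent\\agent.exe"}  # systems management agent
DENIED_NAMES = {"itunes.exe"}                                     # denied-application policy


def blacklist_verdict(data: bytes) -> str:
    """Allow anything that is not on the list of known bad."""
    return "deny" if sha256(data) in BLACKLIST else "allow"


def whitelist_verdict(path, data, whitelist, signer=None, written_by=None,
                      user_authorized=False, audit=None):
    """Deny anything no rule positively trusts. Order matters: an explicit
    deny beats every trust rule, and the hash whitelist is checked first."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    h = sha256(data)
    if name in DENIED_NAMES:
        return "deny: denied application policy"
    if h in whitelist:
        return "allow: whitelist"
    if signer in TRUSTED_PUBLISHERS:
        return "allow: trusted publisher"
    if written_by in TRUSTED_UPDATERS:
        whitelist.add(h)                # trusted updater: its output is learned
        return "allow: trusted updater"
    if any(path.startswith(p) for p in TRUSTED_PATHS):
        return "allow: trusted path"
    if user_authorized:
        if audit is not None:
            audit.append((path, h))     # local authorization must leave a record
        return "allow: local authorization"
    return "deny: unknown"


def demo():
    """Run each rule once against constructed inputs; returns case -> verdict."""
    wl = set(BASE_WHITELIST)
    audit = []
    dropper = "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"
    report = "C:\\Program Files\\Reports\\report.exe"
    patched = b"MZ...corporate-reporting-tool-v4"
    return {
        "v1_blacklist": blacklist_verdict(MALWARE_V1),             # deny
        "v2_blacklist": blacklist_verdict(MALWARE_V2),             # allow: signature evaded
        "v2_whitelist": whitelist_verdict(dropper, MALWARE_V2, wl),  # deny: unknown
        "good": whitelist_verdict(report, GOOD_APP, wl),
        "signed": whitelist_verdict("C:\\Tools\\helper.exe", b"MZ...helper", wl,
                                    signer="Example Corp IT"),
        "itunes": whitelist_verdict("C:\\Program Files\\iTunes\\iTunes.exe",
                                    b"MZ...itunes", wl),           # deny wins over path
        "updater": whitelist_verdict(report, patched, wl,
                                     written_by="C:\\Program Files\\Patch Agent\\agent.exe"),
        "updater_learned": whitelist_verdict(report, patched, wl),  # now on the whitelist
        "local": whitelist_verdict("C:\\Users\\alice\\tool.exe", b"MZ...tool", wl,
                                   user_authorized=True, audit=audit),
        "audit_entries": len(audit),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} {verdict}")
```

Two caveats fall straight out of the rule order. A trusted path is only as safe as its write permissions: if users (or the local admins the later slide wants limited) can write into it, every file they drop there runs. And a trusted-publisher rule is only as strong as the signature check behind it; the string comparison here stands in for full certificate-chain validation, which a real engine must perform.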
Strategy 3: Focus on the Operational Basics
Assess, Prioritize, Remediate, Repeat
• Identify all IT assets (including platforms, operating systems, applications, network services)
• Monitor external sources for vulnerabilities, threats and intelligence regarding remediation
• Scan all IT assets on a regular schedule for vulnerabilities, patches and configurations
• Maintain an inventory of IT assets
• Maintain a database of remediation intelligence
• Prioritize the order of remediation as a function of risk, compliance, audit and business value
• Model / stage / test remediation before deployment
• Deploy remediation (automated, or manually)
• Train administrators and end-users in vulnerability management best practices
• Scan to verify success of previous remediation
• Report for audit and compliance
• Continue to assess, prioritize and remediate
Source: Aberdeen Group, Managing Vulnerabilities and Threats (No, Anti-Virus is Not Enough), December 2010
Rethink Your Patch Strategy
• The top security priority is “patching client-side software” (source: SANS Institute)
» Streamline patch management and reporting across OSes AND applications
• Patch and defend is not just a Microsoft issue
» More than 2/3 of today’s vulnerabilities come from non-Microsoft applications
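One turn of the assess / prioritize / remediate / repeat loop from the operational-basics slide, as an added example that is not from the slides, from the Aberdeen report or from any speaker. The asset inventory, the vulnerability feed, the CVSS scores and the “exploited in the wild” flags are all constructed; the Microsoft versus non-Microsoft vendor field is there only to show how the share of third-party findings falls out of the join, not as a statistic. The example also covers the verification step: one host is off the network during deployment, and only the re-scan shows it.

```python
"""Added example: one cycle of assess / prioritize / remediate / verify over
a constructed inventory and a constructed vulnerability feed."""
import copy
from collections import Counter

# Assess: asset inventory (constructed). "value" is business value, 1-5.
INVENTORY = [
    {"host": "ws-01", "value": 3,
     "software": {"windows": "6.1.7600", "reader": "9.3", "quicktime": "7.6"}},
    {"host": "ws-02", "value": 5,
     "software": {"windows": "6.1.7600", "reader": "9.4", "flash": "10.1", "java": "6.20"}},
    {"host": "ws-03", "value": 2,
     "software": {"windows": "6.1.7600", "reader": "9.3", "java": "6.20"}},
    {"host": "srv-01", "value": 5,
     "software": {"windows": "6.1.7600", "java": "6.20"}},
]

# Remediation intelligence (constructed): affected product and fixed version.
VULN_FEED = [
    {"id": "V-1", "vendor": "Adobe", "product": "reader", "fixed_in": "9.4", "cvss": 9.3, "exploited": True},
    {"id": "V-2", "vendor": "Apple", "product": "quicktime", "fixed_in": "7.7", "cvss": 9.3, "exploited": False},
    {"id": "V-3", "vendor": "Oracle", "product": "java", "fixed_in": "6.24", "cvss": 10.0, "exploited": True},
    {"id": "V-4", "vendor": "Microsoft", "product": "windows", "fixed_in": "6.1.7601", "cvss": 7.2, "exploited": False},
    {"id": "V-5", "vendor": "Adobe", "product": "flash", "fixed_in": "10.2", "cvss": 9.3, "exploited": True},
]


def vtuple(version: str):
    """Compare versions numerically, not as strings ('6.24' must beat '6.3')."""
    return tuple(int(part) for part in version.split("."))


def assess(inventory, feed):
    """Join inventory to intelligence: one finding per (host, vulnerability)."""
    findings = []
    for asset in inventory:
        for vuln in feed:
            installed = asset["software"].get(vuln["product"])
            if installed and vtuple(installed) < vtuple(vuln["fixed_in"]):
                findings.append({**vuln, "host": asset["host"],
                                 "value": asset["value"], "installed": installed})
    return findings


def prioritize(findings):
    """Exploited-in-the-wild first, then severity, then business value."""
    return sorted(findings, key=lambda f: (f["exploited"], f["cvss"], f["value"]),
                  reverse=True)


def third_party_share(findings):
    """Fraction of findings that are not in Microsoft software."""
    counts = Counter("microsoft" if f["vendor"] == "Microsoft" else "third-party"
                     for f in findings)
    return counts["third-party"] / len(findings) if findings else 0.0


def remediate(inventory, plan, unreachable=frozenset()):
    """Deploy fixes in priority order; hosts off the network miss the window."""
    by_host = {asset["host"]: asset for asset in inventory}
    applied = []
    for f in plan:
        if f["host"] in unreachable:
            continue
        by_host[f["host"]]["software"][f["product"]] = f["fixed_in"]
        applied.append((f["host"], f["id"]))
    return applied


def run_cycle(inventory, feed, unreachable=frozenset()):
    inventory = copy.deepcopy(inventory)       # leave the caller's inventory alone
    plan = prioritize(assess(inventory, feed))
    applied = remediate(inventory, plan, unreachable)
    leftover = assess(inventory, feed)         # re-scan: verify, don't trust the deploy log
    return {
        "findings": len(plan),
        "top": plan[0]["id"] if plan else None,
        "third_party_share": round(third_party_share(plan), 2),
        "applied": len(applied),
        "remaining": [(f["host"], f["id"]) for f in leftover],
    }


if __name__ == "__main__":
    print(run_cycle(INVENTORY, VULN_FEED, unreachable={"ws-03"}))
```

With ws-03 unreachable the deployment report shows eight fixes applied, and only the re-scan reveals the three findings still open on that host; that gap between “deployed” and “verified” is why the loop ends in a scan rather than a report.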
Stop Unwanted Applications
» Immediate and simple risk mitigation
• A Denied Application Policy prevents unwanted applications from running even if they are already installed
• Easily remove unwanted applications
Reduce Local Administrator Risk
» Limit local admin usage
» Monitor and control existing local admins
Strategy 4: Manage those Devices
Real World IT Security Experience
EMSolutions
• Headquartered in Arlington, VA
» Established in May 2000
» Four satellite offices
• Systems Engineering, Information Technology and Information Assurance, Science and Advanced Technology Solutions, and Modeling and Simulation for Government Organizations
IT Security Challenges
• Control use of removable devices on customer network
» Monitor and control data entering and leaving the network
» Audit any and all use of peripherals and media introduced to the network
• Protect dedicated infrastructure that supports unclassified and corporate work
» Ensure constant uptime of hot desks
» Limit risk from local admin users
» Prevent execution of unwanted and malicious apps
» Current AV solution was not effective in preventing the issues
Addressing the Challenge
• Implemented Lumension® Endpoint Management and Security Suite (L.E.M.S.S.)
» Easy process to install, set up and maintain the application whitelist with all currently used corporate OSes and software
» Shifted from another antivirus provider to the AV module within L.E.M.S.S.
• Educated users about potential external threats and internal problems that could arise from lack of precaution
Results
• Improved Security
» Eliminated malware outbreaks
» More robust patch management
• Improved User Productivity
» Optimized performance of end user PCs
» Reduced IT help desk calls/complaints from users regarding malware-related PC issues
• Improved IT Productivity
» Visibility into endpoints, apps and configurations
» Minimized time required for endpoint maintenance and user education
» Reduced admin burden by managing one solution
Q&A
Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828
http://blog.lumension.com