Ogren Group Whitepaper: Tenets of Endpoint Security

Whitepaper Abstract

This special report presents the critical Tenets of Endpoint Control to IT architects with recommended actions for enterprise security officers. Information in this report derives from Ogren Group research and interviews with enterprise security officers of global organizations. Traditional security measures are simply not effective in the modern attack climate. Endpoint control, driven by application whitelisting, now offers an attractive alternative to security suites comprised of recycled security components. The Tenets of Endpoint Control are introduced in this special report. Organizations adopting these tenets and deploying endpoint control solutions are realizing benefits in more effective defenses against attacks, greater end-user satisfaction with performance gains, and lower operating costs due to reductions in the value of attack signature streams.
The Tenets of Endpoint Control
An Ogren Group Special Report
April 2008
Copyright 2008, The Ogren Group. All rights reserved. Page 2
Enterprise IT is paying out large chunks of its security budget for signature-oriented endpoint security products, knowing that those approaches cannot protect the business against lost data from malicious attacks. The question is not best-of-breed versus security suites; the question is why base the primary defense of endpoint assets on technology that is decades old and is proven time and again to be ineffective. Attackers develop targeted attacks, or modify well-known attacks that have proven to be effective for years, that signature approaches have no chance of detecting, blocking, or removing.
Endpoint control is a critical new approach for IT to manage the integrity of endpoints and to protect confidential data. Traditional security measures, currently offered as security suites of commoditized components, are simply not effective in the modern attack climate. Security functions within IT organizations are often caught up in threat myopia, a condition where every threat to the technical infrastructure needs to be analyzed, understood, and blocked at the edge of the network and again at the endpoint. Security has always been a best-of-breed industry. Nobody wants to pay for a third-rate security product or pay for security products that do not work. Endpoint control, driven by application whitelisting, now offers an attractive alternative to security suites comprised of recycled security components.
Endpoint control focuses on the IT requirements to control endpoint configurations. Any unauthorized modification of the configuration is automatically blocked. This effectively thwarts attacks that need a host to execute, storage systems to hide, and network access to propagate. By controlling the endpoint, IT efficiently denies attacks access to key elements on the endpoint. The critical ability to control executables and network access is a model that scales strongly to enterprise levels and is effective at stopping most types of attacks.
The Tenets of Endpoint Control are introduced in this special report. The tenets that IT is following are:
• Control what you know. It is much easier to control configurations and acceptable use policies; it is impossible to control what an attacker might try.
• Control at the lowest possible level. Endpoint control solutions need to operate in the kernel, where they cannot be easily subverted and have visibility to all network, file, and processor operations.
• Control transparently. Endpoint control solutions need to give performance back to the user, and allow them to do their jobs without interruptions from the endpoint security software.
Organizations adopting these tenets and deploying endpoint control solutions are realizing benefits in more effective defenses against attacks, greater end-user satisfaction with performance gains, and lower operating costs due to reductions in the value of attack signature streams. The heightened resistance to execution of unauthorized programs, the prime symptom of an attack that needs to execute to steal confidential data or cause damage, also reduces the amount of panic patch operations and help desk calls that IT must manage.
Why base endpoint defense on old technology that is proven ineffective?

This special report, commissioned by CoreTrace, presents the critical Tenets of Endpoint Control to IT architects with recommended actions for enterprise security officers. Information in this report derives from Ogren Group research and interviews with enterprise security officers of global organizations.

The Problems with Security Suites
The security industry is driving towards endpoint control solutions. IT is learning that it is much easier to control what they know and understand than it is to try to control unknown attacks. Traditional security vendors push signature-based security suites to market to protect subscription revenue streams and to give customers a “defense in depth” solution. However, these suites do not introduce new security capabilities; there are no synergistic benefits.
Moreover, these collections of commoditized defenses do not effectively detect and block attacks. Exhibit 1 shows three attacks, NetSky, Bagle, and Mydoom, that all place executable images on the endpoint, and launching these executables launches the attack. The futility of signature-based approaches is shown by the fact that NetSky and Mydoom have been around since 2004, yet they are thriving as members of the top 10 attacks in the wild as of March 2008.

Exhibit 1: Attacks can succeed without endpoint control
The problems with security suites are well understood and include:
• Attacks change faster than signature files. Attackers develop new attacks, or create variants of existing attacks, faster than security vendors can create signatures and antidotes, and faster than IT can distribute them to the community of endpoints. This leaves enterprises defenseless against new targeted attacks. No matter how fast the security vendor is, they can never thwart an attack before it is already in the wild.
• The larger the list of attacks to scan, the more performance degrades. The blacklist of attacks is increasing at a steady rate. Each day the security suite of signatures will take longer to scan objects or, worse, omit aged signature checks to maintain performance on the endpoint. There is no end to the demands of signature approaches.
• Enterprises pay large sums of money for security suite subscriptions. Subscription services for receiving updates to security suite signature files are one of the larger expenses in the corporate security budget, and they are an ongoing annual expense.
IT is implementing endpoint control solutions as a more scalable approach to preventing malware from executing within the technical infrastructure. Configurations that are locked down have no allowances for unauthorized software. With endpoint control, malicious software cannot execute to steal confidential data or disrupt business processes.

Tenet #1: Control what you know
IT knows what applications each endpoint should be executing and what network accesses should be allowed to abide with corporate use policies. Rather than embarking on the hopeless task of delineating all of the negative actions that might occur, it is much easier to describe what you know and to define acceptable use policies. Endpoint control technology allows IT to define its requirements with the knowledge that actions not complying with IT control policy, such as malicious attacks, will be automatically blocked.
• Identify the acceptable technical environment. Positive whitelist approaches are fundamental to endpoint control architectures. Application whitelists allow IT to describe the desired configuration and acceptable use policies for the endpoint. Any operation not aligned with this policy, even day 0 attacks that are not well understood, is automatically blocked before damage can occur. There are no false positives; if the operation has not been approved it is not allowed to complete. This is the benefit of security without signatures in preventing loss of confidential data from malicious attacks.
• Allow for differences among endpoints. Endpoint control solutions must take into account that any two endpoint devices are seldom identical in configuration. For instance, a difference in endpoint manufacturing dates may be reflected in slight variations in hardware, and resultant versions of device drivers. Endpoint control needs to reside on each endpoint, inspect the device to understand its specific configuration, and then lock down the endpoint according to the dictates of IT control.
• Audit the end-user and the endpoint. Endpoint control provides IT the ability to audit activity in order to replay actions leading up to a policy violation, proactively help users in need of assistance, and document compliance with government and industry regulations. The audit features of endpoint control allow IT to keep the system in tune, and to correct issues before they become problems.
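As an added illustration of this tenet (example code written for this edit, not part of the Ogren Group report or of any CoreTrace product): a default-deny allowlist evaluator that builds a per-endpoint baseline from an inventory of approved executables, identifies programs by content hash rather than by path, confines network access to an approved set of destinations, and records every decision for audit. All file contents, paths, hosts and ports below are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class EndpointPolicy:
    """Per-endpoint allowlist: SHA-256 digests of approved executables plus approved (host, port) pairs."""
    allowed_hashes: set
    allowed_net: set
    audit: list = field(default_factory=list)  # (kind, subject, digest prefix, decision)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(inventory: dict) -> set:
    """Inventory is {path: image bytes} captured from a freshly provisioned, trusted endpoint (constructed)."""
    return {sha256_of(content) for content in inventory.values()}


def check_exec(policy: EndpointPolicy, path: str, image: bytes) -> bool:
    """Default deny: an image runs only if its content hash is in this endpoint's baseline."""
    digest = sha256_of(image)
    allowed = digest in policy.allowed_hashes
    policy.audit.append(("exec", path, digest[:12], "allow" if allowed else "deny"))
    return allowed


def check_connect(policy: EndpointPolicy, host: str, port: int) -> bool:
    """Default deny for network access: only approved destinations may be reached."""
    allowed = (host, port) in policy.allowed_net
    policy.audit.append(("connect", f"{host}:{port}", "", "allow" if allowed else "deny"))
    return allowed


def demo():
    # Two endpoints that differ only in the build of one driver (hypothetical paths and contents).
    inv_a = {"C:/Windows/System32/drivers/nic.sys": b"nic driver build 1001",
             "C:/Program Files/Office/word.exe": b"word binary v12"}
    inv_b = dict(inv_a, **{"C:/Windows/System32/drivers/nic.sys": b"nic driver build 1007"})
    pol_a = EndpointPolicy(build_baseline(inv_a), {("mail.example.com", 25)})
    pol_b = EndpointPolicy(build_baseline(inv_b), {("mail.example.com", 25)})
    drv = "C:/Windows/System32/drivers/nic.sys"
    results = {
        "a_own_driver": check_exec(pol_a, drv, b"nic driver build 1001"),      # each endpoint approves
        "a_other_driver": check_exec(pol_a, drv, b"nic driver build 1007"),    # only its own build
        "b_own_driver": check_exec(pol_b, drv, b"nic driver build 1007"),
        "renamed_copy": check_exec(pol_a, "C:/Temp/w.exe", b"word binary v12"),  # identity is content, not path
        "unknown_binary": check_exec(pol_a, "C:/Users/Public/dropped.exe", b"never seen before"),  # no signature needed
        "smtp": check_connect(pol_a, "mail.example.com", 25),
        "unapproved_dest": check_connect(pol_a, "203.0.113.9", 6667),
    }
    return results, pol_a.audit
```

The audit list is what an operator would replay after a denial: it shows which image or destination was refused on which endpoint, without the evaluator ever needing to recognise the refused object.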
Tenet #2: Control at the lowest level possible

Endpoint control solutions must operate at the lowest possible level. Positioning endpoint control solutions in the kernel of the operating system provides operating benefits that cannot be achieved when operating in user mode. The architectural positioning of endpoint control in the kernel, as shown in Exhibit 2, allows the security software to block execution of unauthorized programs or use of the network that violates security policies. This is a critical implementation decision.

Exhibit 2: Endpoint control executes at the lowest possible level

Only security software that functions in the kernel can reliably deliver the controls that IT requires.
• Inspect all operations. Only endpoint control software operating in the kernel can inspect and correlate storage, network, and processor functions. Kernel-mode security software is granted visibility of the entire endpoint, allowing the solution to inspect all operations to make optimal decisions on behalf of IT.
• Isolate security from applications. IT can only control the endpoint if the security software executes without interference from applications. This can only be achieved in the kernel, where any operation to subvert IT controls from user-mode applications can be detected and blocked. Attack software executing in user mode cannot subvert the lower-level endpoint control solutions that are executing in the kernel.
• Block inappropriate activity from reaching applications. The only way to prevent inappropriate executables from operating, or to prevent I/O requests from violating corporate policy, is to intercede between the application and the operating system. Endpoint control software can block nefarious activity in the kernel, before that activity can affect the endpoint or work its way into the kernel.
Tenet #3: Control transparently

The acceptance of end-users is critical to the success of an endpoint control program, whether that endpoint is a desktop or a server. Controls that intrude upon the user experience will be rejected. Security must be transparent to the end-users, and not create administrative burdens to operations staff.
• Preserve the user experience. Endpoint control solutions are required to make allow/deny decisions without interrupting the users of the endpoint. The users must not even know that IT is controlling their endpoint configurations. Prompts, questions, and notifications should be kept to a minimum.
• Insist on no performance degradation. Endpoint control, because it operates on a much shorter whitelist than attack signature approaches, returns processing power and memory to business applications. End-users are apt to disengage security suites to gain time. Endpoint control technology needs to operate at better than 10 times the performance levels of signature approaches. That gives IT greater effectiveness at stopping attacks while freeing more performance for business applications.
• Keep administrative actions confidential. The security of communications between administrative consoles and endpoints is an important ingredient in allowing IT to control transparently. Mutual authentication, encrypted communications, and secure delivery of audit information allow IT to control corporate endpoints without requiring end-user participation in the management of the device.
Conclusions

Traditional suites of software packaged by security vendors fall far short of the requirements for protecting corporate endpoints. This is demonstrated every day by the failure of signature-based security to protect the business against data loss or disruption of services due to malicious code executing on endpoints. Signature-based approaches, common in suites of products such as anti-virus, anti-spyware, intrusion prevention, data leakage prevention, and personal firewalls, cannot keep up with the pace of new attacks nor have any chance of recognizing a new variant of a historically effective attack.
IT would be better served by controlling their desktop and server infrastructure to detect and block inappropriate actions before damage can be done. The tools are available today for IT to control endpoints based on what people need to do their jobs. These tools are isolated from user-mode applications by integrating into the kernel.
The tenets of endpoint control bear repeating:
• Control what you know
• Control at the lowest level possible
• Control transparently
Investigate endpoint control technology in a controlled data center environment. Deploy the products on servers that require resistance to attacks, but cannot afford the performance penalties of signature suites. Once you become comfortable with the effectiveness of endpoint control, plan to extend the deployment to desktops and laptops.
You will find that these tenets of endpoint control effectively protect against malicious code attacks, allow IT resources to concentrate on aligning the technical infrastructure with dynamic business requirements, and enhance end-user experiences via increased performance. Increased control also means that some day you will never have to pay for security signatures again.
The Ogren Group Special Report is published for the sole use of Ogren Group clients. It may not be duplicated, reproduced, or transmitted in whole or in part without the express permission of the Ogren Group, 92 Robert Road, Stow, MA 01775. For more information, contact the Ogren Group: info@ogrengroup.com. All rights reserved. All opinions and estimates herein constitute our judgment as of this date and are subject to change without notice.