Endpoint Protection Application and Device Control to dynamically control storage devices
From kludge to B.A.U.
Rich Bagurdes, CISSP
Consultant - Threat Intelligence
January 2014
Chicago User Group – January 2014

SEP ADC Storage Control
Agenda
1. Intro
2. Problem Statement
3. Requirements
4. Design/Logic
5. Policy Walkthrough
6. Reporting
7. Summary
(deck V2.0)
Intro
• Started out in IT in 1997
• Finance, Telecom, .com startups…
• 13 years at Discover
  • 5 years
    • Datacenter design
    • OS/2 / Windows Engineering
    • Patch Management
  • 8 years InfoSec
    • Endpoint protection engineer
    • AV/HIPS/Encryption…
Problem Statement
Control Storage Devices
• 2000-2007 – Administrative Controls
  • Written policies – what can be attached
  • Purse strings – prevent users and managers from acquiring
• 2007-2011 – Technical Controls
  • Microsoft GPOs – often didn’t apply – weak enforcement
  • No reporting – fire and forget – or spray and pray…
  • Business reluctance
• 2011 - Present
  • Top-down decision – set at CIO level
  • Flexible but secure system
  • User self-service
  • Detailed reporting (entitlement and actual use)
• Future
  • DLP
Requirements
What you need to succeed!
• Political support and good documentation
• Windows XP – Windows 7
  • XP requires KB943729 Group Policy Preference Client Side Extensions
• Active Directory functional level >2008
• SEP 12 with Application and Device Control AND NTP
• Groups and GPOs to support 4 functional roles
  • Execute/Write/Read
    • Operations, End User Support, BCP users
  • Write/Read
    • VPs and above, select groups that frequently write data (previous analysis)
  • Read
    • Default everyone
  • Lockdown
    • Contractors, offshore, PCI, PII, etc.
• Employee self-service
  • Centralized control, approval workflow
Design and Logic
How does this all work?
• AD groups, AD policies and security filtering
  • 1:1:1 mapping – Group : GPO : Location
  • Plus one catch-all
• GPO security filter
  • Members of the AD group can read, aka “apply”, the policy
  • If the policy is read – a registry key is set
    • HKLM – single key with changing value
    • HKCU – changing key
    • Permission keys
• Registry keys are triggers for SEP ADC
  • HKLM keys are processed by Location Awareness
  • HKCU keys are processed by the ADC policy directly
Policy Walkthrough
GPO Security Filtering
• Security filtering controls who receives the policy
• Remove Authenticated Users
• Only allow members of the AD group to read the desired policy
Policy Walkthrough
Group and GPO details
• Group Policy Preferences set via HKLM
  • String value (REG_SZ)
  • Value name is consistent across all 4 GPOs – but value data changes
  • “StorageKey” in sample policies
Policy Walkthrough
SEP Locations
• Create a location for every group, plus one (N+1)
  • Unassigned group
    • Catches non-domain machines or machines that have not been configured
    • Should be the most common/default state – Read Only in our case
• Notification messages are user friendly
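A help-desk check for the Group : GPO : Location chain described in the Design and SEP Locations slides, written in PowerShell as an added example that is not part of the presentation. It assumes a placeholder registry path and placeholder value-data strings for the four GPOs; the deck only names the REG_SZ value “StorageKey”, and the AD group naming prefix is assumed too.

```powershell
# Added example, not from the presentation: report which SEP ADC storage role a
# workstation should land in, based on the GPO-written registry trigger.
# ASSUMPTIONS: the GPP registry item writes the REG_SZ value "StorageKey" (named
# in the deck) under the placeholder path below, and the four value-data strings
# are placeholders for whatever each of the four GPOs actually sets.
$KeyPath   = 'HKLM:\SOFTWARE\Example\StorageControl'   # placeholder path
$ValueName = 'StorageKey'

# Value data -> SEP location. One location per AD group, plus the catch-all (N+1).
$RoleMap = @{
    'EXEC_WRITE_READ' = 'Execute/Write/Read (Operations, End User Support, BCP)'
    'WRITE_READ'      = 'Write/Read (VPs and above, frequent writers)'
    'READ'            = 'Read (default everyone)'
    'LOCKDOWN'        = 'Lockdown (contractors, offshore, PCI, PII)'
}

function Get-StorageControlState {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No trigger value: the GPO never applied (non-domain or unconfigured
        # machine), so SEP should fall through to the Unassigned location.
        return [pscustomobject]@{ Value = $null; Applied = $false; Location = 'Unassigned (catch-all, Read Only)' }
    }
    $data = [string]$item.$ValueName
    $location = "Unexpected value '$data' - check the GPO; SEP should still fall to Unassigned"
    if ($RoleMap.ContainsKey($data)) { $location = $RoleMap[$data] }
    [pscustomobject]@{ Value = $data; Applied = $true; Location = $location }
}

# Cross-check: the security-filtered GPO only applies to members of the matching
# AD group, so list the current user's storage-control groups (prefix assumed).
function Get-StorageControlGroups {
    whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Group Name' -like '*StorageControl*' } |
        Select-Object -ExpandProperty 'Group Name'
}

$state = Get-StorageControlState
'StorageKey value : {0}' -f $state.Value
'GPO applied      : {0}' -f $state.Applied
'Expected location: {0}' -f $state.Location
'Storage groups   : {0}' -f ((Get-StorageControlGroups) -join ', ')
```

Compare the “Expected location” line with the location the SEP client actually shows; a mismatch with the key present points at the Location Awareness condition, and a missing key with the user in the right group points at the GPO security filter or the KB943729 client-side extensions on XP.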
Policy Walkthrough
Application Controls and Rule Sets
• Unique ADC policy for each location
• Rule set to control functions
• Include a rule set to protect the Storage Control keys
• Use the Test and Production modes
  • A rule that would normally “prevent” an action can easily be turned into a “monitoring” policy with a mode flip
Policy Walkthrough
Application Rules
• Every rule must have at least one application (*)
• Rules are processed from the top down
  • Allow actions go before the block actions
• Keep track of rule names, actions and severity
  • Important for later reporting and analysis
• Concise/clear notifications on blocks, <100 characters
• USB flash drives and USB hard drives need different controls
  • Flash drives, floppy drives and CD/DVD drives are controlled via “Drive Type”
  • USB hard drives are controlled via the USBSTOR* device ID type
• Restricting DVD/CD burning is very tricky
  • IMAPI restrictions by file hash + restricted apps + GPOs
Reporting
Native Tools
• Potential for a lot of data
  • Consider users who frequently back up, or move many files around
• Deep analysis is hard with native reporting
  • Logs – Filter, Export, Excel Filter, Merge, Repeat
• Event logs: Monitors > Logs and choose:
  • Log type = Application and Device Control
  • Log content = Application Control
Reporting
IT Analytics
• IT Analytics or another analytics platform is needed
  • Count of writes or execution use per user per month
  • Drill down to names of files written, types of USB devices in use, etc.
  • Track execution of unauthorized software, “portable” executables
  • Build your case for DLP
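The “count per user per month” roll-up from the two Reporting slides, done in PowerShell over a Monitors > Logs export, as an added example that is not from the presentation. The column names are assumptions standing in for whatever the SEPM export actually produces, and the rows are constructed; the grouping keys are the rule name and action the Application Rules slide says to keep consistent.

```powershell
# Added example, not from the presentation: turn a Monitors > Logs export
# (Application Control content) into the per-user, per-month counts the deck
# wants before building the DLP case. ASSUMPTIONS: the column names below stand
# in for whatever the SEPM export actually produces; the rows are constructed.
$SampleExport = @'
Event Time,User Name,Rule Name,Action,Device
2014-01-06 09:12:44,jdoe,Storage-Write-Block,Blocked,USBSTOR\Disk&Ven_Kingston
2014-01-06 09:13:01,jdoe,Storage-Write-Block,Blocked,USBSTOR\Disk&Ven_Kingston
2014-01-15 14:02:10,asmith,Storage-Exec-Monitor,Logged,USBSTOR\Disk&Ven_SanDisk
2014-02-03 08:45:33,jdoe,Storage-Write-Block,Blocked,USBSTOR\Disk&Ven_Kingston
2014-02-20 16:20:05,asmith,Storage-Exec-Monitor,Logged,USBSTOR\Disk&Ven_SanDisk
2014-02-20 16:21:17,asmith,Storage-Exec-Monitor,Logged,USBSTOR\Disk&Ven_SanDisk
'@

function Get-StorageUsageSummary {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [int]$ReviewThreshold = 2     # events per user/month/rule worth a closer look
    )
    $rows = $CsvText | ConvertFrom-Csv
    foreach ($r in $rows) {
        # Roll each event up into a yyyy-MM bucket; rule name and action are the
        # fields the deck says to keep consistent for exactly this kind of analysis.
        $r | Add-Member -NotePropertyName Month -NotePropertyValue ([datetime]$r.'Event Time').ToString('yyyy-MM')
    }
    $rows | Group-Object 'User Name', Month, 'Rule Name', Action | ForEach-Object {
        $first = $_.Group[0]
        $flag  = ''
        if ($_.Count -ge $ReviewThreshold) { $flag = 'REVIEW' }
        [pscustomobject]@{
            User    = $first.'User Name'
            Month   = $first.Month
            Rule    = $first.'Rule Name'
            Action  = $first.Action
            Count   = $_.Count
            Devices = ($_.Group.Device | Sort-Object -Unique) -join ';'
            Flag    = $flag
        }
    } | Sort-Object User, Month, Rule
}

# Usage: replace $SampleExport with (Get-Content -Raw .\adc-export.csv) for a real export.
Get-StorageUsageSummary -CsvText $SampleExport | Format-Table -AutoSize
```

Rules run in Test mode show up here as “Logged” rows, so the same table shows what a rule would have blocked before it is flipped to Production.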
Summary
Important points
• Support from the top
• Test, then test some more
• Good documentation – focus on process and help desk
• Manage this like a program, not just a project
• References
  • Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies
  • How to block CD/DVD Writing in Windows 7
  • Location Awareness: Using registry values to switch locations
  • Creating custom application control rules
  • Testing application control rule sets
Rich Bagurdes
RichardBagurdes@discover.com