1 / 26

Endpoint Security 2.0: Next Generation Solutions & Why They Are Needed

Endpoint Security 2.0: Next Generation Solutions & Why They Are Needed . Greg Valentine gvalentine@coretrace.com Solutions Engineer CoreTrace Corporation. October 2008. Today’s Endpoint Control Challenges. Current generation endpoint security solutions are no longer effective:

viola
Download Presentation

Endpoint Security 2.0: Next Generation Solutions & Why They Are Needed

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Endpoint Security 2.0: Next Generation Solutions & Why They Are Needed Greg Valentine gvalentine@coretrace.com Solutions Engineer CoreTrace Corporation October 2008

  2. Today’s Endpoint Control Challenges • Current generation endpoint security solutions are no longereffective: • Malware is more targeted and increasing in volume and sophistication • Blacklisting & heuristics-based solutions are failing to catch zero day attacks • The Security — IT Operations balancing act • Frequent patching • Configuration control • Preventing UNAUTHORIZED change & rapidly allowing AUTHORIZED change • Help Desk burden • Compliance & Governance

  3. Overview • Endpoint Security 1.0 • Anti-virus Technology • Evolution of Malware • Malware Cloaking Techniques • Shortfalls of Endpoint Security 1.0 • A Broad Look at All Security Technologies • Endpoint Security 2.0 • Definition of Application Whitelisting • Implementation Philosophies • Concept of Authorized Change • Some Shortfalls • What the Press is Saying • Summary

  4. Antivirus Technology • Scans files for viruses • Several Components • A virus signature database • A remediation database • A kernel driver • One or more user mode applications • Two Important Modes • Traditional disk scan • On-access scanning • Limitations • Only as good as the database • Consumes system resources • Intrusive

  5. Inside On-Access Scanning AV filter intercepts application file open Stops the I/O and lets service scan the file If the file contains a virus that can’t be cleaned,AV quarantines and blocks open Application Antivirus Service user mode signature database kernel mode Antivirus Filter Driver File System Driver

  6. Evolution of Malware • Malware, including spyware, adware and viruses want to be hard to detect and hard to remove • Rootkits are a fast evolving technology to achieve these goals • Cloaking technology applied to malware • Not malware by itself • Example rootkit-based viruses: W32.Maslan.A@mm, W32.Opasa@mm • Rootkit history • Appeared as stealth viruses • One of the first known PC viruses, Brain, was stealth • First “rootkit” appeared on SunOS in 1994 • Replacement of core system utilities (ls, ps, etc.) to hide malware processes

  7. Cloaking Modern rootkits can cloak Several major rootkit technologies • Processes • Services • TCP/IP ports • Files • Registry keys • User accounts • User-mode API filtering • Kernel-mode API filtering • Kernel-mode data structure manipulation • Process hijacking Visit www.rootkit.com for rootkit tools and information

  8. Explorer.exe,Winlogon.exe Explorer.exe, Malware.exe, Winlogon.exe User-mode API Filtering Attack user-mode system query APIs Pro: can infect unprivileged user accounts Con: can be bypassed by going directly to kernel-mode APIs Examples: HackerDefender, Afx Taskmgr.exe Ntdll.dll Rootkit user mode kernel mode

  9. Explorer.exe,Winlogon.exe Explorer.exe,Winlogon.exe Explorer.exe, Malware.exe,Winlogon.exe Kernel-mode API Filtering • Attack kernel-mode system query APIs • Pro: very thorough cloak • Cons: requires admin privilege to install • difficult to write • Example: NT Rootkit Ntdll.dll Taskmgr.exe user mode kernel mode Rootkit

  10. Kernel-mode Data Structure Manipulation • Also called Direct Kernel Object Manipulation • Attacks active process data structure • Query API doesn’t see the process • Kernel still schedules process’ threads • Pro: more advanced variations possible • Cons: requires admin privilege to install • can cause crashes • detection already developed • Example: FU & FU2 Malware.exe Explorer.exe Winlogon.exe ActiveProcesses

  11. Process Hijacking • Hide inside a legitimate process • Pro: extremely hard to detect • Con: doesn’t survive reboot • Example: Code Red Explorer.exe Malware

  12. Malware Is a Booming Business! www.av-test.org — 2008

  13. “Larger Prey are Targets of Phishing”(April 16, 2008) 1 2 User baited with false subpoena e-mail User opens document Downloads keylogger or remote access Trojan 3 • More than 2000 executives infected • Detected by fewer than 40% of current AV products

  14. Even Blacklist-based Vendors Agree —A New Approach Is Needed! “The relationship between signature-based antivirus companies and the virus writers is almost comical. One releases something and then the other reacts, and they go back and forth. It's a silly little arms race that has no end.” Greg Shipley • CTO, Neohapsis “If the trend continues and bad programs outnumber good ones, then scanning for legitimate applications (whitelisting) makes more sense from both an efficiency and effectiveness perspective.” Mark Bregman • CTO, Symantec Corp. “Authenticate software that is allowed to run and let nothing else run. Anti-virus is a poor IT Security solution because it doesn’t do that. Instead it tries to spot software it thinks is bad. Anti-virus comes from a bygone era and that is where it belongs.” Robin Bloor • Partner, Hurwitz & Associates

  15. Protecting Critical Systems —What Is Needed Today? Gartner’s Nine Styles of HIPS Framework Allow Known Good (Block All Else) Block Known Bad (Allow All Else) Block Known Bad (Allow All Else) Unknown Unknown Application Control Resource Shielding Behavioral Containment Resource Shielding Behavioral Containment Execution Level Application and System Hardening Application Inspection Application Inspection Application Level Antivirus Antivirus Host Firewall Attack-Facing Network Inspection Vulnerability-Facing Network Inspection Attack-Facing Network Inspection Vulnerability-Facing Network Inspection Network Level

  16. Ogren Group:The Three Tenets of Endpoint Security • Control what you know • Easier to control what is known than try to control unknown attacks. • Control at the lowest possible level • Only security software that functions in the kernel can reliably deliver the controlsthat IT requires. • Control transparently • Security must be transparent to end-users and not create administrative burdento operational staff.

  17. Definition of Application Whitelisting • What is Whitelisting? • List of ‘Good’ Applications • Objectives • Tracking Applications • Only Listed Applications Run • Listed Applications are ‘Good’ • Some Currently Used List Attributes • Signed Binaries • Microsoft Group Policy Objects • Hashed Executables • Simple Executable Names w/Release Dates • Combinations of these

  18. Philosophy of ‘Good’ • How do you Determine Good? • Trusted Source • Signed Binary • Mega-whitelist Database • What do you do with Unknowns? • Recently Released Applications • Proprietary Applications • Miscellaneous dlls, drivers, etc. • CoreTrace Position • Build Whitelist from the Systems Themselves • Ideally Start with a New, Clean System

  19. Kernel-Level Application Whitelisting • Protect from within the kernel of the OS • Enforce a whitelist of approved applications only • Extend the whitelist to include memory protection • Utilize minimal system resources Rogue Application Whitelisted Application User Space Kernel Space / OS System Resources

  20. Enhance IT Operations • Security - IT Operations Balancing Act • Frequent Patching • Image Management • Preventing UNAUTHORIZED change & rapidly allowing AUTHORIZED change • Application Whitelisting must Allow Authorized Change • Periodic Application and Operating System Updates • Applications Available from Internal Server • Ad-hoc Application Installation by Authorized Users • Application Whitelisting can Enhance Operations • Patch on a Controlled Schedule • Allow Users Access to Approved Applications • Control Authorized Applications on Every Endpoint • East to Enforce, Monitor, and Report for Compliance

  21. How Authorized Change should work: Establish Trust Models in Administrator Console Establish Trust Models in Administrator Console Deploy Client to Multiple Endpoints Auto-Generate Custom Whitelist for Each Endpoint Trusted Updater: SMSAdmin.exe Trusted Application: Project.msl Trusted Network Share: \\server\share\ Trusted User: CORP\TomJ Trusted Digital Certificate: Microsoft Windows AutomaticallyEnforce Whitelist (Stopping Unauthorized Applications & Malware) Update Custom Whitelist for New Trusted Applications Report on Security or Configuration Issues

  22. Positive Environment for Users • User Expectations are Already Set • Company Policies • Compliance Requirements • Daily Business Operations • What can the User do on the Personal Computer? • Whitelist Policy can Match Up • Power User Allowing Regular Changes • Regular User Allowing Updates for Approved Software • Single Purpose System in Lockdown Configuration • Control and Monitor Change • Oversee Problem Users • Reporting for Compliance • Redirect Corporate Culture as Required

  23. What Does it Do For Me? • Only authorized code can execute • No zero-day threats • No chronic signature updating • No paying for chronic signature updating • Benefits of an Application Whitelisting approach • Blocks malware and unlicensed/ unauthorized software from installing and executing • Eliminates reactive security patching • Eliminates unplanned or unmanaged configuration drift • Shortfalls of the Technology • Privilege escalation via vulnerability exploitation • Doesn’t prevent data modification or theft • Some browser exploitation, e.g. certain plug-ins

  24. Press Coverage for Whitelisting is Exploding • Security Vendors Embrace Application Whitelisting • Antivirus is 'completely wasted money': Cisco CSO • Security experts look to 'whitelisting' future • Coming: A Change in Tactics in Malware Battle • Whitelisting and Trust • The Real Dirt on Whitelisting • Black versus White • Redefining Anti-Virus Software • McAfee CEO: Adware is killing AV blacklisting

  25. Summary • Application Whitelisting is the new foundation of endpoint control • Application whitelisting solutions must be able to easily andimmediately handle change • Application Whitelisting dramatically lowers endpoint TCO • Automatically prevents unauthorized and unplanned change • Easily allows authorized and planned change • Automatically meets compliance requirements for control and visibility • Dramatically improves security — with significantly less effort

  26. Thank You!Greg Valentinegvalentine@coretrace.com

More Related