New Trends in End-Point Security Todd Beski Pre-Sales Consultant Todd.beski@securewave.com Phone: 586-477-2006 February 23rd 2006
It’s in the News Current Security Events
Today’s Hot Topic: Patching • Microsoft's delay to patch fuels concerns: Microsoft's decision to cancel a security fix after finding problems with the patch has security experts questioning whether waiting for the fix to come next month might leave them open to attack. • Robert Lemos, SecurityFocus, 2005-09-13 • Unofficial patch – WMF Exploit • For those of you wanting to try an unofficial patch with all the risks involved, please see here (md5 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with ISC key) here. Initially it was only for Windows XP SP2. Fellow handler Tom Liston worked with Ilfak Guilfanov to help confirm some information required to extend it to cover Windows XP SP1 and Windows 2000. Note: When MS comes out with a real patch, simply uninstall this from Add/Remove Programs on the Control Panel. • – SANS Institute
Today’s Hot Topic: Zero Day Virus Protection • Virus Fighters Can't Keep Up: Fast-moving malware has the antivirus industry looking for a new strategy that focuses on proactive, automated tools. • Thomas Claburn, InformationWeek, Dec 19, 2005 12:00 AM • "The majority of products are unable even to guarantee 90% protection. And this is the main problem facing the antivirus industry today." • – Eugene Kaspersky
Today’s Hot Topic: Zero Day Virus Protection • Kaspersky Lab receives 200 to 300 new malware samples a day. Sophos plc, a U.K. research lab, reports that the number of new threats rose by 48% this year. Panda Software warns that more than 10,000 new bots--automated worms or Trojans that infest PCs and turn them into zombies under a hacker's control--have appeared in 2005. "The game has definitely changed over the past few years, even in the past 12 months, about what is an acceptable speed of response to a new virus," says Richard Wang, manager of Sophos labs.
Today’s Hot Topic: SpyWare Protection • “If you use the Internet, there is over a 90% chance your computer is infected with SpyWare” • “25% of all of our Support related calls are SpyWare related” – Dell Computer • Nearly 80% of IT managers claim their organizations have been infiltrated in the last 12 months by spyware. – Information Week
In the News: Unauthorized Applications • Hackers Tap 40 Million Credit Cards • “MasterCard International said card numbers and expiration dates were harvested by a rogue program planted inside the computer network at CardSystems Inc., one of the firms that process merchant requests for credit card authorization. When a retailer swipes a customer's card, the information goes to companies such as CardSystems for approval before getting passed along to banks.”
The Device Control Problem • Diversity of removable media form factors
What Actions to Take • Develop a policy for the use of removable media • Gartner (July 2004) advises companies to forbid employees to use iPods and other USB/FireWire devices
White List vs. Black List Approach
White List vs. Black List Approach • Different approaches, same result: attempt to detect and react to suspicious behaviors • The reactive model: doesn't work • “Seek and Destroy” malware • The blacklist approach: doesn't work • Block or stonewall communications ports • The firewall, port-blocker, and epoxy methods • Use of GPOs: can’t stop malware • Cons of these approaches • Can only detect what it knows about • Constant updates required • Behavior models not exact
White List vs. Black List Approach • Sanctuary White List Approach • Stops spyware cold • No scanning or blacklist signatures • Defends data against theft by securing network endpoints • Only trusted applications are authorized • Only trusted devices are authorized • Everything is “Guilty Until Proven Innocent” • Bottom line: if it is not defined, it will not load to memory or function as a device and becomes DEAD or DEADWARE
Sanctuary, unlike… • Detects the spread of software not approved by policy
Policy Enforcement & Management
Intelligent Device Management • Great gadget or massive security risk? • 2,500 songs, or your entire customer database to go? • Legitimate or dangerous devices?
Sanctuary Device Control: Manage Devices and Access Control, Protect All Ports • Ports: USB, LPT, FireWire, Bluetooth, WiFi, IrDA, PCMCIA, COM, IDE, S-ATA • Devices: USB memory sticks, ZIP drives, USB printers, smart card readers, PDAs, desktop tape drives, scanners, CD/DVD players/burners, hard drives, digital cameras, floppy drives, wireless LAN adapters, biotech devices, modems, Treo, MP3 players
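The slide lists the ports and device classes the product claims to manage, but not how a per-group access decision is made. The following is an added example written for this page, not SecureWave's code: a default-deny device access policy evaluated per user group and device class, in the spirit of "manage devices and access control, protect all ports" and of the removable-media policy Gartner recommends above. The group names, device classes, access levels and attach events are constructed for illustration; how a real agent identifies a device's class is outside this example.

```python
"""Added example (not the vendor's code): default-deny removable-device policy.
A user's effective access to a device class is the most permissive grant across
the user's groups; a class no group lists is denied. Names are constructed."""
from enum import IntEnum


class Access(IntEnum):
    NONE = 0        # device is "dead" for this user
    READ = 1        # e.g. read files from a memory stick, nothing copied onto it
    READ_WRITE = 2


# Constructed policy: user group -> device class -> highest access granted.
# Any device class missing for a group is NONE (default deny).
POLICY = {
    "Users": {
        "Smart Card Readers": Access.READ_WRITE,
        "USB Printers": Access.READ_WRITE,
    },
    "Support team": {
        "USB Memory Sticks": Access.READ,
        "CD/DVD Players/Burners": Access.READ,
    },
    "Network Admin.": {
        "USB Memory Sticks": Access.READ_WRITE,
        "Wireless LAN Adapters": Access.READ_WRITE,
    },
}


def permitted_access(groups, device_class):
    """Most permissive grant across the user's groups; NONE when none grants."""
    grants = (POLICY.get(g, {}).get(device_class, Access.NONE) for g in groups)
    return max(grants, default=Access.NONE)


def decide(groups, device_class, requested):
    """True when the requested access level is within what policy permits."""
    return permitted_access(groups, device_class) >= requested


# Constructed device-attach / access events:
# (user, user's groups, device class, requested access)
EVENTS = [
    ("alice", {"Users"}, "USB Memory Sticks", Access.READ),
    ("bob", {"Users", "Support team"}, "USB Memory Sticks", Access.READ),
    ("bob", {"Users", "Support team"}, "USB Memory Sticks", Access.READ_WRITE),
    ("carol", {"Users", "Network Admin."}, "USB Memory Sticks", Access.READ_WRITE),
    ("alice", {"Users"}, "Biotech Devices", Access.READ),  # class nobody lists
    ("alice", {"Users"}, "USB Printers", Access.READ_WRITE),
]


def evaluate_events(events=EVENTS):
    """One (user, device class, requested level, allowed?) tuple per event."""
    return [(user, dev, req.name, decide(groups, dev, req))
            for user, groups, dev, req in events]


if __name__ == "__main__":
    for user, dev, req, allowed in evaluate_events():
        print(f"{user:6} {dev:24} {req:10} -> {'ALLOW' if allowed else 'DENY'}")
```

The union-of-grants rule matches how group-based rights usually combine; the important property for an endpoint control is the other direction: a device class that no group mentions is unusable, rather than falling back to whatever the operating system would permit.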
Malware Threat • Fixes your clock? Or CLEANS your clock? • Helpful update, or your PASSWORD on a silver plate? • No signatures, no Trojans, no spyware. EVER.
Sample of Unauthorized Software • Instant messaging, or instant OUTBREAK? • No signatures, no Trojans, no spyware. EVER.
White List Approach: Manage the known and allowed, deny all else…
Applications • Authorized: operating systems; business software the user should have access to • Unauthorized / Unwanted: games, shareware; unlicensed software; software the user should not have access to
Malware • Known: viruses, worms, Trojans; hacker intrusive software • Unknown: viruses, worms, Trojans; hacker intrusive software
Endpoint Scenarios: Unknown Malware Threats • Traditional security solutions: AV, AS, PFW • Malware vectors (UNKNOWN MALWARE): keyloggers, spyware, worms, viruses, bots, Trojans • Target: digital assets
Endpoint Scenarios: Unauthorized Software • Traditional security solutions: AV, AS, PFW • UNAUTHORIZED SOFTWARE: Kazaa, Yahoo IM, E-Donkey, World of App, Trillian, AOL IM, Napster • Target: digital assets
Application Control – The Sanctuary Approach: Assign and Go
0. IDENTIFY EXE SOURCES • Operating systems • Standard software • Server software • Customer specific applications • Specific server application software • Use SFDs
1. COLLECT • Admin tools, control panels, Internet Explorer, MS Office, accounting software, etc. • Signature files
2. ORGANIZE FILES INTO GROUPS
3. ASSIGN RIGHTS TO EXECUTE • Principals (Active Directory, local system): individual users, user groups, services, administrator • Examples: Accounting, Sales People, Network Admin., Support team, Users from Dept. A, external people, etc.
Result: Remote and local users can now only run the authorized executable files they are allowed to when accessing the organization’s PCs, servers, and/or Terminal Services environment
Authenticated Execution (allowed) • Application execution request from users, Terminal Services users, accounts or services • Kernel driver generates the file signature using a SHA-1 hash (e.g. 3x4e4f36b5b2cf0c9ec85372ff8a7545) • Comparison with the list of centrally authorized file signatures (0x4e4f36b5b2cf0c9ec85372ff8a7545, 1x4e4f36b5b2cf0c9ec85372ff8a7545, 2x4e4f36b5b2cf0c9ec85372ff8a7545, 3x4e4f36b5b2cf0c9ec85372ff8a7545, 4x4e4f36b5b2cf0c9ec85372ff8a7545) • Matching signature → Authorization: OK → file executes → Log
Authenticated Execution (denied) • Application execution request from users, Terminal Services users, accounts or services • Kernel driver generates the file signature using a SHA-1 hash • Comparison with the list of centrally authorized file signatures • No matching signature → Authorization: NO → file execution is denied → Log
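The two flow slides and the "Assign and Go" steps describe one mechanism: hash each executable, organise the hashes into file groups, grant user groups the right to run those groups, and at execution time compare the requesting file's SHA-1 against the list the user is authorized for, logging the outcome. The block below is an added example written for this page, not SecureWave's product code, that carries the whole procedure through in a few dozen lines and places the reactive blacklist check from the earlier "Cons" slide beside it so the difference on an unknown sample is visible. The file contents, group names and user names are constructed; real files would be read from disk in binary mode and hashed the same way.

```python
"""Added example (not the vendor's code): default-deny application control keyed
on SHA-1 file signatures, following the slide flow: collect files, organise them
into groups, assign execute rights to user groups, compare at execution time,
log the decision. A blacklist check is included only for contrast."""
import hashlib
import logging
from dataclasses import dataclass, field

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("authorized-execution")

# Constructed stand-ins for executable file contents.
WORD_EXE = b"MZ\x90\x00 constructed: word processor binary"
LEDGER_EXE = b"MZ\x90\x00 constructed: accounting ledger binary"
KNOWN_WORM = b"MZ\x90\x00 constructed: worm already on the blacklist"
UNKNOWN_SAMPLE = b"MZ\x90\x00 constructed: malware nobody has a signature for yet"


def file_signature(data: bytes) -> str:
    """Step 1 (COLLECT): the signature of a file is the SHA-1 hash of its bytes."""
    return hashlib.sha1(data).hexdigest()


@dataclass
class Policy:
    # Step 2 (ORGANIZE FILES INTO GROUPS): file group -> authorized signatures
    file_groups: dict = field(default_factory=dict)
    # Step 3 (ASSIGN RIGHTS TO EXECUTE): user group -> file groups it may run
    rights: dict = field(default_factory=dict)
    # user -> user groups; stands in for an Active Directory / local group lookup
    membership: dict = field(default_factory=dict)

    def add_file(self, file_group: str, data: bytes) -> str:
        sig = file_signature(data)
        self.file_groups.setdefault(file_group, set()).add(sig)
        return sig

    def authorized_signatures(self, user: str) -> set:
        """Union of every signature reachable through the user's groups."""
        sigs = set()
        for user_group in self.membership.get(user, set()):
            for file_group in self.rights.get(user_group, set()):
                sigs |= self.file_groups.get(file_group, set())
        return sigs

    def check_execution(self, user: str, data: bytes) -> bool:
        """The kernel-driver step: hash the requested file, compare it against
        the centrally authorized list, log, and deny anything not on the list."""
        sig = file_signature(data)
        allowed = sig in self.authorized_signatures(user)
        log.info("exec request user=%s sha1=%s -> %s",
                 user, sig, "OK" if allowed else "NO")
        return allowed


def blacklist_check(data: bytes, known_bad: set) -> bool:
    """Reactive model, for contrast: permits anything not already known bad,
    so a sample with no signature yet is allowed to run."""
    return file_signature(data) not in known_bad


def build_demo_policy() -> Policy:
    """Constructed policy: everyone runs standard software, Accounting also
    runs the ledger application."""
    policy = Policy()
    policy.add_file("Standard Software", WORD_EXE)
    policy.add_file("Accounting Soft.", LEDGER_EXE)
    policy.rights = {
        "Users": {"Standard Software"},
        "Accounting": {"Standard Software", "Accounting Soft."},
    }
    policy.membership = {"alice": {"Users", "Accounting"}, "bob": {"Users"}}
    return policy


def demo() -> dict:
    """Runs both models over the constructed samples and returns the decisions."""
    policy = build_demo_policy()
    known_bad = {file_signature(KNOWN_WORM)}
    return {
        "alice_runs_ledger": policy.check_execution("alice", LEDGER_EXE),
        "bob_runs_ledger": policy.check_execution("bob", LEDGER_EXE),
        "bob_runs_word": policy.check_execution("bob", WORD_EXE),
        "bob_runs_unknown": policy.check_execution("bob", UNKNOWN_SAMPLE),
        "blacklist_stops_known_worm": not blacklist_check(KNOWN_WORM, known_bad),
        "blacklist_stops_unknown": not blacklist_check(UNKNOWN_SAMPLE, known_bad),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The unknown sample is the point of the comparison: the whitelist denies it with no signature update because it was never authorized, while the blacklist lets it run until someone adds its hash. Two practical notes for anyone building on this: hashing at execution time means a patched binary stops running until its new hash is authorized (the "constant updates" cost moves from the vendor to the administrator), and SHA-1 is used here because that is what the slide names; a current deployment would pick SHA-256.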
Summary • The reactive model is not working, which is forcing IT professionals to become proactive to combat emerging threats. Security practices have focused on the endpoint because of how attacks have evolved.