re-defining endpoint protection: preventing compromise in the face of advanced attacks
Post on 14-Sep-2014
© 2014 IBM Corporation
IBM Security
Re-defining Endpoint Protection
Mike Rothman, Securosis
Andy Land, IBM
Mike Rothman, President
mrothman@securosis.com
Twitter: @securityincite
Advanced Endpoint and Server Protection: Tactics and Techniques
About Securosis
• Independent analysts with backgrounds on both the user and vendor side.
• Focused on deep technical and industry expertise.
• We like pragmatic.
• We are security guys – that’s all we do.
How customers view Endpoint Protection
• Compliance is the main driver for endpoint protection
• Whether it works or not is not the issue.
• And to be clear, traditional anti-malware technology doesn’t work anymore.
Milking the AV Cash Cow
• Add incremental functions:
  • HIPS/Heuristics
  • “Crowd-sourcing” threats
  • File reputation
  • Endpoint hygiene
Threat Management Reimagined
Prevention
Next you try to stop an attack from being successful. This is where most of the effort in security has gone for the past decade, with mixed (okay, lousy) results. A number of new tactics and techniques are modestly increasing effectiveness, but the simple fact is that you cannot prevent every attack. It has become a question of reducing your attack surface as much as practical. If you can stop the simplistic attacks you can focus on more advanced ones.
Adversaries: Better and Better
Advanced Malware
Polymorphism
Sophisticated targeting
Professional Processes
The Negative Security Model
Traditional AV
But detection of advanced attacks is still problematic if detection is restricted to matching files at runtime. You have no chance to detect zero-day or polymorphic malware attacks.
You don’t know what malware is going to look like...
But you DO know what software should and should not do.
This calls for Advanced Heuristics
Advanced Heuristics
Heuristics have evolved to recognize normal application behavior. This dramatically improves accuracy because rules are built and maintained at a specific application level.
Look for what?
• Executables/dependencies
• Injected threads
• Process creation
• System file/configuration/registry changes
• File system changes
• OS level functions including print screen, network stack changes, key logging, etc.
• Turning off protections
• Account creation and privilege escalation
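The behaviors listed above are what an application-level heuristic engine evaluates: each program gets a profile of what it should do, and anything outside that profile (plus a few actions that are suspicious from any program) is flagged. The following Python is an added example for this page, not Securosis or IBM code; the event format, the profiles and the sample events are constructed assumptions.

```python
"""Application-level behavioral heuristics over a constructed endpoint event
stream (added example; event fields, profiles and sample data are assumptions)."""
from collections import defaultdict

# Per-application profile of expected behavior: you don't know what malware
# looks like, but you do know what each program should and should not do.
PROFILES = {
    "winword.exe": {"child_procs": set(), "remote_thread": False,
                    "registry_keys": {r"HKCU\Software\Microsoft\Office"}},
    "svchost.exe": {"child_procs": {"wuauclt.exe"}, "remote_thread": False,
                    "registry_keys": {r"HKLM\SYSTEM\CurrentControlSet\Services"}},
}
# Actions flagged regardless of which application performs them.
ALWAYS_FLAG = {"disable_protection", "account_create", "priv_escalate"}

def check_event(ev):
    """Return a reason string if the event deviates from policy, else None."""
    kind, app = ev["type"], ev["process"]
    if kind in ALWAYS_FLAG:
        return f"{app}: {kind} ({ev.get('detail', '')})"
    prof = PROFILES.get(app)
    if prof is None:
        return f"{app}: no behavioral profile (unknown executable)"
    if kind == "process_create" and ev["child"] not in prof["child_procs"]:
        return f"{app}: unexpected child process {ev['child']}"
    if kind == "remote_thread" and not prof["remote_thread"]:
        return f"{app}: injected thread into {ev['target']}"
    if kind == "registry_write" and not any(
            ev["key"].startswith(k) for k in prof["registry_keys"]):
        return f"{app}: registry write outside profile: {ev['key']}"
    return None  # everything else matches the application's profile

def analyze(events):
    """Group deviations by process so each application's story reads together."""
    findings = defaultdict(list)
    for ev in events:
        reason = check_event(ev)
        if reason:
            findings[ev["process"]].append(reason)
    return dict(findings)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "registry_write", "process": "winword.exe",
     "key": r"HKCU\Software\Microsoft\Office\15.0\Word"},
    {"type": "process_create", "process": "winword.exe", "child": "powershell.exe"},
    {"type": "remote_thread", "process": "winword.exe", "target": "explorer.exe"},
    {"type": "registry_write", "process": "svchost.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "disable_protection", "process": "updater.exe", "detail": "AV service stopped"},
    {"type": "process_create", "process": "svchost.exe", "child": "wuauclt.exe"},
]
```

Running `analyze(SAMPLE_EVENTS)` leaves the in-profile Word registry write and the expected svchost child alone while reporting the Office-spawned shell, the injected thread, the Run-key write and the disabled protection.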
Application Control
• Define a set of authorized executables that can run on a device, and block everything else.
• Flexible “trust” model to offer a “grace” period to install s/w
  • Authorized publishers, trusted employees, etc.
• Though more flexible trust models weaken security…
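The authorized-executable list, publisher trust and grace period described above combine into one allow/deny decision per execution attempt. The following Python is an added example, not vendor code; the policy structure, the names and the sample binaries are assumptions, and the grace-window case shows why the more flexible trust model weakens security.

```python
"""Application control: allowlist by hash, trusted signed publisher, and a time-boxed
grace window (added example, not vendor code; names and sample inputs are assumptions)."""
import hashlib
from datetime import datetime, timedelta

GRACE = timedelta(hours=2)  # assumed length of an install grace window

class AppControlPolicy:
    def __init__(self, allowed_hashes, trusted_publishers, trusted_users):
        self.allowed_hashes = set(allowed_hashes)
        self.trusted_publishers = set(trusted_publishers)
        self.trusted_users = set(trusted_users)  # may open a grace window
        self.grace_until = {}  # device -> time the grace window closes

    def open_grace(self, device, user, now):
        # A trusted employee temporarily allows installs on one device.
        if user not in self.trusted_users:
            return False
        self.grace_until[device] = now + GRACE
        return True

    def decide(self, exe, device, now):
        """Return (allowed, reason) for an execution attempt on a device."""
        if hashlib.sha256(exe["bytes"]).hexdigest() in self.allowed_hashes:
            return True, "hash on allowlist"
        if exe.get("signature_valid") and exe.get("publisher") in self.trusted_publishers:
            return True, f"valid signature from trusted publisher {exe['publisher']}"
        if now < self.grace_until.get(device, datetime.min):
            # Flexible trust: anything runs while the window is open, so audit it.
            return True, "grace window open on device (audit)"
        return False, "not authorized: blocked by default"

KNOWN_GOOD = b"known good build of notepad"  # constructed placeholder binary

def demo():
    # Walk one device through the policy; returns the allow/deny sequence.
    policy = AppControlPolicy([hashlib.sha256(KNOWN_GOOD).hexdigest()],
                              ["Example Corp"], ["alice"])
    t0 = datetime(2014, 9, 14, 9, 0)
    unknown = {"bytes": b"unknown.exe"}
    signed = {"bytes": b"vendor tool", "publisher": "Example Corp", "signature_valid": True}
    unsigned_claim = dict(signed, signature_valid=False)
    return [
        policy.decide({"bytes": KNOWN_GOOD}, "pc1", t0)[0],            # True
        policy.decide(signed, "pc1", t0)[0],                            # True
        policy.decide(unsigned_claim, "pc1", t0)[0],                    # False
        policy.decide(unknown, "pc1", t0)[0],                           # False
        policy.open_grace("pc1", "mallory", t0),                        # False
        policy.open_grace("pc1", "alice", t0),                          # True
        policy.decide(unknown, "pc1", t0 + timedelta(minutes=30))[0],   # True
        policy.decide(unknown, "pc1", t0 + timedelta(hours=3))[0],      # False
    ]
```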
Application Control Use Cases
• Servers
• Fixed function devices
• High value endpoints
Isolation
Spin up a walled garden to run applications. If the app is compromised (detected using advanced heuristics), the sandbox prevents the application from accessing core device features such as the file system and memory, and prevents the attacker from loading additional malware.
Old concept, New Packaging
• Isolation is not new. VMs have been in use by sophisticated users for years.
• Isolation still needs to use some O/S level services, which provides attack surface.
• VM (or isolation) aware malware stays dormant
• Sophisticated evasion techniques emerging: human interaction, timers, process hiding, etc.
Choosing Prevention
• What kind of adversaries do you face?
• Which applications are most frequently used?
• How disruptive will employees allow the protection to be?
• What percentage of devices have been replaced in the past year?
Understanding Effectiveness
• Hype, religion and snake oil will be common as vendors look to establish their approach as “best.”
• Comparative tests frequently gamed. Provide one data point.
• Look for testing outliers and go on from there.
Summary
• Advanced Protection requires a broader view of threat management
• Innovation on endpoint/server prevention will accelerate
• Shift investment from ineffective legacy prevention to more effective advanced prevention, detection and investigation.
Read our stuff
• Blog: http://securosis.com/blog
• Research: http://securosis.com/research
• We publish (almost) everything for free
• Contribute. Make it better.
Mike Rothman
Securosis LLC
mrothman@securosis.com
http://securosis.com/blog
Twitter: @securityincite
Trusteer Apex
Are you fighting a losing battle?
IBM Internal Use Only
• Humans will always make mistakes
• System and application vulnerabilities continue to emerge
• Malware detection will always lag
Do you have the right weapons?
IBM Confidential until May XY, 2014
Fragmented market with point products
• Endpoint protection market is highly fragmented with many point solutions
- e.g., Sandboxing, application control, whitelisting
Major security control gaps
• Existing products offer no controls for major attack vectors
- e.g., Zero-day exploits, applicative Java attacks
Challenging manageability and operations
• Advanced threat solutions are difficult and costly to operate
• Difficult to scale manual remediation processes to thousands of enterprise endpoints
• High false positive rates
• Whitelisting processes on endpoints are not manageable
Trusteer Apex
Preemptive, low-impact defense for enterprise endpoints
ADVANCED MULTI-LAYERED DEFENSE: comprehensive endpoint defense against advanced threats
DYNAMIC INTELLIGENCE: advanced threat intelligence collected from tens of millions of endpoints
LOW OPERATIONAL IMPACT: low overhead on IT / security teams, transparent to end users
Apex multi-layered defense architecture
Threat and Risk Reporting: vulnerability mapping and critical event reporting
Advanced Threat Analysis and Turnkey Service
Global Threat Research and Intelligence: global threat intelligence delivered in near-real time from the cloud
• Credential Protection: alert and prevent phishing and reuse on non-corporate sites
• Exploit Chain Disruption: prevent infections via exploits; zero-day defense by controlling the exploit-chain choke point
• Cloud Based File Inspection: legacy protection against known viruses; consolidates over 20 AV engines for maximal efficacy and operational simplicity
• Malicious Communication Prevention: block malware communication; disrupt C&C control; prevent data exfiltration
• Lockdown for Java: prevent high-risk actions by malicious Java applications
Attack Progression
• Delivery of weaponized content
• Exploitation of app vulnerability
• Malware delivery
• Malware persistency
• Execution and malicious access to content
• Establish communication channels
• Data exfiltration
Controlling exploit-chain chokepoints
[Diagram: the attack progression above, from the pre-exploit stage through three strategic chokepoints. Labels recovered from the slide:]
• At each stage the number of variants and the traditional control: unpatched and zero-day vulnerabilities, endless (patching); weaponized content, many (IPS, sandbox); malicious files, endless (antivirus, whitelisting); malicious behavior activities, endless/many (HIPs); destinations (C&C traffic detection)
• Apex controls placed at the chokepoints: Exploit Chain Disruption, Lockdown for Java, Malicious Communication Blocking, File Inspection, Endpoint Vulnerability Reporting, Credential Protection
Low operational impact
Advanced threat analysis and turnkey service
Eliminate the traditional security team approach (detect, notify, and manually resolve)
• Low-footprint threat prevention: minimize impact by blocking only the most sensitive actions
• Exceptional turnkey service: centralized risk assessment service
• Low impact to IT security team: directly update endpoint users
Dynamic intelligence
Crowd-sourced expertise in threat research and dynamic intelligence
Global Threat Research and Intelligence
• Combines the renowned expertise of X-Force with Trusteer malware research
• Catalog of 70K+ vulnerabilities,17B+ web pages, and data from 100M+ endpoints
• Intelligence databases dynamically updated on a minute-by-minute basis
Real-time sharing of Trusteer intelligence: phishing sites, URL/web categories, IP/domain reputation, exploit triage, malware tracking, zero-day research
Client example: Major heavy equipment manufacturer
Protecting endpoints against advanced threats and malware
Business challenge
• Protect 10,000 endpoints in multiple international locations
• Provide remote access to suppliers, contractors and employees
• Prevent IP and technology data theft
IBM Security Solution: Trusteer Apex
Trusteer Apex protects endpoints throughout the threat lifecycle by applying an integrated, multi-layered defense to prevent endpoint compromise for both managed and remote endpoints. Threats are continually analyzed and protections provided by Trusteer’s turnkey service.
Advanced Threat Protection: discovered 32 threats and 100 suspicious activities within weeks of deployment despite other security products
Apex is essential to the IBM Threat Protection System
IBM Confidential - NDA until May 5, 2014
Open Integrations: ready for the IBM Security Intelligence Ecosystem; new functionality from partners including FireEye, TrendMicro, Damballa and other protection vendors
Smarter Prevention
• Trusteer Apex Endpoint Exploit Chain Disruption: Java Lockdown Protection - granular control of untrusted code, cloud-based file inspection, and QRadar integration
• IBM Security Network Protection XGS: Advanced Threat Quarantine integration from QRadar and third-party products, inclusion of Trusteer intelligence into XGS
Security Intelligence
• IBM Security QRadar Security Intelligence: Data Node appliance, new flow and event APIs, and QRadar Vulnerability Manager scanning improvements
Continuous Response
• IBM Security QRadar Incident Forensics: integrated forensics module with full packet search and visual reconstruction of relationships
• IBM Emergency Response Services: increased global coverage and expertise related to malware analysis and forensics
Global Threat Intelligence
• IBM X-Force Threat Intelligence: new real-time sharing of Trusteer threat intelligence from 100M+ endpoints with X-Force
Introducing IBM Trusteer Apex
Re-defining endpoint protection for the advanced threat landscape
Trusteer Fast Facts:
• Acquired by IBM August 2013: adds endpoint protection capabilities to the IBM Security Portfolio
• Unique Integrations: integrated into IBM Threat Protection System
• Advanced Threat Defense Leaders: analyzing and preventing APTs for the last 8 years
Disclaimer
Please Note:
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.