Best practices in managing your devices and applications
Jérôme Bei
TRANSCRIPT
Did the bad guys surrender?
There have been no massive attacks lately... WHY?
• Broadband attacks make CSOs increase their IT security
• Lack of massive attacks makes CSOs think their systems are secure
• Today, we're facing targeted attacks
  • silent and focused
  • goal: steal know-how
  • victims will hardly admit data theft
Botnets Today
• 2 million endpoints controlled by Conficker (source: Heise)
• Total Conficker infections: 15 million endpoints (source: Heise)
• 300,000 endpoints controlled by Torpig (source: UCSB)
• 5% of all company hosts infected by botnet worms (source: Damballa study)
ARE YOU PART OF A BOTNET?
Borderless Networks
Who enters your network?
• Mobile workers
• Trading partners
• Customers
• Vendors
THEY WALK RIGHT PAST YOUR FIREWALL!
As a consequence, the security solution needs to be host based.
Do you feel safe with AV only?
April 2006: 16 leading anti-virus vendors tested for 243,671 pieces of known malware
• One vendor missed OVER 90,000 pieces of malware
• 4 out of 16 missed over 10,000 of them!
(www.av-comparatives.org)

Do you feel safe with AV only?
February 2007: 15 leading anti-virus vendors tested for 481,850 pieces of known malware
• One vendor missed OVER 80,000 pieces of malware
• Another vendor missed 30,000 of them!
• NO vendor had all needed patterns!
(www.av-comparatives.org)

Do you feel safe with AV only?
May 2009: 16 leading anti-virus vendors tested for proactive heuristic detection
• One vendor missed OVER 86% of malware
• The best vendor still missed 31%
• NO vendor detected all tested malware!
(www.av-comparatives.org)
Lumension Application Control: RISK (black list approach)
Application categories vs. malware:
• AUTHORIZED: operating systems, business software
• KNOWN: viruses, worms, Trojan horses, spyware
• UNWANTED: games, shareware, unlicensed software
• UNKNOWN: viruses, worms, Trojan horses, spyware
BLACK LIST APPROACH

Lumension Application Control: MANAGE (white list approach)
Application categories vs. malware:
• AUTHORIZED: operating systems, business software
• KNOWN: viruses, worms, Trojan horses, spyware
• UNWANTED: games, shareware, unlicensed software
• UNKNOWN: viruses, worms, Trojan horses, spyware
WHITE LIST APPROACH
Black List vs. White List
Unwanted software (games, players, ...)
  Black list: not supported
  White list: denied by default
Updates
  Black list: weekly, daily, hourly
  White list: only when new applications / patches are installed
Zero-day protection
  Black list: new malware is always one step ahead
  White list: implicit
Operational performance
  Black list: file filter slows down performance + pattern comparison
  White list: kernel based (= fast), no pattern comparison required
Scalability
  Black list: today 800,000; tomorrow? next year?
  White list: a heavily loaded PC with 50 applications has 25,000 signatures: STABLE
Product Operation – Application Control
Individual users and groups of users:
• Accounting
• Sales people
• Network admins
• Support team

0. IDENTIFY EXE SOURCES
• Operating systems
• Standard software
• Customer specific applications
• Use SFDs

1. COLLECT signature files
• Scan Explorer
• Log Explorer
• EXE Explorer

2. ORGANIZE INTO FILE GROUPS
• Admin tools
• Entertainment
• Communication
• MS Office
• etc...

3. ASSIGN RIGHTS TO EXECUTE
What do users / groups of users need to run on their machine to perform their allowed tasks? Users can now only run the executables they are allowed to.
Product Operation
1. Client boots, user logs on, computer connects to the corporate network.
2. Client driver sends an identification message (= machine ID, user ID, domain ID, group IDs, driver version, OS version).
3. The Application Server queries the database for access rules and caches the results.
4. The access rules are created, cryptographic signatures are added and the access rules are pushed to the client driver.
5. The access rules are cached locally; policy enforcement is performed at kernel level.
6. The computer may leave the corporate network and will stay secure due to the local white list.
Components in the diagram: SQL database (cluster); SecureWave Application Server(s); kernel driver; Active Directory / eDirectory (synchronizes users, groups and computer accounts periodically); policies carrying a digital signature.
How Application Control works (execution denied)
1. The user sends an application execution request to the kernel driver.
2. File signature generation using a SHA-1 hash: 0x20ee7cf645efeba7C81bd660fe307
3. Comparison with the list of centrally authorized file signatures:
   0x7ddf86e8a4672a420760b8809a1c
   0xcbac13bb07f7dd0e10e93f4b63de9
   0xd535561209f0199f63b72c2ebc13c
   0x4e4f36b5b2cf0c9ec85372ff8a7548
4. Authorization? No: no matching signature, file execution is denied and the attempt is logged.

How Application Control works (execution allowed)
1. The user sends an application execution request to the kernel driver.
2. File signature generation using a SHA-1 hash: 0x20ee7cf645efeba7C81bd660fe307
3. Comparison with the list of centrally authorized file signatures:
   0x7ddf86e8a4672a420760b8809a1c
   0xcbac13bb07f7dd0e10e93f4b63de9
   0xd535561209f0199f63b72c2ebc13c
   0x20ee7cf645efeba7C81bd660fe307
4. Authorization? Yes: the signature matches, the file executes and the execution is logged.
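The hash-based allow-list decision shown in these two slides, combined with the file-group and user-group assignment from the "Product Operation – Application Control" steps (collect signatures, organize into file groups, assign rights to execute), as an added Python example. This is not SecureWave/Lumension code; the group names, the "executables" and the policy contents are constructed for the demonstration, and `Policy`, `check_execution` and `normalize` are hypothetical names.

```python
import hashlib
import logging
from dataclasses import dataclass, field

# Added example, not the product's code. Executable contents, group names and
# rights below are constructed for the demonstration.
logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("appcontrol")


def file_signature(data: bytes) -> str:
    """Signature of an executable: SHA-1 over its full contents, as lower-case hex."""
    return hashlib.sha1(data).hexdigest()


def normalize(sig: str) -> str:
    """Canonical form for a centrally stored signature.

    The slides show values like 0x20ee7cf645efeba7C81bd660fe307 with a 0x prefix
    and mixed-case digits; a naive string compare would miss those.
    """
    s = sig.strip().lower()
    return s[2:] if s.startswith("0x") else s


@dataclass
class Policy:
    """Central policy: file groups of authorized signatures, rights per user group."""
    file_groups: dict = field(default_factory=dict)  # file group -> {signatures}
    rights: dict = field(default_factory=dict)       # user group -> {file groups}

    def authorize(self, file_group: str, sig: str) -> None:
        self.file_groups.setdefault(file_group, set()).add(normalize(sig))

    def grant(self, user_group: str, file_group: str) -> None:
        self.rights.setdefault(user_group, set()).add(file_group)

    def allowed_signatures(self, user_groups) -> set:
        """Union of every file group that any of the user's groups may execute."""
        allowed = set()
        for ug in user_groups:
            for fg in self.rights.get(ug, ()):
                allowed |= self.file_groups.get(fg, set())
        return allowed


def check_execution(policy: Policy, user: str, user_groups, path: str, data: bytes) -> bool:
    """Kernel-driver style decision: hash the file, compare, log, allow or deny."""
    sig = file_signature(data)
    if sig in policy.allowed_signatures(user_groups):
        log.info("ALLOW user=%s file=%s sha1=%s", user, path, sig)
        return True
    # Default deny: anything not on the list (known or unknown malware alike) does not run.
    log.warning("DENY user=%s file=%s sha1=%s (no matching signature)", user, path, sig)
    return False


# Constructed "executables"; in practice the driver reads the real file from disk.
WORD_EXE = b"MZ\x90\x00constructed-word-binary"
NOTEPAD_EXE = b"MZ\x90\x00constructed-notepad-binary"
DROPPER_EXE = b"MZ\x90\x00constructed-unknown-binary"


def build_policy() -> Policy:
    """File groups and rights modelled on the slide: MS Office for sales, admin tools for admins."""
    p = Policy()
    p.authorize("MS Office", file_signature(WORD_EXE))
    p.authorize("Admin Tools", file_signature(NOTEPAD_EXE))
    p.grant("Sales People", "MS Office")
    p.grant("Network Admins", "MS Office")
    p.grant("Network Admins", "Admin Tools")
    return p


if __name__ == "__main__":
    policy = build_policy()
    check_execution(policy, "alice", {"Sales People"}, "WINWORD.EXE", WORD_EXE)     # allowed
    check_execution(policy, "alice", {"Sales People"}, "notepad.exe", NOTEPAD_EXE)  # denied: not in her groups
    check_execution(policy, "bob", {"Network Admins"}, "notepad.exe", NOTEPAD_EXE)  # allowed
    check_execution(policy, "bob", {"Network Admins"}, "update.exe", DROPPER_EXE)   # denied: unknown signature
```

Two practical points the slides leave implicit: a single changed byte in an authorized binary (a patch, or tampering) produces a different digest, so it is denied until the new signature is collected and assigned, which is exactly the "updates only when new applications / patches are installed" property of the white list; and the hex strings on the slides are shorter than a full SHA-1 digest (40 hex digits), so the example computes real digests. SHA-1 is kept here to match the slide, but collisions for it have been demonstrated since 2017, so a new allow list should be built on SHA-256.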
Major Features
White List
Full Macro Protection
Instant Policy Updates
Offline Protection
NT / AD Domain / Novell eDirectory support
Silent Unattended Installation
Optimized Network Communication
Learning Mode
Logging & Auditing
Social Engineering the USB way
Security audit at a credit union (source: http://www.darkreading.com)
Step 1: Prepare 20 USB drives with a Trojan horse that gathers critical data (such as user account information) from the PC it is connected to and sends it by email.
Step 2: Drop these USB drives on the company's premises.
Step 3: Wait 3 days ...
Result: 15 out of 20 drives were used by employees; critical data from their PCs was exposed.
Assign and Go
Individual users and groups of users:
• Accounting
• Sales people
• Network admins
• Support team

0. IDENTIFY DEVICES AND MEDIA
1.1 PREDEFINED DEVICE CLASSES (devices: CD / DVD ROMs, modem, removable media, USB printer)
1.2 SPECIFIC DEVICE TYPE / BRAND (e.g. USB Disk Pro, SND1 MP3 Player)
1.3 ADD SPECIFIC MEDIA to the media list (unique media: CD / DVD, Zip drives, Disk on Key)
3. ASSIGN ACCESS ATTRIBUTES
What are users' / user groups' needs in terms of device / media access rights to perform their allowed tasks? Users can now access their allowed devices / media according to their granted attributes.
Managed Device Access Control (access granted)
1. The user sends a device access request to the kernel driver.
2. Known device check against the list of classes & known devices. Known device? Yes.
3. The device policies (users, groups, device classes, devices and access attributes) are evaluated. Authorization? Yes.
4. Device access is granted and logged.

Managed Device Access Control (access denied)
1. The user sends a device access request to the kernel driver.
2. Known device check against the list of classes & known devices. Known device? Yes.
3. The device policies (users, groups, device classes, devices and access attributes) are evaluated. Authorization? No.
4. No access; the attempt is logged.
Implementing Device Control
Requirement gathering / security requirements / operational implications

Sales
• Requirement: use memory keys. Security requirements: only with encryption, audit of copied data. Operational implication: standard rule for sales to use memory keys with decentralized encryption and shadowing.
• Requirement: wireless network. Security requirement: only outside the corporate network. Operational implication: offline rule for notebooks with wireless cards.

Marketing
• Requirement: usage of digital cameras. Security requirements: only during business hours, no misuse as data storage. Operational implication: time-based rule for digital camera usage, with filter on image data (JPG, GIF, BMP).
• Requirement: usage of CDs / DVDs. Security requirement: only specific media. Operational implication: explicit assignment of specific media.

Implementing Device Control
Requirement gathering / security requirements / operational implications

Front desk
• Requirement: badge printing. Security requirement: deny usage of any other device. Operational implication: machine-based "lockdown", standard rule for the local printer.

Support dept.
• Requirement: usage of customer devices. Security requirement: prevent data loss (customer data / internal data). Operational implication: standard rule for read-only access to customer devices.

Production server
• Requirement: maximum stability. Security requirement: deny any device usage. Operational implication: machine-based "lockdown".
Encryption with Device Control
1) Administrator creates encryption rule
2) User plugs in memory key
3) Transparent encryption on corporate computers
4) Volume Browser tool on stick for 3rd party computers
Access Attributes
• Read and / or write
• Scheduled access
  • From 08:00h to 18:00h Monday to Friday
• Temporary access
  • For the next 15 minutes
  • Starting next Monday, for 2 days
• Online / offline
  • Assign permissions when no network connection is present; all device classes supported
• Quota management
  • Limit copied data to 100 MB / day
• Encryption enforcement
  • Access is granted only if the medium has been encrypted (decentralized encryption), with password recovery option
• File type filtering
  • Limit the access to specific file types

Attributes can be allocated to...
• A complete device class (e.g. all USB printers)
• A device sub class (e.g. USB printer HP 7575, CD/DVD NEC 3520A)
• A unique device, based on encryption or serial number
• Specific CDs / DVDs
• A specific bus (USB, IrDA, FireWire...)
• Groups of devices
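The access attributes listed above (read / write, scheduled and temporary access, quota, encryption enforcement, file type filtering) evaluated the way the "Managed Device Access Control" flow describes, using two of the department rules from "Implementing Device Control" as sample policy. This is an added Python example, not the product's code; `AccessRule`, `AccessRequest`, `DeviceControl`, the group names, the device class strings and the timestamps are all constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional, Tuple

# Added example, not the product's code: rules, groups and requests are constructed.

@dataclass(frozen=True)
class AccessRule:
    """Access attributes granted to one user group for one device class."""
    user_group: str
    device_class: str
    read: bool = True
    write: bool = False
    weekdays: FrozenSet[int] = frozenset(range(7))       # scheduled access, 0 = Monday
    start: Optional[time] = None                          # scheduled access window
    end: Optional[time] = None
    valid_from: Optional[datetime] = None                 # temporary access
    valid_until: Optional[datetime] = None
    daily_quota_bytes: Optional[int] = None               # quota management
    allowed_extensions: Optional[FrozenSet[str]] = None   # file type filtering
    require_encryption: bool = False                      # encryption enforcement

@dataclass(frozen=True)
class AccessRequest:
    user: str
    user_groups: FrozenSet[str]
    device_class: str
    action: str              # "read" or "write"
    filename: str
    size: int                # bytes
    when: datetime
    encrypted: bool = False  # medium already encrypted (decentralized encryption)?

class DeviceControl:
    """Deny by default; the first rule that passes every attribute check grants access."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.written = {}  # (user, date) -> bytes copied that day, for quota management

    def evaluate(self, req: AccessRequest) -> Tuple[bool, str]:
        candidates = [r for r in self.rules
                      if r.device_class == req.device_class and r.user_group in req.user_groups]
        if not candidates:
            return False, "denied: no rule for this device class"
        reasons = []
        for rule in candidates:
            ok, why = self._check(rule, req)
            if ok:
                if req.action == "write":   # only granted writes count against the quota
                    key = (req.user, req.when.date())
                    self.written[key] = self.written.get(key, 0) + req.size
                return True, why
            reasons.append(why)
        return False, "denied: " + "; ".join(reasons)

    def _check(self, r: AccessRule, req: AccessRequest) -> Tuple[bool, str]:
        ext = req.filename.rsplit(".", 1)[-1].lower() if "." in req.filename else ""
        used = self.written.get((req.user, req.when.date()), 0)
        in_hours = r.start is None or r.end is None or r.start <= req.when.time() < r.end
        checks = [  # (failure condition, reason) in the order the attributes are applied
            (req.action == "read" and not r.read, "read not granted"),
            (req.action == "write" and not r.write, "write not granted"),
            (r.valid_from is not None and req.when < r.valid_from, "temporary access not yet valid"),
            (r.valid_until is not None and req.when > r.valid_until, "temporary access expired"),
            (req.when.weekday() not in r.weekdays, "outside scheduled weekdays"),
            (not in_hours, "outside scheduled hours"),
            (r.require_encryption and not req.encrypted, "medium is not encrypted"),
            (r.allowed_extensions is not None and ext not in r.allowed_extensions,
             f"file type '{ext}' filtered"),
            (req.action == "write" and r.daily_quota_bytes is not None
             and used + req.size > r.daily_quota_bytes, "daily quota exceeded"),
        ]
        for failed, reason in checks:
            if failed:
                return False, reason
        return True, f"allowed by rule for {r.user_group}"

MB = 1024 * 1024
# Rules modelled on the slides: sales memory keys only encrypted, 100 MB/day;
# marketing cameras read-only, Mon-Fri 08:00-18:00, image files only.
RULES = [
    AccessRule("Sales", "REMOVABLE MEDIA", read=True, write=True,
               require_encryption=True, daily_quota_bytes=100 * MB),
    AccessRule("Marketing", "DIGITAL CAMERA", read=True, write=False,
               weekdays=frozenset(range(5)), start=time(8, 0), end=time(18, 0),
               allowed_extensions=frozenset({"jpg", "gif", "bmp"})),
]
# Constructed timestamps for the demonstration.
TUE_10 = datetime(2024, 6, 11, 10, 0)   # Tuesday, business hours
TUE_20 = datetime(2024, 6, 11, 20, 0)   # Tuesday evening
SAT_10 = datetime(2024, 6, 15, 10, 0)   # Saturday
WED_09 = datetime(2024, 6, 12, 9, 0)    # next day: the daily quota starts over

if __name__ == "__main__":
    dc = DeviceControl(RULES)
    mkt, sales = frozenset({"Marketing"}), frozenset({"Sales"})
    for req in (
        AccessRequest("mia", mkt, "DIGITAL CAMERA", "read", "IMG_0001.JPG", 3 * MB, TUE_10),
        AccessRequest("mia", mkt, "DIGITAL CAMERA", "read", "backup.zip", 3 * MB, TUE_10),
        AccessRequest("sam", sales, "REMOVABLE MEDIA", "write", "offer.docx", 60 * MB, TUE_10),
        AccessRequest("sam", sales, "REMOVABLE MEDIA", "write", "offer.docx", 60 * MB, TUE_10, encrypted=True),
    ):
        print(req.user, req.action, req.filename, dc.evaluate(req))
```

The "no rule for this device class" branch is the deny-by-default path of the slide's flow: a device class nobody assigned to the user's groups is unusable, so a plugged-in camera or memory key with no rule is simply "NO ACCESS". The reason strings are what a practitioner would want in the log ("read denied / write denied" on the Auditing & Logging slide), and quota is only consumed by writes that were actually granted, so a denied request does not eat into the user's 100 MB.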
Security Features
• Kernel driver
  • Invisible (no Task Manager process)
  • Fast (no performance loss)
  • Compatible (no conflict with other software)
• Encryption of devices with AES
  • AES 256 = market standard
  • Fast and transparent within the network
  • Strong password enforcement for usage outside the corporate network
• Client / server traffic
  • Private/public key mechanism
  • Impossible to tamper with
  • Easily generated and deployed

Security Features
• Client hardening
  • Even a local administrator cannot uninstall the client
• Protection against keyloggers
• Removable media encryption
  • Assign any removable media to any user and then encrypt the media. The encrypted device is accessible only by the user who owns the access rights on the removable media.
• Offline protection
  • Local copy of the latest device access permission list stored on the disconnected workstation or laptop

Auditing & Logging
• User actions logging
  • Read denied / write denied
  • Device entered / medium inserted
  • Open API for 3rd party reporting tools
• Shadowing of all copied data
  • Level 1: shows file name and attributes of copied data
  • Level 2: captures and retains a full copy of data written to an external device or read from such a device
• Administrator auditing
  • Keeps track of all policy changes made by SDC admins