Protect Your Desktops from Malware and Unauthorized Software

Upload: kiefer

Post on 15-Jan-2016

DESCRIPTION

Protect Your Desktops from Malware and Unauthorized Software. “We found 51 games installed on a problematic PC in our ER department.” “We found iTunes running on plastics cutting machines.” “Some of our call center reps had 6 IM tools running while being on a call.”

TRANSCRIPT

Page 1: Protect Your Desktops from  Malware and Unauthorized Software

Protect Your Desktops from Malware and Unauthorized Software

Page 5: Protect Your Desktops from  Malware and Unauthorized Software

20 Years of Chasing Malicious Software

Blacklisting

• Tries to keep a list of all bad software

• Tries to identify bad behavior

• Lets unrecognized executables run

“Using the most popular antivirus applications … 8 out of 10 pieces of malicious code are going to get in.”

AusCERT

Page 6: Protect Your Desktops from  Malware and Unauthorized Software

Challenges

Security

New threats continually outsmart existing defenses

Compliance

Computers polluted with illegal and unauthorized software

Manageability

Disruptive software causing downtime and unnecessary support calls

Page 7: Protect Your Desktops from  Malware and Unauthorized Software

The Endpoint Protection Gap

Managed Software: Patches, Centrally Distributed Applications, Provisioned Base Image

Managed Malware: Known Malware

Unmanaged Software:

• Invisible

• Untraceable

• Uncontrollable

• Unpatched

• Vulnerable

Botnets, Spyware, Unlicensed, Rootkits, Games, Instant Messenger, Skype, Unknown Malware

Page 8: Protect Your Desktops from  Malware and Unauthorized Software

Addressing The Gap

Mainstream approaches have proven unsuccessful

• Antivirus (Existing): Ineffective against new threats

• Remove Admin Rights: IT always has to get involved

• Restriction Policies: Impossible to manage

• Behavioral HIPS: Overwhelming false positives

• Vista UAC: Annoying and unscalable

The need …

Manageable and effective approach to controlling all unauthorized software.

Page 9: Protect Your Desktops from  Malware and Unauthorized Software

Security at an Inflection Point

Chart axes: Time; Complexity of Administration

Blacklisting: New Types Of Attacks, Signature File Size, Targeted Attacks, Agent Bloating, False Positives, Spyware Legitimacy

Whitelisting: First Execution Block, Flexible Policies, Automated Software Approval, Software Identification, Policy Simulation, Application Grouping, Software Reputation Service

Page 10: Protect Your Desktops from  Malware and Unauthorized Software

Application Whitelisting In The Press

Page 11: Protect Your Desktops from  Malware and Unauthorized Software

Symantec

Mark Bregman, CTO

“Eventually, a comprehensive whitelist of legitimate software may be as close to a silver bullet as one can hope to find – one that best serves the evolving security needs of the growing cybercommunity.”

John Thompson, CEO

“I'll be chasing my tail forever trying to block every one of those things.”

Page 12: Protect Your Desktops from  Malware and Unauthorized Software

Microsoft

David Cross, Product Unit Manager

April, 2008

“Microsoft wants to make better use of things such as application whitelisting, which prevents any application from running other than those explicitly allowed by the user.”

Page 13: Protect Your Desktops from  Malware and Unauthorized Software

Cisco

John Stewart, CSO

May, 2008

“I am not so sure that we can get to a place of feeling confident in our infrastructure without doing whitelisting.”

“Whitelisting is the next generation of defense”

Page 14: Protect Your Desktops from  Malware and Unauthorized Software

McAfee

Dave DeWalt, CEO

June 13

“Blacklisting — where vendors compile lists of known malware — has become technically unfeasible.”

“As blacklisting becomes increasingly difficult, whitelisting holds promise.”

Page 15: Protect Your Desktops from  Malware and Unauthorized Software

Today’s Endpoint Management

Trends

• Suites/Platforms emerge for both Security & Ops

• MSFT/OS increasing functionality (AV, AS, PF, Encr …)

Page 16: Protect Your Desktops from  Malware and Unauthorized Software

Future of Endpoint Management

Endpoint Mgmt

Control

Trends

• Endpoint Control increasingly more important

• MSFT commoditizes AV, AS, PF, Encr, SD, PM

Page 17: Protect Your Desktops from  Malware and Unauthorized Software

Introducing Bit9

Bit9 ensures that only approved software runs.

Visibility, Knowledge, Control

Bit9 Parity

Bit9 ParityCenter

Page 18: Protect Your Desktops from  Malware and Unauthorized Software

Bit9 Architecture

Customer Premises

• Bit9 Clients: Servers, Desktops, Laptops

• Bit9 Parity Server

• Web-enabled Console

• Active Directory

• File Hashes, Events

• Policies

• File Hashes

Bit9’s Hosted Web Service

• Bit9 ParityCenter

• 6B+ File Records

• Commercial Software, Open Source, Shareware, Malware

• Threats, Attributes

• Publisher, Product, Source, Threat Level, Trust Factor

External Data Sources

• Internet

• Crawling, Partnerships, Physical Media, Honey pots, Third-party metadata

Page 19: Protect Your Desktops from  Malware and Unauthorized Software

How Bit9’s Application Control Works: Deploy and Enforce Policy

Diagram labels: Internet; Bit9 ParityCenter; Lockdown; Monitor; Block & Ask

Page 20: Protect Your Desktops from  Malware and Unauthorized Software

Software Identification, Authentication & Trust

Bit9 ParityCenter: 6B+ records

• Multi-Scanner Risk Assessment

• Automated Software Categorization

• Automated Vista Compatibility

Page 21: Protect Your Desktops from  Malware and Unauthorized Software

Requires an Adaptive Whitelist

• Trust Software Distribution

• Trust Patch Management

• Trust Self-Updating Products

• Trust Publishers

• Trust Directories

• Trust Privileged Users

• …

Page 22: Protect Your Desktops from  Malware and Unauthorized Software

Case Studies

Ritz Camera (Retail Electronics): Compliance

Before Bit9:

• Compliance: unauthorized software on kiosks

• Hundreds of stores with non-networked PCs

After Bit9:

• Antivirus replaced

• Kiosks controlled

General Dynamics (Defense Contractor): Control

Before Bit9:

• Unauthorized software used by outsourcer cost $$

• Sensitive data not protected when transferred to devices

After Bit9:

• Eliminated costs

• Data protected

Fox Interactive (Media Conglomerate): Visibility

Before Bit9:

• Creative culture required that users can install new apps

• Known vulnerabilities were uncontrollable

After Bit9:

• Most apps pre-approved

• Zero-day threats blocked

Page 23: Protect Your Desktops from  Malware and Unauthorized Software

Closing the Endpoint Protection Gap

Whitelist

• Trusted Software

• Allowed to Run

Blacklist

• Not approved

• Not allowed to run

Managed Software: Patches, Centrally Distributed Applications, Provisioned Base Image

Managed Malware: Known Malware

Botnets, Spyware, Rootkits, Games, Instant Messenger, Skype, Unknown Malware

Bit9 Parity

The easiest way to control what can and can’t run on your Windows computers.

Page 24: Protect Your Desktops from  Malware and Unauthorized Software

3 Year Cost to Maintain a Desktop

• Well-Managed: $3,300

• Average Managed: $4,300

• Poorly Managed: $5,300

Page 25: Protect Your Desktops from  Malware and Unauthorized Software

Key Application Whitelisting Takeaways …

• Default Deny on Unrecognized Software

• Custom By Company / Organization

• Adaptive to Include New Software

Page 26: Protect Your Desktops from  Malware and Unauthorized Software

Regain Control with App Whitelisting!

Security – Only trusted software is allowed to run

Compliance – Visibility and control over endpoints

Manageability – Drastic reduction in support costs