Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Transcription

1 Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation

2 Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client Computers Malware Defense for Servers Network-Based Malware Defense Solutions to implement Malware Defense-in-Depth November

3 Understanding Characteristics of malicious software November

4 Malicious Software: Identifying Challenges to an Organization Malware: A collection of software developed to intentionally perform malicious tasks on a computer system Feedback from IT and security professionals includes: The users executed the attachment from their even though we ve told them again and again that they aren t supposed to. The antivirus software should have caught this, but the signature for this virus hadn t been installed yet. We didn t know our servers needed to be updated. This never should have made it through our firewall; we didn t even realize those ports could be attacked.

5 Understanding Malware Attack Techniques Common malware attack techniques include: Social engineering Backdoor creation address theft Embedded engines Exploiting product vulnerabilities Exploiting new Internet technologies

6 Understanding the Vulnerability Timeline Most attacks occur here Product shipped Vulnerability discovered Vulnerability disclosed Update made available Update deployed by customer

7 Understanding the Exploit Timeline Exploit Malware Attack Days between update and exploit Days between update Nimda 331 Product Vulnerability VulnerabilityUpdate made Update shipped SQL Slammer discovered180 and exploit have disclosed available decreased deployed Welchia/Nachi 151 by customer Blaster 25 Sasser 14

8 Identifying Common Malware Defense Methods Malware Attack Defense Method Mydoom Sasser Blaster SQL Slammer Download.Ject Block port 1034 Update antivirus signatures Implement application security Block ports 445, 5554, and 9996 Install the latest security update Install the latest security update Block TCP ports 135, 139, 445, and 593 and UDP ports 135, 137, and 138, and also block UDP ports 69 (TFTP) and TCP 4444 for remote command shell. Update antivirus signatures Install the latest security update Block UDP port 1434 Install the latest security update Increase security on the Local Machine zone in Internet Explorer Clean any infections related to IIS

9 What Is Defense-in-Depth? Using a layered approach: Increases an attacker s risk of detection Reduces an attacker s chance of success Data Application Host Internal network Perimeter Strong passwords, ACLs, encryption, EFS, backup and restore strategy Application hardening OS hardening, authentication, update management, antivirus updates, auditing Network segments, IPSec, NIDS Firewalls, boarder routers, VPNs with quarantine procedures Physical security Policies, procedures, and awareness Guards, locks, tracking devices Security policies, procedures, and education

10 Applying Defense-in-Depth to Malware Defense Client defenses Data Application Host Server defenses Data Application Host Network defenses Internal network Perimeter Physical security Policies, procedures, and awareness

11 Implementing Host Protection Policies, Procedures, and Awareness Recommended policies and procedures include: Host protection defense policies: Scanning policy Signature update policy Allowed application policy Security update policy: 1. Assess environment to be updated 2. Identify new updates 3. Evaluate and plan update deployment 4. Deploy the updates Network defense policies: Change control Network monitoring Attack detection Home computer access Visitor access Wireless network policy

12 Implementing Physical Security and Antivirus Defense Elements of an effective physical defense plan include: Premises security Personnel security Network access points Server computers Workstation computers Mobile computers and devices

13 Protecting Client Computers: What Are the Challenges? Challenges related to protecting client computers include: Host challenges Maintaining security updates Maintaining antivirus software Implementing a personal firewall Application challenges Controlling application usage Secure application configuration settings Maintaining application security updates Data challenges Implementing data storage policies Implementing data security Regulatory compliance

14 Implementing Client-Based Malware Defense Steps to implement a client-based defense include: Reduce the attack surface Apply security updates Enable a host-based firewall Install antivirus software Test with configuration scanners Use least-privilege policies Restrict unauthorized applications

15 Configuring Applications to Protect Client Computers Applications that may be malware targets include: client applications Desktop applications Instant messaging applications Web browsers Peer-to-peer applications

16 Managing Internet Explorer Browser Security Security feature MIME security improvements Better security management Local Machine zone Feature Control Security Zone settings Group Policy settings Consistency checks Stricter rules Description Add-on control and management features Better prompts New script-initiated windows restrictions Ability to control security in the local machine zone MIME sniffing Security elevation Windows restriction Administrative control for feature control security zones

17 Protecting Client Computers: Best Practices Identify threats within the host, application, and data layers of the defense-in-depth strategy Implement an effective security update management policy Implement an effective antivirus management policy Use Active Directory Group Policy to manage application security requirements Implement software restriction policies to control applications

18 What Is Server-Based Malware Defense? Basic steps to defend servers against malware include: Reduce the attack surface Apply security updates Enable a host-based firewall Analyze using configuration scanners Analyze port information

19 Protecting Servers: Best Practices Consider each server role implemented in your organization to implement specific host protection solutions Stage all updates through a test environment before releasing into production Deploy regular security and antivirus updates as required Implement a self-managed host protection solution to decrease management costs

20 Protecting the Network: What Are the Challenges? Challenges related to protecting the network layer include: Balance between security and usability Lack of network-based detection or monitoring for attacks

21 Implementing Network-Based Intrusion-Detection Systems Network-based intrusion-detection system Provides rapid detection and reporting of external malware attacks Important points to note: Network-based intrusion-detection systems are only as good as the process that is followed once an intrusion is detected ISA Server 2006 provides network-based intrusion-detection abilities

22 Implementing Application Layer Filtering Application layer filtering includes the following: Web browsing and can be scanned to ensure that content specific to each does not contain illegitimate data Deep content analyses, including the ability to detect, inspect, and validate traffic using any port and protocol

23 Protecting the Network: Best Practices Have a proactive antivirus response team monitoring early warning sites such as antivirus vendor Web sites Have an incident response plan Implement automated monitoring and report policies Implement ISA Server 2006 to provide intrusion- detection capabilities

24 More advanced More frequent Profit motivated Application-oriented Too many point products Poor interoperability Lack of integration Multiple consoles Uncoordinated event reporting & analysis Cost and complexity November

25 Protect Information and Control Access at Operating system Server applications Network edge Content Heterogeneity Third-party products Secure custom apps 24/7 security research and response Cross-product integration MSFT security products MSFT server applications Integration with Microsoft IT infrastructure Active Directory, SQL Server, Operations Manager, etc. Integration with ecosystem partners and custom apps Unified view and analytics Reduced number of management consoles Simplified deployment Appliances and appliance-like experience Technical and industry guidance Simplified licensing November

26 Unified malware protection for business desktops, laptops and server operating systems that is easy to manage and control One solution for spyware and virus protection Built on protection technology used by millions worldwide Effective threat response One console for simplified security administration Define one policy to manage client protection agent settings Integrates with your existing infrastructure One dashboard for visibility into threats and vulnerabilities View insightful reports Stay informed with state assessment scans and security alerts

27 November

28 Security Summary

29 Windows Vista Server and Domain Isolation (SD&I) Forefront Client Security Combined Solution User Account Control IE7 with Protected Mode Randomize Address Space Layout Advanced Desktop Firewall Kernel Patch Protection (64bit) Policy Based Network Segmentation Restrict-To-Trusted Net Communications Infrastructure Software Integration Unified Virus & Spyware Protection Central Management Reporting, Alerting and State Assessment

30 Services Edge Server Applications Client and Server OS Information Protection Identity Management Active Directory Federation Services (ADFS) Systems Management Guidance Developer Tools November

31 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.