SO YOU THINK YOU ARE PROTECTED? THINK AGAIN! NEXT GENERATION ENDPOINT SECURITY

BACKGROUND

Macro trends like cloud and mobility change the requirements for endpoint security. Data can be stored on premises, in public clouds or at the endpoints, and it needs to be protected and available 24x7 regardless of where it resides. At the same time, this data is a high-value target for today's organized crime. The total global impact of cybercrime has risen to USD 3 trillion, making it more profitable than the global trade in marijuana, cocaine and heroin combined. So how can you keep your data and business protected without losing the agility required to compete in your quickly evolving marketspace?

www.securelink.net

CHALLENGES

Antivirus/anti-spyware databases are 90-99% effective at detecting well-known, widely circulating threats. However, they are only 20-50% effective at detecting new or low-volume threats.

KNOWN VS UNKNOWN THREATS

Historically, the technical battle between cybercrime and protection has been very reactive. First a threat needs to present itself; then the industry can mitigate it by writing different types of signatures to detect and block it. Some examples:

- A malicious file is found and an antivirus signature is written to match the exact fingerprint of the file, so that it can be detected and blocked.
- Forensics of an infected endpoint provides a set of IOCs (Indicators of Compromise). These can be shared across endpoints, customers and industries to find other infected endpoints.
- A botnet is discovered. The IP addresses and/or URLs of its command and control (C&C) servers are identified and shared to help block C&C connections and identify infected endpoints.

This type of functionality is important to detect and protect against well-known threats. But since there is no such thing as 100% protection, how can we protect better against the unknown? Some examples:

- A critical SCADA system may not require much interaction with the outside world, so isolating it at the network level can massively reduce the risk of infection or attack.
- The software running on a Point-of-Sale terminal should not change very often, so locking down which applications are allowed to run massively reduces the risk.

These examples do not work very well on normal end-user laptops, however, since end users often require a lot of interaction with the outside world, and therefore the flexibility to update and add the software they need to do their job. To address these challenges, the security industry has come up with a selection of approaches to manage the risks related to end-user needs and behavior.

They all have their advantages and disadvantages. The next section provides an overview of some important types of endpoint security features and their respective key benefits. There are a number of alternative technical approaches to better protect against unknown threats. Which one you choose to use depends on the balance between the need for security on the one hand and the demands on availability and agility on the other.

IT IS ALL ABOUT BALANCE

ENDPOINT SECURITY CATEGORIES

In the best of worlds, all the endpoint security needed would be available in one product, or even better, just integrated into the operating system. Unfortunately, this is not the case. Many different types of features are needed, and different vendors excel in different areas. The following are some of the more common and important areas.

01. PERIPHERAL DEVICE SECURITY

Somewhat simplified, peripheral devices can be viewed as basically all the things you connect to your USB port: USB memory sticks, keyboards, external hard drives, etc. One popular way of getting into companies is the so-called candy drop, i.e. spreading infected USB sticks in the public areas of a company, hoping that someone will pick one up and connect it to their laptop. You could argue that no one would be so unaware as to click on a file from an unknown USB key. However, too many people do, and for those who do not, the cybercrime industry has thought of that too. The USB standard lets the device tell the laptop what type of device it is. This means that by simply claiming to be a keyboard, a USB key can execute its own code once connected to the laptop (even though autorun is disabled). To mitigate this threat, Device Control features are available that help you control what users plug into their laptops. This increases security, but the big challenge lies in providing an effective work environment and managing real-world situations, such as when the CEO calls with an issue downloading pictures from his smartphone.

02. COMPLIANCE

Many of the security standards (PCI, CIS, NIST, etc.) recommend or require that, as soon as a system is put in a known and trusted state, all subsequent changes are detected and logged. To enable this, File Integrity Monitoring features monitor all changes, log them and compare them to different best practices and compliance frameworks. This helps detect suspicious or unauthorized deviations and changes.

03. SECURE ACCESS

Information is worthless if it is not available to those who need it. In order to provide secure access to company information, organizations need to control who has access to what. It is also important to ensure that information cannot be eavesdropped on or modified in transit, and that access is not granted to an infected endpoint that could steal information and infect other devices. Secure access can be divided into two categories:

- Remote access (often referred to as VPN or SSL-VPN)
- Local access (often referred to as NAC, Network Access Control)

Secure Access functionality can be part of the OS, included in an endpoint security product, or added as stand-alone software that specializes in providing only this functionality.
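The File Integrity Monitoring described under 02. COMPLIANCE, reduced to its mechanics as an added example (not SecureLink's or any vendor's code): hash and record every file once the system is in its trusted state, then report additions, deletions and modifications against that baseline. The monitored tree, its file names and contents are constructed in a temporary directory.

```python
"""File Integrity Monitoring in miniature: baseline a directory tree once the
system is in a known, trusted state, then report every deviation from it.
Added illustration of the FIM concept under 02. COMPLIANCE; not SecureLink's
or any vendor's code. The monitored tree is constructed in a temp directory."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path, exclude_dirs=()) -> dict:
    """Record size, permission bits and content hash of every regular file.
    Keys are root-relative POSIX paths, so a baseline is portable between hosts."""
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories that change constantly (logs, caches) to avoid alert noise.
        dirnames[:] = [d for d in dirnames if d not in exclude_dirs]
        for name in filenames:
            path = Path(dirpath) / name
            st = path.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are not hashed
            records[path.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "sha256": sha256_of(path),
            }
    return records


def compare(baseline: dict, current: dict) -> dict:
    """Return what a FIM agent would log: added, removed and modified files.
    Content is judged by hash, not size, so a same-length edit is still caught."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for rel in sorted(set(baseline) & set(current)):
        reasons = [k for k in ("sha256", "mode") if baseline[rel][k] != current[rel][k]]
        if reasons:
            modified.append((rel, reasons))
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root, baseline_file = Path(tmp) / "system", Path(tmp) / "baseline.json"
        for d in ("etc", "bin", "logs"):
            (root / d).mkdir(parents=True)
        (root / "etc" / "app.cfg").write_text("debug=0\n")
        (root / "bin" / "agent").write_bytes(b"\x7fELF-agent")
        (root / "logs" / "app.log").write_text("started\n")
        baseline_file.write_text(json.dumps(snapshot(root, exclude_dirs=("logs",))))

        # Tampering: same-length config edit, binary swapped for a new file, log churn.
        (root / "etc" / "app.cfg").write_text("debug=1\n")
        (root / "bin" / "agent").unlink()
        (root / "bin" / "dropper").write_bytes(b"\x7fELF-other")
        (root / "logs" / "app.log").write_text("started\nstopped\n")

        baseline = json.loads(baseline_file.read_text())
        return compare(baseline, snapshot(root, exclude_dirs=("logs",)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The excluded log directory churns without raising an alert, while the configuration edit that kept the file's exact size is still reported, because the comparison is on the hash.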

04. DATA SECURITY

Disk encryption
This is used to prevent data from being accessed if your device is stolen or lost. The drawback is that once you start your machine the disk is decrypted, so malware on your laptop has access to unencrypted data as soon as the laptop is started.

File encryption
This is used to protect very sensitive files. The files are only decrypted when they are accessed, so malware will not have access to unencrypted data. Please note that advanced malware can record your keystrokes to get hold of decryption passwords and decrypt the files.

Data Loss Prevention
This feature is designed to detect potential data breaches and data exfiltration by detecting, monitoring and blocking sensitive data. Large-scale DLP implementations that aim to achieve the full value of the solution typically require that your company classifies its data, so that it receives the proper level of protection.

05. EXPLOIT PROTECTION

A common way to infect an endpoint is to send a PDF or Office document that is infected with malicious code. When the end user opens the document, it executes code that exploits a vulnerability in the application opening the document. To protect against such application- and memory-based exploits, a couple of different features are available:

- Host IPS (HIPS): There is no standard terminology for different HIPS techniques, but it typically includes some type of signature-based detection to find exploits targeting known vulnerabilities.
- Exploit Mitigation/Traps: Inject code that detects when a process tries to perform malicious activity.
- Memory Protection: Protect against memory exploits, process injection and privilege escalation.

06. MALWARE PROTECTION

Traditionally, the main task for antivirus products has been to detect malicious programs. Historically this has been done by creating a signature for every new piece of malware that is detected and pushing it to all endpoints, which can then detect the malware. Since several hundred thousand new malware samples are created every day, this approach is no longer optimal. In addition, it requires that someone else has already found the malware so that a signature can be written for it. This means that you can only protect against the known and not the unknown. Below are some of the options available for protecting against malware.

Malware Signatures (Traditional Antivirus)
The main benefit of signature-based detection is that the malware is known, meaning that there is often additional information available about the malware and what it tries to do. A drawback of signatures is that they are reactive and provide very limited protection against zero-day malware and targeted attacks.

Threat Intelligence
Adding a feed of IPs or URLs of known malicious domains or botnets to the analysis means that connections to these sites can be blocked to prevent download of malware or callbacks to such domains. This is generally a very good complement for detection, but it is still reactive, since someone needs to detect these domains first, and they seldom have a long lifespan.
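Both uses of shared indicators that the text describes, blocking known C&C destinations (Threat Intelligence above) and searching for other infected endpoints (the IOC example under KNOWN VS UNKNOWN THREATS), come down to the same matching step. The following added example (not SecureLink's or any vendor's code) runs a small indicator feed over proxy log lines; the feed, the log lines and all addresses and names are constructed from reserved documentation ranges, and indicators carry an expiry to reflect the short lifespan the text mentions.

```python
"""Apply a threat-intelligence feed of IOCs to proxy logs: block-list matching
plus the 'find other infected endpoints' use of shared indicators. Added example
for the IOC and Threat Intelligence passages; not SecureLink's or any vendor's
code. Feed, log lines, addresses and names are constructed (RFC 5737 / RFC 2606
reserved values)."""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed feed: indicator type, value, expiry. Entries expire because C&C
# infrastructure is short-lived, which is exactly why the feed is reactive.
FEED = """\
ip,203.0.113.45,2024-03-10T00:00:00Z
domain,cdn-update.example,2024-03-01T00:00:00Z
url,http://files.example.net/dl/payload.bin,2024-06-30T00:00:00Z
"""

# Constructed proxy log: time, source endpoint, destination IP, method, URL.
PROXY_LOG = """\
2024-02-20T08:01:12Z 10.0.5.21 203.0.113.45 GET http://203.0.113.45/beacon
2024-02-20T08:03:40Z 10.0.5.21 198.51.100.7 GET http://cdn-update.example/check
2024-02-20T08:05:01Z 10.0.7.3 198.51.100.9 GET http://files.example.net/dl/payload.bin
2024-02-20T08:06:22Z 10.0.9.14 192.0.2.10 GET https://intranet.example/home
2024-03-05T09:00:00Z 10.0.7.3 198.51.100.7 GET http://cdn-update.example/check
"""


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_feed(text: str) -> dict:
    """-> {"ip": {value: expiry}, "domain": {...}, "url": {...}}"""
    feed = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, value, expires = line.split(",")
        feed[kind][value.strip().lower()] = parse_time(expires.strip())
    return feed


def indicators_for(entry: dict) -> list:
    """The (type, value) pairs one log entry can be checked against."""
    host = (urlsplit(entry["url"]).hostname or "").lower()
    return [("ip", entry["dst_ip"]), ("domain", host), ("url", entry["url"].lower())]


def hunt(feed_text: str, log_text: str):
    """Return matched events and the source endpoints they implicate.
    An indicator only counts while it is active at the time of the event; the
    last log line hits a domain after its expiry and is deliberately not matched."""
    feed = load_feed(feed_text)
    hits, suspects = [], set()
    for line in log_text.splitlines():
        ts, src, dst, _method, url = line.split()
        entry = {"time": parse_time(ts), "src_ip": src, "dst_ip": dst, "url": url}
        for kind, value in indicators_for(entry):
            expires = feed[kind].get(value)
            if expires is not None and entry["time"] < expires:
                hits.append({"time": ts, "src_ip": src, "ioc_type": kind, "ioc": value})
                suspects.add(src)
    return hits, sorted(suspects)


if __name__ == "__main__":
    found, endpoints = hunt(FEED, PROXY_LOG)
    for h in found:
        print(f'{h["time"]} {h["src_ip"]} matched {h["ioc_type"]} {h["ioc"]}')
    print("endpoints to investigate:", endpoints)
```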

Application Control
By only allowing specified applications to run (whitelisting), a malicious process cannot start. Application control is a good solution for devices in the Internet of Things space that do not update or add software often. It is more cumbersome to manage for normal end-user laptops, which are more dynamic and heterogeneous in nature.

Sandboxing/Emulation
This concept means sending unknown files to a controlled environment where they are executed. Once executed, the behavior is monitored for malicious activity. This can help detect zero-day malware based on its execution behavior and also create threat intelligence that can help detect other infected endpoints. Sandboxing typically means a delay in delivery of the file to the target while the suspicious file is executed and analyzed. This makes it a common and good feature for mail and web gateways, but maybe not optimal for all endpoint deployments. For endpoints there are some things to consider:

- Location: Are you running the sandbox platform locally or in the cloud?
- Scalability: If locally, how many devices do you need to support all of your endpoints?
- Remote users: How will remote users send files to the sandboxes?
- Delay: There will be a delay while waiting for the file to finish running in the sandbox. Is this acceptable to the end user?
- Patient Zero effect: If, for delay reasons, you allow the file to be executed locally while the analysis is still being performed, this first laptop (Patient Zero) will be infected before you can stop future attacks. How do you manage this Patient Zero effect?
- Evasion: How good is the sandbox technology at detecting different evasion techniques?

Endpoint Isolation
This concept leverages different virtualization techniques, e.g. micro-virtualization, to execute files locally on the laptop in a separate sandbox. This prevents the malicious file from reaching the operating system. Once the session is over, the virtual environment is discarded. The main benefit is that no files need to be sent away for scanning in sandboxes, and nothing should leave the local sandbox. A drawback is that this concept usually has a performance impact on the endpoint, and the isolation vendor needs to certify all OSs and applications that are supported. For environments running a standard OS and applications, which can enforce that no other applications are run outside the isolation environment, this can be a good approach to ensure that malicious code only ever executes in the virtual environment.

Machine Learning
Machine learning is today a common tool for solving complex problems effectively. Voice recognition, consumer profiling and insurance companies use different types of machine learning to learn patterns and quickly categorize new events correctly. For malware detection, machine learning means identifying millions of different characteristics of a file, then running millions of good and bad files through a large, advanced machine-learning system to understand how these characteristics differ between good and bad files. This means that malware can be detected regardless of how many times it is rewritten to change its fingerprint, since the characteristics will be the same and be identified as bad. The verification is done by a mathematical model that examines a file prior to execution and provides a sub-second verdict based on advanced algorithms. This model has a very small impact on system performance and does not depend on any external signatures or sandboxes to detect and block zero-day malicious files from executing. This approach works well in all types of environments and could complement or replace traditional signature-based antivirus in most cases.

07. DETECTION & RESPONSE

There is no such thing as 100% protection, so how should you respond when you detect breached endpoints, and do you have the tools to respond to the breach? When an infected endpoint is found inside the company, there are a lot of questions you would like to be able to answer:

- Is any other endpoint infected?
- When was this endpoint infected?
- How was it infected?
- What type of information is at risk?
- Has any data been stolen?
- Who did it and why?

To help customers with incident response, there is a specific set of tools referred to as Endpoint Detection & Response (EDR) tools. They provide very advanced functionality to help quickly understand the impact of a breach and respond to it.

TOP 5 TIPS FOR SECURING YOUR WINDOWS ENDPOINT!

1. Do not allow execution of unsigned programs from a user's profile directory.
Reason: A common location for malware to install itself. (Requires exceptions.)

2. Disable support for executing JavaScript, Java and Visual Basic scripts outside of the web browser.
Reason: A common attack vector. (Could require changes to administration via scripts.)

3. Upgrade PowerShell to version 4, enable logging and disable execution of unsigned scripts.
Reason: Built-in security functions and much more detailed logging.

4. Do not allow, or limit, the use of local administrative privileges.
Reason: Should an attacker infect a user with local administrative privileges, it would give the attacker the same privileged access. Enforce separation of duties between daily work and system access.

5. Strong authentication, preferably a secure vault with functionality to mask the password.
Reason: The first thing an attacker would like to get is access to privileged accounts. Implementing privileged account security will limit the impact of a breach and also enable detection of it.
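Tips 1 and 2 above are really application-control rules of the kind described under 06. MALWARE PROTECTION, and the subtle part is the order in which rules are evaluated. The following added example (not SecureLink's or any vendor's implementation) shows the decision logic of such a policy; the trusted publishers, file hashes and process-start events are constructed, and the script-host names are taken from the Windows Script Host binaries wscript.exe and cscript.exe.

```python
"""Decision logic of an application-control (allow-listing) policy that also
encodes tips 1 and 2 above: block unsigned programs in user profiles, block
JavaScript/VBScript run outside the browser. Added example, not any vendor's
implementation; publishers, hashes and process events are constructed."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class LaunchEvent:
    image: str      # full path of the executable as reported by the OS
    sha256: str     # hash of the image file (constructed values below)
    signed: bool    # True if the Authenticode signature verified
    publisher: str  # signer name, "" when unsigned
    cmdline: str    # full command line: shows what a script host is asked to run

# Windows Script Host binaries that run .js/.vbs files outside the browser (tip 2).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf")

POLICY = {
    "trusted_publishers": {"Example Corp Software"},  # constructed
    "allowed_hashes": {"a1" * 32},  # also serves as the "exceptions" list of tip 1
    "enforce": True,  # False = audit mode: report the would-be block, let it run
}

def in_user_profile(image: str) -> bool:
    """True for anything under <drive>:\\Users\\..., compared case-insensitively.
    Paths are assumed already normalized by the OS (no '..' segments)."""
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    return len(parts) >= 3 and parts[1] == "users"

def decide(ev: LaunchEvent, policy: dict = POLICY) -> tuple:
    """Return (verdict, reason). Rule order matters: the script-host check runs
    before any allow rule, because wscript.exe is itself a legitimately signed
    OS binary and a publisher rule alone would let the script through."""
    name = PureWindowsPath(ev.image).name.lower()
    tokens = ev.cmdline.lower().replace('"', "").split()
    if name in SCRIPT_HOSTS and any(t.endswith(SCRIPT_EXTENSIONS) for t in tokens):
        verdict, reason = "deny", "script executed outside the browser (tip 2)"
    elif ev.sha256.lower() in policy["allowed_hashes"]:
        verdict, reason = "allow", "hash on allow-list"
    elif in_user_profile(ev.image) and not ev.signed:
        verdict, reason = "deny", "unsigned program in user profile (tip 1)"
    elif ev.signed and ev.publisher in policy["trusted_publishers"]:
        verdict, reason = "allow", f"trusted publisher: {ev.publisher}"
    else:
        verdict, reason = "deny", "not on allow-list (default deny)"
    if verdict == "deny" and not policy["enforce"]:
        verdict = "audit"  # logged, not blocked
    return verdict, reason

# Constructed process-start events, one per branch of the policy.
EVENTS = [
    LaunchEvent(r"C:\Windows\System32\wscript.exe", "00" * 32, True, "Example OS Vendor",
                r'wscript.exe //B "C:\Users\alice\Downloads\invoice.js"'),
    LaunchEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe", "c3" * 32, False, "",
                "update.exe /silent"),
    LaunchEvent(r"c:\USERS\alice\Tools\approved.exe", "a1" * 32, False, "", "approved.exe"),
    LaunchEvent(r"C:\Program Files\Example\app.exe", "d4" * 32, True, "Example Corp Software",
                "app.exe"),
    LaunchEvent(r"D:\share\tool.exe", "e5" * 32, False, "", "tool.exe"),
]

def evaluate(events=EVENTS, policy: dict = POLICY) -> list:
    """Verdicts for a batch of events, as an agent would write them to its log."""
    return [decide(ev, policy)[0] for ev in events]

if __name__ == "__main__":
    for ev in EVENTS:
        verdict, reason = decide(ev)
        print(f"{verdict:5} {ev.image}  [{reason}]")
```

Running with "enforce" set to False gives the audit-mode output a team would review before switching the policy on, which is how the exceptions tip 1 calls for are usually discovered.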

PROTECT YOUR DATA, IN USE, AT REST AND IN TRANSIT!

SUMMARY

Today's protection of endpoints can and should include many different protective measures to ensure protection against different types of threats. Different vendors have solutions for one or several of the threat types. However, the core functionality of endpoint protection, protecting against malicious code, is an area where the bad guys have outrun the security vendors by far over the last years. Only recently have new technologies emerged that try to attack the problem with new methods and tools. These new technologies include machine-based learning (algorithm-based detection), virtualization techniques, etc. These new types of protection methods are so-called disruptive innovations in the endpoint market. They have moved away from traditional signature-based detection to try to find more effective methods.

As an organization looks at securing its endpoints, it is important to identify and prioritize the different needs and requirements for endpoint protection. Different solutions are good for different types of deployments, and an organization may very well end up needing more than one endpoint protection agent to protect itself.

[Figure: use-cases covered versus time. Current Endpoint Protection follows the old market supply and demand curves; Next Generation Endpoint Protection follows the new market supply and demand curves, driven by the demand for protection against unknown threats.]

The picture illustrates how existing, traditional signature-based endpoint protection products often include many of the modules described above. However, they are not really solving the market demand of protecting against unknown threats. The newer, innovative endpoint protection vendors are focused on addressing this, but they may not yet have all the modules customers are looking for. As the innovative vendors develop their products and capabilities, it is very likely that we will see a big shift in the endpoint protection market.

If you would like to discuss which endpoint solution will best address your specific needs, please contact your local SecureLink sales representative.
