SO YOU THINK YOU ARE PROTECTED? THINK AGAIN! NEXT GENERATION ENDPOINT SECURITY www.securelink.net
BACKGROUND

Macro trends like cloud and mobility change the requirements for endpoint security. Data can be stored on premise, in public clouds, or at the endpoints, and it needs to be protected and available 24x7 regardless of where it resides. At the same time this data is a high-value target for today's organized crime. The total global impact of cybercrime has risen to USD 3 trillion, making it more profitable than the global trade in marijuana, cocaine and heroin combined. So how can you keep your data and business protected without losing the agility required to compete in your quickly evolving marketspace?
CHALLENGES

Antivirus/anti-spyware databases are 90-99% effective at detecting well-known, widely circulating threats. However, they are only 20-50% effective at detecting new or low-volume threats.

KNOWN VS UNKNOWN THREATS

Historically the technical battle between cybercrime and protection has been very reactive. First a threat needs to present itself; then the industry can mitigate it by writing different types of signatures to detect and block it. Some examples:

- A malicious file is found and an antivirus signature is written to match the exact fingerprint of the file, so that it can be detected and blocked.
- Forensics of an infected endpoint provides a set of IOCs (Indicators of Compromise). These can be shared across endpoints, customers and industries to find other infected endpoints.
- A botnet is discovered. The IP addresses and/or URLs of the command and control (C&C) servers are identified and shared to help block C&C connections and identify infected endpoints.

This type of functionality is important to help us detect and protect against well-known threats. But, since there is no such thing as 100% protection, how can we protect better against the unknown? Some examples:

- A critical SCADA system may not require much interaction with the outside world, so by isolating it at the network level, the risk of infection or attack can be massively reduced.
- The software running on a Point-of-Sale terminal should probably not change very often, so by locking down which applications are allowed to run, the risk is massively reduced.

The above examples do not, however, work very well on normal end-user laptops, since end-users often require a lot of interaction with the outside world, and hence the flexibility to update and add the software they need in order to do their job. To address these challenges, the security industry has come up with a selection of different approaches to manage the risks related to end-user needs and behavior. They all have their advantages and disadvantages. The next section provides an overview of some important types of endpoint security features and their respective key benefits.

There are a number of alternative technical approaches to better protect against unknown threats. Which one you choose depends on the balance between the need for security on one hand and the demands on availability and agility on the other.

IT IS ALL ABOUT BALANCE
ENDPOINT SECURITY CATEGORIES

In the best of worlds all the endpoint security needed would be available in one product, or even better, integrated into the operating system. This is unfortunately not the case. There are many different types of features needed, and different vendors excel in different areas. The following are some of the more common and important areas.

01. PERIPHERAL DEVICE SECURITY

Somewhat simplified, peripheral devices can be viewed as basically all the things you connect to your USB port. This includes USB memory sticks, keyboards, external hard drives, etc. One popular way of getting into companies is the so-called candy drop, i.e. spreading infected USB sticks in the public areas of a company, hoping that someone will pick one up and connect it to their laptop. You could argue that no one would be so unaware as to click on a file from an unknown USB key. However, too many people do, and for those who do not, the cybercrime industry has thought of that too. The USB standard is written so that the device tells the laptop what type of device it is. This means that by simply claiming to be a keyboard, the USB key can execute its own code once connected to the laptop (even though autorun is disabled). To mitigate this threat there are Device Control features available that help you control what users plug into their laptops. This increases security, but the big challenge lies in providing an effective work environment and managing real-world situations, such as when the CEO calls and has an issue downloading pictures from his smartphone.

02. COMPLIANCE

Many of the different security standards (PCI, CIS, NIST, etc.) recommend or require that as soon as a system is put in a known and trusted state, all subsequent changes are detected and logged. To enable this, there are File Integrity Monitoring features that monitor all changes, log them and compare them to different best practices and compliance frameworks. This helps detect suspicious or unauthorized deviations and changes.

03. SECURE ACCESS

Information is worthless if it is not available to those who need it. In order to provide secure access to company information, organizations need to control who has access to what. It is also important to ensure that information cannot be eavesdropped on or modified in transit, and that access is not granted to an infected endpoint that could steal information and infect other devices. Secure access can be divided into two categories:

- Remote access (often referred to as VPN or SSL-VPN)
- Local access (often referred to as NAC, Network Access Control)

Secure Access functionality can be part of the OS, included in an endpoint security product, or added as stand-alone software that specializes in providing only this functionality.
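The File Integrity Monitoring feature described under 02. COMPLIANCE can be illustrated with a small baseline-and-compare routine. The following is an added example written for this page, not SecureLink's or any vendor's product code: it hashes a directory tree once the system is in its trusted state, stores the baseline as JSON, and later reports every added, modified or removed file. The directory, its files and the "drift" are constructed in a temporary location for the demonstration.

```powershell
# Added example, not SecureLink's or any vendor's product code: a minimal File
# Integrity Monitoring routine that records a baseline of a directory tree once the
# system is in its trusted state, then reports every added, modified or removed file.
# The directory and its files are constructed in a temporary location for the demo.

function Get-RelativePath {
    param([string] $Root, [string] $FullName)
    $base = (Get-Item -Path $Root).FullName.TrimEnd([System.IO.Path]::DirectorySeparatorChar)
    return $FullName.Substring($base.Length + 1)
}

function New-FimBaseline {
    # Hash every file under $Path and persist the result as JSON in $BaselineFile.
    param([string] $Path, [string] $BaselineFile)
    $entries = @(Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = Get-RelativePath -Root $Path -FullName $_.FullName
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Length       = $_.Length
            LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
        }
    })
    ConvertTo-Json -InputObject $entries -Depth 3 | Set-Content -Path $BaselineFile -Encoding UTF8
    return $entries
}

function Compare-FimBaseline {
    # Re-hash the tree and diff it against the stored baseline.
    param([string] $Path, [string] $BaselineFile)
    $baseline = @{}
    foreach ($e in @(Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json)) {
        $baseline[$e.RelativePath] = $e.Sha256
    }
    $current = @{}
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $rel = Get-RelativePath -Root $Path -FullName $_.FullName
        $current[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    $findings = @()
    foreach ($rel in $current.Keys) {
        if (-not $baseline.ContainsKey($rel)) {
            $findings += [pscustomobject]@{ Change = 'Added';    Path = $rel }
        } elseif ($baseline[$rel] -ne $current[$rel]) {
            $findings += [pscustomobject]@{ Change = 'Modified'; Path = $rel }
        }
    }
    foreach ($rel in $baseline.Keys) {
        if (-not $current.ContainsKey($rel)) {
            $findings += [pscustomobject]@{ Change = 'Removed';  Path = $rel }
        }
    }
    return $findings
}

# --- Demonstration on a constructed temporary tree ---
$tmp  = [System.IO.Path]::GetTempPath()
$root = Join-Path $tmp ("fim-demo-" + [guid]::NewGuid().ToString('N'))
$etc  = Join-Path $root 'etc'
New-Item -ItemType Directory -Path $etc -Force | Out-Null
Set-Content -Path (Join-Path $etc 'app.conf')  -Value 'debug=false'
Set-Content -Path (Join-Path $etc 'hosts.txt') -Value '127.0.0.1 localhost'
$baselineFile = Join-Path $tmp 'fim-demo-baseline.json'   # kept outside the monitored tree

# 1. Baseline the tree while it is in its known, trusted state.
New-FimBaseline -Path $root -BaselineFile $baselineFile | Out-Null

# 2. Simulate drift: a config edit, a dropped file and a deleted file.
Set-Content -Path (Join-Path $etc 'app.conf')  -Value 'debug=true'
Set-Content -Path (Join-Path $etc 'extra.dll') -Value 'unexpected content'
Remove-Item -Path (Join-Path $etc 'hosts.txt')

# 3. Report each deviation; in production these records would be logged to a SIEM
#    and reconciled against change tickets or the benchmark the compliance framework requires.
Compare-FimBaseline -Path $root -BaselineFile $baselineFile |
    ForEach-Object { "[{0}] {1}" -f $_.Change, $_.Path }

Remove-Item -Path $root -Recurse -Force
Remove-Item -Path $baselineFile -Force
```

The run reports the edited app.conf as Modified, extra.dll as Added and hosts.txt as Removed. Two design points matter in practice: the baseline is kept outside the monitored tree so it does not show up as a change of its own, and it should also be stored or signed off-host, since malware running with administrative rights could otherwise rewrite the baseline to match its changes.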
04. DATA SECURITY

Disk encryption: This is used to prevent data from being accessed if your device is stolen or lost. The drawback is that once you start your machine the disk is decrypted, so malware on your laptop has access to unencrypted data as soon as the laptop is started.

File encryption: This is used to protect very sensitive files. The files are only decrypted when they are accessed, so malware will not have access to unencrypted data. Please note that advanced malware can record your keystrokes to get hold of decryption passwords and decrypt the files.

Data Loss Prevention: This is a feature designed to detect potential data breaches and data exfiltration by detecting, monitoring and blocking sensitive data. Large-scale DLP implementations that aim to get full value from the solution typically require that your company classifies its data in order to get the proper level of protection.

HOW DO YOU KEEP YOUR DATA AND BUSINESS PROTECTED WITHOUT LOSING AGILITY TO COMPETE IN YOUR MARKETSPACE?
05. EXPLOIT PROTECTION

A common way to infect an endpoint is to send a PDF or office document that contains malicious code. When the end-user opens the document, it executes the code, which exploits a vulnerability in the application opening the document. To protect against such application and memory based exploits there are a couple of different features available:

- Host IPS (HIPS): There is no standard terminology for different HIPS techniques, but it typically includes some type of signature-based detection to find exploits against known vulnerabilities.
- Exploit Mitigation/Traps: Inject code that detects when a process tries to perform malicious activity.
- Memory Protection: Protect against memory exploits, process injection and privilege escalation.

06. MALWARE PROTECTION

Traditionally, the main task for antivirus products has been to detect malicious programs. This has historically been done by creating a signature for every new malware sample that is detected and pushing it to all the endpoints, which can then detect the malware. Since several hundred thousand new malware samples are created every day, this approach is no longer optimal. In addition, it requires that someone else has already found the malware so that a signature can be written for it. This means that you can only protect against the known and not the unknown. Below are some of the different options available for protecting against malware:

Malware Signatures (Traditional Antivirus)
The main benefit of signature-based detection is that the malware is known, meaning that there is often additional information available about the malware and what it tries to do. A drawback of signatures is that they are reactive and provide very limited protection against zero-day malware and targeted attacks.

Threat Intelligence
Adding a feed of IPs or URLs of known malicious domains or botnets to the analysis means that connections to these sites can be blocked to prevent download of malware or callbacks to such domains. This is generally a very good complement for detection, but it is still reactive, since someone needs to detect these domains, and they seldom have a long lifespan.

IN THE BEST OF WORLDS ALL THE ENDPOINT SECURITY NEEDED WOULD BE AVAILABLE IN ONE PRODUCT, OR EVEN BETTER, JUST INTEGRATED INTO THE OPERATING SYSTEM. THIS IS HOWEVER UNFORTUNATELY NOT THE CASE.
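Both the IOC sharing described under KNOWN VS UNKNOWN THREATS and the Threat Intelligence option above come down to the same mechanic: match a feed of known-bad IPs, domains and file hashes against what the endpoints log, and use the hits to find other infected endpoints. The following is an added example written for this page, not SecureLink's or any vendor's code. The feed, the log lines, the host names and the 2024-03-01 reference date are constructed; the IP ranges and example.* names are documentation-reserved values. It also shows the lifespan caveat from the text: indicators older than a chosen age are expired before matching.

```powershell
# Added example, not SecureLink's or any vendor's code: match a threat-intelligence
# feed of C&C IPs, domains and file hashes against endpoint log lines, and expire
# indicators older than a chosen age, since such domains seldom live long.
# Feed, log lines, host names and the reference date are constructed for the demo;
# 203.0.113.x / 198.51.100.x / 192.0.2.x and *.example.* are documentation-reserved.

$feed = @(
    [pscustomobject]@{ Type = 'ip';     Value = '203.0.113.45';       Added = [datetime]'2024-02-20' },
    [pscustomobject]@{ Type = 'domain'; Value = 'c2.bad.example.net'; Added = [datetime]'2024-02-25' },
    [pscustomobject]@{ Type = 'ip';     Value = '192.0.2.99';         Added = [datetime]'2023-06-01' },  # stale
    # Constructed hash indicator: the SHA-256 of an empty file, used only as a placeholder.
    [pscustomobject]@{ Type = 'sha256'; Value = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'; Added = [datetime]'2024-02-28' }
)

# Constructed endpoint log lines in a simple key=value format (no spaces inside values).
$logLines = @(
    '2024-03-01T08:15:02Z host=LAPTOP-07 type=dns query=update.example.org answer=198.51.100.10',
    '2024-03-01T08:15:09Z host=LAPTOP-07 type=dns query=c2.bad.example.net answer=203.0.113.45',
    '2024-03-01T08:15:10Z host=LAPTOP-07 type=net dst=203.0.113.45:443 proc=winword.exe',
    '2024-03-01T08:16:30Z host=LAPTOP-12 type=file path=C:\Users\ann\Downloads\invoice.pdf sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855',
    '2024-03-01T08:17:00Z host=LAPTOP-12 type=net dst=198.51.100.10:443 proc=chrome.exe',
    '2024-03-01T08:18:41Z host=LAPTOP-03 type=net dst=192.0.2.99:8080 proc=svchost.exe'
)

function Get-ActiveIndicators {
    # Drop feed entries older than $MaxAgeDays as of $AsOf; returns a lookup set per type.
    param([object[]] $Feed, [datetime] $AsOf, [int] $MaxAgeDays = 30)
    $active = @{ ip = @(); domain = @(); sha256 = @() }
    foreach ($i in $Feed) {
        if (($AsOf - $i.Added).TotalDays -le $MaxAgeDays) {
            $active[$i.Type] += $i.Value.ToLower()
        }
    }
    return $active
}

function ConvertFrom-KvLogLine {
    # Parse 'timestamp key=value key=value ...' into a hashtable.
    param([string] $Line)
    $fields = @{}
    $parts = $Line -split ' '
    $fields['timestamp'] = $parts[0]
    foreach ($token in $parts[1..($parts.Length - 1)]) {
        $kv = $token -split '=', 2
        if ($kv.Length -eq 2) { $fields[$kv[0]] = $kv[1] }
    }
    return $fields
}

function Find-IocMatches {
    # Return one record per log line that touches an active indicator.
    param([string[]] $Lines, [hashtable] $Active)
    $hits = @()
    foreach ($line in $Lines) {
        $f = ConvertFrom-KvLogLine -Line $line
        $reasons = @()
        if ($f.query  -and $Active.domain -contains $f.query.ToLower()) { $reasons += "domain:$($f.query)" }
        if ($f.answer -and $Active.ip     -contains $f.answer)           { $reasons += "ip:$($f.answer)" }
        if ($f.dst) {
            $ip = ($f.dst -split ':')[0]      # strip the port
            if ($Active.ip -contains $ip) { $reasons += "ip:$ip" }
        }
        if ($f.sha256 -and $Active.sha256 -contains $f.sha256.ToLower()) {
            $reasons += "sha256:$($f.sha256.Substring(0, 12))..."
        }
        if ($reasons.Count -gt 0) {
            $hits += [pscustomobject]@{ Timestamp = $f.timestamp; Host = $f.host; Indicators = ($reasons -join ', ') }
        }
    }
    return $hits
}

$active = Get-ActiveIndicators -Feed $feed -AsOf ([datetime]'2024-03-01') -MaxAgeDays 30
$hits   = Find-IocMatches -Lines $logLines -Active $active
$hits | Format-Table -AutoSize

# Endpoints to triage: every host with at least one hit. LAPTOP-03 only touched the
# stale 192.0.2.99 indicator, which the age filter removed, so it is not listed.
$hits | Group-Object Host | ForEach-Object { "{0}: {1} indicator hit(s)" -f $_.Name, $_.Count }
```

Domain matching here is exact; a production feed would normally also match subdomains of a listed domain. The age filter is a blunt stand-in for the feed provider's own first-seen/last-seen metadata, which is the better expiry source when available.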
Application Control
By only allowing specified applications to run (whitelisting), a malicious process cannot start. Application control is a good solution for devices in the Internet of Things space that do not update or add software often. It is more cumbersome to manage for normal end-user laptops, which are more dynamic and heterogeneous in nature.

Sandboxing/Emulation
This concept means sending unknown files to a controlled environment where they are executed. Once executed, the behavior is monitored to look for malicious activity. This can help detect zero-day malware based on its execution behavior and also create threat intelligence that can help detect other infected endpoints. Sandboxing typically means a delay in delivery of the file to the target while the suspicious file is executed and analyzed. This makes it a common and good feature for mail and web gateways, but maybe not optimal for all endpoint deployments. For endpoints there are some things to consider:

- Location: Are you running the sandbox platform locally or in the cloud?
- Scalability: If locally, how many devices do you need to support all of your endpoints?
- Remote users: How will remote users send files to the sandboxes?
- Delay: There will be a delay while waiting for the file to finish running in the sandbox. Is this acceptable to the end-user?
- Patient Zero effect: If, for delay reasons, you allow the file to be executed locally while the analysis is still being performed, this first laptop (Patient Zero) will be infected before you can stop future attacks. How do you manage this Patient Zero effect?
- Evasion: How good is the sandbox technology at detecting different evasion techniques?

Endpoint Isolation
This concept leverages different virtualization techniques, e.g. micro-virtualization, to execute files locally on the laptop in a separate sandbox. This prevents the malicious file from reaching the operating system. Once the session is over, the virtual environment is discarded. The main benefit is that no files need to be sent away for scanning in sandboxes and that nothing should leave the local sandbox. A drawback is that this concept usually has a performance impact on the endpoint, and that the isolation vendor needs to certify all OSs and applications that are supported. For environments running standard OS and applications, and that can enforce that no other applications are run outside of the isolation environment, this can be a good approach to ensure that malicious code is only executed in the virtual environment.
Machine Learning
Machine learning is today a common tool for solving complex problems effectively. Fields such as voice recognition, consumer profiling and insurance use different types of machine learning to learn patterns and quickly categorize new events correctly. For malware detection, machine learning means identifying millions of different characteristics of a file, then running millions of good and bad files through a large, advanced machine learning system to understand how these characteristics differ between good and bad files. This means that a malware sample can be detected regardless of how many times it is rewritten to change its fingerprint, since the characteristics will remain the same and be identified as bad. The verification is done by a mathematical model that examines a file prior to execution and provides a sub-second verdict based on advanced algorithms. This model has a very small impact on system performance and does not depend on any external signatures or sandboxes to detect and block zero-day malicious files from executing. This approach works well in all types of environments and could complement or replace traditional signature-based antivirus in most cases.

07. DETECTION & RESPONSE

There is no such thing as 100% protection, so how should you respond when you detect breached endpoints, and do you have the tools to respond to the breach? When an infected endpoint is found inside the company there are a lot of questions that you would like to be able to answer:

- Is any other endpoint infected?
- When was this endpoint infected?
- How was it infected?
- What type of information is at risk?
- Has any data been stolen?
- Who did it and why?

To help customers with incident response there is a specific set of tools referred to as Endpoint Detection & Response tools. They provide very advanced functionality for quickly understanding the impact of a breach and helping to respond to it.
TOP 5 TIPS FOR SECURING YOUR WINDOWS ENDPOINT!

1. Do not allow execution of unsigned programs from a user's profile directory. Reason: A common location for malware to install itself to. (Requires exceptions)
2. Disable support for executing JavaScript, Java and Visual Basic scripts outside of the web browser. Reason: A common attack vector. (Could require changes to administration via scripts)
3. Upgrade PowerShell to version 4, enable logging and disable execution of unsigned scripts. Reason: Built-in security functions and much more detailed logging.
4. Do not allow, or limit, the usage of local administrative privileges. Reason: Should an attacker infect a user with local administrative privileges, it would give the attacker the same privileged access.
5. Enforce separation of duties between daily work and system access. Use strong authentication, preferably a secure vault with functionality to mask the password. Reason: The first thing an attacker would like to get is access to privileged accounts. Implementing privileged account security will limit the impact of a breach and also enable detection of it.
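The five tips can be checked on a Windows endpoint with a read-only audit script. The following is an added example written for this page, not SecureLink's code: it reports each control as pass or fail and changes nothing. It assumes Windows PowerShell 5.1 or later, run elevated, and uses the documented policy registry locations for Windows Script Host and PowerShell logging; the AllowedAdmins list is an assumption to adjust locally. Tip 2 is checked through the Windows Script Host setting, which covers .js and .vbs files; Java is a separate runtime and is not covered. For tip 5, only the "daily account is not a local administrator" part can be verified from the endpoint; vaulting and strong authentication are out of scope for a local script.

```powershell
# Added example, not SecureLink's code: a read-only audit of the five tips above on a
# Windows endpoint. It reports each control as pass/fail and changes nothing. Run it
# elevated in Windows PowerShell 5.1 or later; the registry locations are the
# documented policy keys. The allowed-admin list is an assumption to adjust locally.

function Get-RegistryValueOrNull {
    param([string] $Path, [string] $Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-EndpointHardening {
    param(
        # Accounts expected to be local administrators (assumption: adjust to your environment).
        [string[]] $AllowedAdmins = @("$env:COMPUTERNAME\Administrator", "$env:USERDOMAIN\Domain Admins")
    )
    $results = @()

    # Tip 1: unsigned programs in the user profile are blocked by AppLocker executable rules.
    # This only checks that an enforced Exe rule collection is in effect; review the rules themselves.
    $appLockerXml = $null
    try { $appLockerXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop } catch { }
    $results += [pscustomobject]@{
        Control = '1 AppLocker Exe rules enforced (covers unsigned programs in user profiles)'
        Pass    = [bool]($appLockerXml -match 'Type="Exe" EnforcementMode="Enabled"')
    }

    # Tip 2: Windows Script Host disabled, so .js and .vbs files do not run outside the browser.
    # (Java is a separate runtime and is not covered by this key.)
    $wsh = Get-RegistryValueOrNull -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -Name 'Enabled'
    $results += [pscustomobject]@{ Control = '2 Windows Script Host disabled'; Pass = ($wsh -eq 0) }

    # Tip 3: PowerShell version, logging and signed-script policy.
    # Module logging exists from PowerShell 3; script block logging from PowerShell 5.
    $modLog = Get-RegistryValueOrNull -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' -Name 'EnableModuleLogging'
    $sbLog  = Get-RegistryValueOrNull -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging'
    $results += [pscustomobject]@{ Control = '3a PowerShell version 4 or later';         Pass = ($PSVersionTable.PSVersion.Major -ge 4) }
    $results += [pscustomobject]@{ Control = '3b Module or script block logging enabled'; Pass = (($modLog -eq 1) -or ($sbLog -eq 1)) }
    $results += [pscustomobject]@{ Control = '3c Machine execution policy is AllSigned';  Pass = ((Get-ExecutionPolicy -Scope LocalMachine) -eq 'AllSigned') }

    # Tip 4: members of the local Administrators group beyond the allowed accounts.
    $admins      = @(Get-LocalGroupMember -Group 'Administrators')
    $extraAdmins = @($admins | Where-Object { $_.Name -notin $AllowedAdmins })
    $results += [pscustomobject]@{
        Control = "4 No unexpected local administrators (found $($extraAdmins.Count): $($extraAdmins.Name -join ', '))"
        Pass    = ($extraAdmins.Count -eq 0)
    }

    # Tip 5: separation of duties. The interactively logged-on user (daily work account)
    # must not be a local administrator. Vaulting and strong authentication cannot be
    # verified from the endpoint itself and are out of scope here.
    $consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    $adminNames  = @($admins | ForEach-Object { $_.Name })
    $results += [pscustomobject]@{
        Control = "5 Logged-on user '$consoleUser' is not a local administrator"
        Pass    = [bool]($consoleUser -and ($adminNames -notcontains $consoleUser))
    }

    return $results
}

$report = Test-EndpointHardening
$report | Format-Table -AutoSize
"Failed controls: $(@($report | Where-Object { -not $_.Pass }).Count)"
```

A missing Windows Script Host key reports as a failure on purpose: the default when the value is absent is that scripts run. Note also that the execution policy check confirms the configured intent of tip 3 but is not a security boundary in itself; the logging it is paired with is what gives you visibility when a script does run.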
PROTECT YOUR DATA, IN USE, AT REST AND IN TRANSIT!
SUMMARY

Today's protection of endpoints can and should include many different protective measures, to ensure protection against different types of threats. Different vendors have solutions for one or several of the threat types. However, the core functionality of endpoint protection, protecting against malicious code, is an area where the bad guys have outrun the security vendors by far over the last years. Only recently have new technologies emerged that try to attack the problem with new methods and tools. These new technologies include machine learning (algorithm-based detection), virtualization techniques, etc. These new types of protection methods are so-called disruptive innovations in the endpoint market. They have moved away from traditional signature-based detection to try to find more effective methods.

As an organization looks at securing its endpoints, it is important to identify and prioritize the different needs and requirements for endpoint protection. Different solutions are good for different types of deployments, and the organization may very well end up needing more than one endpoint protection agent to protect itself.

[Figure: use-cases covered plotted against time. Current Endpoint Protection is shown against the old market supply and demand curves; Next Generation Endpoint Protection against the new market supply and demand curves, where the new demand is protection against unknown threats.]

The picture illustrates how existing, traditional signature-based endpoint protection products often include many of the modules described above. However, they are not really solving the market demand of protecting against unknown threats. The newer, innovative endpoint protection vendors are focused on addressing this, but they may not yet have all the modules customers are looking for. As the innovative vendors develop their products and capabilities, it is very likely that we will see a big shift in the endpoint protection market.

If you would like to discuss which endpoint solution will best address your specific needs, please contact your local SecureLink sales representative.