Defense-in-Depth Against Malicious Software
Speaker name, Title, Group
Microsoft Corporation
Agenda
- Understanding the Characteristics of Malicious Software
- Malware Defense-in-Depth
- Malware Defense for Client Computers
- Malware Defense for Servers
- Network-Based Malware Defense
- Solutions to Implement Malware Defense-in-Depth
November 2006
Understanding the Characteristics of Malicious Software
Malicious Software: Identifying Challenges to an Organization
Malware: a collection of software developed to intentionally perform malicious tasks on a computer system.
Feedback from IT and security professionals includes:
- "The users executed the attachment from their e-mail even though we've told them again and again that they aren't supposed to."
- "The antivirus software should have caught this, but the signature for this virus hadn't been installed yet."
- "We didn't know our servers needed to be updated."
- "This never should have made it through our firewall; we didn't even realize those ports could be attacked."
Understanding Malware Attack Techniques
Common malware attack techniques include:
- Social engineering
- Backdoor creation
- E-mail address theft
- Embedded e-mail engines
- Exploiting product vulnerabilities
- Exploiting new Internet technologies
Understanding the Vulnerability Timeline
Product shipped -> Vulnerability discovered -> Vulnerability disclosed -> Update made available -> Update deployed by customer
Callout on the timeline: "Most attacks occur here"
Understanding the Exploit Timeline
Product shipped -> Vulnerability discovered -> Vulnerability disclosed -> Update made available -> Exploit -> Update deployed by customer
Days between update and exploit have decreased:
- Nimda: 331
- SQL Slammer: 180
- Welchia/Nachi: 151
- Blaster: 25
- Sasser: 14
Identifying Common Malware Defense Methods
Malware attack: defense method
- Mydoom: block port 1034; update antivirus signatures; implement application security
- Sasser: block ports 445, 5554, and 9996; install the latest security update
- Blaster: install the latest security update; block TCP ports 135, 139, 445, and 593 and UDP ports 135, 137, and 138, and also block UDP port 69 (TFTP) and TCP port 4444 used for the remote command shell; update antivirus signatures
- SQL Slammer: install the latest security update; block UDP port 1434
- Download.Ject: install the latest security update; increase security on the Local Machine zone in Internet Explorer; clean any infections related to IIS
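As an added example (not part of the Microsoft deck), the port list from the table above turned into a check over perimeter firewall log lines: entries that reach one of those ports are tagged with the malware family the table associates with it, and ALLOW entries are counted because they show where the recommended port block is missing. The log line format is a constructed one; the parser would need adapting to a real firewall's output.

```python
import re
from collections import Counter

# (protocol, destination port) -> malware family, taken from the deck's defense table.
WATCH_PORTS = {
    ("tcp", 1034): "Mydoom", ("udp", 1434): "SQL Slammer",
    ("tcp", 445): "Sasser/Blaster", ("tcp", 5554): "Sasser", ("tcp", 9996): "Sasser",
    ("tcp", 135): "Blaster", ("tcp", 139): "Blaster", ("tcp", 593): "Blaster",
    ("udp", 135): "Blaster", ("udp", 137): "Blaster", ("udp", 138): "Blaster",
    ("udp", 69): "Blaster (TFTP download)", ("tcp", 4444): "Blaster (remote shell)",
}

# Constructed log format (an assumption): "<date> <time> ALLOW|DROP TCP|UDP src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["proto"] = rec["proto"].lower()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def scan(lines):
    """Return parsed entries whose destination port is on the watch list, tagged with the family."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        name = WATCH_PORTS.get((rec["proto"], rec["dport"]))
        if name is not None:
            hits.append(dict(rec, malware=name))
    return hits

def allowed_by_family(hits):
    """Count ALLOW hits per family: traffic the table says to block that the
    firewall is still passing, i.e. the port-block defense is not in place."""
    return Counter(h["malware"] for h in hits if h["action"] == "ALLOW")

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2006-11-02 10:15:01 ALLOW TCP 10.0.0.5:3390 -> 10.0.0.20:445",
    "2006-11-02 10:15:02 DROP UDP 203.0.113.9:1434 -> 10.0.0.21:1434",
    "2006-11-02 10:15:03 ALLOW TCP 10.0.0.5:3391 -> 10.0.0.20:80",
    "2006-11-02 10:15:04 ALLOW TCP 10.0.0.7:3392 -> 10.0.0.20:4444",
    "2006-11-02 10:15:05 ALLOW UDP 10.0.0.7:2048 -> 10.0.0.20:69",
]
```

Running `allowed_by_family(scan(SAMPLE_LOG))` on the sample reports three allowed hits (TCP 445, TCP 4444, UDP 69) while the dropped Slammer probe on UDP 1434 is listed by `scan` but not counted.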
What Is Defense-in-Depth?
Using a layered approach:
- Increases an attacker's risk of detection
- Reduces an attacker's chance of success
Layers and their controls:
- Data: strong passwords, ACLs, encryption, EFS, backup and restore strategy
- Application: application hardening
- Host: OS hardening, authentication, update management, antivirus updates, auditing
- Internal network: network segments, IPSec, NIDS
- Perimeter: firewalls, border routers, VPNs with quarantine procedures
- Physical security: guards, locks, tracking devices
- Policies, procedures, and awareness: security policies, procedures, and education
Applying Defense-in-Depth to Malware Defense
- Client defenses: Data, Application, Host
- Server defenses: Data, Application, Host
- Network defenses: Internal network, Perimeter
- Physical security
- Policies, procedures, and awareness
Implementing Host Protection Policies, Procedures, and Awareness
Recommended policies and procedures include:
Host protection defense policies:
- Scanning policy
- Signature update policy
- Allowed application policy
Security update policy:
1. Assess the environment to be updated
2. Identify new updates
3. Evaluate and plan update deployment
4. Deploy the updates
Network defense policies:
- Change control
- Network monitoring
- Attack detection
- Home computer access
- Visitor access
- Wireless network policy
Implementing Physical Security and Antivirus Defense
Elements of an effective physical defense plan include:
- Premises security
- Personnel security
- Network access points
- Server computers
- Workstation computers
- Mobile computers and devices
Protecting Client Computers: What Are the Challenges?
Challenges related to protecting client computers include:
Host challenges:
- Maintaining security updates
- Maintaining antivirus software
- Implementing a personal firewall
Application challenges:
- Controlling application usage
- Secure application configuration settings
- Maintaining application security updates
Data challenges:
- Implementing data storage policies
- Implementing data security
- Regulatory compliance
Implementing Client-Based Malware Defense
Steps to implement a client-based defense include:
1. Reduce the attack surface
2. Apply security updates
3. Enable a host-based firewall
4. Install antivirus software
5. Test with configuration scanners
6. Use least-privilege policies
7. Restrict unauthorized applications
Configuring Applications to Protect Client Computers
Applications that may be malware targets include:
- E-mail client applications
- Desktop applications
- Instant messaging applications
- Web browsers
- Peer-to-peer applications
Managing Internet Explorer Browser Security
Security features (as listed on the slide):
- MIME security improvements
- Better security management
- Local Machine zone
- Feature Control Security Zone settings
- Group Policy settings
Feature descriptions (as listed on the slide):
- Consistency checks
- Stricter rules
- MIME sniffing
- Add-on control and management features
- Better prompts
- New script-initiated windows restrictions
- Ability to control security in the Local Machine zone
- Security elevation
- Windows restriction
- Administrative control for feature control security zones
Protecting Client Computers: Best Practices
- Identify threats within the host, application, and data layers of the defense-in-depth strategy
- Implement an effective security update management policy
- Implement an effective antivirus management policy
- Use Active Directory Group Policy to manage application security requirements
- Implement software restriction policies to control applications
What Is Server-Based Malware Defense?
Basic steps to defend servers against malware include:
- Reduce the attack surface
- Apply security updates
- Enable a host-based firewall
- Analyze using configuration scanners
- Analyze port information
Protecting Servers: Best Practices
- Consider each server role implemented in your organization to implement specific host protection solutions
- Stage all updates through a test environment before releasing into production
- Deploy regular security and antivirus updates as required
- Implement a self-managed host protection solution to decrease management costs
Protecting the Network: What Are the Challenges?
Challenges related to protecting the network layer include:
- Balance between security and usability
- Lack of network-based detection or monitoring for attacks
Implementing Network-Based Intrusion-Detection Systems
A network-based intrusion-detection system provides rapid detection and reporting of external malware attacks.
Important points to note:
- Network-based intrusion-detection systems are only as good as the process that is followed once an intrusion is detected
- ISA Server 2006 provides network-based intrusion-detection abilities
Implementing Application Layer Filtering
Application layer filtering includes the following:
- Web browsing and e-mail can be scanned to ensure that content specific to each does not contain illegitimate data
- Deep content analysis, including the ability to detect, inspect, and validate traffic using any port and protocol
Protecting the Network: Best Practices
- Have a proactive antivirus response team monitoring early warning sites such as antivirus vendor Web sites
- Have an incident response plan
- Implement automated monitoring and reporting policies
- Implement ISA Server 2006 to provide intrusion-detection capabilities
- More advanced
- More frequent
- Profit motivated
- Application-oriented

- Too many point products
- Poor interoperability
- Lack of integration
- Multiple consoles
- Uncoordinated event reporting and analysis
- Cost and complexity
Protect Information and Control Access at:
- Operating system
- Server applications
- Network edge
- Content
Heterogeneity:
- Third-party products
- Secure custom apps
- 24/7 security research and response
Cross-product integration:
- MSFT security products
- MSFT server applications
- Integration with Microsoft IT infrastructure (Active Directory, SQL Server, Operations Manager, etc.)
- Integration with ecosystem partners and custom apps
- Unified view and analytics
- Reduced number of management consoles
Simplified deployment:
- Appliances and appliance-like experience
- Technical and industry guidance
- Simplified licensing
Unified malware protection for business desktops, laptops, and server operating systems that is easy to manage and control
One solution for spyware and virus protection:
- Built on protection technology used by millions worldwide
- Effective threat response
One console for simplified security administration:
- Define one policy to manage client protection agent settings
- Integrates with your existing infrastructure
One dashboard for visibility into threats and vulnerabilities:
- View insightful reports
- Stay informed with state assessment scans and security alerts
Security Summary
Columns: Windows Vista | Server and Domain Isolation (SD&I) | Forefront Client Security | Combined Solution
Windows Vista:
- User Account Control
- IE7 with Protected Mode
- Randomize Address Space Layout
- Advanced Desktop Firewall
- Kernel Patch Protection (64-bit)
Server and Domain Isolation (SD&I):
- Policy Based Network Segmentation
- Restrict-To-Trusted Net Communications
- Infrastructure Software Integration
Forefront Client Security:
- Unified Virus & Spyware Protection
- Central Management
- Reporting, Alerting and State Assessment
Solution areas: Services, Edge, Server Applications, Client and Server OS, Information Protection, Identity Management, Active Directory Federation Services (ADFS), Systems Management, Guidance, Developer Tools
2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.