B2 – Securing Mobile Devices and the Enterprise Endpoint

Securing the Enterprise Endpoint
@danielcolonnese
@lighthousecs
“Enterprise” Laptop Market Share
www.netmarketshare.com
Phone Market Share
Sample “Enterprise” Use-Case
“End-Points” = “End Users”
0days / year
 No Enterprise is safe against a targeted attack
‒ Best we can do is Trust the OS
 OS is the source of truth for agents and authenticated scans
‒ Non-Auditability of the Windows Registry
‒ APT can bring their own OS
 OS is the source of truth for memory state and disk state
‒ Largest source of tools for Windows: registry, PowerShell, NetBIOS, peer discovery
Endpoint OSes are and will be COMPROMISED
What to Do About it?
‒ Surveillance
‒ Scanning
 session audit “cameras”
 Authenticated OS scans
 proxy servers
 Scheduled usually
‒ Blacklisting
‒ Patching
 Anti-Virus
 JAVA
 Anti-Malware
 Configuration Drift
‒ Whitelisting
‒ Compliance reporting
 Heuristics / Risk
 Attack surface over time
 Machine Learning
 Satisfy an auditor
“Limit the Damage”
 Reduce the enterprise “attack surface”
‒ fewer, more patched OS
‒ savvy, less-privileged users
Reduce the damage a compromised end-point could do
“The median number of days an organization was compromised in 2015 before the organization discovered the breach (or was notified about the breach) was 146”
– FireEye whitepaper, 2016
Getting compromised and recovering
Use Case #1: Endpoint Indicator of Compromise
(i.e.: malware or virus)
IBM BigFix
Microsoft SCCM
McAfee Agent
Carbon Black Bit9
FireEye
Palo Alto
DNS Security
Common Requirements
To Interrogate Endpoint OS
‒ Look for indicators of compromise: suspicious files, MD5 hash, registry key, active connections to malicious IP addresses, processes listening on a specific port – *BIN in Registry*
‒ Stop and control random attacks
 Disable usage of TIFF image (CVE-2013-3906)
 Uninstall QuickTime to stop random code execution
‒ Control the impact to business ops made by a malware
 Hijacked hosts file interrupts AV application
‒ Determine if a business process is running
 Check if AV program or security monitoring agent is running
‒ Ensure the integrity of the software package
 Find MD5 hash of the downloaded software
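The checks listed above (known-bad file hash, hijacked hosts file, connections to malicious IPs, listening ports, AV agent not running), as an added example in Python that is not part of the deck: every indicator value, hostname and process name below is constructed for illustration, and the inputs are passed in as already-collected endpoint state rather than read from a live OS.

```python
from __future__ import annotations
import hashlib

# Constructed sample indicators for this example (not from the deck or any real threat feed).
KNOWN_BAD_MD5 = {"098f6bcd4621d373cade4e832627b4f6"}  # md5(b"test"), stands in for a malware hash
MALICIOUS_IPS = {"203.0.113.45"}                       # TEST-NET-3 documentation address
SUSPICIOUS_PORTS = {4444}                              # no approved service should listen here
AV_HOSTS = {"update.av-vendor.test"}                   # hostnames the AV agent must resolve
REQUIRED_PROCS = {"avagent.exe", "monitor-agent.exe"}  # hypothetical AV / monitoring agents
PINNED = {"127.0.0.1", "0.0.0.0", "::1"}               # hosts-file targets that black-hole a name

def check_file(path: str, data: bytes) -> list[str]:
    """Compare a file's MD5 against the known-bad set."""
    digest = hashlib.md5(data).hexdigest()
    return [f"known-bad file {path} md5={digest}"] if digest in KNOWN_BAD_MD5 else []

def check_hosts_file(text: str) -> list[str]:
    """Flag AV update hostnames redirected to loopback (a hijacked hosts file)."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comments, tolerate blank lines
        if len(fields) >= 2 and fields[0] in PINNED:
            for name in fields[1:]:
                if name.lower() in AV_HOSTS:
                    findings.append(f"hosts file pins {name} to {fields[0]}")
    return findings

def check_connections(conns: list[tuple[str, int, str, int, str]]) -> list[str]:
    """conns: (local addr, local port, remote addr, remote port, state) as netstat reports."""
    findings = []
    for _laddr, lport, raddr, rport, state in conns:
        if state == "ESTABLISHED" and raddr in MALICIOUS_IPS:
            findings.append(f"connection to malicious IP {raddr}:{rport}")
        if state == "LISTEN" and lport in SUSPICIOUS_PORTS:
            findings.append(f"process listening on suspicious port {lport}")
    return findings

def check_processes(running: set[str]) -> list[str]:
    """Report required AV / monitoring agents that are not running (case-insensitive)."""
    missing = REQUIRED_PROCS - {p.lower() for p in running}
    return [f"required agent not running: {p}" for p in sorted(missing)]

def collect_findings(files, hosts_text, conns, running) -> list[str]:
    """Run every check over one endpoint's collected state and return all findings."""
    findings = [f for path, data in files for f in check_file(path, data)]
    findings += check_hosts_file(hosts_text)
    findings += check_connections(conns)
    findings += check_processes(running)
    return findings
```

An agent such as the ones listed above would gather the file bytes, hosts file, socket table and process list from the OS and feed them to `collect_findings`; the empty result for a clean host is the baseline a compliance report would show.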
What’s the first thing? AV
A lot of computers are required (by law or compliance with a regulation)
to have an AV product installed and running at all times.
“"Additionally, new scanners joining the community will need to
prove a certification and/or independent reviews from security testers
according to best practices of Anti-Malware Testing Standards
Organization (AMTSO).“”
Scanning Endpoints
Visualize the Exploit Chain
Remediation
Do you believe in APT automatic remediation?
 Trusteer Apex
 Bit9
 Mobile AV
Enterprise Security Use Cases
Use Case #2: User Behavior Analytics (i.e. rogue insider)
IBM
Exabeam
Securonix
Use Case #3: Data Loss Prevention (i.e. post-exploit exfiltration)
STEALTHbits
IBM
Microsoft
Scanning Endpoints
Deep Query the OS
Vulnerability Assessment
Assesses Windows endpoints against standardized, Open Vulnerability and Assessment Language (OVAL) based security vulnerability definitions
Reports on non-compliance in real time to support the elimination of known vulnerabilities across endpoints
Integration available with QRadar to strengthen risk assessments and speed detection of malware
Patching Endpoints
IBM Technology
MDM
 Enrollment: MaaS360
 Expense: IBM Emptoris Rivermine
 Policy: MaaS360
Network
 Email Filtering: MSS Proxy
 CVSS Vulnerability Scanner: QRadar VM
 Security Intelligence, Analytics, SOC: QRadar SIEM
 Mobile App Development: AppScan Mobile
Infrastructure
 Directory: IBM Directory Server
 IAM: IBM Access Manager
 CASB: Security Enforcer
Endpoints
 Anti-Virus: Trend Micro
 Patch Management: BigFix
 Software Lifecycle: BigFix
 Remote Help Desk: BigFix
 System Imaging: BigFix
 Anti-Fraud: Trusteer
Microsoft Technology
MDM
 Enrollment: Intune
 Expense: None
 Policy: Intune
Network
 Email Filtering: None
 CVSS Vulnerability Scanner: Microsoft Baseline Security Analyzer
 Security Intelligence, Analytics, SOC: Microsoft Security Response Center: Interflow
 Mobile App Development: Universal Windows Platform
Infrastructure
 Directory: AD
 IAM: ADFS
 CASB: Adallom
Endpoints
 Anti-Virus: Windows Defender
 Patch Management: System Center
 Software Lifecycle: System Center
 Remote Help Desk: System Center
 System Imaging: System Center
 Anti-Fraud: DLP for Office
Video and VoIP
Files and content within files
Instant messages
E-mails (sender, recipients, content)
On-line activity (web pages, Facebook, Twitter, etc.)
Audit of Everything
Patches
Critical Fix
Configuration Change
Record of who made change
The Mobile “Blind-Spot”
[Diagram (2016): mobile clients connect through IBM Cloud Security Enforcer global points of presence (London, Dallas, Hong Kong, etc.) to cloud applications and the enterprise]
Mobile clients
 Smart phones
 Tablets
 Laptop/Desktop
User-specific sanctioned app catalog
Discovery
Risk Assessment
Alerting
Identity and Access Control
Behavioral analysis
Mobile Threats Blocked
1. Backdoors
2. Content Analyzer
3. Command and Control
4. Cross-Site Scripting
5. Distributed Denial of Service
6. Denial of Service
7. Exploit Kits
8. Instant Messenger
9. Microsoft Shell Link File
10. Peer to Peer
11. Rootkits
12. Scada
13. Shell Command Injection
14. SQL Injection
15. Tunneling
16. Voice Over Internet Protocol
Mobile (backdoors) and (open) Windows
Keylogger $0.99
Phone RAT $1.99
Enterprise Reporting
 SSO
 checklists
Quickly Find Known Attributes and Risk Indicators in Seconds
View Real Time ‘State of Security and Compliance’
Protect against Unknown Indicators of Compromise
Challenge #1:
Siloed IT Operations and Security Teams
Disparate tools, manual processes, lack of integration and narrow visibility
SECURITY
IT OPERATIONS
• Scan for compliance status
• Apply patches and fixes
• Create security policies
• Implement security and operational policy
• Identify vulnerabilities
• Manual process takes weeks / months
Challenge #2: Money
Architecture
Slow, scan-based architectures
Limited coverage
Not cost-effective at scale
Complexity
Resources
 Heavy, resource-intensive agent(s)
Too much admin and infrastructure
 Multiple products, multiple agents
Each task detracts from higher value projects
 Not Internet-friendly
Little pre-built content
Securing the Endpoint is Difficult
 Quickly Find Known Attributes and Risk Indicators in Seconds
 View Real Time ‘State of Security and Compliance’
 Protect against Unknown Indicators of Compromise
Trends towards the future
 Endpoints will continue to be exploited
 Vendors will (be forced to) work together
 Laptop and Mobile are moving into a model of real-time compliance
 Automation between endpoint security tools
 IT and Infosec gap is closing
© Lighthouse Computer Services, All rights reserved