Endpoint Security John D. Johnson Next Generation Security Summit Château Élan, Atlanta, GA February 1, 2012

Next Gen Security Endpoint Presentation

DESCRIPTION

Presentation for Next Generation Security Summit, Jan 2012. Topic: Endpoint Security.

Page 2: Next Gen Security Endpoint Presentation

Agenda

Define the endpoint

Examine use cases

Identify the threats

Identify security tools and controls

Review our options

Propose a roadmap

Group discussion

Page 3: Next Gen Security Endpoint Presentation

Define the endpoint

Desktops, Laptops

Application Servers

Mobile Devices

Embedded Systems

Storage Devices

Printers

Any resource with an OS that can be attacked

Page 4: Next Gen Security Endpoint Presentation

Desktops & Laptops

Employees want anytime-anywhere access

Increasingly mobile

Employees engage in risky behavior

BYOD

The devices we manage need to be kept “healthy” (std build, licensed sw, compromise-free)

Thought: Should we trust all employees and company assets the same?

Thought: How do we manage the risk introduced by end user actions and choices?

Page 5: Next Gen Security Endpoint Presentation

Servers

Increasingly, servers are exposed to the Internet

More suppliers have VPN connections to our internal network to provide services

More outsourcing requires that suppliers have a desktop (e.g. RDP, SSH, ability to execute remote code)

Servers increasingly use shared services, VM farms and SAN

Observation: Because servers are thought of as immobile, we still protect them with coarse firewall rules and ACLs

Page 6: Next Gen Security Endpoint Presentation

Application Servers

Employees and suppliers want anywhere, anytime access to company email

SharePoint and other collaboration tools are exposed to the Internet in order to provide access to business partners; sometimes externally hosted

Contractors provide administrative support (e.g. SAP, Identity Management, Active Directory) and other transactional data processing

Suppliers & contractors need access to view & modify IP

Observation: The enterprise network has been extended to the cloud

Page 7: Next Gen Security Endpoint Presentation

Mobile Devices

Innovation: New technology can be disruptive, providing competitive business advantage, increases in productivity and market differentiation

Smart phones and tablets offer something different for different classes of user

Employees want work-life balance

Many companies already have email sync

Embedded systems are becoming commonplace

Observation: Mobile devices and cloud storage are increasing risk by further extending our enterprise through device consumerization

Page 8: Next Gen Security Endpoint Presentation

Role-Based Access to Resources

User Class

Employee

Contingent (on-site, role-based)

Contingent (off-site)

Contract (on-site, project-based)

Contract (off-site)

Supplier, Dealer, Business Partner

Customer

User Device Class

Company Managed Device

•Standard

•Supported

•Compliant

•Local Storage

Non-Company Device

•Device w/local storage (e.g. company standard virtual image, data caching or residual data)

Non-Company Device

•Device w/no local company data (e.g. thin client or VDI used to access company resources, or encrypted web session)

Access Class

Transactional (via Web App or similar programmatic access w/managed credentials)

Administrative (function is application administration and support, e.g. SAP or IDM)

Server Administration (ability to install/execute code)

Remote Control (desktop, browser or other methods to access intranet resources they may not be authorized for)

Creating IP (e.g. access to engineering data)

Full Intranet Access (access is too broad to restrict)

Exchange Only

Access Source

Internal

Internal (nation-specific issues)

Internet (ANY)

Dedicated Connection

•Company-managed network equipment

•Company segment

Dedicated Connection

•Mixed environment
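The four dimensions above (user class, device class, access class, access source) only become a control once a decision function evaluates them together. The following is an added example, not the presenter's policy or code: the dimension values are the slide's, while the deny-by-default rules inside decide() are assumptions chosen to illustrate how device trust and access source can gate the more dangerous access classes.

```python
from __future__ import annotations
from dataclasses import dataclass

# Dimension values are taken from the slide; the rules below are assumed for this example.
USER_CLASSES = {"Employee", "Contingent (on-site, role-based)", "Contingent (off-site)",
                "Contract (on-site, project-based)", "Contract (off-site)",
                "Supplier, Dealer, Business Partner", "Customer"}
DEVICE_CLASSES = {"Company Managed", "Non-Company w/local storage",
                  "Non-Company w/no local data"}
ACCESS_CLASSES = {"Transactional", "Administrative", "Server Administration", "Remote Control",
                  "Creating IP", "Full intranet Access", "Exchange Only"}
ACCESS_SOURCES = {"Internal", "Internal (Nation specific)", "Internet (ANY)",
                  "Dedicated (Company Segment)", "Dedicated (Mixed Environment)"}
# Access classes that let the user execute code or reach the whole intranet.
PRIVILEGED = {"Server Administration", "Remote Control", "Full intranet Access"}


@dataclass(frozen=True)
class Request:
    user: str
    device: str
    access: str
    source: str


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Deny by default: any unknown value is refused."""
    for value, domain in ((req.user, USER_CLASSES), (req.device, DEVICE_CLASSES),
                          (req.access, ACCESS_CLASSES), (req.source, ACCESS_SOURCES)):
        if value not in domain:
            return False, f"unknown dimension value: {value!r}"
    # Assumed rule 1: privileged access needs a company-managed device on an internal
    # network or a company-managed dedicated segment.
    if req.access in PRIVILEGED:
        if req.device != "Company Managed":
            return False, "privileged access requires a company-managed device"
        if req.source not in {"Internal", "Dedicated (Company Segment)"}:
            return False, "privileged access not permitted from this source"
    # Assumed rule 2: IP must not be cached on a non-company device that keeps local data.
    if req.access == "Creating IP" and req.device == "Non-Company w/local storage":
        return False, "IP may not reside on an unmanaged device with local storage"
    # Assumed rule 3: customers are limited to transactional (web app) access.
    if req.user == "Customer" and req.access != "Transactional":
        return False, "customers are limited to transactional access"
    # Everything else (e.g. Exchange Only from any device and source) is allowed.
    return True, "allowed"
```

In a real deployment the rule table would be data (reviewed and versioned), not code, and every deny should be logged with its reason so the "Monitor & Alert" side of the deck has something to work with.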

Page 9: Next Gen Security Endpoint Presentation

The Network: Today

Page 10: Next Gen Security Endpoint Presentation

The Network: In Practice

Page 11: Next Gen Security Endpoint Presentation

Endpoint Security Threats

Malware & Spyware

•Email, Phishing

•Social Media

•Mobile Apps

•Network-Borne

•Privacy Threats

•Trojans & Keyloggers

Bad Actors

•Malicious Users

•Activists

•Corporate Espionage

•Organized Crime

•Terrorists

•Nation States

Rogue & Unmanaged

•Mobile Devices

•Embedded Systems

•Printers

•Rogue Devices

Vulnerabilities

•0-Day

•Operating Systems

•Applications

•Configs

•HW & VM

•Protocols

•Bluetooth

•Wireless

•VoIP

•Backdoor Connections

As the perimeter erodes, we must focus on protecting the endpoint (ultimately the data) from new threats introduced by new technology and new business use cases.

Page 12: Next Gen Security Endpoint Presentation

Maturity Model for Security

Since the mid-1990s, we have moved from focusing on the perimeter to focusing on the endpoint, and our security tools have become more sophisticated.

Timeline: 1995 to 2012+

Page 13: Next Gen Security Endpoint Presentation

Endpoint Protection & Security Controls

(Diagram labels: HR, Legal, MFA, VPN-S, VLAN, Syslog, IPS)

Technical Enforcement (Proactive)

• Authentication

• Authorization

• Network Restrictions

• OS Restrictions, Hardening

• Whitelisting

• GPO

• Admin Rights

• Access Method

• Endpoint Security: AV, HIPS, NAC, DLP

• Mobile Device Mgmt

Policy Enforcement

• Contract Language

• Supervision of Contractor

• Notice of Status Change

• Security Policy

• Awareness, Training

• Monitor Compliance

Monitor & Alert (Reactive)

• NIPS

• HIPS

• SIM, Syslog

• Fraud Detection

• DLP

• Monitor Access Changes: Admin, IP

Page 14: Next Gen Security Endpoint Presentation

Summary

The perimeter is disappearing

Business choices require merging our technical solutions (proactive & reactive) with policy-based

Role-based / identity-based access to resources is required for end users to do what the business requires, anytime, anywhere

Focus on what is important to the business and protect it

Layered security is still important to raise efficacy; the old problems haven’t gone away, we just have more problems now

The pace of technology won’t slow down; it will just roll over you if you don’t respond quickly enough!

Page 15: Next Gen Security Endpoint Presentation

Discussion

What are your endpoint problems?

How are you addressing them?

Short-term?

Long-term?

Did I miss or mischaracterize:

Business needs?

Technology trends?

Threats?

Security solutions or controls?

Regulatory drivers?