Scott Montgomery, Vice President, Public Sector Solutions, McAfee
Disadvantaged Bandwidth, Disconnected Network and Fixed Function Devices: Considerations and Alternatives
Scott Montgomery, VP, Public Sector Solutions, McAfee
[email protected], +1 240 498 2941 (m)
McAfee Confidential—Internal Use Only
Host Based Security System Current Baseline
Diagram: McAfee Agent on managed systems, reporting to ePO; the product set (Anti-Virus (AV), Anti-Spyware (AS), Host IPS/Firewall (HIPS), Policy Auditor (PA), Rogue System Detection (RSD), Asset Baseline Monitor (ABM), Host Data Loss Prevention (HDLP)) is split between the AV Program and the HBSS Program and marked upgradeable.
McAfee Agent (MA): securely interfaces with ePO to install and update products
Host IPS/FW (HIPS): provides protection from both known and zero-day threats; application control; stateful desktop firewall
Rogue System Detection (RSD): identify unmanaged hosts
Asset Baseline Monitor (ABM): detect system-level changes per INFOCON Policy SD 527-1
Policy Auditor (PA): measure compliance to and report on configuration standards (patch level, STIG, FDCC, etc.)
Device Control (DCM is a part of HDLP): control what devices can connect to hosts; restrict USB storage devices; restrict CD/DVD write operations
Some current HBSS perceptions
• Unwieldy in disconnected networks
• Unwieldy in networks with disadvantaged bandwidth
• Put here on earth to punish Warfighters for bad karma from past lives
• Offers no protection for legacy systems such as WinNT and Win2000 where a POR still requires the use of those systems
• Unwieldy protection for firm or fixed function devices
• Offers limited protection for Unix operating systems
Identifying Broad Levels of Protection Categories
Level 1: Protection by Source Identification
• Identify threat source: rogue websites, open ports, external devices (CD, USB), email
Level 2: Protection via Threat Techniques
• Network-based, application vulnerability-based, content-based
Level 3: Protection from Unwanted Execution
• Anti-virus, application whitelisting
Level 4: Protection from Known Behavioral Exploits
• Access protection, file integrity monitoring, behavioral rules (stateless and stateful)
Mapping Threats Against Categories of Protections
Adding in specific threat vectors
Blacklist or Whitelist?
Chart: systems arranged along an axis from ad-hoc to static/planned, with the recommended approach moving from blacklisting (NetBook, consumer PC) through whitelist plus blacklist to whitelisting. Systems shown include POS, kiosks, medical devices, SCADA systems, ATMs, printers, servers, corporate desktops, rugged platforms and tactical systems.
Risk Tolerance and Security Optimization
Chart: zero-day protection (vertical axis) plotted against flexibility of the secured system (horizontal axis, low to high), with Anti-Virus, HIPS and Application Control positioned along the trade-off.
NSA Application Whitelisting Feedback
http://www.nsa.gov/ia/_files/factsheets/Application_Whitelisting_Trifold.pdf
Whitelisting Basics: Unknown Binary is Unauthorized
The whitelist is created at install time by scanning the system for applications, libraries, drivers and scripts.
1. Application attempts to launch
• Could be an executable or OS component
2. MAC (McAfee Application Control) verifies the binary against the whitelist
3. If it is not in the whitelist, the program is not launched
• The attempt is logged for alerts and auditing
Memory Protection — Security Beyond Whitelisting
Diagram: an application loaded in memory, with code injected via buffer overflow attempting to drop a payload and make a system change through critical system APIs (Kernel32.dll, User32.dll, NTDll.dll); AWL verifies the source of the request.
• A vulnerable program trusted by the whitelist can be dangerous
• Besides whitelisting, AWL solutions need to protect apps in memory
McAfee Application Control Multi-layered Security Solution
Dynamic Whitelisting: prevent all unauthorized code from running
Memory Protection: protect against memory-based attacks and application tampering
Image Deviation: compare deployed system images to desired standard images with on-demand reporting
McAfee Change Control Multi-layered Security Solution
Integrity Monitoring: alerts upon unauthorized system changes
Change Audit: provides reporting and search capabilities that include who made changes in addition to the change details
Change Prevention: selectively prevents out-of-policy changes and logs any attempted out-of-policy change
Application Control Benefits
1. Improved protection
– From targeted attacks
– From Advanced Persistent Threats (APTs)
2. Protection without patching
– MP & AWL provide coverage and eliminate the urgency for security patches
3. Extending the life of legacy systems
– Win NT, Win 2000 are not supported by MS
– Systems with low memory/CPU can be supported
4. Negligible system performance impact (CPU/IO/Memory)
5. Protection for firm/fixed function devices
6. Drastically reduced/eliminated bandwidth requirements
– Much cleaner disconnected network/disadvantaged bandwidth solution
Trust Model – Enabler for “Dynamic” Whitelisting
Diagram: a system locked down with whitelisting; a change made through a trusted channel is automatically added to the whitelist and the system returns to whitelist lockdown.
Trusted Updaters
Trusted Directory
Trusted Certificates
Trusted Admin
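To make the Whitelisting Basics steps and the trust model concrete, here is an added Python model (not McAfee code, and not from this deck) of the two rules it describes: a binary may run only if its content hash was captured by the install-time scan, and a changed file is re-whitelisted only when the writer is a trusted updater. The file names, the "patch-agent" updater and the scenario in demo() are constructed for the example; trusted directories, certificates and admins would hook into record_change() the same way.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):  # identity of a binary is its content hash, never its file name
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

class Whitelist:
    def __init__(self, trusted_updaters=()):
        self.hashes = {}                         # resolved path -> sha256 at whitelist time
        self.trusted_updaters = set(trusted_updaters)
        self.denied = []                         # audit trail of blocked launches

    def build(self, root):  # install-time scan: everything under root is authorized as it is now
        for p in Path(root).resolve().rglob("*"):
            if p.is_file():
                self.hashes[str(p)] = sha256_of(p)

    def may_launch(self, path):  # launch check: verify against the whitelist, block and log if unknown
        p = Path(path).resolve()
        if p.is_file() and self.hashes.get(str(p)) == sha256_of(p):
            return True
        self.denied.append(str(p))               # logged for alerts and auditing
        return False

    def record_change(self, path, writer):  # trust model: only a trusted updater re-whitelists a file
        if writer not in self.trusted_updaters:
            return False                         # untrusted change: file stays unauthorized
        self.hashes[str(Path(path).resolve())] = sha256_of(path)
        return True

def demo():
    """Constructed scenario: install-time scan, then a dropped binary and a patched app."""
    root = Path(tempfile.mkdtemp())
    app, dropped = root / "app.exe", root / "payload.exe"
    app.write_bytes(b"original application bytes")
    wl = Whitelist(trusted_updaters={"patch-agent"})
    wl.build(root)
    out = {"installed_app": wl.may_launch(app)}
    dropped.write_bytes(b"unknown dropped binary")        # arrives after the scan
    out["dropped_binary"] = wl.may_launch(dropped)
    app.write_bytes(b"patched application bytes")         # same name, new content
    wl.record_change(app, writer="unknown-process")       # untrusted: whitelist unchanged
    out["patched_by_unknown"] = wl.may_launch(app)
    wl.record_change(app, writer="patch-agent")           # trusted updater: re-whitelisted
    out["patched_by_trusted_updater"] = wl.may_launch(app)
    out["denied"] = len(wl.denied)
    return out
```

Because the check is on content rather than name, an in-place modification of a whitelisted file is blocked exactly like a newly dropped binary until a trusted channel re-authorizes it.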
Disconnected Network / Disadvantaged Bandwidth
Diagram: Tactical Community User
Firm/Fixed Function
Diagram: Tactical Garrison
Application Control / Change Control Certs (AC and CC v.5.1)
Details      FIPS        Common Criteria   CC Listing Country   UC APL
Status       Validated   Certified         Canada               In Process
Level        180-3       EAL 3+
Version      v.5.1       v.5.1
Recommended Package: Disconnected Network, Disadvantaged Bandwidth, Firm/Fixed Function Devices
Diagram: McAfee Agent on managed systems, reporting to ePO; the HBSS Program components are Change Control (CC), Rogue System Detection (RSD), Asset Baseline Monitor (ABM), Device Control (DCM) and Application Control (AC).
McAfee Agent (MA): securely interfaces with ePO to install and update products
Application Control: protection from unauthorized applications; dynamically managed whitelists
Change Control: enforces policies to prevent unauthorized changes to critical files, directories, and configurations
Rogue System Detection (RSD): identify unmanaged hosts
Device Control (DCM is a part of HDLP): control what devices can connect to hosts; restrict USB storage devices; restrict CD/DVD write operations