Control and Tactical Systems Security

Scott Montgomery, Vice President, Public Sector Solutions, McAfee

Page 1: Control and Tactical Systems Security

Page 2: Control and Tactical Systems Security

McAfee Confidential—Internal Use Only

Disadvantaged Bandwidth, Disconnected Network and Fixed Function Devices: Considerations and Alternatives

Scott Montgomery, VP, Public Sector Solutions

[email protected]

+1 240 498 2941 (mobile)

Page 3: Control and Tactical Systems Security


Host Based Security System Current Baseline

[Diagram: McAfee Agent on managed systems, reporting to ePO; HBSS components: Anti-Virus (AV), Anti-Spyware (AS), Host IPS/Firewall (HIPS), Policy Auditor (PA), Rogue System Detection (RSD), Asset Baseline Monitor (ABM), Host Data Loss Prevention (HDLP)]

McAfee Agent (MA)

Securely interfaces with ePO to install and update products

Host IPS/FW (HIPS)

Provides protection from both known and zero-day threats

Application Control

Stateful desktop firewall

Rogue System Detection (RSD)

Identify unmanaged hosts

Asset Baseline Monitor (ABM)

Detect system-level changes per INFOCON Policy SD 527-1

Policy Auditor (PA)

Measure compliance to and report on configuration standards (Patch level, STIG, FDCC, etc.)

Device Control (DCM is a part of HDLP)

Control what devices can connect to hosts

Restrict USB storage devices

Restrict CD/DVD Write operations

[Diagram legend: AV Program, HBSS Program, Upgradeable]

Page 4: Control and Tactical Systems Security


Some current HBSS perceptions

Unwieldy in disconnected networks

Unwieldy in networks with disadvantaged bandwidth

Put here on earth to punish Warfighters for bad karma from past lives

Offers no protection for legacy systems such as WinNT and Win2000 where a POR still requires the use of those systems

Unwieldy protection for firm or fixed function devices

Offers limited protection for Unix operating systems


Page 5: Control and Tactical Systems Security


Identifying Broad Levels of Protection Categories

Level 1: Protection by Source Identification • Identify threat source: rogue websites, open ports, external devices (CD, USB), email

Level 2: Protection via Threat Techniques • Network-based, application vulnerability-based, content-based

Level 3: Protection from Unwanted Execution • Anti-virus, Application Whitelisting

Level 4: Protection from Known Behavioral Exploits • Access Protection, File Integrity Monitoring, Behavioral rules (stateless and stateful)

Page 6: Control and Tactical Systems Security


Mapping Threats Against Categories of Protections

Page 7: Control and Tactical Systems Security


Adding in specific threat vectors

Page 8: Control and Tactical Systems Security


Blacklist or Whitelist?

[Chart: device classes placed on an AD-HOC / STATIC / PLANNED axis against BLACK (blacklist), WHITE+BLACK and WHITE (whitelist) protection models; devices shown: NetBook, Consumer PC, POS, Kiosks, Medical Devices, SCADA Systems, ATMs, Printer, Servers, Corporate Desktop, Rugged Platforms, Tactical Systems]

Page 9: Control and Tactical Systems Security


Risk Tolerance and Security Optimization

[Chart: horizontal axis Flexibility of the Secured System (Low to High), vertical axis Zero Day Protection; plotted technologies: Anti-Virus, HIPS, Application Control]

Page 10: Control and Tactical Systems Security


NSA Application Whitelisting Feedback

http://www.nsa.gov/ia/_files/factsheets/Application_Whitelisting_Trifold.pdf

Page 11: Control and Tactical Systems Security


Unknown Binary is Unauthorized

Whitelist

Whitelist created during install-time by scanning system for applications, libraries, drivers, scripts.

1. Application attempts to launch

• Could be an executable or OS component

2. MAC verifies binary code from Whitelist

3. If not in Whitelist, then program is not launched.

• Attempt is logged for alerts and auditing

Whitelisting Basics

Page 12: Control and Tactical Systems Security


Memory Protection —Security Beyond Whitelisting

[Diagram: an application loaded in memory; injected code (via buffer overflow) attempts to drop a payload and make a system change through critical system APIs in Kernel32.dll, User32.dll and NTDll.dll; AWL verifies the source of the request]

• A vulnerable program trusted by the whitelist can be dangerous

• Besides whitelisting, AWL solutions need to protect apps in memory

Page 13: Control and Tactical Systems Security


McAfee Application Control Multi-layered Security Solution

Dynamic Whitelisting: prevent all unauthorized code from running

Memory Protection: protect against memory-based attacks and application tampering

Image Deviation: compare deployed system images to desired standard images with on-demand reporting

Page 14: Control and Tactical Systems Security


McAfee Change Control Multi-layered Security Solution

Integrity Monitoring: alerts upon unauthorized system changes

Change Audit: provides reporting and search capabilities that include who made changes in addition to the change details

Change Prevention: selectively prevents out-of-policy changes and logs any attempted out-of-policy change

Page 15: Control and Tactical Systems Security


Application Control Benefits

1. Improved Protection
   – From Targeted Attacks
   – From Advanced Persistent Threats (APTs)

2. Protection without patching
   – MP & AWL provide coverage and eliminate the urgency for security patches

3. Extending Life of Legacy Systems
   – Win NT, Win 2000 are not supported by MS
   – Systems with low memory/CPU can be supported

4. Negligible System Performance Impact (CPU/IO/Memory)

5. Protection for Firm/Fixed Function devices

6. Drastically reduced/eliminated bandwidth requirements
   – Much cleaner disconnected network/disadvantaged bandwidth solution

Page 16: Control and Tactical Systems Security


Trust Model – Enabler for “Dynamic” whitelisting

[Cycle diagram: Locked down with Whitelisting → Whitelist automatically updated → Returned to Whitelist Lockdown]

Trust categories: Trusted Updaters, Trusted Directory, Trusted Certificates, Trusted Admin
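The whitelisting basics (install-time scan, unknown binary is unauthorized, blocked attempts logged) and the trust model above, as an added Python example that is not McAfee's code: the whitelist is a set of SHA-256 hashes built from a constructed sample tree, the trusted updater name and trusted directory are assumptions, and only the Trusted Updaters and Trusted Directory categories are modelled.

```python
import hashlib, logging, tempfile
from pathlib import Path

CODE_SUFFIXES = {".exe", ".dll", ".sys", ".ps1"}  # assumed set of "code" file types

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_whitelist(root: Path) -> dict:
    """Install-time scan: hash every executable, library, driver and script."""
    return {sha256_of(p): str(p) for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in CODE_SUFFIXES}

def check_launch(whitelist: dict, binary: Path) -> bool:
    """Launch-time gate: an unknown binary is unauthorized and the attempt is logged."""
    digest = sha256_of(binary)
    if digest not in whitelist:
        logging.warning("blocked launch of %s (sha256=%s)", binary, digest)
    return digest in whitelist

def trusted_update(whitelist: dict, new_file: Path, actor: str,
                   trusted_updaters: set, trusted_dirs: set) -> bool:
    """Trust model: code written by a trusted updater or placed in a trusted directory joins the whitelist."""
    trusted = actor in trusted_updaters or any(new_file.is_relative_to(d) for d in trusted_dirs)
    if trusted:
        whitelist[sha256_of(new_file)] = str(new_file)  # whitelist automatically updated
    else:
        logging.warning("untrusted change by %s to %s not whitelisted", actor, new_file)
    return trusted

def demo() -> dict:
    updaters = {"wsusupd.exe"}                    # assumed trusted updater process name
    with tempfile.TemporaryDirectory() as tmp:   # constructed sample tree, not a real host
        root = Path(tmp)
        (root / "app").mkdir(); (root / "patches").mkdir()
        good = root / "app" / "good.exe"; good.write_bytes(b"MZ good app")
        (root / "app" / "readme.txt").write_bytes(b"not code, never listed")
        wl = build_whitelist(root)               # locked down with whitelisting
        evil = root / "app" / "evil.exe"; evil.write_bytes(b"MZ dropped later")
        fix = root / "patches" / "hotfix.dll"; fix.write_bytes(b"MZ vendor fix")
        trusted_dirs = {root / "patches"}        # assumed trusted directory
        return {
            "listed": len(wl),
            "good_runs": check_launch(wl, good),
            "unknown_blocked": not check_launch(wl, evil),
            "user_cannot_add": not trusted_update(wl, evil, "user", updaters, trusted_dirs),
            "trusted_dir_adds": trusted_update(wl, fix, "user", updaters, trusted_dirs),
            "fix_runs_after": check_launch(wl, fix),
        }
```

Running demo() returns True for every check: the pre-scanned binary runs, the later-dropped one is blocked and logged, and only the file placed in the trusted directory is added and then allowed to run.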

Page 17: Control and Tactical Systems Security


Disconnected Network / Disadvantaged Bandwidth


Tactical Community User

Page 18: Control and Tactical Systems Security


Firm/Fixed Function

Tactical Garrison

Page 19: Control and Tactical Systems Security


Application control / change control certs (AC and CC v.5.1)

Details             FIPS        Common Criteria   UC APL
Status              Validated   Certified         In Process
Level               180-3       EAL 3+
CC Listing Country              Canada
Version             v.5.1       v.5.1

Page 20: Control and Tactical Systems Security


Recommended Package: Disconnected Network, Disadvantaged Bandwidth, Firm/Fixed Function Devices

[Diagram: McAfee Agent on managed systems, reporting to ePO; package components: Change Control (CC), Rogue System Detection (RSD), Asset Baseline Monitor (ABM), Device Control (DCM), Application Control (AC)]

McAfee Agent (MA)

Securely interfaces with ePO to install and update products

Application Control

Protection from unauthorized applications

Dynamically managed whitelists

Change Control

Enforces policies to prevent unauthorized changes to critical files, directories, and configurations

Rogue System Detection (RSD)

Identify unmanaged hosts

Device Control (DCM is a part of HDLP)

Control what devices can connect to hosts

Restrict USB storage devices

Restrict CD/DVD Write operations

[Diagram legend: HBSS Program]

Page 21: Control and Tactical Systems Security