Presentation from "DSS" organized ITSEC conference on 24th of November, RIga, Latvia.
Shift to Intelligent Endpoint Security Management
Riga, Latvia
24th of November, 2011
Andris Soroka
Data Security Solutions, [email protected]
Lumension Security business card
• Offices Worldwide + Strong Partner Base (500+)
• More than 6000 customers in 70 countries
• More than 5 million endpoints protected
• Award-Winning Innovator
Portfolio – ANNO 1991
• Endpoint Operations
» Power Management
» License Monitoring
» Application Deployment
» Asset Identification and Inventory
» Contract Management
• Vulnerability Management
» Vulnerability Assessment
» Patching and Remediation
» Security Configuration Management
» X-Platform Content Support
• Endpoint Protection
» AntiVirus/Malware
» Malware Remediation
» Application Control – Whitelisting
» Application Identity & Assurance
• Compliance and IT Risk Management
» Compliance-Control Mapping
» Continuous Monitoring
» Control Harmonization
» IT Risk Assessment
» Deficiency Remediation
• Data Protection
» Device Control
» Data Encryption
» Whole Disk Encryption
» Content Filtering
» Data Discovery
Agenda
» Traditional Endpoint Security – threats, drivers
» Evolutions and shifts in Endpoint Security
» Lumension LEMSS – the innovative platform
» Device Control
» Application Control
» Antivirus
» Whole Disk Encryption
» Patch & remediation and more
Business Drivers and Threats The Endpoint Security Landscape
Security Today
General Categories
• Financially Motivated
» Bank Accounts, Passwords, etc.
» Identity Theft
» Insiders
• Intellectual Property Theft
• Hacktivists
» IP / Customer data
» Denial of Service
» Reputational Damage
Threats and solutions of Security Today
Endpoint Security Today – most important
Reality check
• Weakest link: the endpoint
» 70% of incidents are caused on the endpoint
» >2 million unique malware samples every day
» On average, the lifetime of a malware sample is less than 24 hours
» Traditional defense is not enough
Today’s business environment
» IT continues taking the lead in business (ERP, CRM, document management, digital prototyping etc.)
» Development of the e-World continues (B2B, B2C, e-Services, e-Government, e-Health, social networking, Web 2.0, unified communications etc.)
» Consumerization, mobility and the borderless enterprise are a reality
» Cyber culture grows faster than cyber security (also, not all countries have compliance regulations or penalties)
Every technology is vulnerable
Not a Microsoft world anymore.
Apple and Adobe are two of the top three application vendors disclosing vulnerabilities.
Apple and Linux are two of the top three platforms reporting vulnerabilities.
Virtualization vulnerabilities have grown in total number in recent years.
The cycle from vulnerability to worm is shortening dramatically, putting increasing pressure on IT departments to remediate vulnerabilities faster than ever.
Endpoints are at risk every day
The applications we use today for productivity
Collaborative / Browser-based / Open Source
Social Communities, Gadgets, Blogging and Widgets open up our networks to increasing risk everyday.
Source: Verizon, 2010 Data Breach Investigations Report
Growing Application Centric Risk
» Social networking applications were detected in 95% of organizations.
» 78% of Web 2.0 applications support file transfer.
» 2/3 of applications have known vulnerabilities.
» 28% of applications were known to propagate malware.
» The best AV capture rate for new malware is 33% on the first day; after 30 days it is 93%...
» ~2M unique malware signatures are detected each day, and the number is growing very fast.
Growing Device Centric Risk
» Over 70% of IT security incidents are caused by insiders’ devices
» 60% of confidential data resides on endpoints
» Devices are bi-directional threats
» USB devices are well known “weapons” of social engineering
» 48% of users utilize company tools for personal usage
Endpoint Security Today
Traditional Defenses …
• Antivirus
• Patching Microsoft OS and Apps
• Firewalls
• Strong Passwords
• End-User Education Programs
… Don’t Always Work: If They Did, We Wouldn’t Have IT Security Breaches!
Summary of Endpoint threats
Where Traditional Defenses Fall Short
• Risk from Un-patched 3rd Party Apps
• Controlling Local Admins Gone Wild
• Preventing Zero-Day Attacks and Targeted Malware
• End-User Education Isn’t Keeping Up
• Actionable Reporting and Security Measurement
Results of threats
We end up with:
• Internet shops full of credit card, bank account, privacy, business and other confidential data
• Services for hire: botnets, malicious code and attacks on anyone
• Video trainings and eLearning available in social media, such as YouTube
• A «black market community» (forums, blogs, interest groups, conferences etc.)
• Lost business & reputation
Some examples
FBI warns USA Congress that cybercriminals can hack any
internet-linked system
Gordon M. Snow, assistant director of the FBI’s Cyber Division
(13th of April, 2011)
Exclusive: Computer Virus Hits U.S. Drone Fleet
Noah Shachtman, Wired Magazine
(7th of October, 2011)
Betfair admits data hack... after 18 months - over two million
card details were stolen
Rory Cellan-Jones, BBC Technology
(30th of September, 2011)
Endpoint Security Today
“Organizations are looking to application control solutions to augment signature-based antivirus protection and to exert more control over endpoints. Although this space has been dominated by the smaller vendors, larger endpoint protection and management providers are entering the market.” -- Gartner Analysts Neil MacDonald and Michael A. Silver
Endpoint Security Today
“Organizations do not feel more secure than they did last year. This is mainly due to the use of ineffective technology solutions when better, more effective and efficient technologies exist but are not heavily implemented.”
Paul Henry
Security & Forensics Analyst MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI, CCE
SANS Institute Instructor
Quotes from AV vendors
“Basic security protection is not good enough.” -- Rowan Trollope, Senior Vice President, Symantec
“You can’t just rely on antivirus software – and we’re an antivirus company.” -- George Kurtz, Worldwide CTO, McAfee
“[Standard] antivirus is not effective anymore...” -- Raimund Genes, CTO, Trend Micro Inc
“[Signatures are] completely ineffective as the only layer [of endpoint security]…” -- Nikolay Grebennikov, CTO, Kaspersky
Changes of the traditional Endpoint Security The Past, The Present and The Future
Endpoint Security – vendors and scope
Patching is the security priority
• The top security priority is “patching client-side software” (source: SANS Institute)
» Streamline patch management and reporting across OSs AND applications
• Patch and defend is not just a Microsoft issue
» More than 2/3 of today’s vulnerabilities come from non-Microsoft applications
Importance of Application Whitelisting
• Blacklist (AV)
» Detect, block and remove known bad
» Scan everything
» Higher resource utilization
» Risk of unknown
• Application Control
» Allow known good
» Remove known bad
» Allow trusted change
» Insert AV scan into process strategically
» Optimize resource utilization
» Optimize risk
• Whitelist
» Allow only known good to execute
» Lower resource utilization
» Low risk
(Diagram axis: Lockdown Policy, from Open to Lockdown)
Endpoint Security requirements
» Antivirus / Anti-malware
» HIPS / File Integrity monitoring
» Firewall / VPN
» Encryption (whole disk, devices)
» Device Control
» Application Control / System Lockdown
» Vulnerability management, patch and update management
» Configuration management
» NAC / Visibility
Endpoint Security Today
(Diagram: separate point products for Vulnerability Assessment, Systems Management, Patch Management, AntiVirus/Malware, Data Protection and Compliance, each with its own console, used by Colleen, IT Ops Manager; Pat, CIO; and Rich, IT Security Manager.)
Point products tax IT resources with additional administration burden, custom integration and maintenance, and limit user productivity across multiple management consoles.
45% of IT operations professionals work across 3-5 different software consoles while managing security & operational functions.*
*Worldwide State of The Endpoint Report 2009
Lumension Endpoint Management Security Suite 2011
Introducing: Application Intelligent Whitelisting
» Agile n-tier pluggable architecture
» Single Promotable Agent
» Single Console
LEMSS 2011 – one agent platform
L.E.M.S.S.: Patch and Remediation
L.E.M.S.S.: Wake on LAN & Power Mgmt.
L.E.M.S.S.: Whole Disk Encryption
L.E.M.S.S.: Security Configuration Management
L.E.M.S.S.: Device Control
L.E.M.S.S.: Risk & Compliance Management
L.E.M.S.S.: App Control & Antivirus
LEMSS – principle of work
Clean IT
L.E.M.S.S.: Antivirus
• Role of AntiVirus
» Remove malware prior to lockdown
» Scan for malware not identified at time of lockdown
» Scan when making changes
• Defense in depth
» AntiVirus no longer the primary defence mechanism
» Less of a reactionary role
• Features of AntiVirus
» Sandbox
» Antispyware / Antivirus
» DNA matching
» Exploit detection
Lock IT
L.E.M.S.S.: Application Control
• Role of Application Control
» Fast and easy policy definition
» Unique whitelist for every endpoint
» No disruption to productivity
» Stops any executable after locking it
» Granularity of control
» Integration with Patch & Remediation module for automated and first-in-market “Intelligent Application Whitelisting”
• Features of Application Control
» Kernel level solution
» ~10 years in development
» Exploit detection
Trust IT
L.E.M.S.S.: Patch And Remediation
• Role of Patch & Remediation
» Software and Patch deployment systems
» Automated discovery and assessment of assets
» Trusted change manager
» Automatic update of the local whitelist
» No disruption to productivity
» Single solution for heterogeneous environments
• Features of Patch & Remediation
» 20 years market leadership
» Patented patch fingerprint technology
» Largest coverage of OSs and Apps
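The Clean IT / Lock IT / Trust IT sequence as a small working model, added here as an illustration and not Lumension's code: a per-endpoint SHA-256 allowlist that is built after an AV pass, locked, and afterwards extended only through a trusted patch channel. The executables, the one-signature AV and the endpoint contents are constructed sample data.

```python
import hashlib

class EndpointWhitelist:
    """Per-endpoint allowlist of executable fingerprints, built in the three phases
    described above: Clean IT (AV scan), Lock IT (whitelist and lock), Trust IT (only
    a trusted updater may extend the list). Constructed model, not vendor code."""

    def __init__(self):
        self.allowed = set()        # SHA-256 hex digests of known-good executables
        self.locked = False         # until lockdown the endpoint is in the open state

    @staticmethod
    def fingerprint(image: bytes) -> str:
        return hashlib.sha256(image).hexdigest()

    def clean_and_lock(self, installed: dict, av_is_malicious) -> list:
        """Clean IT + Lock IT: quarantine what AV recognises, whitelist the rest, lock."""
        quarantined = [n for n, img in installed.items() if av_is_malicious(img)]
        for n, img in installed.items():
            if n not in quarantined:
                self.allowed.add(self.fingerprint(img))
        self.locked = True
        return quarantined

    def trusted_change(self, updates: dict, updater_trusted: bool) -> int:
        """Trust IT: a deployment job from the trusted patch channel extends the local
        whitelist automatically; any other writer is an unauthorised change (ignored)."""
        if not updater_trusted:
            return 0
        self.allowed.update(self.fingerprint(img) for img in updates.values())
        return len(updates)

    def may_execute(self, image: bytes) -> bool:
        # Open policy before lockdown (blacklist-only); strict allowlist afterwards
        return (not self.locked) or self.fingerprint(image) in self.allowed

def toy_av(image: bytes) -> bool:
    """Constructed stand-in for a signature scanner: it knows exactly one signature."""
    return b"KNOWN_BAD_SIGNATURE" in image

INSTALLED = {"word.exe": b"WORD v1", "acrobat.exe": b"ACROBAT v9",     # constructed sample
             "toolbar.exe": b"FREEWARE KNOWN_BAD_SIGNATURE"}           # endpoint contents

def demo():
    ep = EndpointWhitelist()
    before = ep.may_execute(b"UNKNOWN PAYLOAD")                 # True: AV has no signature
    removed = ep.clean_and_lock(INSTALLED, toy_av)              # ["toolbar.exe"]
    after = ep.may_execute(b"UNKNOWN PAYLOAD")                  # False: not on the whitelist
    tampered = ep.may_execute(b"WORD v1 ")                      # False: one byte differs
    rogue = ep.trusted_change({"acrobat.exe": b"ACROBAT v10"}, updater_trusted=False)  # 0
    still_blocked = ep.may_execute(b"ACROBAT v10")              # False
    patched = ep.trusted_change({"acrobat.exe": b"ACROBAT v10"}, updater_trusted=True)  # 1
    now_ok = ep.may_execute(b"ACROBAT v10")                     # True
    return {"before": before, "removed": removed, "after": after, "tampered": tampered,
            "rogue": rogue, "still_blocked": still_blocked, "patched": patched, "now_ok": now_ok}
```

The tampered case is the point of hashing whole images rather than names: a patched or trojanised copy of a whitelisted program has a different digest and is blocked until the trusted channel publishes it.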
Lumension Intelligent Application Whitelisting
Unifies workflows and technologies to deliver enhanced capabilities in the management of endpoint operations, security and compliance
» Remove whitelisting market adoption barriers
(Diagram of the unified platform, spanning Endpoint Operations and Endpoint Security; components shown: Device Control, Asset Management, Software Management, Power Management, Configuration Management, Content Wizard, Reporting, DLP, Compliance/Risk Mgt., Trusted Change, AntiVirus/Spyware, Patch Management, Application Control, Firewall Management, Whole Disk Encryption, Intelligent Whitelisting.)
Lumension Intelligent Endpoint Integrity Service
• Cloud repository that correlates files, hashes and attributes with applications
» “Speaking applications, not hashes”
• Positioned to provide HIGH INTEGRITY BY VALIDATING the source of HASH DATA
» Not community based, not designed to be “the biggest” at the sacrifice of integrity
» Will be the most trusted and provide risk management information
» Partnership with Microsoft and additional vendors
• Multiple hash types (SHA-1, SHA-256) will provide flexibility and stronger security
(Diagram: EIS Software Integrity Metadata Repository, EIS Services, Additional Partners, Lumension Application Control.)
Lumension Device Control
• Central Control of ALL desktop I/O Devices
» USB Removable Media, PDAs, Cameras, CD/DVD R/W, modems etc.
• Future Proof
• Device Usage Policy
» Integrates with Active Directory
» Policy per user, group or computer
» Read, Read/Write or No Access
» Temporary & Scheduled access – time of day/day of week
» On-line/Offline Device Permissions (e.g. no modems/3G Data Cards when connected)
• Granularity of Control
» White list of Make/Models allowed (e.g. only Lexar 256MB or Fuji camera)
» Unique Identification of Device by serial number
» Authorisation of specific CD media
» USB Key-logger detection
• Control What Data Is Copied
» Limit how much data is written out (e.g. Louis can copy 20MB per day max)
» File-Type Filtering – control which File Types are copied IN/OUT
» Used for exceptions, e.g. cameras can be used for image files only, and more…
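The device usage policy above, modelled as an added example that is not Lumension's own code: rules per user or group and per make/model, with a scheduled access window, an access level, a daily write quota and file-type filtering, evaluated default-deny. The rule for "louis" and the Lexar device come from the slide's examples; the serial number, dates and file types are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class DeviceRule:
    principals: set                # users, groups or computers the rule applies to
    device_class: str              # e.g. "Removable Storage Devices"
    access: str = "none"           # "none", "read" or "read/write"
    models: set = field(default_factory=set)       # allowed make/models; empty = any
    hours: tuple = (0, 24)         # permitted hours of day, [start, end)
    weekdays: set = field(default_factory=lambda: set(range(7)))   # 0 = Monday
    daily_write_mb: float = float("inf")           # per-user, per-device write quota
    file_types: set = field(default_factory=set)   # extensions allowed on write; empty = any

class DeviceControl:
    def __init__(self, rules):
        self.rules, self.written = rules, {}       # written: (user, serial) -> MB today

    def decide(self, user, groups, device, now, op, size_mb=0.0, ext=None):
        """First rule matching principal and hardware decides; none matching means deny."""
        who = {user} | set(groups)
        for r in self.rules:
            if not (r.principals & who) or r.device_class != device["class"] or \
               (r.models and device["model"] not in r.models):
                continue                           # rule is for someone or something else
            if now.weekday() not in r.weekdays or not r.hours[0] <= now.hour < r.hours[1]:
                return False, "outside scheduled access window"
            if r.access == "none" or (op == "write" and r.access != "read/write"):
                return False, f"policy grants '{r.access}'"
            if op == "write":
                if r.file_types and ext not in r.file_types:
                    return False, "file type not permitted"
                key = (user, device["serial"])
                if self.written.get(key, 0.0) + size_mb > r.daily_write_mb:
                    return False, "daily copy limit exceeded"
                self.written[key] = self.written.get(key, 0.0) + size_mb
            return True, "allowed"
        return False, "no matching rule (default deny)"

RULES = [  # constructed sample policy based on the slide's examples
    DeviceRule({"louis"}, "Removable Storage Devices", "read/write", models={"Lexar 256MB"},
               hours=(8, 18), weekdays=set(range(5)), daily_write_mb=20, file_types={"pdf", "docx"}),
]

def demo():
    dc = DeviceControl(RULES)
    lexar = {"class": "Removable Storage Devices", "model": "Lexar 256MB", "serial": "LX-0001"}
    tue, sat = datetime(2011, 11, 22, 10), datetime(2011, 11, 26, 10)  # Tue 10:00, Sat 10:00
    return {
        "louis_15mb": dc.decide("louis", [], lexar, tue, "write", 15, "pdf")[0],       # True
        "louis_10mb_more": dc.decide("louis", [], lexar, tue, "write", 10, "pdf")[0],  # False: 25 > 20
        "louis_exe": dc.decide("louis", [], lexar, tue, "write", 1, "exe")[0],         # False
        "louis_saturday": dc.decide("louis", [], lexar, sat, "read")[0],               # False
        "unknown_user": dc.decide("eve", [], lexar, tue, "read")[0],                   # False
    }
```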
L.E.M.S.S.: Device Control
Supported Device Types:
• Biometric devices
• COM / Serial Ports
• DVD/CD drives
• Floppy disk drives
• Imaging Devices / Scanners
• LPT / Parallel Ports
• Modems / Secondary Network Access Devices
• Palm Handheld Devices
• Portable (Plug and Play) Devices
• Printers (USB/Bluetooth)
• PS/2 Ports
• Removable Storage Devices
• RIM BlackBerry Handhelds
• Smart Card Readers
• Tape Drives
• User Defined Devices
• Windows CE Handheld Devices
• Wireless Network Interface Cards (NICs)
Improving Endpoint Security with LEMSS (Lumension Endpoint Management Security Suite)
Minimize Your True Endpoint Risk
Augment existing defense-in-depth tools
» Comprehensive Patch and Configuration Management
» Application Control / Whitelisting
» Device Control
» Encryption
(Diagram: Traditional Endpoint Security with Blacklisting As The Core, under pressure from Zero Day, 3rd Party Application Risk, Malware As a Service and Volume of Malware.)
Minimize Your True Endpoint Risk
(Chart: Areas of Risk at the Endpoint – 65% Misconfigurations, 30% Missing Patches, 5% Zero-Day. Source: John Pescatore, Vice President, Gartner Fellow.)
Rapid Patch and Configuration Management
• Analyze and deploy patches across all OSs and apps (incl. 3rd party)
• Ensure all endpoints on the network are managed
• Benchmark and continuously enforce patch and configuration management processes
• Don’t forget about the browser!
» Un-patched browsers represent the highest risk for web-borne malware.
Known
• Viruses • Worms • Trojans
Unknown
• Viruses • Worms • Trojans • Keyloggers • Spyware
Antivirus
• Use for malware clean-up and removal
Application control
• Much better defense to prevent unknown or unwanted apps from running
Stop Malware Payloads with App Whitelisting
Malware
Authorized
• Operating Systems
• Business Software
Unauthorized
• Games
• iTunes
• Shareware
• Unlicensed S/W
Untrusted Apps
Stop Unwanted Applications
Immediate and simple risk mitigation
• Denied Application Policy prevents unwanted applications even if they are already installed
• Easily remove unwanted applications
Reduce Local Administrator Risk
Monitor / Control Local Admin Usage
• Local Admins can do ANYTHING on their systems
» Install unwanted and unauthorized software
» Install malware
» Remove patches
» Bypass security measures
» Change configurations
Manage those Devices
Enforce Access Policy
Enforce Encryption Policy
Monitor, Manage, Report
Encryption
Endpoints (Whole Disk)
• Secure all data on endpoint
• Enforce secure pre-boot authentication w/ single sign-on
• Recover forgotten passwords and data quickly
• Automated deployment
Removable Devices
• Secure all data on removable devices (e.g., USB flash drives) and/or media (e.g. CDs / DVDs)
• Centralized limits, enforcement, and visibility
(Charts: Laptop Thefts, IDC 2010; Lost UFDs, Ponemon 2011)
Defense-in-Depth with Intelligent Whitelisting
(Coverage matrix; threat categories: Known Malware | Unknown Malware | Unwanted, Unlicensed, Unsupported applications | Application Vulnerabilities | Configuration Vulnerabilities)
» AntiVirus: X X
» Application Control: X X
» Patch & Remediation: X X
» Security Configuration Management: X
A Complete Defense With Lumension
(Diagram: Intelligent Whitelisting at the centre, surrounded by Firewall / IPS, Anti-Malware, Patch Management and Physical Access.)
Improving Endpoint Security
First in market solution
» Single Server / Management Console
» Single Agent
» Modular, Extensible Design
» Organization-wide Reporting
» Lower Total Cost of Ownership (TCO)
» Power of granularity
Single Console
Agile architecture
Single Promotable Agent
Real time risk & compliance manager
(Diagram: inputs – Regulation Authority Documents, Business Interests, Corporate Policies; Profile Risk Attributes – Open to the Internet, Contains Credit Card Information, Contains Customer Data; Applicable Controls – Password Length, Data Encryption, Power Save; assets – IT Assets, Business Processes, Revenue Streams, Trade Secrets; Pass/Fail Regulation Assessment – HIPAA 100%, SOX 65%, PCI 65%, NERC 30%; regulations: GLBA, PCI, FISMA, HIPAA, NHS, NERC, SOX, ISO/IEC…)
More Information
SMB Security Series
» Resource Center: http://www.lumension.com/smb-budget
» Webcast Part 2: http://www.lumension.com/Resources/Webinars/How-to-Reduce-Endpoint-Complexity-and-Costs.aspx
Quantify Your IT Risk with Free Scanners
» http://www.lumension.com/special-offer/PREMIUM-SECURITY-TOOLS.ASPX
Lumension® Endpoint Management and Security Suite
» Demo: http://www.lumension.com/endpoint-management-security-suite/demo.aspx
» Evaluation: http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx
SMB Market Survey
» www.lumension.com/smb-survey
Please consider next steps
• Lumension® Intelligent Whitelisting™
» Overview: www.lumension.com/Solutions/Intelligent-Whitelisting.aspx
» Free Demo: www.lumension.com/Resources/Demo-Center/Overview-Endpoint-Protection.aspx
» Free Application Scanner: www.lumension.com/special-offer/App-Scanner-Tool-V3.aspx
• Whitepaper and Videos
» Think Your Anti-Virus is Working? Think Again.: www.lumension.com/special-offer/App-Whitelisting-V2.aspx
» Using Defense-in-Depth to Combat Endpoint Malware: l.lumension.com/puavad
» Reducing Local Admin Access: www.lumension.com/special-offer/us-local-admin.aspx
Global Headquarters
15880 N. Greenway-Hayden Loop
Suite 100
Scottsdale, AZ 85260
GSM: +371 29162784