
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Date post: 14-Sep-2014
Description:
Traditional endpoint protection solutions have become the punching bag of security. And for good reason. Traditional solutions, including blacklisting and signature-based antivirus, have not kept pace in combating advanced threats and zero-day attacks. Organizations are left defenseless. A new approach is needed that understands the lifecycle of today’s advanced attacks, providing capabilities to assess devices, prevent attacks, detect compromise, investigate the incident and finally remediate the environment. View the full on-demand webcast: https://www2.gotomeeting.com/register/795743346
Transcript
Page 1: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

© 2014 IBM Corporation

IBM Security

1 © 2014 IBM Corporation

Re-defining Endpoint Protection

Mike Rothman, Securosis

Andy Land, IBM

Page 2: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Re-defining Endpoint Protection

Mike Rothman, [email protected]

Twitter: @securityincite

Advanced Endpoint and Server Protection: Tactics and Techniques

Page 3: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

About Securosis

• Independent analysts with backgrounds on both the user and vendor side.

• Focused on deep technical and industry expertise.

• We like pragmatic.

• We are security guys – that’s all we do.

Page 4: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks
Page 5: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

How customers view Endpoint Protection

• Compliance is the main driver for endpoint protection

• Whether it works or not is not the issue.

• And to be clear, traditional anti-malware technology doesn’t work anymore.

http://flic.kr/p/9kC2Q1

Page 6: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Milking the AV Cash Cow

• Add incremental functions:

• HIPS/Heuristics

• “Crowd-sourcing” threats

• File reputation

• Endpoint hygiene

http://flic.kr/p/3d2Uho

Page 7: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Threat Management Reimagined

Page 8: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Prevention

Next you try to stop an attack from being successful. This is where most of the effort in security has gone for the past decade, with mixed (okay, lousy) results. A number of new tactics and techniques are modestly increasing effectiveness, but the simple fact is that you cannot prevent every attack. It has become a question of reducing your attack surface as much as practical. If you can stop the simplistic attacks you can focus on more advanced ones.

Page 9: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Adversaries: Better and Better

Advanced Malware

Polymorphism

Sophisticated targeting

Professional Processes

http://www.flickr.com/photos/dzingeek/4587871752/

Page 10: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

The Negative Security Model

http://www.despair.com/tradition.html

Page 11: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Traditional AV

But detection of advanced attacks is still problematic if detection is restricted to matching files at runtime. You have no chance to detect zero-day or polymorphic malware attacks.

Page 12: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

You don’t know what malware is going to look like...

But you DO know what software should and should not do.

This calls for Advanced Heuristics

Page 13: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Advanced Heuristics

Heuristics have evolved to recognize normal application behavior. This dramatically improves accuracy because rules are built and maintained at a specific application level.

Page 14: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Look for what?

• Executables/dependencies

• Injected threads

• Process creation

• System file/configuration/registry changes

• File system changes

• OS level functions including print screen, network stack changes, key logging, etc.

• Turning off protections

• Account creation and privilege escalation

http://flic.kr/p/6Yz7MB
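The two slides above argue that you cannot predict what malware looks like, but you can describe what a given application should and should not do. The following is an added example of that idea in code; it is not code from the deck, from Securosis or from IBM. The event schema, the per-application profiles (`winword.exe`, `chrome.exe`) and the sample telemetry are all constructed for illustration, and the generic "always suspicious" set follows the list on the slide (injected threads, turning off protections, account creation, privilege escalation, key logging).

```python
"""Application-level behavioral heuristics over endpoint telemetry.

Added example, not code from the original deck or from Securosis or IBM.
The event schema, the per-application profiles and the sample events are
all constructed for illustration; real HIPS/EDR telemetry is richer and
profiles would be maintained per application version.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Event kinds follow the "look for what?" list on the slide.
INJECTED_THREAD = "injected_thread"
PROCESS_CREATE = "process_create"
REGISTRY_CHANGE = "registry_change"
FILE_WRITE = "file_write"
PROTECTION_OFF = "protection_disabled"
ACCOUNT_CREATE = "account_create"
PRIV_ESCALATION = "privilege_escalation"
KEYBOARD_HOOK = "keyboard_hook"

# Generic rules: no ordinary user application does these, whatever its profile says.
ALWAYS_SUSPICIOUS = {INJECTED_THREAD, PROTECTION_OFF, ACCOUNT_CREATE,
                     PRIV_ESCALATION, KEYBOARD_HOOK}


@dataclass
class AppProfile:
    """Expected behavior of one application (constructed, hypothetical profiles)."""
    name: str
    allowed_children: set = field(default_factory=set)
    allowed_write_prefixes: Tuple[str, ...] = ()
    allowed_registry_prefixes: Tuple[str, ...] = ()


PROFILES: Dict[str, AppProfile] = {
    "winword.exe": AppProfile(
        "winword.exe",
        allowed_children={"splwow64.exe"},
        allowed_write_prefixes=("C:\\Users\\", "C:\\ProgramData\\Microsoft\\Office\\"),
        allowed_registry_prefixes=("HKCU\\Software\\Microsoft\\Office\\",),
    ),
    "chrome.exe": AppProfile(
        "chrome.exe",
        allowed_children={"chrome.exe"},
        allowed_write_prefixes=("C:\\Users\\",),
        allowed_registry_prefixes=("HKCU\\Software\\Google\\",),
    ),
}


def _has_prefix(target: str, prefixes: Tuple[str, ...]) -> bool:
    t = target.lower()
    return any(t.startswith(p.lower()) for p in prefixes)


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the event deviates from expected behavior, else None."""
    proc = event["process"].lower()
    kind = event["kind"]
    target = event["target"]
    if kind in ALWAYS_SUSPICIOUS:
        return f"{kind} -> {target}: never expected from a user application"
    profile = PROFILES.get(proc)
    if profile is None:
        return None  # no application-level rule for this process; only the generic checks apply
    if kind == PROCESS_CREATE and target.lower() not in profile.allowed_children:
        return f"spawned unexpected child process {target}"
    if kind == FILE_WRITE and not _has_prefix(target, profile.allowed_write_prefixes):
        return f"wrote outside its expected locations: {target}"
    if kind == REGISTRY_CHANGE and not _has_prefix(target, profile.allowed_registry_prefixes):
        return f"modified registry outside its expected keys: {target}"
    return None


def analyze(events: List[dict]) -> List[Tuple[str, str]]:
    """Run every event through classify(); return (process, reason) for each finding."""
    findings = []
    for e in events:
        reason = classify(e)
        if reason:
            findings.append((e["process"].lower(), reason))
    return findings


# Constructed sample telemetry: a document that drops a script and persists.
SAMPLE_EVENTS = [
    {"process": "winword.exe", "kind": FILE_WRITE, "target": "C:\\Users\\alice\\Documents\\q3-report.docx"},
    {"process": "winword.exe", "kind": PROCESS_CREATE, "target": "powershell.exe"},
    {"process": "winword.exe", "kind": REGISTRY_CHANGE,
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"process": "chrome.exe", "kind": FILE_WRITE, "target": "C:\\Users\\alice\\Downloads\\invoice.pdf"},
    {"process": "chrome.exe", "kind": PROTECTION_OFF, "target": "real-time antivirus scanning"},
    {"process": "svchost.exe", "kind": INJECTED_THREAD, "target": "lsass.exe"},
    {"process": "setup.exe", "kind": FILE_WRITE, "target": "C:\\Program Files\\Vendor\\app.exe"},
]

if __name__ == "__main__":
    for proc, reason in analyze(SAMPLE_EVENTS):
        print(f"[ALERT] {proc}: {reason}")
```

Note the split between the two rule layers: the generic set fires regardless of which process is involved (the `svchost.exe` thread injection is flagged with no profile at all), while the per-application profile is what lets the ordinary document write pass and the same application's child-process and Run-key changes stand out. A process with no profile, such as the constructed `setup.exe`, gets only the generic checks, which is the accuracy trade-off the slide describes: coverage is only as good as the set of applications you have profiled.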

Page 15: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Application Control

• Define a set of authorized executables that can run on a device, and block everything else.

• Flexible “trust” model to offer “grace” period to install s/w

• Authorized publishers, trusted employees, etc.

• Though more flexible trust models weaken security…

http://flic.kr/p/97Kqk8
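The slide describes application control as a fixed allowlist of executables plus an optional, more flexible trust layer (authorized publishers, a grace period to install software), and warns that the flexible layer weakens security. The following added example shows both decision paths side by side; it is not code from the deck or from any product the deck names. The allowlist entries, the publisher name "Example Corp Internal Build", the per-user grace window and the execution requests are all constructed, and the hashes are computed over constructed byte strings rather than real binaries.

```python
"""Application control: authorized-executable allowlist with an optional
"flexible trust" layer (trusted publishers, install grace periods).

Added example, not code from the original deck or from any product it names.
The allowlist entries, publisher name, grace window and execution requests are
constructed; the hashes are of constructed byte strings, not real binaries.
A real enforcement point lives in the OS loader or kernel, not in Python.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Policy:
    # Strict core: exact binaries allowed to run, keyed by SHA-256 of their contents.
    authorized_hashes: Dict[str, str]
    # Flexible trust: validly signed code from these publishers runs even if its hash is unknown.
    trusted_publishers: Set[str] = field(default_factory=set)
    # Flexible trust: per-user install windows during which unknown code is tolerated.
    grace_until: Dict[str, datetime] = field(default_factory=dict)


@dataclass
class ExecRequest:
    path: str
    contents: bytes
    user: str
    at: datetime
    signer: Optional[str] = None      # publisher name from the code-signing certificate
    signature_valid: bool = False     # outcome of signature verification (assumed done elsewhere)


@dataclass
class Decision:
    allow: bool
    reason: str


def decide(policy: Policy, req: ExecRequest) -> Decision:
    """Allowlist first; then the flexible trust paths; default deny."""
    digest = sha256_hex(req.contents)
    name = policy.authorized_hashes.get(digest)
    if name is not None:
        return Decision(True, f"hash matches authorized binary {name}")
    # A publisher claim is worthless unless the signature actually verifies.
    if req.signer in policy.trusted_publishers:
        if req.signature_valid:
            return Decision(True, f"signed by trusted publisher {req.signer}")
        return Decision(False, f"claims publisher {req.signer} but signature failed")
    expiry = policy.grace_until.get(req.user)
    if expiry is not None and req.at < expiry:
        return Decision(True, f"within install grace period for {req.user}")
    return Decision(False, f"{req.path} not on allowlist (sha256 {digest[:12]}...)")


def evaluate(policy: Policy, requests: List[ExecRequest]) -> List[bool]:
    return [decide(policy, r).allow for r in requests]


# Constructed fixtures: a fixed clock, two authorized binaries, one unknown tool.
NOW = datetime(2014, 9, 14, 12, 0, tzinfo=timezone.utc)
NOTEPAD = b"constructed contents of notepad.exe"
ERP = b"constructed contents of erp-client.exe"
UNKNOWN = b"constructed contents of some-new-tool.exe"

STRICT = Policy(authorized_hashes={sha256_hex(NOTEPAD): "notepad.exe",
                                   sha256_hex(ERP): "erp-client.exe"})
FLEXIBLE = Policy(authorized_hashes=dict(STRICT.authorized_hashes),
                  trusted_publishers={"Example Corp Internal Build"},
                  grace_until={"alice": NOW + timedelta(hours=1)})

TOOL = "C:\\Users\\bob\\Downloads\\some-new-tool.exe"
REQUESTS = [
    ExecRequest("C:\\Windows\\notepad.exe", NOTEPAD, "bob", NOW),
    ExecRequest(TOOL, UNKNOWN, "bob", NOW),
    ExecRequest(TOOL, UNKNOWN, "bob", NOW, signer="Example Corp Internal Build", signature_valid=True),
    ExecRequest(TOOL, UNKNOWN, "alice", NOW),                           # inside alice's grace window
    ExecRequest(TOOL, UNKNOWN, "alice", NOW + timedelta(hours=2)),      # grace window expired
    ExecRequest(TOOL, UNKNOWN, "bob", NOW, signer="Example Corp Internal Build", signature_valid=False),
]

if __name__ == "__main__":
    for label, policy in (("strict", STRICT), ("flexible", FLEXIBLE)):
        for r in REQUESTS:
            d = decide(policy, r)
            print(f"{label:8} {'ALLOW' if d.allow else 'BLOCK'} {r.path} ({d.reason})")
```

Running the same six requests through both policies makes the slide's caveat concrete: the strict policy allows only the hash-matched binary, whereas the flexible policy additionally admits the unknown tool when it carries a valid trusted-publisher signature or when the requesting user is inside a grace window. Every such addition is a deliberate hole in the allowlist; the grace-period path in particular admits anything at all for that user until the window expires, so it should be short, logged and tied to a specific change ticket.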

Page 16: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Application Control Use Cases

• Servers

• Fixed function devices

• High value endpoints

http://flic.kr/p/4yvVc8

Page 17: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Isolation

Spin up a walled garden to run applications. If an app is compromised (detected using advanced heuristics), the sandbox prevents the application from accessing core device features such as the file system and memory, and prevents the attacker from loading additional malware.

Page 18: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Old concept, New Packaging

• Isolation is not new. VMs in use by sophisticated users for years.

• Isolation still needs to use some O/S level services, which provides attack surface.

• VM (or isolation) aware malware stays dormant

• Sophisticated evasion techniques emerging: human interaction, timers, process hiding, etc…

Page 19: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Choosing Prevention

• What kind of adversaries do you face?

• Which applications are most frequently used?

• How disruptive will employees allow the protection to be?

• What percentage of devices have been replaced in the past year?

Page 20: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Understanding Effectiveness

• Hype, religion and snake oil will be common as vendors look to establish their approach as “best.”

• Comparative tests frequently gamed. Provide one data point.

• Look for testing outliers and go on from there.

http://flic.kr/p/7SrgR3

Page 21: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Summary

• Advanced Protection requires a broader view of threat management

• Innovation on endpoint/server prevention will accelerate

• Shift investment from ineffective legacy prevention to more effective advanced prevention, detection and investigation.

http://www.flickr.com/photos/74571262@N08/6710953053/

Page 22: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Read our stuff

• Blog

• http://securosis.com/blog

• Research

• http://securosis.com/research

• We publish (almost) everything for free

• Contribute. Make it better.

Page 23: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Mike Rothman

Securosis LLC

[email protected]

http://securosis.com/blog

Twitter: @securityincite

Page 24: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks


Trusteer Apex

Page 25: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks


Are you fighting a losing battle?

IBM Internal Use Only

• Humans will always make mistakes

• System and application vulnerabilities continue to emerge

• Malware detection will always lag

Page 26: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks


Do you have the right weapons?

IBM Confidential until May XY, 2014

Fragmented market with point products

• Endpoint protection market is highly fragmented with many point solutions

- e.g., Sandboxing, application control, whitelisting

Major security control gaps

• Existing products offer no controls for major attack vectors

- e.g., Zero-day exploits, applicative Java attacks

Challenging manageability and operations

• Advanced threat solutions are difficult and costly to operate

• Difficult to scale manual remediation processes to thousands of enterprise endpoints

• High false positive rates

• Whitelisting processes on endpoints non-manageable

Page 27: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks


Trusteer Apex

Preemptive, low-impact defense for enterprise endpoints


ADVANCED MULTI-LAYERED DEFENSE

Comprehensive endpoint defense against advanced threats

DYNAMIC INTELLIGENCE

Advanced threat intelligence collected from tens of millions of endpoints

LOW OPERATIONAL IMPACT

Low overhead on IT / security teams, transparent to end users

Trusteer Apex

Page 28: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks


Apex multi-layered defense architecture


Threat and Risk Reporting

Vulnerability Mapping and Critical Event Reporting

Advanced Threat Analysis and Turnkey Service

Credential Protection

Exploit Chain Disruption

Cloud Based File Inspection

Malicious Communication Prevention

Lockdown for Java

Global Threat Research and Intelligence

Global threat intelligence delivered in near-real time from the cloud

• Alert and prevent phishing and reuse on non-corporate sites

• Prevent infections via exploits

• Zero-day defense by controlling exploit-chain choke point

• Legacy protection against known viruses

• Consolidates over 20 AV engines for maximal efficacy and operational simplicity

• Block malware communication

• Disrupt C&C control

• Prevent data exfiltration

• Prevent high-risk actions by malicious Java applications

Page 29: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks


Attack Progression

[Figure: attack-progression flow with the chokepoints controlled by Trusteer Apex. Only the labels are recoverable from the original slide; they are listed below.]

Phases: Pre-exploit, Exploit, Data exfiltration

Attack stages, in order:

• Delivery of weaponized content

• Exploitation of app vulnerability

• Malware delivery

• Malware persistency

• Execution and malicious access to content

• Establish communication channels

• Data exfiltration

Controlling exploit-chain chokepoints

Pre-exploit layers: File Inspection; Endpoint Vulnerability Reporting; Credential Protection

Strategic chokepoints: Exploit Chain Disruption; Lockdown for Java; Malicious Communication Blocking (destinations, C&C traffic detection)

Count labels the slide attaches to each stage and the traditional control for it:

• Unpatched and zero-day vulnerabilities (patching): endless

• Weaponized content (IPS, sandbox): many

• Malicious files (antivirus, whitelisting): endless

• Malicious behavior activities (HIPS): endless / many

Page 30: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks


Low operational impact

Advanced threat analysis and turnkey service


Eliminate the traditional security team approach

(detect, notify, and manually resolve)

Low-footprint threat prevention

Exceptional turnkey service

Low impact to IT security team

Minimize impact by blocking only the most sensitive actions

Centralized risk assessment service

Directly update endpoint users

Page 31: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks


Dynamic intelligence

Crowd-sourced expertise in threat research and dynamic intelligence

Global Threat Research and Intelligence

• Combines the renowned expertise of X-Force with Trusteer malware research

• Catalog of 70K+ vulnerabilities, 17B+ web pages, and data from 100M+ endpoints

• Intelligence databases dynamically updated on a minute-by-minute basis

Real-time sharing of Trusteer intelligence

Phishing Sites

URL/Web Categories

IP/Domain Reputation

Exploit Triage

Malware Tracking

Zero-day Research


Page 32: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks


Client example: Major heavy equipment manufacturer

Protecting endpoints against advanced threats and malware


Business challenge

• Protect 10,000 endpoints in multiple international locations

• Provide Remote Access to Suppliers, Contractors and Employees

• Prevent IP and Technology Data Theft

IBM Security Solution: Trusteer Apex

Trusteer Apex protects endpoints throughout the threat lifecycle by applying an integrated, multi-layered defense to prevent endpoint compromise for both managed and remote endpoints. Threats are continually analyzed and protections provided by Trusteer’s turnkey service.

Discovered 32 threats and 100 suspicious activities within weeks of deployment despite other security products

Advanced Threat Protection

Page 33: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks


Apex is essential to the IBM Threat Protection System

IBM Confidential - NDA until May 5, 2014

Open Integrations

Ready for IBM Security Intelligence Ecosystem

Trusteer Apex Endpoint Exploit Chain Disruption

IBM Security Network Protection XGS

Smarter Prevention

IBM Security QRadar Security Intelligence

Security Intelligence

IBM Emergency Response Services

IBM Security QRadar Incident Forensics

Continuous Response

IBM X-Force Threat Intelligence

New real-time sharing of Trusteer threat intelligence from 100M+ endpoints with X-Force

Global Threat Intelligence


Java Lockdown Protection - granular control of untrusted code, cloud-based file inspection, and QRadar integration

Advanced Threat Quarantine integration from QRadar and third-party products, inclusion of Trusteer intelligence into XGS

Data Node appliance, new flow and event APIs, and QRadar Vulnerability Manager scanning improvements

Integrated forensics module with full packet search and visual reconstruction of relationships

Increased global coverage and expertise related to malware analysis and forensics

New functionality from partners including FireEye, TrendMicro, Damballa and other protection vendors

Page 34: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks


Introducing IBM Trusteer Apex

Re-defining endpoint protection for the advanced threat landscape

Trusteer Fast Facts:

Acquired by IBM August 2013

Adds endpoint protection capabilities to the IBM Security Portfolio

Unique Integrations

Integrated into IBM Threat Protection System

Advanced Threat Defense Leaders

Analyzing and preventing APTs for the last 8 years

Page 35: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

Disclaimer

Please Note:

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Page 36: Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
