Tech Throwdown: Secure Containerization vs Whitelisting

Date post: 16-Jul-2015

Presented by: Darrin Mourer, Solution Architect, Invincea

Meet the Presenter

Darrin is a Solution Architect with Invincea specializing in advanced threat prevention, detection, and forensics. He has been involved in the information security space for over 15 years in both information security officer and vendor roles. He has held various certifications including CISSP, CISA, SANS, and ITIL. Prior to Invincea, Darrin spent over 10 years in various security leadership roles at Symantec.

Topics We’ll Cover

• Current threat curve (recap)
• Whitelisting vs. Containerization
  – Security efficacy
  – Total cost of ownership
  – Increase of capability
• Endpoint Security Reference Architecture implications

Recap: Malware Evolution (circa 2010)

[Figure: Threat Curve, circa 2010. Horizontal axis: Mass Targeting to Pinpoint Targeting; vertical axis: Sophistication, Low to High. Actors plotted along the curve: Script Kiddies, Lone Wolves, Organized Crime, “Hacktivists”, Nation States (Tier 2), Nation States (Tier 1). Defense coverage bands: Anti-Virus defenses; Advanced detection and whitelisting.]

Operation DeathClick Vectors: Evade Network Sandbox & AV

• Invincea discovered a concerted campaign against US Defense companies
• Represents a blending of traditional cyber-crime techniques (malvertising) with APT targeting and objectives
• Leverages advertising networks on ad-supported web sites to compromise specific company networks
• The threat evades almost all network-based and traditional endpoint controls. There is no patch.

Anti-Virus Evasion

[Figure: the adversary’s workflow, captioned “Test exploit against all anti-virus vendors to guarantee no detection before attacking”.]

Most Vulnerable Products, 2013

[Chart. Source: National Vulnerability Database and GFI]

2014+: Changing Threat Curve

[Figure: Threat Curve (today). Same axes and actors as the 2010 curve: Mass Targeting to Pinpoint Targeting; Sophistication, Low to High; Script Kiddies, Lone Wolves, Organized Crime, “Hacktivists”, Nation States (Tier 2), Nation States (Tier 1). Defense coverage bands: Anti-Virus defenses; Advanced detection and whitelisting.]

Takeaway: Less advanced adversaries now have access to very sophisticated techniques.

New Defenses are Needed

[Figure: Threat Curve (today), same axes and actors as above. Defense coverage bands: Anti-Virus defenses; Advanced detection and whitelisting; and a new band, Advanced Threat Endpoint Protection.]

Whitelisting and Dynamic Application Isolation: Technical Discussion

DETECTION | PREVENTION | INTELLIGENCE

What is Whitelisting?

• Create a set of allowed file executions to run on a system
• Deny attempts to run anything not on that list
• Can be combined/chained to create simple or complex rule sets

Where is Whitelisting found?

• Integrated into the operating system
  – AppLocker for Windows, App Limits for Mac
• Integrated into endpoint security packages
  – McAfee, Symantec, Trend, etc.
• Standalone products
  – Bit9, CoreTrace, Lumension, etc.

Comparison: Security Efficacy

• Whitelisting focuses exclusively on one aspect of the attack, preventing the execution of malicious binaries
• There is another technology that primarily focuses on the execution of malicious binaries, namely antivirus

[Figure: Cyber Kill Chain (Recon, Weapon, Delivery, Exploit, Install, Command and Control, Actions on Objectives). Current defenses “Disrupt to kill”, marked with an X at a single stage of the chain.]

Comparison: Security Efficacy

• So can whitelisting replace AV? Sources say “no”:
  – http://www.networkworld.com/article/2200901/network-security/whitelisting-on-its-own-not-a-substitute-for-antivirus-software.html (NetworkWorld, Burton Group)
  – http://www.infosecurity-magazine.com/news/coretrace-claims-whitelisting-no-replacement-for/ (CoreTrace, a whitelisting vendor)
  – http://blogs.gartner.com/neil_macdonald/2009/03/31/will-whitelisting-eliminate-the-need-for-antivirus/ (Gartner)

Comparison: Security Efficacy

• So can application isolation replace traditional endpoint security?
  – Again, the answer is “no”
• So when evaluating the security efficacy and cost of a solution, one should consider its value in relation to what else is already on the system.
  – And the “what else” that is running on every system is AV
• But are all AV solutions created equal?

Comparison: Security Efficacy

• AV has not exactly been “standing still” in the last decade. They’ve been approaching the problem in other ways including:

– Behavioral-based detection

– Algorithmic (machine learning) detection

– File reputation

– Cloud analysis (dynamic and static)

– And even whitelisting capabilities

• Examples

– McAfee/Intel: http://www.mcafee.com/us/products/threat-intelligence-exchange.aspx

– Symantec: http://www.symantec.com/reputation-based-security

– Trend Micro: http://www.trendmicro.com/cloud-content/us/pdfs/about/ds_smart-protection-network.pdf

Comparison: Security Efficacy

• How have whitelisting vendors attempted to distance themselves from free and bundled competitors?
  – Simplified profiling of the target environment
  – Better reporting on all binaries in use
  – Creation and maintenance of known good and known bad files by measures beyond file hashes, such as digital signatures, trusted publishers, and other characteristics
• The value, then, is simply operational gains in managing said whitelist over free or bundled toolsets

What’s Old is New Again

• Mainframe Logical and Workload Partitioning (DLPAR /

WPAR)

• Hypervisors

• Chroot and application jails

Existing Architecture

[Diagram, top to bottom: Office Applications (Excel, Word, PowerPoint) and Browsers (IE, Firefox, Chrome); Operating System; Hardware. Host Security Controls: AV, DLP, SSO.]

Revised Architecture

Secure Virtual Container:
- Container runs all untrusted content
- Isolates all user areas of the host filesystem
- Copy on Write filesystem and registry
- Low overhead
- Ecosystem interoperability

Secure Virtual Container

Protection: Attacks against the browser, plugins, or document readers are air-locked from the host operating system. Detection, kill and forensic capture occur inside the secure virtual container.

Detection: Containerized application behavior is meticulously whitelisted. Any deviation from known behavior is immediately flagged as suspicious. This means no signatures are required and 0-day threat detection is realized.

Removing threats: Restore to a Clean State
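The Detection and Removing threats points above, as an added Python model (not Invincea’s or any product’s code): a known-good behavior profile for a containerized browser, a deviation check that needs no signatures, and a copy-on-write layer whose restore simply discards everything the session wrote. The profile, paths, event records and the 203.0.113.5 address are constructed for illustration.

```python
# Known-good behavior profile for a containerized browser (constructed values).
PROFILE = {
    "child_procs": {"browser.exe", "plugin-container.exe", "pdf-reader.exe"},
    "file_prefixes": ("C:/Users/alice/AppData/Local/Browser/", "C:/Users/alice/Downloads/"),
    "reg_prefixes": ("HKCU/Software/Browser/",),
    "net_ports": {80, 443},
}

def deviations(events, profile=PROFILE):
    """Return (event, reason) for each event the profile does not describe; no signatures involved."""
    flagged = []
    for ev in events:
        kind = ev["type"]
        if kind == "proc_start" and ev["image"] not in profile["child_procs"]:
            flagged.append((ev, "unexpected child process"))
        elif kind == "file_write" and not ev["path"].startswith(profile["file_prefixes"]):
            flagged.append((ev, "write outside the application's file areas"))
        elif kind == "reg_write" and not ev["key"].startswith(profile["reg_prefixes"]):
            flagged.append((ev, "registry write outside the application's keys"))
        elif kind == "net_connect" and ev["port"] not in profile["net_ports"]:
            flagged.append((ev, "connection on a port the application never uses"))
    return flagged

class CowLayer:
    """Copy-on-write view: reads fall through to the host base, writes land in an overlay."""
    def __init__(self, base):
        self.base, self.overlay = dict(base), {}
    def write(self, path, data):
        self.overlay[path] = data  # the host copy is never modified
    def restore(self):
        changed = sorted(self.overlay)  # what the session changed, kept as the forensic record
        self.overlay.clear()  # restore to a clean state: the overlay is simply discarded
        return changed

# Constructed session: one benign cache write, then four actions outside the profile.
EVENTS = [
    {"type": "proc_start", "image": "plugin-container.exe", "parent": "browser.exe"},
    {"type": "file_write", "path": "C:/Users/alice/AppData/Local/Browser/Cache/f1", "data": b"ok"},
    {"type": "proc_start", "image": "cmd.exe", "parent": "plugin-container.exe"},
    {"type": "file_write", "path": "C:/Users/alice/AppData/Roaming/svc.exe", "data": b"MZ"},
    {"type": "reg_write", "key": "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/svc", "data": "svc.exe"},
    {"type": "net_connect", "host": "203.0.113.5", "port": 4444},
]

def run_session(events=EVENTS):
    fs = CowLayer({"C:/Windows/System32/cmd.exe": b"host copy"})
    for ev in events:
        if ev["type"] == "file_write":
            fs.write(ev["path"], ev["data"])
    return deviations(events), fs.restore()  # flagged deviations, discarded paths
```

The discarded-path list is what an operator keeps after the container is reset: it is the forensic record of every change the session attempted on the virtual filesystem.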

Comparison: Security Efficacy

• In-memory exploitation – code that is dropped into memory by an exploit and run in the context of an authorized process, such as java.exe
• Hijacked or authorized applications – exploits are not able to hijack other processes to exfiltrate data, nor are they able to leverage system utilities to further subvert the system
• Hijacked certificates – malicious binaries signed by an authorized provider are not treated any differently than unsigned binaries. This is a critical consideration for whitelisting technology that depends on authorized publishers, and why going after these certificates is of high value to an attacker
  – http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/
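To make concrete both the “What is Whitelisting?” slide (a chained set of allow/deny rules, default deny) and the two gaps listed just above (publisher-based rules trust the certificate rather than the file, and injected code never presents a file to check), here is an added Python model of an execution whitelist. It is not the code of any vendor named on this page; the rule shapes, publisher name, paths and file contents are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Binary:
    path: str
    content: bytes
    publisher: Optional[str] = None  # signer of the file, if it carries a signature

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    kind: str    # "hash", "publisher" or "path"
    value: str

def matches(rule: Rule, b: Binary) -> bool:
    if rule.kind == "hash":
        return rule.value == b.sha256()
    if rule.kind == "publisher":
        return b.publisher is not None and rule.value == b.publisher
    return b.path.startswith(rule.value)  # "path" rules are prefix matches

def evaluate(rules: List[Rule], b: Binary) -> str:
    """Chained rule set: a matching deny wins, else a matching allow admits, else default deny."""
    hits = [r for r in rules if matches(r, b)]
    if any(r.action == "deny" for r in hits):
        return "deny"
    return "allow" if any(r.action == "allow" for r in hits) else "deny"

def enforce(rules: List[Rule], events):
    """Only file executions reach the whitelist. Code injected into an already running,
    already approved process ("inject") never presents a new file to evaluate."""
    results = []
    for ev in events:
        if ev["type"] == "exec":
            results.append((ev["binary"].path, evaluate(rules, ev["binary"])))
        else:
            results.append((ev["target"], "not evaluated"))
    return results

# Constructed sample: the approved tool, and a different file signed with the same certificate
# (the situation after a signing key is stolen from a trusted publisher).
APPROVED = Binary("C:/Program Files/Example/tool.exe", b"tool v1 build", "Example Corp")
RESIGNED = Binary("C:/Users/alice/Downloads/update.exe", b"something else", "Example Corp")
HASH_RULES = [Rule("allow", "hash", APPROVED.sha256())]
PUBLISHER_RULES = [Rule("allow", "publisher", "Example Corp")]
```

A hash rule admits only the exact file; a publisher rule admits every file the certificate signs, which is the operational convenience the slides credit whitelisting vendors with and the exposure the Bit9 incident illustrates.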

Comparison – Cost of Ownership: Whitelisting

• Deployment cost
  – Identify line of business owner
  – Cataloging of applications
  – Approve list of apps, maybe 500, maybe 5000
  – Not protected during break-in period of 6-12 months
• Operational cost
  – Review all attempts to run non-approved apps
  – What is malicious, what isn’t?
• Cleanup costs
  – Whitelisting will not clean up virus artifacts or live infections

Comparison – Cost of Ownership: App Isolation

• Deployment costs
  – Identify line of business owner and deploy
  – Make exceptions for custom or esoteric business apps that need direct access to protected applications (e.g. SSO, DLP)
• Ongoing costs
  – Quarterly software updates if desired
• Cleanup costs
  – None

Comparison – Increase of Capability

• AV/Whitelisting – Capture information about the file that was executed
• App Isolation – Capture:
  – Details about the initial point of infection (website, doc, process, etc.)
  – All attempted file and registry changes
  – All process starts, including child processes
  – Activity performed by hijacked processes
  – All network communications, including n-stage

Comparison – Increase of Capability with App Isolation

[Three slides with no extractable text.]

Cyber Kill Chain Revisited

[Figure: Cyber Kill Chain (Recon, Weapon, Delivery, Exploit, Install, Command and Control, Actions on Objectives). Current Focus: “Disrupt to kill”, marked with an X at a single stage. Revised Focus: “Isolate to thwart, delay, and record”, drawn across the chain from Recon, Weapon and Delivery through Exploit, Install, Command and Control and Actions on Objectives.]

Threat Protection Profile

[Figure mapping technologies to the protection they provide: AntiMalware and Whitelisting under Binary Protection; Containerization under App Protection.]

Optimal Reference Architecture

1. Tier 1 traditional endpoint security suite (includes firewalling, device control, encryption, and signature detection capabilities)
2. Secure containerization to remove the largest potential threat vectors on the endpoint and increase forensic capability
3. Full forensic package for any threats that are otherwise able to enter the endpoint (e.g. laterally)

Webinar Recording: http://www.invincea.com/2014/11/containerization-vs-whitelisting-12-4-webinar

Demo Request: http://www.invincea.com/get-protected/enterprise-request-form

Q&A

Thank you!

Invincea @Invincea

Darrin Mourer @DMourer

