Meet the Presenter
Darrin is a Solution Architect with Invincea specializing in advanced threat prevention, detection, and forensics. He has been involved in the information security space for over 15 years in both information security officer and vendor roles. He has held various certifications including CISSP, CISA, SANS, and ITIL. Previous to Invincea, Darrin spent over 10 years in various security leadership roles at Symantec.
Topics We’ll Cover
• Current threat curve (recap)
• Whitelisting vs. Containerization
– Security efficacy
– Total cost of ownership
– Increase of capability
• Endpoint Security Reference Architecture implications
Recap: Malware Evolution (circa 2010)
[Figure: Threat Curve circa 2010. Horizontal axis from Mass Targeting to Pinpoint Targeting; vertical axis from Low to High Sophistication. Actor groups along the curve: Script Kiddies, Lone Wolves, Organized Crime, “Hacktivists”, Nation States (Tier 2), Nation States (Tier 1). Defensive coverage bands: Anti-Virus defenses; Advanced detection and whitelisting.]
Operation DeathClick Vectors
Evade Network Sandbox & AV
• Invincea discovered a concerted campaign against US Defense companies
• Represents a blending of traditional cyber-crime techniques (malvertising) with APT targeting and objectives
• Leverages advertising networks on ad-supported web sites to compromise specific company networks
• The threat evades almost all network-based and traditional endpoint controls. There is no patch.
Anti-Virus Evasion
[Figure: attacker workflow step, captioned “Test exploit against all anti-virus vendors to guarantee no detection before attacking”.]
2014+ Changing Threat Curve
[Figure: Threat Curve (today). Horizontal axis from Mass Targeting to Pinpoint Targeting; vertical axis from Low to High Sophistication. Actor groups: Script Kiddies, Lone Wolves, Organized Crime, “Hacktivists”, Nation States (Tier 2), Nation States (Tier 1). Defensive coverage bands: Anti-Virus defenses; Advanced detection and whitelisting.]
Takeaway: Less advanced adversaries now have access to very sophisticated techniques.
New Defenses are Needed
[Figure: Threat Curve (today). Horizontal axis from Mass Targeting to Pinpoint Targeting; vertical axis from Low to High Sophistication. Actor groups: Script Kiddies, Lone Wolves, Organized Crime, “Hacktivists”, Nation States (Tier 2), Nation States (Tier 1). Defensive coverage bands: Anti-Virus defenses; Advanced detection and whitelisting; Advanced Threat Endpoint Protection.]
Whitelisting and Dynamic Application Isolation: Technical Discussion
DETECTION | PREVENTION | INTELLIGENCE
What is Whitelisting?
• Create a set of allowed file executions to run on a system
• Deny attempts to run anything not on that list
• Can be combined/chained to create simple or complex rule sets
Where is Whitelisting found?
• Integrated into the operating system
– AppLocker for Windows, App Limits for Mac
• Integrated into endpoint security packages
– McAfee, Symantec, Trend, etc.
• Standalone products
– Bit9, CoreTrace, Lumension, etc.
Comparison: Security Efficacy
• Whitelisting focuses exclusively on one aspect of the attack: preventing the execution of malicious binaries
• There is another technology that primarily focuses on the execution of malicious binaries, namely antivirus
[Figure: Cyber Kill Chain: Recon, Weaponization, Delivery, Exploit, Install, Command and Control, Actions on Objectives. Label “Disrupt to kill”, with an X marking the stage being disrupted.]
Comparison: Security Efficacy
• So can whitelisting replace AV? Sources say “no”
– http://www.networkworld.com/article/2200901/network-security/whitelisting-on-its-own-not-a-substitute-for-antivirus-software.html (NetworkWorld, Burton Group)
– http://www.infosecurity-magazine.com/news/coretrace-claims-whitelisting-no-replacement-for/ (CoreTrace, a whitelisting vendor)
– http://blogs.gartner.com/neil_macdonald/2009/03/31/will-whitelisting-eliminate-the-need-for-antivirus/ (Gartner)
Comparison: Security Efficacy
• So can application isolation replace traditional endpoint security?
– Again, the answer is “no”
• So when evaluating the security efficacy and cost of a solution, one should consider its value in relation to what else is already on the system.
– And the “what else” that is running on every system is AV
• But are all AV solutions created equal?
Comparison: Security Efficacy
• AV has not exactly been “standing still” in the last decade. Vendors have been approaching the problem in other ways, including:
– Behavioral-based detection
– Algorithmic (machine learning) detection
– File reputation
– Cloud analysis (dynamic and static)
– And even whitelisting capabilities
• Examples
– McAfee/Intel: http://www.mcafee.com/us/products/threat-intelligence-exchange.aspx
– Symantec: http://www.symantec.com/reputation-based-security
– Trend Micro: http://www.trendmicro.com/cloud-content/us/pdfs/about/ds_smart-protection-network.pdf
Comparison: Security Efficacy
• How have whitelisting vendors attempted to distance themselves from free and bundled competitors?
– Simplified profiling of the target environment
– Better reporting on all binaries in use
– Creation and maintenance of known-good and known-bad file lists by measures beyond file hashes, such as digital signatures, trusted publishers, and other characteristics
• The value, then, is simply the operational gain in managing said whitelist over free or bundled toolsets
What’s Old is New Again
• Mainframe Logical and Workload Partitioning (DLPAR / WPAR)
• Hypervisors
• Chroot and application jails
Existing Architecture
[Figure: layered host stack]
– Office Applications: Excel, Word, PowerPoint
– Browsers: IE, Firefox, Chrome
– Operating System…
– Hardware
– Host Security Controls: AV, DLP, SSO
Revised Architecture
Secure Virtual Container
– Container runs all untrusted content
– Isolates all user areas of the host filesystem
– Copy-on-Write filesystem and registry
– Low overhead
– Ecosystem interoperability
Secure Virtual Container
Protection: Attacks against the browser, plugins, or document readers are air-locked from the host operating system. Detection, kill and forensic capture occur inside the secure virtual container.
Detection: Containerized application behavior is meticulously whitelisted. Any deviation from known behavior is immediately flagged as suspicious. This means no signatures are required and 0-day threat detection is realized.
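An added illustration (not Invincea’s code or the deck’s own) of the behavioral whitelisting described under Detection: a baseline of what one containerized application is known to do, and a default-deny check that flags every recorded event outside that baseline. Process names, paths, registry keys and the event stream are constructed.

```python
from typing import Dict, List

# Constructed baseline for one containerized application: the child images it
# is known to spawn and the file/registry prefixes it is known to write under.
BASELINE: Dict[str, Dict[str, List[str]]] = {
    "browser.exe": {
        "children": ["browser.exe", "browser_helper.exe"],
        "file_prefixes": ["c:\\container\\users\\u\\appdata\\local\\browser\\"],
        "reg_prefixes": ["hkcu\\software\\browserco\\"],
    },
}

# Constructed event stream, in the shape a container monitor might emit.
EVENTS: List[Dict[str, str]] = [
    {"type": "proc_start", "parent": "browser.exe", "image": "browser_helper.exe"},
    {"type": "file_write", "process": "browser.exe",
     "target": "C:\\container\\users\\u\\AppData\\Local\\browser\\cache\\f_0001"},
    {"type": "reg_write", "process": "browser.exe",
     "target": "HKCU\\Software\\BrowserCo\\Prefs"},
    {"type": "proc_start", "parent": "browser.exe", "image": "cmd.exe"},
    {"type": "file_write", "process": "browser.exe",
     "target": "C:\\container\\users\\u\\AppData\\Roaming\\startup\\run.lnk"},
    {"type": "reg_write", "process": "browser.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
]

def deviations(events: List[Dict[str, str]], baseline=BASELINE) -> List[str]:
    """Return one reason string per event that leaves the whitelisted behavior.
    No signature is consulted: anything not in the profile is a deviation,
    and a process with no profile at all is flagged outright."""
    alerts: List[str] = []
    for e in events:
        actor = e.get("parent") or e.get("process")
        profile = baseline.get(actor)
        if profile is None:
            alerts.append(f"unprofiled process {actor}: {e['type']}")
        elif e["type"] == "proc_start":
            if e["image"] not in profile["children"]:
                alerts.append(f"{actor} spawned unexpected child {e['image']}")
        elif e["type"] in ("file_write", "reg_write"):
            key = "file_prefixes" if e["type"] == "file_write" else "reg_prefixes"
            if not any(e["target"].lower().startswith(p) for p in profile[key]):
                alerts.append(f"{actor} {e['type']} outside profile: {e['target']}")
    return alerts

if __name__ == "__main__":
    for alert in deviations(EVENTS):
        print("FLAG:", alert)
```

The three flagged events are also the forensic record the container keeps: which process deviated, how, and against what target.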
Comparison: Security Efficacy
• In-memory exploitation – Code dropped by an exploit into memory and run in the context of an authorized process, such as java.exe
• Hijacked or authorized applications – Exploits are not able to hijack other processes to exfiltrate data, nor are they able to leverage system utilities to further subvert the system
• Hijacked certificates – Malicious binaries signed by an authorized provider are not treated any differently than unsigned binaries. This is a critical consideration for whitelisting technology that depends on authorized publishers, and it is why going after these certificates is of high value to an attacker
– http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/
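An added example (not from the deck and not Invincea’s or any vendor’s product code) tying the “What is Whitelisting” rules to the hijacked-certificate point above: a default-deny execution whitelist with a hash rule and a trusted-publisher rule, where a malicious file signed with the publisher’s stolen certificate passes the publisher rule unless a revoked-certificate deny list is applied. The publisher name, certificate serials, paths and file contents are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

@dataclass
class Binary:
    """A file about to execute. signer/cert_serial stand in for the fields an
    agent would read from the file's code signature (constructed values)."""
    path: str
    content: bytes
    signer: Optional[str] = None
    cert_serial: Optional[str] = None

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

@dataclass
class ExecutionWhitelist:
    """Default-deny: run only on a hash match or a trusted-publisher match,
    and let a revoked-certificate deny list override the publisher rule."""
    allowed_hashes: Set[str] = field(default_factory=set)
    trusted_publishers: Set[str] = field(default_factory=set)
    revoked_serials: Set[str] = field(default_factory=set)

    def decide(self, b: Binary) -> Tuple[str, str]:
        if b.sha256() in self.allowed_hashes:
            return "allow", "hash rule"
        if b.signer in self.trusted_publishers:
            if b.cert_serial in self.revoked_serials:
                return "deny", "publisher trusted but certificate revoked"
            return "allow", "publisher rule: " + b.signer
        return "deny", "not on any list"

# Constructed samples: placeholder bytes, a made-up publisher and serials.
EXCEL = Binary("C:\\Office\\EXCEL.EXE", b"excel-bytes", "Contoso Corp", "01")
UPDATE = Binary("C:\\Office\\update.exe", b"update-bytes", "Contoso Corp", "02")
UNKNOWN = Binary("C:\\Users\\u\\Downloads\\game.exe", b"unknown-bytes")
# Malicious file signed with a certificate stolen from the trusted publisher.
STOLEN_CERT = Binary("C:\\Users\\u\\Downloads\\x.exe", b"evil-bytes", "Contoso Corp", "99")

def evaluate(revoke_stolen_cert: bool) -> dict:
    """Decision per sample, with or without the stolen certificate revoked."""
    policy = ExecutionWhitelist(
        allowed_hashes={EXCEL.sha256()},
        trusted_publishers={"Contoso Corp"},
        revoked_serials={"99"} if revoke_stolen_cert else set(),
    )
    return {b.path: policy.decide(b)[0] for b in (EXCEL, UPDATE, UNKNOWN, STOLEN_CERT)}
```

Without the revocation entry the publisher rule lets the stolen-certificate binary run exactly like the legitimate update; a publisher-based whitelist is only as strong as the process that revokes compromised signing keys.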
Comparison – Cost of Ownership
Whitelisting
• Deployment cost
– Identify line of business owner
– Cataloging of applications
– Approve list of apps, maybe 500, maybe 5000
– Not protected during break-in period of 6-12 months
• Operational cost
– Review all attempts to run non-approved apps
– What is malicious, what isn’t?
• Cleanup costs
– Whitelisting will not clean up virus artifacts or live infections
Comparison – Cost of Ownership
App Isolation
• Deployment costs
– Identify line of business owner and deploy
– Make exceptions for custom or esoteric business apps that need direct access to protected applications (e.g. SSO, DLP)
• Ongoing costs
– Quarterly software updates if desired
• Cleanup costs
– None
Comparison – Increase of Capability
• AV/Whitelisting – Capture information about the file that was executed
• App Isolation – Capture:
– Details about the initial point of infection (website, doc, process, etc.)
– All attempted file and registry changes
– All process starts, including child processes
– Activity performed by hijacked processes
– All network communications, including nth-stage traffic
Cyber Kill Chain Revisited
[Figure: the Cyber Kill Chain (Recon, Weaponization, Delivery, Exploit, Install, Command and Control, Actions on Objectives) drawn twice. Current Focus: “Disrupt to kill”, with an X marking the stage being disrupted. Revised Focus: “Isolate to thwart, delay, and record”, with the chain drawn again and split after Delivery.]
Optimal Reference Architecture
1. Tier 1 traditional endpoint security suite (includes firewalling, device control, encryption, and signature detection capabilities)
2. Secure containerization to remove the largest potential threat vectors on the endpoint and increase forensic capability
3. Full forensic package for any threats that are otherwise able to enter the endpoint (e.g. laterally)
Webinar Recording: http://www.invincea.com/2014/11/containerization-vs-whitelisting-12-4-webinar
Demo Request: http://www.invincea.com/get-protected/enterprise-request-form
Q&A