Presentation on theme: "“Trends in Endpoint Security” by Richard Lau 29 September 2005"— Presentation transcript:
Slide 1: “Trends in Endpoint Security” by Richard Lau, 29 September 2005
Slide 2: Agenda
- The Challenges: Market, Technical, Regulatory
- Trends and Key Developments
- Requirements of Endpoint Security
- Case Study
- Conclusions
Slide 3: Business Impact of Multi-Layered Attacks
- Average worm: $2 million in lost revenue per incident per victim (Aberdeen Group)
- Code Red: 700,000 machines infected; $2-2.9 billion in damage; $200 million in damage per day during attacks (Computer Economics)
- Worst-case worm: $50 billion in U.S. damage alone (International Computer Science Institute)
Slide 4: Enterprise Protection Problem
- Complexity: increasingly complex IT infrastructure; diverse devices, access points, users, agents, applications
- Vulnerability: exploits attack every layer (operating system, application, network, device) and spread faster than patches or signatures
- Lack of control: difficult to control without curtailing benefits (wireless, guests, outsourcing, mobility, USB, IM, rogues)
- Inefficiency: traditional security products aren't effective (99% have AV, yet 68% get viruses); a new agent for every threat, poor management, no integration
- You have to choose between security and productivity
Slide 6: The Problems: Compromised and Rogue Devices
- 20 percent of the systems that operations, network and security admins know about are compromised: misused, misconfigured, or exposed to malicious access (Gartner)
- 20% of the IP addresses in use on a corporate network are ones the network admins know nothing about (Gartner)
- Virus and worm events can cost IT staffs upwards of $250 per infected system
- The typical American enterprise spent $200K on worm attacks
Slide 7: Vulnerability-Exploit Gap Decreasing
Chart: days until first attack, measured from the date the vulnerability was announced; red = exploit appeared in less than 30 days. Data points annotated on the chart: 5 variants, 359,000 machines infected; 75 variants, 500,000+ machines infected; 17 variants, 1,000,000+ machines infected.
Key points:
- Overall, the threat against servers is increasing, not decreasing
- Server threats are increasing in frequency
- The speed of attack is also increasing dramatically, down to as little as one day between disclosure and worm (Witty worm)
- The number of variants of new worms is increasing
- The average number of infected servers per attack is increasing
In short: more frequent, more variants, more sophisticated, shorter time delay, faster propagation, more destructive.
Slide 8: Traditional Security Has Not Blocked Attacks (example: zero-day worm)
Technologies compared on the slide: perimeter firewalls, network intrusion detection, system hardening, host-based security, basic personal firewall, patch management solutions, anti-virus. Their limits:
- Damage is done by the time the virus definition is deployed
- Can't block access to ports used for legitimate purposes
- Packet scanning is only effective against recognizable signatures
- Window of vulnerability before the patch is applied
- Not effective against unknown attacks
- Can't lock down the system enough to prevent worms from acting like authorized applications or traffic
- Can only reliably detect worms after they have compromised some systems and are actively spreading
Comprehensive NAC and host-based intrusion prevention systems are required.
Speaker notes: Current solutions have limits; the next slide shows how we address those limits. System Hardening: what does “basic” security measures mean? I don’t understand this ‘limitation’. Host-Based Security: what does “designed for other purposes” mean? “Setting up and tuning… is difficult and error-prone” is an absurd ‘product-specific’ assertion. Key points: Even though security administrators have tried everything, memory-based attacks are still getting through. Explain how a modern-day attack gets through all of the existing security measures. Existing technologies only provide partial protection (50%?).
Slide 9: LAN Security Challenges
- The LAN edge represents the largest area of vulnerability
- Need to consider securing next-generation devices
Scenarios shown: opening an infected attachment from hotmail.com; a guest user; a rogue device; a mobile user who brought a virus with them.
Slide 10: VPN Security Challenges
- Rogue device elimination
- Security policy compliance
- Non-compliant VPN-connected systems may infect the corporate network
- Unprotected systems can be used to launch man-in-the-middle attacks on IPSec VPNs
- “Dirty” public systems may contain malware, keyloggers, and other privacy threats
Speaker notes: When we talk to C-level executives about security they are concerned about two things: rogues and regulations.
1. They want to eliminate rogues so their networks and computers are protected from hackers and thieves. Rogues are: good computers gone bad (out of compliance, and thereby offering vulnerabilities that can be exploited); good employees gone bad; or computers manned by hackers or thieves to exploit other systems.
2. They want to comply with regulations so that they don’t get unwanted attention from their shareholders or the press, or fines from the government.
Our solution solves both concerns by ensuring continuous compliance. Continuous compliance means that at every minute of every day your computers are fully compliant with all of the appropriate security policies and protected from rogues regardless of: whether that computer is within the four walls of their company or roaming the globe; whether that computer is connected to the corporate network or not; whether it is connected via wireless, dial-up, DSL, VPN or Ethernet; and what application is being used.
Slide 11: Regulatory Challenges
Increasing government or industry regulations are presenting new challenges to IT organizations, especially in the financial and health care sectors, e.g. HIPAA, SOX, Basel II, etc.
- How can I ensure continuous compliance?
- How do I know that patient-confidential information is protected?
- Can I demonstrate Sarbanes-Oxley (SOX) compliance?
- What can I do to prevent regulatory violations?
- How can I ensure that my users are not violating use policies?
Slide 12: Business Compromised
- Companies lose production systems: revenue is compromised.
- Companies lose customer credit card numbers: relationships are compromised.
- Companies lose software source code: product lines are compromised.
- Companies lose copyrighted material: shareholders are compromised.
- Companies lose employee productivity: profitability is compromised.
Slide 13: Agenda
- The Challenges: Market, Technical, Regulatory
- Trends and Key Developments
- Requirements of Endpoint Security
- Case Study
- Conclusions
Slide 15: Continuous Compliance Model
Diagram: a security policy can either rely on user discipline or be backed by system enforcement.
Slide 16: Network Access Control Process
Diagram, starting from the security policy:
1. Define policy
2. Discover policy compliance: agent, on-demand agent, network interrogation
3. Enforce network access control: LAN, DHCP and Gateway Enforcers; self-enforcement; infrastructure integration through a Universal Enforcement API
4. Remediate non-compliant endpoints
5. Continuous monitoring
Speaker notes: We address limits of current solutions by implementing a process to ensure compliance on contact and a solution that covers all endpoints and access points; then we lay on our special sauce (HIPS).
Slide 17: Key Developments – Network Access Control
- Gartner created a reference design for Network Access Control
- Cisco has announced Network Admission Control
- Microsoft has announced Network Access Protection
- The Trusted Computing Group has announced Trusted Network Connect
- The 802.1X standard
Slide 18: Gartner – Network Access Control
- Policy: outlines the security configurations you wish to enforce as a prerequisite for network access, including patches, AV, custom security software, or special configurations
- Baseline: used to compare systems connecting to the network with the configured policy
- Access control: gives the connecting system the appropriate level of network access
- Quarantine: systems exhibiting anomalous behavior must be sent into a quarantine area
- Remediation: brings the system into compliance
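The five steps above, worked through as an added example; this is not Gartner's or Sygate's code. A policy is a list of host-integrity rules, the baseline step compares them against what the connecting endpoint reports, the result is an access decision (full or quarantine), and a remediation pass is followed by a re-check. The rule names, the report fields, the evaluation date, the patch identifier KB-EXAMPLE-1 and the sample reports are all constructed for illustration:

```python
"""Policy -> baseline comparison -> access decision -> remediation -> re-check.
Added example; not Gartner's or Sygate's code. All names and data assumed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, List

TODAY = date(2005, 9, 29)          # assumed evaluation date
MAX_DEFS_AGE = timedelta(days=7)   # assumed freshness requirement for AV definitions

@dataclass
class Rule:
    name: str
    check: Callable[[dict], bool]  # endpoint report -> passed?
    remediation: str               # action queued when the check fails
    required: bool = True          # False: advisory only, never quarantines

@dataclass
class Decision:
    access: str                                   # "full" or "quarantine"
    failed: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)

# Policy: the configuration a system must show before it gets network access.
POLICY = [
    Rule("av_running",    lambda r: r["av_running"] is True, "start antivirus service"),
    Rule("av_defs_fresh", lambda r: TODAY - r["av_defs_date"] <= MAX_DEFS_AGE,
         "update antivirus definitions"),
    Rule("firewall_on",   lambda r: r["firewall_on"] is True, "enable personal firewall"),
    Rule("patch_present", lambda r: "KB-EXAMPLE-1" in r["patches"],   # hypothetical patch id
         "install KB-EXAMPLE-1 from remediation server"),
    Rule("screen_lock",   lambda r: r["screen_lock_minutes"] <= 15,
         "set screen lock timeout", required=False),
]

def evaluate(report: dict, policy=POLICY) -> Decision:
    """Baseline step: compare the endpoint's self-report with every rule.
    A missing or malformed field counts as a failure, so an empty report
    (no agent answered) fails everything and lands in quarantine."""
    decision = Decision(access="full")
    for rule in policy:
        try:
            passed = bool(rule.check(report))
        except (KeyError, TypeError):
            passed = False
        if not passed:
            decision.failed.append(rule.name)
            decision.remediation.append(rule.remediation)
            if rule.required:
                decision.access = "quarantine"
    return decision

def simulated_fix(report: dict, action: str) -> None:
    """Stand-in for the remediation server: update the report as if the
    queued action had been carried out on the endpoint."""
    if action == "start antivirus service":
        report["av_running"] = True
    elif action == "update antivirus definitions":
        report["av_defs_date"] = TODAY
    elif action == "enable personal firewall":
        report["firewall_on"] = True
    elif action.startswith("install KB-EXAMPLE-1"):
        report.setdefault("patches", []).append("KB-EXAMPLE-1")
    # the advisory screen-lock action is deliberately left to the user

def remediate_and_recheck(report: dict, apply_fix=simulated_fix) -> Decision:
    """Remediation step: run every queued action on a copy of the report,
    then re-evaluate. The host stays quarantined until all required rules pass."""
    fixed = {k: (list(v) if isinstance(v, list) else v) for k, v in report.items()}
    for action in evaluate(fixed).remediation:
        apply_fix(fixed, action)
    return evaluate(fixed)

# Constructed sample reports
COMPLIANT_DESKTOP = {"av_running": True, "av_defs_date": TODAY - timedelta(days=1),
                     "firewall_on": True, "patches": ["KB-EXAMPLE-1"],
                     "screen_lock_minutes": 10}
STALE_LAPTOP = {"av_running": True, "av_defs_date": TODAY - timedelta(days=30),
                "firewall_on": False, "patches": [], "screen_lock_minutes": 60}
NO_AGENT = {}   # nothing answered the interrogation

if __name__ == "__main__":
    for label, rep in [("desktop", COMPLIANT_DESKTOP), ("laptop", STALE_LAPTOP), ("no agent", NO_AGENT)]:
        print(label, evaluate(rep))
    print("laptop after remediation", remediate_and_recheck(STALE_LAPTOP))
```

The advisory rule shows the distinction a real policy needs: a non-compliant screen-lock setting is reported and queued for remediation but never blocks access, whereas any required rule failing, or no agent answering at all, puts the system in quarantine.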
Slide 19: Cisco’s NAC
- A closed, “invitation only” architecture for protecting Cisco infrastructures only
- Requires end-to-end Cisco to be effective
- LAN enforcement will not be available until later this year
- Rounded up some AV vendors’ support
Slide 20: Cisco NAC Components and Decision-Making Flow
1. Individual agents (AV agent, firewall agent, OS agent) report status to the Cisco Trust Agent (CTA).
2. CTA delivers the status to the Cisco ACS server.
3. ACS checks the configured policy version for each policy.
4. Based on the results, ACS returns the access decision and the NAC-enabled router is provisioned accordingly.
Slide 21: Layer 3 Protection Is Not Complete
Diagram: a Cisco NAC-enabled router (Layer 3) stops the infection at the router, but a mobile user still spreads the infection on his own Layer 2 segment.
Slide 22: Sygate Simplifies CNAC
1. The Sygate agent collects all compliance information (one posture source in place of separate AV, firewall and OS agents) and hands it to the Cisco Trust Agent.
2. CTA delivers it to the Cisco ACS server.
3. ACS checks the configured Sygate policy version.
4. Based on the results, ACS returns the access decision and the router is provisioned accordingly.
Slide 26: Microsoft’s NAP
- A more open program, but designed to protect the Microsoft ecosystem only
- Open to participation by any network infrastructure vendor
- No plans for any support for non-Microsoft OS
- Available with Longhorn Server, sometime in 2006
Slide 27: Trusted Computing Group
- Standards organization focused on computer system security; over 50 members
- Developing an open standard (Trusted Network Connect) for any operating system and network infrastructure
- Completely open, anyone can join
- Specification available early 2005
- Also developed a hardware chip specification (the Trusted Platform Module) to: help ensure the authenticity of hardware and prove system identity; protect systems from executing software that has become corrupted or hacked
Slide 28: What is 802.1X
- 802.1X is an IEEE standard for port-based access control on wired and wireless LANs; it provides a means of authenticating and authorizing a device before it is allowed to use a LAN port.
- It carries the Extensible Authentication Protocol (EAP, an IETF standard, RFC 3748) over the LAN; the switch or access point relays the EAP exchange to a central authentication server (typically RADIUS), which authenticates each user or device.
- Layer 2 protocol: 802.1X authentication completes before the port is opened, i.e. before the client obtains an IP address and TCP/IP connectivity is established.
Slide 29: Purpose of 802.1X
- Authenticate the user or computer at the network level
- Block unauthorized computers from accessing the network
- Provide different levels of authentication and encryption security based on the administrator’s decision and network needs
- Most vendors have extended 802.1X beyond the IEEE definition
Slide 30: Enforcement with 802.1X
Diagram: the client presents login credentials over 802.1X and EAP to the switch; the Sygate LAN Enforcer relays them to the RADIUS server and returns permit or deny; the Sygate Management Server (SMS) and a remediation server sit behind the enforcer; the Internet is reachable only after a permit.
Slide 31: 802.1X NAC Solution
- Most secure LAN solution
- Standards-based; nearly all vendors support it
Flow: the wired user’s system sends its NAC status (or NAC status plus user credentials) via EAP; the Ethernet switch forwards the exchange to the LAN Enforcer (LE); the LE checks the user login against the RADIUS server and the NAC status against the Sygate Policy Server; the LAN Enforcer then connects the system to the corporate network or to the quarantine network, where the quarantine patch server lives.
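The LAN Enforcer decision on the slide above, as an added example that is not Sygate's or any vendor's code. The enforcer forwards the user login to the real RADIUS server, then chooses the VLAN from the host-integrity status the agent reported inside EAP, and hands the switch that choice in the RFC 3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = VLAN name) that 802.1X-capable switches act on. The VLAN names, the policy version and the sample exchanges are constructed; RADIUS packets are represented as dicts rather than encoded on the wire:

```python
"""802.1X NAC enforcement decision for one port. Added example; not vendor
code. VLAN names, policy versions and sample exchanges are assumed."""
from typing import Optional

# RFC 2868 attribute values that RFC 3580 uses for VLAN assignment
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_802 = 6

CORPORATE_VLAN = "corp"          # assumed VLAN names configured on the switch
QUARANTINE_VLAN = "quarantine"   # only the patch/remediation server is reachable here

def vlan_attributes(vlan_name: str) -> dict:
    """The attributes a switch maps to 'put this port in VLAN <name>'."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_802,
            "Tunnel-Private-Group-ID": vlan_name}

def enforce(radius_reply: Optional[dict], nac_status: Optional[dict],
            current_policy: str) -> dict:
    """Build the reply the enforcer returns to the switch.

    radius_reply:   the back-end RADIUS server's answer for the user's credentials
                    ({"code": "Access-Accept" | "Access-Reject", "attributes": {...}}),
                    or None when the port is configured for NAC status only
    nac_status:     the agent's report carried in EAP ({"host_integrity": "pass" | "fail",
                    "policy_version": ...}), or None when no agent answered
    current_policy: the policy version the policy server currently publishes
    """
    if radius_reply is not None and radius_reply.get("code") != "Access-Accept":
        # Unknown user or bad password: the port stays closed, no VLAN at all.
        return {"code": "Access-Reject", "attributes": {}}

    attrs = dict((radius_reply or {}).get("attributes", {}))   # keep e.g. Session-Timeout
    compliant = (nac_status is not None
                 and nac_status.get("host_integrity") == "pass"
                 and nac_status.get("policy_version") == current_policy)
    # A valid login on a failed, stale-policy or agentless host still gets link,
    # but only into the quarantine VLAN where it can remediate.
    attrs.update(vlan_attributes(CORPORATE_VLAN if compliant else QUARANTINE_VLAN))
    return {"code": "Access-Accept", "attributes": attrs}

def assigned_vlan(reply: dict) -> Optional[str]:
    """The VLAN the switch would apply, or None when the port was rejected."""
    return reply["attributes"].get("Tunnel-Private-Group-ID")

# Constructed sample inputs
RADIUS_ACCEPT = {"code": "Access-Accept", "attributes": {"Session-Timeout": 3600}}
RADIUS_REJECT = {"code": "Access-Reject", "attributes": {}}
AGENT_OK     = {"host_integrity": "pass", "policy_version": "v42"}
AGENT_STALE  = {"host_integrity": "pass", "policy_version": "v41"}   # old policy on the agent
AGENT_FAILED = {"host_integrity": "fail", "policy_version": "v42"}

if __name__ == "__main__":
    cases = [("managed, compliant", RADIUS_ACCEPT, AGENT_OK),
             ("managed, stale policy", RADIUS_ACCEPT, AGENT_STALE),
             ("managed, failed check", RADIUS_ACCEPT, AGENT_FAILED),
             ("valid login, no agent", RADIUS_ACCEPT, None),
             ("bad login", RADIUS_REJECT, AGENT_OK),
             ("NAC-only port, compliant", None, AGENT_OK)]
    for label, radius, agent in cases:
        reply = enforce(radius, agent, "v42")
        print(f"{label:26s} -> {reply['code']} VLAN={assigned_vlan(reply)}")
```

Two points worth checking in any real deployment show up in the cases: a host whose agent passed under an older policy version is still quarantined (the check was done against rules the policy server has since changed), and an authentication failure must produce an Access-Reject with no VLAN at all rather than a quarantine VLAN, since an unknown user has no business on the remediation network either.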
Slide 32: How DHCP Enforcement Works
- Systems connecting to the network get a DHCP lease with a short lease time in a “quarantine address space” (a secondary IP space, or DHCP route filters)
- The DHCP Enforcer checks for the Sygate Security Agent (SSA) and its status
- If the agent is present and the system is up to date, the DHCP Enforcer gives the system a new address in the normal address space
- If there is no agent, the system remains in the quarantine address space
- Exceptions are provided by OS type and MAC address
Slide 33: DHCP NAC Solution – In Compliance
Flow (mobile, wireless and wired users, Ethernet switch, DHCP server, DHCP Enforcer):
1. DHCP request from the client
2. Unknown system: the DHCP server sends route filters or a quarantine address
3. The DHCP Enforcer probes for the agent and its policy status
4. On pass, the enforcer triggers a release/renew
5. Second DHCP request: compliant, so the server sends a regular address
Slide 34: New DHCP NAC Solution – Out of Compliance
Flow (mobile, wireless and wired users, Ethernet switch, DHCP server, DHCP Enforcer, remediation server):
1. DHCP request from the client
2. Unknown system: the DHCP server sends route filters
3. The DHCP Enforcer probes for the agent and its policy status
4. On failure, the enforcer triggers remediation and the remediation server performs the remediation action
5. Upon completion, the enforcer triggers a release/renew
6. Second DHCP request: now compliant, so the route filters are removed
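The two DHCP flows above (in compliance and out of compliance), simulated as an added example that is not Sygate's code. An unknown client first gets a short lease in the quarantine range, the enforcer probes it for an agent and policy status, and only a compliant (or successfully remediated, or exception-listed) client is re-leased from the production range on its next release/renew. The address ranges, lease times, MAC addresses, OS fingerprint input and agent replies are constructed; the quarantine is modelled as a secondary IP space rather than route filters:

```python
"""DHCP enforcer state machine. Added example; not Sygate's code.
Address ranges, lease times, MACs and agent replies are assumed."""
from ipaddress import ip_address, ip_network

QUARANTINE_POOL = ip_network("192.0.2.0/24")      # assumed quarantine address space
PRODUCTION_POOL = ip_network("198.51.100.0/24")   # assumed normal address space
QUARANTINE_LEASE = 60                             # seconds: short, so a fixed host re-leases fast
PRODUCTION_LEASE = 8 * 3600

# Exceptions: devices that can never carry an agent skip the check, identified
# by MAC address or by OS type when the enforcer can fingerprint the host
# (the fingerprinting itself is outside this example).
MAC_EXCEPTIONS = {"00:00:5e:00:53:01"}            # assumed network printer
OS_EXCEPTIONS = {"printer", "voip-phone"}

def pool_name(ip: str) -> str:
    return "production" if ip_address(ip) in PRODUCTION_POOL else "quarantine"

class DhcpEnforcer:
    def __init__(self):
        self.verified = set(MAC_EXCEPTIONS)     # MACs allowed into production
        self._next = {QUARANTINE_POOL: 10, PRODUCTION_POOL: 10}   # next host offset per pool

    def _allocate(self, pool) -> str:
        host = pool[self._next[pool]]           # next unused host address in the pool
        self._next[pool] += 1
        return str(host)

    def request(self, mac: str) -> tuple:
        """Answer a DHCP request with (address, lease seconds). Anything the
        enforcer has not verified lands in quarantine, even on a second try."""
        if mac in self.verified:
            return self._allocate(PRODUCTION_POOL), PRODUCTION_LEASE
        return self._allocate(QUARANTINE_POOL), QUARANTINE_LEASE

    def probe(self, mac: str, agent_reply, os_type: str = "unknown") -> str:
        """Run after the quarantine lease is handed out. agent_reply is what the
        agent answered (None if nothing answered). Returns the action triggered:
        release/renew on pass, remediation on fail, nothing if no agent."""
        if os_type in OS_EXCEPTIONS:
            self.verified.add(mac)
            return "release-renew"
        if agent_reply is None:
            return "stay-quarantined"           # no agent, nothing to remediate with
        if agent_reply.get("compliant"):
            self.verified.add(mac)
            return "release-renew"
        return "remediate"

    def remediation_done(self, mac: str) -> str:
        """The remediation server reports completion; the host is released."""
        self.verified.add(mac)
        return "release-renew"

def walk_through(enforcer: DhcpEnforcer, mac: str, agent_reply,
                 os_type: str = "unknown", remediation_succeeds: bool = True) -> str:
    """Drive one client through request -> probe -> (remediate) -> renew and
    return the pool it ends up in."""
    addr, _ = enforcer.request(mac)
    action = enforcer.probe(mac, agent_reply, os_type)
    if action == "remediate" and remediation_succeeds:
        action = enforcer.remediation_done(mac)
    if action == "release-renew":
        addr, _ = enforcer.request(mac)
    return pool_name(addr)

if __name__ == "__main__":
    e = DhcpEnforcer()
    print("compliant laptop  ->", walk_through(e, "00:00:5e:00:53:aa", {"compliant": True}))
    print("no agent          ->", walk_through(e, "00:00:5e:00:53:bb", None))
    print("fixed after fail  ->", walk_through(e, "00:00:5e:00:53:cc", {"compliant": False}))
    print("fix failed        ->", walk_through(e, "00:00:5e:00:53:dd", {"compliant": False},
                                                remediation_succeeds=False))
    print("printer exception ->", walk_through(e, "00:00:5e:00:53:01", None, os_type="printer"))
```

The short quarantine lease is what makes the scheme usable: the enforcer never has to reach into the client to change its address, it only has to wait for the next renew, and a host that loses its agent later drops back into quarantine the next time it has to renew and the probe fails. The exception list is also the weak point, since anything that can spoof an excepted MAC (or look like a printer to the fingerprinter) bypasses the check.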
Slide 36: Ubiquitous Enforcement Requires On-Demand Enforcement Capability
- Not all systems on a network can have agents installed
- Not all systems on a network are owned by the company
- Guests may require safe network access
- Information must be protected when employees access it via third-party devices: Internet kiosks, hotel business centers, home PCs
Slide 37: On-Demand Value
Problem:
- Theft of data from unmanaged devices
- Unprotected or compromised devices connecting to the enterprise via web infrastructure
- Delivering endpoint security to unmanaged devices (contractors, kiosks, home machines)
Solution:
- Protects confidential data by creating a secure environment that provides encryption and file deletion upon session termination
- Protection from viruses and worms by enforcing AV and personal firewall via Host Integrity
- Lower TCO by delivering endpoint protection on demand via the existing web infrastructure
Slide 38: The Market in Which SODA Plays
Gartner has defined the market. Its six critical requirements for on-demand security, and the Sygate On-Demand (SODA) component that addresses each:
- Client integrity checkers: SODA Host Integrity
- Browser cache file cleanup: SODA Cache Cleaner
- Behavioral malicious code scanners: SODA Malicious Code Prevention
- Personal firewall mini-engines: SODA Connection Control
- Protected virtual user sessions: SODA Virtual Desktop
- Dynamic user access policies: SODA Adaptive Policies
Source: “Access From Anywhere Drives Innovation for On-Demand Security”, Gartner, ID Number: G, March 21, 2005.
Slide 40: When Do You Need On-Demand?
Matrix of application types against user types. Application types: thin client/server applications (Terminal Services, Citrix); web-based applications (SSL VPN, guest wireless, webmail, enterprise web apps such as ERP/CRM, online banking/e-commerce); traditional client/server applications; file share. User types: public kiosk, traveling executives, partner extranet.
Slide 41: Citrix
Business drivers: speed application deployment; access from anywhere; access from any device.
Data at risk: Citrix login password; screen images; browser history.
Slide 42: HR/Financial/Partner Portals
Business drivers: web-based access to payroll and employee information; eliminate the cost of printing and mailing paychecks.
Data at risk: portal login password; PDF paycheck stub; payroll system.
Slide 43: Architecture – How It Works
Setup: the administrator creates the Sygate On-Demand Agent in the Sygate On-Demand Manager and uploads it to the login page of the SSL VPN or web application.
Session flow:
1. The user connects to the login page.
2. The Sygate On-Demand Agent downloads (Java).
3. The Sygate On-Demand Agent verifies host integrity.
4. The Sygate On-Demand Agent adapts policies to the environment.
5. If compliant, On-Demand launches the Virtual Desktop or Cache Cleaner, which then launches the login process.
6. The user logs into the SSL VPN or web application and gets access to the network; the user can securely download, view, modify, and upload corporate information.
7. Upon inactivity or closing, the Virtual Desktop is closed and its data erased.
Other diagram elements: Sygate Enforcer, RADIUS, remediation, correlator, web applications; an adaptive policy table keyed on network location and device type (internal LAN / guest laptop; public Internet / kiosk; home network / employee home; airport WLAN / corporate-owned device running SSA), with policies such as VD, HI; VD, HI, persistent; and trusted; host integrity rules with a status column (patch updated, service pack updated, personal firewall on, anti-virus updated, anti-virus on); and a discovery engine inventory (802.1X switch, firewall, ATM, printer, wireless, workstation, IPSec VPN, kiosk, guest, SSL VPN, hotel, traveling executive, partner).
Slide 44: Sygate On-Demand Qualification
Enterprises providing access to corporate information through web applications:
- Webmail: Outlook Web Access and Lotus iNotes
- SSL VPN: NetScreen, Aventail, Nortel, Netilla
- Citrix
- Portals: financial, HR, partner
- Web CRM: Siebel
- Financial applications: SAP financials
Critical qualification information:
- What are the web applications in use?
- What are the different types of users and devices?
- Do they want different policies for different situations?
- Do they want to check the security of the computer before allowing access?
Slide 45: SSL VPN
Business drivers: low-cost remote access; access from anywhere.
Data at risk: SSL VPN login password; shared files; application data.
(Same application/user matrix as slide 40: thin client/server applications, web-based applications, traditional client/server applications, file share; public kiosk, traveling executives, partner extranet.)
Slide 46: Securing Remote Access with SSL VPN
Diagram: managed and unmanaged devices connect across the Internet (WWW) to the SSL VPN, which fronts the private network and the protected network resource, application, or service; the VPN binds the session to an access policy based on the scan result.
- Managed device: the Sygate Security Agent (part of Sygate Secure Enterprise) is pre-installed to provide firewall, intrusion prevention, and policy enforcement. The Juniper Host Checker verifies that the Sygate Security Agent is running.
- Unmanaged device: the Sygate On-Demand Agent (part of Sygate On-Demand) is uploaded to the NetScreen Host Checker, either through the customer UI or packaged as a Host Checker package using the NHC Server API extensions. The user connects to the SSL VPN and is subject to a host integrity check; the Sygate On-Demand Agent checks host integrity and installs the Cache Cleaner or Virtual Desktop.
Slide 47: Agenda
- The Challenges: Market, Technical, Regulatory
- Trends and Key Developments
- Requirements of Endpoint Security
- Case Study
- Conclusions
Slide 48: Enterprise Protection
Problem: networks and endpoints are vulnerable, causing propagation of malicious code, leakage of sensitive information, lost user productivity, and increased support costs.
Solution: safeguard computers, networks, and data by:
- Ridding the network of non-compliant endpoints with NAC
- Ensuring Compliance on Contact™ across all entry points
- Protecting endpoints with host intrusion prevention
Speaker notes: Here’s a bit more color. If you’re going to implement Continuous Compliance for strategic advantage, you need to design a solution that has the capability to cover everything. Sygate offers agents which deliver Continuous Compliance for corporate-issued equipment. We have virtual agents for devices you can’t put agents on, such as partner or employee home equipment or kiosks. We also have a new product that scans things that are fundamentally unagentable, like printers or medical equipment, or any IP-addressable device that could expose a corporate network to damage or loss. And again, the solution works on devices outside the LAN and inside.
Three products, one solution: eliminate compromised devices from the corporate network.
- Sygate Secure Enterprise (SSE), for managed devices: agents run on corporate-owned devices to ensure compliance
- Sygate Security Portal (SSP), for unmanaged devices: a downloadable agent checks partners’, contractors’ and vendors’ devices before allowing them to connect to the corporate network
- New Sygate solution, for unmanageable devices: discovers devices and checks their compliance levels
Segue: Finally, it isn’t strategic if it can’t be amortized across multiple challenges, if it doesn’t get you ahead of the game. Let’s look at each one of these products in more detail.
Slide 50: Enterprise End-Point Device Protection Features
- Host Intrusion Prevention System (HIPS)
- Network Access Control (NAC)
- Adaptive Policies
- End-Point Intrusion Prevention
- End-Point Firewall
Slide 51: HIPS & The Vulnerability Lifecycle
Timeline: vulnerability discovered, exploit released, patch available, patch deployed. Intervals marked on the chart: 0-200 days, 14-90 days, and 3 days to never (patch deployment). Protection layers shown against the timeline: Network Access Control; behavioral (HIPS) and white list (firewall); blacklist (anti-virus and IDS signatures); patches.
Slide 52: Host Intrusion Prevention System
Protection layer | Black list method | White list method | Behavior method
Network | Code Red | Personal firewall | ARP poisoning
Application | SQL Slammer | Allow only browser | Block IIS buffer overflow
OS | Blaster signature | Prevent malware from creating accounts | Block OS buffer overflow (RPC DCOM)
Device | Block iPod, USB key | Allow only mice and keyboards | Block read/write/execute by device and location
Slide 56: Network Access Control
Problem: insecure endpoints connecting to networks result in malicious code propagation, theft of sensitive information, and exposure to regulatory penalties.
Solution: NAC protects enterprise networks by:
- Discovering endpoints and their compliance with security policies
- Enforcing network access throughout the entire network
- Remediating non-compliant endpoints
- Monitoring the network continuously
Slide 57: Enterprise NAC Requirements
- Pervasive endpoint coverage: managed laptops, desktops, servers; unmanaged guests, contractors, home computers
- Central, scalable, flexible policy management: distributed servers, redundancy, database replication, AD integration
- Universal enforcement: (W)LAN, IPSec VPN, SSL VPN, web portal
- Integration with existing and emerging standards: 802.1X, Cisco NAC, Microsoft NAP, TCG’s TNC
- Automated remediation process: no user intervention required
- Learning mode and discovery tools
Slide 58: Endpoint Intrusion Prevention
- Intrusion prevention protects against known attacks on services that are required
- Runs “behind the firewall” to increase system protection
- Uses signatures to match known attacks, reducing the occurrence of false positives
- Examples: SQL Slammer, Code Red
- Must log security events
Diagram: the firewall sits in front of the IDP engine; a Code Red request is blocked, a valid request passes.
Slide 59: Endpoint Firewall Requirements
- Packet filtering: closes ports that are not required but left open by default (Windows Messenger, SQL, etc.)
- Stateful packet inspection: blocks inbound packets that do not correspond to established flows; protects open ports from attack; blocks protocol-based attacks
- Must operate both inbound and outbound: blocks unauthorized outbound communications
- Must log security events
Diagram: a Slammer exploit aimed at SQL port 1434/udp is blocked; Messenger spam aimed at Messenger port 6891/tcp is blocked; a user request goes out and the permitted response comes back, while an unexpected response is blocked at the firewall.
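The four requirements on the slide above, implemented as an added example that is not Sygate's code: static packet filtering that closes ports left open by default, stateful inspection that admits an inbound packet only when it answers a flow this host opened, an outbound white list, and an event log of every drop. The host address, the port lists and the sample packets (including a Slammer probe at 1434/udp and a spoofed DNS reply) are constructed; flow matching is modelled on the 4-tuple only, which is exact for UDP, while a real TCP tracker also follows the handshake and sequence numbers:

```python
"""Endpoint firewall: port filtering + stateful inspection + outbound control
+ event log, run over constructed packets. Added example; not Sygate's code."""
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src_ip src_port dst_ip dst_port")
HOST = "203.0.113.7"          # assumed address of the protected endpoint

# Packet filtering: services listening by default that this host does not need.
BLOCKED_LOCAL_PORTS = {
    ("udp", 1434),   # SQL Server resolution service, the Slammer target
    ("tcp", 6891),   # Messenger port as listed on the slide
}
# Outbound white list: the only destination services applications may open.
ALLOWED_OUTBOUND = {("udp", 53), ("tcp", 80), ("tcp", 443)}

class StatefulFirewall:
    def __init__(self):
        # (proto, local_port, remote_ip, remote_port) for every flow this host opened
        self.flows = set()
        self.events = []      # (verdict, packet) for every drop, the slide's "must log"

    def filter(self, p: Packet) -> str:
        verdict = self._decide(p)
        if verdict.startswith("drop"):
            self.events.append((verdict, p))
        return verdict

    def _decide(self, p: Packet) -> str:
        if p.direction == "out":
            if (p.proto, p.dst_port) not in ALLOWED_OUTBOUND:
                return "drop: unauthorized outbound"
            self.flows.add((p.proto, p.src_port, p.dst_ip, p.dst_port))
            return "permit"
        # inbound: closed ports first, then only replies to flows we opened
        if (p.proto, p.dst_port) in BLOCKED_LOCAL_PORTS:
            return "drop: closed port"
        if (p.proto, p.dst_port, p.src_ip, p.src_port) in self.flows:
            return "permit: reply to established flow"
        return "drop: no matching flow"

    def filter_all(self, packets) -> list:
        return [self.filter(p) for p in packets]

# Constructed sample traffic, in arrival order
SAMPLE_TRAFFIC = [
    Packet("in",  "udp", "192.0.2.9",     1031,  HOST, 1434),            # Slammer probe
    Packet("in",  "tcp", "192.0.2.9",     4444,  HOST, 6891),            # Messenger spam
    Packet("out", "udp", HOST,            50123, "198.51.100.53", 53),   # DNS query
    Packet("in",  "udp", "198.51.100.53", 53,    HOST, 50123),           # its answer
    Packet("in",  "udp", "192.0.2.66",    53,    HOST, 50123),           # spoofed "answer" from elsewhere
    Packet("out", "tcp", HOST,            50124, "192.0.2.99", 6667),    # bot beaconing to IRC
]

if __name__ == "__main__":
    fw = StatefulFirewall()
    for pkt, verdict in zip(SAMPLE_TRAFFIC, fw.filter_all(SAMPLE_TRAFFIC)):
        print(f"{pkt.direction:3s} {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> "
              f"{pkt.dst_ip}:{pkt.dst_port}  {verdict}")
    print(len(fw.events), "events logged")
```

The fifth packet is the one the slide's "unexpected response" refers to: it is addressed to the same local port as the real DNS reply, but it does not come from the server the host queried, so it matches no flow and is dropped rather than reaching the resolver.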
Slide 60: Vulnerabilities Exploited – Gartner Layered Protection
Chart (source: Gartner Research): share of exploits by class (misconfiguration, old patch, recent patch, new vulnerability) against the protection layer that addresses each (agent + endpoint firewall + host integrity; IPS).
Strategic Planning Assumption: Ninety percent of all Internet security incidents will take advantage of misconfigured or misadministered software (0.8 probability).

Speaker notes: Here we see the way Gartner Group looks at the problem of protection. They are above all pragmatists, and their research has shown that:
- 60% of all exploits take advantage of misconfigurations such as: file sharing being left on when wirelessly connected to the Internet from Starbucks; security applications that have been turned off; AV virus definitions that are not up to date; use of forbidden applications, unnecessary services being turned on, or unsafe usage patterns.
- Another 25% take advantage of old patches that haven’t been installed on computers even though they have been around for ample time to have been installed.
- Another 10% of exploits take advantage of known vulnerabilities that have been fixed by recent patches.
- Finally, the last 5% or less are brand-new vulnerabilities that are exploited before signatures or patches are available.

Sygate takes a layered approach which provides superior protection against all of these exploit classes. Our protection has four elements: a smart agent with host integrity capability; a world-class personal firewall; a proven signature-based IPS solution; and pragmatic behavior-based intrusion prevention.

Our strong belief is that configuration issues are best fixed by making sure that computers are configured properly prior to allowing them access to the corporate network. We also believe that configurations must be checked even if the computer isn’t currently connected to the corporate network but rather surfing the Internet from some remote location. Our smart agent can do both, while making sure that only the right configurations and right applications are permitted and wrong applications and services are turned off.

Our personal firewall makes sure that only authorized applications, ports, and protocols are allowed to communicate on the network. The Sygate personal firewall component protects endpoints from network-propagated worms, malicious applications that attempt to send outbound network traffic, and other network-based exploits. It also stealths your computer so that hackers can’t scan your system to understand its vulnerabilities, and prevents hackers from being able to take over your system.

Our IPS engine takes a signature-based approach to protection; this means that exploits are blocked quickly and efficiently without the pain of numerous false positives that burn staff time chasing them down. IPS signatures are the smartest way to address known vulnerabilities before the OS or applications have had a chance to be patched. Sygate is a subscriber to the iDefense vulnerability service, which provides us early warning about vulnerabilities and their associated exploits and gives our signature team time to craft signatures in time to block most exploits before they cause harm. The elements of our IPS engine include:

Signature-Based Protection Features
- Deep Packet Inspection: filters packets based on any part of the packet, including the header and data portion, to block known exploits.
- Trojan Protection: monitors every running application to verify that no Trojan is running.
- DoS Protection: protects against DoS attacks by blocking anomalous network traffic patterns.

The Sygate Agent delivers strong zero-day protection against exploits targeting new vulnerabilities. Our agent uses six behavior techniques to protect against day-zero exploits:

Behavior-Based Protection Features (Zero-Day Protection)
- Application-Centric Policy Control: blocks anomalous behavior, preventing code injection and application compromise, thus ensuring that applications only utilize correct ports, services and DLLs.
- Smart Protocol Filtering: behavior-based protection from protocol-borne exploits.
- Anti-IP and Anti-MAC Spoofing: prevents hackers from masquerading as an authorized user using that user’s IP and MAC addresses.
- Driver-Level Protection: blocks hackers from loading their own protocol drivers by bringing drivers under policy control and monitoring.
- Port Scan Protection: behavior-based protection that blocks hackers from port scanning, which is often used to discover open ports for exploit.
- Host Integrity Checking: the Sygate Agent tests the endpoint’s compliance with the complete set of security policies prior to network access and only grants access if the endpoint is 100% compliant.

Conclusion: Sygate’s unique layered approach delivers unprecedented protection by attacking each class of exploits with the best possible approach. The intelligent Sygate agent and the personal firewall eliminate the exposures caused by misconfiguration and missing patches by making sure that computers are properly configured before they are allowed to connect. For recent exploits, Sygate’s product provides a proven signature-based IPS engine that can protect computers with greater accuracy than behavioral protection alone. Sygate’s behavior-based features eliminate “zero-day” exploits by blocking anomalous behaviors.

Some of our competitors have tried to make the best of their narrow protection solution by trying to focus your attention only on day-zero exploits. Attempting to address all of these different classes of exploits with a single, difficult-to-deploy technology isn’t in any company’s best interest. It can’t address the configuration issues at all, and it attempts to address the other exploit classes with a complex system prone to generating false positives and blocking legitimate applications, which will cause pain to both IT and users. Sygate’s unique layered approach brings the intelligence of the Sygate agent, its best-of-class personal firewall, proven IPS solution and pragmatic behavior-based approach to deliver unprecedented protection.

Gartner Research note quoted on the slide: “We believe the root of most Internet security evil can be traced to Netscape, may it rest in peace. Not only did Netscape drive Internet browsers into every desktop computer, but its development practices forever altered the security landscape. Netscape released a new version of its browser and server products every six months or so, and encouraged users to download each version directly from the Internet. Since six months is barely enough time to write software for the new version, testing was left up to the users under the guise of beta testing. The plug-in architecture also led to users downloading additional untested software that, in essence, modified the browsers and servers. To annihilate Netscape, Microsoft not only matched this ready-fire-aim approach to software development, but it went a step further: it incorporated the insecure browser and server code into its Windows desktop and server OS. From a security perspective, we had the worst of all worlds: bad software, updated often, enmeshed with critical OS software. Action Item: The single most important action for increasing Internet security is to stop using software that has frequent security vulnerabilities. Barring that, enterprises have to greatly increase the resources they apply to assuring that all software is safely configured and patched.”
Slide 61: Continuous Compliance Model
Diagram (repeated from slide 15): a security policy can either rely on user discipline or be backed by system enforcement.
Slide 62: Requirements for Enforcement
- Continuous: must work across all access methods, at all times, for all users
- Consider corporate-owned, guest, managed, unmanaged, and unmanageable systems
- Must provide automatic remediation, not just deny access
- All endpoints, all accesses, all networks, all users
Slide 64: Location-Based (Adaptive) Rules
- Security policies must adapt from HQ to hotel to home to hotspot
- Policies must change by role, device type, location and connection
- Without adaptive policies, companies must choose either good security or productive users
Adaptive policies table:
Role | Device type | Network location | Policy
Executive | Corporate-owned | Enterprise LAN | Trusted, file sharing on, full application access
Sales person | Employee-owned | Home wireless | File sharing off, IM off, print sharing off, VPN on, limited application access
Outsourcer | Unknown | Public Internet | VD, HI, SSL VPN access only and web mail only, with data sanitization
Speaker notes: Adaptive protection allows Chief Security Officers and their staffs to have both happy users and secure endpoints. Our agent is smart enough to adapt security policies as users change location from HQ to hotel, to home, to a hotspot, and change connection methods from Ethernet to VPN to DSL to wireless. Without adaptive policy you will be forced to choose between employee happiness and security. You should not have to make the choice; with our solution you don’t.
Slide 65: Enterprise-Class Management
- Scalable multi-server architecture: policy and log replication; policy distribution (push/pull); configurable priority and load balancing
- Policy management: group hierarchy with inheritance; manage by computer or user; reusable policy objects; AD user and group synchronization
- Centralized logging and reporting: event forwarding (syslog, SIMs); daily or weekly reports
Slide 66: Agenda
- The Challenges: Market, Technical, Regulatory
- Trends and Key Developments
- Requirements of Endpoint Security
- Case Study
- Conclusions
Slide 67: Solution Highlights
- VPN and wireless protection
- Rogue prevention (802.1X)
- Zero-day protection
- Application control
- Device discovery
- Policy enforcement
- Safe third-party access
- Regulatory compliance
- On-demand protection
Speaker notes: The way we think of it as a vendor, evolution favors a strategic solution, one that can be amortized over multiple problems. Sygate ensures VM strategies do just that.
- When it was just hackers and script kiddies doing port scans, personal firewalls were an effective solution.
- VPN and wireless created a second set of exposures that required enhanced sensitivity to the environment (i.e. home networks).
- AV and patch enforcement emerged as another category of exposure recently.
- Changes in national security levels relative to cyberthreats became another exposure, which required real-time enforced policy reactions.
- Protecting corporate networks from exposure by outsourcers or other business partners, while improving their access to valuable applications and information, has moved to the fore recently.
- Protecting web access at kiosks was brought into sharp focus by the Kinko’s keystroke logger incident.
- Making XP safe by locking down unwanted features enables deployment of an improved environment.
- And most recently, application vendors like Diebold are using endpoint protection as part of the strategy to keep access to the most fundamental of all customer-facing applications, the ATM, safe.
Slide 68: Case Study – Enforcing Basic Security Standards
Customer: US division of a large international retail food company
Business: the company owns 1,600 retail food stores on the eastern seaboard under various brand names
Business drivers:
- Reduce cost associated with virus and worm outbreaks
- Support outsourcing relationships in which vendors’ equipment is on site
- Reduce cost of laptop management
Slide 69: Case Study – Enforcing Basic Security Standards
Business requirements:
- Maintain minimum security safeguards on the company’s 2,000 laptops, most of which log in remotely
- Enable remote third-party control (administrative rights) over specific internal servers without compromising corporate security
- Protect the internal network from endpoint security breaches
- Work on a variety of Windows versions, including 2000, XP, and NT
Slide 70: Case Study – Enforcing Basic Security Standards
Actions:
- Install endpoint security agents on all existing laptops during a scheduled configuration upgrade
- Install the endpoint security enterprise management server for policy enforcement
- Add endpoint security agents to the standard configuration policy on all new machines, including internal servers
- Install endpoint security agents on existing internal servers administered by outside vendor partners
- Install endpoint security agents on all new servers deployed
Slide 71: Case Study – Enforcing Basic Security Standards
Protecting their network:
- When the endpoint security agents launched Norton Antivirus on those home machines, they caught and identified upwards of 200 viruses that would otherwise have entered the network.
- Each incident could easily have cost the company US$50,000 to clean up, not to mention productivity losses during network interruptions.
- If one of those viruses had gotten loose in the system, an eight-man LAN server team and a three-man mitigation team would have had to spring into action. This type of remediation could take as many as three days for each virus.
Slide 72: Case Study – Enforcing Basic Security Standards
Unexpected benefit, during the Blaster worm outbreak:
- Tivoli software distribution was used to push out the security patch
- Endpoint security icons started blinking red on executives’ machines
- Checking the agent logs for the origin of the attack, the team followed the IP addresses and found four new laboratory production servers which, being as yet unregistered, had missed the patch push
Slide 73: Summary
- Fusion of endpoint security and network access control will be a top priority for large enterprises
- Corporations need more sophisticated endpoint security solutions, e.g. central management, reporting, policy control
- Automate the complete compliance and enforcement process on contact:
  - all computers: corporate, consultant, guest, student, outsourcer
  - all access: LAN, wireless, remote, mobile
  - all users: from engineers to executives
  - on all networks, friendly or hostile: corporate, home, hotel, business center, airport, the Internet
  - from all threats: malicious access, misconfiguration, and misuse
Slide 74: Thank you! Richard Lau, UDS Data Systems Ltd.