Trends in Endpoint Security, by Richard Lau, 29 September 2005. Presentation transcript.


Slide 1: Trends in Endpoint Security, by Richard Lau, 29 September 2005

Slide 2: Agenda
- The Challenges: Market, Technical, Regulatory
- Trends and Key Developments
- Requirements of Endpoint Security
- Case Study
- Conclusions

Slide 3: Business Impact of Multi-Layered Attacks
- Code Red: 700,000 machines infected; $2-2.9 billion in damage; $200 million in damage per day during attacks (Computer Economics)
- Average worm: $2 million in lost revenue per incident per victim (Aberdeen Group)
- Worst-case worm: $50 billion in U.S. damage alone (International Computer Science Institute)

Slide 4: Enterprise Protection Problem
- Inefficiency: traditional security products aren't effective (99% have AV, 68% still get viruses); a new agent for every threat, poor management, no integration; you have to choose between security and productivity.
- Lack of control: difficult to control without curtailing benefits: wireless, guests, outsourcing, mobility, USB, IM, rogues.
- Vulnerability: exploits are attacking every layer (operating system, application, network, device) and spreading faster than patches or signatures.
- Complexity: increasingly complex IT infrastructure: diverse devices, access points, users, agents, applications.

Slide 5: The Problems (Gartner Research)
Chart: vulnerabilities exploited, broken down into old patch, recent patch, new vulnerability and misconfiguration (Gartner, copyright 2002). Misuse, misconfiguration and malicious access of systems compromise business.

Slide 6: The Problems
- Compromised and rogue devices: 20 percent of the systems that operations, network and security admins know about are compromised: misused, misconfigured or exposed to malicious access (Gartner).
- Network admins know nothing about 20% of the IP addresses in use on the corporate network (Gartner).
- Virus and worm events can cost IT staffs upwards of $250 per system infected.
- The typical American enterprise spent $200K on worm attacks.

Slide 7: Vulnerability-Exploit Gap Decreasing
Chart: days from vulnerability announcement until first attack, for three worms: 5 variants, 359,000 machines infected; 75 variants, 500,000+ machines infected; 17 variants, 1,000,000+ machines infected.

Slide 8: Traditional Security Has Not Blocked Attacks
Products compared: basic personal firewall, anti-virus, patch management solutions, perimeter firewalls, network intrusion detection. Their limitations:
- Can't block access to ports used for legitimate purposes
- Packet scanning is only effective against recognizable signatures
- Window of vulnerability prior to the patch being applied
- Not effective against unknown attacks, e.g. a zero-day worm
- Can't lock down the system enough to prevent worms from acting like authorized applications or traffic
- Can only reliably detect worms after they have compromised some systems and are actively spreading
- Damage is done by the time the virus definition is deployed
Comprehensive NAC and host-based intrusion prevention systems are required.

Slide 9: LAN Security Challenges
- The LAN edge represents the largest area of vulnerability
- Need to consider securing next-generation devices
Diagram: a mobile user who opened an infected attachment brought the virus in with them; a guest user; a rogue device.

Slide 10: VPN Security Challenges
- Non-compliant VPN-connected systems may infect the corporate network
- Unprotected systems can launch man-in-the-middle attacks on IPSec VPNs
- Dirty public systems may contain malware, keyloggers, and other privacy threats
Goals: rogue device elimination; security policy compliance.

Slide 11: Regulatory Challenges
Increasing government and industry regulation presents new challenges to IT organizations, especially in the financial and health care sectors, e.g. HIPAA, SOX, Basel II.
- How can I ensure continuous compliance?
- How do I know that patient-confidential information is protected?
- Can I demonstrate Sarbanes-Oxley (SOX) compliance?
- What can I do to prevent regulatory violations?
- How can I ensure that my users are not violating use policies?

Slide 12: Business Compromised
- Companies lose production systems; revenue is compromised.
- Companies lose customer credit card numbers; relationships are compromised.
- Companies lose software source code; product lines are compromised.
- Companies lose copyrighted material; shareholders are compromised.
- Companies lose employee productivity; profitability is compromised.

Slide 13: Agenda
- The Challenges: Market, Technical, Regulatory
- Trends and Key Developments
- Requirements of Endpoint Security
- Case Study
- Conclusions

Slide 14: Magic Quadrant for Personal Firewall (chart)

Slide 15: Continuous Compliance Model
Diagram: a security policy, upheld either by relying on user discipline or by system enforcement.

Slide 16: Network Access Control Process
1. Define policy (the security policy)
2. Discover policy compliance: agent, on-demand agent, network interrogation
3. Enforce network access control: LAN, DHCP and Gateway Enforcers; self-enforcement; infrastructure integration; Universal Enforcement API
4. Remediate non-compliant endpoints
5. Continuous monitoring

Slide 17: Key Developments – Network Access Control
- Gartner created a reference design for Network Access Control
- Cisco has announced Network Admission Control
- Microsoft has announced Network Access Protection
- The Trusted Computing Group has announced Trusted Network Connect
- 802.1x standard

Slide 18: Gartner – Network Access Control
- Policy: outline the security configurations you wish to enforce as a prerequisite for network access, including patches, AV, custom security software, or special configurations
- Baseline: used to compare systems connecting to the network with the configured policy
- Access control: used to give the connecting system the appropriate level of network access
- Quarantine: systems exhibiting anomalous behavior must be sent into a quarantine area
- Remediation: to bring the system into compliance
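The five-step process on slide 16 and the Gartner components on slide 18 describe the same loop: define a policy, baseline a connecting system against it, decide its access level, quarantine it if it fails, and list what remediation would bring it back into compliance. The following is an added example of that loop, not code from the presentation or from Sygate or Gartner; the policy values, patch identifiers (placeholders, not real patch numbers), host names and posture reports are all constructed for illustration, and the clock is fixed to the presentation date so the result is reproducible.

```python
# Added example: NAC policy evaluation in the shape of the Gartner components
# (policy, baseline, access control, quarantine, remediation). Not vendor code;
# every policy value and posture report below is constructed for illustration.
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Policy:
    """Step 1, define policy: what an endpoint must have before it gets access."""
    required_patches: frozenset
    max_av_signature_age_days: int
    firewall_required: bool = True
    required_software: frozenset = frozenset()


@dataclass
class Posture:
    """Step 2, discover: what an agent (or network interrogation) reports."""
    host: str
    installed_patches: frozenset
    av_signature_date: date
    firewall_on: bool
    installed_software: frozenset


@dataclass
class Decision:
    access: str                 # "full" or "quarantine"
    findings: list = field(default_factory=list)
    remediation: list = field(default_factory=list)


def baseline(posture, policy, today):
    """Compare a posture report with the policy; return (finding, fix) pairs.
    An empty list means the endpoint meets the baseline."""
    gaps = []
    for patch in sorted(policy.required_patches - posture.installed_patches):
        gaps.append((f"missing patch {patch}", f"install {patch}"))
    age = (today - posture.av_signature_date).days
    if age > policy.max_av_signature_age_days:
        gaps.append((f"AV signatures {age} days old", "update AV signatures"))
    if policy.firewall_required and not posture.firewall_on:
        gaps.append(("personal firewall disabled", "enable personal firewall"))
    for sw in sorted(policy.required_software - posture.installed_software):
        gaps.append((f"required software {sw} not installed", f"install {sw}"))
    return gaps


def access_control(posture, policy, today):
    """Steps 3 and 4: full access when the baseline holds, otherwise quarantine
    plus the ordered remediation list that would bring the system into compliance."""
    gaps = baseline(posture, policy, today)
    if not gaps:
        return Decision("full")
    return Decision("quarantine",
                    findings=[finding for finding, _ in gaps],
                    remediation=[fix for _, fix in gaps])


# Constructed policy and posture reports. PATCH-A / PATCH-B are placeholders.
POLICY = Policy(required_patches=frozenset({"PATCH-A", "PATCH-B"}),
                max_av_signature_age_days=7,
                required_software=frozenset({"endpoint-agent"}))
TODAY = date(2005, 9, 29)        # the presentation date, used as a fixed clock

COMPLIANT = Posture("laptop-01", frozenset({"PATCH-A", "PATCH-B"}),
                    date(2005, 9, 27), True, frozenset({"endpoint-agent"}))
NONCOMPLIANT = Posture("laptop-02", frozenset({"PATCH-A"}),
                       date(2005, 9, 1), False, frozenset({"endpoint-agent"}))


def evaluate_all(postures=(COMPLIANT, NONCOMPLIANT), policy=POLICY, today=TODAY):
    """Step 5, continuous monitoring, would re-run this on every connection."""
    return {p.host: access_control(p, policy, today) for p in postures}


if __name__ == "__main__":
    for host, decision in evaluate_all().items():
        print(host, decision.access, decision.remediation)
```

Keeping the finding and its fix together in `baseline` is what makes step 4 automatic: the quarantine decision already carries the ordered list a remediation server needs, so no user intervention is required to work out what to install.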

Slide 19: Cisco's NAC
- A closed, invitation-only architecture for protecting Cisco infrastructures only
- Requires end-to-end Cisco to be effective
- LAN enforcement will not be available until later this year
- Rounded up some AV vendor support

Slide 20: Cisco NAC Components and Decision Making Flow
Components: AV agent, FW agent, OS agent, Cisco Trust Agent (CTA), Cisco ACS server.
1. Individual agents report status
2. CTA delivers to ACS
3. ACS checks the configured policy version for each policy
4. Based on the results, CTA provisions the router

Slide 21: Layer 3 Protection Is Not Complete
Diagram: a mobile user spreads infection on his Layer 2 segment; Cisco NAC (CNAC) stops the infection only at the L3 NAC-enabled router.

Slide 22: Sygate Simplifies CNAC
Components: Sygate agent, Cisco Trust Agent, Cisco ACS server.
1. Sygate collects all compliance information
2. CTA delivers to ACS
4. ACS checks the configured Sygate policy version
5. Based on the results, CTA provisions the router

Slide 23: Cisco NAC Architecture (diagram)

Slide 24: Cisco NAC Architecture in Context of Other Layers
Diagram labels: access device; policy enforcement point; policy decision point; CNAC policy management.

Slide 25: NAC in a Corporate Network (diagram)
- Clients: Windows, Macintosh, Linux, PocketPC, etc.; 3rd-party applications (AV, patch, config, etc.); OS (like MSFT) and/or 3rd-party network access clients (DHCP / VPN / .1x / IPsec / dialer); Security Agent (SSA) and On-Demand Agent (SODA)
- Access devices: modem/DSL, web server, CTA/CNAC access devices
- Policy enforcement points: LAN Enforcer, DHCP Enforcer, Gateway Enforcer, Endpoint Enforcer, On-Demand Enforcer
- Network services: RADIUS server, DHCP server, DNS server, AD, ACS, etc.
- Policy decision point and policy management spanning Site 1, Site 2, Site 3

Slide 26: Microsoft's NAP
- A more open program, designed to protect the Microsoft ecosystem only
- Open to participation by any network infrastructure vendor
- No plans for any support for non-Microsoft OS
- Available with Longhorn Server, sometime in 2006

Slide 27: Standards
- Organization focused on computer system security; over 50 members
- Developing an open standard for any operating system and network infrastructure: completely open, anyone can join; specification available early 2005
- Also developed a hardware chip specification to help ensure the authenticity of hardware (prove system identity) and protect systems from executing software that has become corrupted or hacked

Slide 28: What Is 802.1x
- 802.1x is an IEEE standard for access control on wireless and wired LANs; it provides a means of authenticating and authorizing devices to attach to a LAN port.
- This standard defines the Extensible Authentication Protocol (EAP), which uses a central authentication server to authenticate each user on the network.
- Layer 2 protocol: 802.1x happens before TCP/IP is established.

Slide 29: Purpose of 802.1x
- Authenticate the user/computer at the network level
- Block unauthorized computers from accessing the network
- Provide different levels of authentication and encryption security based on the administrator's decision and network needs
- Most vendors have extended 802.1x from the RFC definition

Slide 30: Enforcement with 802.1x
Diagram: components are a remediation server, the Sygate LAN Enforcer, SMS, RADIUS and the Internet; the client speaks 802.1x and EAP, login credentials are carried over RADIUS, and the result is permit or deny.

Slide 31: 802.1x NAC Solution
- Most secure LAN solution: NAC status, or NAC + user credentials
- Standards-based: nearly all vendors support Ethernet 802.1x
Diagram flow: a wired user's system sends NAC and user data via EAP; the switch forwards to the LAN Enforcer (LE); the LE checks the user login (RADIUS server, Sygate Policy Server); the LAN Enforcer connects the system to the corporate network or to the quarantine network, which holds a patch server.
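Slides 28 to 31 describe one exchange: the supplicant sends its credentials and NAC data over EAP, the switch relays them to the LAN Enforcer acting as a RADIUS server, and the answer places the port in the corporate network, the quarantine network, or nowhere. Below is an added simulation of that exchange with all three parties' messages; it is not code from the presentation or from Sygate. The user store, NAC results, port names and VLAN ids are constructed, and the credential check is deliberately simplified (a real EAP method such as PEAP or EAP-TLS protects the credential rather than carrying a password field). The VLAN attributes in the Access-Accept follow RFC 3580, which is how switches are told which VLAN to assign.

```python
# Added example: 802.1x / EAP / RADIUS exchange with three roles (supplicant,
# switch as authenticator, LAN Enforcer as RADIUS server). Not vendor code.
# Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802 (RFC 3580).
import hashlib
import hmac

CORP_VLAN = "100"           # constructed VLAN id for the corporate network
QUARANTINE_VLAN = "999"     # constructed VLAN id; only the patch server is reachable


def _digest(salt, password):
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


# Constructed user store: user -> (salt, salted SHA-256 of the password).
USERS = {"alice": ("s1", _digest("s1", "correct horse"))}

# Constructed policy-server result: host -> passed the NAC (host integrity) check?
POLICY_SERVER = {"laptop-01": True, "laptop-02": False}


class LanEnforcer:
    """RADIUS server role: user credentials first, then NAC status, then a VLAN verdict."""

    def handle(self, request):
        entry = USERS.get(request["User-Name"])
        if entry is None:
            return {"Code": "Access-Reject"}
        salt, expected = entry
        if not hmac.compare_digest(_digest(salt, request["User-Password"]), expected):
            return {"Code": "Access-Reject"}
        compliant = POLICY_SERVER.get(request["NAC-Host"], False)
        return {"Code": "Access-Accept",
                "Tunnel-Type": 13,
                "Tunnel-Medium-Type": 6,
                "Tunnel-Private-Group-ID": CORP_VLAN if compliant else QUARANTINE_VLAN}


class Switch:
    """Authenticator role: relays EAP from the port to RADIUS and applies the verdict."""

    def __init__(self, enforcer):
        self.enforcer = enforcer
        self.ports = {}     # port -> VLAN id, or None while the port stays unauthorized

    def connect(self, port, eap_response, transcript):
        user, host = eap_response["User-Name"], eap_response["NAC-Host"]
        transcript.append(f"supplicant -> switch ({port}): EAP-Response, {user}, NAC data for {host}")
        transcript.append("switch -> enforcer: RADIUS Access-Request carrying EAP-Message")
        reply = self.enforcer.handle(eap_response)
        transcript.append(f"enforcer -> switch: RADIUS {reply['Code']}")
        if reply["Code"] == "Access-Accept":
            self.ports[port] = reply["Tunnel-Private-Group-ID"]
            transcript.append(f"switch -> supplicant: EAP-Success, {port} placed in VLAN {self.ports[port]}")
        else:
            self.ports[port] = None
            transcript.append(f"switch -> supplicant: EAP-Failure, {port} stays unauthorized")
        return self.ports[port]


def run_scenarios():
    """Three constructed connections: compliant, non-compliant, wrong password."""
    switch, transcript = Switch(LanEnforcer()), []
    good = {"User-Name": "alice", "User-Password": "correct horse"}
    results = {
        "compliant": switch.connect("Gi0/1", {**good, "NAC-Host": "laptop-01"}, transcript),
        "noncompliant": switch.connect("Gi0/2", {**good, "NAC-Host": "laptop-02"}, transcript),
        "bad_password": switch.connect(
            "Gi0/3", {"User-Name": "alice", "User-Password": "wrong", "NAC-Host": "laptop-01"},
            transcript),
    }
    return results, transcript


if __name__ == "__main__":
    verdicts, lines = run_scenarios()
    print(verdicts)
    print("\n".join(lines))
```

The ordering inside `LanEnforcer.handle` is the point of the "NAC + user credentials" bullet: an unknown or mis-authenticated user never reaches the posture check, while an authenticated user with a failing posture still gets a port, but only into the quarantine VLAN where the patch server lives.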

Slide 32: How DHCP Enforcement Works
- Systems connecting to the network get a DHCP lease with a short lease time in a quarantine address space: a secondary IP space, or DHCP route filters
- The DHCP Enforcer checks for the SSA agent and its status
- If the agent is present and the system is up to date, the DHCP Enforcer gives the system a new address in the normal address space
- If there is no agent, the system remains in the quarantine address space
- Exceptions are provided by OS type and MAC address

Slide 33: DHCP NAC Solution, In Compliance
Diagram: mobile and wireless users and a wired user behind an Ethernet switch. DHCP Request; for an unknown system the DHCP server sends route filters or a quarantine address; the DHCP Enforcer probes for the agent and policy status and triggers release/renew on pass; a second DHCP Request; compliant, so the regular address is sent.

Slide 34: New DHCP NAC Solution, Out of Compliance
Diagram: mobile and wireless users and a wired user behind an Ethernet switch, plus a remediation server. DHCP Request; for an unknown system the DHCP server sends route filters; the DHCP Enforcer probes for the agent and policy status and triggers remediation on failure; the remediation server performs the remediation action; release/renew is triggered upon completion; a second DHCP Request; compliant, so the route filters are removed.
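Slides 32 to 34 spell out the DHCP enforcement sequence: a short quarantine lease first, a probe for the agent, remediation on failure, and a release/renew into the normal address space once the system is compliant, with exceptions for devices identified by OS type or MAC address. Here is an added example of that sequence as a small state machine; it is not code from the presentation or from Sygate. The address scopes, lease times, MAC addresses, OS types and agent answers are all constructed, and the "route filter" variant is only mentioned in a comment because the constructed site uses a secondary address space.

```python
# Added example: DHCP enforcement (quarantine lease -> probe -> remediate ->
# release/renew) as a state machine. Not vendor code; all values constructed.
import ipaddress

QUARANTINE_SCOPE = ipaddress.ip_network("10.255.0.0/24")   # constructed secondary space
NORMAL_SCOPE = ipaddress.ip_network("10.1.0.0/24")         # constructed production space
QUARANTINE_LEASE = 60        # seconds: short, so the renew follows the probe quickly
NORMAL_LEASE = 86400

# Exceptions by OS type and MAC address (slide 32): devices that can never run an agent.
EXEMPT_OS = {"printer-firmware"}
EXEMPT_MACS = {"00:00:5e:00:53:01"}


class DhcpEnforcer:
    def __init__(self):
        self.leases = {}          # mac -> (ip, lease_seconds, scope_name)
        self.next_host = {"quarantine": 10, "normal": 10}
        self.log = []

    def _lease(self, mac, scope_name):
        scope = QUARANTINE_SCOPE if scope_name == "quarantine" else NORMAL_SCOPE
        lease = QUARANTINE_LEASE if scope_name == "quarantine" else NORMAL_LEASE
        ip = str(scope.network_address + self.next_host[scope_name])
        self.next_host[scope_name] += 1
        self.leases[mac] = (ip, lease, scope_name)
        self.log.append(f"{mac}: {scope_name} lease {ip} for {lease}s")
        return scope_name

    def request(self, mac, os_type):
        """DHCP request from a system not yet known to be compliant."""
        if os_type in EXEMPT_OS or mac in EXEMPT_MACS:
            return self._lease(mac, "normal")
        # A site without a secondary scope would push DHCP route filters here instead.
        return self._lease(mac, "quarantine")

    def probe(self, mac, agent):
        """Enforcer probes the quarantined system for the agent and its policy status.
        agent is None when nothing answers, else {'compliant': bool, 'fixable': bool}."""
        if self.leases[mac][2] != "quarantine":
            return self.leases[mac][2]
        if agent is None:
            self.log.append(f"{mac}: no agent, stays in quarantine")
            return "quarantine"
        if not agent["compliant"]:
            self.log.append(f"{mac}: non-compliant, remediation triggered")
            agent["compliant"] = agent["fixable"]   # remediation server applies the fix
        if agent["compliant"]:
            self.log.append(f"{mac}: compliant, release/renew triggered")
            return self._lease(mac, "normal")       # new lease in the normal space
        self.log.append(f"{mac}: remediation failed, stays in quarantine")
        return "quarantine"


def run_scenarios():
    """Five constructed endpoints joining the network; returns their final scope names."""
    enforcer = DhcpEnforcer()
    cases = {
        "compliant":  ("00:00:5e:00:53:10", "windows-xp", {"compliant": True, "fixable": True}),
        "remediated": ("00:00:5e:00:53:11", "windows-2000", {"compliant": False, "fixable": True}),
        "unfixable":  ("00:00:5e:00:53:12", "windows-nt", {"compliant": False, "fixable": False}),
        "no_agent":   ("00:00:5e:00:53:13", "linux", None),
        "exempt":     ("00:00:5e:00:53:01", "printer-firmware", None),
    }
    outcome = {}
    for name, (mac, os_type, agent) in cases.items():
        enforcer.request(mac, os_type)
        outcome[name] = enforcer.probe(mac, agent)
    return outcome, enforcer


if __name__ == "__main__":
    results, enforcer = run_scenarios()
    print(results)
    print("\n".join(enforcer.log))
```

The short quarantine lease is what makes the scheme work without client cooperation: an agentless system keeps renewing into the quarantine space, while a system that just remediated gets its normal address on the very next renew. The exception list is also where the weakness sits, so in practice it should be reviewed like any other allow-list.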

Slide 35: On-Demand Security

Slide 36: Ubiquitous Enforcement Requires On-Demand Enforcement Capability
- Not all systems on a network can have agents installed
- Not all systems on a network are owned by the company
- Guests may require safe network access
- Information must be protected when employees access via 3rd-party devices: Internet kiosks, hotel business centers, home PCs

Slide 37: On-Demand Value
Problem:
- Theft of data from unmanaged devices
- Unprotected or compromised devices connecting to the enterprise via web infrastructure
- Delivering endpoint security to unmanaged devices (contractors, kiosks, home machines)
Solution:
- Protects confidential data by creating a secure environment that provides encryption and file deletion upon session termination
- Protection from viruses and worms by enforcing AV and personal firewall via Host Integrity
- Lower TCO by delivering endpoint protection on demand via existing web infrastructure

Slide 38: The Market in Which SODA Plays
Gartner has defined the market. Six critical requirements for on-demand security, each with the matching SODA component:
- Client integrity checkers: SODA Host Integrity
- Browser cache file cleanup: SODA Cache Cleaner
- Behavioral malicious code scanners: SODA Malicious Code Prevention
- Personal firewall mini-engines: SODA Connection Control
- Protected virtual user sessions: SODA Virtual Desktop
- Dynamic user access policies: SODA Adaptive Policies
Source: "Access From Anywhere Drives Innovation for On-Demand Security", Gartner, ID Number: G , March 21, 2005.

Slide 39: On-Demand Security Agent
Components of the On-Demand Agent: Host Integrity, Adaptive Policies, Virtual Desktop, Data Sanitization, Persistent Desktop, Malicious Code Protection, Customizable User Environment.

Slide 40: When Do You Need On-Demand?
Diagram: application types (web-based applications, file share, thin client/server applications, traditional client/server applications) against access scenarios (traveling executives, partner extranet, public kiosk). Examples: SSL VPN, guest wireless, webmail, enterprise web apps (ERP/CRM), online banking/e-commerce, Terminal Services (Citrix).

Slide 41: Citrix
Business drivers: speed application deployment; access from anywhere; access from any device.
Data at risk: Citrix login password; screen images; browser history.

Slide 42: HR/Financial/Partner Portals
Business drivers: web-based access to payroll and employee information; eliminate the cost of printing and mailing paychecks.
Data at risk: portal login password; PDF paycheck stub; payroll system.

Slide 43: Architecture - How It Works
Diagram actors and components: traveling executive (hotel), partner, kiosk, printer, workstation, guest, ATM; remediation, RADIUS, web applications, Sygate Enforcer, Sygate On-Demand Manager; SSL VPN, IPSEC VPN, wireless, firewall, 802.1x switch; correlator and discovery engine.
Flow:
1. Administrator creates the Sygate On-Demand Agent
2. Administrator uploads the Sygate On-Demand Agent
3. User connects to the login page
4. Sygate On-Demand Agent downloads (Java)
5. Sygate On-Demand Agent adapts policies to the environment
6. Sygate On-Demand Agent verifies host integrity
7. If compliant, On-Demand launches the Virtual Desktop or Cache Cleaner
8. Virtual Desktop or Cache Cleaner then launches the login process
9. User logs into the SSL VPN/web app and gets access to the network
10. User can securely download, view, modify, and upload corporate information
11. Upon inactivity or closing, the Virtual Desktop is closed and data erased
Adaptive policies (network location / device type / policy):
- Internal LAN / guest laptop / VD, HI
- Public Internet / kiosk / VD, HI
- Home network / employee home / VD, HI, persistent
- Airport WLAN / corporate-owned, running SSA / trusted
Host integrity rules checked, each with a status: patch updated; service pack updated; personal firewall on; anti-virus updated; anti-virus on.

Slide 44: Sygate On-Demand Qualification
Enterprises providing access to corporate information through web applications:
- Web mail: Outlook Web Access and Lotus iNotes
- SSL VPN: Netscreen, Aventail, Nortel, Netilla
- Citrix
- Portals: financial, HR, partner
- Web CRM: Siebel
- Financial applications: SAP financials
Critical qualification information:
- What are the web applications in use?
- What are the different types of users and devices?
- Do they want different policies for different situations?
- Do they want to check the security of the computer before allowing access?

Slide 45: SSL VPN
Diagram: application types (web-based applications, file share, thin client/server applications, traditional client/server applications) against access scenarios (traveling executives, partner extranet, public kiosk).
Business drivers: low-cost remote access; access from anywhere.
Data at risk: SSL VPN login password; shared files; application data.

Slide 46: Securing Remote Access with SSL VPN
- NetScreen Host Checker packaged with NHC Server API extensions
- Upload the Sygate On-Demand Agent using either the customer UI or as a Host Checker package
- User connects to the SSL VPN and is subject to a Host Integrity check
- Sygate On-Demand Agent checks Host Integrity, and installs Cache Cleaner or Virtual Desktop
Diagram: a managed device and an unmanaged device reach the private network across the WWW; the SSL VPN binds the session to an AM policy based on the scan; behind it sits the protected network resource, application, or service.
- Managed device: the Sygate Security Agent (part of Sygate Secure Enterprise) is pre-installed to provide firewall, intrusion prevention, and policy enforcement. The Juniper Host Checker verifies that the Sygate Security Agent is running.
- Unmanaged device: the Sygate On-Demand Agent (part of Sygate On-Demand).

Slide 47: Agenda
- The Challenges: Market, Technical, Regulatory
- Trends and Key Developments
- Requirements of Endpoint Security
- Case Study
- Conclusions

Slide 48: Enterprise Protection
Problem: networks and endpoints are vulnerable, causing propagation of malicious code, leakage of sensitive information, lost user productivity and increased support costs.
Solution: safeguard computers, networks, and data by ridding the network of non-compliant endpoints with NAC; ensuring Compliance on Contact across all entry points; and protecting endpoints with Host Intrusion Prevention.

Slide 49: Enterprise Protection Features
Chart comparing the traditional desktop firewall (FW), current enterprise protection and next enterprise protection. Feature labels: FW, IDS, Adaptive Policies, NAC, AS (anti-spyware), OS protection (buffer overflow protection, file/registry access control, process execution control), device (HIPS, peripheral device control), DHCP enforcement, Host Integrity (If...Then...Else, And...Or...Not conditions), 802.1x, wireless support, Cisco NAC, wireless detection, signature-based IDS, enterprise management, anti-spyware, desktop firewall.

Slide 50: Enterprise End-Point Device Protection Features
- Host Intrusion Prevention System (HIPS)
- Network Access Control (NAC)
- Adaptive Policies
- End-point intrusion prevention
- End-point firewall

Slide 51: HIPS & The Vulnerability Lifecycle
Timeline: vulnerability discovered; days later the exploit is released; 3 days to never until a patch is available; patch deployed. Protection mapped along the timeline: behavioral (HIPS) & white list (firewall); blacklist (anti-virus & IDS signatures); patches; network access control.

Slide 52: Host Intrusion Prevention System
Protection layer, with an example for each method (black list / white list / behavior):
- Network layer: Code Red / personal firewall / ARP poisoning
- Application layer: SQL Slammer / allow only browser, block IIS / buffer overflow
- OS layer: Blaster signature / prevent malware from creating accounts / block OS buffer overflow (RPC DCOM)
- Device layer: block iPod, USB key / allow only mice and keyboards / block read/write/exe by device and location

Slide 53: Server Protection Solution
Diagram labels, grouped by protected area:
- CPU & kernel: rootkits; memory buffer overflows, shatter attacks; memory firewall, NX emulation
- Applications: account creation, auto start, code execution; anti-hijacking, process execution, application behavior, block DLL loading, system lockdown
- File and registry: file integrity, SQL injection, privilege escalation; file access, registry control
- Network: DoS, worms; firewall, IPS
- Device: data theft, spyware; device control, file read/write/exe

Slide 54: NAC in a Corporate Network (the slide 25 diagram, repeated)
- Clients: Windows, Macintosh, Linux, PocketPC, etc.; 3rd-party applications (AV, patch, config, etc.); OS (like MSFT) and/or 3rd-party network access clients (DHCP / VPN / .1x / IPsec / dialer); Security Agent (SSA) and On-Demand Agent (SODA)
- Access devices: modem/DSL, web server
- Policy enforcement points: LAN Enforcer, DHCP Enforcer, Gateway Enforcer, Endpoint Enforcer, On-Demand Enforcer
- Network services: RADIUS server, DHCP server, DNS server, AD, etc.
- Policy decision point and policy management spanning Site 1, Site 2, Site 3

Slide 55: Network Access Control Solution

Slide 56: Network Access Control
Problem: insecure endpoints connecting to networks result in malicious code propagation, theft of sensitive information and exposure to regulatory penalties.
Solution: NAC protects enterprise networks by discovering endpoints and their compliance with security policies; enforcing network access throughout the entire network; remediating non-compliant endpoints; and monitoring the network continuously.

Slide 57: Enterprise NAC Requirements
- Pervasive endpoint coverage: managed laptops, desktops, servers; unmanaged guests, contractors, home computers
- Central, scalable, flexible policy management: distributed servers, redundancy, database replication, AD integration
- Universal enforcement: (W)LAN, IPSec VPN, SSL VPN, web portal
- Integration with existing and emerging standards: 802.1x, Cisco NAC, Microsoft NAP, TCG's TNC
- Automated remediation process: no user intervention required
- Learning mode and discovery tools

Slide 58: Endpoint Intrusion Prevention
- Intrusion prevention protects against known attacks on services that are required
- Runs behind the firewall to increase system protection
- Uses signatures to match known attacks, reducing the occurrence of false positives
- Examples: SQL Slammer, Code Red
- Must log security events
Diagram: Code Red is blocked (X) by the IDP behind the firewall; a valid request passes.

Slide 59: Endpoint Firewall Requirements
- Packet filtering: closes ports that are not required but left open by default (Windows Messenger, SQL, etc.)
- Stateful packet inspection: blocks inbound packets that do not correspond to established flows; protects open ports from attack; blocks protocol-based attacks
- Must operate both inbound and outbound: blocks unauthorized outbound communications
- Must log security events
Diagram: SQL port 1434/udp, Slammer exploit blocked (X); Messenger port 6891/tcp, Messenger spam blocked (X); a user request gets its permitted response; an unexpected response is blocked (X).
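The four requirements above (close unneeded ports, admit inbound traffic only for flows the endpoint opened, control outbound traffic, log every decision) are easiest to see as a filter running over a packet trace. The block below is an added example of such a filter, not code from the presentation or from any vendor named on it. The endpoint address, the closed-port list (taken from the diagram's 1434/udp and 6891/tcp examples), the outbound allow-list and the eight sample packets are all constructed; the flow table keys on the 4-tuple only and does not track TCP state, which a production firewall would also do.

```python
# Added example: stateful endpoint firewall applying the slide's requirements to a
# constructed packet trace. Not vendor code; addresses, rules and packets constructed.
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src sport dst dport")

HOST = "192.0.2.10"                                   # constructed endpoint address
# Ports left open by default that policy closes (diagram: SQL 1434/udp, Messenger 6891/tcp).
CLOSED_PORTS = {("udp", 1434), ("tcp", 6891)}
# Outbound destinations the endpoint is authorized to initiate (constructed allow-list).
ALLOWED_OUTBOUND = {("udp", 53), ("tcp", 80), ("tcp", 443)}


class EndpointFirewall:
    def __init__(self):
        self.flows = set()      # (proto, local_port, remote_ip, remote_port) we initiated
        self.log = []           # every verdict is logged (requirement: log security events)

    def _log(self, verdict, pkt, reason):
        self.log.append(f"{verdict} {pkt.direction} {pkt.proto} "
                        f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} ({reason})")
        return verdict

    def filter(self, pkt):
        if pkt.direction == "out":
            if (pkt.proto, pkt.dport) not in ALLOWED_OUTBOUND:
                return self._log("BLOCK", pkt, "unauthorized outbound")
            self.flows.add((pkt.proto, pkt.sport, pkt.dst, pkt.dport))
            return self._log("PERMIT", pkt, "outbound allowed, flow recorded")
        # Inbound: closed ports first, then only replies to flows this host opened.
        if (pkt.proto, pkt.dport) in CLOSED_PORTS:
            return self._log("BLOCK", pkt, "port closed by policy")
        if (pkt.proto, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return self._log("PERMIT", pkt, "matches established flow")
        return self._log("BLOCK", pkt, "no matching flow")


SAMPLE_PACKETS = [  # constructed trace; RFC 5737 documentation addresses
    Packet("out", "udp", HOST, 40000, "192.0.2.53", 53),          # DNS query
    Packet("in",  "udp", "192.0.2.53", 53, HOST, 40000),          # matching reply
    Packet("in",  "udp", "198.51.100.7", 53, HOST, 40000),        # reply from the wrong host
    Packet("in",  "udp", "198.51.100.9", 5555, HOST, 1434),       # SQL Resolution probe
    Packet("in",  "tcp", "198.51.100.9", 5556, HOST, 6891),       # Messenger file transfer
    Packet("out", "tcp", HOST, 40001, "198.51.100.20", 6667),     # unauthorized outbound
    Packet("out", "tcp", HOST, 40002, "203.0.113.5", 443),        # web request
    Packet("in",  "tcp", "203.0.113.5", 443, HOST, 40002),        # web response
]


def run(packets=SAMPLE_PACKETS):
    """Filter a trace; returns the verdict per packet and the event log."""
    fw = EndpointFirewall()
    return [fw.filter(p) for p in packets], fw.log


if __name__ == "__main__":
    verdicts, events = run()
    print(verdicts)
    print("\n".join(events))
```

The third packet is the diagram's "unexpected response": it arrives on a port the host is genuinely listening on, so pure port filtering would admit it, and only the flow table (source address and port as well as destination) rejects it.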

Slide 60: Layered Protection
Chart: vulnerabilities exploited (Gartner), split into old patch, recent patch, new vulnerability and misconfiguration, with the "0-day" and "IPS" layers overlaid.

Slide 61: Continuous Compliance Model
Diagram: a security policy, upheld either by relying on user discipline or by system enforcement.

Slide 62: Requirements for Enforcement
- Continuous: must work across all access methods, at all times, for all users
- Consider corporate-owned, guest, managed, unmanaged, and unmanageable systems
- Must provide automatic remediation, not just deny access
- All endpoints, all accesses, all networks, all users

Slide 63: Enterprise Protection Solution

Slide 64: Location Based (Adaptive) Rules
- Security policies must adapt from HQ to hotel to home to hotspot
- Policies must change by role, device type, location and connection
- Without adaptive policies, companies must choose either good security or productive users
Adaptive policies (role / device type / network location / policy):
- Executive / corporate owned / enterprise LAN / trusted, file sharing on, full application access
- Sales person / employee owned / home wireless / file sharing off, IM off, print sharing off, VPN on, limited application access
- Outsourcer / unknown / public Internet / VD, HI, SSL VPN access only and web mail only with data sanitization

Slide 65: Enterprise-Class Management
- Scalable multi-server architecture: policy & log replication; policy distribution (push/pull); configurable priority/load balancing
- Policy management: group hierarchy with inheritance; manage by computer or user; reusable policy objects; AD user and group synchronization
- Centralized logging and reporting: event forwarding (Syslog, SIMs); daily or weekly e-mailed reports

Slide 66: Agenda
- The Challenges: Market, Technical, Regulatory
- Trends and Key Developments
- Requirements of Endpoint Security
- Case Study
- Conclusions

Slide 67: Solution Highlights
VPN & wireless protection; rogue prevention (802.1x); zero-day protection; application control; device discovery; policy enforcement; safe third-party access; regulatory compliance; on-demand protection.

Slide 68: Case Study – Enforcing Basic Security Standards
Customer: US division of a large international retail food company.
Business: the company owns 1600 retail food stores on the eastern seaboard under various brand names.
Business drivers:
- Reduce the cost associated with virus and worm outbreaks
- Support outsourcing relationships in which vendors' equipment is on site
- Reduce the cost of laptop management

Slide 69: Case Study – Enforcing Basic Security Standards
Business requirements:
- Maintain minimum security safeguards on the company's 2000 laptops, most of which log in remotely
- Enable remote 3rd-party control (administrative rights) over specific internal servers without compromising corporate security
- Protect the internal network from end-point security breaches
- Work on a variety of Windows versions, including 2000, XP, and NT

Slide 70: Case Study – Enforcing Basic Security Standards
Actions:
- Install End-Point Security Agents on all existing laptops during the scheduled configuration upgrade
- Install the End-Point Security Enterprise Management Server for policy enforcement
- Add End-Point Security Agents to the standard configuration policy on all new machines, including internal servers
- Install End-Point Security Agents on existing internal servers administered by outside vendor partners
- Install End-Point Security Agents on all new servers deployed

Slide 71: Case Study – Enforcing Basic Security Standards
Protecting their network: when the End-Point Security Agents launched Norton Antivirus on those home machines, they caught and identified upwards of 200 viruses that would otherwise have entered the network. Each incident could easily have cost the company US$50,000 to clean up, not to mention productivity losses during network interruptions. If one of those viruses had gotten loose in the system, an eight-man LAN server team and a three-man mitigation team would have had to spring into action, and this type of remediation could take as many as three days for each virus.

Slide 72: Case Study – Enforcing Basic Security Standards
Unexpected benefit: the Blaster worm outbreak.
- Used Tivoli software distribution to push out a security patch
- End-Point Security icons started blinking red on an executive's machine
- Checked the logs for the attack origin
- Followed the IP addresses and found four new laboratory production servers which, being as yet unregistered, had missed the patch push

Slide 73: Summary
- Fusion of endpoint security and network access control will be a top priority for large enterprises
- Corporations need more sophisticated endpoint security solutions, e.g. central management, reporting, policy control
- Automate the complete compliance and enforcement process on contact: all computers (corporate, consultant, guest, student, outsourcer); all access (LAN, wireless, remote, mobile); all users, from engineers to executives; on all networks, friendly or hostile (corporate, home, hotel, business center, airport, the Internet); from all threats (malicious access, misconfiguration, and misuse)

Slide 74: Thank you! Richard Lau, UDS Data Systems Ltd.
