
“Trends in Endpoint Security” by Richard Lau 29 September 2005




1 “Trends in Endpoint Security” by Richard Lau 29 September 2005

2 Agenda
The Challenges: Market, Technical, Regulatory
Trends and Key Developments
Requirements of Endpoint Security
Case Study
Conclusions

3 Business Impact of Multi-Layered Attacks
Average Worm: $2 million in lost revenue per incident per victim (Aberdeen Group)
Code Red: 700,000 machines infected; $2-2.9 billion in damage; $200 million in damage per day during attacks (Computer Economics)
Worst-Case Worm: $50 billion in U.S. damage alone (International Computer Science Institute)

4 Enterprise Protection Problem
Complexity: increasingly complex IT infrastructure; diverse devices, access points, users, agents, applications
Vulnerability: exploits are attacking every layer (operating system, application, network, device) and spreading faster than patches or signatures
Lack of Control: difficult to control without curtailing benefits (wireless, guests, outsourcing, mobility, USB, IM, rogues)
Inefficiency: traditional security products aren't effective; 99% have AV, 68% get viruses; a new agent for every threat, poor management, no integration
You have to choose between security and productivity

5 Vulnerabilities Exploited
The Problems (Gartner Research)
Strategic Planning Assumption: Ninety percent of all Internet security incidents will take advantage of misconfigured or misadministered software (0.8 probability).
Chart: Vulnerabilities Exploited, by class: Misconfiguration, Old Patch, Recent Patch, New Vulnerability (Source: Gartner Research)
Misuse, misconfiguration and malicious access of systems compromises business.

Speaker notes (Gartner Research, Copyright © 2002): We believe the root of most Internet security evil can be traced to Netscape, may it rest in peace. Not only did Netscape drive Internet browsers into every desktop computer, but its development practices forever altered the security landscape. Netscape released a new version of its browser and server products every six months or so, and encouraged users to download each version directly from the Internet. Since six months is barely enough time to write software for the new version, testing was left up to the users under the guise of beta testing. The plug-in architecture also led to users downloading additional untested software that, in essence, modified the browsers and servers. To annihilate Netscape, Microsoft not only matched this ready-fire-aim approach to software development, but it went a step further: it incorporated the insecure browser and server code into its Windows desktop and server OS. From a security perspective, we had the worst of all worlds: bad software, updated often, enmeshed with critical OS software. Action Item: The single-most-important action for increasing Internet security is to stop using software that has frequent security vulnerabilities. Barring that, enterprises have to greatly increase the resources they apply to assuring that all software is safely configured and patched.

6 The Problems Compromised and Rogue Devices
20 percent of the systems that operations, network and security admins know about are compromised – misused, misconfigured, exposed to malicious access (Gartner).
20% of the IP addresses in use on corporate networks are ones admins know nothing about (Gartner).
Virus and worm events can cost IT staffs upwards of $250 per system infected.
Typical American enterprise spent $200K on worm attacks.

7 Vulnerability-Exploit Gap Decreasing
Chart: Days Until First Attack after Vulnerability Announced (red color = appeared in less than 30 days). Data points: 5 variants, 359,000 machines infected; 75 variants, 500,000+ machines infected; 17 variants, 1,000,000+ machines infected.
Trend: more frequent, more variants, more sophisticated, shorter time delay, faster propagation, more destructive
Key Points:
Overall, the threat against servers is increasing, not decreasing.
Server threats are increasing in frequency (more often).
The speed of attack is also increasing dramatically – down to as little as one day (Witty worm).
The number of variants of new worms is increasing.
The average number of infected servers per attack is increasing.

8 Traditional Security Has Not Blocked Attacks
Ex: Zero-Day Worm – damage is done by the time the virus definition is deployed
Can't block access to ports used for legitimate purposes
Packet scanning only effective against recognizable signatures
Window of vulnerability prior to patch being applied
Not effective against unknown attacks
Can't lock down the system enough to prevent worms from acting like authorized applications or traffic
Can only reliably detect worms after they have compromised some systems and are actively spreading
Existing measures shown: Perimeter Firewalls, Network Intrusion Detection, Basic Personal Firewall, Patch Management Solutions, Anti-Virus
Comprehensive NAC and Host-based Intrusion Prevention Systems are required…

Speaker and reviewer notes: Current solutions have limits – next slide shows how we address those limits. System Hardening – what does “basic” security measures mean? I don’t understand this ‘limitation’. Host Based Security – what does “designed for other purposes” mean? “Setting up and tuning… is difficult and error-prone” is an absurd ‘product specific’ assertion. Key Points: Even though security administrators have tried everything, memory-based attacks are still getting through. Explain how a modern day attack gets through all of the existing security measures? Existing technologies only provide partial protection (50%?)

9 LAN Security Challenges
The LAN edge represents the largest area of vulnerability
Need to consider securing next generation devices
Diagram examples: opening an infected attachment from hotmail.com; guest user; rogue device; mobile user brought a virus with them

10 VPN Security Challenges
Rogue Device Elimination
Security Policy Compliance
Non-compliant VPN-connected systems may infect the corporate network
Unprotected systems can launch man-in-the-middle attacks on IPSec VPNs
“Dirty” public systems may contain malware, keyloggers, and other privacy threats

Speaker notes: When we talk to C-level executives about security they are concerned about two things: rogues and regulations.
1. They want to eliminate rogues so their networks and computers are protected from hackers and thieves. Rogues are: good computers gone bad – out of compliance and thereby offering vulnerabilities that can be exploited; good employees gone bad; or computers manned by hackers or thieves to exploit other systems.
2. They want to comply with regulations so that they don’t get unwanted attention from their shareholders or the press, or fines from the government.
Our solution solves both concerns by ensuring continuous compliance. Continuous compliance means at every minute of every day your computers are fully compliant with all of the appropriate security policies and protected from rogues regardless of:
whether that computer is within the 4 walls of their company or roaming the globe;
whether that computer is connected to the corporate network or not;
whether it is connected via wireless, dial up, DSL, VPN or Ethernet;
what application is being used.

11 Regulatory Challenges
Increasing government or industry regulations are presenting new challenges to IT organizations, especially in the financial and health care sectors, e.g. HIPAA, SOX, Basel II, etc.
How can I ensure continuous compliance?
How do I know that patient-confidential information is protected?
Can I demonstrate Sarbanes-Oxley (SOX) compliance?
What can I do to prevent regulatory violations?
How can I ensure that my users are not violating use policies?

12 Business Compromised
Companies lose production systems; revenue is compromised.
Companies lose customer credit card numbers; relationships are compromised.
Companies lose software source code; product lines are compromised.
Companies lose copyrighted material; shareholders are compromised.
Companies lose employee productivity; profitability is compromised.

13 Agenda
The Challenges: Market, Technical, Regulatory
Trends and Key Developments
Requirements of Endpoint Security
Case Study
Conclusions

14 Magic Quadrant for Personal Firewall

15 Continuous Compliance Model
Diagram labels: Security Policy; Rely on User Discipline; System Enforcement

16 Network Access Control Process
Define Policy (Security Policy)
Discover Policy Compliance: Agent, On-Demand Agent, Network Interrogation
Enforce Network Access Control: LAN, DHCP, Gateway Enforcer; Self-Enforcement; Infrastructure Integration (Universal Enforcement API)
Remediate Non-Compliant Endpoints
Continuous Monitoring

Speaker notes: We address limits of current solutions by implementing a process to ensure compliance on contact and a solution that covers all endpoints and access points – then we lay on our special sauce (hIPS).

17 Key Developments – Network Access Control
Gartner created a reference design for Network Access Control
Cisco has announced Network Admission Control
Microsoft has announced Network Access Protection
The Trusted Computing Group has announced Trusted Network Connect
802.1x Standard

18 Gartner – Network Access Control
Policy – outline the security configurations you wish to enforce as a prerequisite for network access, including patches, AV, custom security software, or special configurations
Baseline – used to compare systems connecting to the network with the configured policy
Access Control – used to give the connecting system the appropriate level of network access
Quarantine – systems exhibiting anomalous behavior must be sent into a quarantine area
Remediation – to bring the system into compliance
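The five stages above map onto a small decision routine. The following is an added example, not Gartner's reference design or Sygate's code: a policy object, a baseline comparison of the posture an agent reports against that policy, an access-control decision that quarantines on any failure, and a simulated remediation pass followed by a re-check. The rule names, the placeholder patch identifiers and the posture fields are assumptions made for the example.

```python
# Added illustration of the Gartner NAC model (policy, baseline, access control,
# quarantine, remediation). Not Gartner's or Sygate's code; rule names, patch
# identifiers ("patch-A", "patch-B") and posture fields are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Policy:
    """What the administrator requires as a prerequisite for network access."""
    required_patches: frozenset
    max_av_definition_age_days: int
    require_av_running: bool = True
    require_firewall: bool = True


@dataclass
class Posture:
    """What the agent reports about the connecting system."""
    installed_patches: frozenset
    av_definition_date: date
    av_running: bool
    firewall_on: bool


@dataclass
class Decision:
    access: str          # "full" or "quarantine"
    failures: list       # human-readable reasons for the decision
    remediation: list    # (action, argument) pairs that bring the system into compliance


def baseline(policy, posture, today):
    """Compare the connecting system against the configured policy."""
    failures, remediation = [], []
    missing = sorted(policy.required_patches - posture.installed_patches)
    if missing:
        failures.append(f"missing patches: {missing}")
        remediation.append(("install_patches", missing))
    age = (today - posture.av_definition_date).days
    if age > policy.max_av_definition_age_days:
        failures.append(f"AV definitions are {age} days old")
        remediation.append(("update_av_definitions", today))
    if policy.require_av_running and not posture.av_running:
        failures.append("AV not running")
        remediation.append(("start_av", None))
    if policy.require_firewall and not posture.firewall_on:
        failures.append("personal firewall off")
        remediation.append(("enable_firewall", None))
    return failures, remediation


def access_control(policy, posture, today):
    """Any baseline failure sends the system to quarantine; otherwise full access."""
    failures, remediation = baseline(policy, posture, today)
    return Decision("full" if not failures else "quarantine", failures, remediation)


def remediate(posture, remediation):
    """Simulated remediation server: apply each action and return the new posture."""
    patches = set(posture.installed_patches)
    av_date, av_on, fw_on = posture.av_definition_date, posture.av_running, posture.firewall_on
    for action, arg in remediation:
        if action == "install_patches":
            patches.update(arg)
        elif action == "update_av_definitions":
            av_date = arg
        elif action == "start_av":
            av_on = True
        elif action == "enable_firewall":
            fw_on = True
    return Posture(frozenset(patches), av_date, av_on, fw_on)


# Constructed sample data (not taken from the presentation).
POLICY = Policy(frozenset({"patch-A", "patch-B"}), max_av_definition_age_days=7)
TODAY = date(2005, 9, 29)
LAPTOP = Posture(frozenset({"patch-A"}), TODAY - timedelta(days=12),
                 av_running=True, firewall_on=False)


def demo():
    """Quarantine, remediate, re-check: returns the decision before and after."""
    first = access_control(POLICY, LAPTOP, TODAY)
    fixed = remediate(LAPTOP, first.remediation)
    second = access_control(POLICY, fixed, TODAY)
    return first, second


if __name__ == "__main__":
    for decision in demo():
        print(decision.access, decision.failures)
```

The design point is that the baseline produces the remediation list as a by-product of the comparison, so the quarantine stage never has to re-derive what was wrong; a real enforcer would hand that list to the remediation server and re-run `access_control` on the next connection attempt.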

19 Cisco’s NAC
A closed, “invitation only” architecture for protecting Cisco infrastructures only
Requires end-to-end Cisco to be effective
LAN enforcement will not be available until later this year
Rounded up some AV vendors’ support

20 Cisco NAC Components and Decision Making Flow
Diagram components: AV agent, FW agent, OS agent, Cisco Trust Agent (CTA), Cisco ACS Server, router
1. Individual agents report status
2. CTA delivers to ACS
3. ACS checks configured policy version for each policy
4. Based on results, CTA provisions router

21 Layer 3 Protection is not complete
Diagram: L3 Cisco NAC enabled router – CNAC stops infection at the router, but a mobile user spreads infection on his Layer 2 segment

22 Sygate Simplifies CNAC
Diagram components: Sygate agent, Cisco Trust Agent (CTA), Cisco ACS Server, router
1. Sygate collects all compliance information
2. CTA delivers to ACS
4. ACS checks configured Sygate policy version
5. Based on results, CTA provisions router

23 Cisco NAC Architecture

24 Cisco NAC Architecture In Context Of Other Layers
Diagram layers: Policy Mgmt; Policy Decision Point (CNAC); Policy Enforcement Point; Access Device

25 NAC in a Corporate Network
Diagram of NAC components across Site 1, Site 2 and Site 3:
Policy Mgmt and Policy Decision Point (with AD, CNAC)
Policy Enforcement Points: LAN Enforcer, DHCP Enforcer, Gateway Enforcer, Endpoint Enforcer, On Demand Enforcer
Network Services: ACS, Radius Server, DHCP Server, DNS Server, Web Server
Network Access Devices: Modem/DSL
Clients: Security Agent (SSA, SODA), CTA, OS (like MSFT) and/or 3rd party network access clients (DHCP / VPN / .1x / IPsec / Dialer); Windows, Macintosh, Linux, PocketPC access devices; 3rd party applications (AV, Patch, Config, etc.)

26 Microsoft’s NAP
A more open program designed to protect the Microsoft ecosystem only
Open to participation by any network infrastructure vendor
No plans for any support for non-Microsoft OS
Available with Longhorn Server – sometime in 2006

27 Standards Organization focused on computer system security
Over 50 Members
Developing an open standard for any operating system and network infrastructure
Completely open, anyone can join
Specification available early 2005
Also developed a hardware chip specification to:
help ensure the authenticity of hardware – prove system identity;
protect systems from executing software that has become corrupted or hacked.

28 What is 802.1x
802.1x is an IEEE standard for access control for wireless and wired LANs. 802.1x provides a means of authenticating and authorizing devices to attach to a LAN port. This standard defines the Extensible Authentication Protocol (EAP), which uses a central authentication server to authenticate each user on the network.
Layer 2 protocol: 802.1x happens before TCP/IP is established

29 Purpose of 802.1x
Authenticate the user/computer at the network level
Block unauthorized computers from accessing the network
Provide different levels of authentication and encryption security based on administrator’s decision and network needs
Most vendors have extended 802.1x from the RFC definition

30 Enforcement with 802.1x
Diagram components: Login Credentials; 802.1x and EAP; Sygate LAN Enforcer; RADIUS; SMS Remediation Server; Permit or Deny Internet

31 802.1x NAC Solution
Most secure LAN solution
Standards-based: nearly all vendors support
Diagram (Ethernet, Wired User, Switch, Sygate LAN Enforcer, RADIUS server, Sygate Policy Server, Quarantine Network, Quarantine Patch Server):
System sends NAC and user data via EAP (NAC status, or NAC + user credentials)
Switch forwards to LE
LE checks user login with RADIUS server
LAN Enforcer connects system to corporate or quarantine network

32 How DHCP Enforcement works
Systems connecting to the network get a DHCP lease with a short lease time in a “quarantine address space” (secondary IP space or DHCP route filters)
DHCP Enforcer checks for SSA agent and status
If the agent is present and the system is up-to-date, DHCP Enforcer gives the system a new address in the normal address space
If there is no agent, the system remains in the quarantine address space
Exceptions are provided by OS type and MAC address.

33 DHCP NAC Solution- In compliance
Diagram (Mobile Users/Wireless, Wired User, Ethernet Switch, DHCP Enforcer, DHCP Server):
DHCP Request
Unknown system – send route filters or quarantine address
Probe for agent and policy status
Trigger release/renew on pass
DHCP Request
Compliant – send regular address

34 New DHCP NAC Solution- Out of Compliance
Diagram (Mobile Users/Wireless, Wired User, Ethernet Switch, DHCP Enforcer, DHCP Server, Remediation Server):
DHCP Request
Unknown system – send route filters
Probe for agent and policy status
Trigger remediation on failure
Perform remediation action
Trigger release/renew upon completion
DHCP Request
Compliant – remove route filters
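The DHCP enforcement sequence of slides 32 to 34, as an added example rather than Sygate's code: an unknown system first receives a short-lease address from the quarantine space, the enforcer probes it for an agent and policy status, and the release/renew that follows moves a passing system into the normal space while a system without an agent keeps its quarantine address. The address ranges, lease times, OS exemptions and the probe-result interface are assumptions made for the example.

```python
# Added illustration of DHCP-based NAC enforcement (quarantine space, probe,
# release/renew). Not Sygate's code; address ranges, lease times, OS exemptions
# and the probe-result interface are assumptions.
from ipaddress import ip_network

QUARANTINE_LEASE = 60          # seconds: short so the client renews soon after the probe
NORMAL_LEASE = 8 * 60 * 60


class DhcpEnforcer:
    def __init__(self, quarantine_net, normal_net, exempt_os=(), exempt_macs=()):
        self.pools = {"quarantine": iter(ip_network(quarantine_net).hosts()),
                      "normal": iter(ip_network(normal_net).hosts())}
        self.exempt_os = set(exempt_os)        # e.g. printers that can never run an agent
        self.exempt_macs = set(exempt_macs)
        self.status = {}                       # mac -> "compliant" | "noncompliant" | "no-agent"
        self.os_type = {}                      # mac -> OS type learned from the request
        self.leases = {}                       # mac -> current lease
        self.log = []

    def _lease(self, mac, space):
        current = self.leases.get(mac)
        if current and current["space"] == space:
            return current                     # renewing within the same space keeps the address
        lease = {"ip": str(next(self.pools[space])), "space": space,
                 "lease": QUARANTINE_LEASE if space == "quarantine" else NORMAL_LEASE}
        self.leases[mac] = lease
        self.log.append(f"{mac}: {lease['ip']} in {space} space, lease {lease['lease']}s")
        return lease

    def request(self, mac, os_type):
        """Answer a DHCP request: exempt or known-compliant systems get a normal
        address; everything else lands (or stays) in the quarantine space."""
        self.os_type[mac] = os_type
        if os_type in self.exempt_os or mac in self.exempt_macs:
            return self._lease(mac, "normal")
        if self.status.get(mac) == "compliant":
            return self._lease(mac, "normal")
        return self._lease(mac, "quarantine")

    def probe_result(self, mac, agent_present, compliant):
        """Record what the probe of a quarantined address found, then trigger
        release/renew: the renewed request moves a passing system to the normal space."""
        if not agent_present:
            self.status[mac] = "no-agent"
        else:
            self.status[mac] = "compliant" if compliant else "noncompliant"
        self.log.append(f"{mac}: probe -> {self.status[mac]}, release/renew triggered")
        return self.request(mac, self.os_type[mac])


if __name__ == "__main__":
    enforcer = DhcpEnforcer("10.255.0.0/24", "10.1.0.0/24", exempt_os=("printer",))
    enforcer.request("00:11:22:33:44:55", "windows")          # constructed MAC, lands in quarantine
    enforcer.probe_result("00:11:22:33:44:55", True, True)    # passes, renews into normal space
    print("\n".join(enforcer.log))
```

The quarantine lease is deliberately short so that the client comes back for a renew shortly after the probe has finished; a long quarantine lease would leave a remediated system stranded until it expired. Exemptions are matched before any probe so that agentless devices never receive an address they cannot use.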

35 On-Demand Security

36 Ubiquitous Enforcement Requires ON-Demand enforcement capability
Not all systems on a network can have agents installed
Not all systems on a network are owned by the company
Guests may require safe network access
Information must be protected when employees access via 3rd party devices: Internet kiosks, hotel business centers, home PCs

37 On-Demand Value
Problem:
Theft of data from unmanaged devices
Unprotected or compromised devices connecting to the enterprise via web infrastructure
Delivering endpoint security to unmanaged devices (contractors, kiosks, home machines)
Solution:
Protects confidential data by creating a secure environment that provides encryption and file deletion upon session termination
Protection from viruses and worms by enforcing AV and Personal Firewall via Host Integrity
Lower TCO by delivering endpoint protection on-demand via existing web infrastructure

38 The Market in Which SODA Plays
Gartner Has Defined the Market… Six Critical Requirements for On-Demand Security (with the matching SODA feature):
Client Integrity Checkers – SODA Host Integrity
Browser Cache File Cleanup – SODA Cache Cleaner
Behavioral Malicious Code Scanners – SODA Malicious Code Prevention
Personal Firewall Mini-Engines – SODA Connection Control
Protected Virtual User Sessions – SODA Virtual Desktop
Dynamic User Access Policies – SODA Adaptive Policies
Source: “Access From Anywhere Drives Innovation for On-Demand Security”, Gartner, ID Number: G , March 21, 2005.

39 On-Demand Security Agent
On-Demand Agent components: Host Integrity; Adaptive Policies; Virtual Desktop; Data Sanitization; Persistent Desktop; Malicious Code Protection; Customizable User Environment

40 When Do You Need On-Demand?
Diagram labels: Thin Client/Server Applications; Web-based Applications; Traditional Client/Server Applications; File Share; Public Kiosk; Traveling Executives; Partner Extranet
Examples: SSL VPN, Guest Wireless, Webmail, Enterprise Web Apps (ERP/CRM), Online Banking/E-Commerce, Terminal Services (Citrix)

41 Citrix
Business Drivers: Speed application deployment; Access from anywhere; Access from any device
Data at Risk: Citrix login password; Screen images; Browser history

42 HR/Financial/Partner Portals
Business Drivers: Web-based access to payroll and employee information; Eliminate cost of printing and mailing paychecks
Data at Risk: Portal login password; PDF paycheck stub; Payroll system

43 Architecture - How It Works
Flow (from the diagram):
Administrator creates Sygate On-Demand Agent (Sygate On-Demand Manager)
Administrator uploads Sygate On-Demand Agent
User connects to login page
Sygate On-Demand Agent downloads (Java)
Sygate On-Demand Agent verifies Host Integrity
Sygate On-Demand Agent adapts policies to environment
If compliant, On-Demand launches the Virtual Desktop or Cache Cleaner
Virtual Desktop or Cache Cleaner then launches the login process
User logs into SSL VPN/Web App and gets access to network
User can securely download, view, modify, and upload corporate information
Upon inactivity or closing, VD is closed and data erased
Host Integrity rules shown (with status): Patch Updated; Service Pack Updated; Personal Firewall On; Anti-Virus Updated; Anti-Virus On
Adaptive Policies table (Policy / Network Location / Device Type) with rows for a Guest Laptop on the Internal LAN, a Kiosk on the Public Internet, Employee Home on a Home Network, and a Corporate-Owned device running SSA on an Airport WLAN; policies shown: VD, HI; VD, HI, Persistent; Trusted
Other diagram components: Sygate Enforcer, Radius, Remediation, Correlator, Web Applications, Discovery Engine, 802.1x Switch, Firewall, ATM, Printer, Wireless, Workstation, IPSEC VPN, Kiosk, Guest, SSL VPN, Hotel, Traveling Executive, Partner

44 Sygate On-Demand Qualification
Enterprises providing access to corporate information through web applications:
Web Mail – Outlook Web Access and Lotus iNotes
SSL VPN – Netscreen, Aventail, Nortel, Netilla
Citrix
Portals – Financial, HR, Partner
Web CRM – Siebel
Financial Applications – SAP financials
Critical Qualification Information:
What are the web applications in use?
What are the different types of users and devices?
Do they want different policies for different situations?
Do they want to check the security of the computer before allowing access?

45 SSL VPN
Business Drivers: Low cost remote access; Access from anywhere
Data at Risk: SSL VPN login password; Shared files; Application data
Diagram labels: Thin Client/Server Applications; Web-based Applications; Traditional Client/Server Applications; File Share; Public Kiosk; Traveling Executives; Partner Extranet

46 Securing Remote Access with SSL VPN
Diagram: WWW; Private Network (protected network resource, application, or service); “Bind to AM”; “Policy based on scan”
Managed Device: Sygate Security Agent (part of Sygate Secure Enterprise) is pre-installed on the managed device to provide firewall, intrusion prevention, and policy enforcement. The Juniper Host Checker verifies that the Sygate Security Agent is running.
Unmanaged Device: Upload Sygate On-Demand Agent (part of Sygate On-Demand) using either Customer UI or as a Host Checker Package. NetScreen Host Checker packaged with NHC Server API extensions.
- User connects to SSL VPN and is subject to Host Integrity Check
- Sygate On-Demand Agent checks Host Integrity, and installs Cache Cleaner or Virtual Desktop.

47 Agenda
The Challenges: Market, Technical, Regulatory
Trends and Key Developments
Requirements of Endpoint Security
Case Study
Conclusions

48 Enterprise Protection
Problem – Networks and endpoints are vulnerable, causing: propagation of malicious code; leakage of sensitive information; lost user productivity; increased support costs
Solution – Safeguard computers, networks, and data by: ridding the network of non-compliant endpoints with NAC; ensuring Compliance on Contact™ across all entry points; protecting endpoints with a Host Intrusion Prevention

Speaker notes: Here’s a bit more color. If you’re going to implement Continuous Compliance for strategic advantage, you need to design a solution that has the capability to cover everything. Sygate offers agents which deliver Continuous Compliance for corporate-issued equipment. We have virtual agents for devices you can’t put agents on, such as partner or employee’s home equipment or kiosks. We also have a new product that scans things that are fundamentally unagentable like printers or medical equipment, or any IP-addressable device that could expose a corporate network to damage or loss. And again the solution works on devices outside the LAN and inside.
Three products, one solution – eliminate compromised devices from the corporate network:
Sygate Secure Enterprise (SSE) – managed devices: agents run on corporate-owned devices to ensure compliance
Sygate Security Portal (SSP) – unmanaged devices: downloadable agent checks partners’, contractors’ & vendors’ devices before allowing them to connect to the corporate network
New Sygate solution – unmanageable devices: discovers devices and checks their compliance levels
Segue: Finally, it isn’t strategic if it can’t be amortized across multiple challenges, if it doesn’t get you ahead of the game. Let’s look at each one of these products in more detail.

49 Enterprise Protection Features
Diagram comparing Current Enterprise Protection with Next Enterprise Protection. Feature groups shown: Enterprise Management; HIPS (OS Protection, Buffer Overflow Protection, File/Registry Access Control, Process Execution Control); Device (Peripheral Device Control); AS (Anti-Spyware); NAC (DHCP Enforcement, Host Integrity If...Then...Else, 802.1x, Wireless Support, Cisco NAC, Wireless Detection, And...Or...Not Conditions); Adaptive Policies; IDS (Signature-Based IDS, IDS Desktop Firewall); FW (Traditional Desktop FW)

50 Enterprise End-Point Device Protection Features
Host Intrusion Prevention System (HIPS)
Network Access Control (NAC)
Adaptive Policies
End-Point Intrusion Prevention
End-Point Firewall

51 HIPS & The Vulnerability Lifecycle
Timeline stages: Vulnerability Discovered; Exploit Released; Patch Available; Patch Deployed. Intervals shown: 14-90 days; 0-200 days; 3 days to never.
Protection layers across the lifecycle: Network Access Control; Behavioral (HIPS) & White List (Firewall); Blacklist (Anti-Virus & IDS Signatures); Patches

52 Host Intrusion Prevention System
Table: Protection Layer / Black List Method / White List Method / Behavior Method
Network Layer: Code Red / Personal Firewall / ARP Poisoning
Application Layer: SQL Slammer / Allow Only Browser, Block IIS / Buffer Overflow
OS Layer: Blaster Signature / Prevent Malware from Creating Accounts / Block OS Buffer Overflow (RPC DCOM)
Device Layer: Block iPod USB Key / Allow only Mice and Keyboards / Block read/write/exe by device and location

53 Server Protection Solution
Diagram of server protection layers (groupings as readable from the slide):
Applications: Process Execution, Application Behavior, Block DLL Loading, SQL Injection, Privilege Escalation, Account Creation, Auto Start, Code Execution
File / Registry: File Integrity, File Access, Registry Control, Anti-Hijacking
Device: Device Control, File Read/Write/Exe by device, Data Theft, Spyware, System Lockdown
CPU & Kernel: Rootkits, DoS, Worms
Network: Firewall, IPS
Memory: Buffer Overflows, Shatter Attacks, Memory Firewall, NX Emulation

54 NAC in a Corporate Network
Diagram of NAC components across Site 1, Site 2 and Site 3:
Policy Mgmt and Policy Decision Point (with AD)
Policy Enforcement Points: LAN Enforcer, DHCP Enforcer, Gateway Enforcer, Endpoint Enforcer, On Demand Enforcer
Network Services: Radius Server, DHCP Server, DNS Server, Web Server
Network Access Devices: Modem/DSL
Clients: Security Agent (SSA, SODA), OS (like MSFT) and/or 3rd party network access clients (DHCP / VPN / .1x / IPsec / Dialer); Windows, Macintosh, Linux, PocketPC access devices; 3rd party applications (AV, Patch, Config, etc.)

55 Network Access Control Solution

56 Network Access Control
Problem – Insecure endpoints connecting to networks results in: malicious code propagation; theft of sensitive information; exposure to regulatory penalties
Solution – NAC protects enterprise networks by: discovering endpoints & compliance with security policies; enforcing network access throughout the entire network; remediating non-compliant endpoints; monitoring the network continuously

57 Enterprise NAC Requirements
Pervasive Endpoint Coverage: managed (laptops, desktops, servers); unmanaged (guests, contractors, home computers)
Central, Scalable, Flexible Policy Management: distributed servers, redundancy, database replication, AD integration
Universal Enforcement: (W)LAN, IPSec VPN, SSL VPN, Web Portal
Integration with Existing and Emerging Standards: 802.1x, Cisco NAC, Microsoft NAP, TCG’s TNC
Automated Remediation Process: no user intervention required; learning mode and discovery tools

58 Endpoint Intrusion Prevention
Intrusion Prevention protects against known attacks on services that are required
Runs “behind the firewall” to increase system protection
Uses signatures to match known attacks, reducing the occurrence of false positives
Examples – SQL Slammer, Code Red
Must log security events
Diagram: Code Red blocked (X) by the IDP behind the Firewall; Valid Request passes

59 Endpoint Firewall Requirements
Packet Filtering: closes ports that are not required but left open by default – Windows Messenger, SQL, etc.
Stateful Packet Inspection: blocks inbound packets that do not correspond to established flows; protects open ports from attack; blocks protocol-based attacks
Must operate both inbound and outbound: block unauthorized outbound communications
Must log security events
Diagram: Slammer exploit to SQL port 1434/udp – blocked (X); Messenger spam to Messenger port 6891/tcp – blocked (X); User Request – permitted; Response – permitted; Unexpected Response – blocked (X)
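The requirements above, as an added example that is not Sygate's firewall code: a small stateful endpoint firewall that keeps every port closed by default, records outbound flows so that only the matching reply is admitted, refuses outbound traffic from applications not on the allow list, and logs every verdict. The packet fields, the sample addresses (RFC 5737 TEST-NET ranges) and the application names are constructed for the example; the 1434/udp and 6891/tcp cases are the ones drawn on the slide.

```python
# Added illustration of an endpoint firewall: default-closed ports, stateful
# inbound filtering against established flows, outbound application control,
# event logging. Not Sygate's code; packet fields, sample addresses (RFC 5737
# TEST-NET) and application names are constructed for this example.
class EndpointFirewall:
    def __init__(self, listen_ports=(), allowed_apps=()):
        self.listen_ports = set(listen_ports)  # (proto, port) allowed to accept unsolicited packets
        self.allowed_apps = set(allowed_apps)  # applications authorised to originate traffic
        self.flows = set()                     # (proto, local_port, remote_ip, remote_port)
        self.events = []                       # security event log, one line per verdict

    def _log(self, verdict, direction, pkt, reason):
        self.events.append(f"{verdict} {direction} {pkt['proto']} "
                           f"{pkt['remote_ip']}:{pkt['remote_port']} <-> local:{pkt['local_port']} ({reason})")
        return verdict

    def outbound(self, pkt):
        """pkt: {'app', 'proto', 'local_port', 'remote_ip', 'remote_port'}."""
        if pkt["app"] not in self.allowed_apps:
            return self._log("BLOCK", "out", pkt, f"unauthorized application {pkt['app']}")
        # Record the flow so that the reply from this peer and port is admitted later.
        self.flows.add((pkt["proto"], pkt["local_port"], pkt["remote_ip"], pkt["remote_port"]))
        return self._log("PERMIT", "out", pkt, "flow established")

    def inbound(self, pkt):
        """pkt: {'proto', 'local_port', 'remote_ip', 'remote_port'}."""
        key = (pkt["proto"], pkt["local_port"], pkt["remote_ip"], pkt["remote_port"])
        if key in self.flows:
            return self._log("PERMIT", "in", pkt, "matches established flow")
        if (pkt["proto"], pkt["local_port"]) in self.listen_ports:
            return self._log("PERMIT", "in", pkt, "explicitly opened port")
        # Default: every other port is closed, including ones the OS leaves open.
        return self._log("BLOCK", "in", pkt, "no matching flow, port closed")


def build_workstation_firewall():
    """Constructed policy: remote desktop may be reached; only the browser may talk out."""
    return EndpointFirewall(listen_ports={("tcp", 3389)}, allowed_apps={"iexplore.exe"})


if __name__ == "__main__":
    fw = build_workstation_firewall()
    fw.outbound({"app": "iexplore.exe", "proto": "tcp", "local_port": 3201,
                 "remote_ip": "203.0.113.10", "remote_port": 443})
    fw.inbound({"proto": "udp", "local_port": 1434,               # Slammer-style probe
                "remote_ip": "198.51.100.7", "remote_port": 1434})
    print("\n".join(fw.events))
```

The flow key includes the remote address and port, which is what distinguishes the permitted Response from the Unexpected Response on the slide: a packet to the same local port from a different peer has no matching flow and is dropped even though the port is in use.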

60 Layered Protection: Agent + EP FW + Host Integrity
Vulnerabilities Exploited – Gartner
Strategic Planning Assumption: Ninety percent of all Internet security incidents will take advantage of misconfigured or misadministered software (0.8 probability).
Chart: Vulnerabilities Exploited (Misconfiguration, Old Patch, Recent Patch, New Vulnerability) with the Sygate layer covering each: Agent + EP FW + Host Integrity; IPS (Source: Gartner Research)

Speaker notes: Here we see the way Gartner Group looks at the problem of protection. They are above all pragmatists and their research has shown that:
60% of all exploits take advantage of misconfigurations such as: file sharing being left on when wirelessly connected to the internet from Starbucks; security applications that have been turned off; AV virus definitions that are not up-to-date; use of forbidden applications, unnecessary services being turned on or unsafe usage patterns.
Another 25% take advantage of old patches that haven’t been installed on computers even though they have been around for ample time to have been installed.
Another 10% of exploits take advantage of known vulnerabilities that have been fixed by recent patches.
Finally the last 5% or less are brand new vulnerabilities that are exploited before signatures or patches are available.
Sygate takes a layered approach which provides superior protection against all of these exploit classes. Our protection has 4 elements: smart agent with host integrity capability; world class personal firewall; proven signature based IPS solution; pragmatic behavioral based intrusion prevention.
Our strong belief is that configuration issues are best fixed by making sure that computers are configured properly prior to allowing them to access the corporate network. We also believe that configurations must be checked even if the computer isn’t currently connected to the corporate network but rather surfing the internet from some remote location. Our smart agent can do both, while making sure that only the right configurations and right applications are permitted and wrong applications and services are turned off.
Our personal firewall makes sure that only authorized applications, ports, and protocols are allowed to communicate on the network. The Sygate personal firewall component protects endpoints from network-propagated worms, malicious applications that attempt to send outbound network traffic, and other network-based exploits. It also stealths your computer so that hackers can’t scan your system to understand its vulnerabilities, and prevents hackers from being able to take over your system.
Our IPS engine takes a signature-based approach to protection – this means that exploits are blocked quickly and efficiently without the pain of numerous false positives that burn staff time chasing them down. IPS signatures are the smartest way to address known vulnerabilities before the OS or applications have had a chance to be patched. Sygate is a subscriber to the I-Defense vulnerability service which provides us early warning about vulnerabilities and their associated exploits and gives our signature team time to craft signatures in time to block most exploits before they cause harm. The elements of our IPS engine include:
Signature-Based Protection Features
• Deep Packet Inspection – Filters packets based on any part of the packet, including the header and data portion, to block known exploits.
• Trojan Protection – Monitors every running application to verify that no Trojan is running.
• DoS Protection – Protects against DoS attacks by blocking anomalous network traffic patterns.
The Sygate Agent delivers strong zero-day protection to protect against exploits targeting new vulnerabilities. Our agent uses 6 behavior techniques to protect against day zero exploits including:
Behavior-Based Protection Features (Zero-Day protection)
• Application-Centric Policy Control – Blocks anomalous behavior, preventing code injection and application compromise, thus ensuring that applications only utilize correct ports, services and DLLs.
• Smart Protocol Filtering – Behavior-based protection from protocol-borne exploits.
• Anti-IP and Anti-MAC Spoofing – Prevents hackers from masquerading as an authorized user, using that user’s IP and MAC addresses.
• Driver Level Protection – Blocks hackers from loading their own protocol drivers by bringing drivers under policy control and monitoring.
• Port Scan Protection – Behavior-based protection that blocks hackers from port scanning, which is often used to discover open ports for exploit.
• Host Integrity Checking – The Sygate Agent tests the endpoint’s compliance with the complete set of security policies prior to network access and only grants access if the endpoint is 100% compliant.
Conclusion: Sygate’s unique layered approach delivers unprecedented protection by attacking each class of exploits with the best possible approach. The intelligent Sygate agent and the personal firewall eliminate the exposures caused by mis-configuration and missing patches by making sure that computers are properly configured before they are allowed to connect. For recent exploits Sygate’s product provides a proven signature based IPS engine that can protect computers with greater accuracy than behavioral protection alone. Sygate’s behavioral based features eliminate “Zero Day” exploits by blocking anomalous behaviors. Some of our competitors have tried to make the best of their narrow protection solution by trying to focus your attention only on day zero exploits. Attempting to address all of these different classes of exploits with a single, difficult-to-deploy technology isn’t in any company’s best interest. It can’t address the configuration issues at all and attempts to address the other exploit classes with a complex system prone to generating false positives and blocking legitimate applications which will cause pain to both IT and users.
Sygate’s unique layered approach brings the intelligence of the Sygate agent, its best-of-class personal firewall, proven IPS solution and pragmatic behavior based approach to deliver unprecedented protection.
(The Gartner “Netscape” note attached to this slide repeats the note on slide 5.)

61 Continuous Compliance Model
Security Policy Rely on User Discipline System Enforcement

62 Requirements for Enforcement
Continuous: must work across all access methods, at all times, for all users
Consider corporate-owned, guest, managed, unmanaged, and unmanageable systems
Must provide automatic remediation, not just deny access
All endpoints, all accesses, all networks, all users

63 Enterprise Protection Solution

64 Location Based (Adaptive) Rules
Security policies must adapt from HQ to hotel to home to hotspot. Policies must change by role, device type, location and connection. Without adaptive policies, companies must choose either good security or productive users.
Adaptive protection allows Chief Security Officers and their staffs to have both happy users and secure endpoints. Our agent is smart enough to adapt security policies as users change location from HQ to hotel, to home, to a hotspot, and change connection methods from Ethernet to VPN to DSL to wireless. Without adaptive policy you will be forced to choose between employee happiness and security. You should not have to make that choice; with our solution you don’t.
Adaptive Policies
Role          Device Type       Network Location   Policy
Executive     Corporate Owned   Enterprise LAN     Trusted, file sharing on, full application access
Sales person  Employee Owned    Home wireless      File sharing off, IM off, print sharing off, VPN on, limited application access
Outsourcer    Unknown           Public Internet    VD, HI, SSL VPN access only and web mail only with data sanitization
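The three ideas on the preceding slides (host integrity checking that admits only 100%-compliant endpoints, enforcement that remediates rather than only denying, and policies that adapt to role, device type and network location) fit together as one small decision routine. The following is an added illustration written for this transcript, not Sygate’s code: the policy attributes, the rule table, the four integrity checks with their thresholds and the remediation strings are all constructed assumptions modelled on the Role / Device Type / Network Location table above. It goes one step beyond the table by adding wildcard rules, a most-restrictive-wins tie-break, and a fail-closed default for contexts no rule recognises.

```python
"""Adaptive endpoint policy with host-integrity gating (constructed example).

Not Sygate code: the rule table, the integrity checks and the remediation
actions are assumptions modelled on the slide's Role / Device / Network table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    file_sharing: bool
    im_allowed: bool
    vpn_required: bool
    app_access: str       # "full", "limited", "webmail" or "remediation-only"
    restrictiveness: int  # higher value wins when several rules match


# Constructed policies, roughly following the slide's three rows plus a quarantine.
TRUSTED = Policy("trusted", True, True, False, "full", 0)
REMOTE = Policy("remote", False, False, True, "limited", 1)
UNTRUSTED = Policy("untrusted", False, False, True, "webmail", 2)
QUARANTINE = Policy("quarantine", False, False, False, "remediation-only", 3)

# Rule patterns over (role, device, network); "*" matches anything.
RULES = [
    (("executive", "corporate", "enterprise_lan"), TRUSTED),
    (("sales", "employee_owned", "home_wireless"), REMOTE),
    (("outsourcer", "unknown", "public_internet"), UNTRUSTED),
    (("*", "unknown", "*"), UNTRUSTED),          # any unknown device is untrusted
    (("*", "*", "public_internet"), UNTRUSTED),  # any public network is untrusted
]


def select_policy(role, device, network):
    """Pick the policy for a context: most restrictive match wins, no match fails closed."""
    context = (role, device, network)
    matches = [policy for pattern, policy in RULES
               if all(p == "*" or p == c for p, c in zip(pattern, context))]
    if not matches:
        return QUARANTINE  # fail closed: an unrecognised context gets the tightest policy
    return max(matches, key=lambda p: p.restrictiveness)


# Host integrity checks: name -> (predicate over endpoint state, remediation action).
# The thresholds (7-day signature age, patch level 3) are constructed assumptions.
HI_CHECKS = {
    "av_running": (lambda s: s["av_running"], "start antivirus service"),
    "av_signatures_fresh": (lambda s: s["av_sig_age_days"] <= 7, "update antivirus signatures"),
    "firewall_enabled": (lambda s: s["firewall_enabled"], "enable personal firewall"),
    "patch_level": (lambda s: s["patch_level"] >= 3, "install missing patches"),
}


def host_integrity(state):
    """Return the names of failed checks; an empty list means 100% compliant."""
    return [name for name, (check, _) in HI_CHECKS.items() if not check(state)]


def admit(role, device, network, state):
    """Gate network access: a non-compliant endpoint is quarantined together with the
    remediation steps it needs; a compliant one gets the adaptive policy for its context."""
    failed = host_integrity(state)
    if failed:
        return QUARANTINE, [HI_CHECKS[name][1] for name in failed]
    return select_policy(role, device, network), []


if __name__ == "__main__":
    compliant = {"av_running": True, "av_sig_age_days": 1, "firewall_enabled": True, "patch_level": 3}
    stale = dict(compliant, av_sig_age_days=30)
    print(admit("executive", "corporate", "enterprise_lan", compliant))
    print(admit("sales", "employee_owned", "home_wireless", stale))
```

The design point is the ordering of the two gates: host integrity runs first, so a non-compliant executive on the enterprise LAN is still quarantined and handed remediation steps, and only a compliant endpoint is ever evaluated against the location rules.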

65 Enterprise-Class Management
Scalable Multi-Server Architecture: Policy & Log Replication; Policy Distribution (Push/Pull); Configurable Priority/Load Balancing
Policy Management: Group hierarchy w/ inheritance; Manage by computer or user; Reusable policy objects; AD user and group synchronization
Centralized Logging and Reporting: Event forwarding (Syslog, SIMs); Daily or Weekly e-mailed Reports

66 Agenda The Challenges: Market, Technical, Regulatory Trends and Key Developments Requirements of Endpoint Security Case Study Conclusions

67 Solution Highlights VPN & Wireless Protection
Rogue Prevention (802.1x)
Zero-Day Protection
Application Control
Device Discovery
Policy Enforcement
Safe Third-Party Access
Regulatory Compliance
On-Demand Protection
Solution Highlights: The way we think of it as a vendor, evolution favors a strategic solution, one that can be amortized over multiple problems. Sygate ensures VM strategies do just that. When it was just hackers and script kiddies doing port scans, personal firewalls were an effective solution. VPN and wireless created a second set of exposures that required enhanced sensitivity to the environment (i.e. home networks). AV and patch enforcement emerged as another category of exposure recently. Changes in national security levels became another exposure relative to cyberthreats, which required real-time enforced policy reactions. Protecting corporate networks from exposure by outsourcers or other business partners while improving their access to valuable applications and information has moved to the fore recently. Protecting web access at kiosks was brought into sharp focus by the Kinko’s keystroke logger incident. Making XP safe by locking down unwanted features enables deployment of an improved environment. And most recently, application vendors like Diebold are using endpoint protection as part of the strategy to keep access to the most fundamental of all customer-facing applications, the ATM machine, safe.

68 Case Study – Enforcing Basic Security Standards
Customer: US division of a large international retail food company
Business: The company owns 1600 retail food stores on the eastern seaboard under various brand names
Business Drivers: Reduce cost associated with virus and worm outbreaks; Support outsourcing relationships in which vendors’ equipment is on site; Reduce cost of laptop management

69 Case Study – Enforcing Basic Security Standards
Business Requirement:
Maintain minimum security safeguards on the company’s 2000 laptops, most of which log in remotely
Enable remote third-party control (administrative rights) over specific internal servers without compromising corporate security
Protect the internal network from endpoint security breaches
Able to work on a variety of Windows versions, including 2000, XP, and NT

70 Case Study – Enforcing Basic Security Standards
Actions:
Install End-Point Security Agents on all existing laptops during scheduled configuration upgrade
Install End-Point Security Enterprise Management Server for policy enforcement
Add End-Point Security Agents to standard configuration policy on all new machines, including internal servers
Install End-Point Security Agents on existing internal servers administered by outside vendor partners
Install End-Point Security Agents on all new servers deployed

71 Case Study – Enforcing Basic Security Standards
Protecting their network: When the End-Point Security Agents launched Norton Antivirus on those home machines, they caught and identified upwards of 200 viruses that would otherwise have entered the network. Each incident could easily have cost the company US$50,000 to clean up, not to mention productivity losses during network interruptions. If one of those viruses had gotten loose in the system, an eight-man LAN server team and a three-man mitigation team would have had to spring into action. This type of remediation could take as many as three days for each virus.

72 Case Study – Enforcing Basic Security Standards
Unexpected Benefit: Blaster worm outbreak
Used Tivoli software distribution to push out a security patch
End-Point Security icons blinking red on executives’ machines
Checked the logs for the attack origin
Followed the IP addresses and found four new laboratory production servers which, being as yet unregistered, had missed the patch push
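The triage the case study describes (read the agents’ block events, follow the source addresses, and check them against the asset inventory to find the machines the patch push never reached) is a short log-analysis job. The following is an added example written for this transcript, not the product’s own log format or tooling: the key=value line layout, the seven sample log lines and the two-entry inventory are constructed, as is the assumption that the agents log blocked connections with the source address. It filters on TCP port 135, the port Blaster used to propagate, and ranks attacking sources so that unregistered hosts surface first.

```python
"""Triage endpoint-agent block events against the asset inventory (constructed example).

Not the product's log format: the line layout, the sample log lines and the
inventory are constructed assumptions resembling what the case study describes.
"""
from collections import Counter
import re

# Constructed agent log lines: agents on several executive laptops block inbound
# TCP/135 (the port Blaster used to propagate) from a few internal addresses.
SAMPLE_LOG = """\
2003-08-12T09:14:02 host=exec-lt-07 action=block proto=tcp dport=135 src=10.20.5.11 rule=smart_protocol_filter
2003-08-12T09:14:05 host=exec-lt-07 action=block proto=tcp dport=135 src=10.20.5.12 rule=smart_protocol_filter
2003-08-12T09:14:09 host=exec-lt-03 action=block proto=tcp dport=135 src=10.20.5.11 rule=smart_protocol_filter
2003-08-12T09:14:11 host=exec-lt-03 action=allow proto=tcp dport=445 src=10.20.7.40 rule=file_server_access
2003-08-12T09:14:20 host=exec-lt-09 action=block proto=tcp dport=135 src=10.20.5.11 rule=smart_protocol_filter
2003-08-12T09:14:31 host=exec-lt-09 action=block proto=tcp dport=135 src=10.20.5.12 rule=smart_protocol_filter
2003-08-12T09:14:40 host=exec-lt-09 action=block proto=tcp dport=135 src=10.20.7.40 rule=smart_protocol_filter
"""

# Constructed asset inventory: registered address -> hostname. Addresses missing
# here are exactly the machines a software-distribution patch push would skip.
INVENTORY = {"10.20.7.40": "fileserver-01", "10.20.1.5": "patch-mgmt-01"}

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one 'timestamp key=value ...' agent log line into a dict."""
    timestamp, _, rest = line.partition(" ")
    event = dict(FIELD.findall(rest))
    event["timestamp"] = timestamp
    return event


def attack_sources(log_text, dport="135"):
    """Count blocked connection attempts to the given destination port per source address."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event.get("action") == "block" and event.get("dport") == dport:
            hits[event["src"]] += 1
    return hits


def triage(log_text, inventory, dport="135"):
    """Rank attacking sources (most active first) and list those absent from the inventory."""
    hits = attack_sources(log_text, dport)
    ranked = [(src, count, inventory.get(src)) for src, count in hits.most_common()]
    unregistered = sorted(src for src, _, name in ranked if name is None)
    return ranked, unregistered


if __name__ == "__main__":
    ranked, unregistered = triage(SAMPLE_LOG, INVENTORY)
    for src, count, name in ranked:
        print(f"{src:15} {count:3} blocked  {name or 'NOT IN INVENTORY'}")
    print("unregistered sources to patch first:", unregistered)
```

A registered host that also shows up as a source (fileserver-01 here) is still worth a look, but the unregistered ones are the actionable finding: they are both infected and outside the patch-management scope, which is the situation the case study hit.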

73 Summary
Fusion of endpoint security and network access control will be a top priority for large enterprises
Corporations need more sophisticated endpoint security solutions, e.g. central management, reporting, policy control
Automates the complete compliance and enforcement process on contact:
all computers - corporate, consultant, guest, student, outsourcer
all access - LAN, Wireless, Remote, Mobile
all users - from engineers to executives
on all networks, friendly or hostile - corporate, home, hotel, business center, airport, the Internet
from all threats - malicious access, misconfiguration, and misuse

74 THANK YOU! Richard Lau richardlau@udshk.com UDS Data Systems Ltd.

