Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.


1 Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013

2 Agenda
– Threat landscape and current approach
– The anatomy of an attack
– Next generation endpoint security

3 THREAT LANDSCAPE AND CURRENT APPROACH

4 Recapping the Problem

5 >99.9% of malware samples received in 2012 were Targeted at Windows

6 The Traditional Approach – works to a point Signatures

7 The Traditional Approach – works to a point Generics

8 The Traditional Approach – works to a point Heuristics and Sandboxing

9 Two fundamental problems with today's approach…
Detection
– 1 new threat each second versus 1 signature update per day
– New signature updates could be produced more frequently, but cannot be consumed more quickly by endpoints
– The cloud helps, but we cannot check every file with the cloud
– Signatures don't help against APTs and zero-day attacks
Performance
– Scanning all files for all things takes time
– As the number of threats multiplies, the cost of scanning multiplies with it

10 THE ANATOMY OF AN ATTACK

11 Four Phases of an Attack
First Contact (how the attacker first crosses paths with the target):
  Physical Access | Unsolicited Message | Network Access | Malicious Website or URL
Local Execution (how the attacker gets code running):
  Social Engineering | Configuration Error | Exploit
Establish Presence (how the code persists on the system, to survive reboot):
  Download Malware | Escalate Privilege | Self-Preservation | Persist on System
Malicious Activity (the business logic: what the attacker wants to accomplish):
  Propagation | Bot Activities | Identity & Financial Fraud | Tampering | Adware & Scareware

12 Four Phases of an Attack, e.g. Fake AV
Same four-phase matrix as the previous slide:
First Contact (how the attacker first crosses paths with the target):
  Physical Access | Unsolicited Message | Network Access | Malicious Website or URL
Local Execution (how the attacker gets code running):
  Social Engineering | Configuration Error | Exploit
Establish Presence (how the code persists on the system, to survive reboot):
  Download Malware | Escalate Privilege | Self-Preservation | Persist on System
Malicious Activity (the business logic: what the attacker wants to accomplish):
  Propagation | Bot Activities | Identity & Financial Fraud | Tampering | Adware & Scareware
Path highlighted for the Fake AV example: Malicious Website or URL → Exploit → Persist on System, with the payoff falling under Adware & Scareware.

13 A generic approach to protection
Same four-phase matrix (First Contact | Local Execution | Establish Presence | Malicious Activity), with a protective control placed against each cell. The controls listed on the slide (the per-cell placement is not preserved in the transcript):
– Device control, hard disk encryption
– Web filtering, host firewall, network access control
– Email filtering
– Memory & kernel protection
– Database monitoring
– On-access scanning
– Access protection rules
– Application whitelisting
– Auditing
– Integrity monitoring

14 Does this approach work? Source: Aberdeen Group, March 2012

15 NEXT GENERATION ENDPOINT SECURITY

16 Context-Aware Endpoint Platform
First-generation:
– Desktop/Laptop only
– Blacklist files
– Focus on devices
– Windows only
– Static device policy
– Disparate, disconnected management
Next-generation endpoint security:
– Endpoints covered: Desktop, Laptop, Mobile, Server, Virtual, Embedded, Data Center
– Layers covered: Cloud, Application, Database, OS, Chip
– Unified Security Operations: Security Information and Events, Risk and Compliance, real-time information

17 Next Generation Anti-Malware Core: Technology Overview
– Flexible: multiple content streams; updateable components
– Reputation enabled: file, IP, site and domain reputation; prevalence
– Resilient: advanced repair; built-in false-positive prevention logic; centralized quarantine
– Signature-less detection: shellcode and script exploits; reputation- and trust-based process restrictions; environmental heuristics; process profiling
– High performance: adaptive scanning and dynamic scan avoidance using trust logic; static and dynamic whitelisting
– Context awareness: OS, application, network, file, registry, memory, process execution

18 Adaptive scanning and false avoidance

19 Traditional combined with reputation
– Global Threat Intelligence: cloud lookups for file, URL, domain and IP reputation, plus metadata
– Traditional signatures
– Generics and heuristics
What do you do about the remaining items, with various levels of suspiciousness?

20 Intelligent Trust and Selective Scanning
Define multiple scanning states (Low / Normal / High), each providing a different level of monitoring and hooking different kernel activity:
– Trusted: limited set of events monitored
– Normal: intermediate set of events monitored
– Suspicious: full set of events monitored
Categorise a file based on what is known about it:
– Where did it come from (Internet, USB, local network, …)?
– How did it arrive (trusted process, user, …)?
– What else is known about it?
Processes inherit the trust of their binary image file, and each process is monitored according to its scanning state.

21 Adaptive Scanning based on behavior
Malware families follow certain behavioural patterns, so observe what grey files and processes do, looking for suspicious behaviour, and keep track of events in a local database. Change state (Low / Normal / High) based on behaviour, e.g. if something suspicious is seen, increase event monitoring for that process:
– Connects to a known bad IP or URL: more suspicious
– Signed by a known trusted certificate: less suspicious
Get aggressive, but in a highly targeted way!
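The two slides above describe a small state machine: a grey file is scored from its provenance, the process launched from it inherits that score as a scanning state, and events observed at that state can push the process into heavier monitoring. The code below is an added illustration of that model, written for this page; it is not McAfee code, and the reputation tables, signer list, scoring weights, state thresholds and per-state event sets are all assumptions chosen for the example.

```python
"""Adaptive, trust-based selective scanning (added illustration, not McAfee
code).  Reputation tables, scoring weights, thresholds and the per-state
event sets below are assumptions chosen for the example."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional, Tuple


class TrustState(IntEnum):
    TRUSTED = 0      # limited set of events monitored
    NORMAL = 1       # intermediate set of events monitored
    SUSPICIOUS = 2   # full set of events monitored


# Kernel events hooked for a process in each state (assumed sets).  The
# performance win comes from the TRUSTED set being tiny.
MONITORED_EVENTS = {
    TrustState.TRUSTED: {"process_create"},
    TrustState.NORMAL: {"process_create", "network_connect", "file_write"},
    TrustState.SUSPICIOUS: {"process_create", "network_connect", "file_write",
                            "registry_write", "memory_inject", "service_install"},
}

# Constructed stand-ins for cloud reputation lookups (file hash, IP) and the
# local list of trusted code-signing identities.  All values are made up.
FILE_REPUTATION = {"sha256:1111aaaa": "known_good", "sha256:2222bbbb": "known_bad"}
BAD_IPS = {"198.51.100.23"}
TRUSTED_SIGNERS = {"Example Corp Code Signing"}

ORIGIN_WEIGHT = {"installed": -1, "local_net": 0, "usb": 1, "internet": 1}
ARRIVAL_WEIGHT = {"trusted_installer": -1, "user_copy": 0, "browser": 1}


@dataclass
class FileInfo:
    sha256: str
    origin: str                   # key of ORIGIN_WEIGHT: where did it come from?
    arrived_via: str              # key of ARRIVAL_WEIGHT: how did it arrive?
    signer: Optional[str] = None
    prevalence: int = 1_000_000   # endpoints that have reported this hash


def score_to_state(score: int) -> TrustState:
    if score <= -1:
        return TrustState.TRUSTED
    if score >= 3:
        return TrustState.SUSPICIOUS
    return TrustState.NORMAL


def triage(f: FileInfo) -> Tuple[str, int]:
    """Reputation verdict first; the grey remainder gets a provenance score.
    Returns ("block", 0) or ("run", score)."""
    rep = FILE_REPUTATION.get(f.sha256)
    if rep == "known_bad":
        return "block", 0
    if rep == "known_good":
        return "run", -10          # well inside the TRUSTED band
    score = ORIGIN_WEIGHT[f.origin] + ARRIVAL_WEIGHT[f.arrived_via]
    if f.signer in TRUSTED_SIGNERS:
        score -= 2                 # signed by a trusted certificate: less suspicious
    if f.prevalence < 100:
        score += 1                 # rarely seen anywhere else
    return "run", score


@dataclass
class Process:
    """A process inherits the trust score of its image file and only moves
    towards heavier monitoring as it misbehaves."""
    pid: int
    image: FileInfo
    score: int
    state: TrustState = field(init=False)
    events: List[Tuple[str, str, str]] = field(default_factory=list)  # local event DB

    def __post_init__(self) -> None:
        self.state = score_to_state(self.score)

    def observe(self, kind: str, detail: str = "") -> bool:
        """Feed one event.  Returns False when no hook is installed for this
        kind at the current state (the event is simply never seen)."""
        if kind not in MONITORED_EVENTS[self.state]:
            return False
        self.events.append((self.state.name, kind, detail))
        if kind == "network_connect" and detail in BAD_IPS:
            self.score += 2        # talks to known-bad infrastructure
        elif kind in ("memory_inject", "service_install"):
            self.score += 2
        elif kind == "registry_write" and detail.endswith("\\Run"):
            self.score += 1        # autostart persistence
        self.state = max(self.state, score_to_state(self.score))
        return True


def start_process(pid: int, f: FileInfo) -> Optional[Process]:
    verdict, score = triage(f)
    return None if verdict == "block" else Process(pid, f, score)


if __name__ == "__main__":
    p = start_process(4242, FileInfo("sha256:3333cccc", "internet", "browser"))
    run_key = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    for kind, detail in [("registry_write", run_key),
                         ("network_connect", "198.51.100.23"),
                         ("registry_write", run_key)]:
        print(kind, "monitored:", p.observe(kind, detail), "state:", p.state.name)
```

The run in the `__main__` block shows the targeted escalation the slide calls for: a browser download starts at NORMAL, its first autostart registry write is not even hooked, the connection to a known-bad address is seen and promotes it to SUSPICIOUS, and only then is the next registry write recorded. The same mechanism is the model's blind spot: a TRUSTED process (a signed binary from a trusted installer) keeps its small hook set, so if that binary is abused or compromised its network connections are not observed at all. Scan avoidance buys performance only for as long as the trust assigned at triage stays deserved.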

22 Summary
First-generation endpoint solutions scan with signatures once and, if no infection is found, allow any subsequent action:
– Increased malware volume means this technique degrades performance
– Increased speed of propagation renders it ineffective against new malware, zero-day attacks and APTs
Next-generation endpoint solutions need both:
– A light scan, to minimise performance impact
– A heavy scan, to detect new malware
An adaptive approach, applying the heavy scan only where behaviour or provenance warrants it, is the only way to improve detection whilst reducing performance impact.

23 THANK YOU

