A Holistic Approach to Malware Defense Bruce Cowper Senior Program Manager; Security Initiative Microsoft Canada.


Slide 1: A Holistic Approach to Malware Defense
Bruce Cowper, Senior Program Manager, Security Initiative, Microsoft Canada

Slide 2: Understanding Malware Attack Techniques
Common malware attack techniques include:
- Social engineering
- Backdoor creation
- E-mail address theft
- Embedded e-mail engines
- Exploiting product vulnerabilities
- Exploiting new Internet technologies

Slide 3: What Is Defense-in-Depth?
Using a layered approach:
- Increases an attacker's risk of detection
- Reduces an attacker's chance of success
Layers and example controls:
- Policies, procedures, and awareness: security policies, procedures, and education
- Physical security: guards, locks, tracking devices
- Perimeter: firewalls, border routers, VPNs with quarantine procedures
- Internal network: network segments, IPSec, NIDS
- Host: OS hardening, authentication, update management, antivirus updates, auditing
- Application: application hardening
- Data: strong passwords, ACLs, encryption, EFS, backup and restore strategy

Slide 4: Malware Defense at the Perimeter
- Using application layer firewalls to detect and block malware at the perimeter
- Leveraging a layered approach to antivirus and spam filtering
- Protecting all of the assets

Slide 5: A Traditional View of a Packet
- Only packet headers are inspected
- IP header: source address, destination address, TTL, checksum
- TCP header: sequence number, source port, destination port, checksum
- Application layer content: ??????????????????????????????? (appears as a "black box")
- Forwarding decisions are based on port numbers; legitimate traffic and application layer attacks use identical ports
Diagram labels: Internet; Expected HTTP Traffic; Unexpected HTTP Traffic; Attacks; Non-HTTP Traffic; Corporate Network

Slide 6: Application Layer View of a Packet
- Packet headers and application content are inspected
- IP header: source address, destination address, TTL, checksum
- TCP header: sequence number, source port, destination port, checksum
- Application layer content is readable, e.g. MSNBC - MSNBC Front Page <link rel="stylesheet"
- Forwarding decisions are based on content; only legitimate and allowed traffic is processed
Diagram labels: Internet; Allowed HTTP Traffic; Prohibited HTTP Traffic; Attacks; Non-HTTP Traffic; Corporate Network

Slide 7: Example: Blocking Apps Over HTTP
Application, where to search in the HTTP header, and signature:
- MSN Messenger: request headers, User-Agent: MSN Messenger
- Windows Messenger: request headers, User-Agent: MSMSGS
- AOL Messenger (and Gecko browsers): request headers, User-Agent: Gecko/
- Yahoo Messenger: request headers, Host: msg.yahoo.com
- Kazaa: request headers, P2P-Agent: Kazaa; Kazaaclient:; User-Agent: KazaaClient; X-Kazaa-Network: KaZaA
- Gnutella: request headers, User-Agent: Gnutella or Gnucleus
- Edonkey: request headers, User-Agent: e2dk
- Morpheus: response header, Server: Morpheus
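As an added example (not code from the deck or from ISA Server), a Python matcher that applies the slide's header signatures to a raw HTTP message head. The direction column, case-insensitive substring matching, and the reading of a bare "Kazaaclient:" as "header present" are this example's own assumptions; the sample messages are constructed. Note that the Gecko/ signature also fires on any Gecko-based browser, as the slide itself warns, so such a match is a policy decision rather than a malware verdict.

```python
"""Match the 'Blocking Apps Over HTTP' signatures against HTTP message heads.

Added example. SIGNATURES lists the header/value pairs from the slide; an empty
needle (Kazaaclient:) means the header merely has to be present.
"""

# (application, direction, header name, substring to find in the header value)
SIGNATURES = [
    ("MSN Messenger",     "request",  "User-Agent",      "MSN Messenger"),
    ("Windows Messenger", "request",  "User-Agent",      "MSMSGS"),
    ("AOL Messenger / Gecko browsers", "request", "User-Agent", "Gecko/"),
    ("Yahoo Messenger",   "request",  "Host",            "msg.yahoo.com"),
    ("Kazaa",             "request",  "P2P-Agent",       "Kazaa"),
    ("Kazaa",             "request",  "Kazaaclient",     ""),   # presence only
    ("Kazaa",             "request",  "User-Agent",      "KazaaClient"),
    ("Kazaa",             "request",  "X-Kazaa-Network", "KaZaA"),
    ("Gnutella",          "request",  "User-Agent",      "Gnutella"),
    ("Gnutella",          "request",  "User-Agent",      "Gnucleus"),
    ("Edonkey",           "request",  "User-Agent",      "e2dk"),
    ("Morpheus",          "response", "Server",          "Morpheus"),
]


def parse_headers(raw: bytes):
    """Split an HTTP message head into (direction, {lower-cased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    # A status line starts with the protocol; a request line ends with it.
    direction = "response" if lines[0].startswith("HTTP/") else "request"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # tolerate a missing space after the colon, as on the slide
            headers[name.strip().lower()] = value.strip()
    return direction, headers


def classify(raw: bytes):
    """Return the sorted list of application names whose signatures match."""
    direction, headers = parse_headers(raw)
    hits = set()
    for app, sig_dir, name, needle in SIGNATURES:
        value = headers.get(name.lower())
        # Signatures are bound to a direction: a Server: header in a request
        # or a User-Agent: header in a response is not a match.
        if sig_dir != direction or value is None:
            continue
        if needle.lower() in value.lower():
            hits.add(app)
    return sorted(hits)
```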

Slide 8: Layered AntiVirus & AntiSpam
Diagram: Antigen deployed on Live Communications Server, SharePoint Server, Exchange Servers, ISA Server and Windows SMTP Server, covering viruses and worms arriving via IM and documents and via e-mail

Slide 9: Multiple Scan Engine Management
- Manage up to 9 scan engines
- Eliminate single point of failure
- Minimize window of exposure during outbreaks
Diagram: Antigen feeding Scan Engines 1 to 4, with a Quarantine

Slide 10: Malware Defense at the Client

Slide 11: Windows Service Hardening
- Defense in depth
- Services run with reduced privilege compared to Windows XP
- Windows services are profiled for allowed actions to the network, file system, and registry
- Designed to block attempts by malicious software to make a Windows service write to an area of the network, file system, or registry that isn't part of that service's profile
Diagram: active protection for the file system, registry, and network

Slide 12: Internet Explorer 7
Social engineering protections:
- Phishing Filter and colored address bar
- Dangerous settings notification
- Secure defaults for IDN
Protection from exploits:
- Unified URL parsing
- Code quality improvements (SDLC)
- ActiveX opt-in
- Protected Mode to prevent malicious software

Slide 13: Phishing Filter: Dynamic Protection Against Fraudulent Websites
Three "checks" protect users from phishing scams:
1. Compares the web site with a local list of known legitimate sites
2. Scans the web site for characteristics common to phishing sites
3. Double-checks the site with an online Microsoft service of reported phishing sites, updated several times every hour
Two levels of warning and protection in the IE7 Security Status Bar:
- Level 1 (Warn): suspicious website signaled
- Level 2 (Block): confirmed phishing site signaled and blocked

Slide 14: Windows Defender
- Improved detection and removal
- Redesigned and simplified user interface
- Protection for all users

Slide 15: Windows Vista Firewall
- Combined firewall and IPsec management
  - New management tool: Windows Firewall with Advanced Security MMC snap-in
  - Reduces conflicts and coordination overhead between technologies
- Firewall rules become more intelligent
  - Specify security requirements such as authentication and encryption
  - Specify Active Directory computer or user groups
- Outbound filtering (enterprise management feature, not for consumers)
- Simplified protection policy reduces management overhead

Slide 16: Network Access Protection
Diagram components (steps 1 to 5): Windows Vista client; DHCP, VPN, switch/router as the enforcement point; Microsoft Network Policy Server; policy servers (e.g. Microsoft Security Center, SMS, Antigen or 3rd party); fix-up servers (e.g. Microsoft WSUS, SMS and 3rd party); outcomes: policy compliant (corporate network) or not policy compliant (restricted network)
- Enhanced security: all communications are authenticated, authorized & healthy
- Defense-in-depth on your terms with DHCP, VPN, IPsec, 802.1X
- Policy-based access that IT Pros can set and control

Slide 17: Device Group Policy
- Device installation restrictions: determine what devices can be installed on computers
- Prevent installation of drivers
- Prevent installation of devices

Slide 18: User Account Control
Goal: allow businesses to move to a better-managed desktop and consumers to use parental controls
- Make the system work well for standard users
  - Allow standard users to change time zone and power management settings, add printers, and connect to secure wireless networks
  - High application compatibility with file/registry virtualization
- Make it clear when elevation to admin is required and allow that to happen in-place without logging off
- Administrators use full privilege only for administrative tasks or applications
- User provides explicit consent before using elevated privilege

Slide 19: © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

