Published by Maryann Dixon. Modified over 6 years ago.
Protecting ICS Systems with Application Whitelisting
Presented by: Walter Siryk, John Fox and Rene Thibault, Savant Protection
Welcome to Protecting ICS Systems with Application Whitelisting. My name is Walter Siryk, and I am the CEO of Savant Protection. I am joined today by John Fox, our Director of Engineering, and Rene Thibault, our VP of Sales and Service. We hope to give you an overview of how Application Whitelisting can be used as part of a Defense in Depth strategy to secure your systems. We’d like to thank our partner, Rockwell Automation, for the opportunity to present to you today. We also want to thank you for your time.
The ICS Threat Landscape
Walter Siryk C.E.O. Savant Protection, Inc. Tel:
Agenda
Application Whitelisting in the ICS Threat Landscape
Security Challenges Unique to ICS
Application Whitelisting in ICS
What is Application Whitelisting
How does it work
Why is it unique
Savant Protection’s Unique Solution
Demo of Savant Enforcer
Customer Success Stories
Our agenda: I will give a brief overview of Application Whitelisting and its application to ICS. In particular I will cover ______. John Fox, our Director of Engineering, will cover what Application Whitelisting is, and Rene Thibault will wrap it up with a demo of the product and some customer success stories. I’d like to make one very important point before we get started. Our intention is to provide you with information on using AWL in ICS, not to subject you to a sales pitch. That said, there are maybe 2 or 3 legitimate AWL vendors in the market. While we may offer similar functionality, the nuts and bolts of how we deliver that functionality vary greatly. So you will hear us describing AWL from our product’s perspective. We apologize if it feels like a sales pitch at times; we just can’t avoid it. So without further ado, let’s get started.
Industry Security Challenges & Gaps
Existing Security:
Firewalls
OS Patching
Application Patching
Antivirus
Intrusion Prevention
GAP:
Control systems no longer air gapped, so more attack paths
Cannot stop insiders
Cannot stop unknown / zero-day attacks
ICS Sectors are Under Attack
ICS-CERT responses to sector specific cybersecurity threats
ICS sectors are under attack. There is a heightened awareness and growing concern over the threats facing our nation’s critical infrastructure. This chart, from the ICS-CERT Year in Review, identifies the sectors where ICS-CERT was asked by industry for help. The first number is the number of incidents, while the second number is the percentage of total responses. We know that there are many more incidents that go unreported or are handled by the private sector. Source: ICS-CERT Year in Review 2013
Wide Range of Attacks Observed on ICS
Unauthorized access and exploitation of Internet-facing ICS/SCADA devices
Malware infections within air-gapped control system networks
SQL injection and application vulnerability exploitation
Lateral movement between network zones
Targeted spear phishing campaigns
Watering hole attacks
Attackers: Varying Intents, Common Features
Year | Malware | Intent | Features
2010 | Stuxnet | Sabotage | Multi-vector, APTs, propagation
2011 | Duqu | Espionage | Recon for future attacks, APTs
2012 | Shamoon | Espionage/Sabotage | Uploads then erases files, overwrites master boot record
2012 | Flame | | Rootkit, listening & recording
2014 | Havex | | Compromised vendor site, waterholing, APTs; malware disguised as HMI updates
2014 | BlackEnergy | Crimeware $ | Traditional banking malware; found on Internet-connected HMIs
2014 | Regin | | Multiple payloads, existed since 2008, APTs
#1 Vulnerability – Users & System Staff
May 21, 2014
Compliance ≠ Security
100% use Anti-Virus, Firewalls, Patching, Network monitoring, Incident Response, Forensics
100% Compliance with Security Standards
60% of companies have suffered a major data security breach and don’t even know it.
Compliance should be the security floor, not the ceiling
Cybercrime / Espionage / Sabotage
66% of breaches are reported to the victim company by a third party
93% of employees admit to violating security policies
243 days... the median number of days attackers are on a network before detection.
Incident response companies state that 100% of breached companies use AV and have firewalls in place. Users and security staff are your #1 vulnerability: the human mind is the only OS that can’t be locked down, so it’s a big target. I mention your system staff because it’s very difficult to be perfect. During incident response, it’s often discovered that the breached company had a lot of security products and spent a lot of money, but made errors in configuration and left open security holes. How much data could an attacker steal from your organization in 243 days?
Sources: Mandiant, FBI InfraGard, Corporate Executive Board
ICS Priorities differ from Enterprise IT
TRADITIONALLY: Focus on uptime and cost control; security NOT a priority, an obstacle
NOW: Sophisticated cyber attacks have demonstrated the seriousness of the risks… catastrophic
To add to the confusion, security and IT professionals have approached ICS security challenges from the IT implementation standpoint. But the InfoSec priorities for ICS are different from IT. We can measure the difference in security priorities using the information security model to assess risk: the bedrock principles of minimizing the risk from loss of Confidentiality, Integrity, and Availability, or CIA.
Multiple Vectors to Attack Control Stations
Targets
The Antivirus Gap - Not Designed for ICS
Must know the signature of the attack to stop it
Requires constant updating and high bandwidth to the internet
Ineffective against targeted and zero day attacks
“If any security expert claims systems can be secured by just using antivirus products on the Windows computers in a control system, they are crazy, irresponsible or both.” Eric Byres | Sep
“There is almost no defense against a zero-day attack” Symantec Research on Zero Day Attacks, Oct 16, 2012
Can destroy forensics
“Avoid running any antivirus software “after the fact” as the antivirus scan changes critical file dates and impedes discovery and analysis of suspected malicious files and timelines.“ ICS-TIP, TARGETED CYBER INTRUSION DETECTION AND MITIGATION STRATEGIES, May 25, 2012
AV is not designed for ICS.
Whitelisting Ideal for Securing Control Systems
Provides the most cost effective way to reduce catastrophic risk
By default, blocks all unauthorized changes and actions by malware
Immediately provides a strong layer and wall of protection for vulnerable control systems
Closes current defensive gaps
Augments other security systems and reduces the effects of configuration errors
Recommended by industry, government and experts
AWL is ideal for ICS.
Whitelisting Stops Many High Risk Attacks
Whitelisting in the Attacker Kill Chain
Kill chain stages: Reconnaissance, Scanning, Exploitation, Creating Back Doors, Covering Tracks
Capability | Kill Chain Function | What Whitelisting Provides
Prevention | Exploitation | All unauthorized software and malware blocked from execution on endpoints & servers. Policy-based enforcement even when disconnected from the network. Strong defense against sophisticated outside attacks and insider threats to endpoint data.
Detection | | Visibility to all executable/application activity on endpoints.
Containment | Exploitation & Creating Back Doors | Malware proliferation prevented between endpoints and across the network. No central database that could be a single point of failure. Unique encrypted whitelist database on each endpoint.
Investigation | Covering Tracks | Comprehensive executable/application event logging (installs, denies, blocked changes, allowed changes). Compatible with logging tools (syslog, SIEMs, etc.).
Whitelisting Requirements in ICS
Runs in Isolation: outbound only communications
No Change During Install: no reboot, no process breakage, no manual reconfiguration
Existing System Support: regulatory formats, event model, embedded and full OS
Transparency: no effect on running software
Bulletproof: stable and standalone
Real-time: AIC not CIA
Securing Control Stations - Most Impact
Layers in the diagram: Perimeter, Network, Control Stations, Controllers, Sensors
Control Stations: Focus here now!
Controllers and Sensors: Too big, many discrete devices
Application Whitelisting:
Protects the “Keys to the Kingdom”
Protects the path to downstream devices
Prevents insiders from making changes
Immediately enhances security while staying operational
“Buys time” to complete more complex projects
Long-term implementation:
Reconfigure networks
Role Based Access Control
Identity Management
SIEM
Encrypt communications
Update machines
Application Whitelisting should be included as part of an integrated Defense-in-Depth strategy to diversify your risk. Any layer of protection might fail, especially when relying on the Human OS. Locking down your critical systems with AWL will greatly limit the damage from breaches.
What is Application Whitelisting
John Fox Director of Engineering Savant Protection, Inc. Tel:
How Does Application Whitelisting Work?
Application Whitelisting enforces a "default-deny" of program execution
Anything authorized to run is allowed and all other program execution is denied
It oversees all executable files: .exe, .dll, .sys, .ocx, etc.
It can also control access to interpreted files: .bat, .java, .py, etc.
Deny by Default Denied
How Does Savant Enforcer Work?
Savant Enforcer's core component is an OS kernel-level minifilter driver
The driver provides all protection, even if management components are not operating or not present
It also protects itself from removal or tampering
The driver intercepts all access to the file system
It either allows or denies program execution or file modification
It allows authorized programs to run and denies all others.
Building the Whitelist Database
All files that are authorized are entered into the whitelist database
Each entry in the database has a signature of the file
The signature uniquely identifies the location and contents of the file
If a file is modified or moved, it would have a different signature
The signature is very quick to calculate
The signature uses a hash algorithm, but one unique and proprietary to Savant Enforcer
Every time a program executes, its signature is calculated and compared to the database
Execution is allowed only if the signature matches an entry in the database
Savant Enforcer is the MOST Secure
Each endpoint protected by Savant Enforcer has its own unique whitelist database
There is no central whitelist database
Allows each endpoint to operate completely standalone
Eliminates the possibility of a single point of failure with a central whitelist
Eliminates proliferation of any potential compromise to other endpoints
The signature of any particular file is unique on each endpoint, further increasing the difficulty of proliferating an attack from one system to another.
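The two slides above describe a signature that covers a file's path and contents and that differs from endpoint to endpoint. The following is an added illustration, not Savant Enforcer's code: Savant's hash is proprietary, so a per-endpoint HMAC-SHA256 key is assumed as a stand-in, and the file contents and paths are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


class EndpointWhitelist:
    """Constructed model of a per-endpoint whitelist database (not Savant's code).

    Each endpoint draws its own secret key, so the same file yields a different
    signature on every endpoint. The signature covers path and contents, so a
    moved or modified file no longer matches. Savant's hash is proprietary;
    HMAC-SHA256 under the endpoint key is an assumed stand-in for it here.
    """

    def __init__(self, endpoint_key: Optional[bytes] = None) -> None:
        self.key = endpoint_key or secrets.token_bytes(32)
        self.db: Set[str] = set()  # signatures of authorized files only

    def signature(self, path: str, data: bytes) -> str:
        mac = hmac.new(self.key, digestmod=hashlib.sha256)
        # Windows paths are case-insensitive; a NUL byte separates path from contents.
        mac.update(path.lower().encode("utf-8") + b"\0")
        mac.update(data)
        return mac.hexdigest()

    def authorize(self, path: str, data: bytes) -> None:
        """Add a file to this endpoint's whitelist (the TRUST step)."""
        self.db.add(self.signature(path, data))

    def may_execute(self, path: str, data: bytes) -> bool:
        """Default-deny check at execution time: allow only on an exact match."""
        return self.signature(path, data) in self.db


def demo() -> Dict[str, bool]:
    """Exercise the checks on constructed file contents; every outcome should be True."""
    hmi = b"MZ" + b"constructed HMI executable bytes"
    hmi_path = r"C:\HMI\hmi.exe"
    endpoint_a = EndpointWhitelist()
    endpoint_a.authorize(hmi_path, hmi)
    endpoint_b = EndpointWhitelist()  # second endpoint, same file, its own key
    return {
        "original_allowed": endpoint_a.may_execute(hmi_path, hmi),
        "modified_denied": not endpoint_a.may_execute(hmi_path, hmi + b"\x90"),
        "moved_denied": not endpoint_a.may_execute(r"C:\Temp\hmi.exe", hmi),
        "unknown_denied": not endpoint_a.may_execute(r"C:\Temp\dropper.exe", b"MZ dropper"),
        # A whitelist entry copied from endpoint A is useless on endpoint B.
        "entry_not_portable": endpoint_a.signature(hmi_path, hmi) != endpoint_b.signature(hmi_path, hmi),
    }
```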
Savant Works with Existing Systems
Intelligent change management makes system management a snap
When you need to install new software, just install it; Savant Enforcer will automatically learn to trust what you ask it to
It can trust Remote Management agents (e.g. Remote Desktop Control, LogMeIn, TeamViewer, etc.) and automatically learn to trust what those agents do
You continue to manage your systems exactly the way you already do
Savant is Simple to Manage
Management of Savant Enforcer can be done any one of three ways:
Via the local user interface on the endpoint
Via the Savant Enforcer Manager (SEM), which can centrally manage many endpoints at once
Via the XML API, which can manage each endpoint by sending management data via encrypted XML documents
This allows managing completely disconnected endpoints, or using central management to remotely manage many endpoints at once
Overall Architecture
Endpoint – Savant Enforcer:
Local UI can configure all settings
Use of the central manager is optional
Sends logs to the central manager if present
Server – Savant Enforcer Manager:
Web-based UI
Configures many endpoints
Optional to use
OR MSSQL with IIS Server ONLY
Savant Enforcer vs Stuxnet
Savant Enforcer vs Stuxnet Summary
Savant Protection’s Unique Solution
Rene Thibault VP Sales & Services Savant Protection
Savant Enforcer is THE Game Changer
May 21, 2014
Savant Protection fills the gap with a transparent layer of protection that stops the attacks that bypass existing security (air gaps, anti virus, OS/application patches, group policies, personal firewalls, etc.)
Downloadable client
Easy to deploy
Immediate security
The Secret Sauce: Most Secure, Easiest to Administer and Use Solution
Unique encrypted whitelists (patented)
Stops proliferation of any potential compromise to other endpoints
No single point of failure means the strongest endpoint security
Stored locally, encrypted and protected from all access
Automated Application Whitelist Management
Built-in integration with 3rd party solutions for rapid deployment
Protection is never interrupted, even during trusted changes
Local Graphical User Interface
Supports connected or disconnected operation in air gapped environments
Stand alone or centrally managed
Application Success Stories
Manufacturing: Medical Devices, Pharmaceutical Process, Plumbing, HVAC & Refrigeration
Electric: Switching, Distribution
Chemical: Process Control, Mixing, Environmental Monitoring
Transportation: Flight Management, Traffic Control Systems
Oil and Gas: Exploration
Power: Generation Control
Demonstration: What you are going to see…
Unauthorized User (locked down or hardened system) cannot:
Delete or modify any executables on the whitelist
Run any executable not on the whitelist
Install any new executables
Privileged User (designated users and/or IT admins) can do any or all of the above, depending on how the system is configured
Deploying Application Whitelisting
DISCOVER: Install the Savant Enforcer client. Perform a system scan for a complete executable inventory. Know what’s running on each endpoint and unauthorize unwanted apps.
TRUST: Automatically create the whitelist and the list of Trusted Updater Agents. Account for programs that self update or need to access, modify or create temporary dll files to run properly.
PROTECT: Lockdown (“Default-Deny”) or Protect, and assign users privileges based on your policies.
VERIFY: Monitor and record all activity to give you real-time data about application and executable installs, denials, updates, changes, external device activity (e.g. USB, DVD) and more. Logs are stored locally or can be uploaded to SEM, SIEM or other third party logging/alerting.
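The VERIFY step only pays off if someone reads the events. As an added example (not Savant's code or its log format), the block below parses a constructed syslog-style event feed using the event types the slides name (installs, denies, blocked changes, allowed changes) and pulls out the findings an operator would review: an unknown executable repeatedly denied on one host, and attempts to alter a whitelisted executable.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample event log, modelled on the event types the slides name;
# the field layout is an assumption, not Savant Enforcer's real format.
SAMPLE_LOG = """\
2014-05-21T10:02:11 host=HMI-01 event=DENY user=operator path=C:\\Temp\\dropper.exe
2014-05-21T10:02:15 host=HMI-01 event=DENY user=operator path=C:\\Temp\\dropper.exe
2014-05-21T10:02:20 host=HMI-01 event=BLOCKED_CHANGE user=operator path=C:\\HMI\\hmi.exe
2014-05-21T10:05:00 host=ENG-02 event=ALLOWED_CHANGE user=SYSTEM path=C:\\Windows\\Temp\\patch.dll
2014-05-21T10:06:30 host=ENG-02 event=INSTALL user=admin path=C:\\Program Files\\Vendor\\update.exe
2014-05-21T11:00:00 host=HMI-03 event=DENY user=svc path=E:\\autorun.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) path=(?P<path>.+)$"
)


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse one event per line; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def summarize(events: List[Dict[str, str]], deny_threshold: int = 2) -> Dict[str, list]:
    """Turn raw events into the findings an operator reviews in the VERIFY step."""
    denies = Counter((e["host"], e["path"]) for e in events if e["event"] == "DENY")
    return {
        # The same unknown executable denied repeatedly on one host: something keeps retrying.
        "repeated_denies": sorted((h, p, n) for (h, p), n in denies.items() if n >= deny_threshold),
        # Attempts to alter a whitelisted executable in place (tampering or an unplanned update).
        "blocked_changes": [(e["host"], e["path"], e["user"]) for e in events if e["event"] == "BLOCKED_CHANGE"],
        # Changes a trusted updater made: expected, but worth reconciling with the change calendar.
        "allowed_changes": [(e["host"], e["path"]) for e in events if e["event"] == "ALLOWED_CHANGE"],
        "hosts_with_denies": sorted({h for h, _ in denies}),
    }
```

A single deny is often just an operator trying an unapproved tool; the repeated-deny and blocked-change findings are the ones worth forwarding to the SIEM as alerts.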
Next Steps For more information or a free trial contact: Rene Thibault
VP Sales & Services Savant Protection, Inc. Tel: Dayan Rodriguez Business Development Manager Rockwell Automation