Mitigating the CLICK’er
How AMPs (Advanced Malware Protection) / advanced innovative tools can finally help protect your infrastructure
Claus Cramon Houmann
Banque Öhman 2013-09-25
Remember:
• Never ever rely on a single solution
• Defense in depth
• Both threat prevention and threat detection are important
• If the bad guys want to get in badly enough, they will – so be able to reduce the “dwell time” they have inside your systems
• The “CLICKER” I define as the colleague who just cannot help clicking on that “interesting link” in a suspicious e-mail, because “probably nothing will happen” or “just to see what happens”, or who doesn’t even think about it...
One single 0-day or unpatched system is all “they” need
IT Security, a quick overview
Breach methods
• There are many points of entry for hackers when breaching a system/network:
– Hacking (e.g. SQL injection against DB servers)
– Malware (e.g. delivered via phishing)
– Social engineering
– Physical
[Slide image: breach statistics] Source: Verizon’s 2012 Data Breach Investigations Report
Protecting against external threats
• As your organization’s “infosec level” matures, you may be able to pass or almost pass a pentest. Most low-hanging fruit has been “picked” already
• This makes it very hard for “them” to get in via hacking methods
• -> they will try malware next
Advanced malware leveraging e.g. 0-days = CIO/CISO nightmare
• Slowly but steadily one thing will make you lose sleep at night: how do you protect against colleagues clicking on phishing e-mails or visiting bad websites (watering holes, for example)?
• The CLICKER becomes your biggest external threat!
SO, you can have all this. And it helps you little/nothing.
Mitigating the “CLICKER”
• There are now innovative next-generation tools available for advanced threat prevention and/or detection = AMPs
– Microvirtualization
– Advanced code handling/analysis/reverse-engineering tools
– Network level Sandboxing or detection based on behavioural
analysis/packet inspection
– System and registry level lockdown of process/user-rights
– Cloud based Big Data analytical/defense tools
– Whitelisting tech
– Others – this “market segment” is booming right now
Why is the AMP market booming?
Background
• The AV industry in the traditional sense has declared its tools insufficient and the war on malware lost
• Hacking is increasingly supported by big budgets – think nation-state-sponsored APTs
• 0-days abound in the wild, being purchased by “hackers” – unofficial hackers and nation-state-sponsored hackers alike
• The black-market cyber-industry is a huge economy!
Baby years
• As the AMP industry is in its “baby years” you’ve got to make allowances for products still being heavily changed/developed
• Immature market
• No 100% tools – no one can cover everything. If you meet a vendor that claims they can, don’t trust it
• With that said, on to look at the NG tools!
How does Microvirtualization work?
• Hardware-level virtualization gives complete separation of user tasks in separate, individual, micro-sized hypervisor instances
Why Microvirtualization
• Mitigates the following threats:
– USB sticks with malicious content
– Watering holes
– Malicious attachments in e-mail
– Clicking links leading to malware on websites/in e-mails
• Pros:
+ Workflow enabler
+ Small amount of custom config needed
+ Negligible performance impact on endpoints
+ Unknown to hackers
+ No dependence on traditional “signature”-based methods
• Cons:
– No server protection vs. hacking attempts
– Early life-cycle stage – unfinished products
How & Why – advanced code handling tools
• The similarity across products here is that they employ innovative strategies to “identify” bad behaviour despite encryption, obfuscation, fragmented files etc. – the methods and tools that malware authors use to hide the true function of their software
• Malware can be identified and/or blocked and/or removed efficiently
• Pros:
+ Reduced dwell time
+ No dependency on traditional signature methods
+ Potentially scales very well for large corporations
• Cons:
– Most tools like these are detection tools and have limited prevention capabilities
– Client understanding of how the tool works is minimal
How & Why: Network level sandboxing
• The idea here is to catch and analyze malware before it reaches the end users – prevention, but also detection. It kind of “replays” malware in a stack of different virtual machines to give it a good chance of hitting an environment that it’s meant to “go off” in.
• Pros:
+ Threat detection vs. clicker threats
• Cons:
– Network perimeter technologies cannot protect roaming users – and users are increasingly mobile
– Malware is getting smarter. It can evade these tools by waiting for the user to do something (use the mouse/keyboard, for example)
– These tools just ALERT you – they do not PROTECT you
System and registry level lockdown of process/user-rights
These tools all try to prevent malware by denying it the access/rights to drop files, inject DLLs etc.
• Pros:
+ Tight lock down
• Cons:
– Configuration “heavy”
– Is saying “no” to users the answer?
– Change Management becomes somewhat harder
Cloud based Big Data analytical/defense tools
• Vendors here try to detect and block threats using Big Data approaches to “signatures” or “known samples”
• Pros:
+ Potential to see inside virtual switches and traffic between virtual machines – traffic that sometimes never reaches a firewall or network appliance
• Cons:
– Uploading samples identified in your environment to a vendor’s cloud is a risk in itself – the sample has enumeration data on your environment, and maybe more
– The traditional signature approach has limitations, even with a Big Data approach, since malware can be adapted to evade it
Whitelisting
• The idea behind whitelisting is to block malware by simply only allowing known trusted websites, trusted applications etc.
• Pros:
+ Whitelisting can be an effective technique for dealing with traditional file-based malware such as viruses and spyware. Unsophisticated attacks that rely on downloading and running an arbitrary executable file are generally foiled by whitelisting.
+ Whitelisting can be particularly effective in “locking down” dedicated appliance-like systems that don’t function as general-purpose productivity tools.
• Cons:
– Maintaining what is “trusted” as things change. Operational nightmare?
– Vulnerable to unknown/zero-day attacks and malicious content within whitelisted apps (even “trusted” code can have vulnerabilities…)
– Vulnerable to non-file-based attacks, which are carried out without ever downloading or executing a file for the whitelist to block (such as memory-only attacks that inject into a running process)
– Is saying “no” to users the answer?
– Trusting the whitelist – what if it’s compromised?
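A minimal hash-based application allowlist, as an added example that is not from the slides or from any product they describe: it shows the approve/deny decision and two of the cons above, that the list itself has to be trusted (here guarded by an HMAC under a constructed key) and that a pass says nothing about whether the approved file is itself safe. The key, file names and sample bytes are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: in a real deployment the key protecting the
# allowlist lives in a store that the governed users cannot read or write.
LIST_SIGNING_KEY = b"constructed-demo-key-not-for-real-use"


def sha256_hex(data: bytes) -> str:
    """A file's identity on the list is the SHA-256 of its exact bytes."""
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Stable encoding so the MAC does not depend on key order or whitespace.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_allowlist(entries: dict) -> dict:
    """Package {hash: label} entries with an HMAC so the list itself can be trusted."""
    mac = hmac.new(LIST_SIGNING_KEY, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def load_allowlist(signed: dict) -> dict:
    """Refuse an allowlist whose MAC does not verify (the 'what if it's compromised?' con)."""
    expected = hmac.new(LIST_SIGNING_KEY, _canonical(signed["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        raise ValueError("allowlist integrity check failed; refusing to enforce it")
    return signed["entries"]


def is_allowed(file_bytes: bytes, entries: dict) -> bool:
    """Execution decision: only exact, previously approved file content passes.

    Note what this does NOT decide: whether the approved file has a vulnerability,
    or whether code is running in memory without ever touching a file.
    """
    return sha256_hex(file_bytes) in entries


# Constructed sample "executables" (plain bytes standing in for real files).
APPROVED_APP = b"MZ constructed approved business application"
UNKNOWN_APP = b"MZ constructed dropper downloaded by a clicker"
TAMPERED_APP = APPROVED_APP + b" with one patched byte"


def build_demo_allowlist() -> dict:
    """The list an administrator would publish: one approved application."""
    return sign_allowlist({sha256_hex(APPROVED_APP): "approved-app.exe"})


def run_checks() -> dict:
    """Exercise the three decision paths plus an unsigned edit of the list."""
    signed = build_demo_allowlist()
    entries = load_allowlist(signed)
    results = {
        "approved_runs": is_allowed(APPROVED_APP, entries),
        "unknown_runs": is_allowed(UNKNOWN_APP, entries),
        "tampered_runs": is_allowed(TAMPERED_APP, entries),
    }
    # The list on disk is edited to add a new hash, but the MAC is left unchanged;
    # the loader must reject it rather than enforce a list it cannot trust.
    forged_entries = dict(entries)
    forged_entries[sha256_hex(UNKNOWN_APP)] = "totally-legit.exe"
    forged = {"entries": forged_entries, "mac": signed["mac"]}
    try:
        load_allowlist(forged)
        results["forged_list_accepted"] = True
    except ValueError:
        results["forged_list_accepted"] = False
    return results


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name}: {outcome}")
```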
Conclusion
• To efficiently protect against APTs and advanced malware you want to:
– Have capabilities within threat prevention, detection, alerting, incident response, maybe even some kind of IOC / threat-sharing community. AMP + more.
– Have defense in depth
• To efficiently mitigate the risks of the CLICKER you want to:
– Block not only known threats but also the unknown, while enabling the business to do its “thing”
– Be able to detect and efficiently remove threats
About me
• Claus Cramon Houmann, 38, married to Tina, and I have 3 lovely kids
• CISSP, ITIL Certified Expert, Prince2 practitioner
• You can contact me anytime:
– Skype: Claushj0707
– Twitter: @claushoumann or @improveitlux
• Sources used:
– Verizon: Data Breach investigations report 2012
– @gollmann from IOactive Blog posts
Questions?
More questions?
GenCyber Cyber Security Day Presentation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Mitigating the clicker

  • 1. Mitigating the CLICK’er: how AMPs (Advanced Malware Protection) / advanced innovative tools can finally help protect your infrastructure. Claus Cramon Houmann, Banque Öhman, 2013-09-25
  • 2. Remember:
    • Never ever rely on a single solution
    • Defense in depth
    • Both threat prevention and threat detection are important
    • If the bad guys want to get in badly enough, they will – be able to reduce the “dwell time” they have inside your systems
    • The “CLICKER” I define as the colleague who just cannot help clicking on that “interesting link” in a suspicious e-mail, because “probably nothing will happen” or “just to see what happens”, or doesn’t even think about it...
  • 3. A single 0-day or unpatched system is all “they” need
  • 4. IT Security, a quick overview
  • 5. Breach methods
    • There are many points of entry for hackers when breaching a system/network:
      – Hacking (e.g. SQL injection against DB servers)
      – Malware (e.g. delivered by phishing)
      – Social engineering
      – Physical
  • 6. [Figure] Source: Verizon’s 2012 Data Breach Investigations Report
  • 7. Protecting against external threats
    • As your organization’s “infosec level” matures, you may be able to pass or almost pass a pentest. Most low-hanging fruit has been “picked” already
    • This makes it very hard for “them” to get in via hacking methods
    • -> they will try malware next
  • 8. Advanced malware leveraging e.g. 0-days = CIO/CISO nightmare
    • Slowly but steadily, one thing will make you lose sleep at night: how do you protect against colleagues clicking on phishing e-mails or visiting bad websites (e.g. waterholes)?
    • The CLICKER becomes your biggest external threat!
  • 9. So, you can have all this. And it helps you little/nothing
  • 10. 10 Öhman Mitigating the “CLICKER” • There are now innovative next-generation tools available for advanced threat prevention and/or detection = AMP’s – Microvirtualization – Advanced code handling/analysis/reverse-engineering tools – Network level Sandboxing or detection based on behavioural analysis/packet inspection – System and registry level lockdown of process/user-rights – Cloud based Big Data analytical/defense tools – Whitelisting tech – Others – this “market segment” is booming right now Banque Öhman 2013-09-25
  • 11. 11 Öhman Why is the AMP market booming? Background • The AV industry in the traditional sense has declared their tools insufficient and the war on malware lost • Hacking is increasing supported by big budgets – think nation- state-sponsored APT’s • 0-days abound in the Wild – being purchased by “hackers” – unofficial hackers or nation-state sponsored hackers alike • The black market cyber-industry is a huge! economy Banque Öhman 2013-09-25
  • 12. 12 Öhman Baby years • As the AMP industry is in it’s “baby years” you’ve got to make allowances for products being heavily changed/developed still • Immature market • No 100% tools – no one can cover everything. If you meet a vendor that claims they can, don’t trust it • And that said, on to look at the NG tools! Banque Öhman 2013-09-25
  • 13. 13 Öhman How does Microvirtualization work? • Hardware level virtualization gives complete separation of user tasks in separate individual Hypervisors (Micro-size) Banque Öhman 2013-09-25
  • 14. 14 Öhman Why Microvirtualization • Mitigates the following threats: – USB sticks with malicious content – Waterholes – Malicious attachments in e-mail – Clicking links leading to malware on websites/e-mails • Pros: + Workflow enabler + Small amount of custom config needed + Disregardable performance impact on endpoints + Unknown by hackers + No depence on traditional ”signature” based methods • Cons: – No server protection vs hacking attemps – Early life cycle stage – unfinished products Banque Öhman 2013-09-25
  • 15. 15 Öhman How & Why – advanced code handling tools • The similarities across products here are that they employ innovative stragegies to ”identify” bad behaviour despite encryption, obfuscation, fragmented files etc. – methods and tools that malware authors use to hide the true function of their software • Malware can be identified and/or blocked and/or removed efficiently • Pros: + Reduced dwell-time + No dependency on traditional signature methods + Potentially scales very well for large corporations • Cons: – Most tools like these are detection tools and have limited prevention capabilities – Client understanding of how the tool works is minimal Banque Öhman 2013-09-25
  • 16. 16 Öhman How & Why: Network level sandboxing • The idea here is to catch and analyze malware before it reaches the end users – prevention, but also to do detection. It kind of ”re- plays” malware in a stack of different virtual machines to give it a good chance of hitting an environment that it’s meant to ”go off” in. • Pros: + Threat detection vs clicker-threats • Cons: – Network perimeter technologies cannot protect roaming users – and users are increasingly mobile – Malware is getting smarter. It can evade these tools by waiting for the user to do something (use the mouse/keyboard, for example) – These tools just ALERT you – they do not PROTECT you Banque Öhman 2013-09-25
  • 17. 17 Öhman System and registry level lockdown of process/user-rights These tools all try to prevent malware by preventing it’s access/rights to drop files, inject DLL’s etc. • Pros: + Tight lock down • Cons: – Configuration “heavy” – Is saying “no” to users the answer? – Change Management becomes somewhat harder Banque Öhman 2013-09-25
  • 18. 18 Öhman Cloud based Big Data analytical/defense tools • Vendors here try to detect and block threats using Big Data approaches to “Signatures” or “known samples” • Pros: + Potential to see inside virtual switches & traffic between virtual machines – traffic that sometimes never reaches a firewall or network appliance • Cons – Uploading samples identified in your environment to a vendors cloud is a risk in itself – the sample has enumeration data on your environment, and maybe more – Traditional signature approach has limitations, even with a big data approach, since Malware can be adapted to evade Banque Öhman 2013-09-25
  • 19. 19 Öhman Whitelisting • The Idea behind whitelisting is to block malware by simply only allowing known trusted websites, or trusted applications etc. • Pros: – Whitelisting can be an effective technique for dealing with traditional file based malware such as viruses and spyware. Unsophisticated attacks that rely on downloading and running an arbitrary executable file are generally foiled by whitelisting. – Whitelisting can be particularly effective in “locking down” dedicated appliance like systems that don’t function as general purpose productivity tools. • Cons: – Maintaining what is “trusted” as things change. Operational nightmare? – Vulnerable to unknown/Zero Day attacks, malicious content within whitelisted apps (even “trusted” code can have vulnerabilities…) – Vulnerable to non-file based attacks, which are carried out without ever downloading or executing a file for the whitelist to block (such as memory-only attacks that inject into a running process) – Is saying “no” to users the answer? – Trusting the whitelist – what if it’s compromised? Banque Öhman 2013-09-25
  • 20. 20 Öhman Conclusion • To efficiently protect against APT’s and Advanced Malware you want to: – Have capabilities within Threat Prevention, Detection, Alerting, Incident Response, maybe even some kind of IOC / Threat sharing community. AMP + more. – Have defense in depth • To efficiently mitigate the risks of the CLICKER you want to – Block not only known threats, but also the unknown while enabling the business to do its “thing” – Be able to detect and efficiently remove threats Banque Öhman 2013-09-25
  • 21. 21 Öhman About me • Claus Cramon Houmann, 38, married to Tina and I have 3 lovely kids • CISSP, ITIL Certified Expert, Prince2 practitioner • You can contact me anytime: – Skype: Claushj0707 – Twitter: @claushoumann or @improveitlux • Sources used: – Verizon: Data Breach investigations report 2012 – @gollmann from IOactive Blog posts Banque Öhman 2013-09-25