
Countering malware threats - Eric Vanderburg


Malware is a significant threat as it provides a way for an attacker to use your machine for nefarious means or take data from you and those connected to you. Learn how to combat this threat and protect yourself.

Published in: Technology

  1. Combating malware threats
     © 2014 Property of JurInnov Ltd. All Rights Reserved
     Eric A. Vanderburg, MBA, CISSP, Director, Information Systems and Security, Computer Forensic and Investigation Services
  2. Outline
     • Security model
     • Malicious software
     • Countering malware threats
       – Whitelisting
       – Behavioral detection
       – Automatic execution detection
  3. Security model
     • Select security products that provide maximum security without significantly impacting productivity
     • Have a security model capable of handling direct attack of security solutions present on endpoints
       – Have a security model with fail-safe protection
       – Consider security products that use obfuscation
       – Consider security solutions that are less prominent
     • Be willing to adapt your security model to address a quickly evolving threat landscape
  4. Malicious software
     • Malicious software development is a for-profit business
     • There are more threats today than ever before
     • Threats today are designed to bypass the most prominent security solutions
  5. Security trade-offs
     • System performance and resource consumption
     • Impact on end-user productivity
     • Increased IT administration requirements
  6. One step ahead
     • Malicious software developers are familiar with emerging security techniques
     • Malicious software developers can respond faster than security vendors
     • Companies are slow to adopt new security solutions
  7. Security solution adoption
     • No need to bypass security solutions that were never installed
     • Malicious software developers can impede solution adoption
     • Threats can create false positives that break legitimate software
     • Threats can increase hassle to administer new security solutions
  8. Application whitelisting
     • Opposite of signature-based approach
     • Unknown executable binaries are considered malicious
     • Usually has three different modes of operation: Lock-down, Prompt, or Audit
     • Many threats require launching binaries
     • Effectively stops unknown binaries from executing
     • Protects against threats signature-based solutions cannot
     • Does not detect threats that are present at time of installation
  9. Application whitelisting
     • Does not detect threats running inside of approved processes
     • May not detect malicious scripts
     • Exploit features designed to increase the usability of whitelisting solutions
     • File system filter drivers can negatively impact performance
     • Rarely compatible with other security solutions
     • End-users may not have the flexibility necessary to perform their jobs
     • Administering automated installations and updates can be a hassle
     • Modify legitimate files on disk to get whitelisting solution to prohibit execution
     • Break the ability to easily install or update software
     • Degrade system performance
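As an added example, not taken from the deck or from any product it describes, the following Python models the hash-based allowlist of slides 8 and 9 with its three modes of operation, and exercises the two limits those slides name: a tampered legitimate file is refused by the allowlist itself, and an approved script host runs an unvetted script because only the binary is hashed. File contents, paths and names are constructed.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum

# Constructed stand-ins for file contents on disk (not real executables).
GOOD_APP = b"MZ constructed sample application v1"
SCRIPT_HOST = b"MZ constructed sample script host"
UNKNOWN_APP = b"MZ constructed binary nobody approved"

class Mode(Enum):
    LOCKDOWN = "lockdown"  # unknown binaries are blocked
    PROMPT = "prompt"      # the user is asked; the deck notes this still ends in infections
    AUDIT = "audit"        # log only, typically while the allowlist is being built

@dataclass(frozen=True)
class Decision:
    action: str  # "allow", "block", "prompt" or "audit"
    reason: str

class Allowlist:
    """Hash-based allowlist with the three modes of operation the deck lists."""

    def __init__(self, allowed: list[bytes], mode: Mode):
        self.allowed = {hashlib.sha256(b).hexdigest() for b in allowed}
        self.mode = mode

    def evaluate(self, path: str, contents: bytes, args: str = "") -> Decision:
        # Only the launched binary is hashed; its arguments are never inspected,
        # so an approved script host can still run a script nobody has vetted.
        digest = hashlib.sha256(contents).hexdigest()
        if digest in self.allowed:
            return Decision("allow", f"{path} matches allowlist; args ignored: {args!r}")
        if self.mode is Mode.LOCKDOWN:
            return Decision("block", f"{path} not on allowlist ({digest[:12]})")
        if self.mode is Mode.PROMPT:
            return Decision("prompt", f"{path} unknown; asking the user")
        return Decision("audit", f"{path} unknown; logged only")

def demo() -> dict[str, str]:
    wl = Allowlist([GOOD_APP, SCRIPT_HOST], Mode.LOCKDOWN)
    return {
        "known": wl.evaluate(r"C:\app\good.exe", GOOD_APP).action,
        "unknown": wl.evaluate(r"C:\tmp\unknown.exe", UNKNOWN_APP).action,
        # A legitimate file modified on disk no longer matches its hash, so the
        # allowlist itself refuses to run it (the denial-of-service case on slide 9).
        "tampered": wl.evaluate(r"C:\app\good.exe", GOOD_APP + b"\x00").action,
        # The host is approved, so the unknown script it is handed is never checked.
        "script": wl.evaluate(r"C:\hosts\host.exe", SCRIPT_HOST, "-File x.ps1").action,
    }
```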
  10. Behavioral detection
     • Instead of identifying malicious binaries, identify malicious behaviors
     • Often used in conjunction with sandboxing, hardware solutions, and cloud security
     • Uses static and dynamic analysis
     • Can detect unknown threats signature-based solutions cannot
     • Can detect infections that are present before installation
     • Can detect that legitimate applications have been hijacked
  11. Behavioral detection
     • Malicious software present before install can block installation
     • Obfuscation can hide malicious behaviors
     • Prompting end-users can result in infected computers
     • Behavioral detection negatively impacts system performance
     • False positives can result in legitimate software being blocked
     • End-users may not be able to run legitimate software needed to do their jobs
  12. Behavioral detection
     • Administrators must keep an up-to-date whitelist of legitimate applications with malicious behavior
     • Launch processes designed to decrease system performance
     • Inject malicious code into legitimate software to prevent it from running
     • Install components shared by multiple legitimate applications to break legitimate applications
     • Cloud solutions are vulnerable to distributed denial of service attacks
  13. Automatic execution detection
     • Malicious software has incentive to persist on the endpoint, so most malicious software attempts to
     • Prevents malicious software from persisting
     • Restricts access to key Windows file system and registry locations to prevent automatic execution
     • Provides protection against known and unknown threats
     • Does not require reactive updating to address new threats
  14. Automatic execution detection
     • Allows more end-user flexibility than application whitelisting
     • Superior performance and security solution compatibility
     • Like whitelisting, malicious software present at time of install is not detected
     • In-memory threats that do not attempt to persist are not detected
     • Threats that replace legitimate files are not always detected
  15. Automatic execution detection
     • End-users can optionally be given permission to install persistent software
     • End-users who need to install persistent software will need IT approval
     • Administrators need to configure automated installs and updates to proceed unhindered
     • Tools to minimize administrative impact potentially open up security vulnerabilities
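As an added example, not taken from the deck or from any product it describes, the following Python models the write policy slides 13 to 15 describe for Windows auto-start locations: a trusted installer proceeds unhindered, an end-user with the optional permission may persist software, everything else is denied without any signature update; the cases also show the slide 14 caveat that replacing a file an existing entry already points to never touches an autorun location. The location list is a constructed subset, and the process paths and registry value names are constructed.

```python
from dataclasses import dataclass

# Well-known Windows auto-start locations. A constructed subset for this example,
# not the full set a product would guard.
AUTORUN_LOCATIONS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\System\CurrentControlSet\Services",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
)

@dataclass(frozen=True)
class WriteAttempt:
    process: str                 # image path of the process doing the write
    target: str                  # registry key or file path being written
    user_approved: bool = False  # the end-user holds the optional install permission

class AutorunGuard:
    def __init__(self, trusted_installers: list[str], allow_user_installs: bool = False):
        self.trusted = {p.lower() for p in trusted_installers}
        self.allow_user_installs = allow_user_installs

    @staticmethod
    def is_autorun(target: str) -> bool:
        t = target.lower()
        return any(t.startswith(loc.lower()) for loc in AUTORUN_LOCATIONS)

    def check(self, attempt: WriteAttempt) -> str:
        if not self.is_autorun(attempt.target):
            # Out of scope: in-memory-only threats and overwrites of an already
            # registered binary never touch these locations, so nothing fires here.
            return "allow"
        if attempt.process.lower() in self.trusted:
            return "allow"  # automated install or update configured to proceed unhindered
        if self.allow_user_installs and attempt.user_approved:
            return "allow"  # the optional end-user permission for persistent software
        return "block"      # any other writer is denied; no signature update needed

def demo() -> dict[str, str]:
    guard = AutorunGuard([r"C:\Windows\System32\msiexec.exe"], allow_user_installs=True)
    run_key = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
    temp_exe = r"C:\Users\u\AppData\Local\Temp\x.exe"
    return {
        "installer": guard.check(WriteAttempt(r"C:\Windows\System32\msiexec.exe", run_key)),
        "unknown": guard.check(WriteAttempt(temp_exe, run_key)),
        "user_ok": guard.check(WriteAttempt(r"C:\Users\u\Downloads\setup.exe", run_key, True)),
        # Replacing the file an existing Run entry points to is not a write to an
        # autorun location: the "not always detected" caveat on slide 14.
        "replace": guard.check(WriteAttempt(temp_exe, r"C:\Program Files\Vendor\app.exe")),
    }
```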
  16. Questions
  17. For assistance or additional information
     • Phone: 216-664-1100
     • Web: www.jurinnov.com
     • Email: eric.vanderburg@jurinnov.com
     • Twitter: @evanderburg
     • Facebook: www.facebook.com/VanderburgE
     • LinkedIn: www.linkedin.com/in/evanderburg
     • YouTube: www.youtube.com/user/evanderburg
     JurInnov Ltd., The Idea Center, 1375 Euclid Avenue, Suite 400, Cleveland, Ohio 44115
