Countering malware threats - Eric Vanderburg
1. Combating malware threats
© 2014 Property of JurInnov Ltd. All Rights Reserved
Eric A. Vanderburg, MBA, CISSP
Director, Information Systems and Security
Computer Forensic and Investigation Services
2. Outline
• Security model
• Malicious software
• Countering malware threats
– Whitelisting
– Behavioral detection
– Automatic execution detection
3. Security model
• Select security products that provide maximum security without significantly impacting productivity
• Have a security model capable of handling direct attack of security solutions present on endpoints
– Have a security model with fail-safe protection
– Consider security products that use obfuscation
– Consider security solutions that are less prominent
• Be willing to adapt your security model to address a quickly evolving threat landscape
4. Malicious software
• Malicious software development is a for-profit business
• There are more threats today than ever before
• Threats today are designed to bypass the most prominent security solutions
5. Security trade-offs
• System performance and resource consumption
• Impact on end-user productivity
• Increased IT administration requirements
6. One step ahead
• Malicious software developers are familiar with emerging security techniques
• Malicious software developers can respond faster than security vendors
• Companies are slow to adopt new security solutions
7. Security solution adoption
• No need to bypass security solutions that were never installed
• Malicious software developers can impede solution adoption
• Threats can create false positives that break legitimate software
• Threats can increase the hassle of administering new security solutions
8. Application whitelisting
• Opposite of the signature-based approach
• Unknown executable binaries are considered malicious
• Usually has three different modes of operation: Lockdown, Prompt, or Audit
• Many threats require launching binaries
• Effectively stops unknown binaries from executing
• Protects against threats that signature-based solutions cannot
• Does not detect threats that are present at time of installation
9. Application whitelisting
• Does not detect threats running inside of approved processes
• May not detect malicious scripts
• Exploit features designed to increase the usability of whitelisting solutions
• File system filter drivers can negatively impact performance
• Rarely compatible with other security solutions
• End-users may not have the flexibility necessary to perform their jobs
• Administering automated installations and updates can be a hassle
• Modify legitimate files on disk to get whitelisting solution to prohibit execution
• Break the ability to easily install or update software
• Degrade system performance
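The two whitelisting slides describe the mechanism (unknown binaries are treated as malicious, with Lockdown, Prompt and Audit modes) and one of its failure modes (a legitimate file modified on disk is no longer recognised). The following is an added example written for this page, not code from the slide deck or from any JurInnov product: a hash-based allowlist that implements the three modes, with constructed stand-in "binaries", paths and a constructed user-prompt callback. It shows both the protective effect and the caveat, since the tampered copy of an approved file is refused exactly like an unknown dropper.

```python
"""Hash-based application whitelist with Lockdown, Prompt and Audit modes.

Added example, not code from the slide deck or from any JurInnov product.
Every "binary", hash, path and the user-prompt callback below is constructed
for the demo; a real product would read the bytes from disk at execute time.
"""
import hashlib
from enum import Enum
from typing import Callable, Dict, List, Tuple

class Mode(Enum):
    LOCKDOWN = "lockdown"   # unknown binaries are blocked outright
    PROMPT = "prompt"       # unknown binaries: ask the user, remember the answer
    AUDIT = "audit"         # unknown binaries run, but the event is logged

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class Whitelist:
    def __init__(self, approved: Dict[str, str], mode: Mode,
                 prompt: Callable[[str], bool] = lambda path: False) -> None:
        self.approved = dict(approved)   # sha256 hex -> name recorded at approval
        self.mode = mode
        self.prompt = prompt             # user decision callback for PROMPT mode
        self.audit_log: List[str] = []

    def decide(self, path: str, contents: bytes) -> Tuple[bool, str]:
        """Return (allowed, reason). Identity is the hash of the bytes actually
        on disk, so a modified copy of an approved file counts as unknown."""
        digest = sha256_hex(contents)
        short = digest[:12]
        if digest in self.approved:
            return True, f"known binary {self.approved[digest]}"
        if self.mode is Mode.LOCKDOWN:
            self.audit_log.append(f"BLOCK {path} sha256={short}")
            return False, "unknown binary blocked (lockdown)"
        if self.mode is Mode.PROMPT:
            if self.prompt(path):
                self.approved[digest] = path   # learned approval, no prompt next time
                self.audit_log.append(f"APPROVE {path} sha256={short}")
                return True, "unknown binary approved by user (prompt)"
            self.audit_log.append(f"DENY {path} sha256={short}")
            return False, "unknown binary denied by user (prompt)"
        self.audit_log.append(f"AUDIT {path} sha256={short} ran while unlisted")
        return True, "unknown binary allowed but logged (audit)"

# Constructed stand-ins for executable images.
APPROVED_EXE = b"MZ\x90\x00approved-line-of-business-app"
USER_TOOL_EXE = b"MZ\x90\x00sysadmin-utility-not-yet-listed"
UNKNOWN_EXE = b"MZ\x90\x00never-seen-before-dropper"
TAMPERED_EXE = APPROVED_EXE + b"\x00patched"   # approved file altered on disk

BASELINE = {sha256_hex(APPROVED_EXE): "lob_app.exe"}

def demo() -> Dict[str, Tuple[bool, str]]:
    results: Dict[str, Tuple[bool, str]] = {}
    lock = Whitelist(BASELINE, Mode.LOCKDOWN)
    results["lockdown_known"] = lock.decide(r"C:\Apps\lob_app.exe", APPROVED_EXE)
    results["lockdown_unknown"] = lock.decide(r"C:\Users\u\dropper.exe", UNKNOWN_EXE)
    # Slide 9 caveat: once a legitimate file is modified on disk its hash is no
    # longer on the list, so lockdown refuses it. Safe, but the app stops working.
    results["lockdown_tampered"] = lock.decide(r"C:\Apps\lob_app.exe", TAMPERED_EXE)

    # Prompt mode: the constructed user approves anything named tool.exe.
    ask = Whitelist(BASELINE, Mode.PROMPT, prompt=lambda p: p.endswith("tool.exe"))
    results["prompt_user_allows"] = ask.decide(r"C:\Tools\tool.exe", USER_TOOL_EXE)
    results["prompt_user_denies"] = ask.decide(r"C:\Users\u\dropper.exe", UNKNOWN_EXE)
    results["prompt_remembered"] = ask.decide(r"D:\copy\tool.exe", USER_TOOL_EXE)

    audit = Whitelist(BASELINE, Mode.AUDIT)
    results["audit_unknown"] = audit.decide(r"C:\Users\u\dropper.exe", UNKNOWN_EXE)
    return results

if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:20} {'ALLOW' if allowed else 'BLOCK'}  {reason}")
```

Audit mode is the usual way to roll such a product out: nothing is blocked, but the log shows which unlisted binaries users actually run, so the baseline can be completed before switching to Lockdown. The Prompt branch illustrates the slide-11 warning about prompting end-users: whatever the user approves becomes permanently trusted.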
10. Behavioral detection
• Instead of identifying malicious binaries, identify malicious behaviors
• Often used in conjunction with sandboxing, hardware solutions, and cloud security
• Uses static and dynamic analysis
• Can detect unknown threats that signature-based solutions cannot
• Can detect infections that are present before installation
• Can detect that legitimate applications have been hijacked
11. Behavioral detection
• Malicious software present before install can block installation
• Obfuscation can hide malicious behaviors
• Prompting end-users can result in infected computers
• Behavioral detection negatively impacts system performance
• False positives can result in legitimate software being blocked
• End-users may not be able to run legitimate software needed to do their jobs
12. Behavioral detection
• Administrators must keep an up-to-date whitelist of legitimate applications with malicious behavior
• Launch processes designed to decrease system performance
• Inject malicious code into legitimate software to prevent it from running
• Install components shared by multiple legitimate applications to break legitimate applications
• Cloud solutions are vulnerable to distributed denial of service attacks
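Slides 10 to 12 describe behavioral detection as a mix of static and dynamic analysis, warn that obfuscation hides behavior, and note that administrators must maintain a whitelist of legitimate applications that exhibit malicious-looking behavior. The following is an added example written for this page, not code from the slides or from any vendor product. The static side is a byte-entropy heuristic for packed or obfuscated images; the dynamic side scores behaviors a sandbox or endpoint agent would report; the behavior names, weights, threshold, sample images and the exception list are all constructed for the demo.

```python
"""Behavior-based verdict for a process: static indicators plus observed
behaviors, with an administrator exception list.

Added example, not code from the slide deck or from any vendor product.
The static side uses byte entropy as a packing/obfuscation heuristic; the
dynamic side scores behaviors a sandbox or endpoint agent would report.
Sample images, behaviors, weights, thresholds and exceptions are constructed.
"""
import math
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Weight of each observed behavior. A single behavior is rarely conclusive;
# the detector reacts to combinations such as drop + persist + inject.
BEHAVIOR_WEIGHTS: Dict[str, int] = {
    "writes_exe_to_temp": 2,
    "modifies_autostart": 3,
    "injects_into_other_process": 4,
    "disables_security_tool": 5,
    "contacts_new_domain": 1,
    "encrypts_many_user_files": 5,
}
PACKED_ENTROPY = 7.2    # bits per byte; 8.0 is random, compressed or encrypted data
BLOCK_THRESHOLD = 6     # constructed cut-off for the demo

# Slide 12: legitimate applications with malicious-looking behavior must be
# whitelisted by administrators or they get blocked. Keyed by image name here
# for brevity; a real product would key on code signature or hash instead.
EXCEPTIONS: Dict[str, FrozenSet[str]] = {
    "backup_agent.exe": frozenset({"encrypts_many_user_files", "modifies_autostart"}),
    "av_updater.exe": frozenset({"writes_exe_to_temp", "modifies_autostart"}),
}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

@dataclass
class ProcessObservation:
    image: str
    sample: bytes                                        # executable bytes (static)
    behaviors: List[str] = field(default_factory=list)   # observed at run time (dynamic)

@dataclass
class Verdict:
    image: str
    score: int
    blocked: bool
    reasons: List[str]

def assess(obs: ProcessObservation) -> Verdict:
    reasons: List[str] = []
    score = 0
    ent = shannon_entropy(obs.sample)
    if ent >= PACKED_ENTROPY:
        # Slide 11: obfuscation hides behavior from static analysis, so packing
        # is only a weak indicator; legitimate software is packed too.
        score += 2
        reasons.append(f"high entropy {ent:.2f} bits/byte (packed or obfuscated)")
    exempt = EXCEPTIONS.get(obs.image, frozenset())
    for behavior in obs.behaviors:
        if behavior in exempt:
            reasons.append(f"{behavior}: exempted for {obs.image}")
            continue
        weight = BEHAVIOR_WEIGHTS.get(behavior, 1)   # unlisted behavior still counts
        score += weight
        reasons.append(f"{behavior}: +{weight}")
    return Verdict(obs.image, score, score >= BLOCK_THRESHOLD, reasons)

# Constructed observations.
PLAIN_IMAGE = b"MZ\x90\x00" + b"text-editor " * 40          # low entropy
PACKED_IMAGE = bytes(range(256)) * 4                        # 8.0 bits/byte

def demo() -> Dict[str, Verdict]:
    return {
        "editor": assess(ProcessObservation("editor.exe", PLAIN_IMAGE,
                                            ["contacts_new_domain"])),
        "backup_agent": assess(ProcessObservation("backup_agent.exe", PLAIN_IMAGE,
                                                  ["encrypts_many_user_files", "modifies_autostart"])),
        # Same behaviors as the backup agent, but from an unknown packed image:
        # nothing is exempted and the combination crosses the threshold.
        "invoice_dropper": assess(ProcessObservation("invoice.exe", PACKED_IMAGE,
                                                     ["encrypts_many_user_files", "modifies_autostart"])),
        "autostart_only": assess(ProcessObservation("setup_helper.exe", PLAIN_IMAGE,
                                                    ["modifies_autostart"])),
    }

if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:16} score={v.score:<3} {'BLOCK' if v.blocked else 'allow'}  {v.reasons}")
```

The backup agent and the unknown image exhibit identical behavior; only the administrator's exception list separates them, which is the maintenance burden slide 12 points at. The `setup_helper.exe` case shows why a threshold on combined behaviors is used rather than a block on any single one: an application that merely registers itself to start at logon would otherwise be a constant source of the false positives slide 11 warns about.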
13. Automatic execution detection
• Malicious software has incentive to persist on the endpoint, so most malicious software attempts to
• Prevents malicious software from persisting
• Restricts access to key Windows file system and registry locations to prevent automatic execution
• Provides protection against known and unknown threats
• Does not require reactive updating to address new threats
14. Automatic execution detection
• Allows more end-user flexibility than application whitelisting
• Superior performance and security solution compatibility
• Like whitelisting, malicious software present at time of install is not detected
• In-memory threats that do not attempt to persist are not detected
• Threats that replace legitimate files are not always detected
15. Automatic execution detection
• End-users can optionally be given permission to install persistent software
• End-users who need to install persistent software will need IT approval
• Administrators need to configure automated installs and updates to proceed unhindered
• Tools to minimize administrative impact potentially open up security vulnerabilities
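Slides 13 to 15 describe automatic execution detection as restricting writes to key Windows file system and registry locations, while letting automated installers and specifically permitted users persist software. The following is an added example written for this page, not code from the slides or from any vendor product: it classifies the target of a write as one of the well-known Windows autostart locations (Run and RunOnce keys, service definitions, the Winlogon Shell and Userinit values, the Startup folder and the scheduled-task store) and applies that policy. The event records, account names, image names and the trusted-installer list are constructed for the demo.

```python
"""Policy check for writes to Windows autostart locations.

Added example, not code from the slide deck or from any vendor product. It
classifies the target of a write (registry value or file path) as one of the
well-known autostart locations, then applies the slide-15 policy: trusted
automated installers and users who were given permission may persist software,
every other attempt is blocked and logged. Events, account names and the
trusted-installer list are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Well-known autostart locations. Patterns are applied to normalized paths
# (single backslashes, HKLM/HKCU abbreviations) and are case-insensitive.
AUTOSTART_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("Run/RunOnce key", re.compile(
        r"^HK(LM|CU)\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)", re.I)),
    ("service definition", re.compile(r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\", re.I)),
    ("Winlogon Shell/Userinit", re.compile(
        r"^HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I)),
    ("Startup folder", re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)),
    ("scheduled task file", re.compile(r"^C:\\Windows\\System32\\Tasks\\", re.I)),
]

def normalize(target: str) -> str:
    t = target.replace("/", "\\")
    t = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", t, flags=re.I)
    return re.sub(r"^HKEY_CURRENT_USER", "HKCU", t, flags=re.I)

def classify(target: str) -> Optional[str]:
    """Name of the autostart location the target falls in, or None."""
    t = normalize(target)
    for name, pattern in AUTOSTART_PATTERNS:
        if pattern.search(t):
            return name
    return None

@dataclass
class WriteEvent:
    actor: str      # account performing the write
    process: str    # image name of the writing process
    target: str     # registry value path or file path being created/modified

@dataclass
class Decision:
    allowed: bool
    location: Optional[str]   # None when the target is not an autostart location
    reason: str

class AutostartGuard:
    def __init__(self, trusted_installers: Set[str], permitted_users: Set[str]) -> None:
        # Slide 15: trusting installers by image name keeps automated updates
        # unhindered, but a name is easy to spoof; a real product should verify
        # the publisher signature before honoring this exemption.
        self.trusted_installers = {p.lower() for p in trusted_installers}
        self.permitted_users = {u.lower() for u in permitted_users}
        self.log: List[str] = []

    def evaluate(self, ev: WriteEvent) -> Decision:
        location = classify(ev.target)
        if location is None:
            return Decision(True, None, "not an autostart location")
        if ev.process.lower() in self.trusted_installers:
            self.log.append(f"ALLOW installer {ev.process} -> {location}: {ev.target}")
            return Decision(True, location, "automated install/update permitted")
        if ev.actor.lower() in self.permitted_users:
            self.log.append(f"ALLOW user {ev.actor} via {ev.process} -> {location}: {ev.target}")
            return Decision(True, location, "user permitted to install persistent software")
        self.log.append(f"BLOCK {ev.process} ({ev.actor}) -> {location}: {ev.target}")
        return Decision(False, location, "unapproved persistence attempt blocked")

# Constructed events.
EVENTS: Dict[str, WriteEvent] = {
    "system_installer": WriteEvent("SYSTEM", "msiexec.exe",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"),
    "user_app_unapproved": WriteEvent("CORP\\alice", "winword.exe",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Helper"),
    "approved_user": WriteEvent("CORP\\bob", "explorer.exe",
        r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.lnk"),
    "ordinary_file": WriteEvent("CORP\\alice", "winword.exe",
        r"C:\Users\alice\Documents\report.docx"),
    "winlogon_userinit": WriteEvent("CORP\\alice", "updater.exe",
        r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"),
}

def demo() -> Dict[str, Decision]:
    guard = AutostartGuard(trusted_installers={"msiexec.exe"}, permitted_users={"corp\\bob"})
    return {name: guard.evaluate(ev) for name, ev in EVENTS.items()}

if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:18} {'ALLOW' if d.allowed else 'BLOCK'}  {d.location or '-'}: {d.reason}")
```

Ordinary document writes pass through without even a log line, which is where the performance and compatibility advantage over whitelisting (slide 14) comes from: only a small set of locations is inspected. The same property explains the slide-14 blind spots, since an in-memory threat that never writes to one of these locations produces no event at all, and a threat that overwrites a file already referenced from an autostart entry does not create a new entry.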
17. For assistance or additional information
• Phone: 216-664-1100
• Web: www.jurinnov.com
• Email: eric.vanderburg@jurinnov.com
• Twitter: @evanderburg
• Facebook: www.facebook.com/VanderburgE
• LinkedIn: www.linkedin.com/in/evanderburg
• YouTube: www.youtube.com/user/evanderburg
JurInnov Ltd.
The Idea Center
1375 Euclid Avenue, Suite 400
Cleveland, Ohio 44115