Traditional endpoint protection solutions have become the punching bag of security. And for good reason. Traditional solutions, including blacklisting and signature-based antivirus, have not kept pace in combating advanced threats and zero-day attacks. Organizations are left defenseless.
A new approach is needed that understands the lifecycle of today’s advanced attacks, providing capabilities to assess devices, prevent attacks, detect compromise, investigate the incident and finally remediate the environment.
View the full on-demand webcast: https://www.youtube.com/watch?v=Xyw-SV9v9dg
3. About Securosis
• Independent analysts with backgrounds on both the user and vendor side.
• Focused on deep technical and industry expertise.
• We like pragmatic.
• We are security guys – that’s all we do.
5. How customers view Endpoint Protection
• Compliance is the main driver for endpoint protection.
• Whether it works or not is not the issue.
• And to be clear, traditional anti-malware technology doesn’t work anymore.
http://flic.kr/p/9kC2Q1
8. Prevention
Next you try to stop an attack from being successful. This is where most of the effort in security has gone for the past decade, with mixed (okay, lousy) results. A number of new tactics and techniques are modestly increasing effectiveness, but the simple fact is that you cannot prevent every attack. It has become a question of reducing your attack surface as much as practical. If you can stop the simplistic attacks you can focus on more advanced ones.
9. Adversaries: Better and Better
• Advanced malware
• Polymorphism
• Sophisticated targeting
• Professional processes
http://www.flickr.com/photos/dzingeek/4587871752/
11. Traditional AV
But detection of advanced attacks is still problematic if detection is restricted to matching files at runtime. You have no chance to detect zero-day or polymorphic malware attacks that way.
12. You don’t know what malware is going to look like...
But you DO know what software should and should not do.
This calls for Advanced Heuristics.
13. Advanced Heuristics
Heuristics have evolved to recognize normal application behavior. This dramatically improves accuracy because rules are built and maintained at the level of a specific application, rather than as one generic ruleset for every process.
14. Look for what?
• Executables/dependencies
• Injected threads
• Process creation
• System file/configuration/registry changes
• File system changes
• OS-level functions including print screen, network stack changes, key logging, etc.
• Turning off protections
• Account creation and privilege escalation
http://flic.kr/p/6Yz7MB
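The two slides above (application-level heuristics, and the list of behaviours to look for) describe a rule set that knows what each application normally does and flags everything else. The following is an added example, not code from the Securosis/IBM deck: it evaluates a constructed endpoint event log against per-application behaviour profiles plus a short list of behaviours that are suspicious no matter which program performs them (thread injection, disabling protections, account creation, privilege escalation, keyboard hooks). The event format, the application profiles and the sample events are all assumptions made for illustration; a real product would derive the profiles from telemetry and vendor research.

```python
"""Application-level behavioural heuristics over a constructed endpoint event log.

Added example, not code from the deck. Event schema, application profiles
and sample events are constructed for illustration.
"""

# Constructed per-application profiles: the behaviours each application is
# expected to exhibit. Anything outside the profile is anomalous for that app.
APP_PROFILES = {
    "winword.exe": {"file_write:documents", "network:http"},
    "chrome.exe": {"file_write:downloads", "network:http",
                   "process_create:chrome.exe"},
    "setup.exe": {"file_write:program_files", "registry_set:run_key",
                  "service_change", "process_create:msiexec.exe"},
}

# Behaviours from the "Look for what?" slide that are suspicious regardless
# of which application performs them (constructed event-type names).
ALWAYS_SUSPICIOUS = {
    "thread_inject": "injected a thread into another process",
    "protection_disable": "turned off a security protection",
    "account_create": "created a local account",
    "privilege_escalate": "added an account to a privileged group",
    "keylog_hook": "installed a keyboard hook",
}


def behaviour_key(event):
    """Collapse an event into the coarse behaviour string used by profiles."""
    etype = event["type"]
    if etype == "process_create":
        return f"process_create:{event['child']}"
    if etype == "file_write":
        return f"file_write:{event['location']}"
    if etype == "registry_set":
        return f"registry_set:{event['key_class']}"
    if etype == "network":
        return f"network:{event['proto']}"
    return etype


def evaluate(events):
    """Return (pid, image, reason) findings for every event that is either
    always suspicious or outside the originating application's profile."""
    findings = []
    for ev in events:
        app = ev["image"]
        if ev["type"] in ALWAYS_SUSPICIOUS:
            findings.append((ev["pid"], app, ALWAYS_SUSPICIOUS[ev["type"]]))
            continue
        profile = APP_PROFILES.get(app)
        key = behaviour_key(ev)
        if profile is None:
            findings.append((ev["pid"], app, "unknown application (no behaviour profile)"))
        elif key not in profile:
            findings.append((ev["pid"], app, f"unexpected behaviour {key}"))
    return findings


# Constructed sample events: one benign Word session that then spawns a
# script host, a normal browser, an installer within its profile, and a
# look-alike process doing things no profiled application should do.
SAMPLE_EVENTS = [
    {"pid": 100, "image": "winword.exe", "type": "file_write", "location": "documents"},
    {"pid": 100, "image": "winword.exe", "type": "process_create", "child": "powershell.exe"},
    {"pid": 120, "image": "chrome.exe", "type": "network", "proto": "http"},
    {"pid": 130, "image": "setup.exe", "type": "registry_set", "key_class": "run_key"},
    {"pid": 140, "image": "svchst.exe", "type": "thread_inject", "target_pid": 120},
    {"pid": 140, "image": "svchst.exe", "type": "protection_disable", "target": "realtime_scan"},
    {"pid": 150, "image": "net.exe", "type": "account_create", "user": "backup_svc"},
]

if __name__ == "__main__":
    for pid, image, reason in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid} ({image}): {reason}")
```

Note how the same Run-key write is normal for `setup.exe` but would be flagged for `winword.exe`: that is the accuracy gain the slide attributes to application-level rules, and it is also why the profiles, not the detector, are where most of the maintenance effort goes.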
15. Application Control
• Define a set of authorized executables that can run on a device, and block everything else.
• Flexible “trust” model to offer a “grace” period to install software.
• Authorized publishers, trusted employees, etc.
• Though more flexible trust models weaken security…
http://flic.kr/p/97Kqk8
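The slide describes application control as default-deny with a graded trust model layered on top: an explicit allowlist, trusted publishers, and a grace period for trusted users installing software. As an added example (not code from the deck or from any product), the following evaluates launch requests against two constructed policies, one strict and one flexible, so the trade-off in the last bullet is visible: the flexible policy lets an unsigned binary run during a trusted user's grace window that the strict policy would block. The policy fields, hash values, publisher name and user names are all assumptions for illustration.

```python
"""Application-control decisions under strict and flexible trust models.

Added example, not code from the deck. Policy structure, digests,
publisher and user names are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set


@dataclass
class LaunchRequest:
    path: str
    sha256: str                # constructed placeholder digest
    publisher: Optional[str]   # verified Authenticode-style signer, None if unsigned
    user: str
    when: datetime


@dataclass
class Policy:
    allowed_hashes: Set[str] = field(default_factory=set)
    trusted_publishers: Set[str] = field(default_factory=set)
    trusted_installers: Set[str] = field(default_factory=set)  # users granted a grace window
    grace_window: timedelta = timedelta(0)


def decide(req, policy, grace_started=None):
    """Return (allow, reason) for one launch request.
    Checks run from the strongest evidence of trust (exact hash) to the
    weakest (a trusted user is inside an installation grace window)."""
    if req.sha256 in policy.allowed_hashes:
        return True, "hash on allowlist"
    if req.publisher is not None and req.publisher in policy.trusted_publishers:
        return True, f"signed by trusted publisher {req.publisher}"
    if (req.user in policy.trusted_installers
            and grace_started is not None
            and timedelta(0) <= req.when - grace_started <= policy.grace_window):
        return True, "within install grace window for trusted user"
    return False, "not authorised: default deny"


def audit(requests, policy, grace_started=None):
    """Count how many requests each policy would allow; useful when comparing
    how much a looser trust model widens what can execute."""
    return sum(1 for r in requests if decide(r, policy, grace_started)[0])


# Constructed policies and requests.
KNOWN_GOOD = "a1" * 32
STRICT = Policy(allowed_hashes={KNOWN_GOOD})
FLEXIBLE = Policy(allowed_hashes={KNOWN_GOOD},
                  trusted_publishers={"Example Vendor Inc."},
                  trusted_installers={"alice"},
                  grace_window=timedelta(hours=1))

T0 = datetime(2014, 1, 1, 9, 0)
REQUESTS = [
    LaunchRequest("C:\\Windows\\notepad.exe", KNOWN_GOOD, None, "bob", T0),
    LaunchRequest("C:\\Tools\\vendor_tool.exe", "b2" * 32, "Example Vendor Inc.", "bob", T0),
    LaunchRequest("C:\\Users\\alice\\Downloads\\unsigned.exe", "c3" * 32, None, "alice",
                  T0 + timedelta(minutes=10)),
    LaunchRequest("C:\\Users\\bob\\Downloads\\unsigned.exe", "c3" * 32, None, "bob",
                  T0 + timedelta(minutes=10)),
    LaunchRequest("C:\\Users\\alice\\Downloads\\unsigned.exe", "c3" * 32, None, "alice",
                  T0 + timedelta(hours=3)),
]

if __name__ == "__main__":
    for name, policy in (("strict", STRICT), ("flexible", FLEXIBLE)):
        print(f"--- {name} policy ---")
        for r in REQUESTS:
            allow, reason = decide(r, policy, grace_started=T0)
            print(f"{'ALLOW' if allow else 'BLOCK':5} {r.path} ({reason})")
```

Under the strict policy only the exact-hash match runs; the flexible policy adds the signed vendor tool and the unsigned download launched by alice inside her grace window, while the same unsigned file is still blocked for bob and for alice after the window closes. That third allowance is exactly the security the slide says you give up for flexibility.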
17. Isolation
Spin up a walled garden to run applications. If the app is compromised (detected using advanced heuristics), the sandbox prevents the application from accessing core device features such as the file system and memory, and prevents the attacker from loading additional malware.
18. Old Concept, New Packaging
• Isolation is not new. VMs have been in use by sophisticated users for years.
• Isolation still needs to use some OS-level services, which provides attack surface.
• VM (or isolation) aware malware stays dormant.
• Sophisticated evasion techniques are emerging: human interaction, timers, process hiding, etc…
19. Choosing Prevention
• What kind of adversaries do you face?
• Which applications are most frequently used?
• How disruptive will employees allow the protection to be?
• What percentage of devices have been replaced in the past year?
20. Understanding Effectiveness
• Hype, religion and snake oil will be common as vendors look to establish their approach as “best.”
• Comparative tests are frequently gamed. They provide one data point.
• Look for testing outliers and go on from there.
http://flic.kr/p/7SrgR3
21. Summary
• Advanced Protection requires a broader view of threat management.
• Innovation on endpoint/server prevention will accelerate.
• Shift investment from ineffective legacy prevention to more effective advanced prevention, detection and investigation.
http://www.flickr.com/photos/74571262@N08/6710953053/
22. Read our stuff
• Blog: http://securosis.com/blog
• Research: http://securosis.com/research
• We publish (almost) everything for free.
• Contribute. Make it better.
35. Disclaimer
Please Note:
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.