Ogren Group Whitepaper: Tenets Of Endpoint Security

Post on 05-Nov-2014

937 views 0 download

Preview:

Click to see full reader
Report this document
SHARE

description

Whitepaper Abstract This special report presents the critical Tenets of Endpoint Control to IT architects with recommended actions for enterprise security officers. Information in this report derives from Ogren Group research and interviews with enterprise security officers of global organizations. Traditional security measures are simply not effective in the modern attack climate. Endpoint control, driven by application whitelisting, now offers an attractive alternative to security suites comprised of recycled security components. The Tenets of Endpoint Control are introduced in this special report. Organizations adopting these tenets and deploying endpoint control solutions are realizing benefits in more effective defenses against attacks, greater end-user satisfaction with performance gains, and lower operating costs due to reductions in the value of attack signature streams.

Transcript of Ogren Group Whitepaper: Tenets Of Endpoint Security

TheTenetsofEndpointControl

AnOgrenGroupSpecialReport

April2008

Copyright2008,TheOgrenGroup.Allrightsreserved. Page2

EnterpriseITispayingoutlargechunksofitssecuritybudgetforsignature–orientedendpointsecurityproductsknowingthatthoseapproachescannotprotectthebusinessagainstlostdatafrommalicious

attacks.Thequestionisnotbest‐of‐breedversussecuritysuites,thequestioniswhybasetheprimarydefenseofendpointassetsontechnologythatisdecadesoldandisproventimeandagaintobeineffective.Attackersdeveloptargetedattacks,ormodifywellknownattacksthathaveproventobe

effectiveforyears,thatsignatureapproacheshavenochanceofdetecting,blocking,orremoving.

EndpointcontrolisacriticalnewapproachforITtomanagetheintegrityofendpointsandtoprotectconfidentialdata.Traditionalsecuritymeasures,currentlyofferedassecuritysuitesofcommoditizedcomponents,aresimplynoteffectiveinthemodernattackclimate.SecurityfunctionswithinIT

organizationsareoftencaughtupinthreatmyopia,aconditionwhereeverythreattothetechnicalinfrastructureneedstobeanalyzed,understood,andblockedattheedgeofthenetworkandagainattheendpoint.Securityhasalwaysbeenabest‐of‐breedindustry.Nobodywantstopayforathird‐rate

securityproductorpayforsecurityproductsthatdonotwork.Endpointcontrol,drivenbyapplicationwhitelisting,nowoffersanattractivealternativetosecuritysuitescomprisedofrecycledsecuritycomponents.

EndpointcontrolfocusesontheITrequirementstocontrolendpointconfigurations.Anyunauthorized

modificationoftheconfigurationisautomaticallyblocked.Thiseffectivelythwartsattacksthatneedahosttoexecute,storagesystemstohide,andnetworkaccesstopropagate.Bycontrollingtheendpoint,ITefficientlydeniesattacksaccesstokeyelementsontheendpoint.Thecriticalabilitytocontrol

executablesandnetworkaccessisamodelthatscalesstronglytoenterpriselevelsandiseffectiveatstoppingmosttypesofattacks.

TheTenetsofEndpointControlareintroducedinthisspecialreport.ThetenetsthatITisfollowingare:

• Controlwhatyouknow.Itismucheasiertocontrolconfigurationsandacceptableusepolicies;

itisimpossibletocontrolwhatanattackermighttry.• Controlatthelowestpossiblelevel.Endpointcontrolsolutionsneedtooperateinthekernel

wheretheycannotbeeasilysubvertedandhavevisibilitytoallnetwork,file,andprocessor

operations.• Controltransparently.Endpointcontrolsolutionsneedtogiveperformancebacktotheuser,

andallowthemtodotheirjobswithoutinterruptionsfromtheendpointsecuritysoftware.

Organizationsadoptingthesetenetsanddeployingendpointcontrolsolutionsarerealizingbenefitsin

moreeffectivedefensesagainstattacks,greaterend‐usersatisfactionwithperformancegains,andloweroperatingcostsduetoreductionsinthevalueofattacksignaturestreams.Theheightenedresistancetoexecutionofunauthorizedprograms,theprimesymptomofanattackthatneedsto

executetostealconfidentialdataorcausedamage,alsoreducestheamountofpanicpatchoperationsandhelpdeskcallsthatITmustmanage.

Copyright2008,TheOgrenGroup.Allrightsreserved. Page3

Whybaseendpointdefenseonoldtechnologythatisprovenineffective?

Thisspecialreport,commissionedbyCoreTrace,presentsthecriticalTenetsofEndpointControlstoITarchitectswithrecommendedactionsforenterprisesecurityofficers.Informationinthisreportderives

fromOgrenGroupresearchandinterviewswithenterprisesecurityofficersofglobalorganizations.

TheProblemswithSecuritySuites

Thesecurityindustryisdrivingtowardsendpointcontrolsolutions.ITislearningthatitismucheasiertocontrolwhattheyknowandunderstandthanitistotrytocontrolunknownattacks.Traditionalsecurityvendorspushsignature‐basedsecuritysuitestomarkettoprotectsubscriptionrevenuestreamsandto

givecustomersa“defenseindepth”solution.However,thesesuitesdonotintroducenewsecuritycapabilities;therearenosynergisticbenefits.

However,thesecollectionsofcommoditizeddefensesdonoteffectivelydetectandblockattacks.Exhibit1showsthreeattacks,NetSky,Bagle,andMydoomthat

allplaceexecutableimagesontheendpoint,andlaunchingtheseexecutableslaunchestheattack.Thefutilityofsignature‐basedapproachesisshownbythefactthatNetSkyand

Mydoomhavebeenaroundsince2004,yettheyarethrivingasmembersofthetop10ofattacksinthewildasofMarch2008.

Exhibit1:Attackscansucceedwithoutendpointcontrol

Theproblemswithsecuritysuitesarewellunderstoodandinclude:

• Attackschangefasterthansignaturefiles.Attackersdevelopnewattacks,orcreatevariantsofexistingattacksfasterthansecurityvendorscancreatesignaturesandantidotes;fasterthanITcandistributethemtothecommunityofendpoints.Thisleavesenterprisesdefenselessagainst

newtargetedattacks.Nomatterhowfastthesecurityvendoris,theycanneverthwartanattackbeforeitisalreadyinthewild.

Copyright2008,TheOgrenGroup.Allrightsreserved. Page4

Itiseasiertocontrolwhatisknownthantrytocontrolunknownattacks.

• Thelargerthelistofattackstoscan,themoreperformancedegrades.Theblacklistofattacksisincreasingatasteadyrate.Eachdaythesecuritysuiteofsignatureswilltakelongertoscan

objectsor,worse,omitagedsignaturecheckstomaintainperformanceontheendpoint.Thereisnoendtothedemandsofsignatureapproaches.

• Enterprisespaylargesumsofmoneyforsecuritysuitesubscriptions.Subscriptionservicesfor

receivingupdatestosecuritysuitesignaturefilesareoneofthelargerexpensesinthecorporatesecuritybudget,andtheyareanongoingannualexpense.

ITisimplementingendpointcontrolsolutionsasamorescalableapproachtopreventingmalwarefromexecutingwithinthetechnicalinfrastructure.Configurationsthatarelockeddownhavenoallowances

forunauthorizedsoftware.Withendpointcontrolmalicioussoftwarecannotexecutetostealconfidentialdataordisruptbusinessprocesses.

Tenet#1:Controlwhatyouknow

ITknowswhatapplicationseachendpointshouldbeexecutingandwhatnetworkaccessesshouldbeallowedtoabidewithcorporateusepolicies.Ratherthan

embarkingonthehopelesstaskofdelineatingallofthenegativeactionsthatmightoccur,itismucheasiertodescribewhatyouknowandtodefineacceptableuse

policies.EndpointcontroltechnologyallowsITtodefineitsrequirementswiththeknowledgethatactionsnotcomplyingwithITcontrolpolicy,suchasmaliciousattacks,willbeautomaticallyblocked.

• Identifytheacceptabletechnicalenvironment.Positivewhitelistapproachesarefundamental

toendpointcontrolarchitectures.ApplicationwhitelistsallowITtodescribedesiredconfigurationandacceptableusepoliciesfortheendpoint.Anyoperationnotalignedwiththispolicy–evenday0attacksthatarenotwellunderstood–areautomaticallyblockedbefore

damagecanoccur.Therearenofalsepositives;iftheoperationhasnotbeenapproveditisnotallowedtocomplete.Thisisthebenefitofsecuritywithoutsignaturesinpreventinglossofconfidentialdatafrommaliciousattacks.

• Allowfordifferencesamongendpoints.Endpointcontrolsolutionsmusttakeintoaccountthatanytwoendpointdevicesareseldomidenticalinconfiguration.Forinstance,adifferenceinendpointmanufacturingdatesmaybereflectedinslightvariationsinhardware,andresultant

versionsofdevicedrivers.Endpointcontrolneedstoresideoneachendpoint,inspectthedevicetounderstanditsspecificconfiguration,andthenlockdowntheendpointaccordingtothedictatesofITcontrol.

• Audittheend‐userandtheendpoint.EndpointcontrolprovidesITtheabilitytoauditactivityinordertoreplayactionsleadinguptoapolicyviolation,proactivelyhelpusersinneedofassistance,andtodocumentcompliancewithgovernmentandindustryregulations.Theaudit

featuresofendpointcontrolallowITtokeepthesystemintune,andtocorrectissuesbeforetheybecomeproblems.

Copyright2008,TheOgrenGroup.Allrightsreserved. Page5

OnlysecuritysoftwarethatfunctionsinthekernelcanreliablydeliverthecontrolsthatITrequires.

Tenet#2:Controlatthelowestlevelpossible

Endpointcontrolsolutionsmustoperateatthelowestpossiblelevel.Positioningendpointcontrolsolutionsinthekerneloftheoperatingsystemprovidesoperatingbenefitsthatcannotbeachievedwhenoperatinginuser‐mode.Thearchitecturalpositioning,asshowninExhibit2,ofendpointcontrolinthekernelallowsthesecuritysoftwaretoblockexecutionofunauthorizedprogramsoruseofthenetworkthatviolatessecuritypolicies.Thisisacriticalimplementationdecision.

Exhibit2:Endpointcontrolexecutesatthelowestpossiblelevel

OnlysecuritysoftwarethatfunctionsinthekernelcanreliablydeliverthecontrolsthatITrequires.

• Inspectalloperations.Onlyendpointcontrolsoftwareoperatinginthekernelcaninspectandcorrelatestorage,network,andprocessorfunctions.Kernel‐modesecuritysoftwareisgrantedvisibilityoftheentireendpointallowingthesolutiontoinspectalloperationstomakeoptimal

decisionsonbehalfofIT.• Isolatesecurityfromapplications.ITcanonlycontroltheendpointifthesecuritysoftware

executeswithoutinterferenceofapplications.Thiscanonlybeachievedinthekernel,where

anyoperationtosubvertITcontrolsfromuser‐modeapplicationscanbedetectedandblocked.Attacksoftwareexecutinginusermodecannotsubvertthelowerlevelendpointcontrolsolutionsthatareexecutinginthekernel.

• Blockinappropriateactivityfromreachingapplications.Theonlywaytopreventinappropriateexecutesfromoperating,orpreventI/Orequestsfromviolatingcorporatepolicy,istointercedebetweentheapplicationandtheoperatingsystem.Endpointcontrolsoftwarecanblock

nefariousactivityinthekernel–beforethatactivitycanaffecttheendpointorworkitswayintothekernel.

Copyright2008,TheOgrenGroup.Allrightsreserved. Page6

Securitymustbetransparenttoend‐users,andnotcreateadministrativeburdenstooperationalstaff.

Tenet#3:Controltransparently

Theacceptanceofend‐usersiscriticaltothesuccessofanendpointcontrolprogram,whetherthatendpointisadesktoporaserver.Controlsthatintrudeupontheuserexperiencewillberejected.Securitymustbetransparenttotheend‐users,andnotcreateadministrativeburdenstooperationsstaff.

• Preservetheuserexperiences.Endpointcontrolsolutionsarerequiredtomakeallow/denydecisionswithoutinterruptingtheusersoftheendpoint.TheusersmustnotevenknowthatITiscontrollingtheirendpointconfigurations.Prompts,questions,andnotificationsshouldbekepttoaminimum.

• Insistonnoperformancedegradation.Endpointcontrol,becauseitoperatesonthemuchshorterwhitelistthanattacksignatureapproaches,returnsprocessingpowerandmemorytobusinessapplications.End‐usersareapttodisengagesecuritysuitestogaintime.Endpointcontroltechnologyneedstooperateatbetterthan10timestheperformancelevelsofsignatureapproaches.ThatgivesITgreatereffectivenessatstoppingattackswhilefreeingmoreperformanceforbusinessapplications.

• Keepadministrativeactionsconfidential.ThesecurityofcommunicationsbetweenadministrativeconsolesandendpointsisanimportantingredientinallowingITtocontroltransparently.Mutualauthentication,encryptedcommunications,andsecuredeliveryofauditinformationallowITtocontrolcorporateendpointswithoutrequiringend‐userparticipationinthemanagementofthedevice.

Conclusions

Traditionalsuitesofsoftwarepackagedbysecurityvendorsfallfarshortoftherequirementsforprotectingcorporateendpoints.Thisisdemonstratedeverydaybythefailureofsignature‐based

securitytoprotectthebusinessagainstdatalossordisruptionofservicesduetomaliciouscodeexecutingonendpoints.Signature‐basedapproaches,commoninsuitesofproductssuchasanti‐virus,anti‐spyware,intrusionprevention,dataleakageprevention,andpersonalfirewalls,cannotkeepup

withthepaceofnewattacksnorhaveanychanceofrecognizinganewvariantofahistoricallyeffectiveattack.

ITwouldbebetterservedbycontrollingtheirdesktopandserverinfrastructuretodetectandblockinappropriateactionsbeforedamagecanbedone.ThetoolsareavailabletodayforITtocontrol

endpointsbasedonwhatpeopleneedtodotheirjobs.Thesetoolsareisolatedfromuser‐modeapplicationsbyintegratingintothekernel.

Copyright2008,TheOgrenGroup.Allrightsreserved. Page7

Thetenetsofendpointcontrolbearrepeating:

• Controlwhatyouknow• Controlatthelowestlevelpossible

• Controltransparently

Investigateendpointcontroltechnologyinacontrolleddatacenterenvironment.Deploytheproductsonserversthatrequireresistancetoattacks,butcannotaffordtheperformancepenaltiesofsignaturesuites.Onceyoubecomecomfortablewiththeeffectivenessofendpointcontrol,plantoextendthe

deploymenttodesktopsandlaptops.

Youwillfindthatthesetenetsofendpointcontrolseffectivelyprotectagainstmaliciouscodeattacks,allowITresourcestoconcentrateonaligningthetechnicalinfrastructurewithdynamicbusinessrequirements,andenhanceend‐userexperiencesviaincreasedperformance.Increasedcontrolalso

meansthatsomedayyouwillneverhavetopayforsecuritysignaturesagain.

TheOgrenGroupSpecialReportispublishedforthesoleuseofOgrenGroupclients.Itmaynotbeduplicated,reproduced,ortransmittedinwholeorinpartwithouttheexpresspermissionoftheOgrenGroup,92RobertRoad,Stow,MA01775.Formoreinformation,contacttheOgrenGroup:info@ogrengroup.com.Allrightsreserved.Allopinionsandestimatehereinconstituteourjudgmentasofthisdateandaresubjecttochangewithoutnotice.

Top related

Precious Garland of Tenets
 Documents
Enterprise Endpoint Protection - Performance Benchmarkseval.symantec.com/.../downloads/Passmark_Enterprise... · Enterprise Endpoint Protection Performance Benchmarks ... Endpoint
 Documents
SUFI EDUCATIONAL TENETS - journal.walisongo.ac.id
 Documents
Tenets of faith
 Education
Operational Tenets of Patton
 Documents
Fast and Effective Endpoint Security for Business …...Kaspersky Endpoint Security McAfee Total Protection for Endpoint Microsoft System Center 2012 Endpoint Protection Symantec Endpoint
 Documents
Endpoint Security, Endpoint Management
 Documents
Delray On Display · in Delray Beach, Samuel Ogren Sr., also known as the “Father of Delray Beach Architecture”. Mr. Ogren is known for many of his designs throughout historic
 Documents
Why magic is an effective teaching strategy by Kevin Ogren ...
 Documents
KEY TENETS OF NRMP POLICY - Association of Program ...apds.org/arcs/ARCS 2009 Presentations/Key Tenets of... · KEY TENETS OF NRMP POLICY: Expectations for Match-Participating Programs
 Documents
Tomorrow’s Endpoint Protection Platforms...TOMORROW’S ENDPOINT PROTECTION PLATFORMS 3 The Technology Behind Endpoint Protection Platforms Endpoint protection platforms (EPPs) detect
 Documents
Basic Tenets Of Islam
 Spiritual
Webroot SecureAnywhere Business Endpoint …Sophos Cloud 43 McAfee Complete Endpoint Protection – Business 40 Webroot SecureAnywhere Endpoint Protection vs. Seven Endpoint Security
 Documents
The Tenets of faith
 Documents
Endpoint Protection Endpoint Protection Plusresources.pandasecurity.com/enterprise/solutions/endpoint... · Guía para el administrador Endpoint Protection Endpoint Protection Plus
 Documents
Day 2-The Major Tenets of Dispensationalism Today’s Objectives · Day 2-The Major Tenets of Dispensationalism Today’s Objectives: What are the major tenets of Dispensationalism?
 Documents
12 Tenets of Tweeting
 Business
10 Leadership Tenets
 Government & Nonprofit
Endpoint Protection Solutions – TotalDefense Endpoint r12
 Documents
Ivanti Endpoint Manager, Endpoint Security for Endpoint ...
 Documents

Copyright © 2022 FDOCUMENTS