Delivering Security with the MAX RemoteManagement Platform - Paul Fenwick

Delivering Security with GFI MAX Paul Fenwick, Sales Engineer GFI MAX


Security is every customer's top concern and can be a real worry for MSPs - unless they use the MAX RemoteManagement Platform, of course. Here we'll look at how to provide a comprehensive and robust security solution for your customers, covering all aspects of security from Web Protection and Antivirus to Server and Workstation Monitoring and, of course, Patch Management. Soon you'll stop worrying about security on each and every device you manage - and start to relax while MAX takes care of the work for you. For this we'll look at: Web Protection, Managed Antivirus, Hacker Checks, Patching, Deployments.

Transcript of Delivering Security with the MAX RemoteManagement Platform - Paul Fenwick

Page 1: Delivering Security with the MAX RemoteManagement Platform -  Paul Fenwick

Delivering Security with GFI MAX

Paul Fenwick, Sales Engineer

GFI MAX

Page 2

Intro

» Security is essential. Period.

» Lock down access at every level.

» Multi-layer approach offers the best protection.

Page 3

An example from 2012

» Cutting Sword of Justice launches cyber attack on Saudi Aramco, 15th August 2012
» Estimated 30,000 workstations infected, three-quarters of Aramco's corporate PCs
» Virus erased data: documents, spreadsheets, emails, files
» Replaced all with an image of a burning American flag
» Estimated $630 million USD loss

» "We are not Saudi Aramco, we are not important enough to attract an attack"
» True... if you have no employees, no customers, no trade secrets and no money!
» Everyone else is a target

» Hacking has been around for years!
» The IT industry did not collapse!

» Acts of vandalism have evolved
» Steal, demolish or monetize data...

Page 4

Some examples from 2014

» Montana State Health Department
» May 2014, details of a data breach that affects over 1 million patients announced
» Breach actually happened in July 2013, but not discovered for almost a year
» Identity of intruders and extent of breach still unclear

» CodeSpaces.com
» June 2014, codespaces.com closes its doors
» Started as a Distributed Denial of Service attack
» Ended with an attempt to extort money from the company

» P.F. Chang's (restaurant chain)
» Data breach compromised customer payment information
» June 2014, thousands of newly stolen credit and debit cards offered for sale online

» Target's Q4 '13 earnings fell 46% due to a $450m USD loss from theft of customer data
» In May 2014, hackers announce theft of 233 million users' personal records from eBay
» Domino's Pizza held to ransom over 600,000 Belgian and French customer records
» Evernote was taken down with a DDoS attack

Page 5

The Bad News

» Estimated cost of cyber crime and cyber espionage
» $100 billion USD per year in the US alone
» $425 billion USD per year worldwide

» Advanced Persistent Threats (APT):
» Coordinated cyber activities of criminals and state-level entities
» Objective of stealing information, compromising information systems*
» Criminal organisations monetise all aspects of illicit access
» Foreign Intelligence Services gather Intellectual Property
» APT tries to stay embedded for as long as possible
» APT generally only resorts to destruction upon detection

* regular users are sometimes the most adept at this!

Page 6

The Good News

» "Managed Security Services Market" by Transparency Market Research
» $9 billion USD in 2012, could be worth $24 billion USD by 2019
» Predicted market will expand at a CAGR of 15.4% between 2013 and 2019

» Gartner
» Security spending gets a boost from mobile, social and cloud
» Worldwide spending on information security will top $71 billion USD this year
• Almost 8% increase over 2013
» Data loss prevention segment recording the fastest growth at 18.9 percent
» In 2015, 10% of overall IT security capabilities will be delivered as a cloud service
» SMBs will become even more reliant on hosted security services

Unfortunately, many organizations continue to lack staff with the appropriate security skills. To keep up with hackers, more than half of organizations will by 2018 rely on security services firms that specialize in data protection, risk and infrastructure management.

Page 7

The Really Good News

At least 85% of the targeted cyber intrusions that the Defence Signals Directorate (DSD, now the Australian Signals Directorate) responds to could be prevented by following the Top 4 mitigation strategies listed in its Strategies to Mitigate Targeted Cyber Intrusions:

» Use application whitelisting to help prevent malicious software and other unapproved programs from running

» Patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers

» Patch operating system vulnerabilities

» Minimise the number of users with administrative privileges

Page 8

Lock down access at every level

» Control access to the device

» Patch Operating System and Program Vulnerabilities

» Protect against Virus and Malware

» Stay safe online

Page 9

Device Security

Page 10

Device Security

» Check access to machine

» Lock machines when not in use

» Password security
• Strong passwords to secure access
• No post-it notes with passwords written down

» Can you account for all user accounts on the machine or domain?

» Review failed login attempts to check for malicious access to machines

» User rights on the PC: do they have Admin rights to the Operating System?

Page 11

Operating System & Program Security

Page 12

Operating System & Program Security

Close loopholes and resolve potential vulnerabilities through regular and effective installation of software patches and updates…

» Microsoft released 106 important or critical security bulletins in 2013
» 2,445 total bulletins of low importance and above for Windows, Office etc.

» Adobe Acrobat updated from v10.1.90 in January 2013 to v11.0.06 in January 2014
» 7 version updates in 12 months in just one program

» Java updated from v7 Update 11 to v7 Update 51 in the same timeframe

Page 13

Virus & Malware Protection

Page 14

Virus & Malware Protection

» Don’t let those cute little guys fool you! Know your enemy!

» Trojan
» Generally non-replicating
» Often enters the system through freeware (scareware)
» Then acts as a backdoor to gain access to personal data
» May also corrupt or encrypt data, e.g. CryptoLocker

» Virus
» Needs a carrier (e.g. a macro)
» Infects the system and then replicates
» Can disable the device / connected network devices
» Consumes system and network resources for potential spamming / replication
» Can also log keystrokes, identifying passwords and sensitive user information

» Worm
» Unlike a virus, does not need a program to carry the infection
» Standalone program that self-replicates to spread across networks
» Again, consumes system and network resources
» Carries out DoS attacks, e.g. MyDoom

Page 15

Virus & Malware Protection

New malware of the last 24 months

The AV-TEST Institute registers over 220,000 new malicious programs every day.

Page 16

Virus & Malware Protection

» Microsoft Security Essentials (now Windows Defender) integrated into OS to offer some protection

» End-point products that include a firewall can be problematic, blocking too many programs, restricting outbound access, etc.

» Combined Internet Security suite products can be bloated

Page 17

Internet Access Protection

Page 18

Internet Access Protection

» Internet Society online survey in 2012 (10,789 respondents)
» Access to the Internet should be considered a basic human right
• 83% somewhat or strongly agree
• 14% somewhat or strongly disagree
• 3% don't know

» The Internet should be governed in some form to protect the community from harm
• 82% somewhat or strongly agree
• 15% somewhat or strongly disagree
• 3% don't know

» When you are logged in to a service or application, do you use privacy protections?
• 27% all the time
• 36% most of the time
• 29% sometimes
• 9% never

» Network perimeter / gateway / firewall devices only work for the LAN
» What about remote workers?

Page 19

Multiple Layers = Multiple Problems??

Page 20

Multi-layers? No problem!

Page 21

GFI MAX

Single pane of glass

Asset Tracking

Pro-active monitoring (Failed login check)

Patch Management

Managed Antivirus

Web Protection

& More

Page 22

Asset Tracking

Page 23

Asset Tracking

» FREE of charge

» View Software details per device

» Run Modification Report to check on installed software since initial build

» Create Software License groups to blacklist known bad programs

Page 24

Pro-active Monitoring

Page 25

New and much improved “Failed Login Check”

» #1 customer request on ideas.gfi.com

» More informative: Event IDs, failure reason, IP address, username

» Respond quickly and decisively to security concerns
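How a failed-login check of this kind can be built, as an added example that is not GFI MAX code: parse Windows Security event 4625 records into the fields the slide names (Event ID, failure reason, source IP address, username), then turn the raw failures into findings a technician can act on. The sample events are constructed; the ten-minute window and the thresholds are assumptions to tune per client.

```python
"""Failed-logon triage over Windows Security event 4625 records.

Added example, not GFI MAX code. SAMPLE_EVENTS are constructed records in
the Windows Event XML shape; thresholds and the window are assumptions.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS sub-status codes that 4625 records as the failure reason.
SUBSTATUS = {
    0xC000006A: "bad password",
    0xC0000064: "user does not exist",
    0xC0000234: "account locked out",
    0xC0000072: "account disabled",
    0xC000006F: "outside permitted logon hours",
    0xC0000070: "workstation restriction",
    0xC0000193: "account expired",
    0xC0000071: "password expired",
}


def parse_4625(xml_text):
    """Extract the fields the check reports: time, user, source IP, reason."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    stamp = root.find("e:System/e:TimeCreated", namespaces=NS).get("SystemTime")
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", namespaces=NS)}
    sub = int(data.get("SubStatus", "0x0"), 16)
    return {
        # SystemTime carries fractional seconds; drop them before parsing
        "time": datetime.strptime(stamp.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S"),
        "user": data.get("TargetUserName", ""),
        "ip": data.get("IpAddress", "-"),
        "logon_type": data.get("LogonType", ""),
        "reason": SUBSTATUS.get(sub, "unknown (0x%08X)" % sub),
    }


def triage(events, window=timedelta(minutes=10), brute_threshold=5, spray_threshold=3):
    """Turn raw failures into findings.

    lockout         any 0xC0000234, reported per event
    brute-force     >= brute_threshold failures from one IP inside `window`
    password-spray  one IP failing against >= spray_threshold distinct users inside `window`
    """
    by_ip = defaultdict(list)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["reason"] == "account locked out":
            findings.append(("lockout", ev["ip"], ev["user"]))
        by_ip[ev["ip"]].append(ev)
    for ip, evs in by_ip.items():
        flagged, start = set(), 0
        for end in range(len(evs)):
            # slide the window so evs[start:end+1] spans at most `window`
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(span) >= brute_threshold and "brute-force" not in flagged:
                flagged.add("brute-force")
                findings.append(("brute-force", ip, len(span)))
            if len(users) >= spray_threshold and "password-spray" not in flagged:
                flagged.add("password-spray")
                findings.append(("password-spray", ip, sorted(users)))
    return findings


def _event(ts, user, ip, substatus, logon_type="3"):
    # Constructed sample record (not a real capture) in the 4625 XML layout.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><EventID>4625</EventID><TimeCreated SystemTime="{ts}"/></System>'
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="IpAddress">{ip}</Data><Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="SubStatus">{substatus}</Data></EventData></Event>'
    )


SAMPLE_EVENTS = [
    # one typo from a LAN user: noise, not a finding
    _event("2014-06-12T08:15:01.1234567Z", "jsmith", "10.0.0.21", "0xc000006a"),
    # six bad passwords for one account from an external IP within a minute
    *[_event(f"2014-06-12T02:00:{10 * i:02d}.0Z", "administrator", "203.0.113.5", "0xc000006a")
      for i in range(6)],
    # the resulting lockout
    _event("2014-06-12T02:01:00.0Z", "administrator", "203.0.113.5", "0xc0000234"),
    # one IP walking through several account names: spraying
    _event("2014-06-12T03:10:00.0Z", "finance", "198.51.100.7", "0xc000006a"),
    _event("2014-06-12T03:10:20.0Z", "hr", "198.51.100.7", "0xc000006a"),
    _event("2014-06-12T03:10:40.0Z", "backup", "198.51.100.7", "0xc0000064"),
]

if __name__ == "__main__":
    parsed = [e for e in map(parse_4625, SAMPLE_EVENTS) if e]
    for kind, ip, detail in triage(parsed):
        print(f"{kind:15} {ip:15} {detail}")
```

Event 4625 stores the reason as an NTSTATUS sub-status, so "user does not exist" (0xC0000064) appearing next to "bad password" (0xC000006A) from the same source is itself a signal: a legitimate user rarely mistypes several different account names. IpAddress is "-" for console logons, so those group separately from network attempts.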

Page 26

Active Directory Users Report

Page 27

Patch Management

Page 28

Vulnerability Scanning and Patch Management

» What exactly is it?
» Uses the GFI LANGuard 2012 Agent
» Vulnerability Check runs daily as part of the DSC (Daily Safety Check)
» Lists missing patches and discovered vulnerabilities

» Check can run in Alert mode or Report mode
» Included in Client Daily and Weekly Reports

» Set and forget?
» Auto-approve patches (by severity)
» Schedule installation of approved patches daily, weekly or ad hoc

» Or, manually approve and install patches from the Dashboard (now or later)

» Patch Overview Report shows missing/installed patches at client(s)

» Client Monthly Report lists patches installed that month

Page 29

Schedule regular installation of approved patches

Page 30

Schedule ad-hoc installation of approved patches

Page 31

Supports All Microsoft Updates

» Security Updates
• Critical
• Important
• Moderate
• Low

» Update roll-ups
» Service Packs
» Critical Updates
» Updates
» Tools
» Drivers

Page 32

Vendor Support

» Apple:
• QuickTime
• iTunes
• Safari

» Adobe:
• Reader
• Acrobat
• Flash
• Shockwave
• Air

» Mozilla:
• Firefox
• Thunderbird
• SeaMonkey

» Instant Messaging Clients:
• Skype
• Yahoo

» Browsers:
• Google Chrome
• Opera

» Zip tools:
• 7-Zip
• WinRAR

» Oracle Java

» And more…

Page 33

Update Release Cycle

» We aim to support Microsoft updates within hours of Patch Tuesday

» Out of band patches (Microsoft and non-Microsoft) within one working day

» LANGuard checks for updates between 1am and 5am GMT and at the DSC (Daily Safety Check)

» Incremental differences for non-Microsoft update databases

» Download Microsoft update database direct from microsoft.com

» Patches are downloaded directly from vendors’ web-sites

» Patches are downloaded when they need to be installed

» Use Site Concentrator to cache patches once per site

» Switch off Windows Updates?

Page 34

Patch Approval Lifecycle

» ALL patches must be approved before they can be scheduled for installation
» Approval can be manual or automatic based on severity

» We only report updates as missing if they are required
» We report all updates as installed, even if we didn't install them

» If there is no install date/time listed, it was not installed by us

Page 35

Identifying Patches

1. Microsoft release a Security Bulletin…

2. Knowledge Base articles describe which update is required for each OS…

Page 36

Identifying Patches

3. Search Approval Dialog for Knowledge Base article to approve patch…

4. View Patch Overview report (Group by patch) to see its status on devices

Page 37

More information

» Supported Microsoft Products

http://www.gfi.com/lannetscan/msappfullreport.htm

» Supported Microsoft Patches

http://www.gfi.com/lannetscan/msfullreport.htm

» Supported non-Microsoft Products

http://kb.gfi.com/articles/SkyNet_Article/KBID003469

» Supported non-Microsoft Patches

http://www.gfi.com/lannetscan/3pfullreport.htm

Page 38

Managed AntiVirus

Page 39

Managed AntiVirus

Page 40

Managed Antivirus

» Deployed from the Dashboard
» Installs automatically if no other Antivirus software is present
» Can remove other Antivirus software with no user interaction

» Policy-based configuration with operating-system-specific file exclusions
» Automatic definition update if detected as out-of-date
» Use the Protection Report to ensure all end-points are protected

Page 41

Manage Quarantine

» Reports menu, Managed Antivirus, Quarantine Report

Page 42

Stay in-control during virus outbreak

» Reports menu, Managed Antivirus, Threat Report

Page 43

Web Protection

Page 44

Web Protection

» Web Security
» Stop users from visiting malicious sites
» Both network and remote workers

» Web Filtering
» Web-site categorization based on BrightCloud (Webroot)
» Implement browsing policies for the workplace, set allowed schedules etc.
» Whitelist / blacklist specific URLs

» Web Bandwidth Monitoring
» Alerts when downloads exceed a threshold (you define)

» Reporting
» Overview report
• Monitor trends
• Spot exceptions
» Report Builder
• Drill down and understand the cause

Page 45

Web Security

» Restrict access to known sites that can harm your customers

Page 46

Web Filtering

» All websites are categorized. If in multiple categories, the most restrictive wins
» Use schedules to allow access to social media etc. out of office hours
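The two rules on this slide, as an added example that is not GFI MAX or BrightCloud code: a small policy evaluator in which any blocking category blocks the request (most restrictive wins), a social-media schedule blocks only during office hours, and explicit whitelist/blacklist URL entries override categorisation. CATEGORY_DB is a constructed stand-in for the BrightCloud feed; the hosts, the policy structure and the decision to check the blacklist before the whitelist are assumptions.

```python
"""Web-filtering policy evaluation: site categories, 'most restrictive wins',
whitelist/blacklist entries and out-of-hours schedules.

Added example, not GFI MAX or BrightCloud code. CATEGORY_DB is a constructed
stand-in for a categorisation feed and POLICY's shape is an assumption.
"""
from datetime import datetime, time
from urllib.parse import urlsplit

# Constructed categorisation data: host -> categories it belongs to.
CATEGORY_DB = {
    "facebook.com": {"social-media"},
    "news.example": {"news"},
    "cdn.badsite.example": {"malware", "file-sharing"},
    "mixed.example": {"news", "gambling"},
}

OFFICE_HOURS = ({0, 1, 2, 3, 4}, time(8, 30), time(17, 30))  # Mon-Fri, 08:30-17:30

POLICY = {
    "default": "allow",            # verdict for uncategorised sites
    "categories": {
        "malware": "block",
        "gambling": "block",
        "file-sharing": "block",
        "news": "allow",
        # schedule: blocked in office hours, allowed outside them
        "social-media": {"block_during": [OFFICE_HOURS]},
    },
    # explicit entries override categorisation; "host/path" limits to a path prefix
    "whitelist": ["intranet.example", "facebook.com/companypage"],
    "blacklist": ["news.example/comments"],
}


def categorize(host):
    """Longest-suffix lookup so sub.domain.tld inherits domain.tld's categories."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):           # never match the bare TLD
        cats = CATEGORY_DB.get(".".join(labels[i:]))
        if cats:
            return set(cats)
    return {"uncategorised"}


def _matches(entry, host, path):
    e_host, _, e_path = entry.partition("/")
    if host != e_host and not host.endswith("." + e_host):
        return False
    return path.startswith("/" + e_path) if e_path else True


def _blocked_now(rule, now):
    if rule == "block":
        return True
    if rule == "allow":
        return False
    return any(now.weekday() in days and start <= now.time() < end
               for days, start, end in rule["block_during"])


def decide(url, now, policy=POLICY):
    """Return (verdict, reason). The blacklist is checked before the whitelist
    so an explicitly blocked path inside a whitelisted host stays blocked."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    for entry in policy["blacklist"]:
        if _matches(entry, host, path):
            return "block", "blacklist:" + entry
    for entry in policy["whitelist"]:
        if _matches(entry, host, path):
            return "allow", "whitelist:" + entry
    cats = categorize(host)
    rules = {c: policy["categories"].get(c, policy["default"]) for c in cats}
    # most restrictive wins: one blocking category is enough to block
    blocking = sorted(c for c, r in rules.items() if _blocked_now(r, now))
    if blocking:
        return "block", "category:" + ",".join(blocking)
    return "allow", "category:" + ",".join(sorted(cats))


if __name__ == "__main__":
    for when in (datetime(2014, 6, 10, 10, 0), datetime(2014, 6, 10, 19, 0)):
        print(when, decide("http://www.facebook.com/feed", when))
```

A site in both "news" and "gambling" is blocked even though news is allowed, which is what "most restrictive wins" means in practice; the whitelist entry for a specific path lets the company's own social-media page through during office hours while the rest of the site stays on the schedule.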

Page 47

Bandwidth Monitoring

» Receive an alert when downloads exceed threshold

Page 48

Overview Report

» Weekly overview of Web Security, Filtering, and Bandwidth at the client
» Ratio of allowed to blocked requests
» Top blocked categories
» Top visited sites
» Noisiest devices

» Monitor trends and spot exceptions

Page 49

Report Builder

» If the overview report shows an increase in blocked requests to a category or site
• Show me requests to a specific category or site from all devices at the client

» If irregular activity is suspected
• Show me all requests from a specific device

Page 50

Internet Usage Policy

If a customer adopts an internet usage policy, they need to ensure their employees have been made aware of it.

http://www.gfi.com/pages/sample-internet-usage-policy

Citizens Advice - Your employer can legally monitor your use of the phone, internet, e-mail or fax in the workplace if:

• the monitoring relates to the business
• the equipment being monitored is provided partly or wholly for work
• your employer has made all reasonable efforts to inform you that your communications will be monitored.

As long as your employer sticks to these rules, they don't need to get your consent before they monitor your electronic communications.

Page 51

Additional Protection

Page 52

Managed Online Backup

Managed Online Backup allows you to easily back up customers' data

• Disk to Disk (via LocalSpeedVault) to Cloud (D2D2C)
• True Delta technology ensures only changed file blocks are backed up
• All data encrypted with 128-bit AES encryption before sending

With CryptoLocker, it is likely that the only way to recover data is from a backup

Page 53

Mobile Device Management

Protect against business-critical data being compromised via loss or theft of a company- or employee-owned mobile device

• Set Passcode
• Locate device
• Lock device
• Remote Wipe

Page 54

Email Security

Mail Protection offers the ability not just to filter out spam but also to ensure that viruses and other email threats do not impact your client.

» Employs a unique combination of antivirus technologies
• Traditional signature-based anti-virus engine
• Zero-hour virus detection
• Virtualization-based malware detection

» Reduces the risk of attack on the customer network by setting trusted connections for incoming and outgoing mail

» Continuity: no missed messages, as mail is queued even if the specified server cannot be contacted

Additionally, you can also use Mail Archive to securely store a copy of every email for quick retrieval and in case of disaster

Page 55

Dashboard considerations

» Ensure all dashboard users have a specific logon
» Do not use the Primary Access Key to access the Dashboard

» Restrict access via IP address

» Two Factor Authentication
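The two dashboard controls on this slide, IP restriction and two-factor authentication, as an added example that is not GFI MAX code (the page does not describe how the dashboard implements them): an allowlist check built on the standard library's ipaddress module and an RFC 6238 TOTP verifier that tolerates one step of clock drift and refuses a code once it has been accepted. The DashboardGate class, its CIDR ranges and the user names are assumptions; the secret used in the test is the RFC 6238 reference seed.

```python
"""Two dashboard access controls as code: restrict logins to an IP allowlist
and require an RFC 6238 TOTP second factor with a replay guard.

Added example, not GFI MAX code; how the real dashboard implements these is
not described on the page. Standard library only.
"""
import base64
import hashlib
import hmac
import ipaddress
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32."""
    return base64.b32decode(text.strip().upper())


class DashboardGate:
    """Admit a dashboard login only from an allowed network and with a fresh TOTP."""

    def __init__(self, allowed_cidrs, secrets, skew_steps=1):
        self.nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
        self.secrets = secrets            # username -> raw TOTP secret
        self.skew = skew_steps            # accept +/- this many steps of clock drift
        self.last_counter = {}            # username -> newest counter already accepted

    def ip_allowed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.nets)

    def check(self, user: str, ip: str, code: str, unix_time: int, step: int = 30):
        if not self.ip_allowed(ip):
            return False, "ip not in allowlist"
        secret = self.secrets.get(user)
        if secret is None:
            return False, "unknown user"
        counter = unix_time // step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if hmac.compare_digest(hotp(secret, c), code):
                # replay guard: each counter value is usable once, and nothing
                # older than the newest accepted counter is accepted again
                if c <= self.last_counter.get(user, -1):
                    return False, "code already used"
                self.last_counter[user] = c
                return True, "ok"
        return False, "bad code"
```

A TOTP code stays valid for its 30-second step plus the skew window, so without the last_counter record a code captured by phishing or shoulder-surfing could be replayed inside that window; the guard closes it. The IP allowlist is only as good as the list behind it, so it complements the per-user logons and 2FA the slide asks for rather than replacing them.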

Page 56

Questions?

Page 57

You are the last line of defence

Page 58

Conferences.gfimax.com/app

Thank You