The Tenets of Endpoint Control
An Ogren Group Special Report
April 2008
Copyright 2008, The Ogren Group. All rights reserved. Page 2
Enterprise IT is paying out large chunks of its security budget for signature-oriented endpoint security products knowing that those approaches cannot protect the business against lost data from malicious attacks. The question is not best-of-breed versus security suites, the question is why base the primary defense of endpoint assets on technology that is decades old and is proven time and again to be ineffective. Attackers develop targeted attacks, or modify well known attacks that have proven to be effective for years, that signature approaches have no chance of detecting, blocking, or removing.
Endpoint control is a critical new approach for IT to manage the integrity of endpoints and to protect confidential data. Traditional security measures, currently offered as security suites of commoditized components, are simply not effective in the modern attack climate. Security functions within IT organizations are often caught up in threat myopia, a condition where every threat to the technical infrastructure needs to be analyzed, understood, and blocked at the edge of the network and again at the endpoint. Security has always been a best-of-breed industry. Nobody wants to pay for a third-rate security product or pay for security products that do not work. Endpoint control, driven by application whitelisting, now offers an attractive alternative to security suites comprised of recycled security components.
Endpoint control focuses on the IT requirements to control endpoint configurations. Any unauthorized modification of the configuration is automatically blocked. This effectively thwarts attacks that need a host to execute, storage systems to hide, and network access to propagate. By controlling the endpoint, IT efficiently denies attacks access to key elements on the endpoint. The critical ability to control executables and network access is a model that scales strongly to enterprise levels and is effective at stopping most types of attacks.
The Tenets of Endpoint Control are introduced in this special report. The tenets that IT is following are:
• Control what you know. It is much easier to control configurations and acceptable use policies; it is impossible to control what an attacker might try.
• Control at the lowest possible level. Endpoint control solutions need to operate in the kernel where they cannot be easily subverted and have visibility to all network, file, and processor operations.
• Control transparently. Endpoint control solutions need to give performance back to the user, and allow them to do their jobs without interruptions from the endpoint security software.
Organizations adopting these tenets and deploying endpoint control solutions are realizing benefits in more effective defenses against attacks, greater end-user satisfaction with performance gains, and lower operating costs due to reductions in the value of attack signature streams. The heightened resistance to execution of unauthorized programs, the prime symptom of an attack that needs to execute to steal confidential data or cause damage, also reduces the amount of panic patch operations and help desk calls that IT must manage.
Why base endpoint defense on old technology that is proven ineffective?
This special report, commissioned by CoreTrace, presents the critical Tenets of Endpoint Control to IT architects with recommended actions for enterprise security officers. Information in this report derives from Ogren Group research and interviews with enterprise security officers of global organizations.
The Problems with Security Suites
The security industry is driving towards endpoint control solutions. IT is learning that it is much easier to control what they know and understand than it is to try to control unknown attacks. Traditional security vendors push signature-based security suites to market to protect subscription revenue streams and to give customers a "defense in depth" solution. However, these suites do not introduce new security capabilities; there are no synergistic benefits.
However, these collections of commoditized defenses do not effectively detect and block attacks. Exhibit 1 shows three attacks, NetSky, Bagle, and Mydoom, that all place executable images on the endpoint, and launching these executables launches the attack. The futility of signature-based approaches is shown by the fact that NetSky and Mydoom have been around since 2004, yet they are thriving as members of the top 10 of attacks in the wild as of March 2008.
Exhibit 1: Attacks can succeed without endpoint control
The problems with security suites are well understood and include:
• Attacks change faster than signature files. Attackers develop new attacks, or create variants of existing attacks faster than security vendors can create signatures and antidotes; faster than IT can distribute them to the community of endpoints. This leaves enterprises defenseless against new targeted attacks. No matter how fast the security vendor is, they can never thwart an attack before it is already in the wild.
It is easier to control what is known than try to control unknown attacks.
• The larger the list of attacks to scan, the more performance degrades. The blacklist of attacks is increasing at a steady rate. Each day the security suite of signatures will take longer to scan objects or, worse, omit aged signature checks to maintain performance on the endpoint. There is no end to the demands of signature approaches.
• Enterprises pay large sums of money for security suite subscriptions. Subscription services for receiving updates to security suite signature files are one of the larger expenses in the corporate security budget, and they are an ongoing annual expense.
IT is implementing endpoint control solutions as a more scalable approach to preventing malware from executing within the technical infrastructure. Configurations that are locked down have no allowances for unauthorized software. With endpoint control, malicious software cannot execute to steal confidential data or disrupt business processes.
Tenet #1: Control what you know
IT knows what applications each endpoint should be executing and what network accesses should be allowed to abide with corporate use policies. Rather than embarking on the hopeless task of delineating all of the negative actions that might occur, it is much easier to describe what you know and to define acceptable use policies. Endpoint control technology allows IT to define its requirements with the knowledge that actions not complying with IT control policy, such as malicious attacks, will be automatically blocked.
• Identify the acceptable technical environment. Positive whitelist approaches are fundamental to endpoint control architectures. Application whitelists allow IT to describe desired configuration and acceptable use policies for the endpoint. Any operation not aligned with this policy – even day 0 attacks that are not well understood – is automatically blocked before damage can occur. There are no false positives; if the operation has not been approved it is not allowed to complete. This is the benefit of security without signatures in preventing loss of confidential data from malicious attacks.
• Allow for differences among endpoints. Endpoint control solutions must take into account that any two endpoint devices are seldom identical in configuration. For instance, a difference in endpoint manufacturing dates may be reflected in slight variations in hardware, and resultant versions of device drivers. Endpoint control needs to reside on each endpoint, inspect the device to understand its specific configuration, and then lock down the endpoint according to the dictates of IT control.
• Audit the end-user and the endpoint. Endpoint control provides IT the ability to audit activity in order to replay actions leading up to a policy violation, proactively help users in need of assistance, and to document compliance with government and industry regulations. The audit features of endpoint control allow IT to keep the system in tune, and to correct issues before they become problems.
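The three bullets above describe what an allowlist enforcer has to do: lock in the approved executables as they exist on each device, deny anything else (including an approved path whose image has been modified), and keep an audit trail that can be replayed up to a violation. The following Python is an added illustration written for this page, not CoreTrace's product code. The executables, paths, endpoint names and user names are constructed sample data, and real enforcement happens in the kernel rather than in a user-mode script like this one.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample "executables": stand-ins for real binaries on disk.
# The NIC driver build differs between the two endpoints (different manufacturing
# date -> different driver version), which a per-device baseline must tolerate.
ENDPOINT_FILES = {
    "wkstn-01": {
        "C:/Program Files/Office/word.exe": b"WORD-12.0-build-6211",
        "C:/Windows/System32/drivers/nic.sys": b"NIC-DRIVER-v3.1",
    },
    "wkstn-02": {
        "C:/Program Files/Office/word.exe": b"WORD-12.0-build-6211",
        "C:/Windows/System32/drivers/nic.sys": b"NIC-DRIVER-v3.4",
    },
}

# What IT knows should be executing: approved paths. The hash of each approved
# image is taken from the device itself, so driver variations do not cause denials.
APPROVED_PATHS: Set[str] = {
    "C:/Program Files/Office/word.exe",
    "C:/Windows/System32/drivers/nic.sys",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes], approved: Set[str]) -> Dict[str, str]:
    """Inspect this endpoint and lock in the hash of every approved executable as it exists here."""
    return {path: sha256_hex(files[path]) for path in approved if path in files}


@dataclass
class AllowlistEnforcer:
    endpoint: str
    baseline: Dict[str, str]            # path -> expected sha256
    audit: List[dict] = field(default_factory=list)

    def check_execute(self, user: str, path: str, image: bytes) -> bool:
        """Allow only images whose path and hash match the locked baseline; deny everything else."""
        digest = sha256_hex(image)
        expected = self.baseline.get(path)
        if expected is None:
            verdict, reason = "deny", "not on allowlist"
        elif expected != digest:
            verdict, reason = "deny", "image differs from baseline"
        else:
            verdict, reason = "allow", "matches baseline"
        # Every decision is recorded, allowed or not, so the trail can be replayed later.
        self.audit.append({"seq": len(self.audit) + 1, "endpoint": self.endpoint,
                           "user": user, "path": path, "sha256": digest[:16],
                           "verdict": verdict, "reason": reason})
        return verdict == "allow"

    def replay_before_last_violation(self) -> List[dict]:
        """Return the audit records leading up to (and including) the most recent denial."""
        for i in range(len(self.audit) - 1, -1, -1):
            if self.audit[i]["verdict"] == "deny":
                return self.audit[: i + 1]
        return []


def demo() -> Dict[str, dict]:
    """Run the same four execution attempts against each endpoint's own baseline."""
    results = {}
    for name, files in ENDPOINT_FILES.items():
        enf = AllowlistEnforcer(name, build_baseline(files, APPROVED_PATHS))
        word = "C:/Program Files/Office/word.exe"
        nic = "C:/Windows/System32/drivers/nic.sys"
        results[name] = {
            "word": enf.check_execute("alice", word, files[word]),
            "nic": enf.check_execute("SYSTEM", nic, files[nic]),
            # a dropped executable IT never approved (constructed)
            "dropper": enf.check_execute("alice", "C:/Users/alice/AppData/Temp/update.exe", b"UNKNOWN-IMAGE"),
            # the approved path, but a modified image
            "tampered_word": enf.check_execute("alice", word, b"WORD-12.0-build-6211-PATCHED"),
            "replay_len": len(enf.replay_before_last_violation()),
        }
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the baseline is built from each device, wkstn-02's newer driver is allowed on wkstn-02 without being on wkstn-01's list, while the unapproved dropper and the patched word.exe are denied on both; the replay returns all four records up to the last denial.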
Tenet #2: Control at the lowest level possible
Endpoint control solutions must operate at the lowest possible level. Positioning endpoint control solutions in the kernel of the operating system provides operating benefits that cannot be achieved when operating in user-mode. The architectural positioning, as shown in Exhibit 2, of endpoint control in the kernel allows the security software to block execution of unauthorized programs or use of the network that violates security policies. This is a critical implementation decision.
Exhibit 2: Endpoint control executes at the lowest possible level
Only security software that functions in the kernel can reliably deliver the controls that IT requires.
• Inspect all operations. Only endpoint control software operating in the kernel can inspect and correlate storage, network, and processor functions. Kernel-mode security software is granted visibility of the entire endpoint, allowing the solution to inspect all operations to make optimal decisions on behalf of IT.
• Isolate security from applications. IT can only control the endpoint if the security software executes without interference of applications. This can only be achieved in the kernel, where any operation to subvert IT controls from user-mode applications can be detected and blocked. Attack software executing in user mode cannot subvert the lower level endpoint control solutions that are executing in the kernel.
• Block inappropriate activity from reaching applications. The only way to prevent inappropriate executables from operating, or prevent I/O requests from violating corporate policy, is to intercede between the application and the operating system. Endpoint control software can block nefarious activity in the kernel – before that activity can affect the endpoint or work its way into the kernel.
Tenet #3: Control transparently
The acceptance of end-users is critical to the success of an endpoint control program, whether that endpoint is a desktop or a server. Controls that intrude upon the user experience will be rejected. Security must be transparent to the end-users, and not create administrative burdens to operations staff.
• Preserve the user experience. Endpoint control solutions are required to make allow/deny decisions without interrupting the users of the endpoint. The users must not even know that IT is controlling their endpoint configurations. Prompts, questions, and notifications should be kept to a minimum.
• Insist on no performance degradation. Endpoint control, because it operates on the much shorter whitelist than attack signature approaches, returns processing power and memory to business applications. End-users are apt to disengage security suites to gain time. Endpoint control technology needs to operate at better than 10 times the performance levels of signature approaches. That gives IT greater effectiveness at stopping attacks while freeing more performance for business applications.
• Keep administrative actions confidential. The security of communications between administrative consoles and endpoints is an important ingredient in allowing IT to control transparently. Mutual authentication, encrypted communications, and secure delivery of audit information allow IT to control corporate endpoints without requiring end-user participation in the management of the device.
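As an added illustration (not part of the report and not CoreTrace code) of the mutual authentication and secure audit delivery this bullet calls for, the following Python has a console and an endpoint exchange a policy update and an audit batch inside an HMAC-SHA256 authenticated envelope, with a nonce cache so a captured message cannot be replayed. The shared key, endpoint name and message bodies are constructed assumptions; confidentiality of the channel is assumed to come from the transport (for example TLS) and is not shown here.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Constructed per-endpoint key provisioned out of band at enrollment (assumption).
# A production deployment would use per-device certificates and mutual TLS, which
# also provide the encryption that this example leaves to the transport.
ENDPOINT_KEY = bytes.fromhex("0f" * 32)


def canonical(msg: dict) -> bytes:
    """Stable serialization so sender and receiver compute the tag over identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, sender: str, body: dict, nonce: Optional[str] = None) -> dict:
    """Wrap a message with an HMAC-SHA256 tag so the receiver can authenticate the sender."""
    msg = {"sender": sender, "nonce": nonce or secrets.token_hex(8), "body": body}
    return {"msg": msg, "tag": hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()}


class Peer:
    """Either side of the console<->endpoint channel; remembers nonces to reject replays."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key
        self.seen_nonces = set()

    def unseal(self, envelope: dict, expected_sender: str) -> Optional[dict]:
        """Return the body if the tag, claimed sender and nonce all check out, else None."""
        msg = envelope.get("msg", {})
        expected = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope.get("tag", "")):
            return None  # forged, or modified in transit
        if msg.get("sender") != expected_sender:
            return None  # authenticated, but not the party we expected
        if msg["nonce"] in self.seen_nonces:
            return None  # replay of an earlier message
        self.seen_nonces.add(msg["nonce"])
        return msg["body"]


def run_exchange() -> Dict[str, bool]:
    """Console pushes a policy update, endpoint returns a signed audit batch; then three attacks fail."""
    console = Peer("console", ENDPOINT_KEY)
    endpoint = Peer("wkstn-01", ENDPOINT_KEY)
    results = {}

    # 1. Console -> endpoint: policy update. The endpoint authenticates the console first.
    update = seal(ENDPOINT_KEY, "console",
                  {"op": "allowlist_add", "path": "C:/Program Files/Office/excel.exe"})
    results["endpoint_accepts_console"] = endpoint.unseal(update, "console") is not None

    # 2. Endpoint -> console: acknowledgement plus audit records (constructed), tagged the same way.
    audit = seal(ENDPOINT_KEY, "wkstn-01",
                 {"ack": update["msg"]["nonce"],
                  "denied": ["C:/Users/alice/AppData/Temp/update.exe"]})
    results["console_accepts_endpoint"] = console.unseal(audit, "wkstn-01") is not None

    # 3. A copy of the update with the path changed fails the tag check.
    forged = json.loads(json.dumps(update))
    forged["msg"]["body"]["path"] = "C:/Users/alice/AppData/Temp/update.exe"
    results["tampered_rejected"] = endpoint.unseal(forged, "console") is None

    # 4. Replaying the genuine update is rejected by the nonce cache.
    results["replay_rejected"] = endpoint.unseal(update, "console") is None

    # 5. A message sealed with a key the endpoint does not share is rejected.
    impostor = seal(b"\x00" * 32, "console", {"op": "allowlist_add", "path": "x"})
    results["wrong_key_rejected"] = endpoint.unseal(impostor, "console") is None
    return results


if __name__ == "__main__":
    for check, ok in run_exchange().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

A symmetric key shared by the console and one endpoint only lets that endpoint forge console messages to itself, which is why the key is per device; moving to certificates removes even that and lets the console verify which endpoint an audit batch came from without a shared secret.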
Conclusions
Traditional suites of software packaged by security vendors fall far short of the requirements for protecting corporate endpoints. This is demonstrated every day by the failure of signature-based security to protect the business against data loss or disruption of services due to malicious code executing on endpoints. Signature-based approaches, common in suites of products such as anti-virus, anti-spyware, intrusion prevention, data leakage prevention, and personal firewalls, cannot keep up with the pace of new attacks nor have any chance of recognizing a new variant of a historically effective attack.
IT would be better served by controlling their desktop and server infrastructure to detect and block inappropriate actions before damage can be done. The tools are available today for IT to control endpoints based on what people need to do their jobs. These tools are isolated from user-mode applications by integrating into the kernel.
The tenets of endpoint control bear repeating:
• Control what you know
• Control at the lowest level possible
• Control transparently
Investigate endpoint control technology in a controlled data center environment. Deploy the products on servers that require resistance to attacks, but cannot afford the performance penalties of signature suites. Once you become comfortable with the effectiveness of endpoint control, plan to extend the deployment to desktops and laptops.
You will find that these tenets of endpoint control effectively protect against malicious code attacks, allow IT resources to concentrate on aligning the technical infrastructure with dynamic business requirements, and enhance end-user experiences via increased performance. Increased control also means that some day you will never have to pay for security signatures again.
The Ogren Group Special Report is published for the sole use of Ogren Group clients. It may not be duplicated, reproduced, or transmitted in whole or in part without the express permission of the Ogren Group, 92 Robert Road, Stow, MA 01775. For more information, contact the Ogren Group: info@ogrengroup.com. All rights reserved. All opinions and estimates herein constitute our judgment as of this date and are subject to change without notice.