Next Generation Endpoint Security

greenpepperwhinnySecurity

Nov 3, 2013

Jason Brown, Enterprise Solution Architect, McAfee

May 23, 2013


Agenda

- Threat landscape and current approach
- The anatomy of an attack
- Next generation endpoint security



THREAT LANDSCAPE AND CURRENT APPROACH

Recapping the Problem

- Q2 2012: more than 8 million new malware samples
- Up to 200,000 new samples received and processed daily by McAfee Labs
- More than 99.9% of malware samples received in 2012 were targeted at Windows

The Traditional Approach works, to a point

- Signatures
- Generics
- Heuristics and sandboxing

Two fundamental problems with today's approach

Detection

- One new threat each second versus one signature update per day
- Signature updates could be produced more frequently, but endpoints cannot consume them any faster
- The cloud helps, but not every file can be checked against the cloud
- Signatures don't help against APTs and zero-day attacks

Performance

- Scanning every file for every threat takes time
- As the number of threats multiplies, the cost of scanning multiplies with it

THE ANATOMY OF AN ATTACK

Four Phases of an Attack

First Contact (how the attacker first crosses paths with the target):
- Physical Access
- Unsolicited Message
- Network Access
- Malicious Website or URL

Local Execution (how the attacker gets code running):
- Social Engineering
- Configuration Error
- Exploit

Establish Presence (how the code persists on the system to survive a reboot):
- Download Malware
- Escalate Privilege
- Self-Preservation
- Persist on System

Malicious Activity (the business logic: what the attacker wants to accomplish):
- Propagation
- Bot Activities
- Identity & Financial Fraud
- Tampering
- Adware & Scareware

Four Phases of an Attack, e.g. Fake AV

The path highlighted on the slide:
- First Contact: Malicious Website or URL
- Local Execution: Exploit
- Establish Presence: Persist on System
- Malicious Activity: Adware & Scareware

A generic approach to protection

The slide maps a set of endpoint controls onto the four phases (First Contact, Local Execution, Establish Presence, Malicious Activity); the column layout was lost in extraction, so the controls are listed here by their first appearance:

- Device control
- Hard disk encryption
- Web filtering
- Host firewall
- Network access control
- Email filtering
- Memory & kernel protection
- Database monitoring
- On-access scanning
- Access protection rules
- Application whitelisting
- Auditing
- Kernel protection
- Integrity monitoring

Several controls (web filtering, host firewall, on-access scanning, access protection rules, application whitelisting) appear under more than one phase, which is the point of the slide: each phase is covered by overlapping layers rather than by a single detection technique.




Does this approach work?

Source: Aberdeen Group, March 2012

NEXT GENERATION ENDPOINT SECURITY

Context-Aware Endpoint Platform

The platform spans every layer of the stack (Chip, OS, Database, Application, Cloud), managed through Unified Security Operations: Security Information and Events, Risk and Compliance, and real-time information.

First-generation endpoint security:
- Desktop/Laptop
- Blacklist files
- Focus on devices
- Windows only
- Static device policy
- Disparate, disconnected management

Next-generation endpoint security covers Desktop, Laptop, Mobile, Server, Virtual, Embedded and Data Center.

Next Generation Anti-Malware Core: Technology Overview

- Flexible: multiple content streams | updateable components
- Reputation enabled: file, IP, site, domain | prevalence
- Resilient: advanced repair | built-in false-positive prevention logic | centralized quarantine
- Signature-less detection: shellcode and script exploits | reputation- and trust-based process restrictions | environmental heuristics | process profiling
- High performance: adaptive scanning and dynamic scan avoidance using trust logic | static and dynamic whitelisting
- Context awareness: OS | application | network | file | registry | memory | process execution

Adaptive scanning and false-positive avoidance

The scan decision runs in three steps:
1. Is a scan necessary at all?
2. Scan according to the file's state
3. Cloud check to avoid a false positive before convicting

Traditional combined with reputation

- Global Threat Intelligence: cloud lookups for file, URL, domain and IP reputation, plus metadata
- Traditional signatures
- Generics and heuristics

What do you do about the remaining items, with various levels of suspiciousness?
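The following is an added example, not McAfee code, showing one way to implement the three-step scan decision described above: a cache keyed on file state answers "is a scan necessary?", local signatures run first, and a reputation lookup is consulted both to resolve what signatures could not and to suppress a weak signature hit on a file whose hash is known good. The signature patterns, sample files and the in-memory reputation table standing in for the cloud service are all constructed for the example.

```python
"""Scan-avoidance and false-positive avoidance for an on-access scanner (added example)."""
import hashlib
from dataclasses import dataclass

# Constructed local signature set: byte patterns a traditional signature engine would match.
# The second one is deliberately weak (a legitimate API name) so a false positive can be shown.
LOCAL_SIGNATURES = [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!", b"CreateRemoteThread"]

# Constructed sample files.
KNOWN_GOOD = b"MZ\x90\x00 debugger helper: uses CreateRemoteThread legitimately"
KNOWN_BAD = b"MZ\x90\x00 dropper stub whose hash the cloud knows as malicious"
UNKNOWN = b"MZ\x90\x00 freshly compiled in-house tool nobody has seen before"

# Constructed stand-in for a cloud reputation service (sha256 -> verdict). A real agent
# would query the service over the network; this table keeps the example offline.
CLOUD_REPUTATION = {
    hashlib.sha256(KNOWN_GOOD).hexdigest(): "known_good",
    hashlib.sha256(KNOWN_BAD).hexdigest(): "known_bad",
}


@dataclass(frozen=True)
class FileState:
    """What the cache compares to decide whether a file changed since its last clean scan."""
    size: int
    mtime: int
    sha256: str


def scan_content(content: bytes, sha256: str) -> str:
    """Steps 2 and 3: local signatures first, then the cloud reputation check."""
    local_hit = any(sig in content for sig in LOCAL_SIGNATURES)
    reputation = CLOUD_REPUTATION.get(sha256)
    if local_hit and reputation == "known_good":
        return "clean"                  # false-positive avoidance: known-good hash overrides a weak signature
    if local_hit:
        return "known_bad_signature"
    if reputation == "known_bad":
        return "known_bad_reputation"
    if reputation == "known_good":
        return "clean"
    return "grey"                       # neither known good nor known bad: candidate for behavioural monitoring


class ScanCache:
    """Remembers the state of files last found clean so unchanged files are not rescanned."""

    def __init__(self) -> None:
        self._clean: dict[str, FileState] = {}
        self.content_scans = 0          # number of real content scans, to show the avoidance

    def on_access(self, path: str, content: bytes, mtime: int) -> str:
        state = FileState(len(content), mtime, hashlib.sha256(content).hexdigest())
        if self._clean.get(path) == state:
            return "skipped_unchanged"  # step 1: no scan necessary
        self.content_scans += 1
        verdict = scan_content(content, state.sha256)
        if verdict == "clean":
            self._clean[path] = state
        else:
            self._clean.pop(path, None)  # never leave a bad or grey file cached as clean
        return verdict


if __name__ == "__main__":
    cache = ScanCache()
    for path, data, mtime in [("C:\\tools\\dbg.exe", KNOWN_GOOD, 100),
                              ("C:\\tools\\dbg.exe", KNOWN_GOOD, 100),
                              ("C:\\temp\\drop.exe", KNOWN_BAD, 5),
                              ("C:\\build\\new.exe", UNKNOWN, 7)]:
        print(path, "->", cache.on_access(path, data, mtime))
    print("content scans performed:", cache.content_scans)
```

Two caveats worth noting. The cache includes the hash, not just size and modification time, because an attacker who can write the file can also set its timestamp; the price is that the file is still read on every access, so what is avoided is the signature and heuristic pass and the cloud round trip rather than the I/O. And a "grey" verdict is deliberately never cached as clean: that is exactly the set of files the behavioural monitoring on the later slides is meant to watch.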

Intelligent Trust and Selective Scanning

Monitoring level: Low / Normal / High

Define multiple scanning states, each providing a different level of monitoring (hooking different kernel activity, etc.):
- Trusted: limited set of their events monitored
- Normal: intermediate set of events monitored
- Suspicious: full set of their events monitored

Categorise a file based on what is known about it:
- Where did it come from (Internet, USB, local net, ...)?
- How did it arrive (trusted process, user, ...)?
- What else is known about it?

Processes inherit the trust of their binary image file, and are monitored according to their scanning state.

Adaptive Scanning based on behaviour

- Malware families follow certain behavioural patterns
- Observe what grey files and processes do, looking for suspicious behaviour
- Keep track of events in a local database

Monitoring level: Low / Normal / High

Change state based on behaviour, e.g. if something suspicious is seen, increase event monitoring for that process:
- Connects to a known bad IP or URL: more suspicious
- Signed by a known trusted certificate: less suspicious

Get aggressive, but in a highly targeted way.
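One way to implement the two slides above (trust-based scanning states plus behaviour-driven state changes) is sketched below. This is an added example, not McAfee code: image files are classified from their provenance, processes inherit that state, each state hooks a different set of kernel events, and the events that are hooked can move a process up or down. The event types, the per-state monitoring sets, the trusted signer, the known-bad IP and the autorun registry keys are all assumptions constructed for the example.

```python
"""Trust-based selective monitoring with behaviour-driven state changes (added example)."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Trust(IntEnum):
    TRUSTED = 0      # limited set of events monitored
    NORMAL = 1       # intermediate set
    SUSPICIOUS = 2   # full set


# Event types hooked per state (assumed). Each state is a superset of the one below it.
MONITORED = {
    Trust.TRUSTED: {"process_create", "signature_verified"},
    Trust.NORMAL: {"process_create", "signature_verified", "network_connect", "registry_write"},
    Trust.SUSPICIOUS: {"process_create", "signature_verified", "network_connect",
                       "registry_write", "file_write", "module_load", "remote_memory_write"},
}

KNOWN_BAD_IPS = {"198.51.100.7"}            # constructed (TEST-NET-2 documentation range)
TRUSTED_SIGNERS = {"Contoso Software Ltd"}   # constructed
AUTORUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")


@dataclass
class ImageFile:
    path: str
    origin: str                 # "internet" | "usb" | "localnet" | "local"
    arrived_via: str            # "trusted_process" | "user" | "unknown"
    signer: Optional[str] = None


def classify_file(f: ImageFile) -> Trust:
    """Initial scanning state from what is known about the file: source, arrival path, signer."""
    if f.signer in TRUSTED_SIGNERS:
        return Trust.TRUSTED
    if f.origin in ("internet", "usb") and f.arrived_via != "trusted_process":
        return Trust.SUSPICIOUS
    if f.origin == "local" and f.arrived_via == "trusted_process":
        return Trust.TRUSTED
    return Trust.NORMAL


@dataclass
class Process:
    pid: int
    image: ImageFile
    state: Trust
    events: list = field(default_factory=list)   # the local event database for this process

    @classmethod
    def start(cls, pid: int, image: ImageFile) -> "Process":
        return cls(pid, image, classify_file(image))   # inherits the trust of its image file


def _move(p: Process, new: Trust, reason: str) -> None:
    """Record a state transition in the local event database and apply it."""
    if new != p.state:
        p.events.append({"type": "state_change", "from": p.state.name, "to": new.name, "reason": reason})
        p.state = new


def observe(p: Process, event: dict) -> bool:
    """Feed one kernel event for p. Returns True if the event is hooked in p's current state."""
    kind = event["type"]
    if kind not in MONITORED[p.state]:
        return False            # not hooked in this state: the cheap path, nothing is recorded
    p.events.append(event)
    if kind == "network_connect" and event["dst"] in KNOWN_BAD_IPS:
        _move(p, Trust.SUSPICIOUS, "connected to known bad IP")          # jump straight to full monitoring
    elif kind == "registry_write" and any(k in event["key"] for k in AUTORUN_KEYS):
        _move(p, Trust(min(p.state + 1, Trust.SUSPICIOUS)), "wrote an autorun key")  # one step up
    elif kind == "signature_verified" and event["signer"] in TRUSTED_SIGNERS:
        _move(p, Trust(max(p.state - 1, Trust.TRUSTED)), "signed by trusted certificate")  # one step down
    return True


if __name__ == "__main__":
    p = Process.start(1, ImageFile("C:\\Users\\a\\Downloads\\invoice.exe", "internet", "user"))
    observe(p, {"type": "network_connect", "dst": "198.51.100.7"})
    print(p.image.path, p.state.name, p.events)
```

The design choice to notice is the blind spot it creates on purpose: a process started from a trusted image is not hooked for network_connect at all, so even a connection to a known bad IP from that process goes unrecorded and cannot move it out of Trusted. That is the performance trade the slides describe, and it is why de-escalation here is a single step rather than a jump to Trusted: a process that has already connected to a bad IP should not become invisible because it later presents a valid signature.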


Summary

- First-generation endpoint solutions scan with signatures once and, if no infection is found, allow any action
- Increased malware volume means this technique impacts performance
- Increased speed of propagation renders this approach ineffective against new malware, zero-day attacks and APTs
- Next-generation endpoint solutions need both a light scan, to minimise performance impact, and a heavy scan, to detect new malware
- An adaptive approach is the only way to improve detection whilst reducing performance impact

THANK YOU