3. Enforcers


Securing a Free and Open University Environment
Brian Foster, Symantec Corporation
April 12, 2017
People Are The Perimeter
• Employees: Email, Spreadsheets, IP
• Customers: Credit, Deposits, Health, Safety
• Partners: Deals, Delivery, Service
• Investors: Trust, brand, market cap
The typical financial services enterprise aggregates customer “trust” from thousands of partnerships – 50 to 200 new each year. Cybercriminals depend on this.
Copyright © Symantec Corporation 2008
Changes in the Threat Landscape
From Hackers… To Thieves
• Fame motivated → Financially motivated
• Noisy and highly visible → Silent
• Indiscriminate → Highly targeted
• Few named variants → Overwhelming variants
It is about the Data!
• Mar. 29, 2008 – Department of Human Resources (Atlanta, GA) – records involved: Unknown
A thief has stolen computer records containing identifying information on current and former employees of the state Department of Human Resources, including names, Social Security numbers, birth dates and home contact information. An external hard drive that stored a database was removed by an unauthorized person.
• Mar. 29, 2008 – San Quentin State Prison (San Quentin, CA) – records involved: 3,500
A flash memory drive containing names, birth dates and driver's license numbers of people who either volunteered or visited San Quentin State Prison in a group tour has been lost.
• Mar. 31, 2008 – Advance Auto Parts (Roanoke, VA) – records involved: 56,000
The retailer reported that a "network intrusion" had exposed financial information and was the subject of a criminal investigation. Fourteen of the retailer's stores, including locations in Georgia, Ohio, Louisiana, Tennessee, Mississippi, Indiana, Virginia and New York, are believed to have been affected.
• April 1, 2008 – Okemo Mountain Resort (Ludlow, VT) – records involved: 28,168
The Ludlow ski area announced that its computer network was breached by an intruder who gained access to credit card data including cardholder names, account numbers and expiration dates.
Total number of records containing sensitive personal information involved in security breaches: 233,418,945 (source: PrivacyRights.org)
Attack Trends
Data Breaches by Cause
• Information on data breaches that could lead to identity theft. Data
collected is not Symantec data.
• Theft and loss still remain the top cause of data leakage for overall
data breaches and identities exposed – may be tied to shrink
wrapped devices.
Attack Trends
Data Breaches by Sector
• Information on data breaches that could lead to identity theft. Data collected is not
Symantec data.
• The Education sector accounted for the majority of data breaches with 24%, followed
by Government (20%) and Healthcare (16%) – more than half of breaches (57%) were
due to theft or loss with insecure policy accounting for 21%.
Where does the data go?
• In order to take advantage of economic efficiencies and entice buyers,
sellers will offer reduced prices on larger volumes of goods for sale.
• A mature, consolidated economy is characterized by the development
and implementation of specific business models that are suitable to the
prevailing influences within the economy.
Significant Increase in # of Threats
• The significant increase in new threats over the past year is indicative of
the work of specialized malicious code authors and the existence of
organizations that employ programmers dedicated to the production of
these threats.
Malicious Code Trends
Propagation Vectors
• Sharing of executable files is the number one propagation
mechanism at 40%
• While email file attachments were second, the percentage of
threats propagating this way increased to 32% this period.
• Increase in executable file sharing and CIFS vectors largely due
to increase in viruses.
Temple University
Organization Profile
• Industry
– Education
• Overview
– Located in Philadelphia
– Comprehensive public research
university; 26th largest in U.S.
– Distinguished faculty in 17 schools and
colleges
– Schools of Law, Medicine, Pharmacy,
Podiatry, and Dentistry; renowned
Health Sciences Center
– 75,000-sq. ft. TECH Center is nation’s
largest facility of its kind
Temple University
Business Drivers
• Provide computing
resources in support of the
university’s academic goals
• Avoid lawsuits, outages,
and other negative publicity
that could damage
Temple’s reputation
• Minimize overhead costs of
managing IT infrastructure
Temple University
Technology Challenges
• Enforce security policies at network endpoints, including
residence halls and home offices
• Respond quickly and effectively to security incidents
• Make compliance seamless for students and staff
Temple University
Challenge Begins in Residence Halls
• Each fall, thousands arrive on
campus…
– Students, not the university, own the
computers
• Inconsistent security solutions from machine to
machine
• University networks threatened by unmanaged
endpoints
• Yet the university has little control over the
machines
– Culture of openness must be supported
• Academic environment requires full access and
few restrictions
Temple University
Problems with P2P File Sharing
• Letters alleging copyright violations from
– Recording Industry Association of America
– Motion Picture Association of America
– Software Business Association
– Online Gamers' Association
• Remediation required
– Investigation of the complaint
– If complaint is valid
  • Certify removal of offending content
  • Certify removal of file-sharing software
  • This often requires rebuilding the computer
“Every week or so, we used to get a letter . . . claiming that a particular student was violating copyright laws through filesharing.”
Temple University
Getting Serious About Security
2002: Implemented first comprehensive security policy
• Free copy of Symantec AntiVirus™ Corporate Edition for each user
○ Comprehensive protection against viruses, spyware, worms, and other malware
• Established guidelines for updating Windows
• Launched a security awareness campaign
Dealing w/ Increasingly Complex Threats
2003 & 2004: Blaster and W32 hit hard
• Blaster infects 600 machines in 4 hours
○ Response: Symantec AntiVirus mandated throughout the university
• W32 bot/worm spread through file-sharing networks
○ Response: Rethinking of security strategy
○ Research showed the sequence of events:
  • Spyware/adware slows a system down
  • Student rebuilds system from original disks, without patches, updates, or Symantec AntiVirus
“We mandated Symantec AntiVirus throughout the university. It provided a high level of protection against viruses and worms, and it’s still doing that today.”
Selection of Symantec Sygate Enterprise Protection
2004: Evaluated competitive endpoint security solutions
• Criteria
– Complete compliance checks at every login
– Compatibility with a variety of systems
• Why Symantec?
– Integrated solution featuring
  • Desktop firewall
  • Host-based intrusion prevention
  • Adaptive protection
– Compatible with all Temple systems
– 802.1X for finer-grained control
“We need to ensure that student computers are in compliance with our security policies every time they connect to the network.”
How Symantec Endpoint Compliance Works
Compliance checks performed at Temple:
• Symantec AntiVirus running
• Threat definition files and patches up to date
• Windows automatic update enabled
Adaptive Protection feature blocks file sharing programs
Deployment
• “Get Connected” Registration Process
• Deploys Symantec AntiVirus and the endpoint agent as part of the registration process
• Policy Acceptance
• MAC Address Registration
Get Connected
Smooth Implementation Facilitates Student Move-in
2005: Initial deployment facilitated by Symantec Consulting Services
• Performed a security analysis
• Recommended best practices
• Designed policy
• Implemented infrastructure
• Onsite during fall student move-in, which went very smoothly
“Symantec Consulting is awesome. The team supported us all the way from installation through deployment, and beyond.”
Temple University
Business Value and Technical Benefits
Business Area: Copyright Compliance
• 73% reduction in alleged copyright violations (from 41 to 11)
• Reduced risk of damage to university reputation due to lawsuit or adverse publicity
Business Area: Threat Protection
• Eliminated bot-based DDoS attacks completely in most recent year, down from five the previous year
• 100% compliance with security measures enforced by policy-based endpoint compliance tools
Business Area: Time Savings
• Saved 240 hours of staff time ($18,000 worth) in investigating and remediating alleged copyright violations
• Saved 4,000 hours of staff time needed previously to control outbreaks and remediate infected computers
Business Area: Return on Investment
• 100% payback within 12 months for all Symantec solutions
Temple University
Final Perspectives
Lessons learned
• Policy-based endpoint compliance works
• Top-level management buy-in is essential
• Building a multidisciplinary team is critical
• Building the deployment into our “get connected” process ensures compliance
• Review of successes and revision of processes is an ongoing event
Is Endpoint Protection Enough Protection?
“What Are The Most Common Sources Of Automated Internet Worm Attacks?”
• Employee Laptop: 43%
• Internet Through Firewall: 39%
• Non-Employee Laptop: 34%
• VPN Home System: 27%
• Don’t Know: 8%
• Other: 8%
Source: Enterprise Strategy Group, January 2005 ESG Research Report, Network Security And Intrusion Prevention
Symantec Network Access Control
3 Key Components
1. Central Management Console
2. Endpoint Evaluation Technology
3. Enforcer
1. Central Management Console
Symantec Endpoint Protection Manager
• Policy Management
• Web-based GUI
• Enterprise class/scale
• Role-based access
• Hierarchical views
• Integration with Active Directory
Same Management Console used for
Symantec Endpoint Protection 11.0
2. Endpoint Evaluation Technologies
• Remote Scanner (Good): ‘Unmanageable’ endpoints
• Dissolvable Agents (Better): ‘Unmanaged’ endpoints
• Persistent Agents (Best): ‘Managed’ endpoints
Symantec Endpoint Protection 11.0 agent is SNAC ready
3. Enforcers
• Host-based
– Symantec Self-Enforcement (Good)
• Network-based (optional)
– Symantec Gateway Enforcer (Better)
– Symantec DHCP Enforcer
– Symantec LAN Enforcer (802.1X) (Best)
Symantec NAC Self-Enforcement: How It Works
Components: Symantec Endpoint Protection Manager; Persistent Agent on the onsite or remote laptop; Protected Network; Quarantine Remediation Resources; Host Integrity Rule
1. Client connects to network and validates policy
2. Persistent Agent performs self-compliance checks against the Host Integrity Rule
3. Compliance pass: apply “Office” firewall policy. Compliance fail: apply “Quarantine” firewall policy
Status checks:
• Anti-Virus On
• Anti-Virus Updated
• Personal Firewall On
• Service Pack Updated
• Patch Updated
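The self-enforcement flow on this slide, together with the compliance checks listed under “How Symantec Endpoint Compliance Works”, as an added example that is not code from the deck or from Symantec's product: a small Python model in which the agent evaluates a Host Integrity rule and selects the firewall policy to apply. The check names, policy contents and remediation addresses are assumptions made for illustration.

```python
"""Added example (not Symantec's or Temple's code) modelling the
self-enforcement flow above and the compliance checks listed under
"How Symantec Endpoint Compliance Works". Check names, policy contents
and remediation addresses are assumptions made for illustration."""
from dataclasses import dataclass

# Host Integrity rule: the slide's five status checks; all must pass.
HOST_INTEGRITY_RULE = ("antivirus_on", "antivirus_updated",
                       "personal_firewall_on", "service_pack_updated",
                       "patch_updated")

# Constructed addresses of remediation resources a quarantined client may
# still reach (management server and an update source).
REMEDIATION_RESOURCES = ("sepm.example.edu:8014", "updates.example.edu:80")


@dataclass(frozen=True)
class FirewallPolicy:
    name: str
    allowed_destinations: tuple  # empty tuple means "any destination"

OFFICE_POLICY = FirewallPolicy("Office", ())
QUARANTINE_POLICY = FirewallPolicy("Quarantine", REMEDIATION_RESOURCES)

def evaluate_host_integrity(status: dict) -> list:
    """Return the rule checks that failed. A check the agent did not
    report counts as failed (fail closed): an endpoint that cannot prove
    a control is present is not trusted on the protected network."""
    return [check for check in HOST_INTEGRITY_RULE if not status.get(check, False)]

def select_policy(status: dict) -> FirewallPolicy:
    """Compliance pass: apply "Office"; compliance fail: apply "Quarantine"."""
    return QUARANTINE_POLICY if evaluate_host_integrity(status) else OFFICE_POLICY

def is_allowed(policy: FirewallPolicy, destination: str) -> bool:
    """Does the applied policy let the client reach this destination?"""
    return not policy.allowed_destinations or destination in policy.allowed_destinations

if __name__ == "__main__":
    # Constructed status: definitions stale, every other control in place.
    laptop = {"antivirus_on": True, "antivirus_updated": False,
              "personal_firewall_on": True, "service_pack_updated": True,
              "patch_updated": True}
    policy = select_policy(laptop)
    print(policy.name, "failed checks:", evaluate_host_integrity(laptop))
    print("update source reachable:", is_allowed(policy, "updates.example.edu:80"))
    print("general web reachable:", is_allowed(policy, "www.example.com:443"))
```

A quarantined client keeps just enough reachability to fix the failed check and re-run the evaluation; anything the agent cannot vouch for is treated as failed rather than skipped.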
Questions
Brian Foster
Seth Shestack
[email protected]
[email protected]
(310) 200-8065
(215) 204-5884
Copyright © 2008 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its
affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or
implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.