Mitigating Risk at the Endpoint

Endpoint Protection and Risk Management
Harry Wong
Symantec
Agenda
1. Endpoint Protection Overview
2. Symantec Endpoint Protection (SEP)
Top Endpoint Concerns for IT
Are my endpoints protected?
How do I prevent data loss?
How do I reduce time managing endpoints?
How do I demonstrate compliance?
Secure & Manage All Your Endpoints
• Endpoint Security: keep the bad things out
• Data Loss Prevention: keep the good things in (data encryption and protection)
• Endpoint Management: effectively manage while reducing cost (endpoint management and backup)
• IT Compliance: reduce your risks (incident response / system audit)
As Threat Landscape Changes, Technology Must as Well
• From Hackers & Spies… To Thieves
  – Noisy & Visible → Silent
  – Indiscriminate → Highly Targeted
  – Few, Named Variants → Overwhelming Variants
• Moving from Disrupting Operations To Damaging Trust and Reputations
Today’s Endpoint Problems Addressed by Too Many Technologies…

Endpoint            | Exposures                                                   | Protection Technology
--------------------|-------------------------------------------------------------|--------------------------------------
                    | Always on, always up-to-date                                | Host integrity & remediation
Applications        | Zero-hour attacks, malware, Trojans, application injection  | Anti-crimeware
I/O Devices         | Slurping, IP theft, malware                                 | Device controls
Memory/Processes    | Buffer overflow, process injection, key logging             | Buffer overflow & exploit protection
Operating System    | Malware, rootkits, day-zero vulnerabilities                 | O/S protection
Network Connection  | Worms, exploits & attacks                                   | Network IPS, Client firewall
Data & File System  | Viruses, Trojans, malware & spyware                         | AntiVirus, Anti-spyware
…even from Symantec

Endpoint            | Exposures                                                   | Protection Technology                 | Symantec Solution
--------------------|-------------------------------------------------------------|---------------------------------------|---------------------------------------
                    | Always on, always up-to-date                                | Host integrity & remediation          | Symantec Network Access Control
Applications        | Zero-hour attacks, malware, Trojans, application injection  | Anti-crimeware                        | Symantec Confidence Online
I/O Devices         | Slurping, IP theft, malware                                 | Device controls                       | Symantec Sygate Enterprise Protection
Memory/Processes    | Buffer overflow, process injection, key logging             | Buffer overflow & exploit protection  | Symantec Sygate Enterprise Protection
Operating System    | Malware, rootkits, day-zero vulnerabilities                 | O/S protection                        | Symantec Sygate Enterprise Protection
Network Connection  | Worms, exploits & attacks                                   | Network IPS, Client firewall          | Symantec Sygate Enterprise Protection
Data & File System  | Viruses, Trojans, malware & spyware                         | AntiVirus, Anti-spyware               | Symantec AntiVirus
Introducing…
• Symantec Endpoint Protection 11.0: AntiVirus, Antispyware, Firewall, Intrusion Prevention, Device Control
• Symantec Network Access Control 11.0: Network Access Control
Ingredients for Endpoint Protection: AntiVirus
• World’s leading AV solution
• Most (30) consecutive VB100 Awards (Virus Bulletin, Feb 2007)

Symantec™ Global Intelligence Network
• 4 Symantec SOCs
• 80 Symantec Monitored Countries
• 40,000+ Registered Sensors in 180+ Countries
• 11 Symantec Security Response Centers
• > 7,000 Managed Security Devices + 120 Million Systems Worldwide + 2 Million Probe Network + Advanced Honeypot Network
• Locations: Dublin, Ireland; Tokyo, Japan; Calgary, Canada; San Francisco, CA; Mountain View, CA; Chengdu, China; Reading, England; Culver City, CA; Austin, TX; Alexandria, VA; Pune, India; Taipei, Taiwan; Chennai, India; Sydney, Australia
Ingredients for Endpoint Protection: Antispyware
• Best rootkit detection and removal
• Raw Disk Scan (VxMS) = superior rootkit protection
Source: Thompson Cyber Security Labs, August 2006

Improved Detection and Removal
• Not dependent on new releases
• Enhancements in SEP 11
  – Lower level rootkit detection
  – Admin specified homepage restore
  – Surgical cookie cleanup
• ERASER today
  – Improvements are ongoing
  – Repair engine (Eraser) is extensible
[Diagram: Eraser and Direct Volume Access. The normal I/O path runs from the MS File System API (user mode) through the Windows File System and Volume Manager to the Physical Disk (kernel mode), with Rootkit Hook Points marked along that stack; Direct Volume Access lets Eraser read the volume beneath those hook points. A Reboot step is also shown.]
Ingredients for Endpoint Protection: Firewall
• Industry leading endpoint firewall technology
• Gartner MQ “Leader” – 4 consecutive years
• Rule-based FW can dynamically adjust port settings to block threats from spreading
Ingredients for Endpoint Protection: Intrusion Prevention
• Combines NIPS (network) and HIPS (host)
• Generic Exploit Blocking (GEB) – one signature to proactively protect against all variants
• Granular application access control
• Proactive Threat Scans (SONAR) – very low (0.002%) false positive rate: only 20 false positives for every 1 million PCs, measured across 16M installations
Intrusion Prevention System (IPS)
Combined technologies offer best defense
• Network IPS (NIPS)
  – Generic Exploit Blocking: vulnerability-based (sigs for vulnerability)
  – Deep packet inspection: signature-based (can create custom sigs, SNORT-like)
• Host IPS (HIPS)
  – Proactive Threat Scan: behavior-based (Whole Security – SONAR)
  – Application Control: rules-based (system lockdown by controlling an application’s ability to read, write, execute and make network connections)
A New Approach – Behavioral Detection Engine
• Each Engine has two sets of detection modules:
  – Pro-valid = evidence of valid application behavior
  – Pro-malicious = evidence of malicious application behavior
• Each Detection Module has a weight
  – The weight indicates the importance of the behavioral trait
• Each process gets 2 scores:
  – Valid Score = measure of how valid the process is
  – Malicious Score = measure of how malicious the process is

$$\text{Trojan Score} = \sum_{i=1}^{N} a_i T_i \qquad\qquad \text{Valid Score} = \sum_{i=1}^{M} b_i V_i$$

where $T_1, \dots, T_N$ are the outputs of the pro-malicious modules with weights $a_1, \dots, a_N$, and $V_1, \dots, V_M$ are the outputs of the pro-valid modules with weights $b_1, \dots, b_M$.

** Caveat: It’s not as simple as this - detection modules are cooperative

A good engine will create separation between valid applications & malicious code.
[Chart: score distributions for valid applications and malicious code; adjust scores (sensitivity settings) to reduce FP’s.]
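The two-score model above, worked through in code. This is an added illustration, not Symantec’s SONAR engine: the module names, their weights and the sample processes are constructed, and the sensitivity margin stands in for the slide’s “Adjust Scores” knob.

```python
"""Weighted two-score behavioral scoring, per the slide's formulas:
Trojan Score = sum(a_i * T_i), Valid Score = sum(b_i * V_i).
Module names, weights and processes are constructed for illustration."""
from dataclasses import dataclass, field

# Pro-malicious modules (T_i) with weights a_i: evidence of malicious behavior.
MALICIOUS_WEIGHTS = {
    "injects_into_other_process": 5.0,
    "adds_autorun_key": 3.0,
    "hides_own_window": 2.0,
    "contacts_unknown_host": 2.0,
}
# Pro-valid modules (V_i) with weights b_i: evidence of legitimate behavior.
VALID_WEIGHTS = {
    "has_trusted_signature": 5.0,
    "installed_via_msi": 3.0,
    "has_visible_ui": 2.0,
    "long_prevalence": 2.0,
}

@dataclass
class ProcessProfile:
    name: str
    traits: set = field(default_factory=set)  # modules that fired (output = 1)

def score(profile: ProcessProfile) -> tuple:
    """Return (trojan_score, valid_score): each module contributes its weight if it fired."""
    trojan = sum(w for t, w in MALICIOUS_WEIGHTS.items() if t in profile.traits)
    valid = sum(w for t, w in VALID_WEIGHTS.items() if t in profile.traits)
    return trojan, valid

def classify(profile: ProcessProfile, sensitivity: float) -> str:
    """Convict only when malicious evidence exceeds valid evidence by the margin.
    A larger margin trades detections for fewer false positives (sensitivity setting)."""
    trojan, valid = score(profile)
    return "malicious" if trojan - valid > sensitivity else "valid"

# Constructed sample processes (not real telemetry).
SAMPLES = [
    ProcessProfile("updater.exe", {"has_trusted_signature", "installed_via_msi", "contacts_unknown_host"}),
    ProcessProfile("svch0st.exe", {"injects_into_other_process", "adds_autorun_key", "hides_own_window"}),
    ProcessProfile("oldtool.exe", {"hides_own_window", "contacts_unknown_host", "long_prevalence"}),
]

if __name__ == "__main__":
    for p in SAMPLES:  # oldtool.exe flips verdict as the margin is raised
        print(p.name, score(p), classify(p, 1.0), classify(p, 3.0))
```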
Intrusion Prevention System
Example signature rule:
rule tcp, tcp_flag&ack, daddr=$LOCALHOST, msg="[182.1] RPC DCOM buffer overflow attempt detected", content="\x05\x00\x00\x03\x10\x00\x00\x00"(0,8)
[Diagram: traffic for SSH, HTTP, FTP, IM, SMTP and RPC is inspected by the Custom Sig Engine, GEB and the Signature IDS.]
Intrusion Prevention Features
• Combines Generic Exploit Blocking (GEB) and SCS IDS with Sygate IDS
• Deep packet inspection
• Sygate IDS engine allows admins to create their own signatures
• Uses signature format similar to SNORT™
• Regex support
• Signatures applied only to vulnerable applications
• Resistant to common and advanced evasion techniques
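A minimal matcher for the rule shown on the IPS slide, added here as an illustration of how a custom signature is applied to traffic; it is not the Sygate IDS engine’s parser. The grammar is inferred from that single example, the `(0,8)` suffix is assumed to mean offset 0 and depth 8 bytes, `daddr` is parsed but not evaluated, and the sample payloads are constructed, not captured.

```python
"""Parse the slide's SNORT-like rule and apply it to sample TCP payloads.
Grammar and (offset,depth) semantics are inferred from the one example."""
import re
from dataclasses import dataclass

# The rule exactly as shown on the slide.
RULE = (r'rule tcp, tcp_flag&ack, daddr=$LOCALHOST, '
        r'msg="[182.1] RPC DCOM buffer overflow attempt detected", '
        r'content="\x05\x00\x00\x03\x10\x00\x00\x00"(0,8)')

@dataclass
class Rule:
    proto: str      # transport protocol the rule applies to
    flags: set      # TCP flags that must all be set (tcp_flag&...)
    daddr: str      # destination address token (not evaluated here)
    msg: str        # alert text
    content: bytes  # byte pattern to look for
    offset: int     # payload offset where the search window starts
    depth: int      # number of bytes from offset to examine

def parse_rule(text: str) -> Rule:
    proto = re.match(r"rule (\w+),", text).group(1)
    flags = set(re.findall(r"tcp_flag&(\w+)", text))
    daddr = re.search(r"daddr=(\S+?),", text).group(1)
    msg = re.search(r'msg="([^"]*)"', text).group(1)
    m = re.search(r'content="((?:\\x[0-9a-fA-F]{2}|[^"\\])*)"\((\d+),(\d+)\)', text)
    # Turn \xNN escapes (and any literal characters) into raw bytes.
    content = m.group(1).encode("latin-1").decode("unicode_escape").encode("latin-1")
    return Rule(proto, flags, daddr, msg, content, int(m.group(2)), int(m.group(3)))

def matches(rule: Rule, proto: str, tcp_flags: set, payload: bytes) -> bool:
    """True when protocol and flags fit and the content lies inside the offset/depth window."""
    if proto != rule.proto or not rule.flags <= tcp_flags:
        return False
    window = payload[rule.offset:rule.offset + rule.depth]
    return rule.content in window

# Constructed sample payloads (not captured traffic).
SAMPLE_HIT = b"\x05\x00\x00\x03\x10\x00\x00\x00" + b"\x00" * 8  # pattern at offset 0
SAMPLE_SHIFTED = b"\x00" * 4 + SAMPLE_HIT[:8]                   # same bytes, outside the 8-byte window
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example\r\n"

if __name__ == "__main__":
    rule = parse_rule(RULE)
    for name, payload in [("hit", SAMPLE_HIT), ("shifted", SAMPLE_SHIFTED), ("http", SAMPLE_HTTP)]:
        print(name, rule.msg if matches(rule, "tcp", {"ack", "psh"}, payload) else "no alert")
```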
Ingredients for Endpoint Protection: Device Control
• Prevents data leakage
• Restrict access to devices (USB keys, backup drives)
• W32.SillyFDC (May 2007)
New features and improvements: Granular Device Control
• Devices can now be identified by any means
  – Type, Brand, Model, Serial Number
• Tool provided on CD3 to verify Device IDs (DevViewer)
• Some Device ID examples:
  – SanDisk Micro Cruzer: USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_2033\0002071406&0
  – Apple iPod: USBSTOR\DiskApple___iPod____________1.62\4&3656B0&0
  – Hitachi IDE Hard Drive: IDE\DISKHTS541060G9SA00_________________________MB3IC60H\4&14AA9DA8&0&0.0.0
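How the type / brand / model / serial granularity can be applied to the device IDs quoted above, as an added example that is not SEP’s own matching code. The split of a Windows device instance ID into enumerator, VEN_/PROD_ fields and instance string, and the rule list format, are this example’s assumptions.

```python
"""Evaluate a granular device-control policy against Windows device instance IDs.
ID parsing and the (level, pattern, action) rule format are this example's own."""
import re
from dataclasses import dataclass

# Device IDs quoted on the slide.
SANDISK = r"USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_2033\0002071406&0"
IPOD = r"USBSTOR\DiskApple___iPod____________1.62\4&3656B0&0"
HITACHI = r"IDE\DISKHTS541060G9SA00_________________________MB3IC60H\4&14AA9DA8&0&0.0.0"

@dataclass
class DeviceId:
    bus: str       # enumerator, e.g. USBSTOR or IDE      (slide: type)
    vendor: str    # VEN_xxx field, empty if absent         (slide: brand)
    product: str   # PROD_xxx field, else the hardware ID   (slide: model)
    instance: str  # last path element                      (slide: serial number)

def parse_device_id(device_id: str) -> DeviceId:
    bus, hardware, instance = device_id.split("\\", 2)
    ven = re.search(r"VEN_([^&]+)", hardware)
    prod = re.search(r"PROD_([^&]+)", hardware)
    return DeviceId(bus, ven.group(1) if ven else "", prod.group(1) if prod else hardware, instance)

def policy_for(dev: DeviceId, rules: list) -> str:
    """Return the action of the first rule whose wildcard pattern matches the field
    selected by its level; rules are ordered most specific first."""
    fields = {"type": dev.bus, "brand": dev.vendor, "model": dev.product, "serial": dev.instance}
    for level, pattern, action in rules:
        regex = re.escape(pattern).replace(r"\*", ".*")
        if re.fullmatch(regex, fields[level], re.IGNORECASE):
            return action
    return "allow"  # nothing matched: internal disks etc. stay usable

# Constructed policy: one approved SanDisk key by serial, all other SanDisk
# keys and all iPods blocked, any remaining USB storage blocked.
RULES = [
    ("serial", "0002071406&0", "allow"),
    ("brand", "SANDISK", "block"),
    ("model", "DiskApple*", "block"),
    ("type", "USBSTOR", "block"),
]

if __name__ == "__main__":
    for dev_id in (SANDISK, IPOD, HITACHI, SANDISK.replace("0002071406", "9999999999")):
        print(policy_for(parse_device_id(dev_id), RULES), dev_id)
```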
Device Control on Application
• Application Behavior Analysis: monitors behavior of applications
• Process Execution Control: blocks unwanted programs from running
• File Access Control: blocks unwanted access to files or folders
• Registry Access Control: controls access and writing to registry keys
• Module & DLL Loading Control: blocks applications from loading modules
Thank You
Name: Harry Wong
Email: [email protected]
Phone: 2820 1302

Copyright © 2008 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Symantec Endpoint Solutions
Greater Security, Visibility, & Control
• Most reliable global security network
• Protecting over 100 million endpoints
• Proven scale at the largest organizations
• Integrated, industry-leading technologies
• Leader in Security & Management

FY10: Strategic Priorities & Enterprise Solutions
• Strategic Priorities: Enterprise Security & Management; Data Center Optimization
• Solutions: Endpoint Management, Security Management, IT Compliance, IT Service Management, Endpoint Security, Discovery & Retention Management, Endpoint Virtualization, Messaging Security, Web Security, Data Loss Prevention, Storage Management, Disaster Recovery, Archiving, High Availability, Data Protection, Virtualization Management, Green IT