Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013


Next Generation Endpoint Security

Jason Brown

Enterprise Solution Architect

McAfee

May 23, 2013

Agenda

• Threat landscape and current approach

• The anatomy of an attack

• Next generation endpoint security

THREAT LANDSCAPE AND CURRENT APPROACH

Recapping the Problem

Q2 2012: >8 million new malware samples

Up to 200,000 new samples received and processed daily by McAfee Labs

Recapping the Problem

>99.9% of malware samples received in 2012 were targeted at Windows

The Traditional Approach – works to a point

• Signatures

• Generics

• Heuristics and Sandboxing

Two fundamental problems with today's approach…

• Detection

– 1 new threat each second versus 1 signature update per day

– New signature updates could be produced more frequently, but they cannot be consumed more quickly

– The cloud helps, but we cannot check each file with the cloud

– Signatures don't help against APTs and zero-day attacks

• Performance

– Scanning all files for all things takes time

– As the number of threats multiplies, the impact of scanning multiplies

THE ANATOMY OF AN ATTACK

Four Phases of an Attack

First Contact – how the attacker first crosses paths with the target

• Physical Access

• Unsolicited Message

• Network Access

• Malicious Website or URL

Local Execution – how the attacker gets code running

• Social Engineering

• Configuration Error

• Exploit

Establish Presence – how the code persists on the system, to survive reboot

• Download Malware

• Escalate Privilege

• Self-Preservation

• Persist on System

Malicious Activity – the business logic: what the attacker wants to accomplish

• Propagation

• Bot Activities

• Identity & Financial Fraud

• Tampering

• Adware & Scareware

Four Phases of an Attack, e.g. Fake AV

The same four-phase matrix, with the path a fake-AV campaign takes highlighted:

• First Contact (how the attacker first crosses paths with the target): Malicious Website or URL

• Local Execution (how the attacker gets code running): Exploit

• Establish Presence (how the code persists on the system, to survive reboot): Persist on System

• Malicious Activity (the business logic, what the attacker wants to accomplish): Adware & Scareware

A generic approach to protection

The controls the slide places against each phase of the attack matrix:

First Contact (Physical Access, Unsolicited Message, Network Access, Malicious Website or URL) – how the attacker first crosses paths with the target

• Device control, Hard disk encryption

• Web filtering

• Host firewall, Network access control

• Email filtering

Local Execution (Social Engineering, Configuration Error, Exploit) – how the attacker gets code running

• Memory & kernel protection, Database monitoring

• On-access scanning, Access protection rules, Application whitelisting

• Auditing, Access protection rules

Establish Presence (Download Malware, Escalate Privilege, Self-Preservation, Persist on System) – how the code persists on the system, to survive reboot

• Web filtering, Host firewall

• Memory & kernel protection, Database monitoring, Auditing

• Access protection rules

• Access protection rules, Kernel protection

Malicious Activity (Propagation, Bot Activities, Identity & Financial Fraud, Tampering, Adware & Scareware) – the business logic: what the attacker wants to accomplish

• On-access scanning, Application whitelisting, Web filtering, Host firewall

• On-access scanning, Application whitelisting

• On-access scanning, Access protection rules, Application whitelisting

• Integrity monitoring

Does this approach work?

Source: Aberdeen Group, March 2012

NEXT GENERATION ENDPOINT SECURITY

Next-Generation Endpoint Security: Context-Aware Endpoint Platform

Layers covered: Cloud | Application | Database | OS | Chip

Unified Security Operations: Security Information and Events | Risk and Compliance | Real-time information

FIRST-GENERATION

• Desktop/Laptop

• Blacklist files

• Focus on devices

• Windows only

• Static device policy

• Disparate, disconnected management

Endpoints covered by the platform: Desktop | Laptop | Mobile | Server | Virtual | Embedded | Data Center

Next Generation Anti-Malware Core: Technology Overview

• Flexible: Multiple content streams | Updateable components

• Reputation enabled: File, IP, site, domain | Prevalence

• Resilient: Advanced repair | Built-in false-positive prevention logic | Centralized quarantine

• Signature-less detection: Shell code & script exploits | Reputation- and trust-based process restrictions | Environmental heuristics | Process profiling

• High performance: Adaptive scanning and dynamic scan avoidance using trust logic | Static and dynamic whitelisting

• Context awareness: OS | Application | Network | File | Registry | Memory | Process execution

Adaptive scanning and false-positive avoidance

Is a scan necessary?

• Scan according to file state

• Cloud check for false-positive avoidance

Traditional combined with reputation

• Global Threat Intelligence: cloud lookups for file, URL, domain, IP reputation, and metadata

• Traditional signatures

• Generics and heuristics

What do you do about the remaining items, with various levels of suspiciousness?
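The "is a scan necessary?" decision above can be made concrete in a few dozen lines. The following is an added example written for this page, not McAfee's engine and not code from the slides: a per-path record of content hash plus signature-content version answers "scan according to file state", a local table stands in for the cloud reputation lookup, and only files that pass both checks fall through to the heavy path, a traditional signature scan. The class and function names, the content-version numbers, the reputation entry, the byte pattern used as a signature and the sample files are all constructed assumptions.

```python
"""Is a scan necessary? Added example (not McAfee's code).

Decide per file whether to skip a scan (file unchanged since its last verdict),
answer from reputation (stand-in for a cloud lookup), or run a full signature
scan. All versions, entries, patterns and sample files below are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class ScanRecord:
    sha256: str           # content hash when the file was last examined
    content_version: int  # signature content version behind that verdict
    verdict: str          # "clean" or "malicious"


@dataclass
class ScanEngine:
    content_version: int                 # current signature content version
    signatures: Set[bytes]               # stand-in for traditional byte signatures
    reputation: Dict[str, str]           # stand-in for a cloud reputation table
    cache: Dict[str, ScanRecord] = field(default_factory=dict)  # per-path file state
    full_scans: int = 0                  # how many heavy scans actually ran

    def decide(self, path: str, data: bytes) -> Tuple[str, str]:
        """Return (verdict, reason) for the file at `path` with contents `data`."""
        digest = hashlib.sha256(data).hexdigest()

        # 1. File state: same content and same signature version as the last
        #    verdict means nothing new can be learned, so no scan. A changed hash
        #    or a content update invalidates the record.
        rec = self.cache.get(path)
        if rec and rec.sha256 == digest and rec.content_version == self.content_version:
            return rec.verdict, "unchanged"

        # 2. Reputation: a hash already classified as trusted or malicious needs
        #    no local signature scan. This is where the cloud lookup would sit;
        #    it runs only for files that were not answered by step 1.
        rep = self.reputation.get(digest)
        if rep in ("trusted", "malicious"):
            verdict = "clean" if rep == "trusted" else "malicious"
            self.cache[path] = ScanRecord(digest, self.content_version, verdict)
            return verdict, "reputation"

        # 3. Unknown file: the heavy path, a full scan against every signature.
        self.full_scans += 1
        verdict = "malicious" if any(sig in data for sig in self.signatures) else "clean"
        self.cache[path] = ScanRecord(digest, self.content_version, verdict)
        return verdict, "full-scan"

    def update_content(self, new_version: int) -> None:
        """A signature content update: earlier 'clean' verdicts are now stale."""
        self.content_version = new_version


def demo() -> dict:
    """Constructed walk-through; returns the decisions so the flow can be checked."""
    engine = ScanEngine(
        content_version=7000,
        signatures={b"CONSTRUCTED-BAD-MARKER"},   # constructed pattern, not a real signature
        reputation={hashlib.sha256(b"known good tool").hexdigest(): "trusted"},
    )
    r1 = engine.decide("tool.exe", b"known good tool")                  # reputation, no scan
    r2 = engine.decide("unknown.exe", b"hello world")                   # full scan, clean
    r3 = engine.decide("unknown.exe", b"hello world")                   # unchanged, no scan
    r4 = engine.decide("unknown.exe", b"hello CONSTRUCTED-BAD-MARKER")  # changed, rescan
    engine.update_content(7001)
    r5 = engine.decide("unknown.exe", b"hello CONSTRUCTED-BAD-MARKER")  # stale verdict, rescan
    return {"results": [r1, r2, r3, r4, r5], "full_scans": engine.full_scans}


if __name__ == "__main__":
    for verdict, reason in demo()["results"]:
        print(f"{reason:11s} -> {verdict}")
```

Two points the ordering encodes: the cheap file-state check runs before the reputation lookup, which is what keeps "we cannot check each file with the cloud" true in practice, and a content update invalidates cached "clean" verdicts but not the hash check itself, so unchanged files are still rescanned at most once per content version. A real engine would also have to handle files replaced under the same path by a hard link or rename, which this path-keyed cache catches only because it re-hashes the content on every decision.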

Intelligent Trust and Selective Scanning

Trust gauge: Low – Normal – High

Define multiple scanning states, providing differing levels of monitoring, hooking different kernel activity etc.:

• Trusted – limited set of their events monitored

• Normal – intermediate set of events monitored

• Suspicious – full set of their events monitored

Categorise a file based on knowledge:

• Where did it come from (Internet, USB, local net, …)?

• How did it arrive (trusted process, user, …)?

• What else is known about it?

Processes inherit the trust of their binary image file

• Monitor processes based on scanning state

Adaptive Scanning based on behaviour

• Malware families follow certain behavioural patterns

• Observe what grey files and processes do, looking for suspicious behaviour

• Keep track of events in a local database

Trust gauge: Low – Normal – High

• Change state based on behaviours, e.g.

– If something suspicious is seen, increase event monitoring for that process:

• Connects to a known bad IP or URL: more suspicious

• Signed by a known trusted certificate: less suspicious

– Get aggressive, but in a highly targeted way!
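The two preceding slides (scanning states assigned from file provenance and inherited by processes, then adjusted by observed behaviour) describe one state machine, so here is one added example covering both. It is illustration written for this page, not McAfee's implementation: the three state names come from the slides, but the provenance rules, which event classes are hooked at each state, the trusted-signer allow-list, the known-bad IP (a TEST-NET-3 address) and the sample processes are all constructed assumptions.

```python
"""Trust states, process inheritance and behaviour-driven state changes.

Added example, not McAfee's code. State names follow the slides; every rule,
event set, allow-list entry and sample value below is a constructed assumption.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional


class Trust(IntEnum):
    TRUSTED = 0      # limited set of events monitored
    NORMAL = 1       # intermediate set of events monitored
    SUSPICIOUS = 2   # full set of events monitored


# Event classes hooked at each scanning state (assumed sets: more suspicion, more hooks).
MONITORED = {
    Trust.TRUSTED: {"process_create"},
    Trust.NORMAL: {"process_create", "file_write", "network_connect", "memory_inject"},
    Trust.SUSPICIOUS: {"process_create", "file_write", "network_connect", "memory_inject",
                       "registry_write", "file_read"},
}

TRUSTED_SIGNERS = {"Example Corp Code Signing"}   # assumed allow-list
KNOWN_BAD_IPS = {"203.0.113.7"}                   # constructed, TEST-NET-3 range


@dataclass
class FileInfo:
    path: str
    origin: str                   # where it came from: internet, usb, local_net, install_media
    arrived_via: str              # how it arrived: trusted_installer, browser, user_copy
    signer: Optional[str] = None  # code-signing certificate subject, if any


def classify_file(f: FileInfo) -> Trust:
    """Initial scanning state from what is known about the file (assumed rules)."""
    if f.signer in TRUSTED_SIGNERS and f.arrived_via == "trusted_installer":
        return Trust.TRUSTED
    if f.origin in ("internet", "usb") and f.signer is None:
        return Trust.SUSPICIOUS
    return Trust.NORMAL


@dataclass
class Process:
    pid: int
    image: FileInfo
    state: Trust
    events: List[dict] = field(default_factory=list)  # local per-process event record


class Monitor:
    def __init__(self) -> None:
        self.processes: Dict[int, Process] = {}

    def start(self, pid: int, image: FileInfo) -> Process:
        # Processes inherit the trust of their binary image file.
        proc = Process(pid, image, classify_file(image))
        self.processes[pid] = proc
        return proc

    def observe(self, pid: int, kind: str, **attrs) -> Trust:
        """Feed one kernel event; return the process's (possibly updated) state."""
        proc = self.processes[pid]
        if kind not in MONITORED[proc.state]:
            return proc.state          # not hooked at this state: the cheap path
        proc.events.append({"kind": kind, **attrs})

        if kind == "network_connect" and attrs.get("ip") in KNOWN_BAD_IPS:
            proc.state = Trust.SUSPICIOUS            # known bad IP: more suspicious
        elif kind == "memory_inject":
            proc.state = Trust.SUSPICIOUS
            # Inherited trust is only as good as the image on disk. A process that has
            # received injected code no longer runs only its image, so demote the target.
            target = self.processes.get(attrs.get("target_pid"))
            if target is not None:
                target.state = Trust.SUSPICIOUS
        return proc.state

    def signature_verified(self, pid: int, signer: str) -> Trust:
        """A valid signature from a trusted signer: one step less suspicious."""
        proc = self.processes[pid]
        if signer in TRUSTED_SIGNERS and proc.state > Trust.TRUSTED:
            proc.state = Trust(proc.state - 1)
        return proc.state


if __name__ == "__main__":
    m = Monitor()
    dl = m.start(100, FileInfo("setup.exe", "internet", "browser"))
    svc = m.start(200, FileInfo("svc.exe", "install_media", "trusted_installer",
                                "Example Corp Code Signing"))
    m.observe(100, "network_connect", ip="203.0.113.7")
    m.observe(100, "memory_inject", target_pid=200)
    print(dl.state.name, svc.state.name)   # both SUSPICIOUS after the injection
```

The gating in `observe` is the whole performance argument: a trusted process pays for one hook class, a suspicious one for six. It is also the risk to keep in view when tuning such a policy. A trusted process that injects into another, or a signed binary that is itself malicious, generates no `memory_inject` or `network_connect` record at all here, which is why the demotion of the injection target and the out-of-band signature check are separate paths rather than more hooks on the trusted state.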

Summary

• First-gen endpoint solutions scan with signatures once and, if no infection is found, allow any action

– Increased malware volume means this technique will impact performance

– Increased speed of propagation renders this approach ineffective against new malware, zero-day attacks and APTs

• Next-gen endpoint solutions need

– A light scan to minimise performance impact

– A heavy scan to detect new malware

• An adaptive approach is the only way to improve detection whilst reducing performance impact

THANK YOU