Endpoint Security Shifting Paradigms 5
Malware Outbreaks Growing

● Constant morphing
● Constant attacks
● No target is too small
● Damage to victims goes far beyond money
● Government (and trial lawyers) growing interest
● Everyone is at risk
Today's Paradigm

● We know what malware looks like;
● Our users won't accept changes that impact the way they work;
● We can train our users so well they'll never make a mistake;
● And, our techs and SysAdmins;
● With just a little more effort we can deploy all patches to all devices on time every time, without fail;
● We've always used blacklists; they work;
● We're smarter than the bad guys; and,
● We just got breached.
A New Paradigm

● We can't recognize everything that's bad;
● Users can accept reasonable changes because they all know an identity-theft victim;
● We can know what is permitted on each computer;
● Whitelisting works because
  ✔ We now do it at the executable level (executables and shared libraries);
  ✔ White lists can be updated each time a patch or update is deployed;
  ✔ White list maintenance is mostly automated;
  ✔ Whitelisting is augmented with other endpoint controls.
● No matter what kind of malware gets in because of user errors, misconfigurations, or missing patches, it can't execute.
Security Assistant

● Stops everything not on white list
● Deploys patches, automates whitelist maintenance
● Audits endpoints by opening each file on all drives
● Semi-NAC
● Console window for every endpoint with schedule-capable commands
Full Stop

● Stops everything not on white list
  ✔ Monitors hard drive writes (including browser cache)
  ✔ Quarantines if executable/shared library & not on white list
  ✔ Monitors process starts
  ✔ Blocks if starting program not on white list
  ✔ Monitors removable media
  ✔ Blocks execution if not on white list
Integrated Patch/Whitelist Maintenance

● Deploys patches, automates whitelist maintenance
  ✔ Provisional whitelist includes pre- and post-patch file information, as well as the patch itself;
  ✔ Post-patch whitelist removes information for pre-patch conditions and the patch;
  ✔ ADDED VALUE – Endpoint restored to pre-patch restore point is immediately obvious; no more unknown lost patches.
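The two slides above (Full Stop and Integrated Patch/Whitelist Maintenance) describe one mechanism: a per-node whitelist keyed on file hashes, consulted on every write, process start and removable-media execution, and carried through a provisional state while a patch is in flight. The following is an added example written for this page, not Naknan's code, to show how that lifecycle behaves. The `NodeWhitelist` class, the event names (`write`, `exec`, `removable_exec`), the action strings and every byte string are constructed for the demo; `KB-PLACEHOLDER` stands in for a patch identifier and is not a real one.

```python
# Added example (not Naknan's code): a per-node, hash-keyed executable
# whitelist with the provisional/post-patch lifecycle from the slides above.
# Every byte string below is constructed for the demo; "KB-PLACEHOLDER" is
# a stand-in, not a real patch identifier.
import hashlib
from dataclasses import dataclass, field

ALLOW, UNKNOWN, ROLLED_BACK = "ALLOW", "BLOCK: UNKNOWN", "BLOCK: ROLLED_BACK"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_executable(data: bytes) -> bool:
    # Minimal "executable or shared library" test by file magic (PE or ELF).
    return data[:2] == b"MZ" or data[:4] == b"\x7fELF"


@dataclass
class NodeWhitelist:
    approved: dict = field(default_factory=dict)     # hash -> label, committed entries
    provisional: dict = field(default_factory=dict)  # hash -> label, allowed only while a patch is in flight
    retired: dict = field(default_factory=dict)      # hash -> label, pre-patch versions a committed patch replaced

    def decide(self, data: bytes) -> str:
        h = sha256(data)
        if h in self.approved or h in self.provisional:
            return ALLOW
        if h in self.retired:
            return ROLLED_BACK  # a pre-patch binary reappeared: the endpoint lost the patch
        return UNKNOWN

    def enforce(self, event: str, data: bytes) -> str:
        """Map a monitored event ('write', 'exec', 'removable_exec') to an action."""
        if event == "write" and not is_executable(data):
            return ALLOW  # documents and data files are not subject to the whitelist
        if self.decide(data) == ALLOW:
            return ALLOW
        return "QUARANTINE" if event == "write" else "BLOCK"

    def begin_patch(self, patch_blob: bytes, replacements: dict) -> None:
        """replacements: label -> (pre_patch_bytes, post_patch_bytes).
        Provisional state: installer, old and new versions are all allowed."""
        self.provisional[sha256(patch_blob)] = "patch installer"
        for label, (old, new) in replacements.items():
            self.approved.pop(sha256(old), None)
            self.provisional[sha256(old)] = label
            self.approved[sha256(new)] = label

    def commit_patch(self, patch_blob: bytes, replacements: dict) -> None:
        """Post-patch state: drop the installer and the pre-patch versions, but
        remember the latter so a rollback is recognised rather than just 'unknown'."""
        self.provisional.pop(sha256(patch_blob), None)
        for label, (old, _new) in replacements.items():
            self.provisional.pop(sha256(old), None)
            self.retired[sha256(old)] = label


def run_demo() -> dict:
    old_dll = b"MZ libfoo v1 (constructed)"
    new_dll = b"MZ libfoo v2 (constructed)"
    patch = b"MZ KB-PLACEHOLDER installer (constructed)"
    dropper = b"MZ unknown binary from USB (constructed)"
    report = b"quarterly report text (constructed)"
    wl = NodeWhitelist(approved={sha256(old_dll): "libfoo.dll"})
    repl = {"libfoo.dll": (old_dll, new_dll)}
    out = {}
    out["pre: exec old dll"] = wl.enforce("exec", old_dll)
    out["pre: write dropper to cache"] = wl.enforce("write", dropper)
    out["pre: exec dropper from usb"] = wl.enforce("removable_exec", dropper)
    out["pre: write document"] = wl.enforce("write", report)
    wl.begin_patch(patch, repl)
    out["provisional: exec installer"] = wl.enforce("exec", patch)
    out["provisional: exec old dll"] = wl.enforce("exec", old_dll)
    out["provisional: exec new dll"] = wl.enforce("exec", new_dll)
    wl.commit_patch(patch, repl)
    out["post: exec new dll"] = wl.enforce("exec", new_dll)
    out["post: exec installer"] = wl.enforce("exec", patch)
    out["post: verdict on old dll"] = wl.decide(old_dll)  # restore-point rollback shows up here
    return out


if __name__ == "__main__":
    for event, action in run_demo().items():
        print(f"{event:32} -> {action}")
```

The `retired` table is what gives the "ADDED VALUE" point its teeth: after the patch is committed, a file that hashes to the pre-patch version is reported as a rollback rather than as an arbitrary unknown binary, so a machine restored to an old restore point stands out in the logs instead of silently losing the patch.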
Full System Audit

● Audits endpoints by opening each file on all drives
  ✔ Maps results to FDCC patch requirements (slide callout: Vulnerabilities Identified)
  ✔ Maps results to CVE-type patchable vulnerabilities
  ✔ Can map to any similar standard or requirement
  ✔ Shows authorized software (slide callout: Consensus Audit Guidelines Critical Control #2)
  ✔ Shows unauthorized software
  ✔ "Click-to-Remove" builds script to remove unwanted files/applications, runs when initiated from GUI
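The audit slide describes opening every file on every drive, deciding which executables are authorized against the node's whitelist, and building a removal script for the rest. The following is an added example written for this page, not Naknan's code: it walks a directory tree, hashes each file, splits executables into authorized and unauthorized sets, and returns a removal script as text for review rather than running it. The directory tree, file contents and whitelist are all constructed inside a temporary directory; the FDCC/CVE mapping from the slide is out of scope here because it needs a vulnerability database the page does not provide.

```python
# Added example (not Naknan's code): a minimal "full system audit" in the
# spirit of the slide above. It opens every file under a root, hashes it,
# classifies executables against a node whitelist, and builds (without
# running) a removal script for the unauthorized ones. The directory tree,
# file contents and whitelist are all constructed in a temporary directory.
import hashlib
import os
import shlex
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_executable_file(path: str) -> bool:
    # PE ("MZ") or ELF magic; anything else is treated as data, not code.
    with open(path, "rb") as f:
        head = f.read(4)
    return head[:2] == b"MZ" or head == b"\x7fELF"


def audit(root: str, whitelist: set) -> dict:
    """Walk root; return executables split into authorized/unauthorized plus non-executables."""
    result = {"authorized": [], "unauthorized": [], "other": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not is_executable_file(path):
                result["other"].append(path)
            elif sha256_file(path) in whitelist:
                result["authorized"].append(path)
            else:
                result["unauthorized"].append(path)
    for key in result:
        result[key].sort()
    return result


def build_removal_script(paths: list) -> str:
    """'Click-to-Remove' analogue: a POSIX sh script returned as text for
    review; each path is shell-quoted so odd filenames cannot inject commands."""
    lines = ["#!/bin/sh", "set -e"] + [f"rm -f -- {shlex.quote(p)}" for p in paths]
    return "\n".join(lines) + "\n"


def run_demo() -> dict:
    root = tempfile.mkdtemp(prefix="audit_demo_")
    samples = {  # constructed sample tree: two approved binaries, one stray, one document
        "bin/app.exe": b"MZ approved application (constructed)",
        "bin/helper.dll": b"MZ approved shared library (constructed)",
        "cache/dropper.exe": b"MZ something nobody approved (constructed)",
        "docs/readme.txt": b"plain text, not subject to the whitelist",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    whitelist = {hashlib.sha256(samples[k]).hexdigest() for k in ("bin/app.exe", "bin/helper.dll")}
    found = audit(root, whitelist)
    rel = lambda ps: [os.path.relpath(p, root).replace(os.sep, "/") for p in ps]
    return {
        "authorized": rel(found["authorized"]),
        "unauthorized": rel(found["unauthorized"]),
        "other": rel(found["other"]),
        "script": build_removal_script(found["unauthorized"]),
    }


if __name__ == "__main__":
    out = run_demo()
    print("authorized:  ", out["authorized"])
    print("unauthorized:", out["unauthorized"])
    print("other:       ", out["other"])
    print(out["script"])
```

Hashing whole files rather than trusting names or extensions is what makes the audit a "proof of compliance" rather than an inventory: a renamed binary still lands in the unauthorized set, and a file that merely looks like an approved one by name does not get through.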
Network-Related

● Semi-NAC
  ✔ Monitor network traffic
  ✔ Each node "knows" other devices on same subnet
  ✔ Reports and refuses to communicate with unknown devices on same subnet
  ✔ Early 2010, not limited to same subnet
Command Window

● Window into every node
  ✔ Do anything you could if you were at the node
  ✔ Schedule console commands; no commands excepted
  ✔ Highly secure and very mature interface
  ✔ Gives complete control of each node, realtime and/or scheduled
Critical Infrastructure

FERC Critical Infrastructure Protection Requirements -- CIP-007-2

R3. Security Patch Management — establish, document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).
R3.1. Document the assessment of security patches and security upgrades.
R3.2. Document the implementation of security patches.
R4. Malicious Software Prevention — use anti-virus software and other malicious software ("malware") prevention [and removal] tools.
R4.1. Implement anti-virus and malware prevention tools.
R4.2. Implement a process for the update of anti-virus and malware prevention "signatures."

Similar requirements in other CIP documents.
Consensus Audit Guidelines

● Critical Control 2: Know all authorized and unauthorized software; enforce whitelist – FULL
● Critical Control 10: Continuous Vulnerability Testing and Remediation – PARTIAL (no H/W configuration checking)
● Critical Control 12: Anti-Malware Defenses – FULL
● Critical Control 15: Data Leakage Protection – PARTIAL (log each USB drive inserted; write-to-removable media can be prevented; block execution of malware which steals data/information)
What Makes Us Different?

● Whitelisting with integrated Patch Management, making possible
● Automated whitelist maintenance
● Patch Compliance reporting without false positives (FDCC, CVE, others)
● Event scheduling (shut down apps, change user mode, schedule & execute any console command)
● Command console on target node
● Network Access Control (detect/report newcomers on network)

Each node has its own white list, updated as patches, updates, and applications are deployed. Command console gives you a console window on the target node, and event scheduling lets you schedule any input that the target node's console will accept, as if you were there. Network Access Control discriminates between new authorized and new unauthorized devices, although both are initially unknown.
End-User Impacts

● Can't run "non-business" applications
● Can't install off-whitelist software
● Can't download software from the web
● Can't run file-sharing and IM applications
● Can't get infected by web browsing or opening infected email or attachments

Once users understand the importance of culture changes, they go along.

Approved "Add To Whitelist" policy and procedure must be published to all.
Organization Impacts

● No malware infections
● No patchable vulnerabilities
● No unauthorized software
● "Proof of Compliance" endpoint audits
● More orderly use of IT staff (fewer fire drills)

Increased security at all endpoints makes your organization a less attractive target.
Demo

● Insert removable media – detected, reported, logged
● Execute file on removable media – blocked, reported, logged
● Copy executable from removable media to hard drive – quarantined, reported, logged
● Browse infected web site (assist malware download as necessary) – download quarantined
● Repeat at other infected web sites – quarantined

Shouldn't your organization be so well protected?
Naknan Corporate Contacts

● Noklek Finley, President & CEO
● Doug Finley, Vice President, 281-990-0030, Ext. 12

1300-A Bay Area Blvd., Suite 233
Houston, TX 77058
281-990-0030
www.naknan.com

Business Development Team:
● Romani Perera, Business Development, Romani_Perera@naknan.com
● Timi Finley John, Director-Support Services, Timi_Finley@naknan.com
