© 2014 IBM Corporation
IBM Security
Re-defining Endpoint Protection
Mike Rothman, Securosis
Andy Land, IBM
Re-defining Endpoint Protection
Mike Rothman, President
mrothman@securosis.com
Twitter: @securityincite
Advanced Endpoint and Server Protection: Tactics and Techniques
About Securosis
• Independent analysts with backgrounds on both the user and vendor side.
• Focused on deep technical and industry expertise.
• We like pragmatic.
• We are security guys – that’s all we do.
Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks
How customers view Endpoint Protection
• Compliance is the main driver for endpoint protection
• Whether it works or not is not the issue.
• And to be clear, traditional anti-malware technology doesn’t work anymore.
http://flic.kr/p/9kC2Q1
Milking the AV Cash Cow
• Add incremental functions:
• HIPS/Heuristics
• “Crowd-sourcing” threats
• File reputation
• Endpoint hygiene
Threat Management Reimagined
Prevention
Next you try to stop an attack from being successful. This is where most of the effort in security has gone for the past decade, with mixed (okay, lousy) results. A number of new tactics and techniques are modestly increasing effectiveness, but the simple fact is that you cannot prevent every attack. It has become a question of reducing your attack surface as much as practical. If you can stop the simplistic attacks you can focus on the more advanced ones.
Adversaries: Better and Better
• Advanced malware
• Polymorphism
• Sophisticated targeting
• Professional processes
http://www.flickr.com/photos/dzingeek/4587871752/
The Negative Security Model
http://www.despair.com/tradition.html
Traditional AV
Detection of advanced attacks stays problematic as long as it is restricted to matching files against known signatures at runtime. A zero-day has no signature yet, and polymorphic malware changes its bytes with every sample, so file matching alone gives you little chance against either.
You don’t know what malware is going to look like...
But you DO know what software should and should not do.
This calls for Advanced Heuristics
Advanced Heuristics
Heuristics have evolved from generic rules into models of normal application behavior. Accuracy improves dramatically because the rules are built and maintained per application: what a word processor may legitimately do is a far smaller set than what any process on the machine may do.
Look for what?
• Executables/dependencies
• Injected threads
• Process creation
• System file/configuration/registry changes
• File system changes
• OS level functions including print screen, network stack changes, key logging, etc.
• Turning off protections
• Account creation and privilege escalation
http://flic.kr/p/6Yz7MB
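The indicators above only become a detector once they are scored against what each application is expected to do. The following is an added example, not code from the slides or from any vendor product: a small per-application behavioural heuristics engine in Python, run over constructed Sysmon-style events in which a Word document spawns an encoded PowerShell that persists via a Run key, adds an account, stops the AV service and injects into explorer.exe. The event field names, the per-application baselines, the rule weights and the alert threshold are all assumptions made for the example.

```python
"""Behavioural heuristics over endpoint telemetry, scored per process tree.

Added example, not code from the slides or from any vendor product. The
event format (a Sysmon/EDR-like dict per event), the per-application
baselines and the rule weights are assumptions for illustration."""
from collections import defaultdict

# Per-application baseline: the child processes an application is expected
# to spawn. A child outside the set is anomalous *for that application*,
# which is the "rules built and maintained per application" idea above.
BASELINES = {
    "winword.exe": {"splwow64.exe"},
    "chrome.exe": {"chrome.exe"},
}
# Services whose stop we treat as "turning off protections" (assumed names).
PROTECTION_SERVICES = {"WinDefend", "MsMpSvc", "Sense"}

# Constructed telemetry: a document opened in Word spawns an encoded
# PowerShell that persists, adds an account, stops AV and injects into
# explorer.exe; Chrome and svchost do ordinary things.
EVENTS = [
    {"pid": 1, "image": "WINWORD.EXE", "type": "file_write",
     "path": r"C:\Users\a\Documents\q3.docx"},
    {"pid": 1, "image": "WINWORD.EXE", "type": "process_create",
     "child": "powershell.exe", "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"pid": 2, "parent_pid": 1, "image": "powershell.exe", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"pid": 2, "parent_pid": 1, "image": "powershell.exe", "type": "process_create",
     "child": "net.exe", "cmdline": "net user backup P@ss /add"},
    {"pid": 2, "parent_pid": 1, "image": "powershell.exe", "type": "service_stop",
     "service": "WinDefend"},
    {"pid": 2, "parent_pid": 1, "image": "powershell.exe", "type": "thread_inject",
     "target": "explorer.exe"},
    {"pid": 3, "image": "chrome.exe", "type": "process_create",
     "child": "chrome.exe", "cmdline": "chrome.exe --type=renderer"},
    {"pid": 4, "image": "svchost.exe", "type": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start"},
]


def _root_pid(pid, parents):
    """Follow parent_pid links to the top of the process tree."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def analyze(events, baselines=BASELINES):
    """Return {root_pid: {"score": int, "findings": [(rule, weight, detail)]}}.

    Findings are attributed to the root of the process tree so that a chain
    like winword -> powershell -> net.exe is judged as one attack, not three
    unrelated processes."""
    parents = {e["pid"]: e["parent_pid"] for e in events if "parent_pid" in e}
    findings = defaultdict(list)
    for e in events:
        root = _root_pid(e["pid"], parents)
        kind = e["type"]
        if kind == "process_create":
            child = e["child"].lower()
            allowed = baselines.get(e["image"].lower())
            if allowed is not None and child not in allowed:
                findings[root].append(("unexpected_child", 40, f'{e["image"]} -> {child}'))
            cmd = e.get("cmdline", "").lower()
            if child == "powershell.exe" and "-enc" in cmd:
                findings[root].append(("encoded_powershell", 30, cmd))
            if " /add" in cmd:  # account creation via "net user ... /add"
                findings[root].append(("account_creation", 50, cmd))
        elif kind == "registry_set" and "\\currentversion\\run\\" in e["key"].lower():
            findings[root].append(("persistence", 30, e["key"]))
        elif kind == "service_stop" and e["service"] in PROTECTION_SERVICES:
            findings[root].append(("disable_protection", 60, e["service"]))
        elif kind == "thread_inject":
            findings[root].append(("injection", 60, f'{e["image"]} -> {e["target"]}'))
    return {root: {"score": sum(w for _, w, _ in f), "findings": f}
            for root, f in findings.items()}


def verdicts(events, threshold=80):
    """Map each flagged process-tree root to True when its score reaches the threshold."""
    return {root: r["score"] >= threshold for root, r in analyze(events).items()}


if __name__ == "__main__":
    for root, r in analyze(EVENTS).items():
        print(root, r["score"], [f[0] for f in r["findings"]])
```

Two design choices carry the weight here: every finding is attributed to the root of the process tree, so winword → powershell → net.exe is one incident rather than three weak signals, and rules add to a score instead of alerting individually, so a single unusual child process stays below the threshold while the combination does not.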
Application Control
• Define a set of authorized executables that can run on a device, and block everything else.
• A flexible “trust” model offers a “grace” period to install software: authorized publishers, trusted employees, etc.
• Though every widening of the trust model weakens the control…
http://flic.kr/p/97Kqk8
Application Control Use Cases
• Servers
• Fixed function devices
• High value endpoints
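To make the trade-off on the previous slide concrete, here is an added example (not from the slides or from any product) of an application-control decision function in Python, with a strict hash-only policy beside the flexible one: trusted publishers plus a grace window for files written by a trusted installer. Paths, file bytes, the signer name and the installer name are constructed, and signature verification is assumed to have been done upstream; the code only consumes the resulting publisher name.

```python
"""Application control: default-deny with a hash allowlist, then the
"flexible trust" extensions the slide mentions (trusted publishers and a
grace period for files written by a trusted installer).

Added example, not code from the slides or from any product. File bytes,
paths, signer names and installer names are constructed; signature
verification itself is assumed to have happened upstream."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Binary:
    path: str
    content: bytes                       # stand-in for the file on disk
    signer: Optional[str] = None         # publisher from an already-verified signature
    written_by: Optional[str] = None     # process that created the file
    written_at: float = 0.0              # epoch seconds of that write

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    allowed_hashes: Set[str]
    trusted_publishers: Set[str] = field(default_factory=set)
    trusted_installers: Set[str] = field(default_factory=set)
    grace_seconds: float = 0.0           # 0 disables the installer grace window

    def decide(self, b: Binary, now: float) -> Tuple[bool, str]:
        """Return (allowed, reason). Order matters: the narrowest trust wins."""
        if b.sha256 in self.allowed_hashes:
            return True, "hash"
        if b.signer and b.signer in self.trusted_publishers:
            return True, f"publisher:{b.signer}"
        if (b.written_by in self.trusted_installers and self.grace_seconds > 0
                and 0 <= now - b.written_at <= self.grace_seconds):
            return True, f"grace:{b.written_by}"
        return False, "default-deny"


NOW = 1_400_000_000.0  # constructed "current time"
BINARIES = [
    Binary(r"C:\Program Files\App\app.exe", b"app-v1"),
    Binary(r"C:\Program Files\App\updater.exe", b"updater-v2", signer="Example Software Ltd"),
    # Unknown binary dropped by the packaging tool 30 s ago: inside the grace window.
    Binary(r"C:\Windows\Temp\setup_helper.exe", b"unknown-helper",
           written_by="msiexec.exe", written_at=NOW - 30),
    # Unknown binary dropped by Word 5 s ago: no trusted path to it.
    Binary(r"C:\Users\a\AppData\Local\Temp\inv.exe", b"dropper",
           written_by="WINWORD.EXE", written_at=NOW - 5),
    # Dropped by the installer an hour ago: the grace window has expired.
    Binary(r"C:\Windows\Temp\late.exe", b"late", written_by="msiexec.exe", written_at=NOW - 3600),
]

STRICT = Policy(allowed_hashes={BINARIES[0].sha256})
FLEXIBLE = Policy(allowed_hashes={BINARIES[0].sha256},
                  trusted_publishers={"Example Software Ltd"},
                  trusted_installers={"msiexec.exe"},
                  grace_seconds=300)


def evaluate(policy: Policy, binaries=BINARIES, now=NOW):
    """Decide every binary under one policy: {path: (allowed, reason)}."""
    return {b.path: policy.decide(b, now) for b in binaries}


if __name__ == "__main__":
    for name, pol in (("strict", STRICT), ("flexible", FLEXIBLE)):
        print(name)
        for path, (ok, why) in evaluate(pol).items():
            print(f"  {'ALLOW' if ok else 'DENY':5} {why:32} {path}")
```

The grace branch is exactly where flexibility weakens the control: anything a trusted installer writes during the window runs, including a file smuggled into a package or written by a compromised installer. In practice keep the window short, log every grace decision, and promote the file's hash to the allowlist only after review.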
Isolation
Spin up a walled garden to run applications. If the app is compromised (detected using advanced heuristics), the sandbox stops it from reaching core device resources such as the host file system, registry and other processes' memory, and stops the attacker from loading additional malware.
Old concept, New Packaging
• Isolation is not new. VMs have been in use by sophisticated users for years.
• Isolation still needs some OS-level services, and every such interface is attack surface for a sandbox escape.
• VM- (or isolation-) aware malware stays dormant while it believes it is being observed.
• Sophisticated evasion techniques are emerging: waiting for human interaction, timers, process hiding, etc.
Choosing Prevention
• What kind of adversaries do you face?
• Which applications are most frequently used?
• How disruptive will employees allow the protection to be?
• What percentage of devices have been replaced in the past year?
Understanding Effectiveness
• Hype, religion and snake oil will be common as vendors look to establish their approach as “best.”
• Comparative tests are frequently gamed; treat any one of them as a single data point.
• Look for testing outliers and go on from there.
http://flic.kr/p/7SrgR3
Summary
• Advanced Protection requires a broader view of threat management
• Innovation on endpoint/server prevention will accelerate
• Shift investment from ineffective legacy prevention to more effective advanced prevention, detection and investigation.
http://www.flickr.com/photos/74571262@N08/6710953053/
Read our stuff
• Blog
• http://securosis.com/blog
• Research
• http://securosis.com/research
• We publish (almost) everything for free
• Contribute. Make it better.
Mike Rothman
Securosis LLC
mrothman@securosis.com
http://securosis.com/blog
Twitter: @securityincite
Trusteer Apex
Are you fighting a losing battle?
IBM Internal Use Only
• Humans will always make mistakes
• System and application vulnerabilities continue to emerge
• Malware detection will always lag
Do you have the right weapons?
IBM Confidential until May XY, 2014
Fragmented market with point products
• The endpoint protection market is highly fragmented with many point solutions, e.g., sandboxing, application control, whitelisting
Major security control gaps
• Existing products offer no controls for major attack vectors, e.g., zero-day exploits and application-level Java attacks
Challenging manageability and operations
• Advanced threat solutions are difficult and costly to operate
• Difficult to scale manual remediation processes to thousands of enterprise endpoints
• High false positive rates
• Whitelisting processes on endpoints are unmanageable at scale
Trusteer Apex
Preemptive, low-impact defense for enterprise endpoints
ADVANCED MULTI-LAYERED DEFENSE: comprehensive endpoint defense against advanced threats.
DYNAMIC INTELLIGENCE: advanced threat intelligence collected from tens of millions of endpoints.
LOW OPERATIONAL IMPACT: low overhead on IT / security teams, transparent to end users.
Apex multi-layered defense architecture
[Figure: the Apex layer stack. Three of the layers are marked NEW on the slide.]
Threat and Risk Reporting: vulnerability mapping and critical event reporting.
Advanced Threat Analysis and Turnkey Service.
Protection layers:
• Credential Protection: alert on and prevent phishing, and the reuse of corporate credentials on non-corporate sites.
• Exploit Chain Disruption: prevent infections via exploits; zero-day defense by controlling the exploit-chain choke point.
• Cloud Based File Inspection: legacy protection against known viruses; consolidates over 20 AV engines for maximal efficacy and operational simplicity.
• Malicious Communication Prevention: block malware communication, disrupt C&C control, prevent data exfiltration.
• Lockdown for Java: prevent high-risk actions by malicious Java applications.
Global Threat Research and Intelligence: global threat intelligence delivered in near-real time from the cloud.
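How the Credential Protection layer can work without the agent ever holding the corporate password is worth spelling out. The block below is an added example in Python, not Trusteer's code: the agent enrolls a keyed hash (HMAC under a per-device secret) of each corporate password and, on every login-form submission it observes, blocks the submission when the destination host is outside the corporate domains and the typed password matches an enrolled one. The corporate domain, the device secret and the submissions are constructed for the example.

```python
"""Credential protection on the endpoint: block corporate passwords from
being typed into non-corporate sites (phishing or password reuse).

Added example, not code from the slides or from Trusteer Apex. The agent
holds only an HMAC of each enrolled password under a per-device secret,
never the plaintext; the corporate domains, device secret and form
submissions below are constructed."""
import hashlib
import hmac
from urllib.parse import urlsplit


class CredentialGuard:
    def __init__(self, device_secret: bytes, corporate_domains):
        self._key = device_secret
        self._corp = {d.lower().strip(".") for d in corporate_domains}
        self._tags = {}  # username -> HMAC tag of that user's corporate password

    def _tag(self, password: str) -> bytes:
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).digest()

    def enroll(self, username: str, password: str) -> None:
        """Record the corporate credential; only the keyed hash is kept."""
        self._tags[username.lower()] = self._tag(password)

    def _is_corporate(self, host: str) -> bool:
        # Exact match or a dot-bounded subdomain, so "evilcorp.example" and
        # "sso.corp.example.evil.net" are not mistaken for "corp.example".
        return any(host == d or host.endswith("." + d) for d in self._corp)

    def on_submit(self, url: str, username: str, password: str) -> str:
        """Verdict for one observed login-form submission."""
        host = (urlsplit(url).hostname or "").lower()
        if self._is_corporate(host):
            return "allow"
        submitted = self._tag(password)
        # Compare against every enrolled password, not just this username's:
        # a phishing page may ask for an e-mail address instead of the SSO name.
        if any(hmac.compare_digest(submitted, t) for t in self._tags.values()):
            return "block:credential-reuse"
        return "allow"


# Constructed submissions as (url, username, password) seen by a browser hook.
SUBMISSIONS = [
    ("https://sso.corp.example/login", "alice", "Winter2014!"),          # legitimate SSO
    ("https://mail.example-webmail.net/login", "alice", "Winter2014!"),  # phishing page
    ("https://sso.corp.example.evil.net/login", "a.lice@corp.example", "Winter2014!"),  # lookalike host
    ("https://forum.example.org/login", "alice", "forum-only-pass"),     # unrelated password
    ("https://evilcorp.example/login", "alice", "Winter2014!"),          # suffix trick
]


def audit(submissions=SUBMISSIONS):
    """Run the constructed submissions through a guard enrolled for one user."""
    guard = CredentialGuard(b"per-device-secret-from-the-agent-store", {"corp.example"})
    guard.enroll("alice", "Winter2014!")
    return [guard.on_submit(*s) for s in submissions]


if __name__ == "__main__":
    for s, v in zip(SUBMISSIONS, audit()):
        print(v, s[0])
```

The check has to run at submission time, before the request leaves the browser, or the credential is already gone. The keyed hash keeps a stolen policy store from yielding passwords directly, but an attacker holding both the store and the device secret can still guess offline, so the tag protects against disclosure, not against brute force.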
Controlling exploit-chain chokepoints
[Figure: attack progression plotted against “No. of Types”, the number of distinct artifacts a control at each stage has to recognize.]
Attack progression, left to right: delivery of weaponized content → exploitation of an application vulnerability → malware delivery → malware persistency → execution and malicious access to content → establishing communication channels → data exfiltration.
What the legacy control at each stage has to enumerate, with the count of types as labelled on the slide:
• Unpatched and zero-day vulnerabilities (patching): Endless
• Weaponized content (IPS, sandbox): Many
• Malicious files (antivirus, whitelisting): Endless
• Malicious behavior activities (HIPS): Many
• Destinations (C&C traffic detection): Endless
Pre-exploit layers: File Inspection, Endpoint Vulnerability Reporting, Credential Protection.
Strategic chokepoints, where Apex applies control instead of enumerating artifacts: Exploit Chain Disruption, Lockdown for Java, Malicious Communication Blocking.
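Two of the stages above, C&C destinations and malicious communication, can be illustrated together. The block below is an added example in Python, not product code: it runs a reputation lookup and a beaconing heuristic over constructed proxy-log lines for one client, flagging a host that is both on a blocklist and polled every five minutes, and showing that the periodicity alone still flags it when the blocklist is empty, which is the unknown-destination case the slide's "Endless" label points at. The log format, blocklist, thresholds and log lines are all assumptions made for the example.

```python
"""Malicious-communication detection over proxy logs: a reputation match
plus a beaconing heuristic that catches periodic callbacks even when the
destination is not yet on any list.

Added example, not code from the slides or from any product. The log
format (space-separated timestamp, client, method, URL, status, bytes),
the blocklist and the log lines are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

LOG = """\
2014-05-05T10:00:00Z 10.1.2.3 GET https://www.example.com/ 200 5120
2014-05-05T10:00:00Z 10.1.2.3 GET https://cdn.example.net/app.js 200 81920
2014-05-05T10:00:00Z 10.1.2.3 POST https://api.update-srv.biz/gate.php 200 312
2014-05-05T10:03:10Z 10.1.2.3 GET https://www.example.com/news 200 9000
2014-05-05T10:05:01Z 10.1.2.3 POST https://api.update-srv.biz/gate.php 200 298
2014-05-05T10:07:45Z 10.1.2.3 GET https://www.example.com/about 200 7000
2014-05-05T10:09:00Z 10.1.2.3 GET https://www.example.com/jobs 200 8000
2014-05-05T10:10:00Z 10.1.2.3 POST https://api.update-srv.biz/gate.php 200 305
2014-05-05T10:15:02Z 10.1.2.3 POST https://api.update-srv.biz/gate.php 200 301
2014-05-05T10:18:20Z 10.1.2.3 GET https://www.example.com/contact 200 6000
2014-05-05T10:19:59Z 10.1.2.3 POST https://api.update-srv.biz/gate.php 200 310
"""

# Constructed reputation feed; in practice this is the cloud-delivered list.
BLOCKLIST = {"api.update-srv.biz"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse(log):
    """Yield (timestamp, client, host) per well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status, _size = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, urlsplit(url).hostname


def beacon_cv(times, min_events=5):
    """Coefficient of variation of the gaps between requests (None if too few).

    A human browsing a site produces irregular gaps (high CV); an implant
    polling its C&C on a timer produces near-constant gaps (CV close to 0)."""
    if len(times) < min_events:
        return None
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return round(statistics.stdev(gaps) / mean, 3)


def analyze_proxy(log=LOG, blocklist=BLOCKLIST, max_cv=0.2):
    """Return {(client, host): [reasons]} for every pair worth blocking or alerting on."""
    per_pair = defaultdict(list)
    for t, client, host in parse(log):
        per_pair[(client, host)].append(t)
    verdicts = {}
    for pair, times in per_pair.items():
        reasons = []
        if pair[1] in blocklist:
            reasons.append("reputation")
        cv = beacon_cv(times)
        if cv is not None and cv < max_cv:
            reasons.append(f"beacon(cv={cv})")
        if reasons:
            verdicts[pair] = reasons
    return verdicts


if __name__ == "__main__":
    for (client, host), why in analyze_proxy().items():
        print(client, host, why)
```

The browsing traffic to www.example.com has five requests too, but its gaps (190, 275, 75 and 560 seconds) give a coefficient of variation near 0.75, while the five-minute callbacks sit near 0.007. Real implants add jitter to their sleep, so tune `max_cv` and `min_events` against your own baseline rather than copying these values.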
Low operational impact
Advanced threat analysis and turnkey service
Eliminate the traditional security team approach (detect, notify, and manually resolve):
• Low-footprint threat prevention: minimize impact by blocking only the most sensitive actions.
• Exceptional turnkey service: centralized risk assessment service.
• Low impact to IT security team: directly update endpoint users.
Dynamic intelligence
Crowd-sourced expertise in threat research and dynamic intelligence
Global Threat Research and Intelligence
• Combines the renowned expertise of X-Force with Trusteer malware research
• Catalog of 70K+ vulnerabilities, 17B+ web pages, and data from 100M+ endpoints
• Intelligence databases dynamically updated on a minute-by-minute basis
Real-time sharing of Trusteer intelligence (NEW): phishing sites, URL/web categories, IP/domain reputation, exploit triage, malware tracking, zero-day research.
Client example: Major heavy equipment manufacturer
Protecting endpoints against advanced threats and malware
Business challenge
• Protect 10,000 endpoints in multiple international locations
• Provide remote access to suppliers, contractors and employees
• Prevent IP and technology data theft
IBM Security Solution: Trusteer Apex
Trusteer Apex protects endpoints throughout the threat lifecycle by applying an integrated, multi-layered defense to prevent endpoint compromise for both managed and remote endpoints. Threats are continually analyzed and protections provided by Trusteer’s turnkey service.
Result: discovered 32 threats and 100 suspicious activities within weeks of deployment, despite the other security products already in place.
Apex is essential to the IBM Threat Protection System
IBM Confidential - NDA until May 5, 2014
[Figure: the five numbered parts of the IBM Threat Protection System, with the additions marked NEW on the slide.]
• Smarter Prevention: Trusteer Apex Endpoint (Exploit Chain Disruption) and IBM Security Network Protection XGS. NEW: Java Lockdown Protection with granular control of untrusted code, cloud-based file inspection, and QRadar integration; Advanced Threat Quarantine integration from QRadar and third-party products, and inclusion of Trusteer intelligence into XGS.
• Security Intelligence: IBM Security QRadar Security Intelligence. NEW: Data Node appliance, new flow and event APIs, and QRadar Vulnerability Manager scanning improvements.
• Continuous Response: IBM Security QRadar Incident Forensics and IBM Emergency Response Services. NEW: integrated forensics module with full packet search and visual reconstruction of relationships; increased global coverage and expertise related to malware analysis and forensics.
• Global Threat Intelligence: IBM X-Force Threat Intelligence. NEW: real-time sharing of Trusteer threat intelligence from 100M+ endpoints with X-Force.
• Open Integrations: ready for the IBM Security Intelligence Ecosystem. NEW: functionality from partners including FireEye, TrendMicro, Damballa and other protection vendors.
Introducing IBM Trusteer Apex
Re-defining endpoint protection for the advanced threat landscape
Trusteer Fast Facts:
• Acquired by IBM August 2013; adds endpoint protection capabilities to the IBM Security Portfolio
• Unique integrations: integrated into the IBM Threat Protection System
• Advanced threat defense leaders: analyzing and preventing APTs for the last 8 years
Disclaimer
Please Note:
IBM’s statements regarding its plans, directions, and intent are subject to change
or withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general product
direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment,
promise, or legal obligation to deliver any material, code or functionality. Information about
potential future products may not be incorporated into any contract. The development,
release, and timing of any future features or functionality described
for our products remains at our sole discretion.
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is
provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related
to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or
its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these
materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not
intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of
the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks
or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

More Related Content

PPTX
Gartner technologies for Infosec 2014-2015
PPTX
Post Wannacry Update
PDF
The Business Case for Enterprise Endpoint Protection: Can You Afford Not To?
PDF
Expand Your Control of Access to IBM i Systems and Data
PDF
Controlling Access to IBM i Systems and Data
PDF
3 Enablers of Successful Cyber Attacks and How to Thwart Them
PPT
MDM is not Enough - Parmelee
PDF
Common WebApp Vulnerabilities and What to Do About Them
Gartner technologies for Infosec 2014-2015
Post Wannacry Update
The Business Case for Enterprise Endpoint Protection: Can You Afford Not To?
Expand Your Control of Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
3 Enablers of Successful Cyber Attacks and How to Thwart Them
MDM is not Enough - Parmelee
Common WebApp Vulnerabilities and What to Do About Them

What's hot (20)

KEY
Application Security Done Right
PDF
AusCERT - Developing Secure iOS Applications
PDF
Don’t Drown in a Sea of Cyberthreats: Mitigate Attacks with IBM BigFix & QRadar
PPTX
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
PDF
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
PDF
Top Strategies to Capture Security Intelligence for Applications
PDF
Benchmarking Web Application Scanners for YOUR Organization
PDF
Vulnerability threat and attack
PPTX
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
PPTX
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
PDF
Threat Modeling for the Internet of Things
PDF
Vulnerability Management In An Application Security World: AppSecDC
PDF
MSP Mastering the Secrets to Succuss in Managed Security
PPTX
SDL: Secure design principles
PDF
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
PDF
Smart Phones Dumb Apps
PPTX
Fortify On Demand and ShadowLabs
PDF
Vulnerability Management In An Application Security World
PDF
Software Security for Project Managers: What Do You Need To Know?
PPT
Secure by design and secure software development
Application Security Done Right
AusCERT - Developing Secure iOS Applications
Don’t Drown in a Sea of Cyberthreats: Mitigate Attacks with IBM BigFix & QRadar
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Top Strategies to Capture Security Intelligence for Applications
Benchmarking Web Application Scanners for YOUR Organization
Vulnerability threat and attack
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
Threat Modeling for the Internet of Things
Vulnerability Management In An Application Security World: AppSecDC
MSP Mastering the Secrets to Succuss in Managed Security
SDL: Secure design principles
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Smart Phones Dumb Apps
Fortify On Demand and ShadowLabs
Vulnerability Management In An Application Security World
Software Security for Project Managers: What Do You Need To Know?
Secure by design and secure software development
Ad

Similar to Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks (20)

PPTX
Building a Multi-Layered Defense for Your IBM i Security
PDF
Scalar Security Roadshow April 2015
PDF
IBM BigFix: Closing the Endpoint Gap Between IT Ops and Security
PDF
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
PPTX
Application security meetup k8_s security with zero trust_29072021
PPTX
IBM Security Portfolio - 2015
PDF
Journey to the Cloud: Securing Your AWS Applications - April 2015
PPTX
Perforce on Tour 2015 - How are You Protecting Your Source Code?
PDF
Beyond security testing
PPTX
For Business's Sake, Let's focus on AppSec
PPTX
Defending Your IBM i Against Malware
PPTX
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
PDF
Complete Endpoint protection
PPTX
A Closer Look at Isolation: Hype or Next Gen Security?
PDF
Threat_Modelling.pdf
PPTX
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
PPTX
Stopping Advanced Attacks on their Onset: A Practical Look at Modern Day Prev...
PDF
Many products-no-security (1)
PPTX
IBM Relay 2015: Securing the Future
 
PDF
Cisco Security Presentation
Building a Multi-Layered Defense for Your IBM i Security
Scalar Security Roadshow April 2015
IBM BigFix: Closing the Endpoint Gap Between IT Ops and Security
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
Application security meetup k8_s security with zero trust_29072021
IBM Security Portfolio - 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015
Perforce on Tour 2015 - How are You Protecting Your Source Code?
Beyond security testing
For Business's Sake, Let's focus on AppSec
Defending Your IBM i Against Malware
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Complete Endpoint protection
A Closer Look at Isolation: Hype or Next Gen Security?
Threat_Modelling.pdf
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Stopping Advanced Attacks on their Onset: A Practical Look at Modern Day Prev...
Many products-no-security (1)
IBM Relay 2015: Securing the Future
 
Cisco Security Presentation
Ad

More from IBM Security (20)

PPTX
Automation: Embracing the Future of SecOps
PDF
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
PDF
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
PPTX
Integrated Response with v32 of IBM Resilient
PDF
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
PDF
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
PDF
Accelerating SOC Transformation with IBM Resilient and Carbon Black
PDF
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
PPTX
Are You Ready to Move Your IAM to the Cloud?
PPTX
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
PPTX
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
PPTX
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
PPTX
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
PDF
WannaCry Ransomware Attack: What to Do Now
PPTX
How to Improve Threat Detection & Simplify Security Operations
PPTX
IBM QRadar UBA
PDF
Mobile Vision 2020
PDF
Retail Mobility, Productivity and Security
PDF
Close the Loop on Incident Response
PDF
Orchestrate Your Security Defenses; Protect Against Insider Threats
Automation: Embracing the Future of SecOps
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Integrated Response with v32 of IBM Resilient
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Accelerating SOC Transformation with IBM Resilient and Carbon Black
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
Are You Ready to Move Your IAM to the Cloud?
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
WannaCry Ransomware Attack: What to Do Now
How to Improve Threat Detection & Simplify Security Operations
IBM QRadar UBA
Mobile Vision 2020
Retail Mobility, Productivity and Security
Close the Loop on Incident Response
Orchestrate Your Security Defenses; Protect Against Insider Threats

Recently uploaded (20)

PPTX
Spectroscopy.pptx food analysis technology
PDF
Network Security Unit 5.pdf for BCA BBA.
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
PPTX
TLE Review Electricity (Electricity).pptx
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
Assigned Numbers - 2025 - Bluetooth® Document
PPTX
Machine Learning_overview_presentation.pptx
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PPTX
Programs and apps: productivity, graphics, security and other tools
PDF
Encapsulation theory and applications.pdf
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PDF
A comparative study of natural language inference in Swahili using monolingua...
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PPTX
cloud_computing_Infrastucture_as_cloud_p
PPTX
Tartificialntelligence_presentation.pptx
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Spectroscopy.pptx food analysis technology
Network Security Unit 5.pdf for BCA BBA.
SOPHOS-XG Firewall Administrator PPT.pptx
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
TLE Review Electricity (Electricity).pptx
Mobile App Security Testing_ A Comprehensive Guide.pdf
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Digital-Transformation-Roadmap-for-Companies.pptx
Assigned Numbers - 2025 - Bluetooth® Document
Machine Learning_overview_presentation.pptx
Per capita expenditure prediction using model stacking based on satellite ima...
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
Programs and apps: productivity, graphics, security and other tools
Encapsulation theory and applications.pdf
Agricultural_Statistics_at_a_Glance_2022_0.pdf
A comparative study of natural language inference in Swahili using monolingua...
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
cloud_computing_Infrastucture_as_cloud_p
Tartificialntelligence_presentation.pptx
Build a system with the filesystem maintained by OSTree @ COSCUP 2025

Re-defining Endpoint Protection: Preventing Compromise in the Face of Advanced Attacks

  • 1. © 2014 IBM Corporation IBM Security 1© 2014 IBM Corporation Re-defining Endpoint Protection Mike Rothman, Securosis Andy Land, IBM
  • 2. Re-defining Endpoint Protection Mike Rothman, President mrothman@securosis.com Twitter: @securityincite Advanced Endpoint and Server Protection: Tactics and Techniques
  • 3. About Securosis • Independent analysts with backgrounds on both the user and vendor side. • Focused on deep technical and industry expertise. • We like pragmatic. • We are security guys – that’s all we do.
  • 5. How customers view Endpoint Protection • Compliance is the main driver for endpoint protection • Whether it works or not is not the issue. • And to be clear, traditional anti-malware technology doesn’t work anymore. http://flic.kr/p/9kC2Q1
  • 6. Milking the AV Cash Cow • Add incremental functions: • HIPS/Heuristics • “Crowd-sourcing” threats • File reputation • Endpoint hygiene
  • 8. Prevention Next you try to stop an attack from being successful. This is where most of the effort in security has gone for the past decade, with mixed (okay, lousy) results. A number of new tactics and techniques are modestly increasing effectiveness, but the simple fact is that you cannot prevent every attack. It has become a question of reducing your attack surface as much as practical. If you can stop the simplistic attacks you can focus on more advanced ones.
  • 9. Adversaries: Better and Better Advanced Malware Polymorphism Sophisticated targeting Professional Processes http://www.flickr.com/photos/dzingeek/4587871752/
  • 10. The Negative Security Model http://www.despair.com/tradition.html
  • 11. Traditional AV But detection of advanced attacks is still problematic if detection is restricted to matching files at runtime. You have no chance to detect zero-day or polymorphic malware attacks
  • 12. You don’t know what malware is going to look like... But you DO know what software should and should not do. This calls for Advanced Heuristics
  • 13. Advanced Heuristics Heuristics have evolved to recognize normal application behavior. This dramatically improves accuracy because rules are built and maintained at a specific application-level.
  • 14. Look for what? • Executables/dependencies • Injected threads • Process creation • System file/configuration/registry changes • File system changes • OS level functions including print screen, network stack changes, key logging, etc. • Turning off protections • Account creation and privilege escalation http://flic.kr/p/6Yz7MB
  • 15. Application Control • Define a set of authorized executables that can run on a device, and block everything else. • Flexible “trust” model to offer “grace” period to install s/w • Authorized publishers, trusted employees, etc. • Though more flexible trust models weaken security… http://flic.kr/p/97Kqk8
  • 16. Application Control Use Cases • Servers • Fixed function devices • High value endpoints
  • 17. Isolation Spin up a walled garden to run applications. If app is compromised (detected using advanced heuristics), the sandbox prevents the application from accessing core device features such as the file system and memory, and prevents the attacker from loading additional malware.
  • 18. Old concept, New Packaging • Isolation is not new. VM’s in use by sophisticated users for years. • Isolation still needs to use some O/S level services, which provides attack surface. • VM (or isolation) aware malware stays dormant • Sophisticated sophisticated evasion techniques emerging: human interaction, timers, process hiding, etc…
  • 19. Choosing Prevention • What kind of adversaries do you face? • Which applications are most frequently used? • How disruptive will employees allow the protection to be? • What percentage of devices have been replaced in the past year?
  • 20. Understanding Effectiveness • Hype, religion and snake oil will be common as vendors look to establish their approach as “best.” • Comparative tests frequently gamed. Provide one data point. • Look for testing outliers and go on from there. http://flic.kr/p/7SrgR3
  • 21. Summary • Advanced Protection requires a broader view of threat management • Innovation on endpoint/server prevention will accelerate • Shift investment from ineffective legacy prevention to more effective advanced prevention, detection and investigation. http://www.flickr.com/photos/74571262@N08/6710953053/
  • 22. Read our stuff • Blog • http://securosis.com/blog • Research • http://securosis.com/research • We publish (almost) everything for free • Contribute. Make it better.
  • 24. © 2014 IBM Corporation IBM Security 24© 2014 IBM Corporation Trusteer Apex
  • 25. © 2014 IBM Corporation IBM Security 25 Are you fighting a losing battle? IBM Internal Use Only • Humans will always make mistakes • System and application vulnerabilities continue to emerge • Malware detection will always lag
  • 26. © 2014 IBM Corporation IBM Security 26 Do you have the right weapons? IBM Confidential until May XY, 2014 Fragmented market with point products • Endpoint protection market is highly fragmented with many point solutions - e.g., Sandboxing, application control, whitelisting Major security control gaps • Existing products offer no controls for major attack vectors - e.g., Zero-day exploits, applicative Java attacks Challenging manageability and operations • Advanced threat solutions are difficult and costly to operate • Difficult to scale manual remediation processes to thousands of enterprise endpoints • High false positive rates • Whitelisting processes on endpoints non-manageable
  • 27. © 2014 IBM Corporation IBM Security 27 Trusteer Apex Preemptive, low-impact defense for enterprise endpoints IBM Confidential until May XY, 2014 ADVANCED MULTI-LAYERED DEFENSE Comprehensive endpoint defense against advanced threats DYNAMIC INTELLIGENCE Advanced threat intelligence collected from tens of millions of endpoints LOW OPERATIONAL IMPACT Low overhead on IT / security teams, transparent to end users Trusteer Apex
  • 28. © 2014 IBM Corporation IBM Security 28 Apex multi-layered defense architecture IBM Confidential until May XY, 2014 KB to create icon Threat and Risk Reporting Vulnerability Mapping and Critical Event Reporting Advanced Threat Analysis and Turnkey Service Credential Protection Exploit Chain Disruption Cloud Based File Inspection Malicious Communication Prevention Lockdown for Java Global Threat Research and Intelligence Global threat intelligence delivered in near-real time from the cloud NEW NEW NEW • Alert and prevent phishing and reuse on non- corporate sites • Prevent infections via exploits • Zero-day defense by controlling exploit-chain choke point • Legacy protection against known viruses • Consolidates over 20 AV engines for maximal efficacy and operational simplicity • Block malware communication • Disrupt C&C control • Prevent data exfiltration • Prevent high-risk actions by malicious Java applications
  • 29. © 2014 IBM Corporation IBM Security 29 No.ofTypes Attack Progression Data exfiltrationExploit Delivery of weaponized content Exploitation of app vulnerability Malware delivery Malware persistency Execution and malicious access to content Establish communication channels Data exfiltration Controlling exploit-chain chokepoints IBM Confidential until May XY, 2014 Pre-exploit 0011100101 1101000010 1111000110 0011001101 Strategic Chokepoint Strategic Chokepoint Strategic Chokepoint File Inspection Endpoint Vulnerability Reporting Credential Protection Destinations (C&C traffic detection) Endless Unpatched and zero-day vulnerabilities (patching) Many Weaponized content (IPS, sandbox) Endless Malicious files (antivirus, whitelisting) Endless Many Malicious behavior activities (HIPs) Exploit Chain Disruption Lockdown for Java Malicious Communication Blocking
• 30. Low operational impact: advanced threat analysis and turnkey service
  • Replaces the traditional security-team workflow (detect, notify, manually resolve)
  • Low-footprint threat prevention
  • Turnkey service with low impact on the IT security team
  • Minimizes user impact by blocking only the most sensitive actions
  • Centralized risk assessment service
  • Updates endpoint users directly
• 31. Dynamic intelligence: crowd-sourced expertise in threat research and dynamic intelligence
Global Threat Research and Intelligence
  • Combines the expertise of IBM X-Force with Trusteer malware research
  • Catalog of 70K+ vulnerabilities, 17B+ web pages, and data from 100M+ endpoints
  • Intelligence databases updated minute by minute
Real-time sharing of Trusteer intelligence (NEW) across the feeds: phishing sites, URL/web categories, IP/domain reputation, exploit triage, malware tracking, zero-day research
• 32. Client example: major heavy equipment manufacturer
Protecting endpoints against advanced threats and malware
Business challenge
  • Protect 10,000 endpoints in multiple international locations
  • Provide remote access to suppliers, contractors and employees
  • Prevent theft of IP and technology data
IBM Security solution: Trusteer Apex
Trusteer Apex protects endpoints throughout the threat lifecycle by applying an integrated, multi-layered defense to prevent endpoint compromise on both managed and remote endpoints. Threats are continually analyzed and protections provided by Trusteer's turnkey service.
Result: discovered 32 threats and 100 suspicious activities within weeks of deployment, on endpoints already covered by other security products.
• 33. Apex is essential to the IBM Threat Protection System
IBM Confidential - NDA until May 5, 2014
Smarter Prevention
  • Trusteer Apex (endpoint exploit chain disruption). NEW: Java Lockdown Protection with granular control of untrusted code, cloud-based file inspection, and QRadar integration
  • IBM Security Network Protection XGS. NEW: Advanced Threat Quarantine integration from QRadar and third-party products; Trusteer intelligence fed into XGS
Security Intelligence
  • IBM Security QRadar Security Intelligence. NEW: Data Node appliance, new flow and event APIs, and QRadar Vulnerability Manager scanning improvements
Continuous Response
  • IBM Security QRadar Incident Forensics. NEW: integrated forensics module with full packet search and visual reconstruction of relationships
  • IBM Emergency Response Services. NEW: increased global coverage and expertise in malware analysis and forensics
IBM X-Force Threat Intelligence. NEW: real-time sharing of Trusteer threat intelligence from 100M+ endpoints with X-Force Global Threat Intelligence
Open Integrations: ready for the IBM Security Intelligence Ecosystem. NEW: functionality from partners including FireEye, TrendMicro, Damballa and other protection vendors
• 34. Introducing IBM Trusteer Apex: re-defining endpoint protection for the advanced threat landscape
Trusteer fast facts
  • Acquired by IBM in August 2013; adds endpoint protection capabilities to the IBM Security portfolio
  • Unique integrations: integrated into the IBM Threat Protection System
  • Advanced threat defense leaders: analyzing and preventing APTs for the last 8 years
  • 35. Disclaimer Please Note: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
• 36. www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.