6. Recent Example: WMF Vulnerability

Timeline (days counted from discovery):
- Day 0, December 1: vulnerability discovered; exploit code being sold for $4,000 shortly afterward [1]
- Day 14, December 14: sites first post WMF exploits
- Day 27, December 27: initial disclosure of the vulnerability
- Day 28, December 28: Microsoft announces awareness; no patch for the issue
- Day 29, December 29: 50+ variants, 1,000+ sites reported
- Day 31, December 31: instant messaging, Trojan horses and botnets begin exploiting WMF; unofficial patch released by Ilfak Guilfanov
- Day 33, January 3: 1,000,000+ WMF-exploited downloads reported from just one site
- Day 35, January 5: Microsoft releases patch

Exposure windows:
- Vulnerability made public but no official patch available: 35 days
- Average exploit window before patches are deployed: 25 days [2]
- Total exploit window for the average organization (until the patch is fully deployed): 60 days
- Determina zero-day protection: active before the vulnerability is known

[1] Computerworld.com, "Russian hackers sold WMF exploit, analyst says"
[2] Wipro, Ltd 2005, "The Total Cost of Security Patch Management"
17. How Does Program Shepherding Work?

The run-time system sits between the program and the processor: it executes the program instruction by instruction out of its own code cache and never lets go of the program counter. Every control transfer (jmp, call, br, ret) is checked before it is taken:
- Restricted code origins: did this code come from a code page?
- Restricted control transfers: is it legal to go from here to there?

Diagram labels: Program, Run-time System, Code Cache, Program Counter.
21. Technique 2: Restricted Control Transfers

Restrict based on source address, destination address, and/or transfer type.

Figure (run-time system pipeline; labels only): context switch; basic block cache (non-control-flow instructions); indirect branch lookup; trace cache (non-control-flow instructions); "trace branch taken?" decision.
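Added example, not Determina's code and not the Program Shepherding/DynamoRIO implementation: a toy C model of the two policies from slides 17 and 21, run over constructed transfer traces. The memory layout, the entry-point list, the assumed 5-byte call length and every trace are illustrations; a real run-time system performs these checks when it copies a basic block into its code cache, not on a recorded trace.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Verdicts returned by run_trace(): V_OK means every transfer passed both policies. */
enum verdict { V_OK = 0, V_ORIGIN_NOT_CODE, V_ORIGIN_MODIFIED, V_BAD_CALL, V_BAD_RET, V_BAD_JMP };
enum kind { K_CALL, K_RET, K_JMP, K_WRITE };

#define CALL_LEN   5    /* assumed length of a direct call: its return site is src + 5 */
#define MAX_SHADOW 64

struct page  { uint64_t start, size; const char *module; int modified; };
struct event { enum kind kind; uint64_t src, dst; };

struct shepherd {
    struct page *pages;      size_t npages;
    const uint64_t *entries; size_t nentries;   /* legitimate call targets */
    uint64_t shadow[MAX_SHADOW]; size_t sp;     /* return sites pushed by calls */
};

static struct page *page_for(struct shepherd *s, uint64_t a) {
    for (size_t i = 0; i < s->npages; i++)
        if (a >= s->pages[i].start && a < s->pages[i].start + s->pages[i].size)
            return &s->pages[i];
    return NULL;
}

/* Restricted code origins: only unmodified pages loaded from an image may execute. */
static enum verdict check_origin(struct shepherd *s, uint64_t dst) {
    struct page *p = page_for(s, dst);
    if (!p || !p->module) return V_ORIGIN_NOT_CODE;   /* stack, heap or unmapped */
    if (p->modified)      return V_ORIGIN_MODIFIED;   /* written to after load */
    return V_OK;
}

/* Restricted control transfers: the rule depends on transfer type, source and destination. */
static enum verdict check_transfer(struct shepherd *s, const struct event *e) {
    struct page *src = page_for(s, e->src), *dst = page_for(s, e->dst);
    switch (e->kind) {
    case K_CALL: {                       /* calls may only land on known entry points */
        int ok = 0;
        for (size_t i = 0; i < s->nentries; i++) ok |= (s->entries[i] == e->dst);
        if (!ok || s->sp == MAX_SHADOW) return V_BAD_CALL;
        s->shadow[s->sp++] = e->src + CALL_LEN;
        break;
    }
    case K_RET:                          /* returns must match the call that pushed them */
        if (s->sp == 0 || s->shadow[--s->sp] != e->dst) return V_BAD_RET;
        break;
    case K_JMP:                          /* jumps between two code modules are refused */
        if (src && dst && src->module && dst->module && strcmp(src->module, dst->module) != 0)
            return V_BAD_JMP;
        break;
    case K_WRITE:                        /* sandboxed store: a write into a code page taints it */
        if (dst && dst->module) dst->modified = 1;
        return V_OK;
    }
    return check_origin(s, e->dst);      /* every taken transfer also passes the origin check */
}

enum verdict run_trace(struct shepherd *s, const struct event *t, size_t n) {
    for (size_t i = 0; i < n; i++) {
        enum verdict v = check_transfer(s, &t[i]);
        if (v != V_OK) return v;
    }
    return V_OK;
}

/* Constructed layout: an application image, a library image and the stack. */
static const uint64_t ENTRIES[] = { 0x401000, 0x7f001000, 0x7f002000 };

static void fresh(struct shepherd *s, struct page *pg) {
    static const struct page layout[] = {
        { 0x401000,   0x1000,  "app",  0 },
        { 0x7f000000, 0x10000, "libc", 0 },
        { 0x7ffe0000, 0x10000, NULL,   0 },   /* stack: never a code origin */
    };
    memcpy(pg, layout, sizeof layout);
    s->pages = pg; s->npages = 3;
    s->entries = ENTRIES; s->nentries = 3;
    s->sp = 0;
}

/* Constructed traces: 0 benign, 1 return-address hijack, 2 jump into stack shellcode,
   3 call into a library page that was patched in memory. */
enum verdict example_verdict(int which) {
    static const struct event benign[]      = { { K_CALL, 0x401010, 0x7f001000 },
                                                { K_RET,  0x7f001040, 0x401015 },
                                                { K_JMP,  0x401020, 0x401080 } };
    static const struct event ret_hijack[]  = { { K_CALL, 0x401010, 0x7f001000 },
                                                { K_RET,  0x7f001040, 0x7f002000 } };
    static const struct event stack_jump[]  = { { K_JMP,  0x401010, 0x7ffe1000 } };
    static const struct event patched_lib[] = { { K_WRITE, 0, 0x7f002010 },
                                                { K_CALL, 0x401010, 0x7f002000 } };
    const struct event *t; size_t n;
    switch (which) {
    case 0:  t = benign;      n = 3; break;
    case 1:  t = ret_hijack;  n = 2; break;
    case 2:  t = stack_jump;  n = 1; break;
    default: t = patched_lib; n = 2; break;
    }
    struct shepherd s; struct page pg[3];
    fresh(&s, pg);
    return run_trace(&s, t, n);
}
```

The benign trace passes; the hijacked return is stopped by the transfer policy (shadow stack), the jump onto the stack by the origin policy (the stack is not a loaded code page), and the call into the patched library by the origin policy's "modified after load" rule, which is the case a pure control-flow check would miss.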
26. Memory protection

| Page type        | Application privileges | MPEE privileges |
|------------------|------------------------|-----------------|
| Application code | R                      | R               |
| Application data | RW                     | RW              |
| Code cache       | R                      | RW              |
| MPEE data        | R                      | RW              |
| MPEE code        | R                      | R               |

27. Memory protection (execute permission shown)

| Page type        | Application privileges | MPEE privileges |
|------------------|------------------------|-----------------|
| Application code | R                      | R               |
| Application data | RW                     | RW              |
| Code cache       | RE                     | RW              |
| MPEE data        | R                      | RW              |
| MPEE code        | R                      | RE              |
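Added example, not the MPEE's own implementation: the code-cache row of the tables above enforced with mprotect(2) on Linux. The cache page is writable only while the run-time system (MPEE mode) fills it and read+execute only while the application runs, so application-mode code can never write what it executes. Names are hypothetical; the stub bytes are a minimal "return 42" for x86 and AArch64, the only two architectures the example handles.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical one-page code cache whose protection follows the table above. */
typedef int (*stub_fn)(void);

static void  *cache_page = NULL;
static size_t cache_size = 0;

/* Enter MPEE mode for the cache: RW, so the run-time system may emit code; nobody may execute it. */
static int cache_open_for_write(void) {
    if (!cache_page) {
        cache_size = (size_t)sysconf(_SC_PAGESIZE);
        cache_page = mmap(NULL, cache_size, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (cache_page == MAP_FAILED) { cache_page = NULL; return -1; }
        return 0;
    }
    return mprotect(cache_page, cache_size, PROT_READ | PROT_WRITE);
}

/* Enter application mode for the cache: RE, never writable. */
static int cache_seal_for_exec(void) {
    __builtin___clear_cache((char *)cache_page, (char *)cache_page + cache_size);
    return mprotect(cache_page, cache_size, PROT_READ | PROT_EXEC);
}

/* What the run-time system does on a cache miss: copy a fragment in, then seal the page. */
static int cache_emit(const void *code, size_t len) {
    if (cache_open_for_write() != 0 || len > cache_size) return -1;
    memcpy(cache_page, code, len);
    return cache_seal_for_exec();
}

/* Runs a constructed "return 42" fragment through the cache; -1 on failure or unknown CPU. */
int run_cached_stub(void) {
#if defined(__x86_64__) || defined(__i386__)
    static const uint8_t code[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };          /* mov eax,42 ; ret */
#elif defined(__aarch64__)
    static const uint8_t code[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
    return -1;
#endif
    if (cache_emit(code, sizeof code) != 0) return -1;
    stub_fn f;
    memcpy(&f, &cache_page, sizeof f);   /* void* to function pointer without a cast warning */
    return f();
}
```

Between cache_seal_for_exec() and the next cache_open_for_write() any store into the page from application code faults, which is the property the tables express: in application mode the cache is R (slide 26) or RE (slide 27), and only the MPEE holds RW.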
33. Different Levels of Updates

Power of a patch, operates like a DAT. Administration can be fully automated.

Typical time from release to deployment (column assignment reconstructed from the slide):

| Update type                           | Typical time from release to deployment |
|---------------------------------------|------------------------------------------|
| LiveShield, detect mode               | Minutes                                  |
| LiveShield, protect mode              | Within a day                             |
| DAT file update                       | Hours                                    |
| Patch update                          | Weeks to months                          |
| Dot upgrade                           | Months                                   |
| Major upgrade                         | Months to never                          |

Properties compared per update type (check marks not recoverable): easy to undo; manageable at a fine granularity; will not change current behavior; no need to reboot or restart the application; no need to upgrade hardware or other programs.
38. LiveShield Development Operations Flow

Determina side (best case is 24 hours; cannot take more than 7 days):
1. Trigger, one of:
   - POC exploit released: acquire the exploit, identify the vulnerability
   - Patch released: diff the patched version against the previous version
   - Attack released: acquire the attack, trace the attack's activity
2. Trace the exploit activity
3. Develop a Shield
4. Port it to multiple versions
5. Test the Shield
6. Release to customers

Customer side (minimal QA, à la DAT update):
1. Receive the LiveShield
2. Push the Shield in detect mode
3. No triggering in 24 hours? Y: put it into protect mode. N: put it on a full QA system in protect mode
4. No problems in 24 hours? Y: put it into protect mode. N: report the problems to Determina
39. LiveShield Flow

Figure (component labels only; the diagram was duplicated in extraction):
- Determina Web site → Internet → Controller @ customer site
- Controller: files available (MP-v3-011604.xml; const-v3base.dll, const-v3a.dll, const-v3b.dll, …, const-v3u.dll, const-v3v.dll), one xml file per host, up-to-date dll cache, mode information, status information, events
- Controller ↔ Node Manager communication interface
- Node Manager: per-processor policy data structure with mode info, dll cache, stats, events
- Core: policy data structure with mode info, loaded dll's held in read-only memory, DLL load, event log
45. 4. Coverage: No partial band-aid solutions please!

Chart: % of vulnerabilities by class (Source: CVE, Microsoft Security Bulletins, 2003-2004).
46. 5. Proactivity: Should be ready to protect when attacked!

Lifecycle: application released with a bug → vulnerability announced → patch released → attack released. Good guys patch like crazy; bad guys analyze the patch and create the attack.

Chart: number of days from publication of the vulnerability (availability of a patch) to attack. Worms, in order of vulnerability publication date: Code Red (06/01), Digispid (03/02), Spida (04/02), Slammer (07/02), Slapper (07/02), WebDAV (03/03), Blaster (07/03), Witty (03/04), Sasser (04/04), Mydoom.ag (11/04). Values shown on the chart (assignment to individual worms not recoverable): 2, 17, 26, 31, 34, 46, 77 and 185 days, plus two bars marked "Previously Unknown Vulnerability".
51. VPS impact on the Project

- Managed Program Execution Engine
- Memory Firewall
- LiveShield
- Client Interface
- Injected code detection
- Patch generation and deployment
- Constraint learning and monitoring
- Data structure consistency checking
- Application state probing
- Repair generation, evaluation and filtering
55. LiveShield Constraint Creation Framework

Same two-lane flow as slide 38 (Determina side: POC exploit, patch or attack released → acquire, identify or diff → trace → develop, port, test and release the Shield, best case 24 hours, no more than 7 days; customer side: receive, push in detect mode, 24-hour checks, then protect mode or report problems to Determina; minimal QA, à la DAT update).
Speaker notes
Published analyst reports are consistent: more vulnerabilities, and attack motives changing from fame to fortune. The Symantec Internet Security Threat Report marks a shift in the threat landscape: attackers are moving away from large, multipurpose attacks on network perimeters and towards smaller, more focused attacks on client-side targets. The new threat landscape will likely be dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks on Web applications and Web browsers. Whereas traditional attack activity was motivated by curiosity and a desire to show off technical virtuosity, many current threats are motivated by profit; they often attempt to perpetrate criminal acts such as identity theft, extortion, and fraud.
Another specific instance. This one shows even more clearly that relying on patching to secure systems is a losing battle: here no patch was available until 30 days after the exploits were first released. There were many ways to get hurt, costing millions of dollars, while waiting for a patch and then for the patch to be deployed. A recent example is the critical IE vulnerability in late March. Determina issued a stand-alone fix for download, for free, to highlight our capabilities. VPS was the only solution that protected against the IE vulnerability; VPS customers were protected without taking any additional action. No other solution did this! Over 90% of security exploits are carried out through vulnerabilities for which patches are already known (Gartner).
What is the basis of the threat? Vulnerabilities are the root cause, in the OS, in server applications and in desktop applications. Look at the stats and share them with your customers. How do we protect vulnerabilities against these attacks and exploits?
Table legend: "Days until mass exploit": --- means no mass exploit. "0-day?": --- means Microsoft announced the vulnerability together with the patch. Some examples of recent vulnerabilities illustrate the protection provided by MF (Memory Firewall) and LS (LiveShield), as well as the threat and the window of attack without that protection.
What is a customer looking for in a host IPS/endpoint security solution? Stress here that it "just works." Many solutions out there don't live up to their claims or simply don't work properly (crashes, conflicts, etc.). Stress that while Determina is a young company, VPS is based on mature, proven technology with over 8 years of development behind it.
Timing cues: 3:16 ask about problems with false positives. 3:23 ask "Should we give up?" and ask whether crypto is fool-proof.