
NextGen Endpoint Security for Dummies

From the demise of conventional signature-based endpoint technologies have risen next generation solutions. These technologies have cluttered the marketplace, introducing a conundrum for endpoint selection. This session focuses on the key requirements for effective security prevention, detection, and remediation. It introduces a real-world framework for categorizing endpoint capabilities and enables selection of solutions matching the unmet needs of security programs. The following topics are covered:
• What do I actually need?
• Real-world framework to categorize endpoint capabilities
• Map vendors into buckets within the framework
• Housekeeping: what's needed before you even start?
• Cheat sheet of probing questions to ask vendors
• Best practices for deploying best-of-breed solutions

Published in: Technology

  1. NextGen Endpoint For Dummies: Tech Survey & Decision Guide
     Atif Ghauri, CISSP, CTO & SVP at Herjavec Group
  2. Live Survey – Show of Hands
     a) Are you currently using a NextGen Endpoint solution?
     b) Are you looking for a NextGen Endpoint solution?
     c) Are you ripping out your NextGen Endpoint solution?
  3. Today's Agenda
     1. What is NextGen Endpoint and why care?
     2. What to look for and how to evaluate the clutter?
     3. Give me specific details!
        • Vendor deep-dive analysis
  4. Why Are We Talking Endpoint Today?
     Your users are the #1 threat vector:
     • Phishing
     • Malware
     • Social Engineering
     • Insider Threat
     • URL Redirection
     • Unpatched Systems
     • Zero Day
     70%+ of attacks occur on the endpoint
  5. Why is NextGen Endpoint So Hot?
     » The industry is failing to kill bad code
     » Failure of the current solution
       • 47% of legacy AV customers have been successfully compromised (Gartner)
       • Hackers write real-time evasion code against legacy AV
     » Customers need multiple protection schemes
       • Signature based, behavior based, real-time updates (cloud)
     » Consolidation
     » Audit compliance
  6. When in doubt, follow the money…
  7. Investment Community Frenzy
     » Google invests in CrowdStrike
     » Digital Guardian raises $66M
     » McAfee developed Active Response
     » Tanium raised $262M on a $3.5B valuation
     » Cylance gets $100M at a $1B valuation
     » Carbon Black acquires Confer in a $100M deal
     » McAfee went private at $3.1B
  8. Today's Agenda
     1. What is NextGen Endpoint and why care?
     2. What to look for and how to evaluate the clutter?
     3. Give me specific details!
        • Vendor deep-dive analysis
  9. Long List Of Wants – Focus On Your Needs
     • Ability to perform forensics
     • Cloud-based solutions as an alternative
     • Infection analysis capability
     • Mobile integration roadmap
     • Virtualized footprint and performance capability
     • Vulnerability management, patch management, app control
     • Process attestation – known vs unknown
     • Malware analysis capability
     • Scalability from 1k to 100k users
     • Operating system coverage
     • BYOD impact
     • Integration with existing NG or APT network technologies
     • Unified policy for both network and endpoint
     • Sandboxing with cloud support
  10. Let's Simplify with a Framework
      1 - Prevent
        • 24/7 Real-time Monitoring
        • System Baselining and Hardening
        • Process and App Whitelisting
        • User Behavior Analysis
        • IP/URL Lookup
        • Sandboxing
      2 - Detect
        • IoC Integration for Rapid Detection
        • Incident Identification and Notification
        • Triage and Confirmation
        • Containment
        • Dwell Time Reduction
        • Enriched Alerts for Remediation
      3 - IR & Remediation
        • Process Hunting for Unknown vs Known
        • Design and Model Changes
        • Unleash Forensics
        • Capturing Lessons Learned
        • Configuration Management
        • Vulnerability Assessments
  11. What's influencing your peers when buying?
      » Flexible licensing models
      » Attractive admin interface and ease of use
      » Ambidextrous vendor integration
      » Performance
      » OS coverage
      » Reference customers
  12. Structured POC Scorecard

      Buy Criteria          Vendor A   Vendor B   Vendor C
      Cost (1 year)         $1M        $400K      $354K
      Cost (3 years)        $1.3M      $940K      $790K
      Flexible Licensing    9.9        9.4        6.2
      Ease of Use           6.4        8.0        8.0
      Integration           3.1        2.7        2.2
      Performance           4.4        4.3        3.6
      OS Coverage           8.4        6.5        5.5
      Reference Customers   9.1        7.1        6.5

  13. Do's and Don'ts
      » Don't just kill your AV
      » Do measure twice but cut once
      » Don't forget to consider desktop support
      » Do multiple bake-off POCs
      » Don't forget about user compliance
      » Do buy a solution you can actually manage
  14. Today's Agenda
      1. What is NextGen Endpoint and why should I care?
      2. What should I look for and how do I evaluate the clutter?
      3. Give me details!
         • Vendor deep-dive evaluation notes
  15. 5 Protection Techniques for Dummies
      1. Signature-based anti-virus
      2. Isolation or sandboxing
      3. Behavior-based anomaly detection
      4. Whitelisting
      5. IR and remediation
  16. How does it work? Legacy AV
      » Compares signatures (bit patterns) of known threats against file contents
      » AV scans a file before user interaction, detecting known threats
      » Yes, it's legacy, but it has evolved to handle near zero-day threats
      » Smart AV uses the cloud to phone home in real time for detection
      » Remediation techniques: clean and quarantine
  17. How does it work? Isolation
      FACT: An average workstation is capable of hosting hundreds of tiny disposable computers concurrently.
      THEREFORE: Why not create a container (or sandbox, microVM) and let threats execute there with minimal resources?
      » Works on a "need to know" basis with the OS
        • Leverages hardware-based isolation to defeat both known and unknown threats
        • CPU-bound hypervisor (aka microvisor)
      » microVMs are isolated from both the OS and each other -> kills lateral movement attacks
        • Uses the hardware virtualization capability available in modern systems
        • Each new application task or suspected threat is spun off into its own microVM
        • The threat is allowed to run; if it proves dangerous, the process is stopped and the container discarded
      » Desired results
        • Safe environment to play
        • Capture detailed threat information that can be used for forensic analysis
  18. Bromium – How does it work?
      » All user actions are disposable
        • Task-based isolation at the hardware level is unprecedented!
      » Controls all access to file systems, registry, communications and auth
      » Works on virtualization technology and does not use signatures
      » Isolates a suspect file into a microVM to allow the file to execute
      » Only the resources a task needs are visible to it; everything else is hidden from the task
      » Converts files for printing into a trustworthy format
      » Can be CPU and memory intensive at times
  19. How does it work? Behavior-Based Anomaly Detection
      » Monitor process and memory execution for anomalies
      » In theory there is a finite number of ways to attack a system, and most are commonly known attack vectors
        • Accordingly, intercept the process, watch for known attack vectors, and stop the process when one occurs
        • Simultaneously report it and kick off forensic analysis and remediation before it is too late
      » Differs from sandboxing
        • Triggers as the process is invoked, so it does not need to containerize -> faster
  20. CrowdStrike – How does it work?
      » Works like a high-definition surveillance camera
        • Want to know what happened and how, blow by blow
        • Pattern bad behavior and monetize that knowledge
      » Cloud based, with a detection and prevention philosophy
        • Small kernel driver and no hardware required
        • Heavy process monitoring and real-time cloud-based analysis
        • Protects when the Internet is down using custom protection and exploit blocking
        • Uses known attack vectors to analyze the suspected threat and will block the process
      » Now also integrates VirusTotal, so both behavior- and signature-based
  21. CrowdStrike – Details
      » CS has a deep understanding of hacker tradecraft
        • Adversary focus enables visibility into who is attacking and how
        • Extensive IoA and IoC library in a cloud database
        • Forensic data is extensive: follows the infection and traces its origin
      » Big on Indicators of Attack (IoA), which are modeled and recorded as patterns
        • User established network connection, process is executed, registry edited, memory called
      » Tech notes
        • Deploying the CS agent does not require a reboot
        • Kernel-mode driver records all patterns of memory calls, I/O operations, network connections, etc.
        • 1.5 MB agent, very small compared to 50 MB for other agents
        • Uses ~5 MB of bandwidth per day per agent
        • Locally caches events when offline
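The signature check from slide 16 and the Indicator-of-Attack chaining of slides 19 and 21 (process executed, registry edited, network connection established) can be sketched in a few dozen lines. The following is an added example written for this page, not code from CrowdStrike, Palo Alto Networks or any other vendor in the deck: the event model, the `Detector` class, the single IoA rule, the `KNOWN_BAD` hash table and the telemetry stream are all constructed for illustration, and the 203.0.113.x addresses are documentation addresses standing in for an attacker's server.

```python
"""Toy endpoint detector combining the two families the deck contrasts:
a legacy-AV style signature (hash) lookup, and an Indicator-of-Attack (IoA)
chain matched over a stream of process, registry and network events.
Added example for this page; all telemetry below is constructed."""
import hashlib
import ipaddress
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed signature database: SHA-256 of a made-up payload -> threat name.
KNOWN_BAD = {hashlib.sha256(b"constructed-dropper-payload").hexdigest(): "Constructed-Dropper"}


@dataclass(frozen=True)
class Event:
    ts: int
    pid: int
    ppid: int
    image: str
    kind: str          # "process_start" | "registry_set" | "net_connect"
    detail: str = ""   # registry value path, or "ip:port" for net_connect
    sha256: str = ""   # hash of the image, only on process_start


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int   # anchor pid: the process whose start opened the chain
    ts: int


def is_external(addr: str) -> bool:
    """True when the remote side of an 'ip:port' string is outside the constructed internal ranges."""
    ip = ipaddress.ip_address(addr.rsplit(":", 1)[0])
    return not any(ip in net for net in INTERNAL_NETS)


# An IoA is an ordered list of predicates; every step must come from the anchor
# process or one of its descendants. Each predicate gets the event and the
# detector (for parent-image lookups).
IOA_RULES = {
    "office-script-persistence-beacon": [
        lambda e, d: e.kind == "process_start" and e.image in SCRIPT_HOSTS
                     and d.image_of.get(e.ppid) in OFFICE_APPS,
        lambda e, d: e.kind == "registry_set" and e.detail.startswith(RUN_KEY),
        lambda e, d: e.kind == "net_connect" and is_external(e.detail),
    ],
}


class Detector:
    def __init__(self, rules=IOA_RULES, signatures=KNOWN_BAD):
        self.rules, self.signatures = rules, signatures
        self.image_of: dict[int, str] = {}    # pid -> image name
        self.parent_of: dict[int, int] = {}   # pid -> ppid
        self.chains: dict[tuple[str, int], int] = {}  # (rule, anchor pid) -> next step index
        self.alerts: list[Alert] = []

    def descends_from(self, pid: int, anchor: int) -> bool:
        while pid:
            if pid == anchor:
                return True
            pid = self.parent_of.get(pid, 0)
        return False

    def feed(self, e: Event) -> None:
        if e.kind == "process_start":
            self.image_of[e.pid] = e.image
            self.parent_of[e.pid] = e.ppid
            if e.sha256 in self.signatures:   # signature-based check
                self.alerts.append(Alert("sig:" + self.signatures[e.sha256], e.pid, e.ts))
        for name, steps in self.rules.items():
            advanced = False
            for (rule, anchor), idx in list(self.chains.items()):
                if rule != name or not self.descends_from(e.pid, anchor):
                    continue
                if steps[idx](e, self):
                    advanced = True
                    if idx + 1 == len(steps):
                        del self.chains[(rule, anchor)]
                        self.alerts.append(Alert("ioa:" + name, anchor, e.ts))
                    else:
                        self.chains[(rule, anchor)] = idx + 1
            if not advanced and (name, e.pid) not in self.chains and steps[0](e, self):
                self.chains[(name, e.pid)] = 1   # open a new chain anchored on this pid


def run_demo() -> list[Alert]:
    """Feed a constructed event stream through the detector and return its alerts."""
    bad = hashlib.sha256(b"constructed-dropper-payload").hexdigest()
    good = hashlib.sha256(b"constructed-benign-binary").hexdigest()
    events = [
        Event(1, 100, 1, "explorer.exe", "process_start", sha256=good),
        Event(2, 200, 100, "winword.exe", "process_start", sha256=good),
        Event(3, 200, 100, "winword.exe", "net_connect", "10.0.0.5:445"),        # internal file share
        Event(4, 600, 100, "powershell.exe", "process_start", sha256=good),     # admin shell from Explorer
        Event(5, 600, 100, "powershell.exe", "registry_set", RUN_KEY + r"\OneDrive"),
        Event(6, 300, 200, "powershell.exe", "process_start", sha256=good),     # spawned by Word: step 1
        Event(7, 300, 200, "powershell.exe", "registry_set", RUN_KEY + r"\Updater"),  # step 2
        Event(8, 400, 300, "cmd.exe", "process_start", sha256=good),
        Event(9, 500, 100, "chrome.exe", "process_start", sha256=good),
        Event(10, 500, 100, "chrome.exe", "net_connect", "203.0.113.9:443"),
        Event(11, 400, 300, "cmd.exe", "net_connect", "203.0.113.7:443"),      # beacon from grandchild: step 3
        Event(12, 700, 100, "updater.exe", "process_start", sha256=bad),        # hash hit
    ]
    d = Detector()
    for e in events:
        d.feed(e)
    return d.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

Two alerts come out: the IoA fires on event 11 and is attributed to pid 300 (the PowerShell started by Word) even though the connection came from its child `cmd.exe`, and the signature hit fires on event 12. Note what does not fire: the Explorer-launched PowerShell that writes the same Run key (events 4 and 5) and Chrome's outbound connection (event 10) each perform one of the three actions, but without the Office-spawned-script lineage no chain opens. That lineage requirement is the difference between behavioral detection and a pile of noisy single-event rules.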
  22. PAN Traps – Overview
      » Behavior based (Cyvera acquisition, 2014)
        • Monitors for known illegal activities at the process level; kills the process upon detection
        • Looks for the common set of tools or techniques used in all known exploits to detect threats
      » Uses a small driver enabled with behavioral techniques to detect threats
        • Monitors the process and analyzes the behavior of the application
        • Triggers the WildFire cloud system to check the hash of the file
        • Compares against user policies governing what software is allowed to run and from which directories, as well as Java apps and external media
      » Tech notes
        • Runs in approximately 50 MB of RAM with an average of 0.1% CPU utilization
        • Sends in-depth data to the endpoint server for forensic analysis and reporting
        • A local server caches WildFire verdicts and answers other endpoints that encounter the same file locally
  23. Cylance – Overview
      » Solves the problem of malware identification at scale
        • Statically analyzes features found in the binary itself
        • Uses machine learning through math models
      » Does "file genome" work: similar attribute mapping and scoring to what biologists do with the human genome
      » Avoids patient zero or the sacrificial lamb
      » Tech notes
        • Never sees the file execute; quarantines prior to execution based on the bits/bytes of the binary on the host
        • Strong coverage across operating systems
        • No infrastructure to install; all management is cloud based
        • Cylance footprint vs traditional AV: 1/10 of CPU, 1/40 of I/O, 1/3 of network usage, 20-40 MB agent
  24. Tanium – Overview
      » It's fast
      » Query thousands of endpoints in real time and report
        • Software versions and in-depth inventories
        • User processes and activities
        • Current software being run by users, with history
      » Performs single-touch software patching, updates, and deployments
      » Provides real-time monitoring of all endpoints
      » Incident response: marks desktops for re-imaging and provides kill switches if a threat is detected
      » Analysts use Tanium to delete files that were identified as threats by other systems
      » Forensic information is detailed and can be reported in many different ways or queries
  25. Thank You
      Atif Ghauri, CTO & SVP, Herjavec Group
      aghauri@herjavecgroup.com
