How To Defeat Advanced Malware. New Tools for Protection and Forensics

Section 1: Productivity vs SecurityHow To Defeat Advanced Malware: New Tools for Protection and Forensics
This online continuing education course is available
through a professional courtesy provided by: How To Defeat Advanced Malware:
Bromium HQ
20813 Stevens Creek Blvd
Cupertino, CA 95014
Phone: 855-625-2683
info@bromium.com
© Concise Courses USA. The material contained in this course was research, assembled, and produced by Concise
Courses USA and remains their property. Questions or concerns about the content of this course should be directed to
the program instructor.
New Tools for Protection and Forensics

Productivity vs Security

Productivity vs. Security
The internet enables unprecedented increases in efficiency, productivity and cre-
ativity, while posing the greatest risk of damage and loss to digitally enabled or-
ganizations of all forms and sizes.

The internet enables unprecedented increases in efficiency, productivity and creativity, while posing the greatest risk of damage and loss
to digitally enabled organizations of all forms and sizes.
End-users demand free access to, and unrestricted use of, the web’s information to maximize their ability to get their jobs done effectively.
The Empowered Consumer
Search
Social Networking Mobile Apps
Mobility
Internet Services: Social media,
SaaS, collaboration, storage etc
Personal equipment:
Home pcs, laptops, tablet smartphones

One approach – Lock’em all
At the same time, organizations have been forced to impose restrictions
and cumbersome procedures to try and secure their information and
resources from attack.

False sense of security…
Today’s end-user computing environment has expanded beyond the traditional con-
trol of the inner walls of the enterprise and as such, a solution must be created that
provides effective end-point security for the enterprise, as well as a high perfor-
mance interface for the user.

The Fundamental Problem
The fundamental problem with security today is the
legacy computing architecture inherited from a much
simpler time when computers were isolated systems that
were only accessible to IT staff and corporate employees.
The operating systems and many applications we use to-
day were developed with little concern about the poten-
tial for introduction of hostile or “untrustworthy” applica-
tions or data.
Unfortunately these systems have NOT kept pace with
the growth in connectivity, and our computer systems still
have no way to decide whether a document or an applica-
tion is trustworthy or hostile.
Malware continues to exploit the interaction between and within the software installed on a system to achieve its
goals with little protection provided by the system itself.

Section 2: Current IT Security ProductsHow To Defeat Advanced Malware: New Tools for Protection and Forensics
Current IT Security Products

XXXXNetwork Firewalls and Anti-Virus Programs
Current IT security products have evolved in response to the earliest cyber-attacks
of the 1980s.
Network firewalls were developed to foil attacks originating across network links
and isolate the entire network.
Anti-virus programs were developed to address the new phenomenon of “infected”
files being shared via floppy disks, and attempted to isolate individual computers
from harm.
Simply put, over time, new security products have been continually “layered on” as
new attack vectors, such as the Internet, have become available.

Is the data or the application trustworthy?
Each layer tries to solve the same problem: Is the data or the application trustworthy?
Untrustworthy content is detected and blocked, and
trustworthy content is allowed, but if an incorrect deci-
sion is made, the malware is free to interact with, and
compromise all the other parts of the system.

Malware is now designed to evade detection
Furthermore, Malware is now designed to evade detection.
By leveraging zero day exploits, polymorphism and the
rapid evolution of web technology, malware evades
“detection” based security solutions and infiltrates the
organization by exploiting the inherent trust between
operating system components.
It may be weeks or months before a successful attack
is discovered.
Meanwhile valuable information can be stolen or criti-
cal infrastructure can be disrupted by the attackers.

Section 3: End Users Have Emerged As The Weak LinkHow To Defeat Advanced Malware: New Tools for Protection and Forensics
End Users Have Emerged As The Weak Link

Users Are One Click Away From Compromising Their Desktop
With the proliferation of web, email and social media, users are one click away from compromising their desktop.
No one is immune to social engineering techniques that trick users into clicking on links, opening email attachments, or plugging in USB devices.
End-users have emerged as the weak link in enterprise security.
Social Media Landscape

BYOD
Whether users are at home, on an airplane, in a coffee shop, or in an international hotel, with a malicious DNS server, they cannot be easily protected
by traditional network-centric security devices simply because they are working outside the network perimeter and communicating directly with an
untrusted network.

Backhauling
The standard option today is to backhaul the connection back to the corporate network gateway, then forward it out to the Internet. But that can have
significant impact on end user experience, performance, and productivity for mobile workers.
Backhaul Station
Internet
Base Station
WiFi Remote User

C-Suite Executives
Executives are the least restricted yet most targeted class of users.
They are highly mobile and often choose devices that are not sanctioned by IT to get their jobs done.
As frequent targets of spear phishing campaigns, due to their level of access to sensitive data, executive support staff must make daily decisions to
open external email attachments and click on unknown URLs.

End User Hardware
Attackers view laptops and desktops as attack vectors – effectively launching pads – into the enterprises that they
seek to penetrate.

Patch Tuesday
Hackers exploit vulnerabilities in operating systems, browsers, and third-party software such as Java and Flash.
Unfortunately, with more than a hundred million lines of code on any given laptop or desktop, vulnerabilities are of-
ten discovered faster than patches can be created and applied to these vulnerable machines.
It’s a losing proposition to rely on "Patch Tuesday" or any other carefully planned schedule to keep systems properly
patched or to detect exploits or vulnerabilities.

SaaS and Cloud Based Applications
Today's targeted malware seeks to use compromised PCs as a way to not only access the enterprise network, but also to access critical SaaS and cloud
applications.
Corporate security policies will often disallow ac-
cess to these Internet-hosted applications and
storage assets unless users are connected to the
corporate network or using a corporate device.
However, if a corporate PC is compromised, attack-
ers are able to masquerade as a legitimate user
and then extract sensitive data from these online
repositories.

VDI Empowerment
Local User
Offshore user
Teleworker
Not long ago virtual desktops were considered more secure than physical desktops because VDI OS partitions are regularly re-built from a gold image.
However, attackers have since learned to easily bypass this control by adding malware into the user’s profile. When virtual desktops are deployed in
the same datacenter as sensitive information, VDI could actually increase the enterprise attack surface.
Keep your data and applications secure
• Reduce vulnerabilities
• Use centralized policies
• Data storage process that is virtualized and centralized
Address dynamic requirements
• Workforce mobility
• Connectivity with partners
• New employee onboarding

Security Spending
Enterprises have spent billions of dollars on security but can’t stop all of today’s attacks.

Blacklisting
The blacklisting approach can only detect known threats and fails to stop sophisticated malware that is used for
today’s targeted attacks.

Whitelisting
And the whitelisting approach, i.e. allowing only trusted applications, such as a corporate browser or pdf readers, is
ineffective because attackers take advantage of the fact that enterprises are slow to update their software, and use
malicious content and documents to exploit supposedly trustworthy applications.

Section 4: All Software Is Inherently InsecureHow To Defeat Advanced Malware: New Tools for Protection and Forensics
All Software Is Inherently Insecure

Vast Attacks Surfaces
Modern desktops and apps offer rich feature sets that offer a huge target to attackers.
For example, Microsoft Windows now has more than 60 million lines of code, and
Adobe® Acrobat more than 1 million, leaving many loopholes that can or have been
exploited by attackers.
This vast “attack surface” is responsible for the enormous number of ongoing vulner-
abilities and exploits we see in the news every day.

Tabbed Browsing
Efforts have been made to increase productivity and decrease resource consumption by allowing users to perform
multiple instances of a programs function using a single instance of the application such as “tabbed” browsing.
These multiple instances or “tasks” make security more difficult, as compromising the parent application automati-
cally compromises all the tasks being performed by the application.

‘Whack-A-Mole!’
The “whack a mole” approach to creating a new signature or patch to detect and block the latest attack, or develop-
ing a new security product for a new kind of vulnerability is unsustainable.
The security industry needs to address the fundamental shortcom-
ings of the current approach, and adopt a new architecture that
transforms computer systems into trustworthy endpoints that are
protected by design.

Introducing Micro-Virtualization
Micro-virtualization addresses the fundamental shortcomings of the legacy computing model by executing each vulnerable task in a tiny, hardware-
isolated micro-virtual machine (Micro-VM).
Tasks are isolated, along with all the associated resources that a task needs, all the way down to the security hardware (Intel VT) layer, including any
resources that interact directly or indirectly with the task.

Need To Know
Protected tasks have only “need to know” access to data, networks and local hardware devices, so if a task is compromised, the system still protects
the enterprise and the user.
Micro-VM’s are created and destroyed in milliseconds automatically discarding malware and ensuring that the desktop always remains in a “golden”
state.
These capabilities are implemented automatically, unseen by the user, and with minimal impact on the user experience.

Micro-VM’s
Micro-virtualization has profound consequences for system architecture, and applies to both server and client sys-
tems.
Its application in endpoint protection transforms the resilience of enterprise clients and will massively increase the
cost and complexity of system penetration.

Introducing Bromium’s vSentry
Bromium’s vSentry uses Micro-Virtualization to isolate malware delivered via Internet Explorer or untrustworthy
documents and e-mail attachments.
Malware isolated by vSentry is unable to steal data or access either the Windows system or corporate network
and is automatically discarded when the web session or document is closed by the user.

Micro-VM’s
Each micro-VM is optimized and provisioned for the specific task at hand and is hardened against the installation of
malicious code.
Micro-VM’s deliver significant attack-surface reduction thereby delivering an inherently more secure platform for
running risky tasks.
If unknown malware does manage to exploit the application performing the protected task, only a single browser
tab or a single instance of the document handler (for example, Acrobat, Word, etc) will be compromised.

Defeating Malware Every Time
Malware cannot gain access to other applications or tasks, for example, the Windows system itself, the protected file
system, the enterprise network, or trusted SaaS applications.
Since each web page or document is run in a hardware-isolated, hardened and independent container within the Win-
dows environment, threats can’t propagate and compromised sessions can’t be used for surveillance or to launch at-
tacks on other systems in the network.
Malware is not allowed to persist and is automatically removed on clos-
ing the web browser tab, document or attachment.

vSentry Automation
vSentry automatically isolates vulnerable tasks, such as opening an unknown web page in a new browser tab, or an
email attachment or document from an unknown sender.
Users are not prompted to “allow” or “deny” actions and can focus on getting the most from their system without
worrying about the chance of compromise.

The Microvisor
The Microvisor on which vSentry is based
integrates directly with Intel VT ad-
vanced hardware virtualization tech-
nology, which is built into every CPU, to
ensure that malware can’t break out of
the micro-VM to compromise the rest of
the Windows operating system, other ap-
plications or tasks.

Section 5: Micro-Virtualization vs Traditional Endpoint Security ProductsMicro-Virtualization: A New Approach To Endpoint Security
Micro-Virtualization vs Traditional Endpoint Security Products

Anti-Virus systems detect malware by using signatures that are developed from samples of attacks that have suc-
cessfully compromised other users.
The addition of heuristics and cloud based lookups has decreased the time needed for Anti-Virus systems to detect
known attacks, but with over 3 billion unique pieces of malware discovered in 2011 alone, today’s attackers have lit-
tle problem avoiding these systems.
In contrast, Micro-Virtualization does not rely on detecting malware to protect against its malicious intentions. The
granular isolation and “need to know” access model for each task ensures that malware cannot gain access to any
data, persist the attack, or penetrate deeper into the network.
Micro-Virtualization vs Anti-Virus Systems

Micro-Virtualization vs Host Intrusion Prevention Systems
Host Intrusion Prevention Systems attempt to detect and block malicious attacks by comparing the behavior of vul-
nerable applications, with a pattern that could indicate “malicious behavior”.
The shortcomings of this technology are that malicious and benign code can perform the same types of operations
within an endpoint and singling out the behavior of a single piece of software can be challenging.
A Host Intrusion Prevention System that is tuned to be effective against unknown malware will also block many un-
known but benign software functions leading to user dissatisfaction and an avalanche of corporate help desk calls.
A Host Intrusion Prevention System is often disabled or tuned to the point that malware is no longer blocked in reac-
tion to these problems.
In contrast, Micro-Virtualization does not interfere with the execution of the vulnerable application or the pro-
ductivity of the user, while ensuring that critical enterprise resources are protected at all times.

Micro-Virtualization vs Desktop Firewalls
Desktop Firewalls protect the host system by blocking low level network requests to specific processes within the
the endpoint.
Desktop Firewalls do not provide any protection for the most risky applications like the web browser or opening files
and attachments as these processes must be able to communicate with the outside world to function.
In contrast, vSentry implements a per micro-VM, task-specific, granular isolation or task “firewall” capability by
intelligently isolating, filtering and enforcing the communications between each task and the rest of the Win-
dows environment.

Micro-Virtualization vs Desktop Virtualization Systems
Desktop Virtualization Systems provide a mechanism for running multiple operating systems on a single desktop or laptop com-
puter.
Migrating computing resources to a virtualized environment has little or no effect on most of the resources’ vulnerabilities and
threats.
While running, these solutions provide no protection beyond that provided by standard desktops and the monolithic nature of tra-
ditional hypervisors lend themselves to the execution of multiple applications within the virtual machine.
Attempting to run multiple virtual machines often incurs a heavy performance penalty and restricts the granularity and effective-
ness of this approach.
In contrast, vSentry represents the next generation of virtualization technology that hardware virtualizes each vulnerable task
without the performance penalty incurred by legacy virtualization solutions.
Micro-Virtualization works at the task
level within the Windows environment
and provides full code level visibility
and extremely granular control for all
interactions between the active task,
Windows, system devices, the file sys-
tem, storage and networks.

Micro-Virtualization vs Application Whitelisting Solutions
Application Whitelisting Solutions restrict end users from using “non-approved” programs on their systems.
This approach typically has a large impact on user productivity which often results in users finding “workarounds”
such as performing critical tasks on mobile or home products.
Application whitelists provide no protection from attacks targeted at the “approved” programs which remain vulner-
able to zero day or targeted attacks routinely delivered within the content the applications are tasked with process-
ing.
In contrast, vSentry does not impact user productivity and enables them to use their key productivity applica-
tions safely and with no risk to the critical information contained within their systems or on the corporate net-
work.

Micro-Virtualization vs Patch Management Solutions
Patch Management Solutions attempt to address the root cause of security exploits by providing fixes or ”patches”
to the underlying vulnerabilities in the programs that are at risk.
Unfortunately, the sheer scale and attack surface of today’s operating systems and application suites provides end-
less vulnerabilities.
Organizations spend huge amounts of time and money testing and deploying patches in an endless attempt to keep
their systems secure with little impact on the number or frequency of successful attacks.
In contrast, Micro-Virtualization protects PCs from being compromised, even if they have not been patched.
This enables organizations to schedule patches for the lowest impact on the organization.

Bromium’s vSentry
vSentry focuses on protection, and is able to defeat both known and unknown attacks using micro-virtualization
combined with hardware-enforced, task-level isolation.
If a micro-VM is penetrated by any advanced targeted attack, it remains completely isolated. The APT is unable to
attack the desktop, persist any malware, steal any data, or penetrate the enterprise network.

Bromium’s LAVA (Live Attack Visualization and Analysis)
When malware strikes, the entire attack is automatically recorded and delivered to Bromi-
um’s LAVA (Live Attack Visualization and Analysis) console.
LAVA provides a depth and breadth of information that arms security operations centers with
critical threat intelligence and a stronger defense-in-depth strategy.

By extending the isolation and protection of hardware virtualization into the operating sys-
tem, microvisor technology adds a new hardware-protected execution mode for Java applica-
tions.
These micro-VMs are automatically created in milliseconds to isolate any task that processes
untrusted data or interpreted code.
In addition, Bromium’s LAVA provides introspection of these micro-VMs and gives security op-
eration teams the ability to capture and analyze threats, including Java exploits.
Protection Against JAVA Exploits

Protects Mobile And Roaming Users Against Exploits In The Wild
vSentry endpoint security software lets users safely surf the internet, open email attachments, download docu-
ments, and plug-in USB device regardless of their physical location.
It automatically and proactively protects mobile and roaming users against exploits in the
wild by confining each website and document within a hardware-enforced container that
is completely transparent to the user.

Happy Enterprise Network Security Administrators
As a result, enterprise security administrators can worry less about continuously patching Windows vulnerabilities
which can be a challenge for workers that spend days, or weeks away from the office.
No longer is there a tug-of-war between the need for end users to have an op-
timal computing experience and the need for the IT security team to safeguard
the enterprise.
No longer do users need to circumvent or disable the traditional controls that
hinder them from “doing their job”.

vSentry
vSentry delivers endpoint security against advanced targeted attacks, while removing restrictions on Internet freedom.
It ensures that a compromised task (such as rendering a web page or opening an email attachment), cannot access enterprise infrastructure or infor-
mation, because the attacker is contained within the hardware-isolated micro-VM with highly restricted need-to-know access to the OS, the underlying
file system or the enterprise network.
This level of continuous, granular protection applies to end users re-
gardless of location and as a result, users are empowered to do what-
ever they need to do to be productive, browse the internet, with-
out risk to themselves or the enterprise.
IT no longer needs to waste countless hours trying to keep blacklists
and whitelists as updated as possible, and users will no longer attempt
to circumvent or disable these restrictive controls.

vSentry
vSentry assumes that all tasks performed on content originating outside of the corporate network – such as checking email, visiting
Web pages, downloading documents, etc. – should be treated as untrusted. And each tasks is secured in its own private container
using micro-virtualization software in combination with hardware-enforced isolation.
If a malware attack occurs, it remains bounded within the isolated container and has
no access to any network or system resources. Furthermore, it is automatically dis-
carded when the user closes the document or Web page, thereby making it impos-
sible for the malware to persist on the system or gain access to the network.
If malware cannot persist on the end user device, the device cannot be infected. If
there is no infection, there is no longer any need for remediation.
Instead, remediation is in essence automatic – when the task is ended the malware
is destroyed. This can save enterprises thousands – and sometimes millions of dol-
lars.

vSentry
vSentry effectively enables multi-tenancy on endpoint devices, so that each individual task (and all related data) is truly isolated
from the trusted machine.
This architecture provides significant peace-of-mind for those tasked with securing an enterprise, and saves time for those who pre-
viously had been spending countless man-hours trying to reverse engineer malware attacks.
Furthermore, because endpoints are no longer infected as a result of unpatched vulnerabilities, organizations save significant costs
because they no longer need to re-image infected devices.

vSentry
When running vSentry on these endpoints, an executive or a privileged user may still fall prey to attacks from social networking
vectors, enabling the malware to run on their machines.
However, with vSentry, malware’s access is limited to
a hardware-isolated virtual container, a "throwaway
cache" that looks and feels like an empty desktop to
the attacker.
The Microvisor enforces the concept of “least privi-
lege” or “need to know” to each and every document
and website, so that there is never any sensitive data
to steal within the micro-VM.

vSentry
Best of all, anything that the spear-phishing malware does within the micro-VM is automati-
cally and instantly recorded and reported via LAVA, so that security analysts can use this
comprehensive threat intelligence to protect the rest of the users and systems across the
enterprise.
Information security teams gain assurance that these high profile targets can click on un-
safe links and open unsafe attachments without risk to their devices or to the enterprise.

vSentry
vSentry makes each SaaS and cloud application invisible to, and inaccessible by, every other untrusted website and document running on the endpoint
device.
And it applies the principle of least-privilege (a.k.a. "need-to-know") to each task so that each micro-VM is isolated from the rest of the system – re-
gardless of whether or not malware is present. This hardware boundary running on the CPU automatically disables access to any cloud and SaaS sites
containing sensitive enterprise data.
As a result, vSentry protects against cloud data exfiltration, as well as XSS, CSRF, and other
MitB attacks.
Even if a drive-by-download from a compromised site installs a keylogger in one browser
tab, and the user logs into a SaaS site in the adjacent browser tab, credentials and data re-
main isolated and not accessible to the malware running in any other micro-VM.
These online applications and data repositories are centrally configured by IT and have no
impact on user experience with enterprise hosted, SaaS or cloud applications.
vSentry automatically protects the desktop from these applications, but it also protects the
applications from all other untrusted tasks, including attacks on themselves or each other,
such as in the event of a service provider compromise.

Drive-By-Download
Even if a drive-by-download from a compromised site installs a keylogger in one browser tab, and the user logs into a SaaS site in the adjacent browser
tab, credentials and data remain isolated and not accessible to the malware running in any other micro-VM.
These online applications and data repositories are centrally configured by IT and have no impact on user experience with enterprise hosted, SaaS or
cloud applications.
vSentry automatically protects the desktop from these applications, but it also protects the applications from all other untrusted tasks, including at-
tacks on themselves or each other, such as in the event of a service provider compromise.

Section 6: ConclusionHow To Defeat Advanced Malware: New Tools for Protection and Forensics
In Conclusion
Micro-virtualization addresses the two fundamental challenges of today’s computer systems:
1. Users will make mistakes, and
2. Software will have vulnerabilities
Key benefits to Micro-virtualization include:
• Automatically defeating undetectable malware, so security teams stay focused on business needs, not costly
and time consuming forensics or remediation
• Providing real-time insights into every type of attack
• Protecting users even if they click on malicious links, so they can access any website and open any attachment
or document, thereby, allowing them to safely embrace mobility and empower your users

How To Defeat Advanced Malware. New Tools for Protection and Forensics

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (19)

Ähnlich wie How To Defeat Advanced Malware. New Tools for Protection and Forensics

Ähnlich wie How To Defeat Advanced Malware. New Tools for Protection and Forensics (20)

Mehr von London School of Cyber Security

Mehr von London School of Cyber Security (17)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

How To Defeat Advanced Malware. New Tools for Protection and Forensics