This document summarizes a presentation given by Jason Shupp of Invincea, Inc. on the topic of endpoint security evasion. It discusses current challenges with antivirus software, including its reliance on known threats and the hundreds of thousands of new malware variants seen daily. The presentation then outlines how Invincea's FreeSpace product works to contain applications in an isolated environment to prevent compromise, using behavioral detection rather than signatures. It concludes with a demonstration of FreeSpace protecting against weaponized documents while traditional defenses are bypassed.
2. Meet the Presenter
Jason Shupp is a Senior Systems Engineer at Invincea, Inc. located in Fairfax, Virginia. Jason is a cyber-security expert with 14 years’ experience in the industry. His career started in the United States Marine Corps as a Tactical Network Specialist. Since that time, he has worked for various companies including Symantec, ArcSight and HP. Jason enjoys spending time with his family, sports and most outdoor activities.
3. Agenda
1. Endpoint Security Evasion
2. Current Endpoint Security Challenges
3. Invincea FreeSpace™ – How it Works
4. Endpoint Security Portrayed in “Real Life”
5. Demonstration
5. Endpoint Security Evasion
• Hundreds of thousands of variants daily
– It only takes one…
• There is no safe – no barriers
– Failed detection = compromise
• Malware running with elevated privileges
– Stop running processes
– Stop/disable services
• Install more malware!
• Tampering protection
• It all sounds so easy
– And you’re right, it is…
7. Antivirus Software
• Created in the late 1980s
• Prevent, detect and remove malicious software
• Detection methodology
1. Signature – known bad file
2. Heuristic – characteristics of known bad
3. Behavioral – actions at run-time
• Protection built solely upon “known” threats
• 450K new variants per day
– (McAfee Labs Threats Report: November 2014)
• Have you read the media?
8. Other Solutions
• Whitelisting Solutions
– Trust Java.exe – right?
– CNN.com is not compromised today
• Network Based Endpoint Security
– HUH?
– Not at work – secure your computer and turn it off
• Continuous Monitoring Solutions
– SIEM’s have been doing this for years
– There is a needle in that haystack
• Usability, scalability, resource consumption, false positives, etc.
10. Invincea FreeSpace™ – Endpoint Innovation – Protect the User
Enterprise Endpoint Application & Data Collection
Invincea FreeSpace™
• Endpoint application
• Priced per seat
• Subscription license
Protection options:
• Browsers (IE, Firefox, Chrome)
• PDF
• Office Suite (PPT, XLS, DOC)
Application requirements: <90 MB RAM, 150 MB free disk space, Intel/AMD x86 chipset
Supported operating systems: Windows XP, Windows 7 32- and 64-bit, Windows 8.1
Invincea Management Server
• Threat Data Server Module
– Optional integration to other technologies
• Config Management Module
– Track deployments
– Manage groups
– Maintain audit trail
– Schedule software updates
– Reporting
• Multiple deployment options
– Virtual appliance
– Physical appliance (1U rack-mounted)
– Cloud hosted
11. How it Works
Containment
- Automatically created on user login
- Isolated environment to run applications
Detection
- No signatures
- Patented behavioral-based detection
Prevention
- Leverages detection
- Automatic termination of suspect activity
Intelligence
- Collection upon detection
- File system, process, registry, network…
17. Recap
• Front Door = Vulnerable Applications
– Entry point to the Endpoint
• Vulnerable Applications
– Web browsers, Office applications, PDF, Media players, ZIP
• We’re all running them!
• And the bad guys know it!
• These applications are all vulnerable
– Have been breached
– Will continue to be breached
• So how is Invincea any different?
18. Invincea Difference
• Traditional security applications are installed side by side with the vulnerable applications
– They can be broken, disabled or simply not working
• Invincea forces vulnerable applications inside the product
– Container is the first layer of security
• Breaching the vulnerable application is no longer a breach
• There will always be vulnerabilities
• Vulnerabilities leading to compromise are thwarted
22. Thank you!
Invincea @Invincea
Jason Shupp
@JasonShupp
Learn more about Invincea’s solutions or visit our website at www.invincea.com
Contact us at 1-855-511-5967
Editor’s Notes
Antivirus technology was created in the late 80’s after a concept was proven to create malicious applications. Its sole purpose, then and today, is to prevent, detect and remove malicious software. The very first version of antivirus included only signature-based detection, which is still widely in use today in these technologies. The 3 common detection methodologies in use today include this same signature-based detection with the addition of heuristic and behavioral detection.
Signature-based detection simply leverages the fingerprint of a known bad file. The file has been analyzed and is known to be malicious. Scan every file and identify this file if it exists. Over the years, as more and more malicious files were created, heuristic detection was born. Researchers noticed that malware authors were reusing code over and over to perform malicious activity. For example, code that accessed and recorded keystrokes could be identified with heuristic detection since this type of behavior is almost always malicious. Heuristic detection basically includes characteristics of known bad. Behavioral detection includes monitoring the actions of the file or application as it runs. A legitimate Windows application will almost always register in Windows Add/Remove Programs. A good example of behavioral detection is if a program installs and doesn’t register in Add/Remove Programs – it could be considered malicious. There are different levels of both behavioral and heuristic detection, and if these levels aren’t tightly controlled a considerable amount of false positives could be generated.
Antivirus technology has expanded and most vendors will include this technology in a suite of applications such as a firewall or host IDS/IPS. This suite of applications provides protection based only on the known. If it’s a new exploit or a brand new variant of a threat, there is a very high probability that the threat will not be detected or stopped.
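The three detection tiers described in these notes, worked through on a constructed corpus. This is an added illustration and not the presenter's or any vendor's code: the sample "files", their import tables, their run-time events and the signature database are all made up here so the script runs offline. It shows why a rebuilt variant with a new hash slips past the signature tier but not the other two, and why a benign remote-support tool trips the heuristic tier (the false-positive risk the notes mention) while the behavioral tier, which keys on the Add/Remove Programs registration the notes use as its example, does not.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed samples: a "file" is just bytes plus an import table and the
# actions it was observed performing. None of this is real malware.
@dataclass
class Sample:
    name: str
    content: bytes
    imports: set = field(default_factory=set)
    runtime_events: list = field(default_factory=list)  # (kind, target) pairs

# Tier 1 - signature: fingerprint of a file already analysed and known bad.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"KEYLOGGER-BUILD-1").hexdigest()}

def signature_detect(s: Sample) -> bool:
    return hashlib.sha256(s.content).hexdigest() in KNOWN_BAD_SHA256

# Tier 2 - heuristic: characteristics of known bad. The notes' example is
# keystroke capture; here a keyboard hook combined with network output is
# the characteristic, because benign code rarely needs both together.
HOOK_APIS = {"SetWindowsHookExW", "GetAsyncKeyState"}
NET_APIS = {"send", "WSASend", "InternetOpenUrlW"}

def heuristic_detect(s: Sample) -> bool:
    return bool(s.imports & HOOK_APIS) and bool(s.imports & NET_APIS)

# Tier 3 - behavioral: actions at run time. The notes' example is a program
# that installs itself but never registers in Add/Remove Programs.
UNINSTALL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

def behavioral_detect(s: Sample) -> bool:
    installs = any(kind == "install" for kind, _ in s.runtime_events)
    registers = any(kind == "registry_write" and target.startswith(UNINSTALL_KEY)
                    for kind, target in s.runtime_events)
    return installs and not registers

def classify(s: Sample) -> dict:
    """Run all three tiers and report which ones flag the sample."""
    return {"signature": signature_detect(s),
            "heuristic": heuristic_detect(s),
            "behavioral": behavioral_detect(s)}

# Constructed corpus (hypothetical names and paths).
SAMPLES = {
    # The analysed file whose hash is in the signature database.
    "known_bad": Sample("known_bad", b"KEYLOGGER-BUILD-1",
                        {"SetWindowsHookExW", "send"},
                        [("install", r"C:\Users\user\AppData\Roaming\svc.exe")]),
    # Same code rebuilt: new hash, same characteristics and behaviour.
    "new_variant": Sample("new_variant", b"KEYLOGGER-BUILD-2",
                          {"SetWindowsHookExW", "send"},
                          [("install", r"C:\Users\user\AppData\Roaming\svc.exe")]),
    # Legitimate installer: installs and registers for uninstall.
    "office_setup": Sample("office_setup", b"OFFICE-SETUP",
                           {"CreateFileW", "RegSetValueExW"},
                           [("install", r"C:\Program Files\Office\winword.exe"),
                            ("registry_write", UNINSTALL_KEY + r"\Office")]),
    # Remote-support tool: hooks the keyboard and talks to the network, so the
    # heuristic fires on it even though it behaves like a normal application.
    "remote_support": Sample("remote_support", b"REMOTE-SUPPORT",
                             {"SetWindowsHookExW", "WSASend"},
                             [("install", r"C:\Program Files\Support\rs.exe"),
                              ("registry_write", UNINSTALL_KEY + r"\Support")]),
}

def report() -> dict:
    """Verdict of every tier for every sample in the constructed corpus."""
    return {name: classify(s) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:15} {verdict}")
```

Running the script prints one line per sample; the interesting rows are `new_variant`, caught by heuristic and behavioral but not signature, and `remote_support`, where only the heuristic fires.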
NEED MORE
There are 2 core products that make up the current Invincea platform. First, on the left is Invincea FreeSpace. This is the endpoint application that provides protection for the most vulnerable applications running on Windows endpoints today. These applications include the major web browsers (IE, Firefox & Chrome), PDF documents and the Office suite of document applications. The application requirements for Invincea are key: FreeSpace utilizes less than 90MB of RAM during peak performance. Invincea’s streamlined and lightweight approach does not require hardware acceleration, which means there are no hardware dependencies. FreeSpace will run on your legacy systems. The supported operating systems, as you can see, include XP through Windows 8.1, including virtual instances of these operating systems.
On the right is the Invincea Management Server. There are 2 core modules and functions of this server. First, the Threat Data Server module is responsible for receiving and processing the detection or forensic data collected by the FreeSpace client. This forensic data can then be integrated with your existing security controls. The Configuration Management Module is responsible for managing the FreeSpace client after the initial deployment. Customers will leverage their existing software distribution technologies to deploy the agent; the agent then immediately connects to the Server, where it is centrally managed. This server is offered as a prepackaged virtual machine, and the modular design allows us to scale to the largest environments – which we’ve proven.
Here is how the FreeSpace client works. These are the 4 core features of the product.
First, when the user logs into their system, the Containment environment is created on the endpoint in the background. There is no cloud environment or server infrastructure required – it’s all running on the endpoint. This is known as a Secure Virtual Container and is used to seamlessly run the vulnerable applications I previously mentioned. For example, when the user clicks on IE to go to the internet, Invincea forces IE to run from inside this Secure Virtual Container, where it is protected; if it is compromised, changes are made only to the container and not the underlying host.
Inside the Secure Virtual Container, we’ve instrumented a patented behavioral-based Detection engine which constantly monitors the container for suspect activity. The detection engine is completely signature-less and only monitors the known good transactions of the supported applications. The detection engine has no prior knowledge of what malware is. Invincea understands how applications were designed to function, including which portions of the disk and registry are accessed along with inter-process communication between applications. This approach has enabled Invincea to truly detect the unknown without any type of updates.
Prevention leverages the detection engine; both are unique to Invincea. Simply put, when suspect activity is detected Invincea immediately shuts it down. We firmly believe that there are no good use cases for a production user to ever run malware on their endpoint. Allowing malware to run, despite its crippled ability to persist on the endpoint, still allows for data loss and doesn’t prevent lateral movement on the network.
And finally, during an infection attempt on the endpoint, think of Invincea hitting the record button inside the Secure Virtual Container. All transactions are recorded in real time, including file system modifications, process creation/deletion/injection, registry changes, network activity and more. All of this collected data is securely transmitted to the Invincea Management Server, or cached locally if the server connection is unavailable and later processed when the connection to the server is reestablished.
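The four features just described, containment, known-good detection, termination and forensic collection with offline caching, reduced to a small simulation. This is an added example, not Invincea's implementation; the browser profile (allowed paths, registry keys, child processes and ports), the `Reporter` that stands in for the management server, and both event streams are constructed for illustration. The point it makes is the one in the notes: the monitor has no notion of malware, only of what the contained application is designed to do, so the first transaction outside that profile ends the session and the full recording is shipped, or cached until the server is reachable again.

```python
from dataclasses import dataclass, field

# Constructed known-good profile for a contained browser: the paths, registry
# keys, child processes and ports the application is designed to use.
BROWSER_PROFILE = {
    "file_write": ("C:\\Users\\user\\AppData\\Local\\Browser\\",),
    "registry_write": ("HKCU\\Software\\Browser\\",),
    "process_create": ("browser.exe", "browser_render.exe"),
    "network": ("80", "443"),
}

def is_known_good(kind: str, target: str, profile: dict) -> bool:
    """Positive model: True only if this transaction is one the app is designed to make."""
    allowed = profile.get(kind)
    if allowed is None:          # a category the application never performs
        return False
    if kind == "network":        # target is host:port; only the port is profiled here
        return target.rsplit(":", 1)[-1] in allowed
    return any(target.startswith(prefix) for prefix in allowed)

@dataclass
class Reporter:
    """Stand-in for the management server; caches records while it is unreachable."""
    server_up: bool
    received: list = field(default_factory=list)
    local_cache: list = field(default_factory=list)

    def submit(self, record: dict) -> None:
        (self.received if self.server_up else self.local_cache).append(record)

    def reconnect(self) -> None:
        self.server_up = True
        self.received.extend(self.local_cache)
        self.local_cache.clear()

@dataclass
class ContainerSession:
    app: str
    recording: list = field(default_factory=list)   # every transaction, in order
    terminated: bool = False
    trigger: tuple = None                            # first transaction outside the profile

def run_session(app: str, profile: dict, events: list, reporter: Reporter) -> ContainerSession:
    """Replay (kind, target) events inside the container; stop at the first deviation."""
    session = ContainerSession(app)
    for kind, target in events:
        session.recording.append((kind, target))     # the record button is always on
        if not is_known_good(kind, target, profile):
            session.terminated = True                 # prevention: terminate, not just alert
            session.trigger = (kind, target)
            reporter.submit({"app": app, "trigger": session.trigger,
                             "events": list(session.recording)})
            break
    return session

# Constructed event streams.
BENIGN_BROWSING = [
    ("network", "news.example:443"),
    ("file_write", "C:\\Users\\user\\AppData\\Local\\Browser\\Cache\\0001"),
    ("registry_write", "HKCU\\Software\\Browser\\LastVisited"),
    ("process_create", "browser_render.exe"),
]
EXPLOITED_SESSION = [
    ("network", "news.example:443"),
    ("file_write", "C:\\Users\\user\\AppData\\Local\\Browser\\Cache\\0002"),
    ("file_write", "C:\\Users\\user\\AppData\\Roaming\\update.exe"),  # outside the profile
    ("process_create", "update.exe"),                                  # never reached
]

def demo(server_up: bool = True):
    """Run a benign and a compromised session against one reporter."""
    reporter = Reporter(server_up=server_up)
    good = run_session("browser", BROWSER_PROFILE, BENIGN_BROWSING, reporter)
    bad = run_session("browser", BROWSER_PROFILE, EXPLOITED_SESSION, reporter)
    return good, bad, reporter

if __name__ == "__main__":
    good, bad, reporter = demo(server_up=False)
    print("benign session terminated:", good.terminated)
    print("compromised session stopped at:", bad.trigger, "after", len(bad.recording), "events")
    print("records cached while offline:", len(reporter.local_cache))
    reporter.reconnect()
    print("records delivered after reconnect:", len(reporter.received))
```

Note the ordering in `run_session`: the event is appended to the recording before it is judged, so the forensic record handed to the reporter always includes the transaction that triggered termination.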
The next section is going to cover traditional Endpoint Security in real life. And in about 15 seconds, when I transition to the next slide, you’re going to see why I’m in the Cyber Security field and not a graphic designer or art major. My wish is that you enjoy my elementary pictures and animations, which I enjoyed putting together to tell this story.
I couldn’t think of a much better way to depict security in real, everyday life. We all live somewhere, and every day we practice security in our homes.
[click]
We have windows – which have locks, and unless you have a crazy 5-year-old boy like me trying to get out, those locks are meant to keep the bad guys out. So we lock them and will generally keep them locked.
[click]
We have doors which also have locks for the same reasons and a majority of us will ensure the doors are locked when leaving. The thought of “did I lock the door” is not uncommon.
[click]
If you’re borderline crazy concerned like I am, you’ll also install cameras outside (sometimes inside) so you can record and go back and see who it was that broke into your home!
[click]
And then it’s very common to have electronic monitoring of these same entry points into your home. So we install a security system which monitors the opening and closing of windows and doors and also to track movement in your home while you’re sleeping or away.
[click]
So what’s left? It looks like the only way a bad guy is getting into this home is through the chimney. And there is a really good chance that if it’s not a baby or Santa Claus trying to access your home, they are not going to get in.
[click]
But there is still an issue of concern. And that is the homeowner – or with a computer it’s the user. Most break-ins occur when the user is at home. Most of these criminals walk right through the front door. Why? Well because the homeowner is home, it’s in the middle of the day and the door is unlocked. But don’t worry – you’re continuously monitoring so you’re sure to figure out who stole all of your stuff!
[click]
And now we’re inside the home. Again, another Picasso picture here for you. And look there, right there is the homeowner with their hand on their hip, hanging out and relaxing like nothing is wrong.
[click]
They’re just standing around staring at all of their valuables – which is merely represented by the safe, which I’ll add is a pretty good picture.
[click]
Next thing you know, here comes Joe Robber strolling right in through the front door. He puts his hands in his pocket, thinks for a minute and then bounces out of your house with all of your stuff.
[click]
But wait, let’s back up for one minute. Clearly if you’re home and you see someone in your house that’s not supposed to be there – something is going to happen. You’re not just going to say “hey how are you Joe Robber, I hope you enjoy all of my stuff” and let them leave. So, in real life you’re going to recognize the intruder and take some sort of action. Traditional Endpoint Security doesn’t do this today. In this example, if the homeowner doesn’t recognize the intruder…
[click]
They will go on about their business and ignore the threat – because they don’t know the threat is there.
[click]
Or maybe they are not even home but regardless all of their stuff has now been stolen. This is what happens today with Endpoint Security. The application deployed to your systems to protect you from threats doesn’t have the ability to recognize a new threat. This means that you’re always going to be vulnerable and always going to be compromised. This doesn’t make sense in real life security – and it certainly doesn’t make sense to let it happen in the cyber world.
And now we’re back inside the house, only this time the house is protected by Invincea. You know this because of the Invincea icon at the top of the house. I know… hopefully my artistic ability does NOT precede me. So anyway, Invincea has changed things a bit.
[click]
The safe is now a representation of our Secure Virtual Container.
[click]
And the valuables, represented by money, are no longer in the safe – they are just in the house. Kind of like the way your data is on your endpoint.
[click]
And there is the homeowner (or the user), just hanging out upstairs in an empty room and again doing absolutely nothing. I kind of wanted them downstairs but they wouldn’t fit with the large stack of money on the floor – you know, because we all have large stacks of money just lying around.
[click]
So in walks Joe Robber again. Only this time it’s different. The entry points (on an endpoint, that is your computer) are still the doors and windows, but in the Invincea-protected house the only way to reach them is through the container – or the safe, as it’s represented in the picture.
[click]
So, we’re going to stick Joe Robber in the safe, and now he has to bust himself out of this container in order to access the goods. He knows about the money lying on the floor and he’s motivated to get it. And as he tries to get out…
[click]
He’s terminated and the session is gone. The only thing he can do is try again.
[click]
He does, with the same outcome.
To recap the childish pictures, the front door is the same as the vulnerable applications on our endpoint. These applications are the gateway or the entry point into your system and networks.