Today more than 2 million malware signatures are identified each month and traditional anti-virus defenses simply can’t keep up. Even the major anti-virus vendors have concluded that stand-alone anti-virus no longer provides an effective defense and that additional layers of security technology are needed to address the rising volume and sophistication of threats. View this presentation to learn:
• Why you can’t forget about older vulnerabilities
• How to reduce exposure from both OS and 3rd party application vulnerabilities
• The challenges with reliance upon “free” patching tools and native updaters
• Why you should consider patch management as the core of an effective defense-in-depth endpoint security approach
2. Today's Speaker: Paul Henry, Security & Forensics Analyst (MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI, CCE), SANS Institute Instructor
3. Today's Agenda
• More Vulnerabilities – Beyond Just Microsoft
• Increased Sophistication of Attacks
• Patch Management Challenges
• The Best First Line of Defense
• Q&A
12. Web Applications are the Leading Attack Path
The applications we use today for productivity: collaborative / browser-based / open source. Social communities, gadgets, blogging and widgets open up our networks to increasing risk every day.
Source: Verizon, 2010 Data Breach Investigations Report
19. Common Denominator
In a recent data breach study of 500 breaches, 90% of the exploits used for entry had patches available for 6 months or longer. The same study went on to point out that 50% of systems have 10 or more vulnerabilities for which patches are currently available.
21. Minimize Your True Endpoint Risk
Areas of Risk at the Endpoint:
• Patch and configuration analysis and delivery are needed across all systems: operating systems and applications.
• Unmanaged endpoints on the network are unknown and unprotected.
• Application and operating system patching is not benchmarked or continuously enforced.
• Standard configurations are not assessed or enforced.
• Un-patched browsers represent the highest risk for web-borne malware.
[Chart: 5% Zero-Day, 30% Missing Patches, 65% Misconfigurations. Source: John Pescatore, Vice President, Gartner Fellow]
23. The Old Approach Doesn't Work
• Fragmented approach to vulnerability management
• Tools do not consolidate or centralize the management of heterogeneous environments
• High management overhead & cost
• Lack of visibility of the overall security posture
• Doesn't discover blind spots or hidden devices
• Disparate reporting
25. Patching Client-Side Apps Now #1 Priority
The problem of un-patched client-side vulnerabilities is one of the two most pressing priorities organizations need to address to mitigate cyber security risks. Most organizations today take at least twice as long to patch third-party application vulnerabilities as they do to patch operating system vulnerabilities.
Source: SANS Institute, Top Cyber Security Risks, September 2009
26. Managing Vulnerabilities: Best Practices
Source: Aberdeen Group, Managing Vulnerabilities and Threats (No, Anti-Virus is Not Enough), December 2010
27. Comprehensive and Actionable IT Risk Mitigation
Lumension® Endpoint Management & Security Suite: Patch & Remediation
• Discovers: Ensures complete visibility of all IT assets, both managed and unmanaged.
• Assesses: Performs a deep analysis and thorough OS, application and security configuration vulnerability assessments.
• Prioritizes: Focuses on your most critical security risks first.
• Remediates: Automatically deploys patches to an entire network per defined policy to support all OSs and applications, to both online AND offline machines.
• Reports: Provides operational and management reports that consolidate discovery, assessment and remediation information on a single management console.
32. Patch is Core Component of Defense-in-Depth
[Figure: two endpoint security stacks. Traditional Endpoint Security, with blacklisting as the core: AntiVirus, Device Control, Application Control. Emerging Endpoint Security Stack, defense-in-depth with Patch & Configuration Mgmt. as the core: Application Control, Device Control. Drivers shown: Consumerization of IT, Zero Day, Malware as a Service, 3rd Party Application Risk.]
34. Next Steps
• Overview of Lumension® Patch and Remediation: http://www.lumension.com/Resources/Demo-Center/Overview-Vulnerability-Management-Solution.aspx
• Vulnerability Scanner Tool: http://www.lumension.com/Resources/Security-Tools/Vulnerability-Scanner.aspx
• Third Party Analysis – Forrester Wave: Vulnerability Management 2010: http://www.lumension.com/Resources/Reports/Forrester-Wave---Vulnerability-Management-Q2-2010.aspx
• Tolly Report: TCO Comparison – Lumension® vs. Microsoft® WSUS: http://www.lumension.com/Resources/WhitePapers/Lumension-Vulnerability-Management-Microsoft-WSUS.aspx
35. Global Headquarters: 8660 East Hartford Drive, Suite 300, Scottsdale, AZ 85255; 1.888.725.7828; info@lumension.com
Editor's notes
browser is delivering unprecedented levels of business productivity and IT risk every day to your endpoint environment. Most organizations can't stop it: business productivity. A younger workforce blends social, business and personal communications together as one. Social networking applications are in use in 95% of businesses today; 78% of these applications support file transfers, many are known to be propagators of malware and have vulnerabilities associated with them. The same holds in industries like financial services and healthcare: 95% usage of social networks across the board. Cybercriminals are targeting these social applications; the greatest opportunity for them is the amount of trust end users put into these social applications. Once in, they can replicate their malware with amazing speed and devastating impact. With browser-based risk we then are in reality starting to talk about cloud computing. There isn't anyone in IT today who hasn't heard of or discussed cloud computing.
The web continues to be a common path of infection. Among web-based malware, we distinguish auto-executed "drive-by downloads" from those involving user interaction. Many of the latter incorporate a social engineering aspect ("click to clean your system"). The web installation vector is more opportunistic in nature than the "installed by attacker" variety that usually targets a pre-selected victim. Once the system is infected, the malware alerts an external agent who will then initiate further attacks. The web is a popular vector for the simple reason of that's where the users are. Overly-trusting browsers and users operating with administrative privileges only add to this popularity.
While not extremely common, we did observe several cases in which malware was coded directly into an existing program or script. This, of course, requires access to the system but also knowledge of how the code works. Not surprisingly, these often involve malicious insiders who developed the code or administer the system on which it runs. However, a few very interesting cases of this type were committed by outsiders. One of these involved an external agent that had access to the system for over six months. During this time, he studied the input/output process and developed a custom script to siphon data when new accounts were created.
The flow of the trojan installation process
When users open the MS Word file xxx1.doc, the MS Access file xxx2.doc is loaded through the data link properties. Then the shellcode in the xxx2.doc file runs (triggered by the MS Jet exploit in the same file) and decodes itself in typical fashion. The shellcode launches WinWord.exe to open the innocent Word file embedded in xxx1.doc. While the shellcode opens the Word file, it also decodes the executable file embedded in xxx1.doc. The decoding consists of a simple XOR with a mask of 0xFF, plus deobfuscation of the first 8 bytes of the MZ header, which are masked with the XOR mask 0xAF. You may see the data link aspect of xxx1.doc by placing the xxx2.doc file in a different folder than xxx1.doc. When users open xxx1.doc, the "Data Link Properties" window appears. The specified database name is the path containing xxx2.doc and the password is empty. Because of this data link, xxx2.doc is typically loaded silently.
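The masking scheme in the note above (XOR 0xFF over the embedded executable, XOR 0xAF over the first 8 bytes of its MZ header) is simple enough that an analyst can recover the dropped file from a captured document without running it. The following is an added example, not code from the presentation or from Lumension: it decodes a blob masked that way, scans a container for the masked "MZ" signature, and checks that what it finds has the shape of a PE file. It assumes the 0xAF mask covers exactly the first 8 bytes and the 0xFF mask the rest (the note does not say whether the two layers overlap), and the "sample" it scans is a constructed PE-shaped buffer, not a real malware specimen.

```python
# Added example (not from the presentation): decode and locate an executable
# masked the way the speaker notes describe for the xxx1.doc dropper.
# Assumption (labelled): the first 8 bytes of the embedded file are XORed
# with 0xAF and every byte after that with 0xFF; the notes do not say
# whether the 0xAF layer replaces or follows the 0xFF layer, so this
# example treats them as two disjoint regions.

HEADER_LEN = 8
HEADER_MASK = 0xAF
BODY_MASK = 0xFF
MASKED_MZ = bytes(b ^ HEADER_MASK for b in b"MZ")   # b"\xe2\xf5"


def decode_embedded_pe(blob: bytes) -> bytes:
    """Undo the two-region XOR mask. XOR is its own inverse, so the same
    function also applies the mask, which the sample builder below uses."""
    head = bytes(b ^ HEADER_MASK for b in blob[:HEADER_LEN])
    body = bytes(b ^ BODY_MASK for b in blob[HEADER_LEN:])
    return head + body


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural sanity check: DOS 'MZ' stub, e_lfanew inside the
    buffer, and the 'PE\\0\\0' signature where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_masked_pe(container: bytes, min_len: int = 0x44) -> list[int]:
    """Scan a captured document for the masked 'MZ' signature and report
    offsets where decoding yields something that passes looks_like_pe()."""
    hits = []
    pos = container.find(MASKED_MZ)
    while pos != -1:
        candidate = decode_embedded_pe(container[pos:])
        if len(candidate) >= min_len and looks_like_pe(candidate):
            hits.append(pos)
        pos = container.find(MASKED_MZ, pos + 1)
    return hits


def build_constructed_sample() -> tuple[bytes, bytes, int]:
    """Constructed test data, not a real sample: a minimal PE-shaped
    buffer (MZ stub, e_lfanew = 0x40, 'PE\\0\\0' signature, some payload)
    masked and embedded in filler bytes at a known offset."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3A)        # 0x3C bytes of DOS stub
    pe += (0x40).to_bytes(4, "little")             # e_lfanew -> offset 0x40
    pe += b"PE\0\0" + b"payload-bytes" * 4         # NT signature + body
    pe = bytes(pe)
    masked = decode_embedded_pe(pe)                # apply the mask (XOR is symmetric)
    prefix = b"\xd0\xcf\x11\xe0" + b"A" * 96       # OLE2 magic plus filler
    container = prefix + masked + b"B" * 16
    return container, pe, len(prefix)


if __name__ == "__main__":
    container, original, offset = build_constructed_sample()
    for hit in find_masked_pe(container):
        recovered = decode_embedded_pe(container[hit:hit + len(original)])
        print(f"masked PE at offset {hit}, header {recovered[:2]!r}, "
              f"matches original: {recovered == original}")
```

The scan keys on the two-byte masked signature rather than on the full mask because the signature is what survives whichever layer order the dropper actually used; a hit is only reported when the decoded bytes also carry a plausible e_lfanew and "PE\0\0" signature, which keeps false positives from random 0xE2 0xF5 pairs out of the report.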
Today, an amateur can get a complete malware toolkit for $200 that has the capability of doing damage worth millions. The story doesn't end here: just like SaaS (Software as a Service), you can rent big botnets for less than a grand that could take a complete network of computers down and/or infect them to leave it paralyzed for several days. The damage is uncountable.
Your environment also has all sorts of risk added every day and in different ways. The software and OS lifecycle assumes new bugs; design flaws will be discovered as technology is adopted and deployed. On average, 15 new vulnerabilities are released per day, and over 90% of vulnerabilities could be exploited remotely. Software vulnerabilities grow daily. Understanding these risks is critical to your ability to address risk efficiently.
Network and endpoint resources are taxed as bandwidth, storage and processing affect the bottom line. IT organizations have fewer personnel resources with which to manage endpoint operations and security. Lack of visibility and coordination between functional areas of IT operations and security impacts the ability to efficiently and effectively manage organizational compliance and IT risk.
The old approach of managing vulnerabilities with disparate products and processes is expensive and requires high management overhead. Without centralized management and reporting across your distributed systems, platforms, and applications, you can't achieve the operational efficiency and cost savings required in today's economy.
Lumension Patch and Remediation's automated workflow follows the Aberdeen recommendations and is now a module on the Lumension Endpoint Management and Security Suite, which consolidates endpoint operations, security, compliance, and IT risk management workflows for enhanced visibility & control. Single-agent, single-console architecture reduces complexity and total cost of ownership.
• Provides end-to-end visibility
• Improves productivity
• Enhances security
• Optimizes compliance and IT risk management
• Reduces IT environment complexity
• Reduces endpoint total cost of ownership
• Provides greater visibility into and control over your network's endpoints
• Elevates security and compliance posture
• Optimizes existing resources for reduction of IT risk
• Supports your IT environment within a dynamic business environment
Key Features:
• Integrated Endpoint Management Console
• Modularly Licensed Product Capabilities
• Scalable and Agile Architecture
• Single Promotable Agent