Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013

Agenda Threat landscape and current approach The anatomy of an attack Next generation endpoint security

THREAT LANDSCAPE AND CURRENT APPROACH

Recapping the Problem

>99.9% of malware samples received in 2012 were Targeted at Windows

The Traditional Approach – works to a point Signatures

The Traditional Approach – works to a point Generics

The Traditional Approach – works to a point Heuristics and Sandboxing

Two fundamental problems with todays approach… Detection –1 new threat each second versus 1 signature update per day –New signature updates could be produced more frequently but cannot be consumed more quickly –The cloud helps, but we cannot check each file with the cloud –Signatures don’t help against APTs and Zero-day attacks Performance –Scanning all files for all things takes time –As the number of threats multiply, the impact of scanning multiplies

THE ANATOMY OF AN ATTACK

Four Phases of an Attack First Contact Physical Access Unsolicited Message Network Access Malicious Website or URL Local Execution Social Engineering Configuration Error Exploit Establish Presence Download Malware Escalate Privilege Self-Preservation Persist on System Malicious Activity Propagation Bot Activities Identity & Financial Fraud Tampering Adware & Scareware How the attacker first crosses path with target How the attacker gets code running How code persists code on the system, to survive reboot The business logic, what the attacker wants to accomplish

Four Phases of an Attack, e.g. Fake AV First Contact Physical Access Unsolicited Message Network Access Malicious Website or URL Local Execution Social Engineering Configuration Error Exploit Establish Presence Download Malware Escalate Privilege Self-Preservation Persist on System Malicious Activity Propagation Bot Activities Identity & Financial Fraud Tampering Adware & Scareware Persist on System Exploit Malicious Website or URL How the attacker first crosses path with target How the attacker gets code running How code persists code on the system, to survive reboot The business logic, what the attacker wants to accomplish

A generic approach to protection First Contact Physical Access Unsolicited Message Network Access Malicious Website or URL Local Execution Social Engineering Configuration Error Exploit Establish Presence Download Malware Escalate Privilege Self-Preservation Persist on System Malicious Activity Propagation Bot Activities Identity & Financial Fraud Tampering Adware & Scareware Device control  Hard disk encryption Web filtering Host firewall  Network access control filtering Memory & kernel protection  Database monitoring On-access scanning  Access protection rules  Application whitelisting Auditing  Access protection rules Web filtering  Host firewall Memory & kernel protection  Database monitoring  Auditing Access protection rules Access protection rules  Kernel protection On-access scanning  Application whitelisting Web filtering  Host firewall On-access scanning  Application whitelisting On-access scanning  Access protection rules  Application whitelisting On-access scanning  Application whitelisting Integrity monitoring How the attacker first crosses path with target How the attacker gets code running How code persists code on the system, to survive reboot The business logic, what the attacker wants to accomplish

Does this approach work? Source: Aberdeen Group, March 2012

NEXT GENERATION ENDPOINT SECURITY

Context-Aware Endpoint Platform Next-Generation Endpoint Security NEXT-GENERATION ENDPOINT SECURITY Cloud Application Database OS Chip Unified Security Operations Security Information and Events Risk and Compliance Real-time information FIRST-GENERATION Desktop/Laptop Blacklist Files Focus on Devices Windows Only Static Device Policy Disparate, Disconnected Management DesktopLaptopMobileServerVirtualEmbedded Data Center

Next Generation Anti-Malware Core: Technology Overview Flexible Multiple content streams | Updateable components Reputation enabled File, IP, site, domain | Prevalence Resilient Advanced repair | Built-in false prevention logic | Centralized quarantine Signature-less detection Shell code & script exploits | Reputation and trust based process restrictions | Environmental heuristics | Process profiling High performance Adaptive scanning and dynamic scan avoidance using trust logic | Static and dynamic whitelisting Context awareness OS | Application | Network | File | Registry | Memory | Process execution

Adaptive scanning and false avoidance

Traditional combined with reputation Global Threat Intelligence Cloud lookups for file, URL, domain, IP reputation, and metadata Traditional signatures Generics and heuristics What do you do about the remaining items, with various levels of suspiciousness?

Intelligent Trust and Selective Scanning Normal Low High Define multiple scanning states, providing differing levels of monitoring, hooking different kernel activity etc.: Trusted - limited set of their events monitored Normal – intermediate set of events monitored Suspicious - full set of their events monitored Categorise file based on knowledge: Where did it come from (Internet, USB, local net, …)? How did it arrive, (trusted process, user, …)? What else is known about it? Processes inherit the trust of their binary image file Monitor processes based on scanning state

Adaptive Scanning based on behavior Malware families follow certain behavioral patterns Observe what grey files and processes do, looking for suspicious behavior Keep track of events in a local database Normal Low High Change state based on behaviours, e.g. –If something suspicious seen, increase event monitoring for that process: Connects to known bad IP or URL: More suspicious Signed by known trusted certificate: Less suspicious –Get aggressive, but in a highly targeted way!

Summary First gen endpoint solutions scan with signatures once and if no infection found allow any action –Increased malware volume means this technique will impact on performance –Increased speed of propagation renders this approach ineffective against new malware, zero-day attacks and APTs Next gen endpoint solutions need –Light scan to minimise performance impact –Heavy scan to detect new malware An adaptive approach is the only way to improve detection whilst reducing performance impact

THANK YOU