McAfee Web Gateway CxO presentation

Report
Next Generation Endpoint Security
Jason Brown
Enterprise Solution Architect
McAfee
May 23, 2013
Agenda
• Threat landscape and current approach
• The anatomy of an attack
• Next generation endpoint security
THREAT LANDSCAPE AND CURRENT
APPROACH
Recapping the Problem
Q2 2012:
>8 million new
malware samples
Up to 200,000 new
samples received
and processed daily
by McAfee Labs
Recapping the Problem
>99.9% of malware samples
received in 2012 were
Targeted at Windows
The Traditional Approach – works to a point
Signatures
The Traditional Approach – works to a point
Generics
The Traditional Approach – works to a point
Heuristics and Sandboxing
Two fundamental problems with todays
approach…
• Detection
– 1 new threat each second versus 1 signature update per day
– New signature updates could be produced more frequently but
cannot be consumed more quickly
– The cloud helps, but we cannot check each file with the cloud
– Signatures don’t help against APTs and Zero-day attacks
• Performance
– Scanning all files for all things takes time
– As the number of threats multiply, the impact of scanning multiplies
THE ANATOMY OF AN ATTACK
Four Phases of an Attack
First Contact
Physical Access
Unsolicited
Message
Malicious Website
or URL
Local Execution
Establish Presence
Malicious Activity
Propagation
Exploit
Download
Malware
Bot Activities
Escalate Privilege
Social
Engineering
Adware &
Scareware
Persist on System
Network Access
Configuration
Error
How the attacker first
crosses path with target
How the attacker gets
code running
Self-Preservation
How code persists code
on the system, to survive
reboot
Identity &
Financial Fraud
Tampering
The business logic, what
the attacker wants to
accomplish
Four Phases of an Attack, e.g. Fake AV
First Contact
Physical Access
Unsolicited
Message
Malicious Website
or URL
Local Execution
Establish Presence
Malicious Activity
Propagation
Exploit
Download
Malware
Bot Activities
Escalate Privilege
Social
Engineering
Adware &
Scareware
Persist on System
Network Access
Configuration
Error
How the attacker first
crosses path with target
How the attacker gets
code running
Self-Preservation
How code persists code
on the system, to survive
reboot
Identity &
Financial Fraud
Tampering
The business logic, what
the attacker wants to
accomplish
A generic approach to protection
First Contact
Device control 
Physical
Access
Hard disk encryption
Unsolicited
Email filtering
Message
Malicious
Website
Web filtering
or URL
Host firewall  Network access
control
Network Access
How the attacker first
crosses path with target
Local Execution
Establish Presence
Malicious Activity
Memory & kernel protection 
Database monitoring
Web filtering  Host firewall
Download
Malware
On-access scanning  Application
whitelisting
Exploit
Propagation
Bot Activities
Web filtering  Host firewall
Memory & kernel protection 
Database monitoring  Auditing
Escalate Privilege
On-access scanning  Access
protection rules  Application
whitelisting
Social
Engineering
Adware &
Scareware
On-access scanning  Application
whitelisting
Access protection
rules
Persist
on System
Configuration
Error
Auditing  Access protection
rules
How the attacker gets
code running
Access protection rules  Kernel
Identity &
Financial Fraud
On-access scanning  Access
protection rules  Application
whitelisting
Self-Preservation
protection
On-access scanning  Application
whitelisting
Integrity monitoring
How code persists code
on the system, to survive
reboot
The business logic, what
the attacker wants to
accomplish
Tampering
Does this approach work?
Source: Aberdeen Group, March 2012
NEXT GENERATION ENDPOINT
SECURITY
Context-Aware Endpoint Platform
Next-Generation Endpoint Security
Data Center
Embedded
Virtual
Server
Mobile
Laptop
Desktop
Desktop/Laptop
Blacklist Files
Focus on Devices
Windows Only
Static Device Policy
Disparate,
Disconnected Management
Unified Security
Operations
Real-time information
Cloud
Security Information
and Events
Application
Risk and Compliance
Database
OS
Chip
FIRST-GENERATION
NEXT-GENERATION ENDPOINT SECURITY
Next Generation Anti-Malware Core:
Technology Overview
High performance
Adaptive scanning and
dynamic scan avoidance
using trust logic | Static and
dynamic whitelisting
Context awareness
OS | Application | Network |
File | Registry | Memory |
Process execution
Signature-less detection
Shell code & script exploits |
Reputation and trust based process
restrictions | Environmental
heuristics | Process profiling
Reputation enabled
File, IP, site, domain |
Prevalence
Resilient
Advanced repair | Built-in
false prevention logic |
Centralized quarantine
Flexible
Multiple content streams |
Updateable components
Adaptive scanning and false avoidance
Is a scan
necessary?
Scan
according to
file state
False cloud
check
Traditional combined with reputation
Global Threat
Intelligence
Traditional
signatures
Cloud lookups for file, URL,
domain, IP reputation, and
metadata
Generics and
heuristics
What do you do about the remaining items, with
various levels of suspiciousness?
Intelligent Trust and Selective Scanning
Define multiple scanning states, providing
differing levels of monitoring, hooking different
kernel activity etc.:
•
Trusted - limited set of their events monitored
•
Normal – intermediate set of events monitored
•
Suspicious - full set of their events monitored
Normal
Low
Categorise file based on knowledge:
• Where did it come from (Internet, USB, local net, …)?
• How did it arrive, (trusted process, user, …)?
• What else is known about it?
Processes inherit the trust of their binary image file
• Monitor processes based on scanning state
High
Adaptive Scanning based on behavior
• Malware families follow certain behavioral
Normal
patterns
• Observe what grey files and processes do,
looking for suspicious behavior
• Keep track of events in a local database
Low
High
• Change state based on behaviours, e.g.
– If something suspicious seen, increase event monitoring for that process:
• Connects to known bad IP or URL: More suspicious
• Signed by known trusted certificate: Less suspicious
– Get aggressive, but in a highly targeted way!
Summary
• First gen endpoint solutions scan with signatures once and if no
infection found allow any action
– Increased malware volume means this technique will impact on
performance
– Increased speed of propagation renders this approach ineffective against
new malware, zero-day attacks and APTs
• Next gen endpoint solutions need
– Light scan to minimise performance impact
– Heavy scan to detect new malware
• An adaptive approach is the only way to improve detection whilst
reducing performance impact
THANK YOU

similar documents