Protect Your Desktops from Malware and Unauthorized Software
20 Years of Chasing Malicious Software
• Tries to keep a list of all bad software
• Tries to identify bad behavior
• Lets unrecognized executables run
“Using the most popular antivirus applications … 8 out of 10 pieces of malicious code are going to get in.”
AusCERT
Blacklisting Challenges
• Security: New threats continually outsmart existing defenses
• Compliance: Computers polluted with illegal and unauthorized software
• Manageability: Disruptive software causing down time and unnecessary support calls
The Endpoint Protection Gap
(Diagram: Managed Software covers the provisioned base image, centrally distributed applications and patches; Managed Malware covers known malware. In between lies unmanaged software: botnets, spyware, unlicensed software, rootkits, games, instant messenger, Skype and unknown malware.)
Unmanaged Software: • Invisible • Untraceable • Uncontrollable • Unpatched • Vulnerable
Addressing The Gap
Mainstream approaches have proven unsuccessful
The need … a manageable and effective approach to controlling all unauthorized software.
• Antivirus (existing): Ineffective against new threats
• Remove Admin Rights: IT always has to get involved
• Restriction Policies: Impossible to manage
• Behavioral HIPS: Overwhelming false positives
• Vista UAC: Annoying and unscalable
Security at an Inflection Point
(Chart: Complexity of Administration over Time.)
Blacklisting: New Types of Attacks, Signature File Size, Targeted Attacks, Agent Bloating, False Positives, Spyware Legitimacy
Whitelisting: First-Execution Block, Flexible Policies, Automated Software Approval, Software Identification, Policy Simulation, Application Grouping, Software Reputation Service
Application Whitelisting In The Press
Symantec
Mark Bregman, CTO
“Eventually, a comprehensive whitelist of legitimate software may be as close to a silver bullet as one can hope to find – one that best serves the evolving security needs of the growing cybercommunity.”
John Thompson, CEO
“I'll be chasing my tail forever trying to block every one of those things.”
Microsoft
David Cross, Product Unit Manager
April, 2008
“Microsoft wants to make better use of things such as application whitelisting, which prevents any application from running other than those explicitly allowed by the user.”
Cisco
John Stewart, CSO
May, 2008
“I am not so sure that we can get to a place of feeling confident in our infrastructure without doing whitelisting.”
“Whitelisting is the next generation of defense.”
McAfee
Dave DeWalt, CEO
June 13
“Blacklisting — where vendors compile lists of known malware — has become technically unfeasible.”
“As blacklisting becomes increasingly difficult, whitelisting holds promise.”
Today’s Endpoint Management
Trends
• Suites/Platforms emerge for both Security & Ops
• MSFT/OS increasing functionality (AV, AS, PF, Encr …)
Future of Endpoint Management
(Diagram: Endpoint Mgmt, Control)
Trends
• Endpoint control increasingly important
• MSFT commoditizes AV, AS, PF, Encr, SD, PM
Introducing Bit9
Bit9 ensures that only approved software runs.
Visibility Knowledge Control
Bit9 Parity
Bit9 ParityCenter
Bit9 Architecture
(Diagram. Customer premises: Bit9 clients on servers, desktops and laptops, the Bit9 Parity Server, a web-enabled console and Active Directory; arrows between clients and server are labelled File Hashes, Events and Policies. Bit9’s hosted web service: Bit9 ParityCenter, 6B+ file records covering commercial software, open source, shareware and malware, fed by external data sources: crawling, partnerships, physical media, honeypots, third-party metadata; arrows between the server and ParityCenter are labelled File Hashes and Threats, Attributes: Publisher, Product, Source, Threat Level, Trust Factor. Unknown files (“?”) arriving from the Internet are resolved against ParityCenter. Client enforcement modes shown: Lockdown, Monitor, Block & Ask.)
How Bit9’s Application Control Works
Deploy and Enforce Policy
Software Identification, Authentication & Trust
• Bit9 ParityCenter: 6B+ records
• Multi-Scanner Risk Assessment
• Automated Software Categorization
• Automated Vista Compatibility
Requires an Adaptive Whitelist
• Trust Software Distribution
• Trust Patch Management
• Trust Self-Updating Products
• Trust Publishers
• Trust Directories
• Trust Privileged Users
• …
Case Studies
Ritz Camera (Retail Electronics: Compliance)
Before Bit9: • Compliance: unauthorized software on kiosks • Hundreds of stores with non-networked PCs
After Bit9: Antivirus replaced; kiosks controlled
General Dynamics (Defense Contractor: Control)
Before Bit9: • Unauthorized software used by outsourcer cost $$ • Sensitive data not protected when transferred to devices
After Bit9: Eliminated costs; data protected
Fox Interactive (Media Conglomerate: Visibility)
Before Bit9: • Creative culture required that users can install new apps • Known vulnerabilities were uncontrollable
After Bit9: Most apps pre-approved; zero-day threats blocked
Closing the Endpoint Protection Gap
(Diagram: the endpoint protection gap figure repeated: known malware, patches, centrally distributed applications, provisioned base image, botnets, spyware, rootkits, games, instant messenger, Skype, unknown malware; Managed Software, Managed Malware.)
Blacklist: • Not approved • Not allowed to run
Whitelist: • Trusted software • Allowed to run
Bit9 Parity
The easiest way to control what can and can’t run on your Windows computers.
3 Year Cost to Maintain a Desktop
• Well-Managed: $3,300
• Average Managed: $4,300
• Poorly Managed: $5,300
Key Application Whitelisting Takeaways …
• Default Deny on Unrecognized Software
• Custom By Company / Organization
• Adaptive to Include New Software
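An added example, not Bit9’s code, showing the default-deny, hash-based whitelist model the takeaways and the architecture slide describe: unrecognized executables are denied in Lockdown, logged in Monitor, or held for approval in Block & Ask, and adaptive trust rules (trusted publisher, trusted directory) admit new software and remember its hash. File contents, paths, the publisher table and the class and function names are all assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample "executables": path -> bytes standing in for real file content
FILES = {
    "C:\\Windows\\System32\\notepad.exe": b"MZ notepad sample bytes",
    "C:\\Users\\alice\\Downloads\\free_game.exe": b"MZ unknown game sample",
    "C:\\ProgramData\\PatchMgmt\\kb-placeholder.exe": b"MZ patch sample",
    "C:\\Program Files\\Vendor\\tool.exe": b"MZ signed vendor tool",
}
# Constructed publisher metadata, i.e. what a code-signature check would report
PUBLISHERS = {"C:\\Program Files\\Vendor\\tool.exe": "Vendor Inc."}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class WhitelistPolicy:
    mode: str                                  # "Lockdown", "Monitor" or "Block & Ask"
    approved_hashes: set = field(default_factory=set)
    trusted_publishers: set = field(default_factory=set)
    trusted_dirs: tuple = ()                   # e.g. a patch-management drop folder
    pending: dict = field(default_factory=dict)  # hash -> path awaiting approval

    def approve_hash(self, data: bytes) -> str:
        h = sha256(data)
        self.approved_hashes.add(h)
        return h

    def is_trusted(self, path: str, data: bytes, publisher: Optional[str]) -> bool:
        h = sha256(data)
        if h in self.approved_hashes:
            return True
        # Adaptive rules: a trusted publisher or directory admits the file,
        # and its hash is recorded so later executions match directly.
        if publisher in self.trusted_publishers or path.startswith(self.trusted_dirs):
            self.approved_hashes.add(h)
            return True
        return False

    def decide(self, path: str, data: bytes, publisher: Optional[str] = None) -> str:
        if self.is_trusted(path, data, publisher):
            return "ALLOW"
        if self.mode == "Monitor":            # visibility only: run, but log it
            return "ALLOW (logged unapproved)"
        if self.mode == "Block & Ask":        # hold for an approval decision
            self.pending[sha256(data)] = path
            return "BLOCK (approval requested)"
        return "BLOCK"                        # Lockdown: default deny

def evaluate_all(policy: WhitelistPolicy) -> dict:
    return {p: policy.decide(p, d, PUBLISHERS.get(p)) for p, d in FILES.items()}
```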
Regain Control with App Whitelisting!
Security – Only trusted software is allowed to run
Compliance – Visibility and control over endpoints
Manageability – Drastic reduction in support costs