Microsoft Corporation
Defense-in-Depth Against Malicious Software
Agenda
Understanding the Characteristics of Malicious Software
Malware Defense-in-Depth
Malware Defense for Client Computers
Malware Defense for Servers
Network-Based Malware Defense
Solutions to implement Malware Defense-in-Depth
November 2006
Understanding Characteristics of Malicious Software
Malicious Software: Identifying Challenges to an Organization
Malware: A collection of software developed to intentionally perform malicious tasks on a computer system
Feedback from IT and security professionals includes:
“The users executed the attachment from their e-mail even though we’ve told them again and again that they aren’t supposed to.”
“The antivirus software should have caught this, but the signature for this virus hadn’t been installed yet.”
“We didn’t know our servers needed to be updated.”
“This never should have made it through our firewall; we didn’t even realize those ports could be attacked.”
Understanding Malware Attack Techniques
Common malware attack techniques include:
Social engineering
Backdoor creation
E-mail address theft
Embedded e-mail engines
Exploiting product vulnerabilities
Exploiting new Internet technologies
Understanding the Vulnerability Timeline
Product shipped
Vulnerability discovered
Update made available
Update deployed by customer
Vulnerability disclosed
Most attacks occur here
Understanding the Exploit Timeline
Product shipped
Vulnerability discovered
Update made available
Update deployed by customer
Vulnerability disclosed
Exploit
Days between update and exploit have decreased
Malware attack: days between update and exploit
Nimda: 331
SQL Slammer: 180
Welchia/Nachi: 151
Blaster: 25
Sasser: 14
Identifying Common Malware Defense Methods
Malware attack: defense method
Mydoom: Block port 1034; update antivirus signatures; implement application security
Sasser: Block ports 445, 5554, and 9996; install the latest security update
Blaster: Install the latest security update; block TCP ports 135, 139, 445, and 593 and UDP ports 135, 137, and 138; also block UDP port 69 (TFTP) and TCP port 4444 (remote command shell); update antivirus signatures
SQL Slammer: Install the latest security update; block UDP port 1434
Download.Ject: Install the latest security update; increase security on the Local Machine zone in Internet Explorer; clean any infections related to IIS
What Is Defense-in-Depth?
Using a layered approach:
Increases an attacker’s risk of detection
Reduces an attacker’s chance of success
Policies, procedures, and awareness: Security policies, procedures, and education
Physical security: Guards, locks, tracking devices
Application: Application hardening
Host: OS hardening, authentication, update management, antivirus updates, auditing
Internal network: Network segments, IPSec, NIDS
Perimeter: Firewalls, border routers, VPNs with quarantine procedures
Data: Strong passwords, ACLs, encryption, EFS, backup and restore strategy
Applying Defense-in-Depth to Malware Defense
Policies, procedures, and awareness
Physical security
Network defenses: Perimeter, Internal network
Client defenses: Host, Application, Data
Server defenses: Host, Application, Data
Implementing Host Protection Policies, Procedures, and Awareness
Recommended policies and procedures include:
Host protection defense policies: scanning policy, signature update policy, allowed application policy
Network defense policies: change control, network monitoring, attack detection, home computer access, visitor access, wireless network policy
Security update policy:
1. Assess environment to be updated
2. Identify new updates
3. Evaluate and plan update deployment
4. Deploy the updates
Implementing Physical Security and Antivirus Defense
Elements of an effective physical defense plan include:
Server computers
Network access points
Premises security
Personnel security
Mobile computers and devices
Workstation computers
Protecting Client Computers: What Are the Challenges?
Challenges related to protecting client computers include:
Data challenges:
• Implementing data storage policies
• Implementing data security
• Regulatory compliance
Application challenges:
• Controlling application usage
• Secure application configuration settings
• Maintaining application security updates
Host challenges:
• Maintaining security updates
• Maintaining antivirus software
• Implementing a personal firewall
Implementing Client-Based Malware Defense
Steps to implement a client-based defense include:
1. Reduce the attack surface
2. Apply security updates
3. Enable a host-based firewall
4. Install antivirus software
5. Test with configuration scanners
6. Use least-privilege policies
7. Restrict unauthorized applications
Configuring Applications to Protect Client Computers
Applications that may be malware targets include:
E-mail client applications
Desktop applications
Instant messaging applications
Web browsers
Peer-to-peer applications
Managing Internet Explorer Browser Security
Security feature: description
MIME security improvements: Consistency checks; stricter rules
Better security management: Add-on control and management features; better prompts; new script-initiated windows restrictions
Local Machine zone: Ability to control security in the Local Machine zone
Feature Control Security Zone settings: MIME sniffing; security elevation; windows restriction
Group Policy settings: Administrative control for feature control security zones
Protecting Client Computers: Best Practices
Identify threats within the host, application, and data layers of the defense-in-depth strategy
Implement software restriction policies to control applications
Implement an effective security update management policy
Implement an effective antivirus management policy
Use Active Directory Group Policy to manage application security requirements
What Is Server-Based Malware Defense?
Basic steps to defend servers against malware include:
Reduce the attack surface
Analyze using configuration scanners
Enable a host-based firewall
Apply security updates
Analyze port information
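As an added example (not part of the original deck), this Python audit ties the "reduce the attack surface" and "analyze port information" steps to the malware/defense port table earlier in the deck: it parses constructed `netstat -ano` output, compares listeners against a hypothetical per-role baseline, and flags anything outside it, annotating the ports the deck associates with Mydoom, Sasser, Blaster and SQL Slammer. The role baselines and sample output are assumptions made up for the example.

```python
"""Listening-port audit: report listeners a server of a given role should not have."""

# Ports the deck's defense table ties to specific worms (protocol as stated there).
WORM_PORTS = {
    ("tcp", 1034): "Mydoom",
    ("tcp", 445): "Blaster, Sasser", ("tcp", 5554): "Sasser", ("tcp", 9996): "Sasser",
    ("tcp", 135): "Blaster", ("tcp", 139): "Blaster", ("tcp", 593): "Blaster",
    ("udp", 135): "Blaster", ("udp", 137): "Blaster", ("udp", 138): "Blaster",
    ("udp", 69): "Blaster (TFTP)", ("tcp", 4444): "Blaster (remote command shell)",
    ("udp", 1434): "SQL Slammer",
}

# Hypothetical baselines: the only ports a server of each role is expected to expose.
ROLE_BASELINE = {
    "web": {("tcp", 80), ("tcp", 443), ("tcp", 3389)},
    "sql": {("tcp", 1433), ("tcp", 3389)},
}

# Constructed sample of 'netstat -ano' output for a web server (not real capture data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1724
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1724
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2208
  TCP    10.0.0.5:443           10.0.0.9:51000         ESTABLISHED     1724
  UDP    0.0.0.0:1434           *:*                                    1516
"""

def parse_listeners(netstat_text):
    """Return {(proto, port): pid} for listening TCP sockets and all bound UDP sockets."""
    listeners = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() not in ("TCP", "UDP"):
            continue  # header, blank, or unrelated line
        proto = parts[0].lower()
        port = int(parts[1].rsplit(":", 1)[1])  # works for IPv4 and [::]:port forms
        if proto == "tcp" and (len(parts) < 5 or parts[3].upper() != "LISTENING"):
            continue  # only listening TCP sockets add to the attack surface
        listeners[(proto, port)] = int(parts[-1])
    return listeners

def audit(role, netstat_text):
    """Sorted (proto, port, pid, note) for every listener outside the role's baseline."""
    findings = []
    for (proto, port), pid in parse_listeners(netstat_text).items():
        if (proto, port) not in ROLE_BASELINE[role]:
            findings.append((proto, port, pid, WORM_PORTS.get((proto, port), "not in baseline")))
    return sorted(findings)

if __name__ == "__main__":
    for proto, port, pid, note in audit("web", SAMPLE_NETSTAT):
        print(f"{proto}/{port:<5} pid {pid:<5} {note}")
```

Each finding is a candidate for the deck's remedies: block the port at the host firewall, remove or disable the owning service, or apply the relevant update, then re-run the audit to confirm the surface shrank.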
Protecting Servers: Best Practices
Consider each server role implemented in your organization to implement specific host protection solutions
Stage all updates through a test environment before releasing into production
Deploy regular security and antivirus updates as required
Implement a self-managed host protection solution to decrease management costs
Protecting the Network: What Are the Challenges?
Challenges related to protecting the network layer include:
Balance between security and usability
Lack of network-based detection or monitoring for attacks
Implementing Network-Based Intrusion-Detection Systems
Important points to note:
Network-based intrusion-detection systems are only as good as the process that is followed once an intrusion is detected
ISA Server 2006 provides network-based intrusion-detection abilities
Provides rapid detection and reporting of external malware attacks
Network-based intrusion-detection system
Implementing Application Layer Filtering
Application layer filtering includes the following:
Web browsing and e-mail can be scanned to ensure that content specific to each does not contain illegitimate data
Deep content analyses, including the ability to detect, inspect, and validate traffic using any port and protocol
Protecting the Network: Best Practices
Have a proactive antivirus response team monitoring early warning sites such as antivirus vendor Web sites
Have an incident response plan
Implement automated monitoring and report policies
Implement ISA Server 2006 to provide intrusion-detection capabilities
More advanced
More frequent
Profit motivated
Application-oriented
Too many point products
Poor interoperability
Lack of integration
Multiple consoles
Uncoordinated event reporting & analysis
Cost and complexity
Protect Information and Control Access at
Operating system
Server applications
Network “edge”
Content
Heterogeneity
Third-party products
Secure custom apps
24/7 security research and response
Unified view and analytics
Reduced number of management consoles
Simplified deployment
Appliances and appliance-like experience
Technical and industry guidance
Simplified licensing
Cross-product integration
MSFT security products
MSFT server applications
Integration with Microsoft IT infrastructure
Active Directory®, SQL Server™, Operations Manager, etc.
Integration with ecosystem partners and custom apps
One solution for spyware and virus protection
Built on protection technology used by millions worldwide
Effective threat response
One console for simplified security administration
Define one policy to manage client protection agent settings
Integrates with your existing infrastructure
One dashboard for visibility into threats and vulnerabilities
View insightful reports
Stay informed with state assessment scans and security alerts
Unified malware protection for business desktops, laptops and server operating systems that is easy to manage and control
Security Summary
User Account Control
IE7 with Protected Mode
Randomize Address Space Layout
Advanced Desktop Firewall
Kernel Patch Protection (64bit)
Unified Virus & Spyware Protection
Central Management
Reporting, Alerting and State Assessment
Infrastructure Software Integration
Policy Based Network Segmentation
Restrict-To-Trusted Net Communications
Server and Domain Isolation (SD&I) Combined
Solution
Windows Vista™
Forefront™ Client Security
Guidance
Developer Tools
Systems Management
Active Directory Federation Services (ADFS)
Identity Management Services
Information Protection
Client and Server OS
Server Applications
Edge
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.