
PS4E - White Paper 2 - Panda Security (resources.downloads.pandasecurity.com/pro/02dwn_wp... · 2008-10-14)



Index

Introduction (p. 3)
Corporate Network Security Management Challenge (p. 5)
    Multi-layers and heterogeneous network (p. 5)
    Roaming Clients (p. 5)
    Control of unproductive and restricted applications (p. 5)
    Securing networks from the risks of unmanaged endpoints (p. 6)
    Centrally Managed Network Security (p. 6)
    Malware Audits (p. 7)
EndPoint protection Challenge (p. 8)
    Understanding what is a Host Intrusion Prevention System (HIPS) (p. 8)
    Panda Security Host Intrusion Prevention System (HIPS) (p. 8)
        • Deep Packet Inspection Firewall (p. 9)
        • TruPrevent™ Behavior Blocking (p. 9)
        • TruPrevent™ Behavior Analysis (p. 10)
        • Genetic Heuristic Engine (p. 10)
        • Anti-malware (p. 10)
    Endpoint protection effectiveness in the real world (p. 11)
Panda Security Collective Intelligence (p. 12)


The Challenge of a Comprehensive Network Protection

Revision 1.01 2008 © Panda Security 2008 Page 3 of 13

Introduction

All organizations need to protect their critical and sensitive information from data leaks, targeted attacks and unknown malware, especially in recent years, when more malware than ever has been released in the wild. The vast amount of threats in circulation and the change in threats’ objectives are rendering traditional antivirus solutions ineffective. Complementary approaches and technologies must be developed and implemented in order to raise effectiveness to adequate levels. On January 25, 2007, in the Gartner Teleconference "Host-Based Intrusion Prevention Systems (HIPS) Update: Why Antivirus and Personal Firewall Technologies Aren't Enough" [i], the author claims that the objectives started as pure experimentation and are now developing towards information warfare.

Figure 1. This chart examines the impact and frequency of malware from Gartner Group’s ‘Host-based Intrusion Prevention System (HIPS) Update: Why Antivirus and Personal Firewall Technologies Aren’t Enough.’ (Source: Gartner, 2007)

Figure 1 illustrates the impact of different kinds of attacks and their frequency. The frequency of cyber-crime attacks is forecast to increase dramatically until 2010. Cyber-crime refers to hackers who work in an organized and specific manner to steal money, business information, or other assets essential to companies.

The endpoint protection challenge requires that security solutions provide not only advanced capability for protecting endpoints, but a complete combination of the following capabilities:

1. Protection against the huge and growing number of known and unknown malware and targeted attacks, through the most advanced and complete set of host-based intrusion prevention capabilities.

2. Protection of and from endpoints inside the organization’s network infrastructure, together with management of the security of roaming clients that move continually from network to network.

3. Securing the network from unmanaged endpoints, which, although not under the control of network administrators, can access sensitive information.

4. Device control that allows detecting and securing external devices such as USB devices.


5. Help increase employee productivity by controlling the use of unproductive or restricted applications and eliminating undesired content.

6. Periodic in-depth malware audits that can detect and disinfect hidden threats such as identity theft Trojans, targeted attacks, rootkits and other malware not detected by permanent protection.

7. Protection at all infrastructure layers, covering everything from endpoints to email and gateway platforms.

8. Endpoints and multi-tier protection must be part of a comprehensive architecture provided by a single solution. It is necessary for this architecture to be extensible and flexible, so new protection layers can be deployed and managed from the same solution and it does not require separate products to be integrated in the existing solution.

9. Security of the entire network must be managed from a single, centralized, role-based administration console. From here, network-wide policies, security deployment, updates, monitoring, alerting, reporting and event logging must all be easily managed. Operational characteristics must be considered to reduce operation complexity and operating cost.

10. At the same time, minimize the resource and bandwidth consumption of protected systems.

First, the scope of this paper is to consider the critical aspects of network security that a solution must cover in order to protect the entire network and to reduce operation complexity and cost.

Second, the aim of this paper is also to describe the range of approaches and technologies for effective endpoint protection. It is essential that network security solutions offer, in a single product, all endpoint protection approaches to protect critical and sensitive information from data leaks, targeted attacks and unknown malware.

And third, we will describe advanced concepts that complement Panda’s integrated desktop, server, and gateway protection to take the battle against today’s malware dynamics head-on and provide the final complement to Panda’s ideal protection model.


Corporate Network Security Management Challenge

Because endpoint security protection is the last line of defense against increasingly sophisticated threats, having complete endpoint protection with a range of approaches and technologies is not sufficient; a network security solution should also exhibit the following beneficial characteristics:

1. Corporate networks have different infrastructure layers that must be protected, such as perimeter or email gateways. Network security solutions must provide these layers with proactive protection, because the sooner malware is detected, the less damaging it will be.

2. Manage endpoints that are inside the organization network infrastructure, but also manage security of roaming clients that move continually from network to network.

3. Secure network from unmanaged endpoints, which even if not under the control of network administrators, can still access sensitive information.

4. Help increase employee productivity by controlling the use of unproductive or restricted applications and eliminating undesired content.

5. Help reduce operation complexity and operating costs through a centralized management system for both managed and unmanaged endpoints and for the entire heterogeneous network. This system allows integrated policy development, role-based administration, monitoring and alerting, and immediate action to secure the network, with consolidated logging and reporting from a single point.

Multi-layers and heterogeneous network

For businesses that manage email traffic through Microsoft Exchange Server, Panda Security for Business with Exchange adds complete and straightforward protection for private mailboxes and public folders against known and unknown malware. It also includes a best-of-breed anti-spam solution that reduces network operating costs, saves administrator time and avoids lost productivity. Anti-spam and content filtering protection in Panda Security for Business with Exchange and Panda Security for Enterprise also follows the multi-layer approach, eliminating undesired email at the email server layer and at the endpoint layer. In addition, Panda Security for Enterprise also ensures that other layers of the corporate infrastructure are secure, allowing protection to be deployed and updated on all network systems regardless of their location or platform: workstations (Windows and Linux), file servers (Windows and Novell NetWare servers), Exchange and Domino mail servers, Sendmail, QMail and Postfix servers, and ISA Server. This modular, flexible and scalable architecture meets complex, heterogeneous network needs with advanced configuration.

Roaming Clients

Organizations must deal with a growing number of roaming clients, and their security is also the remit of administrators. Panda Security for Business and Panda Security for Enterprise allow, through a bi-directional communication mechanism called Roaming, the clients’ protection to inform the administrator about events that occur outside the office, so the entire organization’s security is managed centrally, independently of endpoint location.

Control of unproductive and restricted applications

Panda Security for Business and Panda Security for Enterprise include a rule-based application control feature that allows administrators to have complete control over endpoint and network resources, such as access to files, network traffic and access to operating system components (registry, COM, users, etc.), and to apply those rules on a per-user or per-group basis. With this functionality, administrators are able to determine, for example, the applications that can or cannot be used by employees. Thanks to this feature administrators can apply granular control options for applications (Word, Excel, Outlook, Internet Explorer, games, iTunes, desktop utilities, etc.) and network usage (such as blocking P2P, instant messaging, or VoIP traffic).

Securing networks from the risks of unmanaged endpoints

Enterprise security solutions must provide protection for both managed and unmanaged endpoints, within the network and for roaming clients. Unmanaged endpoints are those that are not under the administrator’s control but do in fact have access to the network, for example through onsite guest access. The administrator needs to control this situation in order to avoid security problems. Securing networks from the risks posed by these endpoints involves, firstly, centrally notifying administrators that unmanaged endpoints are in the network so they can decide what action to take, and secondly, auditing the presence of various attributes such as enabled antivirus software, an updated signature file, specific patches applied, etc. Both functions are implemented in Panda Security for Business and Panda Security for Enterprise through the centrally managed console, where unmanaged endpoints are shown in real time, and through Cisco NAC integration; in addition, our solutions implement a unique technology called NetworkSecure.

The NetworkSecure unit allows the network connections of a computer to be secured by checking the security status of the computer before allowing it to connect to the corporate network. The task run on the computer that connects to the corporate network is called the Validation Phase. During this phase, the checks configured by the administrator are carried out to determine whether or not the computer is secure. If the policies are not fulfilled, the computer is disconnected from the network and isolated. Integration with Cisco NAC and the development of NetworkSecure ensure that security policies are complied with across the network, even on computers that are not managed through AdminSecure, because the operation of the security software installed on these computers is validated before they are allowed to access shared network resources.

Integration with Microsoft NAP (Network Access Protection) provides a solution for evaluating the security status of a client trying to connect to or communicate with a private network, and restricts access until the client has complied with the established security policy. The technology includes a client-side component and a server-side component, so the administrator can define security policies that restrict access for clients that do not comply with them. This new technology is included in Windows Server 2008, Windows Vista and Windows XP SP3.
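The Validation Phase and the unmanaged-endpoint audit described above can be modelled as a small posture-check engine. The following Python is an added example written for this page; it is not Panda's NetworkSecure or AdminSecure code, nor Cisco NAC or Microsoft NAP, and the policy fields, the "KB-EXAMPLE-*" patch identifiers and the endpoint records are constructed assumptions.

```python
"""Posture validation before network admission (added example, not vendor code).

An administrator-defined Policy is checked against the attributes a connecting
endpoint reports. Any failed check isolates the endpoint; unmanaged endpoints
are additionally reported so the console can notify the administrator.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Policy:
    require_av_enabled: bool = True
    max_signature_age_days: int = 3
    required_patches: frozenset = frozenset()   # patch ids are placeholders


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    av_enabled: bool
    signature_date: date
    installed_patches: frozenset
    managed: bool          # True if the host reports to the central console


@dataclass
class Verdict:
    hostname: str
    allowed: bool
    failures: list = field(default_factory=list)


def validate(endpoint: Endpoint, policy: Policy, today: date) -> Verdict:
    """Run every configured check; the endpoint is admitted only if all pass."""
    failures = []
    if policy.require_av_enabled and not endpoint.av_enabled:
        failures.append("antivirus disabled")
    age = (today - endpoint.signature_date).days
    if age > policy.max_signature_age_days:
        failures.append(f"signatures {age} days old (max {policy.max_signature_age_days})")
    missing = policy.required_patches - endpoint.installed_patches
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    return Verdict(endpoint.hostname, allowed=not failures, failures=failures)


def triage(endpoints, policy, today):
    """Return (admitted, isolated, unmanaged_hostnames).

    Unmanaged hosts are listed for notification *and* still validated, so a
    guest machine that meets policy may connect while one that does not is
    isolated like any managed host."""
    admitted, isolated, unmanaged = [], [], []
    for ep in endpoints:
        if not ep.managed:
            unmanaged.append(ep.hostname)
        verdict = validate(ep, policy, today)
        (admitted if verdict.allowed else isolated).append(verdict)
    return admitted, isolated, unmanaged


# Constructed sample data; "KB-EXAMPLE-*" are placeholder patch identifiers.
TODAY = date(2008, 10, 14)
POLICY = Policy(required_patches=frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}))
SAMPLE = [
    Endpoint("ws-01", True, TODAY - timedelta(days=1),
             frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}), managed=True),
    Endpoint("guest-laptop", True, TODAY - timedelta(days=10),
             frozenset({"KB-EXAMPLE-1"}), managed=False),
    Endpoint("ws-02", False, TODAY,
             frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}), managed=True),
]

if __name__ == "__main__":
    admitted, isolated, unmanaged = triage(SAMPLE, POLICY, TODAY)
    print("unmanaged endpoints seen:", unmanaged)
    for v in admitted:
        print(f"{v.hostname}: admitted")
    for v in isolated:
        print(f"{v.hostname}: isolated ({'; '.join(v.failures)})")
```

The checks mirror the attributes the paper lists (antivirus enabled, signature age, required patches). Every check is evaluated rather than stopping at the first failure, so the isolation notice tells the administrator everything that must be fixed before the host is re-validated.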

Centrally Managed Network Security

The entire network security should be administered via a single, centralized management system. It must include integrated policy development, both push and pull update capabilities, role-based administration, monitoring and alerting, and integration with the corporate organization. AdminSecure offers manageability and administration features for efficient, effective security management:


• All-in-one Management Console. One interface supports all technologies and multi-layer protections.

• Easy Deployment. AdminSecure has a mechanism to easily deploy communication agents and protection. Integration of the protection in the company infrastructure is fast, because it can be deployed through login script, packages, or direct installation.

• Flexible architecture. Through their modular, flexible, layered, preventive protection philosophy and scalable architecture, Panda Security for Business and Panda Security for Enterprise meet complex, heterogeneous network needs and facilitate complete point-to-point anti-malware protection in every layer of your organization. In addition, centralizing the information and management of all network nodes with Panda AdminSecure allows maximum control of remotely administered resources, even computers belonging to external staff, and cause-and-effect analysis when an infection has occurred.

• Improved Supervision. In order to guarantee effective protection of all the IT systems in your company, it is essential to protect all network components and have a dashboard containing metrics, customizable organization views, and graphic reports that allow you to closely monitor the protection status.

Malware Audits

Panda Security for Business and Panda Security for Enterprise are also the only solutions on the market for small businesses that include a complementary in-depth malware audit and disinfection service able to uncover advanced hidden threats such as identity theft Trojans, targeted attacks, rootkits and other malware not detected by traditional means.


EndPoint protection Challenge

As Panda Security has been able to prove in a recent research study [ii], even users protected with antivirus and security solutions with the latest signature database can be infected by active malware. Dealing with malware evolution using a traditional signature approach has not been valid for some years now.

Understanding what is a Host Intrusion Prevention System (HIPS)

Traditional antivirus and personal firewall solutions are no longer sufficient to protect endpoints against targeted attacks [iii], and it is not possible to patch an entire network as quickly as new vulnerabilities are announced. As a result, a complete Host Intrusion Prevention System (HIPS), which provides protection before malware enters the endpoint (at the network layer), once it is present on the endpoint but not yet executing (at the application layer), and when it is executing (at the behavior layer), is an absolute must for any security solution. These three layers of protection, which a complete Intrusion Prevention System must cover, must be efficient not only in detecting known malware and attacks; their real value lies in being efficient against unknown ones, for which advanced technologies must be implemented. Even though many security solutions add some kind of intrusion prevention, the sad reality is that about half the solutions on the market do not have any of these types of technologies yet, or have only part of them, which is still not sufficient for dealing with the present malware situation. Even if some vendors provide some kind of intrusion prevention in their portfolio, their security solutions do not include this protection in the box, even though assessing new types of malware and attacks requires the most advanced and complete Host Intrusion Prevention System at the earliest opportunity.

Panda Security Host Intrusion Prevention System (HIPS)

Panda Security’s complete HIPS follows a defense-in-depth philosophy, which could be summarized as integrating different protection technology layers at different infrastructure layers. The Panda Security Host Intrusion Prevention System implementation is modular and can therefore be applied both to endpoint desktops and to servers. Let’s take a look at each of the technologies that make the Panda Security Host Intrusion Prevention System a complete HIPS.


Figure 2. Panda Security’s integrated endpoint security

• Deep Packet Inspection Firewall.

This technology identifies and prevents threats in the network traffic stream before they have a chance to reach the computer. The network traffic stream is examined for the signatures of known bad traffic: it performs pattern detection and removal of known threats by using signatures of known attacks (for example, worms, port scanning, malformed protocols, etc.). But this technology also examines the network traffic stream for unknown malicious code, without relying on attack-facing signatures for detection. For example, rather than looking for every variant of the Sasser worm using signatures, vulnerability-facing filters inspect network traffic for specific buffer overflow techniques and thereby detect all attacks, known and unknown, aimed at exploiting the Local Security Authority Service (LSASS.EXE).

• TruPrevent™ Behavior Blocking.

This technology is composed of a set of policies, each defined by rules describing allowed and denied actions for a particular application. Although it offers a high degree of granularity to administrators for creating custom policies, this application control and system hardening module ships with a set of default configuration policies which are managed and updated by PandaLabs.
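To make the rule model concrete, here is an added example of a first-match, per-application allow/deny evaluator in Python. It is not Panda's policy format nor PandaLabs' default rules; the application names, resource globs, rules and events are constructed for illustration.

```python
"""Rule-based behavior blocking (added example, not Panda's policy format).

A policy is an ordered list of Rules; each names an application, an action
and a resource pattern and states whether the action is allowed. The first
matching rule decides; an explicit default applies when none matches.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    app: str        # process image name (glob, case-insensitive)
    action: str     # "read", "write", "exec", "connect" or "*" for any
    resource: str   # file path, registry key or host:port (glob)
    allow: bool
    note: str = ""


@dataclass(frozen=True)
class Event:
    app: str
    action: str
    resource: str


def matches(rule: Rule, ev: Event) -> bool:
    return (fnmatchcase(ev.app.lower(), rule.app.lower())
            and rule.action in ("*", ev.action)
            and fnmatchcase(ev.resource.lower(), rule.resource.lower()))


def decide(policy, ev: Event, default_allow: bool = True):
    """Return (allowed, matched_rule); matched_rule is None when the default applied."""
    for rule in policy:
        if matches(rule, ev):
            return rule.allow, rule
    return default_allow, None


# Constructed policy: deny persistence-key writes and process spawning from a
# word processor, allow its normal document writes, block one P2P port for all apps.
POLICY = [
    Rule("*", "write", "hklm\\software\\microsoft\\windows\\currentversion\\run*",
         False, "persistence key"),
    Rule("winword.exe", "exec", "*", False, "word processor spawning processes"),
    Rule("winword.exe", "write", "c:\\users\\*\\documents\\*", True, "normal document save"),
    Rule("winword.exe", "write", "c:\\windows\\*", False, "write to system directory"),
    Rule("*", "connect", "*:6881", False, "P2P port"),
]

# Constructed events a behavior monitor might report.
EVENTS = [
    Event("winword.exe", "write", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    Event("winword.exe", "write", "C:\\Users\\alice\\Documents\\report.docx"),
    Event("winword.exe", "exec", "C:\\Windows\\System32\\cmd.exe"),
    Event("notepad.exe", "write", "C:\\Users\\alice\\Documents\\notes.txt"),
    Event("client.exe", "connect", "198.51.100.7:6881"),
]


def audit(policy, events):
    """Evaluate each event and return a list of (action, resource, allowed, reason)."""
    out = []
    for ev in events:
        allowed, rule = decide(policy, ev)
        reason = rule.note if rule else "default"
        out.append((ev.action, ev.resource, allowed, reason))
    return out


if __name__ == "__main__":
    for action, resource, allowed, reason in audit(POLICY, EVENTS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {action:7} {resource}  [{reason}]")
```

Rule order matters: the generic persistence-key deny sits first so that a later per-application allow cannot override it, and the explicit default makes the behaviour of unmatched events a deliberate administrator choice rather than an accident.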


• TruPrevent™ Behavior Analysis.

It acts as a true last line of defense against new malware executing on a computer that manages to bypass signatures, heuristics and behavior blocking. This technology exhaustively analyzes behavior and is designed to block malware as soon as it starts acting. Unlike other behavior technologies, TruPrevent™ behavior analysis is autonomous and does not present technical questions to the end user. Panda Security’s internal statistics show that these technologies are capable of detecting over 80% of the malware in the wild without signatures and without false positives. Two-thirds of the new variants received at PandaLabs from our customers’ managed quarantines have been submitted automatically by the TruPrevent™ behavior analysis.

Behavioral analysis in real time detects new and unknown malware threats and zero-day attacks, such as malicious specially-crafted PDFs and Office files, without requiring signature updates.

• Genetic Heuristic Engine.

While our signature-based engine acts as the application-level protection for known malware and benefits from the unique automated and enhanced malware collection, classification and remediation of Panda Security Collective Intelligence, the Genetic Heuristic Engine (GHE) correlates the genetic traits of files by using proprietary algorithms. The genetic traits define the potential of the software to carry out either malicious or harmless actions when executed on a computer. GHE can be set to low, medium or high sensitivity in order to suit different environments, depending on the probability of malware in each environment. Panda Security endpoint protection can scan the HTTP protocol, real-time email protocols and instant messaging with the GHE set to high sensitivity, because the likelihood of an executable file being malware is very high at this network layer. However, for storage (or application) layers, where the vast majority of executable code is from legitimate applications, GHE is set to medium sensitivity. One third of the new variants received at PandaLabs from our customers’ managed quarantines have been submitted automatically by the GHE.
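An added example, not Panda's GHE algorithm, illustrating the idea above: one heuristic scorer runs at different sensitivities depending on the layer it inspects, so the same file can be flagged when it arrives over HTTP but tolerated once it sits among installed applications. The trait names, weights, thresholds and samples are constructed assumptions.

```python
"""Heuristic verdicts at layer-dependent sensitivity (added example, not GHE).

A file is described by the traits a static analyser extracted; each trait
carries a constructed weight, and the summed score is compared with a
threshold chosen by the sensitivity configured for the layer being scanned.
"""
from dataclasses import dataclass

# Constructed trait weights; a negative weight lowers the score.
TRAIT_WEIGHTS = {
    "packed": 3,
    "no_version_info": 1,
    "autorun_persistence": 4,
    "suspicious_api_imports": 3,
    "high_entropy_section": 2,
    "signed_by_known_vendor": -5,
}

# Lower threshold = more sensitive (more detections, more false-positive risk).
THRESHOLDS = {"low": 9, "medium": 6, "high": 3}

# Network-facing layers run at high sensitivity, stored files at medium.
LAYER_SENSITIVITY = {
    "http": "high", "smtp": "high", "pop3": "high", "im": "high",
    "storage": "medium",
}


@dataclass(frozen=True)
class Verdict:
    flagged: bool
    score: int
    sensitivity: str


def score(traits) -> int:
    """Sum the weights of the observed traits; reject traits we have no weight for."""
    unknown = set(traits) - set(TRAIT_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown traits: {sorted(unknown)}")
    return sum(TRAIT_WEIGHTS[t] for t in traits)


def classify(traits, layer: str) -> Verdict:
    """Flag the file if its score reaches the threshold for the layer's sensitivity."""
    sensitivity = LAYER_SENSITIVITY[layer]
    s = score(traits)
    return Verdict(s >= THRESHOLDS[sensitivity], s, sensitivity)


# Constructed samples (comment gives the score under TRAIT_WEIGHTS).
SAMPLES = {
    "packed_unsigned_download": {"packed", "no_version_info"},                          # 4
    "autorun_dropper": {"packed", "autorun_persistence", "suspicious_api_imports"},     # 10
    "signed_installer": {"packed", "high_entropy_section", "signed_by_known_vendor"},   # 0
}

if __name__ == "__main__":
    for name, traits in SAMPLES.items():
        for layer in ("http", "storage"):
            v = classify(traits, layer)
            print(f"{name:26} {layer:8} {v.sensitivity:7} score={v.score:3} flagged={v.flagged}")
```

The "packed_unsigned_download" sample shows the trade-off the paper describes: at high sensitivity on the network layer it is flagged, at medium sensitivity on storage it is not, while a vendor-signed packed installer scores low enough to pass at either layer.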

• Anti-malware.

At Panda Security we research and develop 100% of our core anti-malware technologies for detecting known malware and its huge number of variants. All Panda Security solutions benefit from the latest generation of security technologies by Panda Security, called Collective Intelligence. Collective Intelligence represents an approach to security radically different from current models. One of the benefits of this approach, described below in the document, is the automation of the entire malware detection and protection cycle (collection, analysis, classification and remediation). Collective Intelligence offers real-time visibility of large volumes of malware and targeted attacks that come from computers and networks worldwide. Thanks to this visibility and to the automation of malware detection and disinfection, each network protected by Panda Security’s solutions benefits from the knowledge gained by the entire community in real time.

Panda Security’s HIPS is the most advanced proactive technology available in the market according to Gartner [i]. In addition to the intrusion prevention and proactive detection available in other solutions, Panda also integrates behavioral analysis and real-time protection to detect new and unknown malware threats and zero-day attacks.


Endpoint protection effectiveness in the real world

As said before, given the new, sophisticated and vast amount of threats in circulation and the change in their objectives, endpoint security solutions must protect against known and zero-day attacks. Here we present comparative results of several solutions’ performance, assessed by independent third parties against real-world threats, which demonstrate the capability of each solution to protect endpoints and networks against the dynamic landscape of IT threats.

                                       Panda Security   McAfee   Symantec   Trend Micro   Microsoft
2007 WildList Proactive detection *         94%           69%       65%         65%          57%
Behavioral Analysis Detection **            ++            +         +           +            -
Rootkit Detection **                        ++            +         ++          ++           0

* Andreas Marx, AV-Test. WildList Proactive Detection and Response Time Testing for 2007. http://research.pandasecurity.com/archive/2007-WildList-Proactive-Detection.aspx

** AV-Test.


Panda Security Collective Intelligence

As shown before, Panda Security has developed a robust, defense-in-depth philosophy for endpoint security by providing an advanced Host Intrusion Prevention System. It adds to this comprehensive level of protection by leveraging the concept of Collective Intelligence [1] (CI). The CI concept complements Panda’s integrated desktop, server, and gateway protection to take the battle against today’s malware dynamics head-on and provide the final complement to Panda’s ideal protection model. Collective Intelligence offers a radically different approach to security. This approach is based on exhaustive remote, centralized, and real-time knowledge about malware and non-malicious applications, maintained through the automatic processing of all scanned elements. CI provides the ability to maximize malware detection capabilities while at the same time minimizing resource and bandwidth consumption of protected systems. Panda Security’s Collective Intelligence approach provides tremendous value to all enterprises by letting them benefit from community knowledge: as soon as a malicious process is detected on a user’s PC by Panda Security’s Collective Intelligence servers, Panda Security for Business and Panda Security for Enterprise customers worldwide automatically benefit from that detection, by means of a new signature or by means of the automatic management of their quarantine items.

[1] Collective intelligence is a form of intelligence that emerges from the collaboration and competition of many individuals.


References

[i] Gartner: “Host-Based Intrusion Prevention Systems (HIPS) Update: Why Antivirus and Personal Firewall Technologies Aren't Enough”. http://www.gartner.com/teleconferences/attributes/attr_165281_115.pdf

[ii] Research study: Active Infection in Systems Protected by Updated AntiMalware Solutions. Panda Research, August 2007. http://research.pandasecurity.com

[iii] Gartner: “Understanding Strengths and Weaknesses of Host-Based Intrusion Prevention Style”.