McAfee Embedded: Optimized Security Solutions for Embedded Systems
Intel Intelligent Systems Event – Istanbul, Turkey
Kathryn Martin – McAfee, OEM Account Manager
April 2012
Agenda
McAfee – Security Trends & Threat Landscape
McAfee Embedded Security Solution
McAfee Software Development Kits for Embedded Systems
McAfee Global Threat Intelligence (GTI)
McAfee Centralized Embedded Security Management
Global Threat Intelligence
• File Reputation
• Web Reputation
• Web Categorization
• Message Reputation
• Network Connection Reputation
Network Security
• Next Generation Firewall
• Network Intrusion Prevention
• NAC Gateway
• Network User Behavior Analysis
• Network Threat Behavior Analysis
• Network Threat Response
Content Security
• Email Gateway
• Web Gateway
• Data Loss Prevention
• Encryption
Security Management
• Policy Management
• Security Reporting
• Mobile Management
• Vulnerability Management
• Risk Management
• Compliance
Endpoint Security
• Anti-Virus & Anti-Spyware
• Host Intrusion Prevention
• Endpoint Encryption
• Application Whitelisting
• Desktop Firewall
• Device Control
• Policy Auditing
• NAC Endpoint
• Email Server AV & Anti-Spam
• SharePoint Protection
• Mobile Protection
• Virtual Desktop & Server
Security Trends
Threat Landscape
The Multi-Million Business
Increasing Embedded Device Security Threats
[Chart: The Malware Explosion, cumulative malware threats known to McAfee, Jan. 2010 to June 2011; y-axis from 10M to 70M samples]
Threat Landscape: Global Malware Vision 2011
[Chart: 2011 growth of the McAfee malware collections, shown per collection: Autorun, Exploits, FakeAV/Scareware, Password Stealers, Rootkits, Malware Zoo; plus +662,900 malware families (DAT related)]
Stuxnet: The Anatomy of an Attack
HOW
• First worm developed with “nation-state” support—targeted at sabotaging Iran’s nuclear enrichment facility
• 60% infected machines in Iran—Iran confirmed damage to nuclear program in Fall 2010
WHAT
• Highly sophisticated development—used 6 new zero-day vulnerabilities and worked flawlessly on all Windows versions down to Windows 95
• Digitally signed software
• Attacked SCADA systems running specific controllers — deep knowledge of control systems
• Stealth attack, operated from 2008–2010—infected variable frequency drives with slight adjustment, enough to impact centrifuges
Explosion of IP Devices in a Connected World
[Chart: growth of devices and connected devices]
Embedded Systems Are Changing
Past: Proprietary OS; High Development Cost; Patching Rare *; Limited Security Risk *; Low Support Cost; Isolated Network
Today: Windows, Linux; Low Development Cost; Patching Common *; Standard Security Risk *; Higher Support Cost; Internet Connected
Embedded Development, Effects of Change: Higher Support Costs
[Chart: Cost vs Time, with Development and Support cost curves]
Embedded Development, Goal: Keep Support Costs Low, Increase Revenue
[Chart: Cost vs Time, with Development and Support cost curves]
Embedded System Challenges: Maintaining Security and Control Across the Lifecycle
Device Manufacturer → Distributor/Dealer → Device Owner
Security, Control, & Compliance
McAfee Embedded Security Solutions (Key and Additional Focus Products for Embedded)
• Removable Device Security (McAfee Device Control)
• Application Control and Change Control (McAfee Embedded Control)
• Content Security (McAfee Embedded Reputation SDK)
• Data Security (McAfee Endpoint Encryption)
• Host Network Security (McAfee Host Intrusion Prevention)
• Security Management (McAfee ePolicy Orchestrator)
• Virus Detection & Remediation (McAfee Embedded Anti-Virus SDK)
• Database Security (McAfee Activity Monitor/Virtual Patching/Vulnerability Manager)
McAfee Embedded Security: The right security solution for your solutions
Protect your device effectively
[Diagram: device spectrum from dynamic, reputation-based protection (black and grey lists) to static whitelisting. Devices shown: Mac, NetBook, Consumer PC, Web Servers, Email/Web Gateway, Firewall, Servers, Medical Devices, SCADA, Point of Sale, ATMs, Kiosks, Smart Meter, Printer]
McAfee Embedded Security: Single Solution for Challenge Resolution
Challenges for Embedded Device/System Manufacturers (Security, Control, Compliance):
• Unauthorized applications
• System downtime
• Patching and updates
• Rise in support costs
• Traditional AV overhead
• Zero day threats
• Device management
• Secure content
• Compliance drift
The Embedded Security Product: McAfee Embedded Control
Security – Prevention of Known & Zero-Day Attacks
• Dynamic whitelisting
• No signatures to update
• Only approved software and applications run
Control – Accountability & Device Longevity
• What can change
• Who can change it
• When it can change
• How it can change
• Patch on your schedule
Compliance – Compliance Ready
• PCI
• HIPAA
• NERC
• Fed. Regulations
Gain Control
1. Application control
• Controls what software installs and runs
• Prevents malware
• Memory protection
• Reduces patching frequency
• Image deviation reporting
2. Change control
• Enforces software change policy
• Prevents out-of-policy changes
• File integrity monitoring for compliance
McAfee Embedded Control: How it works: Build the Inventory
Preparation Stage → Production Stage
0. Create Inventory: automated inventory creation
1. Enable McAfee: establish gold or audited image
2. Solidified Disk Image: gold or audited image
3. Solidified Production Mode: real-time continuous solidification
The solidification process requires no user intervention, and copies of solidified images can be distributed to other devices.
McAfee Embedded Control: How it works: Maintain State With Trusted Change
Solidified Production Mode → Authorized Update Mode → Update Windows → Returned to Solidified Mode
Authorized Update Mode is entered through: Authorized Updaters, Authorized Admin., Secure Signed Updates
McAfee Embedded Control: Quick and Simple Setup
• Once deployed, no re-configuration required
• Nearly zero performance overhead
• Small footprint: 8-12 MB RAM, ~25 MB HDD
• Supports software distribution mechanisms
• Broad platform support:
– Microsoft OS since NT4 – Windows 8 (2012)
– Multiple Linux distributions (RHEL, SLES, etc.)
– Solaris 8, 9, 10 (SPARC)
– HP-UX 11.11, 11.23, 11.31
– AIX 5.3, 6.1
– Wind River Linux
Blacklisting versus Whitelisting
Blacklisting
• Currently 80 Million signatures of malware known to McAfee
• Every day more than 60,000 unique threats newly identified
• No protection against rootkits
• No protection against exploitation
Whitelisting
• No signatures required
• Only approved applications allowed to execute
• Protection against known threats and unknown threats (zero-day exploits)
• Protection against rootkits
• Whitelist is dynamically evolving during lifetime
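The solidification cycle described earlier (inventory the gold image, allow only inventoried binaries to run, accept changes only from authorized updaters in an update window, return to solidified mode) and the whitelisting column above can be illustrated with a small model. This is added example code, not McAfee Embedded Control's implementation: the SolidifiedDevice class, file paths and updater names are constructed, and certificate-based signing of updates is reduced to a trusted-updater name.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class SolidifiedDevice:
    """Toy model of the inventory / trusted-change cycle on the slides (hypothetical code)."""
    inventory: dict = field(default_factory=dict)          # path -> SHA-256 of approved content
    authorized_updaters: set = field(default_factory=set)  # processes trusted to change the inventory
    update_window_open: bool = False                       # True only in Authorized Update Mode
    audit_log: list = field(default_factory=list)          # file-integrity and execution events

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def solidify(self, gold_image: dict) -> int:
        """Stages 0-3: inventory every file of the gold/audited image; returns inventory size."""
        self.inventory = {path: self.digest(data) for path, data in gold_image.items()}
        return len(self.inventory)

    def may_execute(self, path: str, content: bytes) -> bool:
        """Solidified production mode: only inventoried, unmodified binaries may run."""
        allowed = self.inventory.get(path) == self.digest(content)
        self.audit_log.append(("exec", path, "allow" if allowed else "deny"))
        return allowed

    def write_file(self, updater: str, path: str, content: bytes) -> bool:
        """Change control: solidify a write only from an authorized updater in an update window."""
        if self.update_window_open and updater in self.authorized_updaters:
            self.inventory[path] = self.digest(content)
            self.audit_log.append(("change", path, "accepted:" + updater))
            return True
        self.audit_log.append(("change", path, "blocked:" + updater))  # out-of-policy change
        return False

def demo() -> dict:
    """Walk one device through the cycle on constructed sample files (not real binaries)."""
    gold = {"/opt/atm/app.exe": b"approved build 1.0", "/opt/atm/lib.dll": b"library v1"}
    dev = SolidifiedDevice(authorized_updaters={"vendor_updater.exe"})
    dev.solidify(gold)
    r = {"approved_runs": dev.may_execute("/opt/atm/app.exe", gold["/opt/atm/app.exe"]),
         "unlisted_runs": dev.may_execute("/tmp/unlisted.exe", b"never inventoried"),
         "tampered_runs": dev.may_execute("/opt/atm/app.exe", b"approved build 1.0 + patch"),
         "rogue_write": dev.write_file("explorer.exe", "/opt/atm/app.exe", b"approved build 1.1")}
    dev.update_window_open = True    # Authorized Update Mode opened for the trusted updater
    r["vendor_write"] = dev.write_file("vendor_updater.exe", "/opt/atm/app.exe", b"approved build 1.1")
    dev.update_window_open = False   # device returned to solidified mode
    r["updated_runs"] = dev.may_execute("/opt/atm/app.exe", b"approved build 1.1")
    r["blocked_events"] = sum(v.startswith(("deny", "blocked")) for _, _, v in dev.audit_log)
    return r
```

The audit log is what the slides call file integrity monitoring: every denied execution and every blocked write is recorded, so compliance reporting needs no signature database, only the inventory.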
McAfee Embedded Security: The secure solution for your solution
[Diagram: the dynamic-to-static device spectrum shown earlier, with Embedded Control positioned on the static, whitelisted side]
McAfee Embedded Anti-Virus SDK Review: Key Features, Functions, and Benefits
Scan Engine SDK
– Comprehensive detection so threats are isolated before they can spread
– Removal of viruses, worms, and other malicious code
– Reliable and accurate detection, without a costly false-alarm problem
– Effective scanning of compressed, archived, and packed files
– Support for a wide range of platforms
– Scan engine SDK for easy integration into third-party applications
McAfee Security Connected: McAfee Global Threat Intelligence (GTI)
What It Takes to Make An Organization Safe: Global Threat Intelligence
Volume
• 75 Billion Malware Reputation Queries/Month
• 20 Billion Email Reputation Queries/Month
• 2 Billion IP Population Queries/Month
• 300 Million IPS Attacks/Month
• 100 Million IP Port Reputation Queries/Month
• 100+ BILLION QUERIES
Breadth and Depth
• Malware: 60 Million Endpoints
• Email: 30 Million Nodes
• Web: 45 Million Endpoint and Gateway Users
• Intrusions: 4 Million Nodes
• 100+ MILLION NODES, 120 COUNTRIES
Why McAfee Is Best Positioned to Deliver GTI: 360˚ Correlation Across All Threat Vectors
[Diagram: threat reputation correlated across Network IPS, Firewall, Web Gateway, Host AV, Mail Gateway, Host IPS and 3rd Party Feed]
Message Reputation
• Mail/spam sending activity
• Intrusion attacks launched
• IP addresses of attackers
• Web hosting/phishing activity
• Botnet/DDoS activity
Web Reputation
• Mail/spam sending activity
• Web access/referer activity
• Malware hosting activity
• Hosted files
• Popups
• Affiliations
• DNS hosting activity
Network Connection Reputation
• Botnet/DDoS activity
• Mail/spam sending activity
• Web access activity
• Malware hosting activity
• Network probing activity
• Presence of malware
• DNS hosting activity
• Intrusion attacks launched
File Reputation
• IP addresses distributing it
• URLs hosting malware
• Mail/spam including it
• Botnet affiliation
• IPS attacks caused
McAfee Embedded Reputation SDK Review: Key Features, Functions, and Benefits
The McAfee Embedded Reputation SDK is a software library that provides an API for obtaining reputations and categories from McAfee’s GTI Cloud.
Reputation SDK Web Security
• URL Categorization
• Web Reputation
Reputation SDK Email and Network Protection
• IP Reputation (anti-spam)
• Message Reputation (anti-spam)
• Connection Reputation
Embedded Reputation SDK: real-time lookups via our GTI cloud service
Supported Platforms
• Windows, Solaris, Linux and BSD (specific x86 versions)
McAfee Embedded Security Management: McAfee ePolicy Orchestrator (ePO)
McAfee ePolicy Orchestrator: Centralized Security Management
Extensible
• Automate solutions with open API
• Leverage ecosystem
• Connect to your IT infrastructure
Automated
• Streamline processes
• Speed incident responses
• Reduce audit fatigue
Unified
• Central point of reference
• Enterprise-wide visibility
• Reduce management complexity
Enterprise-ready
• Distributed architecture supports deployments of any size
• Flexible reference architecture
McAfee ePolicy Orchestrator: Key Feature Overview
• End-to-End Visibility
– Unified point of reference across security solutions
• Personalized Command Center
– Tune work environment to optimize efficiencies
• Drag-and-Drop Dashboards and Actionable Reports
– Immediate insight to action slashes response times
• Role-based Access Control
– Distribute administration and information
• Rogue System Detection
– Identify and manage all networked assets to lower risk
• Powerful Workflows
– Automate common routines, streamline processes across systems
• Enterprise-ready
– Flexible, scalable architecture minimizes CapEx and OpEx
• Extensible Framework
– Increase value of existing security assets, optimize for future needs
Use Cases: McAfee Technologies
OEM Case Study: NCR Financial Solutions
Global leader in assisted and self-service retail and financial systems, shipping 60,000+ ATMs/year with McAfee Embedded Security
“With this technology and compliance-ready ATMs, our bank customers don’t have to worry about security issues affecting their business or their consumer.”
• Problem Definition
– Lack of zero-day security
– Unauthorized software changes on production ATMs
• What NCR Needed
– Provide zero-day comprehensive security
– Transparent, small footprint & no overhead
– Deploy and forget, without ongoing updates
– Cost effective
• Why Embedded Security
– Insider threat mitigation, no unauthorized changes
– Complete ATM channel change control for PCI compliance
– Standardized on NCR APTRA platform
• How They Did It
– Utilizing process and certificate-based updaters for secure change control
– Built a repeatable process for specific application and OS auditing
Confidential McAfee Internal Use Only
OEM Case Study: NEC Infrontia POS
NEC Infrontia is a leading developer of point-of-sale systems, and currently ships more than 15,000 POS systems in Japan with McAfee Embedded Security
“Embedding McAfee gives us complete control and certainty over what changes on each device.”
• Problem Definition
– High partner support costs related to security problems
– Frequent OS patching
– Minimal to no PCI compliance
• What NEC Needed
– Reduce patching on Windows XP Embedded OS
– No performance-draining security
– Need for service provider partners to make changes
– Compliance
• Why Embedded Security
– Prevents unapproved installs to reduce in-field breakage
– Reduces number of touch points to the device
– Minimizes the need to frequently patch the OS
– Change control provides tight control over what is installed
– Delivers PCI compliant device to retailers
OEM Case Study: Merge Healthcare MRI
Merge Healthcare’s CADstream™, the standard in CAD for magnetic resonance imaging (MRI), ships with McAfee Embedded Security
“Integrating McAfee Embedded Security into CADstream improved CADstream security, availability, and support.”
• Problem Definition
– Unavailability caused by unauthorized changes
– Rampant field maintenance from unauthorized software modifications
– Current security solution resource intensive
– No compliance
• What Merge Healthcare Needed
– Blocking unapproved installs to reduce in-hospital breakage
– Less frequent OS patching cycles
– Low overhead keeps system running smooth at hospitals
– Provides zero-day protection for sustainable FDA compliance
– Change control dictates what can be changed or installed
• Why Embedded Security
– Minimal overhead required
– Protection in a standalone mode
– Code protection from unwanted and unauthorized change
OEM Case Study: Sharp MFPs
Global leader in developing integrated business solutions, shipping more than 15,000 MX-series MFPs in Japan with McAfee Embedded Security
“McAfee locks-down our office automation printers and multifunction peripherals by preventing unauthorized access and software changes.”
• Problem Definition
– Lack of control and minimal device security
– High field maintenance costs tied to unauthorized changes
– No PCI compliance or zero-day protection
• What Sharp Needed
– Single solution for security and compliance
– Minimal device overhead
• Why Embedded Security
– Prevents zero-day attacks and unnecessary field maintenance
– Allows for controlled configuration changes
– Improved service availability
– Helps ensure PCI compliance
• How They Did It
– Created template policies for configuration and system protection
– Trusted only the processes they wanted for application updates
McAfee Embedded Security: McAfee, Trusted Security Partner for Embedded Developers
Technology, Expertise, Partnership
Next Steps:
1. Identify & evaluate needs
2. Scope and conduct proof of concept
3. OEM partnership agreement
McAfee Embedded Security Compliance: PCI DSS Requirements
• Section 5, Use and regularly update anti-virus software: whitelisting approach provides complete malware protection without need for updates
• Section 6, Develop and maintain secure systems and apps: zero-day protection and change reconciliation with change management systems
• Section 10, Track and monitor all access to cardholder data: file change tracking on cardholder data, user activity, and unauthorized change attempts
• Section 11, Regularly test security systems and processes: comprehensive file integrity monitoring and malware protection
McAfee Embedded Security Compliance: NERC CIP-007 Guidelines
• CIP-007-1-R1, Ensure cyber assets and changes to assets do not adversely affect cyber security controls: application control protects the state of systems and keeps security controls pristine, while change control tracks changes specified in the requirement and during an audit
• CIP-007-1-R2, Ensure ports and services required for normal operations are enabled: application control maintains the state of the system and prevents configuration changes to standards set by the “responsible entity”
• CIP-007-1-R3, Security patch management for tracking, evaluating, testing, and installing cyber security patches: application control provides a compensating measure to mitigate risk exposure when the security patch or patch management program cannot be accomplished
• CIP-007-1-R4, Use anti-virus and malware prevention to detect, prevent, deter, and mitigate malware: application control and whitelisting-based approach provides complete proactive malware protection without need for updates or signatures
• CIP-007-1-R6, Ensure Cyber Assets implement automated tools or process controls to monitor system events: change control provides file integrity monitoring, system alerts, and login attempts, while application control can lock the system