Next Generation Endpoint Security
Jason Brown, Enterprise Solution Architect, McAfee
May 23, 2013

Agenda
• Threat landscape and current approach
• The anatomy of an attack
• Next generation endpoint security

THREAT LANDSCAPE AND CURRENT APPROACH

Recapping the Problem
• Q2 2012: >8 million new malware samples
• Up to 200,000 new samples received and processed daily by McAfee Labs
• >99.9% of malware samples received in 2012 were targeted at Windows

The Traditional Approach – works to a point
• Signatures
• Generics
• Heuristics and sandboxing

Two fundamental problems with today's approach…
• Detection
– 1 new threat each second versus 1 signature update per day
– New signature updates could be produced more frequently but cannot be consumed more quickly
– The cloud helps, but we cannot check each file with the cloud
– Signatures don't help against APTs and zero-day attacks
• Performance
– Scanning all files for all things takes time
– As the number of threats multiplies, the impact of scanning multiplies

THE ANATOMY OF AN ATTACK

Four Phases of an Attack
• First Contact – how the attacker first crosses paths with the target
– Physical Access | Unsolicited Message | Malicious Website or URL | Network Access
• Local Execution – how the attacker gets code running
– Exploit | Download Malware | Social Engineering | Configuration Error
• Establish Presence – how code persists on the system, to survive reboot
– Persist on System | Escalate Privilege | Self-Preservation
• Malicious Activity – the business logic, what the attacker wants to accomplish
– Propagation | Bot Activities | Adware & Scareware | Identity & Financial Fraud | Tampering

Four Phases of an Attack, e.g. Fake AV
(The same four-phase diagram, applied to a Fake AV campaign.)

A generic approach to protection
Controls mapped onto the four phases:
• First Contact – Device control | Hard disk encryption | Email filtering | Web filtering | Host firewall | Network access control
• Local Execution – Memory & kernel protection | On-access scanning | Application whitelisting | Access protection rules | Auditing
• Establish Presence – Access protection rules | Kernel protection | On-access scanning | Application whitelisting | Integrity monitoring
• Malicious Activity – Web filtering | Host firewall | Memory & kernel protection | Database monitoring | Auditing | On-access scanning | Access protection rules | Application whitelisting | Integrity monitoring

Does this approach work?
(Chart; Source: Aberdeen Group, March 2012)

NEXT GENERATION ENDPOINT SECURITY

Context-Aware Endpoint Platform
Next-generation endpoint security spans Data Center, Embedded, Virtual Server, Mobile, Laptop and Desktop.
• First-generation endpoint security – Desktop/Laptop | Blacklist files | Focus on devices | Windows only | Static device policy | Disparate, disconnected management
• Next-generation endpoint security – Unified security operations | Real-time information | Cloud | Security Information and Events | Application | Risk and Compliance | Database | OS | Chip

Next Generation Anti-Malware Core: Technology Overview
• High performance – Adaptive scanning and dynamic scan avoidance using trust logic | Static and dynamic whitelisting
• Context awareness – OS | Application | Network | File | Registry | Memory | Process execution
• Signature-less detection – Shell code & script exploits | Reputation and trust based process restrictions | Environmental heuristics | Process profiling
• Reputation enabled – File, IP, site, domain | Prevalence
• Resilient – Advanced repair | Built-in false prevention logic | Centralized quarantine
• Flexible – Multiple content streams | Updateable components

Adaptive scanning and false avoidance
• Is a scan necessary?
• Scan according to file state
• False cloud check

Traditional combined with reputation
Global Threat Intelligence:
• Traditional signatures
• Cloud lookups for file, URL, domain, IP reputation, and metadata
• Generics and heuristics
What do you do about the remaining items, with various levels of suspiciousness?

Intelligent Trust and Selective Scanning
Define multiple scanning states, providing differing levels of monitoring, hooking different kernel activity etc.:
• Trusted – limited set of their events monitored
• Normal – intermediate set of events monitored
• Suspicious – full set of their events monitored
Categorise the file based on knowledge:
• Where did it come from (Internet, USB, local net, …)?
• How did it arrive (trusted process, user, …)?
• What else is known about it?
• Processes inherit the trust of their binary image file
• Monitor processes based on scanning state

Adaptive Scanning based on behavior
• Malware families follow certain behavioral patterns
• Observe what grey files and processes do, looking for suspicious behavior
• Keep track of events in a local database
• Change state based on behaviours, e.g.
– If something suspicious is seen, increase event monitoring for that process:
• Connects to known bad IP or URL: more suspicious
• Signed by known trusted certificate: less suspicious
– Get aggressive, but in a highly targeted way!

Summary
• First gen endpoint solutions scan with signatures once and, if no infection is found, allow any action
– Increased malware volume means this technique will impact performance
– Increased speed of propagation renders this approach ineffective against new malware, zero-day attacks and APTs
• Next gen endpoint solutions need
– Light scan to minimise performance impact
– Heavy scan to detect new malware
• An adaptive approach is the only way to improve detection whilst reducing performance impact

THANK YOU
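As an added illustration (not code from this deck or from any McAfee product), a minimal Python model of the trust-state machine the last three slides describe: a file is placed in a Trusted/Normal/Suspicious scanning state from its provenance, a process inherits that state from its image file, only the events hooked for the current state are recorded in a local event log, and observed behaviour moves the state up or down. The per-state event sets, the origin labels and the one-level step for a trusted signature are assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Trust(IntEnum):
    TRUSTED = 0      # limited set of events monitored
    NORMAL = 1       # intermediate set of events monitored
    SUSPICIOUS = 2   # full set of events monitored

# Assumed event sets per scanning state; the deck only names the three tiers.
MONITORED = {
    Trust.TRUSTED:    {"process_create"},
    Trust.NORMAL:     {"process_create", "file_write", "network_connect"},
    Trust.SUSPICIOUS: {"process_create", "file_write", "network_connect",
                       "registry_write", "memory_write"},
}

def classify_file(origin: str, via_trusted_process: bool, trusted_cert: bool) -> Trust:
    """Initial state from where the file came from, how it arrived and its signature."""
    if trusted_cert:
        return Trust.TRUSTED
    if origin in ("internet", "usb") and not via_trusted_process:
        return Trust.SUSPICIOUS
    return Trust.NORMAL

@dataclass
class Process:
    pid: int
    image: str
    state: Trust                              # inherited from the image file's state
    log: list = field(default_factory=list)   # the local event database

    @classmethod
    def spawn(cls, pid, image, origin, via_trusted_process=False, trusted_cert=False):
        return cls(pid, image, classify_file(origin, via_trusted_process, trusted_cert))

    def observe(self, event: str, **detail) -> bool:
        """Hook the event only if the current state monitors it (else the scan is
        avoided); a known-bad IP/URL contact raises this process to SUSPICIOUS."""
        if event not in MONITORED[self.state]:
            return False
        self.log.append((event, detail))
        if event == "network_connect" and detail.get("reputation") == "bad":
            self.state = Trust.SUSPICIOUS
        return True

    def signature_verified(self, trusted_cert: bool) -> Trust:
        """A known trusted signature lowers suspicion by one level."""
        if trusted_cert and self.state > Trust.TRUSTED:
            self.state = Trust(self.state - 1)
        return self.state
```

Note that a process started in the Trusted state never hooks network_connect at all, which is exactly the performance-versus-detection trade-off the Summary slide describes.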