The Challenge of a Comprehensive Network Protection. Introduction

Transcription

1

2 Index Introduction...3 Corporate Network Security Management Challenge...5 Multi-layers and heterogeneous network...5 Roaming Clients...5 Control of unproductive and restricted applications...5 Securing networks from the risks of unmanaged endpoints...6 Centrally Managed Network Security...6 Malware Audits...7 EndPoint protection Challenge...8 Understanding what is a Host Intrusion Prevention System (HIPS)...8 Panda Security Host Intrusion Prevention System (HIPS)...8 Deep Packet Inspection Firewall....9 TruPrevent TM Behavior Blocking...9 TruPrevent TM Behavior Analysis...10 Genetic Heuristic Engine Anti-malware...10 Endpoint protection effectiveness in the real world...11 Panda Security Collective Intelligence...12

3 Introduction All organizations need to protect their critical and sensitive information from data leaks, targeted attacks and unknown malware, especially in recent years, when there has been more malware than ever released in the wild. The vast amounts of threats in circulation and the change in threats objectives are rendering traditional antivirus solutions ineffective. Complementary approaches and technologies must be developed and implemented in order to raise effectiveness to adequate levels. On January 25, 2007, in the Gartner Teleconference "Host-Based Intrusion Prevention Systems (HIPS) Update: Why Antivirus and Personal Firewall Technologies Aren't Enough i ", the author claims that the objectives started as pure experimentation and are now developing towards information warfare. Figure 1. This chart examines the impact and frequency of malware from Gartner Group s Host-based Intrusion Prevention System (HIPS) Update: Why Antivirus and Personal Firewall Technologies Aren t Enough. (Source: Gartner, 2007) Figure 1 illustrates the impact of different kinds of attacks and their frequency. The frequency of cyber-crime attacks is forecast to increase dramatically until Cyber-crime refers to hackers who work in an organized and specific manner to steal money, business information, or other assets essential to companies. The Challenge for Endpoint protection requires that security solutions provide not only advanced capability for protecting them, but a perfect combination of the following capabilities: 1. Protection against the huge and growing number of known and unknown malware and targeted attacks by the most advanced and complete set of maximized capabilities of host-based intrusion prevention. 2. Protection of and from endpoints that are inside the organization network infrastructure, but also managing security of roaming clients that move continually from network to network. 3. Secure network from unmanaged endpoints, which although not under the control of network administrators, can access sensitive information. 4. Device control that allows detecting and securing external devices such as USBs. Revision Panda Security 2008 Page 3 of 13

4 5. Help increase employee productivity by controlling the use of unproductive or restricted applications and eliminating undesired content. 6. Periodic in-depth malware audits that can detect and disinfect hidden threats such as identity theft Trojans, targeted attacks, rootkits and other malware not detected by permanent protection. 7. Protection at all infrastructure layers, covering everything from endpoints to and gateway platforms. 8. Endpoints and multi-tier protection must be part of a comprehensive architecture provided by a single solution. It is necessary for this architecture to be extensible and flexible, so new protection layers can be deployed and managed from the same solution and it does not require separate products to be integrated in the existing solution. 9. Entire network security must be managed by a single, centralized administration role-based console. From here, entire network policies, security deployment, updates, monitoring, alerting, reporting and event logging must all be easily managed. Operational characteristics must be considered to reduce operation complexity and operating cost. 10. At the same time, minimizing the resource and bandwidth consumption of protected systems. The scope of this paper is to consider network security critical aspects that a solution must cover in order to protect the entire network and to reduce operation complexity and cost. Second, the aim of this paper is also to describe the range of approaches and technologies for effective endpoint protection. It is essential that network security solutions offer -in a single product- all endpoint protection approaches to protect critical and sensitive information from data leaks, targeted attacks and unknown malware. And third, we will describe advance concepts that complement Panda s integrated desktop, server, and gateway protection to take the battle against today s malware dynamic head-on and provide the final complement to Panda s ideal protection model. Revision Panda Security 2008 Page 4 of 13

5 Corporate Network Security Management Challenge Due to the fact that endpoint security protection is the last line of defense against increasingly sophisticated threats, having a complete endpoint protection with a range of approaches and technologies is not sufficient, a network security solution should also exhibit the following beneficial characteristics: 1. Corporate networks have different infrastructure layers that must be protected, such as perimeter or gateways. Network security solutions must provide these layers with proactive protection, because the sooner malware is detected, the less damaging it will be. 2. Manage endpoints that are inside the organization network infrastructure, but also manage security of roaming clients that move continually from network to network. 3. Secure network from unmanaged endpoints, which even if not under the control of network administrators, can still access sensitive information. 4. Help increase employee productivity by controlling the use of unproductive or restricted applications and eliminating undesired content. 5. Help reduce operation complexity and operating costs through a centrally management system for both managed and unmanaged endpoints and for the entire heterogeneous network. This system allows integrated policy development, role-based administration, monitoring and alerting and also allows immediate action to secure the network, consolidated logging and reporting from a single point. Multi-layers and heterogeneous network For businesses that manage traffic through Microsoft Exchange Server, Panda Security for Business with Exchange adds complete and straightforward protection for private mailboxes and public folders against known and unknown malware. It also includes a best of breed anti-spam solution that reduces network operating costs, saves administrator time and avoids lost productivity. Anti-spam and content filtering protection in Panda Security for Business with Exchange and Panda Security for Enterprise also follows the multi-layer approach, eliminating undesired at server layer and at endpoint layer. In addition, Panda Security for Enterprise also ensures that other layers of the corporate infrastructure are secure, allowing protection to be deployed and updated in all network systems, regardless of their location or platform: workstations (Windows and Linux), file servers (Windows and Novel NetWare Servers), Exchange and Domino mail servers, Sendmail, QMail and Postfix server, ISA server. This modular, flexible, and scalable architecture meets complex, heterogeneous network needs with advance configuration. Roaming Clients Organizations must deal with a growing number of roaming clients, and their security is also the remit of administrators. Panda Security for Business and Panda Security for Enterprise allow, through bidirectional communication called Roaming, clients protection to inform the administrator about events that occur outside the office so entire organization security is managed centrally independently of endpoint locations. Control of unproductive and restricted applications Panda Security for Business and Panda Security for Enterprise include a rule-based application control feature that allows administrators to have complete control over endpoint and network resources, such as Revision Panda Security 2008 Page 5 of 13

6 access to files, network traffic, access to operating system components (registry, COM, users, etc.) and apply those rules on a per user or group basis. With this functionality, administrators are able to determine, for example, the applications that can or cannot be used by employees. Thanks to this feature administrators can apply granular control options for applications (Word, Excel, Outlook, Internet Explorer, Games, itunes, Desktop utilities, etc.) and network usage (such as blocking P2P, instant messaging, or VoIP traffic). Securing networks from the risks of unmanaged endpoints Enterprise security solutions must provide protection for both managed and unmanaged endpoints, within the network and for roaming clients. Unmanaged endpoints are those that are not under the administrator s control, but they do in fact have access to the network, for example, onsite guest access. It is necessary for the administrator to control this situation in order to avoid security problems. Securing networks from the risks posed by these endpoints involves, firstly, to centrally notify administrators that unmanaged endpoints are in the network in order to decide what action to take. Secondly, auditing the presence of various attributes such as enabled antivirus software, signature file updated, and specific patches applied, etc. These functionalities are both implemented in Panda Security for Business and Panda Security for Enterprise thanks to the centrally managed console where unmanaged endpoints are shown in real-time and by Cisco NAC integration, as Panda Security for Business and Panda Security for Enterprise do, but our solutions also implement a unique technology called NetWorkSecure. The NetworkSecure unit allows the network connections of a computer to be secured by checking the security status of the computer before allowing it to connect to the corporate network. The task in the computer that connects to the corporate network is called the Validation Phase. During this phase, the checks configured by the administrator are carried out to determine whether or not the computer is secure. If the policies are not fulfilled, the computer will be disconnected from the network and isolated. Integration in Cisco NAC and the development of NetworkSecure ensures that security policies are complied with across the network even in computers that are not managed through AdminSecure as the operation of the security software installed on these computers is validated before allowing it to access shared network resources. Integration with Microsoft NAP (Network Access Protection) provides a solution for evaluating the security status of a client trying to connect or communicate with a private network and restricts access until the client has complied with the established security policy. The technology includes a client side component and a server side so the administrator can define security policies that will restrict access to those clients that don t comply with them. This new technology has been included in Windows Server 2008, Windows Vista and Windows XP SP3. Centrally Managed Network Security The entire network security should be administrated via a single, centralized management system. It must include integrated policy development, both push and pull update capabilities, role-based administration, monitoring and alerting, integration within corporate organization. AdminSecure offers manageability and administration features, for efficient, effective security management: Revision Panda Security 2008 Page 6 of 13

7 All-in-one Management Console. One interface supports all technologies and multi-layer protections. Easy Deployment. AdminSecure has a mechanism to easily deploy communication agents and protection. Integration of the protection in the company infrastructure is fast, because it can be deployed through login script, packages, or direct installation. Flexible architecture. Through its modular, flexible, layered, preventive protection philosophy and scalable architecture Panda Security for Business and Panda Security for Enterprise meet complex, heterogeneous network needs and facilitates complete point-topoint, anti-malware protection in every layer of your organization. In addition, the centralizing of information and management of all network nodes with Panda AdminSecure, allows maximum control of resources administered remotely, even computers belonging to external staff, and cause-and effect-analysis when an infection has occurred Improved Supervision. In order to guarantee effective protection of all the IT systems in your company, it is essential to protect all network components and have a dashboard containing metrics, customizable organization views, and graphic reports that allow you to closely monitor the protection status. Malware Audits Panda Security for Business and Panda Security for Enterprise is also the only solution in the market for small businesses that includes a complementary in-depth malware audit and disinfection service that is able to uncover advanced hidden threats such as identity theft Trojans, targeted attacks, rootkits and other malware not detected by traditional means. Revision Panda Security 2008 Page 7 of 13

8 EndPoint protection Challenge As Panda Security has been able to prove in a recent research study ii, even users protected with antivirus and security solutions with the latest signature database can be infected by active malware. Dealing with the malware evolution using a traditional signature approach has not been valid for some years now. Understanding what is a Host Intrusion Prevention System (HIPS) Traditional antivirus and personal firewall solutions are no longer sufficient to protect endpoint against targeted attacks iii, and it is not possible to patch an entire network as quickly as new vulnerabilities are announced. As a result, a complete Host Intrusion Prevention System (HIPS) which provides protection before malware enters endpoint (at network layer), once it is present on the endpoint but not yet executing (at application layer) and when it is executing (behavior layer), is an absolute must for any security solution. These three layers of protection that must be covered by a complete Intrusion Prevention System, must be efficient not only in detecting known malware and attacks, its real value is when it is efficient against unknown ones for which advanced technologies must be implemented. Even though many security solutions add some kind of Intrusion Prevention, the sad reality is that about half the solutions on the market do not have any of these types of technologies yet or have only part of them that is still not sufficient for dealing with the present malware situation. Even if some vendors provide some kind of intrusion prevention in their portfolio, their security solutions do not provide this protection included in the box, even though assessing new types of malware and attacks requires the most advance and complete Host Intrusion Prevention System at the earliest opportunity. Panda Security Host Intrusion Prevention System (HIPS) Panda Security s complete HIPS follows a defense-in-depth philosophy, which could be summarized as integrating different protection technologies layers at different infrastructure layers. Panda Security Host Intrusion Prevention System implementation is modular and therefore can be applied both to endpoint desktop and servers. Let s take a look at each of these technologies that makes Panda Security Host Intrusion Prevention System a complete HIPS. Revision Panda Security 2008 Page 8 of 13

9 Figure 2. Panda Security s integrated endpoint security Deep Packet Inspection Firewall. This technology indentifies and prevents threats in the network traffic stream before they have a chance to reach the computer. The network traffic stream is examined for the signatures of known bad traffic. It performs pattern detection and removal of known threats by using signatures of known attacks (for example, worms, port-scanning, malformed protocols, etc.). But this technology also examines the network traffic stream for unknown malicious code but doesn't rely on attack-facing signature for detection. For example, rather than look for every variant of the Sasser worm using signatures, by inspecting network traffic for specific buffer overflow techniques, the capability of vulnerability-facing filters detects all attacks, known and unknown, aimed at exploiting the Local Security Authority Service (LSASS.EXE). TruPrevent TM Behavior Blocking. This technology is composed of a set of rules which are defined by rules describing allowed and denied actions for a particular application. Despite offering a high degree of granularity to administrators for creating custom policies, this application control and system hardening module is shipped with a set of default configuration policies with are managed and updated by PandaLabs. Revision Panda Security 2008 Page 9 of 13

10 TruPrevent TM Behavior Analysis. It acts as a true last line of defense against new malware executing on a computer that manages to bypass signatures, heuristics and behavior blocking. This technology exhaustively analyzes the behavior and is designed to block malware as soon as it starts acting. Unlike other behavior technologies, TruPrevent TM behavior analysis is autonomous and does not present technical questions to the end user. Panda Security s internal statistics show that these technologies are capable of detecting over 80% of the malware in the wild without signatures and without false positives. Two-thirds of the new variants received at PandaLabs from our customers managed quarantines have been submitted automatically by the TruPrevent TM behavior analysis. Behavioral analysis in real-time detects new and unknown malware threats and zero-day attacks such as malicious specially-crafted PDFs and Office files without requiring signature updates Genetic Heuristic Engine. While our signature-based engine acts as the application level protection for known malware and it benefits from the unique automated and enhanced malware collection, classification and remediation of Panda Security Collective Intelligence, GHE correlates the genetic traits of files by using proprietary algorithms. The genetic traits define the potential of the software to carry out either malicious or harmless actions when executed on a computer. GHE can be set to low, medium or high sensitivity in order to apply to different environments depending on the probability of malware in each environment. Panda Security endpoint protection has the capability of scanning HTTP protocol, real-time protocols and Instant Messaging with the GHE set to high sensitivity due to the fact that the likelihood of an executable file being malware is very high at this network layer. However for storage (or application) layers where the vast majority of executable code is from legitimate applications, GHE is set to medium sensitivity. One third of the new variants received at PandaLabs from our customers managed quarantines have been submitted automatically by the GHE. Anti-malware At Panda Security we research and develop 100% of our core anti-malware technologies for detecting known malware and the huge varieties of known malware. All Panda Security solutions benefit from the latest generation of security technologies by Panda Security, called Collective Intelligence. Collective Intelligence represents an approach to security radically different to the current models. One of the benefits of this approach, described below in the document, is the automation of the entire malware detection and protection cycle (collection, analysis, classification and remediation). Collective Intelligence offers visibility of large volumes of malware and targeted attacks that came from computers and networks world-wide in real-time. Thanks to the visibility of malware and targeted attacks through Collective Intelligence and automation of detection and disinfection of malware, each network protected by Panda Security s solutions benefit from the knowledge gained by the entire community in real-time. Panda Security s HIPS is the most advanced proactive technology available in the market according to Gartner i. In addition to intrusion prevention and proactive detection available in other solutions, Panda also integrates behavioral analysis, real-time protection to detect new and unknown malware threats and zero-day attacks. Revision Panda Security 2008 Page 10 of 13

11 Endpoint protection effectiveness in the real world As said before, given the new, sophisticated and vast amounts of threats in circulation and the change in their objectives, endpoint security solutions must protect against known and zero-days attacks. Here we present a comparative result of some solutions performance assessed by independent third parties against real world threats, which demonstrates the capabilities of each solution in protecting endpoints and networks against the dynamic landscape of IT threats WildList Proactive detection * Behavioral Analysis Detection ** Rootkit Detection ** Panda Security McAfee Symantec Trend Micro Microsoft 94% 69% 65% 65% 57% *Andreas Marx AV-Test. WildList Proactive Detection and Response Time Testing for ** AV-test. Revision Panda Security 2008 Page 11 of 13

12 Panda Security Collective Intelligence As shown before, Panda Security has developed a robust, defense-in-depth philosophy for endpoint security by providing an advanced Host Intrusion Prevention System. It adds to this comprehensive level of protection by leveraging the concept of Collective Intelligence 1 (CI). The CI concept complements Panda s integrated desktop, server, and gateway protection to take the battle against today s malware dynamic head-on and provide the final complement to Panda s ideal protection model. Collective Intelligence offers a radically different approach to security. This approach is based on exhaustive remote, centralized, and real-time knowledge about malware and non-malicious applications maintained through the automatic processing of all scanned elements. CI provides the ability to maximize malware detection capabilities, while at the same time, minimizing resource and bandwidth consumption of protected systems. Panda Security s Collective Intelligence approach provides tremendous value to all enterprises by benefiting from community knowledge, as soon as a malicious process is detected in a user s PC by Panda Security s Collective Intelligence servers, Panda Security for Business and Panda Security for Enterprise customers worldwide automatically benefit from that detection, by means of a new signature or by means of the automatic management of their quarantine items. 1 Collective intelligence is a form of intelligence that emerges from the collaboration and competition of many individuals. Revision Panda Security 2008 Page 12 of 13

13 References i Gartner: Host-Based Intrusion Prevention Systems (HIPS) Update: Why Antivirus and Personal Firewall Technologies Aren't Enough ii Reserch study: Active Infection in Systems Protected by Updated AntiMalware Solutions. Panda Reseach. August iii Gartner: Understanding Strengths and Weaknesses of Host-Based Intrusion Prevention Style. Revision Panda Security 2008 Page 13 of 13