McAfee DeepSAFE: Security Beyond the OS
Kai-Ping Seidenschnur, Senior Security Engineer
October 16, 2012
Intel/McAfee Initiatives: ePO Deep Command and Deep Defender
- McAfee ePO Deep Command: Security Management Beyond the OS
- McAfee Deep Defender: Endpoint Security Beyond the OS
McAfee Deep Defender
Threats Continue to Move Down the Stack
[Diagram: the platform stack from Applications/RDBMS, AV and HIPS, through the Operating System, Virtual Machine, I/O, Memory, Disk, Network and Display, down to BIOS and CPU]
- Traditional attacks and defenses focused primarily on the application layer
- Attack and disable security products, and hence all protection
- Infect the OS with APTs, resulting in threats hidden from security products
- Compromise the virtual machine, and hence all guest machines within it
- Rogue peripherals and firmware bypass all other security measures
- Malware/rootkits target storage devices to gain unauthorized control
- Ultimate APTs compromise devices below the OS, either before or after shipment
Introducing McAfee DeepSAFE Technology: Next-Generation Security Beyond the OS
[Diagram: Applications (Anti-Virus, Data Loss Prevention, Intrusion Prevention System, Firewall, Deep Defender) run on the Operating System; DeepSAFE sits between the Operating System and the hardware (Central Processing Unit, Input/Output, Memory, Disk, Network, Display)]
Deep Defender

Problems with Today's Solutions
1. Traditional AV products do not see rootkit kernel access
2. They rely on heuristic file or behavior analysis
3. Zero-day detection is difficult and requires pre-knowledge of the threat or threat type

Deep Defender
- Real-time monitoring for malicious memory access
- Day-zero protection against rootkits and APTs
- Monitor, block and remove
- Minimal performance impact
- GTI integrated: feeds rootkit detections back to GTI (Global Threat Intelligence), enhancing time to rootkit protection across all McAfee products
Deep Defender: Stopping a Stealthy Rootkit
- Real-time kernel-level monitoring of memory
- Identifies kernel-mode rootkits in real time
- Prevents the rootkit drivers from loading
- DeepSAFE technology loads before the OS
- DeepSAFE technology informs Deep Defender of suspicious behavior
[Diagram: boot sequence on an Intel i3/i5/i7 CPU with VT-x enabled in the BIOS, with McAfee DeepSAFE beneath the OS. Stage "DeepSAFE Loaded Beyond the OS": OS Loader, DeepSAFE Loader/Agent. Stage "OS Initialization, Boot Drivers": boot drivers, including a rootkit boot driver. Stage "Other Drivers": AV driver, rootkit driver and other drivers. Stage "Services and Applications": Deep Defender Agent, applications and a malware application.]
McAfee Confidential Internal Use Only
McAfee ePO Deep Command
McAfee ePO Deep Command
McAfee ePO Deep Command utilizes Intel vPro Active Management Technology (AMT) to deliver beyond-the-operating-system management, reducing security operations costs while enhancing your security posture. ePO Deep Command lets you control powered-off endpoints to execute security updates, deployments and scan tasks, as well as perform remote remediation of security issues.
McAfee ePO Deep Command: Security Management Beyond the OS
[Diagram: the ePO Agent Handler communicates with the endpoint stack: Apps, McAfee Security, McAfee Agent, OS, Preboot, Intel vPro]
- Utilizes Intel vPro technology (AMT)
- Local and remote AMT connections
- Permits remote assistance, policy control and remediation
- ePO-class scalability
Value
- Reduce cost of security operations
- Improve security of powered-off PCs
- Maintain security access while lowering energy use
McAfee ePO Deep Command Dashboards
Identifying vPro AMT-Enabled Endpoints
ePO Deep Command Use Cases

Business Challenge: Compromised systems or system failures force physical access to the endpoint to remediate.
McAfee ePO Deep Command: Enables the administrator to boot the compromised system from a remote remediation disk image, allowing full cleaning/repair of the system disk.

Business Challenge: Can't deploy updated security ahead of an attack if endpoints are powered off.
McAfee ePO Deep Command: Can contact and apply updated security policies to all AMT-enabled systems before a potential threat outbreak, regardless of their power state.

Business Challenge: Organizations have to reduce power consumption, yet still meet security and compliance regulations.
McAfee ePO Deep Command: Can apply security updates, patches, and new products or policies to systems by leveraging the Intel AMT Alarm and remote wake-up capabilities.

Business Challenge: Policy or system misconfigurations that cause connectivity issues.
McAfee ePO Deep Command: Connects to the system at the AMT level and allows remote reconfiguration of the faulty policy to re-establish normal traffic flows to/from the operating system environment.
Recovering Compromised Systems
Goals: (a) Remediate compromised or corrupt systems from ePO; (b) Perform forensics on the boot disk
[Diagram: ePolicy Orchestrator connects to the endpoint via AMT and remote-boots it from an .iso]
1. End user notifies the administrator of the disabled system, either via call or via the Remote Call for Help function
2. ePO administrator accesses the disabled endpoint via AMT at the hardware level
3. Administrator instructs the endpoint to boot from another network disk image
4. Once booted, the administrator deploys remediation steps to restore the endpoint or collect forensic evidence
Deploying Security Ahead of the Attack
Goal: (a) Ensure all endpoints, even powered-off ones, have up-to-date security
[Diagram: ePolicy Orchestrator connects to the endpoint via AMT and sends the task "Update DAT now"]
1. IT Security team sees threats spreading throughout the environment
2. ePO administrator connects via AMT to turn on powered-off PCs; alternatively, sets an AMT Alarm to wake systems at a specific time
3. On wake-up, ePO Deep Command executes a series of tasks to update the security profile, e.g. update anti-malware signatures, deploy additional security, run a scan
4. After the tasks execute, the system powers off
ePO Deep Command: Wake & Execute
[Diagram: endpoint stack of Apps, McAfee VirusScan, McAfee Agent, OS, Preboot, Intel AMT; the computer is woken by an AMT Alarm or a power-on command]
- Intel AMT will power on the computer, and the McAfee Agent will start and check for open tasks
- ePO will send tasks to the McAfee Agent, e.g. upgrade VSE, update DAT, run ODS, send events, and shutdown
Integration with upcoming EEPC V7
- Remote Unlock
- Reset User Password
- Location Aware Preboot
- Remote Remediation
https://community.mcafee.com/videos/1380
https://community.mcafee.com/videos/1381