Symantec Critical System Protection (SCSP) Overview. February 2010



Agenda
- What are the challenges?
- What is Critical System Protection?
- How does CSP work?
- How does CSP work with other Symantec products?
- Why Symantec Critical System Protection?

Pain Points for Server Security
- Mission-critical systems with minimal downtime for patching
- Maintain high availability and high performance
- Meet compliance requirements for systems with sensitive data
- Protect against abuses of privileged accesses
- Many OS platforms (Windows, Unix, Linux)
Server tiers in scope (diagram): general purpose file & print servers; DMZ web servers; data center application, database and mail servers. Requirements vary per tier.

Server Protection Challenges: System and Threat Complexity
Diagram of internal and external threats against database, file, mail, application, web and print servers, point-of-sale terminals and legacy servers. Threats shown: user/admin account hacking; application exploits; back door attacks; O/S exploits; authorized user exploits; auditing tampering; configuration changes; user rights escalation.

SCSP for Server Security
- Patch mitigation for mission-critical systems with minimal downtime
- Protect while maintaining high availability and high performance (no scanning)
- Meet compliance requirements for systems with sensitive data
- Protect against abuses of privileged accesses
- Support many OS platforms (Windows, Unix, Linux)
Server tiers in scope: general purpose file & print servers; DMZ web servers; data center application, database and mail servers.

What is Critical System Protection?
Security: known/unknown threat protection; insider abuse prevention; patch mitigation.
Compliance: real-time monitoring and auditing; logging and event reporting; real-time compliance enforcement.
Approach: policy-based; proactive enforcement; high availability and performance.

Multi-layer protection with SCSP (diagram: IIS and Exchange hosts protected by Symantec Critical System Protection)

Symantec Critical System Protection 5.2: Multi-layer protection for critical systems
Network Protection (Host IPS):
- Close back doors (block ports)
- Limit network connectivity by application
- Restrict traffic flow inbound and outbound
Exploit Prevention (Host IPS):
- Restrict apps & O/S behaviors
- Protect systems from buffer overflow
- Intrusion prevention for day-zero attacks
- Application control
System Controls (Host IPS):
- Lock down configuration & settings
- Enforce security policy
- De-escalate user privileges
- Prevent removable media use
Auditing & Alerting (Host IDS):
- Monitor logs and security events
- Consolidate & forward logs for archives and reporting
- Smart event response for quick action

SCSP Agent Platform Support (Jan. 10)

Microsoft Windows
  Client Edition:             Windows XP, Windows 2000
  Server Edition, Prevention: Windows 2000, 2003 and 2008, including 64-bit versions, Windows 2008 SP2 and R2; Windows NT
  Server Edition, Detection:  Windows 2000, 2003 and 2008, including 64-bit versions, Windows 2008 SP2 and R2; Windows NT
Solaris
  Client Edition:             Not applicable
  Server Edition, Prevention: Solaris 8, 9, 10* (*includes x86, x86 VM, 64-bit & Global Zones)
  Server Edition, Detection:  Solaris 8, 9, 10* (*includes x86, x86 VM, 64-bit & Local Zones)
Linux
  Client Edition:             SuSE Linux Professional
  Server Edition, Prevention: SuSE Linux Enterprise Server 8, 9, 10; RedHat Enterprise Linux 3**, 4**, 5 (includes 32-bit & 64-bit support); VMWare ESX 3.5 Host
  Server Edition, Detection:  SuSE Linux Enterprise Server 8, 9, 10; RedHat Enterprise Linux 3**, 4**, 5 (includes 32-bit & 64-bit support); VMWare ESX 3.5 Host
AIX
  Client Edition:             Not applicable
  Server Edition, Prevention: Future release
  Server Edition, Detection:  AIX 5L (5.1, 5.2, and 5.3)
HP-UX
  Client Edition:             Not applicable
  Server Edition, Prevention: Future release
  Server Edition, Detection:  HP-UX 11i v1 (11.11)**, v2 (11.23)** and v3 (11.31)**; HP Tru64 Unix V5.1B

** Also includes IDS support for Itanium 2
Notes:
- Detection in v5.2 can monitor unsupported platforms via the Remote Edition Virtual Agents, i.e. zLinux, Vista, AS400, Debian, Ubuntu, etc.
- SCSP agents also support use within VMWare guest operating systems running via VMWare Server, VMWare Workstation and VMWare ESX 3.x
- SCSP 5.2.4 supports the VMWare ESX 3.5 Host for IDS, including the HIDS policy pack; the HIPS driver is included without a HIPS policy pack.

SCSP Architecture (diagram)
- Management Server: policy management, agent registration, agent management, policy configuration, real-time monitoring, event logging, operational state, users and roles. Scalability = 5K-8K agents/server.
- SCSP Agents (servers, desktops & laptops): exchange asset data, event logging and policies with the Management Server over HTTPS.
- Management Console: connects to the Management Server over HTTPS for management and reporting.
- SQL Data Store: event data; the Management Server connects over JDBC.

SCSP's Roles in PCI Compliance
Monitor / Audit:
- System and application file, configuration and registry monitoring (PCI Req 10)
- System and application event and text log monitoring (PCI Req 10)
- Host-based real-time detection and prevention; broad OS and application coverage
Secure / Respond:
- Network protection: server host firewall (PCI Req 1)
- System and application exploit prevention & system controls (PCI Req 7 & 11)
- Block changes from unauthorized users/apps; run actions in response to events (PCI Req 7 & 11)

Event Detection (IDS) Layer: How it Works
Host system programs monitored: core OS daemons (crond, RPC, LPD/printer), application daemons (web, mail), interactive programs (email client, office, IE/browser).
Event sources on the host:
1. System & text logs (system, application & security events)
2. Create/modify/delete of settings
3. Create/modify/delete of files
Processing:
1. Symantec collectors gather events & compare them to IDS rule sets (custom or library)
2. Upon a match, take action
3. Send an alert to the management console and record the event in the local SCSP log
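The collect / compare / act loop described on this slide, written out as an added Python example. It is not SCSP code and does not use SCSP's rule format: the event shapes, the rule library (regular expressions), the per-host threshold for "multiple failed login attempts", and every log line, host name and path are constructed for illustration. Each match is recorded in a stand-in for the local agent log; an alert is raised for the console once a rule's threshold is reached.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    source: str   # "textlog" | "file" | "setting"
    host: str
    detail: str   # raw log line, or "<op> <path>" for file/setting changes

@dataclass(frozen=True)
class Rule:
    name: str
    source: str            # which collector's events this rule applies to
    pattern: str           # regex applied to Event.detail
    severity: str
    alert: bool = True     # send to the console (the local log always records a match)
    threshold: int = 1     # alert once this many matches are seen from one host

    def matches(self, ev):
        return ev.source == self.source and re.search(self.pattern, ev.detail) is not None

# Constructed rule library; patterns are illustrative, not SCSP's shipped rules
RULES = (
    Rule("failed-logon-burst", "textlog", r"Failed password for", "medium", threshold=3),
    Rule("root-session", "textlog", r"session opened for user root", "high"),
    Rule("account-file-change", "file", r"^(modify|delete) /etc/(passwd|shadow)$", "critical"),
    Rule("startup-key-change", "setting", r"CurrentVersion\\Run\\", "high"),
    Rule("log-rotation", "file", r"^modify /var/log/", "info", alert=False),
)

class Collector:
    """Gathers events, compares them with the rule set and dispatches actions:
    every match goes to the local log; console alerts fire at the per-host threshold."""
    def __init__(self, rules):
        self.rules = rules
        self.local_log = []        # stand-in for the agent's local SCSP log
        self.console_alerts = []   # stand-in for alerts sent to the management console
        self.counts = {}           # (rule name, host) -> matches seen so far

    def process(self, ev):
        hit = []
        for rule in self.rules:
            if not rule.matches(ev):
                continue
            hit.append(rule.name)
            self.local_log.append((rule.name, rule.severity, ev.host, ev.detail))
            key = (rule.name, ev.host)
            self.counts[key] = self.counts.get(key, 0) + 1
            if rule.alert and self.counts[key] == rule.threshold:
                self.console_alerts.append((rule.name, rule.severity, ev.host))
        return hit

# Constructed sample events, in the order the collectors would see them
EVENTS = (
    Event("textlog", "db01", "sshd[4311]: Failed password for oracle from 10.0.0.7 port 51234 ssh2"),
    Event("textlog", "db01", "sshd[4311]: Failed password for oracle from 10.0.0.7 port 51240 ssh2"),
    Event("textlog", "db01", "sshd[4311]: Failed password for oracle from 10.0.0.7 port 51251 ssh2"),
    Event("textlog", "db01", "sshd[4312]: pam_unix(sshd:session): session opened for user root by (uid=0)"),
    Event("file", "db01", "modify /etc/passwd"),
    Event("file", "db01", "modify /var/log/messages"),
    Event("setting", "web01", r"modify HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event("file", "web01", "modify /srv/www/index.html"),   # matches no rule
)

def run(events=EVENTS, rules=RULES):
    """Feed the events through one collector and return it for inspection."""
    collector = Collector(rules)
    for ev in events:
        collector.process(ev)
    return collector

if __name__ == "__main__":
    c = run()
    for name, sev, host in c.console_alerts:
        print(f"ALERT {sev:8} {host:6} {name}")
```

The threshold separates the two actions on the slide: a single failed logon is only recorded locally (forensic value, low noise), while the third from the same host also reaches the console. The unmatched `index.html` write shows that what is not in the rule set is not seen at all, which is the argument for the library plus custom rules.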

Pre-Configured Windows Detection (IDS) Policies (screenshot slide)

Phased approach to trusting IDS & IPS
1. Install SCSP with IPS off and IDS monitoring for security events and user auditing
2. Enable the IPS policy in IDS/log-only mode
3. Configure as desired using the Event Wizard
4. Incrementally enable portions of the IPS policy in enforcement mode for maximum protection from day-zero threats

Vulnerability Trends: Zero-day
Key definition: A zero-day vulnerability is one for which there is sufficient public evidence to indicate that the vulnerability has been exploited in the wild prior to being publicly known.
- From July 1st - December 31st 2006, Symantec documented 12 zero-day vulnerabilities, a significant increase over the previous two reporting periods.
- 2007 1H dropped to 6 documented zero-day vulnerability attacks, but these are still risks.
Attacks with no protection:
- No patches
- No anti-virus signatures
- No pre-built firewall rules
- No attack (Network IPS) signatures

Network protection technologies are insufficient to stop attacks
Diagram: an unknown threat exploiting a published vulnerability passes the enterprise perimeter (network firewall), the datacenter perimeter (packet-filtering appliance / Network IPS) and the host firewall; hosts are shown as COMPROMISED or INFECTED, and a malicious insider is already inside the perimeter. Worm examples: Sasser, Welchia, Blaster, Conficker (Windows vulnerabilities on unpatched systems).
Standard security solutions protect against known attacks and protect known vulnerabilities, missing:
- New threats
- New vulnerabilities
- Insiders

Exploits Across Your Network Targeting Critical Servers
Diagram of the corporate server infrastructure (database, email, application, file and web servers on the corporate network, exposed to the Internet) and the threats aimed at it:
- Disgruntled employee / insider attack: intentional misconfiguration or back door attack
- Outside attacker: exploit toolkit, zero-day worm
- Ignorant employee: unintentional misconfiguration
- Regular employee: copied data or infected files
- Hacker: targeted hacking attacks

Sample Day-zero Exploit: RPC Vulnerability by Blaster
Attack sequence against the RPC service (diagram):
1. Inbound connect (port 135)
2. Create outbound connect (port 4444)
3. Run script to download file
4. Insert file into root directory
5. Open backdoor for remote access
6. Modify registry keys
7. Open connections to infect others
Resources guarded on the CSP-protected system with the out-of-the-box Strict policy (Windows 2000/XP/2003 kernel): files, memory (buffer overflow), registry (Windows only), named pipes, network control, OS calls, devices.

Hacker Attacks Application Servers (targeted hacking attacks against a web server)
SCSP security features:
- Prevents inappropriate inbound connections
- Identifies multiple failed login attempts
- Blocks installation of unapproved executables
- Detects and blocks access to locked-down files/directories
Benefits:
- Automatically secures against inappropriate access
- Improves protection against data loss
- Easily provides detailed forensic data reports

Insider Abuse (disgruntled employee / insider attack: intentional misconfiguration or back door attack against a database server)
SCSP security features:
- Monitors/audits changes by administrators
- Prevents unauthorized network communication
- Identifies system user rights changes
- Prevents unauthorized application installation
Benefits:
- Reduces risk of inappropriate access
- Minimizes overhead in tracking breach activities
- Increases effectiveness of policy enforcement

Outside Attacks (outside attacker using an OS/application exploit toolkit or zero-day worm against servers and email servers)
SCSP security features:
- Blocks inbound network worm attacks
- Buffer overflow detection identifies/prevents vulnerability attacks
- Prevents file downloads
- Mitigates registry and program changes
Benefits:
- Dramatically reduces worm damage and cleanup
- Reduces network performance impact
- Improves protection against data loss

Mis-configured Systems (ignorant employee, unintentional misconfiguration of an application server)
SCSP security features:
- Audits for new application installations
- Monitors key files and configurations for changes
- Identifies Active Directory changes
- Blocks attacks on known/unknown vulnerabilities
Benefits:
- Minimizes application failures
- Reduces patching requirements
- Eliminates accidental and unintentional configuration problems

Enforcing Policy (regular employee copying data or infected files via system devices on a file server)
SCSP security features:
- Prevents use of USB devices on key systems
- Locks down and monitors system and application configurations
- Identifies changes to user rights
- Blocks access to restricted files by unauthorized applications and/or users
Benefits:
- Proactively prevents critical security or compliance violations before they occur
- Automates corrective actions to policy violations
- Cost savings via a single solution for both real-time and bulk event logging

Exploit prevention (HIPS) layer: How it Works
Symantec Critical System Protection creates a shell around each program and daemon/service that defines acceptable behavior.
Host programs covered: core OS daemons (crond, RPC, LPD/printer), application daemons (mail, web), interactive programs (email client, office, browser).
Normal resource access allowed through the shell:
- Files: read/write of data files; read-only configuration information
- Registry
- Network: usage of selected ports
- Devices: usage of selected devices

Out of the box HIPS protection for the most commonly attacked applications
OS protection:
- RedHat & SuSE Linux core OS protection
- Solaris core OS protection
- Microsoft Windows core OS protection
Web & application servers:
- Apache web server
- Microsoft SQL Server
- Microsoft Internet Information Server
Mail servers:
- Postfix email server
- Sendmail email server
- Microsoft Exchange
Desktop applications:
- Microsoft Outlook & Outlook Express
- Microsoft Office applications
All others -> default standard daemon/service policies and default standard desktop application policies

VMWare ESX 3.5 Host Protection
Challenges:
- The VMWare ESX host is a RHEL kernel and is increasingly subjected to vulnerabilities and attacks.
- Malware can potentially use the host as a launching pad for attacks on the guest OSes (diagram: one host, several guests).
SCSP benefits:
- Provides host IDS to monitor user, system and resource activities and report on real-time intrusions
- Protects the ESX host with its IPS policies to provide firewall protection, device control, configuration and system lockdown, admin access control and file system protection
- Provides protection so you can comfortably put a PCI server in virtualization

What's new in SCSP 5.2.4? (GA: Feb 3, 2010)

Expanded Platform Support
  Description: Agent: Win2008 R2, Win2008 SP2, unified Windows agent install, VMWare ESX 3.5 IDS and IPS. Manager: Win2008 R2 and SP2, SQL2008 32-bit and 64-bit.
  Benefit: Additional platform support for broader and more effective protection in the environment.
Interoperability with Storage Foundation High Availability
  Description: Pre-defined policy pack for use in Storage Foundation HA deployments.
  Benefit: Enhanced high availability support for critical systems by protecting clustered hosts against configuration drift; reduced unplanned downtime due to security vulnerabilities and patches.
File Monitoring Enhancements
  Description: Increased ability to track changes to a user-definable value above the 100K file size limit; ability to monitor subdirectories with a wildcard option; monitoring of Windows extended file attributes and alternate data streams.
  Benefit: Increased effectiveness in monitoring potentially harmful or inappropriate file changes for PCI compliance.
VMWare ESX 3.5 Host Protection
  Description: A new HIDS policy pack based on the VMWare hardening guide is provided; HIPS support through custom RHEL policies until the next release.
  Benefit: Advanced protection across virtualized environments.
WebUI for Management
  Description: The SCSP Management Console can now be accessed from a web browser.
  Benefit: Provides flexibility for administrative access; enables integration into a central web portal for Symantec.
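The file-monitoring items above (wildcard coverage of subdirectories and a size limit on full-content tracking) are easiest to judge with a small baseline-and-compare routine, so here is one as an added Python example. It is not SCSP's file monitor: the pattern syntax is Python's `fnmatch`, the "files above the limit are tracked by size only" rule is an assumed stand-in for whatever the product does above its limit, and the directory tree, file names and contents are constructed in a temporary directory so the example runs offline.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatchcase

def fingerprint(path, max_bytes):
    """SHA-256 of the content; files above max_bytes are tracked by size only
    (assumed stand-in for a size limit on full-content tracking)."""
    size = os.path.getsize(path)
    if size > max_bytes:
        return f"size:{size}"
    with open(path, "rb") as f:
        return "sha256:" + hashlib.sha256(f.read()).hexdigest()

def snapshot(root, patterns, max_bytes=100_000):
    """Map relative path -> fingerprint for every file under root whose relative
    path matches one of the patterns. fnmatch's '*' also matches '/', so a pattern
    such as 'etc/*.conf' covers every subdirectory below etc/ (the wildcard option)."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatchcase(rel, p) for p in patterns):
                result[rel] = fingerprint(full, max_bytes)
    return result

def diff(before, after):
    """Classify differences between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }

PATTERNS = ("etc/*.conf", "bin/*")   # constructed monitoring scope

def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def demo(max_bytes=100):
    """Build a constructed tree, baseline it, apply changes, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/app.conf", b"listen=8080\n")
        _write(root, "etc/sub/db.conf", b"pool=10\n")
        _write(root, "etc/big.conf", b"x" * 200)          # over the size limit
        _write(root, "bin/start.sh", b"#!/bin/sh\n")
        _write(root, "var/log/app.log", b"started\n")    # outside monitoring scope
        base = snapshot(root, PATTERNS, max_bytes)
        _write(root, "etc/sub/db.conf", b"pool=99\n")                 # modified, in a subdirectory
        _write(root, "etc/new.conf", b"debug=1\n")                     # added
        os.remove(os.path.join(root, "bin", "start.sh"))               # deleted
        _write(root, "etc/big.conf", b"y" * 200)                       # same size: size-only tracking misses it
        _write(root, "var/log/app.log", b"started\nstopped\n")        # unmonitored, must not appear
        return diff(base, snapshot(root, PATTERNS, max_bytes))

if __name__ == "__main__":
    print(demo())
```

The `big.conf` case is the one to keep in mind when choosing the limit: a same-size rewrite of a file that is only size-tracked produces no change record, which is why raising the limit for the configuration files that matter (the "user-definable value" above) is a security setting rather than a performance knob. Calling `demo(max_bytes=1000)` hashes that file too and reports it as modified.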

Complete Server Infrastructure Protection: SCSP + SEP
Compliance:
- Establish protection policies
- Report on policy violations
- Real-time monitoring of configuration and access controls
Prevention:
- Block known malware
- Reduce unknown vulnerability exploits
- Lock down file systems
- Enforce user/admin access controls
- Limit device access
- Based on: signature, behavioral, reputation, policy
Detection:
- File changes
- Configuration changes
- Buffer overflow
- Thread injection
Remediation:
- Malware removal
- Recommended actions
- Real-time event log aggregation
- Real-time data correlation

Complete Server Infrastructure Protection: SCSP + SEP (Symantec Protection Suite Server Edition)
Server technologies: device and application control; host intrusion prevention; network protection; system lockdown & hardening; monitoring, auditing, and alerting; antispyware; antivirus.
Characteristics: performance; risk mitigation; policy-based protection; insider abuse prevention; workflow; compliance & enforcement; multi-OS.
Value:
- Single console; increased visibility, protection, control, and manageability
- Reduced cost, complexity, & risk exposure
- Multiple technologies optimized for a variety of scenarios and platforms

SCSP - SEP Server Compatibility
Consoles: separate SEP and SCSP Java-based consoles with a similar Symantec look & feel (policy management, agent management, roles and administration, launch reports, view alerts). Console traffic is HTTPS to Apache; reports use HTTP to IIS.
SEPM: Apache Tomcat, SSL port 8443 or port 443; JDBC & ODBC to the SQL database.
SCSP Manager: Apache Tomcat, SSL ports 4443, 8006 and 8081; JDBC to the SQL Data Store.
SQL Data Store contents: policies; events & logs; security content; reporting data*; state information; updates and patches* (*SEPM only). Separate databases, with no overlap or conflicts for either embedded or external SQL.
SEP and SCSP management servers can coexist on the same server systems.
SEP clients (desktops, laptops) retrieve all policies, content, and packages and submit all state information to IIS servers on IIS port 80 (or SSL).
SCSP agents retrieve all policies and submit all state information to Tomcat on SSL port 443.
If using SSL for SEP server-agent communications, change either the SCSP or the SEP agent port to a new value (before deploying). No installation or port changes are required for agents unless SSL is used by both deployments.

Protection + Intelligence = Value
Critical System Protection: host intrusion prevention; network protection; system, device, application control; auditing and alerting.
Security Information Manager: aggregate; normalize; prioritize; correlate; remediate.
Value: increased protection, control, and manageability; reduced cost, complexity, and risk exposure.

Viewing SCSP events on SSIM
- SSIM has a collector for SCSP
- SSIM Event tab: pre-defined out-of-the-box queries for CSP, mapped across multiple buckets, including compliance queries
- Create custom queries

Correlate SCSP Events with SSIM Rules
- Pre-defined out-of-the-box rules
- CSP events map to EMR
- Custom rules based on CSP data
- Cross-correlate rules of different types

Data Center High Availability Challenges and Solutions
Challenge: configuration drift causes downtime; configuration inconsistencies between hosts can cause failover errors.
Solution with SCSP: lock down and monitor configurations; monitor and alert on configuration changes; lock down systems from inadvertent admin accesses.
Challenge: avoid unplanned downtime; vulnerability exploits and attacks can lead to unplanned patching downtime; untested emergency patches may cause failures and impact availability.
Solution with SCSP: provide zero-day vulnerability protection; lock down critical resources before patches are available or applied; more time to test and deploy patches during planned downtimes.
Tested for interoperability between SFHA and SCSP by Symantec.

SCSP Enhances High Availability Systems
Reliable availability: ensures reliable failover; restricts operational disruptions; facilitates risk mitigation; minimizes system downtime.
Comprehensive protection: protects against mis-configurations; mitigates confidentiality breaches; monitors system policy compliance.
Dependable asset integrity: monitors configuration changes; blocks access to restricted files; restricts infrastructure exploits.

SCSP 5.2.4: Interoperability with Symantec Storage Foundation HA
- SFHA is installed on a large number of database servers for storage management and optimization.
- SCSP is used to protect database servers that process mission-critical data.
- Includes an SCSP IPS policy pack to monitor critical configuration files of SFHA and to enforce configuration lockdown, access control, and other protection policies without interfering with SFHA.
- Tested on Solaris 10 with SFRAC for Oracle HRAC database.

Control Compliance Suite (CCS) and CSP Attach Plays
CSP: protects critical servers from external and internal threats; provides real-time monitoring, auditing and enforcement to meet compliance.
CCS: identifies critical host systems not yet patched; provides reports as auditable evidence of compliance.
CCS DPE bundle available today; data integration on roadmap.
Exceed your Security Quota with CCS - Internal Use Only

SCSP Summary
Host-based protection of critical assets:
- Host intrusion prevention & host intrusion detection
- High performance, low-latency agent
- Proactive protection against 0-day attacks
- Comprehensive OS and application log monitoring
Lowers the cost of administering asset protection through simple, centralized policy creation and management:
- Symantec-supplied, customizable policies
- Intuitive, clean interface
Adds protection to systems that are difficult to lock down or cannot have patches immediately applied:
- Prevent vulnerability exploits even without a patch
- Ensure applications only access intended resources
- Prevent and report unauthorized administrator actions

Symantec Critical System Protection: Top Advantages
- Broadest platform coverage with a single console
- Highly effective protection with minimal performance impact
- Comprehensive out-of-the-box policies and templates
- Superior ease of use and stability over other solutions
- Complementary layer of protection to other Symantec solutions
- Backed by world-class service and sales support

Thank you! Ivy Lui Ivy_Lui@symantec.com

Backup slides: Screenshots and Details
- SCSP Master Dashboard
- SCSP Detection Dashboard
- SCSP HIDS Policies
- SCSP HIPS Policies
- SCSP Real-time Event Monitoring
- SCSP Top 10 Event Report
- SCSP Recent Event Summary Report

Windows Out-of-the-Box Prevention Policies
A starting point for customers. Each policy is built on the same core components (BCDs, PBR, macros, etc.); the only difference is which options are defined by default. Easily move from one policy to another by just adjusting options.
Core:
- Core OS protection with maximum application compatibility
- Instant hardening of commonly attacked processes/applications + buffer overflow (BO) protection
- All unspecified programs* are treated as safe, except for BO protection and inbound network controls
- Recommended policy for server deployments
Strict:
- OS and application control
- BO & network lockdown: no inbound access, outbound limited to ports 80, 135, 389 & 443
- Unspecified programs* are confined (cannot write critical system files nor system executables)
Limited Execution:
- Limits execution of non-server applications
- Same functions as Strict, except all interactive processes are denied except those in the whitelist
* Unspecified programs are handled by default process sets

HIPS Configuration Comparison
Traditional IPS/firewall (monolithic policy):
- Policies/rules are in a sequential list (priority denies, allows, denies), with each system call being checked against the whole policy list
- Actual response is dependent on rule order
- To add to a policy, the user must understand exactly how the resulting rule sequence will execute
SCSP (modular policy):
- Processes are assigned to a process set; then only the corresponding process set rules are scanned (global, general services, application X)
- To control a new application, the user need only be concerned with the new process (rule) set

HIPS Operational Comparison
Traditional IPS/firewall (monolithic policy):
- Every process call check starts at the top and works sequentially down the entire list (priority denies, allows, denies)
- As the policy is customized, the list grows, leading to slower and slower performance
- Network IPS policies work the same way, adding extra impact by reassembling & scanning every packet into/out of the system
SCSP (modular policy):
- As a process starts, it is assigned to a process set (global, general services, application X). From that point on, process calls are checked against a limited set of policies
- As the policy is customized, the performance impact is small: only changes to call-related rules in the global, general or app-specific process sets affect a given process, and a new but unrelated app has no effect
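The performance claim on these two comparison slides can be checked by counting rule evaluations, so here is an added Python example that builds the same rule base under both models and reports how many rules one call has to walk. It is not SCSP's engine: the tuple rule format, the two-stage order for the modular model (global priority denies, then the process set the program was assigned to), the per-application rule generator and the `appN` names are all constructed for illustration.

```python
from fnmatch import fnmatchcase

# A rule is (program_glob, call_kind, target_glob, verdict); first match wins
def first_match(rules, program, kind, target):
    """Sequential scan of an ordered rule list.
    Returns (verdict or None, number of rules examined)."""
    for i, (prog, k, tgt, verdict) in enumerate(rules, 1):
        if k == kind and fnmatchcase(program, prog) and fnmatchcase(target, tgt):
            return verdict, i
    return None, len(rules)

GLOBAL_DENIES = [("*", "file_write", "/etc/shadow", "deny"),   # constructed
                 ("*", "exec", "/bin/sh", "deny")]

def app_rules(program, n):
    """Constructed per-application rules: n allowed data paths, then a catch-all deny."""
    rules = [(program, "file_write", f"/opt/{program}/data/{j}/*", "allow") for j in range(n)]
    rules.append((program, "file_write", "*", "deny"))
    return rules

class MonolithicPolicy:
    """One global ordered list; every call walks it from the top."""
    def __init__(self, global_rules, per_app):
        self.rules = list(global_rules) + [r for rs in per_app.values() for r in rs]

    def check(self, program, kind, target):
        verdict, n = first_match(self.rules, program, kind, target)
        return verdict or "allow", n

class ModularPolicy:
    """Global priority denies first, then only the process set the program belongs to."""
    def __init__(self, global_rules, per_app, general_default="allow"):
        self.global_rules, self.sets, self.default = list(global_rules), per_app, general_default

    def assign(self, program):
        """Process-set lookup, done once when the process starts (here: by name)."""
        return self.sets.get(program, [])

    def check(self, program, kind, target):
        verdict, n = first_match(self.global_rules, program, kind, target)
        if verdict == "deny":
            return verdict, n
        verdict, m = first_match(self.assign(program), program, kind, target)
        return verdict or self.default, n + m

def compare(n_apps, rules_per_app):
    """Rules examined for one file write by the last-configured app under both models."""
    per_app = {f"app{i}": app_rules(f"app{i}", rules_per_app) for i in range(n_apps)}
    mono, mod = MonolithicPolicy(GLOBAL_DENIES, per_app), ModularPolicy(GLOBAL_DENIES, per_app)
    last = f"app{n_apps - 1}"
    call = (last, "file_write", f"/opt/{last}/data/{rules_per_app - 1}/records.db")
    return {"monolithic": mono.check(*call), "modular": mod.check(*call)}

if __name__ == "__main__":
    for apps in (10, 20, 40):
        r = compare(apps, 20)
        print(f"{apps:3} apps: monolithic examined {r['monolithic'][1]:4} rules, "
              f"modular examined {r['modular'][1]:3}")
```

Both models return the same verdict; what differs is the cost. With 20 rules per application, the monolithic list examines about 21 rules more for every additional application that was configured before the caller's own rules, while the modular count stays at the global rules plus the caller's own set no matter how many unrelated applications are added. The order in `ModularPolicy.check` also shows the one coupling that remains: a new global deny still touches every process, which matches the slide's note that global and general-set changes are the ones that affect performance.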

PCI Firewall Requirement (Req. 1)
- Primarily focused on network firewall features
- SCSP augments network firewalls with host-based protection, so not all features are required on the host
- SCSP protects against additional attacks from within the network security perimeter and ensures inappropriate application communications are controlled

PCI Monitoring Requirements (Req. 10)
- SCSP provides both host lockdown (IPS) and monitoring to audit all of these items
- SCSP's host-based prevention capabilities can monitor and control access to audit tools and data. This includes locking audit data to access/use by only authorized users and applications
- Real-time IPS lockdown limits access and changes to system audit logs, which is not possible with log collection tools
- IPS events provide immediate notification about abnormal system behavior and access. Events can trigger e-mail, SNMP and/or log-based alerting

PCI Data Restriction Requirements (Req. 7)
- SCSP can limit user access to files and registry keys based on application and user/group
- SCSP IPS policies can block access to files/registry keys by any user, including root or administrator accounts, while still allowing specific applications to access and/or modify those files
- SCSP's default IPS policies block changes to applications and system files. Customers can specify acceptable patch/system management tools (and users), as well as lock down their implementations of sensitive applications/content

PCI Data Restriction Requirements (Req. 11)
- SCSP's IPS feature includes a firewall to control application traffic
- SCSP's behavioral IPS can detect and block threats that network technologies can miss, including insider abuse or abuse of insider accounts
- Host-based protection is needed to detect all changes. Note: once a week may meet PCI, but is not enough to prevent hacking
- SCSP's IDS and IPS policies protect and monitor key system and application files
- SCSP meets and exceeds the minimum PCI recommendations by providing exploit prevention and configurable auditing to monitor access and usage on the system in real time
- SCSP can identify which users and applications were used to modify files using either IPS or IDS file auditing policies