Symantec

Editor's Notes

1. There are several vendors that offers products to help mitigate and prevent server compromise from occurring. These types of products are usually referred to as Host Intrusion Protection (HIPS) or Host Intrusion Detection (HIDS). HIPS products can take different approach to protection systems. One approach is locking down the system to prevent unauthorized applications from getting installed (white listing). Some white listing products will only control what applications can run on the system, but does not control what the trusted application can do on the system. If the trusted application is exploited then the hacker has rights to the system. Some HIPS products monitor the wire looking for attacks targeting the system and blocking them. These products perform deep packet inspection of every packet that is coming in looking for a signature match. These types of HIPS products can only block what they know and tend to be resource hogs.HIDS products perform analysis of logs on the system looking for strings or patterns to match on. These strings and patterns are usually written to look for suspicious behavior. Some HIDS products only perform file integrity monitoring . They will monitor files on the system looking for tampering and will alert when a file has changed The vendors that are out in the market that provide these products will usually only provide one piece or they will require multiple products to provide the full range of protection Bit 9 - White listing (No Application Control) and File Integrity Monitoring only McAfee – Requires several products or licenses to perform White listing, Application Control, Configuration Monitoring and File Integrity Monitoring Trend – Provides FIM, Log Inspection and network protection CA – Provides FIM, White listing, Application Control
2. CSP is one of the only products on the market that offers the best set of features to provide real time visibility and maximum control on your servers. When we break down the main features that CSP provides we can place them into several buckets (Prevention and Detection)Application Control (Prevention)When we discuss with customers the capabilities that CSP provides from a protection and prevention point of view it is important to understand how these components work. The Application Control capability of CSP uses polices to control bad behavior on the system as well as which applications can run. These polices are written to control good behavior of the applications and services that are running on the system. If an exploit occurs CSP will detect that the exploit is trying to access a resource or execute a command or modify a executable and prevent that from occurring. If I trust an application to run on the system I do not want someone to use the trust of that application to make modifications to the system. This is much different then applications that only provide white listing capabilities. White listing will control if an application can start, but once the application is started it does not control its behavior. System Control (Prevention)CSP prevention capability can also be used to lock down configuration files as well as intellectual property. This help prevent configuration drift or changes to the configuration that could result in a weaker system. CSP can also control user privileges. Even if a user has admin rights, CSP intercepts everything at the kernel level and makes a call on rather to grant that action. CSP can control access to registry, files and directories on the system as well as prevent removable drive use. Network Protection (Prevention)The network protection side of prevention can control access to and from the system based on IP and Port. The firewall does not provide deep packet inspection and does not look at any other protocols then TCP and UDP. Firewall rules can be written to control what applications are allowed to communicate and to where. Firewall rules can also be used to control when an application is communicating under what user is it allowed to make those connections. Auditing and Alerting (Detection) CSP provides file and log inspection. In Real-time CSP will monitor files for changes and will inspect log files for strings and patterns. If CSP detects a change or pattern it will send an event to the CSP MGR for logging, reporting and alerting. CSP can send out alerts via SMTP and SNMP. CSP provides out of the box queries that can be placed in reports for reporting against the data stored in the database. CSP provides a monitor tab that can be used to view and search on events in real-time.
3. In most of the breaches that Verizon investigated hackers where able to infiltrate the environment hack a system and then plant a malware or malicious application on the system. When a system is hacked it is usually from a vulnerable application or brute force password attack. In either case the hacker now has privileged access to the system and can now plant a rootkit, sniffer or keylogger on the system. In all of these cases the traditional defenses (AV, IPS, Firewalls, etc) did not stop the attack. Either because these systems were looking for a specific known attack or because the hacker had a privileged user account the defense did not stop it. In other cases where breaches occurred these happened from an insider. This could either be from a disgruntled insider who knows they are about to be laid off and installs a RAT on the system or creates a privileged user account to use at a later time. Once the employee is laid off they use this to gain access back into the enviornment
4. There are several products in the market place that do traditional white listing. White listing will control what applications can run but do not prevent a trusted application from doing something malicious on the system. CSP prevention policies provides least privilege application control (LPAC) to all applications running on the system. LPAC controls what applications are allowed and not allowed to do on the system. If an application attempts to access part of the system that it is not suppose to, the attempt is blocked. Certain applications will run on the system under the system or root account and will have more privileges then what is required. When these applications are exploited the hacker now has root or system access to the system and is able to make changes or install malicious applications. CSP will sandbox (confine) any sort of bad behavior from an application. If a exploit occurs against a vulnerable application and that exploit tries to access a resource or launch a command shell, LPAC will sandbox that request. CSP wraps a shim around each application and service. The shim has a set of rules that govern the behavior of that application or service. CSP can be used as a method of patch mitigation. Patches are usually installed to mitigate a vulnerability found within an application or service. These are the vulnerabilities that allow remote execution or access to resources on the system. CSP LPAC prevents application bad behavior so eliminates a vulnerable application from execution or accessing a system resource
5. CSP is one of the only products on the market that offers the best set of features to provide real time visibility and maximum control on your servers. When we break down the main features that CSP provides we can place them into several buckets (Prevention and Detection)Application Control (Prevention)When we discuss with customers the capabilities that CSP provides from a protection and prevention point of view it is important to understand how these components work. The Application Control capability of CSP uses polices to control bad behavior on the system as well as which applications can run. These polices are written to control good behavior of the applications and services that are running on the system. If an exploit occurs CSP will detect that the exploit is trying to access a resource or execute a command or modify a executable and prevent that from occurring. If I trust an application to run on the system I do not want someone to use the trust of that application to make modifications to the system. This is much different then applications that only provide white listing capabilities. White listing will control if an application can start, but once the application is started it does not control its behavior. System Control (Prevention)CSP prevention capability can also be used to lock down configuration files as well as intellectual property. This help prevent configuration drift or changes to the configuration that could result in a weaker system. CSP can also control user privileges. Even if a user has admin rights, CSP intercepts everything at the kernel level and makes a call on rather to grant that action. CSP can control access to registry, files and directories on the system as well as prevent removable drive use. Network Protection (Prevention)The network protection side of prevention can control access to and from the system based on IP and Port. The firewall does not provide deep packet inspection and does not look at any other protocols then TCP and UDP. Firewall rules can be written to control what applications are allowed to communicate and to where. Firewall rules can also be used to control when an application is communicating under what user is it allowed to make those connections. Auditing and Alerting (Detection) CSP provides file and log inspection. In Real-time CSP will monitor files for changes and will inspect log files for strings and patterns. If CSP detects a change or pattern it will send an event to the CSP MGR for logging, reporting and alerting. CSP can send out alerts via SMTP and SNMP. CSP provides out of the box queries that can be placed in reports for reporting against the data stored in the database. CSP provides a monitor tab that can be used to view and search on events in real-time.
6. Hackers want privileged access to a system and will either try and brute force password attack an account that is a privileged user or try and elevate a compromised user account. Once on the system hackers will attempt to make changes to the system to weaken the security, install backdoors. Resources (file, directory, network connections )are servers should be protected from unauthorized changes. Resources are the primary target of APT’s. APT will target resources in attempt to make changes to them to steal or to make use of for spreading to other systems. Over the past few years we have seen a number of malware (confiker, stuxnet, Flamer) that would use USB drives as infection points to then move from one system to another. Removable drives have also been a method that IT Ops or Service techs use to perform software updates on systems espcially systems that are not connected to the internet like ATM, POS or Plant Control systems.
7. CSP prevention policy provides full control over the resources on the system. This prevents inappropriate user activity like installation unauthorized applications to someone accidently sticking an infected USB drive into the system.
8. CSP is one of the only products on the market that offers the best set of features to provide real time visibility and maximum control on your servers. When we break down the main features that CSP provides we can place them into several buckets (Prevention and Detection)Application Control (Prevention)When we discuss with customers the capabilities that CSP provides from a protection and prevention point of view it is important to understand how these components work. The Application Control capability of CSP uses polices to control bad behavior on the system as well as which applications can run. These polices are written to control good behavior of the applications and services that are running on the system. If an exploit occurs CSP will detect that the exploit is trying to access a resource or execute a command or modify a executable and prevent that from occurring. If I trust an application to run on the system I do not want someone to use the trust of that application to make modifications to the system. This is much different then applications that only provide white listing capabilities. White listing will control if an application can start, but once the application is started it does not control its behavior. System Control (Prevention)CSP prevention capability can also be used to lock down configuration files as well as intellectual property. This help prevent configuration drift or changes to the configuration that could result in a weaker system. CSP can also control user privileges. Even if a user has admin rights, CSP intercepts everything at the kernel level and makes a call on rather to grant that action. CSP can control access to registry, files and directories on the system as well as prevent removable drive use. Network Protection (Prevention)The network protection side of prevention can control access to and from the system based on IP and Port. The firewall does not provide deep packet inspection and does not look at any other protocols then TCP and UDP. Firewall rules can be written to control what applications are allowed to communicate and to where. Firewall rules can also be used to control when an application is communicating under what user is it allowed to make those connections. Auditing and Alerting (Detection) CSP provides file and log inspection. In Real-time CSP will monitor files for changes and will inspect log files for strings and patterns. If CSP detects a change or pattern it will send an event to the CSP MGR for logging, reporting and alerting. CSP can send out alerts via SMTP and SNMP. CSP provides out of the box queries that can be placed in reports for reporting against the data stored in the database. CSP provides a monitor tab that can be used to view and search on events in real-time.
9. Many breaches have occurred over the past because of misconfigurations on the firewall that allowed unauthorized traffic to get into the network or servers not properly being segmented. Many cases once the compromise occurred or a malware infects a system data is lifted from that system back to the hacker or to other systems. Many times servers are allowed to communicate not only on the internal network but to external systems as well without any control of who they can talk to. Many times FTP is allowed to and from these systems which allows for each extract of data.
10. We have seen a lot of PCI breaches over the past few years. Where companies that are suppose to be in compliant with the digital dozen are still compromised. In many cases the system that were compromised were either not segmented from the rest of the network or allowed FTP traffic from that system to the outside world. CSP network protection can be used to segment traffic from these servers to only other authorized systems in the network as well as prevent FTP or other applications to send data to the outside world.
11. Once recent use case that CSP was able to help with was a DOD customer that was breached by a malware that started sending data back to China. The customer was able to push out a policy telling the servers that they should only be talking to other systems in the same Local Subnet. This stopped the communication from these internal servers to other systems that were not on the same local subnet.
12. CSP is one of the only products on the market that offers the best set of features to provide real time visibility and maximum control on your servers. When we break down the main features that CSP provides we can place them into several buckets (Prevention and Detection)Application Control (Prevention)When we discuss with customers the capabilities that CSP provides from a protection and prevention point of view it is important to understand how these components work. The Application Control capability of CSP uses polices to control bad behavior on the system as well as which applications can run. These polices are written to control good behavior of the applications and services that are running on the system. If an exploit occurs CSP will detect that the exploit is trying to access a resource or execute a command or modify a executable and prevent that from occurring. If I trust an application to run on the system I do not want someone to use the trust of that application to make modifications to the system. This is much different then applications that only provide white listing capabilities. White listing will control if an application can start, but once the application is started it does not control its behavior. System Control (Prevention)CSP prevention capability can also be used to lock down configuration files as well as intellectual property. This help prevent configuration drift or changes to the configuration that could result in a weaker system. CSP can also control user privileges. Even if a user has admin rights, CSP intercepts everything at the kernel level and makes a call on rather to grant that action. CSP can control access to registry, files and directories on the system as well as prevent removable drive use. Network Protection (Prevention)The network protection side of prevention can control access to and from the system based on IP and Port. The firewall does not provide deep packet inspection and does not look at any other protocols then TCP and UDP. Firewall rules can be written to control what applications are allowed to communicate and to where. Firewall rules can also be used to control when an application is communicating under what user is it allowed to make those connections. Auditing and Alerting (Detection) CSP provides file and log inspection. In Real-time CSP will monitor files for changes and will inspect log files for strings and patterns. If CSP detects a change or pattern it will send an event to the CSP MGR for logging, reporting and alerting. CSP can send out alerts via SMTP and SNMP. CSP provides out of the box queries that can be placed in reports for reporting against the data stored in the database. CSP provides a monitor tab that can be used to view and search on events in real-time.
13. The CSP agent takes up very little memory, cpu utilization or resources on a system. The agent provides a lot of prevention and detection under a small footprint.
14. Slide Objective: Demonstrate customer/industry successKey to this slide is OUT of the BOX policies!JPMC have been brought up on Whitelisting…(Cigna Cert, app signing, Bit 9….etc.)SCSP is much easier to manage than those products.Recently at the BlackHat Technical Security Conference, the Critical System Protection team set up a test allowing anyone to try their luck at retrieving a ‘flag’ hidden on an un-patched XP workstation. The goal was to have security professionals and hackers help Symantec improve the Critical System Protection product by pointing out existing gaps. The flag was secured using Critical System Protection’s out-of-the box strict prevention policies on XP un-patched workstation. The XP workstation, which had 10 known OS vulnerabilities reported by Rapid 7®, was vulnerable to attacks and had open shares that allowed external access. Hackers and pen testers from various renowned groups like the National Security Agency, Department of Defense, Defense Information Systems Agency and people who claimed to be from the Anonymous hacker group tried but failed to capture the flag.
15. Because the unexpected happens in business. Change control and application control reduces the “control gap” and gets you in control of your IT infrastructure to run your business
16. Because the unexpected happens in business. Change control and application control reduces the “control gap” and gets you in control of your IT infrastructure to run your business
17. Because the unexpected happens in business. Change control and application control reduces the “control gap” and gets you in control of your IT infrastructure to run your business
18. Because the unexpected happens in business. Change control and application control reduces the “control gap” and gets you in control of your IT infrastructure to run your business