A Holistic Approach to Malware Defense
Bruce Cowper, Senior Program Manager; Security Initiative, Microsoft Canada

Page 1: A Holistic Approach to Malware Defense
Bruce Cowper, Senior Program Manager; Security Initiative, Microsoft Canada

Page 2: Understanding Malware Attack Techniques

Common malware attack techniques include:

Social engineering

Backdoor creation

E-mail address theft

Embedded e-mail engines

Exploiting product vulnerabilities

Exploiting new Internet technologies

Page 3: What Is Defense-in-Depth?

Using a layered approach:

Increases an attacker's risk of detection

Reduces an attacker's chance of success

Layers and example controls:

Policies, procedures, and awareness – security policies, procedures, and education

Physical security – guards, locks, tracking devices

Perimeter – firewalls, border routers, VPNs with quarantine procedures

Internal network – network segments, IPSec, NIDS

Host – OS hardening, authentication, update management, antivirus updates, auditing

Application – application hardening

Data – strong passwords, ACLs, encryption, EFS, backup and restore strategy

Page 4: Malware Defense at the Perimeter

Using application layer firewalls to detect and block malware at the perimeter

Leveraging a layered approach to AntiVirus and Spam Filtering

Protecting all of the assets

Page 5: A Traditional View of a Packet

Only packet headers are inspected

Application layer content appears as a "black box"

IP Header: Source Address, Dest. Address, TTL, Checksum

TCP Header: Sequence Number, Source Port, Destination Port, Checksum

Application Layer Content: ???????????????????? (shown as a black box)

Forwarding decisions based on port numbers
– Legitimate traffic and application layer attacks use identical ports

Diagram: expected HTTP traffic, unexpected HTTP traffic, attacks, and non-HTTP traffic all arrive from the Internet toward the corporate network.

Page 6: Application Layer View of a Packet

Packet headers and application content are inspected

IP Header: Source Address, Dest. Address, TTL, Checksum

TCP Header: Sequence Number, Source Port, Destination Port, Checksum

Application Layer Content: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet"

Forwarding decisions based on content
– Only legitimate and allowed traffic is processed

Diagram: allowed HTTP traffic, prohibited HTTP traffic, attacks, and non-HTTP traffic arrive from the Internet; only the allowed HTTP traffic reaches the corporate network.

Page 7: Example: Blocking Apps Over HTTP

Application | Search in HTTP | Header | Signature
MSN Messenger | Request headers | User-Agent: | MSN Messenger
Windows Messenger | Request headers | User-Agent: | MSMSGS
AOL Messenger (and Gecko browsers) | Request headers | User-Agent: | Gecko/
Yahoo Messenger | Request headers | Host | msg.yahoo.com
Kazaa | Request headers | P2P-Agent | Kazaa Kazaaclient:
Kazaa | Request headers | User-Agent: | KazaaClient
Kazaa | Request headers | X-Kazaa-Network: | KaZaA
Gnutella | Request headers | User-Agent: | Gnutella Gnucleus
Edonkey | Request headers | User-Agent: | e2dk
Morpheus | Response header | Server | Morpheus
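The table above is a set of header signatures that an application layer firewall applies to HTTP traffic. The following is an added example, not code from the presentation or from ISA Server: a small matcher that parses an HTTP message head, looks up the named headers case-insensitively, and blocks the message when any signature from the slide matches. The sample requests and responses are constructed for the example, and the `Gnutella`/`Gnucleus` and `Kazaa`/`Kazaaclient:` entries from the table are split into separate substring checks.

```python
# Added example, not code from the presentation or from ISA Server: apply the
# slide's header-signature table to raw HTTP message heads.

SIGNATURES = [
    # (application, message side, header name, substring that identifies it)
    ("MSN Messenger", "request", "User-Agent", "MSN Messenger"),
    ("Windows Messenger", "request", "User-Agent", "MSMSGS"),
    ("AOL Messenger (and Gecko browsers)", "request", "User-Agent", "Gecko/"),
    ("Yahoo Messenger", "request", "Host", "msg.yahoo.com"),
    ("Kazaa", "request", "P2P-Agent", "Kazaa"),        # also covers "Kazaaclient:"
    ("Kazaa", "request", "User-Agent", "KazaaClient"),
    ("Kazaa", "request", "X-Kazaa-Network", "KaZaA"),
    ("Gnutella", "request", "User-Agent", "Gnutella"),
    ("Gnutella", "request", "User-Agent", "Gnucleus"),
    ("Edonkey", "request", "User-Agent", "e2dk"),
    ("Morpheus", "response", "Server", "Morpheus"),
]


def parse_headers(raw):
    """Return the header block of an HTTP message head as a dict keyed by
    lower-cased header name. The first line (request or status line) is
    skipped; parsing stops at the empty line that ends the head."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if line == "":
            break
        if ":" not in line:
            continue                      # malformed header line; ignore it
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def match_signatures(raw, side):
    """Return the applications whose signature appears in the message.
    `side` is "request" or "response". Header names are compared
    case-insensitively, as HTTP requires; signature values are compared as a
    case-insensitive substring of the header value."""
    headers = parse_headers(raw)
    hits = []
    for app, sig_side, header, needle in SIGNATURES:
        if sig_side != side:
            continue
        value = headers.get(header.lower())
        if value is not None and needle.lower() in value.lower() and app not in hits:
            hits.append(app)
    return hits


def decide(raw, side):
    """Block the message when any signature matches, otherwise allow it."""
    hits = match_signatures(raw, side)
    return ("block", hits) if hits else ("allow", [])


# Constructed sample messages (not captured traffic).
BROWSER_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)\r\n"
    "\r\n"
)
MESSENGER_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: gateway.example.com\r\n"
    "user-agent: MSMSGS\r\n"              # lower-case header name still matches
    "\r\n"
)
GECKO_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: news.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows; rv:1.8) Gecko/20060101 Firefox/1.5\r\n"
    "\r\n"
)
KAZAA_REQUEST = (
    "GET /file HTTP/1.1\r\n"
    "Host: peer.example.net\r\n"
    "User-Agent: KazaaClient\r\n"
    "X-Kazaa-Network: KaZaA\r\n"
    "\r\n"
)
MORPHEUS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Morpheus\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, msg, side in [("browser", BROWSER_REQUEST, "request"),
                            ("messenger", MESSENGER_REQUEST, "request"),
                            ("gecko", GECKO_REQUEST, "request"),
                            ("kazaa", KAZAA_REQUEST, "request"),
                            ("morpheus", MORPHEUS_RESPONSE, "response")]:
        print(name, decide(msg, side))
```

The `GECKO_REQUEST` case makes the caveat in the table concrete: the `Gecko/` signature blocks an ordinary Gecko browser as well as AOL Messenger, so a rule built on that signature needs an exception list or a more specific match before it goes into production.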

Page 8: Layered AntiVirus & AntiSpam

Diagram: Antigen deployed at each of the following servers

Live Communications Server – Antigen

SharePoint Server – Antigen

Exchange Servers – Antigen

ISA Server – Antigen

Windows SMTP Server – Antigen

Traffic and threats covered: viruses, worms, IM and documents, e-mail

Page 9: Multiple Scan Engine Management

• Manage up to 9 scan engines

• Eliminate single point of failure

• Minimize window of exposure during outbreaks

Diagram: Antigen running Scan Engine 1, Scan Engine 2, Scan Engine 3 and Scan Engine 4, with a Quarantine
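The three bullets above describe what running several engines in parallel buys you. The following is an added example, not code from the presentation or from Antigen: a simulation in which every available engine scans a message, the message is quarantined if any engine detects something, an engine that is down does not stop scanning, and the scan fails closed if no engine at all responds. The engine names, the signatures and the sample messages are constructed for the example; only "Engine 3" has a signature for the newer sample, which is the window of exposure the slide refers to.

```python
# Added example, not code from the presentation or from Antigen: several
# independent scan engines over one message, with outage handling.


class EngineUnavailable(Exception):
    """Raised when an engine cannot scan (crashed, updating, licence expired)."""


class ScanEngine:
    def __init__(self, name, signatures, available=True):
        self.name = name
        self.signatures = signatures        # {detection name: byte pattern}
        self.available = available

    def scan(self, data):
        """Return the detection name of the first matching signature, or None."""
        if not self.available:
            raise EngineUnavailable(self.name)
        for detection, pattern in self.signatures.items():
            if pattern in data:
                return detection
        return None


def scan_message(data, engines, min_engines=1):
    """Scan `data` with every engine. Returns (outcome, detections, failed):
    - "quarantine" if at least one engine detected something,
    - "deliver" if every responding engine was clean,
    - "defer" (fail closed) if fewer than `min_engines` engines responded."""
    verdicts, failed = {}, []
    for engine in engines:
        try:
            verdicts[engine.name] = engine.scan(data)
        except EngineUnavailable:
            failed.append(engine.name)
    if len(verdicts) < min_engines:
        return "defer", {}, failed
    detections = {name: hit for name, hit in verdicts.items() if hit is not None}
    outcome = "quarantine" if detections else "deliver"
    return outcome, detections, failed


# Constructed signatures: only Engine 3 has shipped a signature for the newer
# sample, so the other three engines alone would let it through.
OLD_WORM = b"OLD-WORM-MARKER"
NEW_WORM = b"NEW-WORM-MARKER"

ENGINES = [
    ScanEngine("Engine 1", {"Worm.Old": OLD_WORM}),
    ScanEngine("Engine 2", {"Worm.Old": OLD_WORM}),
    ScanEngine("Engine 3", {"Worm.Old": OLD_WORM, "Worm.New": NEW_WORM}),
    ScanEngine("Engine 4", {"Worm.Old": OLD_WORM}),
]

# Constructed messages (not real mail).
CLEAN_MESSAGE = b"Subject: quarterly report\r\n\r\nPlease find the figures attached."
NEW_WORM_MESSAGE = b"Subject: re: your document\r\n\r\n" + NEW_WORM


def with_engine_down(engines, name):
    """Copy of `engines` with the named engine marked unavailable."""
    return [ScanEngine(e.name, e.signatures, available=(e.name != name))
            for e in engines]


if __name__ == "__main__":
    print(scan_message(CLEAN_MESSAGE, ENGINES))
    print(scan_message(NEW_WORM_MESSAGE, ENGINES))
    print(scan_message(NEW_WORM_MESSAGE, with_engine_down(ENGINES, "Engine 3")))
```

The third run shows why the number of engines matters during an outbreak: with the only engine that already has the new signature unavailable, the message is delivered, so the exposure window is the time until a second vendor ships a signature or the engine comes back.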

Page 10: Malware Defense at the Client

Page 11: Service Hardening

Windows Service Hardening – defense in depth

Services run with reduced privilege compared to Windows XP

Windows services are profiled for allowed actions to the network, file system, and registry

Designed to block attempts by malicious software to make a Windows service write to an area of the network, file system, or registry that isn't part of that service's profile

Diagram: active protection covering the file system, registry, and network
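The slide describes a per-service profile of permitted file system, registry and network targets, and a check that blocks writes outside it. The following is an added example, not code from the presentation or from Windows: a model of such a profile and the decision function, including path normalisation so a `..` segment cannot escape an allowed directory. The service name `ExampleSvc` and its profile are hypothetical.

```python
# Added example, not code from the presentation or from Windows: a per-service
# write profile and the allow/deny check that enforces it.
import ntpath                      # Windows path rules, usable on any host OS


def _norm_path(path):
    """Collapse '.' and '..' segments and fold case so a path such as
    'C:\\A\\..\\B' is compared as 'c:\\b' rather than as a string prefix."""
    return ntpath.normpath(path).lower()


def _under(target, prefix):
    """True if `target` equals `prefix` or lies beneath it. The separator is
    required so 'c:\\svc' does not cover 'c:\\svc2'."""
    return target == prefix or target.startswith(prefix + "\\")


class ServiceProfile:
    def __init__(self, service, file_roots, registry_roots, outbound_tcp_ports):
        self.service = service
        self.file_roots = [_norm_path(p) for p in file_roots]
        self.registry_roots = [k.lower().rstrip("\\") for k in registry_roots]
        self.outbound_tcp_ports = set(outbound_tcp_ports)

    def allows(self, resource, target):
        """resource is "file", "registry" or "network"; target is a path, a
        registry key path, or a (protocol, port) tuple for an outbound
        connection. Anything not explicitly profiled is denied."""
        if resource == "file":
            return any(_under(_norm_path(target), root) for root in self.file_roots)
        if resource == "registry":
            key = target.lower().rstrip("\\")
            return any(_under(key, root) for root in self.registry_roots)
        if resource == "network":
            proto, port = target
            return proto == "tcp" and port in self.outbound_tcp_ports
        return False                     # unknown resource type: deny


# Hypothetical service and profile (constructed for the example).
EXAMPLE_SVC = ServiceProfile(
    service="ExampleSvc",
    file_roots=[r"C:\ProgramData\ExampleSvc"],
    registry_roots=[r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc"],
    outbound_tcp_ports=[443],
)


def check_write(profile, resource, target):
    """Return an audit record (verdict, service, resource, target)."""
    verdict = "allow" if profile.allows(resource, target) else "deny"
    return verdict, profile.service, resource, target


if __name__ == "__main__":
    attempts = [
        ("file", r"C:\ProgramData\ExampleSvc\state.dat"),
        ("file", r"C:\ProgramData\ExampleSvc\..\..\Windows\System32\driver.dll"),
        ("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters"),
        ("registry", r"HKLM\SOFTWARE\ExampleCorp\OtherApp"),
        ("network", ("tcp", 443)),
        ("network", ("tcp", 25)),
    ]
    for resource, target in attempts:
        print(check_write(EXAMPLE_SVC, resource, target))
```

The second file attempt is the case the slide is about: the path starts inside the service's own directory but normalises to a system directory, so a naive string-prefix check would have allowed it.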

Page 12: Internet Explorer 7

Social Engineering Protections

Phishing Filter and Colored Address Bar

Dangerous Settings Notification

Secure defaults for IDN

Protection from Exploits

Unified URL Parsing

Code quality improvements (SDLC)

ActiveX Opt-in

Protected Mode to prevent malicious software

Page 13: Phishing Filter – Dynamic Protection Against Fraudulent Websites

3 "checks" to protect users from phishing scams:

1. Compares web site with local list of known legitimate sites

2. Scans the web site for characteristics common to phishing sites

3. Double checks site with online Microsoft service of reported phishing sites, updated several times every hour

Two Levels of Warning and Protection in IE7 Security Status Bar

Level 1: Warn – Suspicious Website (signaled)

Level 2: Block – Confirmed Phishing Site (signaled and blocked)
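The three checks and two warning levels above form a small decision pipeline. The following is an added example, not code from the presentation or from Internet Explorer, that implements that pipeline: a local list of known legitimate sites that short-circuits the other checks, a set of heuristic characteristics, and a lookup against reported phishing sites that confirms a block. The local list, the heuristics, the threshold of two flags, and the local set standing in for the online reported-sites service are all constructed for the example.

```python
# Added example, not code from the presentation or from Internet Explorer:
# the slide's three checks and two warning levels as a URL classifier.
import ipaddress
from urllib.parse import urlsplit

LEVEL_OK, LEVEL_WARN, LEVEL_BLOCK = 0, 1, 2

# Check 1: local list of known legitimate sites (constructed).
KNOWN_LEGITIMATE = {"www.example.com", "mail.example.com"}

# Check 3: stands in for the online service of reported phishing sites, which
# the real filter queries over the network; here it is a constructed set.
REPORTED_PHISHING = {"account-verify.example.invalid"}

CREDENTIAL_WORDS = ("login", "signin", "verify", "account", "secure", "update")


def heuristic_flags(url):
    """Check 2: characteristics phishing pages commonly share. Each flag is
    one piece of evidence; none of them is conclusive on its own."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    if parts.username is not None:
        flags.append("userinfo-before-host")  # a name before '@' hides the real host
    if host.count(".") >= 4:
        flags.append("many-subdomain-labels")
    if "xn--" in host:
        flags.append("punycode-label")         # look-alike IDN host names
    if any(word in parts.path.lower() for word in CREDENTIAL_WORDS):
        flags.append("credential-word-in-path")
    return flags


def classify(url, suspicious_threshold=2):
    """Return (level, reasons): 0 = no warning, 1 = warn (suspicious),
    2 = block (confirmed by the reported-sites list)."""
    host = (urlsplit(url).hostname or "").lower()
    if host in KNOWN_LEGITIMATE:                 # check 1: trusted, stop here
        return LEVEL_OK, ["known-legitimate-site"]
    flags = heuristic_flags(url)                 # check 2
    if host in REPORTED_PHISHING:                # check 3: confirmed -> block
        return LEVEL_BLOCK, ["reported-phishing-site"] + flags
    if len(flags) >= suspicious_threshold:
        return LEVEL_WARN, flags
    return LEVEL_OK, flags


if __name__ == "__main__":
    for u in ("https://www.example.com/login",
              "http://192.0.2.10/secure/verify-account",
              "http://account-verify.example.invalid/login",
              "http://docs.example.org/page"):
        print(u, classify(u))
```

Ordering matters here: the local list runs first so that well-known sites are never sent to the online service, and a reported site is blocked regardless of how few heuristic flags it raises, which is why the confirmed check is evaluated before the threshold.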

Page 14: Windows Defender

Improved detection and removal

Redesigned and simplified user interface

Protection for all users

Page 15: Windows Vista Firewall

Combined firewall and IPsec management

New management tools – Windows Firewall with Advanced Security MMC snap-in

Reduces conflicts and coordination overhead between technologies

Firewall rules become more intelligent

Specify security requirements such as authentication and encryption

Specify Active Directory computer or user groups

Outbound filtering

Enterprise management feature – not for consumers

Simplified protection policy reduces management overhead

Page 16: Network Access Protection

Diagram components (numbered 1–5 on the slide):

Windows Vista Client

DHCP, VPN, Switch/Router

MSFT Network Policy Server

Policy Servers – e.g. MSFT Security Center, SMS, Antigen or 3rd party

Fix Up Servers – e.g. MSFT WSUS, SMS & 3rd party

Restricted Network – not policy compliant

Corporate Network – policy compliant

Enhanced Security

All communications are authenticated, authorized & healthy

Defense-in-depth on your terms with DHCP, VPN, IPsec, 802.1X

Policy-based access that IT Pros can set and control

Page 17: Device Group Policy

Device installation restrictions

Determine what devices can be installed on computers

Prevent installation of drivers

Prevent installation of devices

Page 18: User Account Control

Goal: Allow businesses to move to a better-managed desktop and consumers to use parental controls

Make the system work well for standard users

Allow standard users to change time zone and power management settings, add printers, and connect to secure wireless networks

Make it clear when elevation to admin is required and allow that to happen in-place without logging off

High application compatibility with file/registry virtualization

Administrators use full privilege only for administrative tasks or applications

User provides explicit consent before using elevated privilege

Page 19: © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.