A Holistic Approach to Malware Defense

Bruce Cowper, Senior Program Manager, Security Initiative, Microsoft Canada
Understanding Malware Attack Techniques

Common malware attack techniques include:
• Social engineering
• Backdoor creation
• E-mail address theft
• Embedded e-mail engines
• Exploiting product vulnerabilities
• Exploiting new Internet technologies
What Is Defense-in-Depth?

Using a layered approach:
• Increases an attacker's risk of detection
• Reduces an attacker's chance of success

The layers of the model, from outermost to innermost, with the controls that belong to each:
Policies, procedures, and awareness: security policies, procedures, and education
Physical security: guards, locks, tracking devices
Perimeter: firewalls, border routers, VPNs with quarantine procedures
Internal network: network segments, IPsec, NIDS
Host: OS hardening, authentication, update management, antivirus updates, auditing
Application: application hardening
Data: strong passwords, ACLs, encryption, EFS, backup and restore strategy
Malware Defense at the Perimeter
• Using application layer firewalls to detect and block malware at the perimeter
• Leveraging a layered approach to antivirus and spam filtering
• Protecting all of the assets
A Traditional View of a Packet

• Only packet headers are inspected
• Application layer content appears as a "black box"
• Forwarding decisions are based on port numbers: legitimate traffic and application layer attacks use identical ports

[Diagram: a packet drawn as an IP header (source address, destination address, TTL, checksum), a TCP header (sequence number, source port, destination port, checksum) and an opaque application layer content field. Traffic from the Internet towards the corporate network is labelled expected HTTP traffic, unexpected HTTP traffic, attacks and non-HTTP traffic; a port-based filter can separate only the non-HTTP traffic, because the other three arrive on the same port.]
Application Layer View of a Packet

• Packet headers and application content are inspected
• Forwarding decisions are based on content: only legitimate and allowed traffic is processed

[Diagram: the same packet with the IP header (source address, destination address, TTL, checksum), the TCP header (sequence number, source port, destination port, checksum) and, now visible, the application layer content, shown as the start of an HTML page: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>MSNBC - MSNBC Front Page</title><link rel="stylesheet" ... Traffic from the Internet towards the corporate network is classified as allowed HTTP traffic, prohibited HTTP traffic, attacks and non-HTTP traffic.]
Example: Blocking Apps Over HTTP

Application                        | Search in HTTP header | Signature
MSN Messenger                      | Request headers       | User-Agent: MSN Messenger
Windows Messenger                  | Request headers       | User-Agent: MSMSGS
AOL Messenger (and Gecko browsers) | Request headers       | User-Agent: Gecko/
Yahoo Messenger                    | Request headers       | Host: msg.yahoo.com
Kazaa                              | Request headers       | P2P-Agent: Kazaa, Kazaaclient
Kazaa                              | Request headers       | User-Agent: KazaaClient
Kazaa                              | Request headers       | X-Kazaa-Network: KaZaA
Gnutella                           | Request headers       | User-Agent: Gnutella, Gnucleus
Edonkey                            | Request headers       | User-Agent: e2dk
Morpheus                           | Response header       | Server: Morpheus
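The table above is exactly what an application layer firewall evaluates once it can see HTTP headers. The following is an added example, not code from the deck or from any Microsoft product: it parses the header block of an HTTP request or response and matches it against the slide's signature table. The sample messages are constructed and use the reserved .invalid domain.

```python
from typing import Dict, List, Optional, Tuple

# Signature table transcribed from the slide: (application, message side, header, value fragment).
# "request" means the client's request headers, "response" the server's response headers.
SIGNATURES: List[Tuple[str, str, str, str]] = [
    ("MSN Messenger", "request", "User-Agent", "MSN Messenger"),
    ("Windows Messenger", "request", "User-Agent", "MSMSGS"),
    ("AOL Messenger (and Gecko browsers)", "request", "User-Agent", "Gecko/"),
    ("Yahoo Messenger", "request", "Host", "msg.yahoo.com"),
    ("Kazaa", "request", "P2P-Agent", "Kazaa"),
    ("Kazaa", "request", "P2P-Agent", "Kazaaclient"),
    ("Kazaa", "request", "User-Agent", "KazaaClient"),
    ("Kazaa", "request", "X-Kazaa-Network", "KaZaA"),
    ("Gnutella", "request", "User-Agent", "Gnutella"),
    ("Gnutella", "request", "User-Agent", "Gnucleus"),
    ("Edonkey", "request", "User-Agent", "e2dk"),
    ("Morpheus", "response", "Server", "Morpheus"),
]


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of one HTTP message; names are lower-cased since they are case-insensitive."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line or status line
        if not line:
            break  # an empty line ends the header block; the body is not inspected here
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def match_application(raw: str, direction: str) -> Optional[str]:
    """Return the first application whose signature matches this message, else None.
    direction is "request" or "response"; values are matched as case-insensitive substrings."""
    headers = parse_headers(raw)
    for app, where, header, needle in SIGNATURES:
        if where != direction:
            continue
        value = headers.get(header.lower())
        if value is not None and needle.lower() in value.lower():
            return app
    return None


# Constructed sample messages (not captured traffic); hosts use the reserved .invalid TLD.
KAZAA_REQUEST = ("GET /search HTTP/1.1\r\nHost: peer.invalid\r\n"
                 "X-Kazaa-Network: KaZaA\r\nUser-Agent: KazaaClient\r\n\r\n")
BROWSER_REQUEST = ("GET / HTTP/1.1\r\nHost: www.example.invalid\r\n"
                   "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n\r\n")
MORPHEUS_RESPONSE = "HTTP/1.1 200 OK\r\nServer: Morpheus\r\nContent-Length: 0\r\n\r\n"
```

The Gecko/ row matches every Gecko-based browser, just as the slide's own label says, which is the kind of collateral a signature should be tested for before it is enforced at the perimeter.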
Layered AntiVirus & AntiSpam

[Diagram: Antigen deployed at each messaging tier: Live Communications Server, SharePoint Server, Exchange Servers, ISA Server and Windows SMTP Server. The threats shown entering through these tiers are viruses, worms, IM and documents, and e-mail.]
Multiple Scan Engine Management
• Manage up to 9 scan engines
• Eliminate single point of failure
• Minimize window of exposure during outbreaks

[Diagram: Antigen running Scan Engine 1 through Scan Engine 4 in parallel, with a Quarantine for the items that are caught.]
Malware Defense at the Client

Windows Service Hardening (defense in depth)
• Services run with reduced privilege compared to Windows XP
• Windows services are profiled for allowed actions to the network, file system, and registry
• Designed to block attempts by malicious software to make a Windows service write to an area of the network, file system, or registry that isn't part of that service's profile

[Diagram: active protection covering the file system, the registry and the network.]
Internet Explorer 7

Social engineering protections:
• Phishing Filter and colored address bar
• Dangerous settings notification
• Secure defaults for IDN

Protection from exploits:
• Unified URL parsing
• Code quality improvements (SDLC)
• ActiveX opt-in
• Protected Mode to prevent malicious software
Phishing Filter: Dynamic Protection Against Fraudulent Websites

3 "checks" to protect users from phishing scams:
1. Compares web site with local list of known legitimate sites
2. Scans the web site for characteristics common to phishing sites
3. Double checks site with online Microsoft service of reported phishing sites, updated several times every hour

Two levels of warning and protection in the IE7 Security Status Bar:
Level 1: Warn, suspicious website (signaled)
Level 2: Block, confirmed phishing site (signaled and blocked)
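To make the ordering of the three checks and the two warning levels concrete, here is an added example (not Microsoft's Phishing Filter code). The known-legitimate and reported-phishing lists are constructed placeholders, and the three characteristics tested in check 2 are assumptions, since the slide does not list the ones the filter actually uses.

```python
from urllib.parse import urlsplit

# Outcomes mirror the slide's two levels: "warn" (signaled) and "block" (signaled and blocked).
ALLOW, WARN, BLOCK = "allow", "warn", "block"

# Constructed placeholder lists standing in for the local list of known legitimate sites
# (check 1) and the online service's list of reported phishing sites (check 3).
KNOWN_LEGITIMATE = {"bank.example", "www.bank.example"}
REPORTED_PHISHING = {"bank-example-login.invalid"}


def has_phishing_characteristics(url: str) -> bool:
    """Check 2. The slide does not list the characteristics it scans for; these three are assumed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.replace(".", "").isdigit():  # bare IP address instead of a domain name
        return True
    if host.count(".") >= 4:  # unusually deep subdomain chain hiding the real domain
        return True
    if "@" in parts.netloc:  # user-info before '@' used to disguise the real host
        return True
    return False


def classify(url: str) -> str:
    """Apply the three checks in the slide's order and return allow, warn or block."""
    host = (urlsplit(url).hostname or "").lower()
    # Check 1: a site on the local list of known legitimate sites is never flagged.
    if host in KNOWN_LEGITIMATE:
        return ALLOW
    verdict = ALLOW
    # Check 2: heuristic characteristics justify only a level 1 warning.
    if has_phishing_characteristics(url):
        verdict = WARN
    # Check 3: a site on the reported-phishing list is confirmed, so level 2 (block) wins.
    if host in REPORTED_PHISHING:
        verdict = BLOCK
    return verdict
```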
Windows Defender
• Improved detection and removal
• Redesigned and simplified user interface
• Protection for all users
Windows Vista Firewall
• Combined firewall and IPsec management
• New management tools: the Windows Firewall with Advanced Security MMC snap-in reduces conflicts and coordination overhead between the two technologies
• Firewall rules become more intelligent: specify security requirements such as authentication and encryption; specify Active Directory computer or user groups
• Outbound filtering (enterprise management feature, not for consumers)
• Simplified protection policy reduces management overhead
Network Access Protection

[Diagram, steps numbered 1 to 5: a Windows Vista client connects through DHCP, VPN or a switch/router to the Network Policy Server, which consults policy servers (e.g. MSFT Security Center, SMS, Antigen or 3rd party). A policy-compliant client is admitted to the corporate network; a client that is not policy compliant is placed on the restricted network, where fix-up servers (e.g. MSFT WSUS, SMS and 3rd party) bring it into compliance.]
Enhanced Security
• All communications are authenticated, authorized & healthy
• Defense-in-depth on your terms with DHCP, VPN, IPsec, 802.1X
• Policy-based access that IT Pros can set and control
Device Group Policy

Device installation restrictions:
• Determine what devices can be installed on computers
• Prevent installation of drivers
• Prevent installation of devices
User Account Control

Goal: allow businesses to move to a better-managed desktop and consumers to use parental controls
• Make the system work well for standard users: allow standard users to change time zone and power management settings, add printers, and connect to secure wireless networks
• High application compatibility with file/registry virtualization
• Make it clear when elevation to admin is required and allow that to happen in-place without logging off
• Administrators use full privilege only for administrative tasks or applications
• User provides explicit consent before using elevated privilege
© 2006 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.