Saturday, April 16, 2016 | Webroot Inc. | Proprietary & Confidential Information
Best Practices for Security in
today’s Modern Threat
Landscape
John Mc Laughlin – Channel Account Manager, EMEA
Agenda
1. A look at today’s threat landscape
– Signature-based technology can’t keep up; remediation is ineffective
2. Zeus-deployed malware, encrypting ransomware & Poweliks
3. Social engineering tactics with Rogues
4. Security Best Practices to prevent the effects of ransomware
5. Patch management is still essential
– Best practices for solid patch management
6. Belt & braces – backup is still vital
– What to backup, when and how
7. Security Solutions to complete the puzzle
– AV & filtering, the backbone of your security solutions
1. A look at today’s threat
landscape
A look at today’s threat landscape
» Micro release cycles overwhelm and defeat signature-based technology
– Signatures require samples for analysis
– Research shows most malware variants infect fewer than 50 PCs
– 142M new malware samples in 2014, a 58% increase over the previous year
» Traditional antivirus programs struggle with remediation
– Tied to the research process
– Malware behaves differently in the wild than in the lab
– Randomized per victim, so the sample that was analysed rarely matches the one on the endpoint
» Signature-based antivirus lacks the necessary visibility
– 62% of breaches go unidentified for months or years
– Platform-specific solutions provide inconsistent protection
– Average time to detection is 209 days
Signature-based technology can’t keep up
• “Antivirus is dead” – Brian Dye, Symantec Senior Vice President, The Wall Street Journal May 2014
• “Signature-based malware detection has been limping along on life support for years” - Gartner, July 2011
• “Signature-based tools are only effective against 30–50 percent of current security threats” - IDC, Jan 2013
• “We are seeing about 150,000 new pieces of malware every day… we’re purely on the defensive.”- Simon Hunt, McAfee CTO Endpoint Solutions, May 2013
• “Signature-Based Endpoint Security on Its Way Out” - CIO Magazine, May 2013
Source: triumfant.com, 2013-06-10
2. Zeus and its deployment of malware
How the Zeus fraud works
Cridex & Dridex
Criminal improvements to the Zeus model
Dridex
» Dridex is a newer version of the similar (and earlier) Cridex trojan
» Heir to the Zeus throne
» Mostly a banking Trojan (it mainly targets bank customers, stealing their online banking credentials)
» Has taken £20 million from UK banks
» Distributed through spam email; the attached Office document carries macros that download and run the Trojan
Dridex – Law enforcement
» It was announced in October 2015 that the botnet it relies on had been taken down
» Moldovan national Andrey Ghinkul has been charged by the US with multiple related offences
» However, as of writing, Dridex is still active
Encrypting ransomware
Tactics: constant improvement on the attackers’ side
CoinVault
TeslaCrypt
Decrypt Cryptolocker
Remediation
» No remediation once fully infected: removing the malware afterwards does not bring the encrypted files back
» Paying the ransom can decrypt
– Often days or weeks pass
– Lost revenue and productivity
– No guarantee that the criminals actually deliver a working key
» Webroot SecureAnywhere – Business Endpoint Protection
– Whitelisting agent
– Cloud-based threat data
– Critical focus on zero-hour infections
– Outbound cloud-based firewall
– Web Threat Shield
– Journaling and rollback technology
Poweliks
Malware in the registry
• The registry value holds an encoded script: the string is, in effect, the malware body stored in the registry rather than on disk
• Because no executable is ever written to the file system, the malware is “fileless” and gets a free pass from traditional file-scanning AV
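The persistence trick described above can be hunted for from the autorun keys themselves: the value still has to launch something, and what it launches (rundll32 with a javascript: argument, RunHTMLApplication, jscript.encode) is not what a legitimate Run entry looks like. The script below is an added example, not code from the Webroot deck or product; it assumes a local Windows host with PowerShell 3 or later, and the indicator patterns, the helper names Test-SuspiciousRunEntry and Get-SuspiciousRunEntries, and the two sample entries (constructed for the demo, not taken from a real infection) are all my own.

```powershell
# Added example: flag Run-key entries that look like Poweliks-style fileless persistence.
# Assumptions: PowerShell 3+, local host, patterns and samples constructed by the editor.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Indicators: a script host started from an autorun value, and script-in-registry tricks.
$patterns = @(
    'rundll32(\.exe)?\s+javascript:',              # Poweliks launcher: rundll32 + mshtml
    'RunHTMLApplication',
    'jscript\.encode',
    'mshta(\.exe)?\s+(javascript|vbscript):',
    'powershell(\.exe)?.*\s-(enc|encodedcommand|ec)\b'
)

function Test-SuspiciousRunEntry {
    param([string]$Name, [string]$Data)
    $reasons = @()
    foreach ($p in $patterns) {
        if ($Data -match $p) { $reasons += "matches '$p'" }
    }
    # Poweliks hid its value behind a name starting with a non-printable character,
    # which regedit cannot display or delete.
    if ($Name -match '[^\x20-\x7E]') { $reasons += 'non-printable character in value name' }
    # A long value that references no file path at all is a payload blob, not a launcher.
    if ($Data.Length -gt 512 -and $Data -notmatch '[A-Za-z]:\\') { $reasons += 'long value with no file path' }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name    = $Name
            Reasons = ($reasons -join '; ')
            Data    = $Data.Substring(0, [Math]::Min(80, $Data.Length))
        }
    }
}

function Get-SuspiciousRunEntries {
    # Walk the live Run keys and apply the same checks to every value.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            $hit = Test-SuspiciousRunEntry -Name $prop.Name -Data ([string]$prop.Value)
            if ($hit) { $hit | Add-Member -NotePropertyName Key -NotePropertyValue $key -PassThru }
        }
    }
}

# Constructed sample entries (not from a real system): one benign, one Poweliks-style.
$samples = @(
    @{ Name = 'OneDrive'
       Data = '"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background' },
    @{ Name = ([string][char]1) + 'a'
       Data = 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("<script language=jscript.encode>"+(new ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"</script>")' }
)
$samples | ForEach-Object { Test-SuspiciousRunEntry -Name $_.Name -Data $_.Data } | Format-Table -AutoSize

# Now the real thing on this host:
Get-SuspiciousRunEntries | Format-Table Key, Name, Reasons -AutoSize
```

Only the second sample is reported, on three counts (the rundll32 javascript: launcher, RunHTMLApplication, jscript.encode) plus its unprintable name. The non-printable-name check will also flag legitimate values with localised names, so treat it as a prompt to look, not a verdict. A flagged value that regedit refuses to open can usually still be removed from PowerShell with Remove-ItemProperty, because the cmdlet is given the exact name rather than what the GUI can render.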
3. Social Engineering Tactics
with Rogues
Social Engineering tactics with Rogues
4. Security Best Practices
Security best practices to prevent the effects of ransomware
1. Verify you have a reputable AV installed and set up correctly
– We recommend Webroot and so do our partners, but maybe we are biased
2. Ensure the latest Windows updates are applied
3. Keep all plugins in use up to date (Java, Flash, Adobe Reader, etc.)
– Where feasible
4. Use a modern browser with an ad-blocker plugin
5. Disable AutoRun, so nothing launches by itself when removable media or a mounted image appears
6. Disable Windows Script Host
– Stops malicious .vbs/.js scripts from being run in the background
7. Have users run as limited (standard) users, not as administrators
8. Backup + Backup + Backup + Backup!
– Did we say backup?
Security best practices cont’
» Having a second browser installed allows you to still connect even if your primary is compromised
» Use the policy editor to block paths… make sure you test all new policies though!
– Block the launching of executables from temp and appdata
– Block modification of the VSS service
– Block the creation of startup entries
» Blocking access to the Volume Shadow Copy Service
– Encrypting malware may try to use this service to delete the shadow copies that would otherwise let you roll files back
» Disabling the Windows Script Host to block VBS scripts
– VBS scripts are used by malware authors either to cause disruption in an environment or to run a downloader that fetches more advanced malware.
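The two slides above list the settings but not where they live. The script below is an added example, not from the Webroot deck, showing one way to apply them on a single Windows host: it writes the Windows Script Host and AutoRun registry policies and creates Software Restriction Policy path rules in the Safer hive, which is the same place the local security policy editor stores them. Assumptions of mine: it is run elevated on the host itself (in a domain you would set the same values through a Group Policy Object), PowerShell 4 or later, and that the helper names Set-RegDword and Add-DisallowedPath and the exact path list are illustrative rather than a vendor recommendation.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Webroot deck): apply the hardening steps above to one host.
# Assumptions: run elevated, PowerShell 4+, pilot on a test machine first, because the path
# rules also stop legitimate installers that run from the user's temp folder.

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Step 6: disable Windows Script Host machine-wide. A .vbs/.js/.wsf attachment the user
# double-clicks then fails with "Windows Script Host access is disabled on this machine".
Set-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled' 0

# Step 5: disable AutoRun for every drive type (bitmask 0xFF).
Set-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun' 0xFF

# Path blocking via Software Restriction Policies. secpol.msc writes these same keys;
# security level 0 means Disallowed.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
Set-RegDword $safer 'DefaultLevel'       0x40000   # everything not matched stays Unrestricted
Set-RegDword $safer 'TransparentEnabled' 1         # enforce on executables (2 would add DLLs)
Set-RegDword $safer 'PolicyScope'        1         # exempt local administrators; step 7 (users are not admins) is what makes this safe

function Add-DisallowedPath {
    param([string]$Path, [string]$Description)
    $rule = Join-Path $safer ('0\Paths\' + [guid]::NewGuid().ToString('B'))
    New-Item -Path $rule -Force | Out-Null
    New-ItemProperty -Path $rule -Name 'ItemData'    -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $rule -Name 'SaferFlags'  -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $rule -Name 'Description' -Value $Description -PropertyType String       -Force | Out-Null
}

# Executables launched from temp and appdata, one and two levels deep: this is where mail
# clients and browsers unpack attachments and downloads.
foreach ($p in '%UserProfile%\AppData\Local\Temp\*.exe',
               '%UserProfile%\AppData\Local\Temp\*\*.exe',
               '%AppData%\*.exe',
               '%AppData%\*\*.exe') {
    Add-DisallowedPath -Path $p -Description "Ransomware mitigation: no executables from $p"
}

# Volume Shadow Copy: ransomware runs vssadmin.exe to delete the shadow copies you would
# otherwise roll back to. With PolicyScope=1 this denies standard users only.
Add-DisallowedPath -Path '%SystemRoot%\System32\vssadmin.exe' -Description 'Ransomware mitigation: vssadmin denied to standard users'

Write-Host 'Done. Log off and back on (or reboot) before testing, then review the rules in secpol.msc.'
```

Test exactly as the slide says: after logging back on, copy a harmless .exe into %TEMP% and confirm it is refused, and confirm the software your users actually need still launches. Exempting local administrators keeps an admin from being locked out of vssadmin, but it also means malware that has already gained administrator rights is not stopped by these rules, which is why they belong alongside the limited-user rule rather than instead of it. To back the rules out, delete the Safer\CodeIdentifiers key and the two policy values.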
5. Patch management is still
essential
Best practices for patch management
» Surprisingly, the majority of successful attacks come from exploiting known vulnerabilities, i.e. ones a patch already exists for
» Patch management can be time consuming and quite complex, but this is often because an organisation does not know what apps it has in house
A. Taking an inventory of key apps is essential – production apps
– Know the OS & version, app owner, physical location and the departments using the app
B. Standardise where possible
– If you can rationalise the number of OS versions in use and the variety of applications running on them, this will save you a lot of time and heartache
C. Make a list of all the security controls you have in place
– Firewalls, IDS, routers, AV – knowing what you have and how they communicate/protect means you can mitigate risks as they arise – for example…
Best practices for patch management – cont’
D. Compare vulnerabilities against your own system inventory
– There are online services providing vulnerability reports in real time, or you can manage this on your own
– Only worry about vulnerabilities relating to your infrastructure and apps
– Rationalising OS and apps reduces this job
– Knowing your apps and infrastructure is essential to mitigating the risk
E. Classify the risk
– Assess the vulnerability of your systems and the likelihood of the attack
– Is the resource impacted by the vulnerability inside your network? Is it a mission-critical resource? What is the cost of the resource going down?
Best practices for patch management – cont’
F. Apply the patch
– You know which systems are impacted, the severity of the vulnerability and the cost of doing nothing – you now need to schedule the update without impacting your internal systems
– This is where a patch management tool can more than pay for itself and ease this burden – solutions like Labtech, Autotask, Continuum, Kaseya & SCCM really help with the burden of patching
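Steps A, D and E above are a data-matching job, and it is worth seeing how little is needed once the inventory exists. The script below is an added example, not from the Webroot deck: it holds a small inventory with the fields the deck asks for, compares it against a vulnerability report, drops anything that is not in the estate or is already on a fixed version, and scores what is left by severity, exposure and criticality so the patch window can be scheduled in that order. All of it is constructed: the hosts, the advisory identifiers ADV-0001 to ADV-0004, the fixed-in versions and the weights are assumptions for illustration, not real advisories or a real estate.

```powershell
# Added example (not from the Webroot deck). Inventory, vulnerability feed and weights are constructed.

# A. Inventory: one row per host/app with owner, location and who depends on it.
$inventory = @(
    [pscustomobject]@{ Host='FS01';   App='Windows Server'; Version='6.3.9600';   Owner='IT';      Site='Leeds'; Depts='All';     Internet=$false; Critical=$true  },
    [pscustomobject]@{ Host='WEB01';  App='Apache httpd';   Version='2.4.12';     Owner='Web';     Site='Cloud'; Depts='Sales';   Internet=$true;  Critical=$true  },
    [pscustomobject]@{ Host='PC-117'; App='Adobe Flash';    Version='20.0.0.286'; Owner='Desktop'; Site='Leeds'; Depts='Finance'; Internet=$false; Critical=$false },
    [pscustomobject]@{ Host='PC-118'; App='Java';           Version='1.8.0.72';   Owner='Desktop'; Site='Leeds'; Depts='Finance'; Internet=$false; Critical=$false }
)

# D. A vulnerability report as a feed would give it: product, first fixed version, vendor severity.
#    (Constructed entries; the ADV-* identifiers are placeholders, not real advisories.)
$vulns = @(
    [pscustomobject]@{ Id='ADV-0001'; App='Apache httpd'; FixedIn='2.4.18';     Severity='High'     },
    [pscustomobject]@{ Id='ADV-0002'; App='Adobe Flash';  FixedIn='20.0.0.306'; Severity='Critical' },
    [pscustomobject]@{ Id='ADV-0003'; App='Java';         FixedIn='1.8.0.60';   Severity='High'     },  # PC-118 is already past this
    [pscustomobject]@{ Id='ADV-0004'; App='Oracle DB';    FixedIn='12.1.0.3';   Severity='Critical' }   # not in the estate: ignored
)

$severityWeight = @{ Low = 1; Medium = 2; High = 3; Critical = 4 }

function Get-PatchBacklog {
    param($Inventory, $Vulns)
    foreach ($v in $Vulns) {
        foreach ($i in ($Inventory | Where-Object App -eq $v.App)) {
            # Only an installed version older than the fix is a finding.
            if ([version]$i.Version -ge [version]$v.FixedIn) { continue }
            # E. Classify: severity, then multiply up for internet exposure and mission-critical role.
            $score = $severityWeight[$v.Severity]
            if ($i.Internet) { $score *= 3 }
            if ($i.Critical) { $score *= 2 }
            [pscustomobject]@{
                Score = $score; Id = $v.Id; Host = $i.Host; App = $i.App
                Installed = $i.Version; FixedIn = $v.FixedIn; Severity = $v.Severity
                Owner = $i.Owner; Site = $i.Site; Depts = $i.Depts
            }
        }
    }
}

# F. The sorted backlog is the order to schedule, and the Owner/Depts columns say who to call.
$backlog = Get-PatchBacklog -Inventory $inventory -Vulns $vulns | Sort-Object Score -Descending
$backlog | Format-Table Score, Id, Host, App, Installed, FixedIn, Severity, Owner, Depts -AutoSize
```

With this data the backlog has two rows: WEB01 first (High, internet-facing, critical: 3 x 3 x 2 = 18) and PC-117 second (Critical but internal and non-critical: 4). Java on PC-118 drops out because 1.8.0.72 is already past the fix, and the Oracle entry never matches anything. The exact-string product match is the weak point of this toy; a real feed needs product-name normalisation before the comparison, which is a large part of what the commercial tools named above sell.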
6. Belt and Braces – backup is
still vital!
Backup that essential resource
» Some things to consider
– It’s probably not worth upgrading the storage built into your existing servers
– Buy the kind of data storage devices best suited to the services they support
• For high-performance apps use SCSI; file backups can use IDE/SATA
– If you need to add storage to your company network, consider NAS
• Keep at least one copy offline or otherwise unreachable from user machines: encrypting ransomware will encrypt any share it can write to, a permanently mounted backup NAS included
» Know your environment…
– It’s basic but… decide what you need to back up
– Understand your data environment
• How much data, how frequently, retention time, data security, speed of restore
– Automate as much of your backup as possible – there are vendors like Datto and StorageCraft specialising in this
– Ensure that backup copies are valid and can be successfully restored
• Keep logs, revisit procedures and test
Backup – plan, test and revisit
As with all successful strategies you need to…
– Understand your environment
– Define your appetite for risk and data
backup/restoration needs
– Plan your backup strategy
– Evaluate your plan and test
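"Ensure backup copies can be restored" and "keep logs ... and test" are only true if a restore is actually exercised and written down. The script below is an added example, not from the Webroot deck or from any backup vendor: it records a SHA-256 manifest of the source at backup time, then checks a restored copy file by file against that manifest and appends one line to a log so there is evidence of when the test last ran and what it found. Assumptions of mine: the backup is reachable as a plain file tree (a Datto or StorageCraft image would be restored to a scratch folder first), the helper names New-BackupManifest and Test-BackupRestore are my own, and the demo data is constructed in %TEMP% with one copy deliberately corrupted and one deliberately missing.

```powershell
# Added example (not from the Webroot deck): a scheduled restore test with a log trail.
# Assumptions: backup is a file tree; demo data below is constructed in %TEMP%.

function New-BackupManifest {
    param([string]$Source, [string]$ManifestPath)
    # Hash every file at backup time; a later restore must reproduce exactly these hashes.
    Get-ChildItem -Path $Source -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($Source.Length).TrimStart('\')
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Length       = $_.Length
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-BackupRestore {
    param([string]$Restored, [string]$ManifestPath, [string]$LogPath)
    $results = foreach ($entry in Import-Csv -Path $ManifestPath) {
        $path = Join-Path $Restored $entry.RelativePath
        $status = if (-not (Test-Path $path)) { 'MISSING' }
                  elseif ((Get-FileHash -Path $path -Algorithm SHA256).Hash -ne $entry.Sha256) { 'CORRUPT' }
                  else { 'OK' }
        [pscustomobject]@{ File = $entry.RelativePath; Status = $status }
    }
    $bad = @($results | Where-Object Status -ne 'OK')
    # One log line per run: the answer to "when did we last prove a restore works?"
    "{0:s} restore test of {1}: {2} files, {3} failures" -f (Get-Date), $Restored, @($results).Count, $bad.Count |
        Add-Content -Path $LogPath
    $results
}

# --- Constructed demo: a source tree, a backup copy, then a restore that is deliberately damaged.
$root     = Join-Path $env:TEMP ('restore-test-' + [guid]::NewGuid())
$source   = Join-Path $root 'source'
$restored = Join-Path $root 'restored'
New-Item -ItemType Directory -Path "$source\finance", $restored -Force | Out-Null
'Q1 ledger'      | Set-Content "$source\finance\ledger.xlsx"
'staff handbook' | Set-Content "$source\handbook.docx"
'price list'     | Set-Content "$source\prices.csv"

New-BackupManifest -Source $source -ManifestPath "$root\manifest.csv"
Copy-Item -Path "$source\*" -Destination $restored -Recurse
'encrypted!' | Set-Content "$restored\handbook.docx"   # simulate a copy taken after ransomware struck
Remove-Item "$restored\prices.csv"                      # simulate an incomplete restore

Test-BackupRestore -Restored $restored -ManifestPath "$root\manifest.csv" -LogPath "$root\restore-test.log" | Format-Table
Get-Content "$root\restore-test.log"
```

The run reports ledger.xlsx OK, handbook.docx CORRUPT and prices.csv MISSING, and the log line records "3 files, 2 failures" with a timestamp. The manifest must be stored somewhere the backup job cannot overwrite and the ransomware cannot reach, or a corrupted backup would simply come with a matching corrupted manifest; that is the same offline-copy rule as for the backup itself. Scheduling this against a fresh restore each week turns "we have backups" into a measured, logged claim, which is what the plan, test and revisit slide is asking for.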
7. Security Solutions – the last
piece of the puzzle
Security solutions are still essential
» Typically, compromises happen when a rogue application or piece of malware executes on the endpoint
» An effective endpoint security solution is the only way to stop this from happening – antivirus is not dead, despite what Symantec have said
» Filtering solutions block malware and scripts before they reach your network
» Security solutions that rely solely on definitions for detection are outdated
– You need dynamic, real-time detection to be effective against zero-day malware and phishing attacks…
» For larger customers, threat intelligence feeds are being used
» Aggregating all data in a SIEM is probably advisable for a larger customer
Endpoint security
» You get what you pay for – freemium is usually not suitable for business
» AV tests can help to decide which solution is suitable, but these tests are paid for and don’t take account of new and emerging technologies
» Performance and management are important – endpoint security can be difficult to manage and heavy on an endpoint – this should be a consideration
» Getting a referral from an existing user is good practice
» Essential features – Web Threat Shield, anti-malware, anti-spyware, anti-phishing, and features to mitigate the effects of ransomware
Filtering Solutions
» Features – web category filtering, malware protection, data type management & botnet protection
» Profiling – giving users an informed choice by warning them of potentially harmful sites is really useful – the ability to block uncategorised sites will also reduce risk
» Reporting – the ability to create in-depth reports on usage – the solution needs to tell you who did what
» Support – solid support teams for any software solution make the difference
– Again, ask for referrals
This presentation is available upon request –
email [email protected]
Thank you for your time!