© 2010 eEye Confidential & Proprietary
E-SPIN™ Vulnerability Management (VM) eEye Digital Product Presentation
Secure and Comply with eEye
eEye Products
Solutions
• Scalable to any size environment
• Flexible deployments from appliance to software
• “n” tier architecture for scalability and highly secure environments
• Fully encrypted communications between management and agents
What is a Vulnerability?
• Software is written by people…
• People make mistakes…
• Software can have mistakes…
• Vulnerabilities are mistakes that can be exploited to:
− Take control of a system
− Deny access to the machine
− Steal information
− Serve as a “beach head” to launch additional attacks
− Disrupt operations
What is an Exploit?
• An exploit is software that is written to target a vulnerability
• Exploits perform additional functions once executed:
− Load other programs
− Self-propagate
− Receive commands
− Steal information
− Be destructive
− Etc.
What is Vulnerability Assessment?
• The ability to detect vulnerabilities and provide detailed reporting for mitigation (fixing the problem)
• In some cases, identify critical exploits on systems that have already been compromised
• Vulnerability management is the complete life-cycle process of vulnerability assessment, mitigation, and protection from vulnerabilities and exploits
Why Scan Your Environment?
• To assess which devices (assets) connected to your organization's network have vulnerabilities
• Because of what can happen if those vulnerabilities are exploited
• To provide details to fix (remediate / mitigate) the vulnerabilities
• To ensure data and operational integrity of proprietary and sensitive information
• To adhere to regulatory compliance laws designed to keep organizations and their (your) data safe
Intrusive vs. Non-Intrusive Scanning
• Intrusive Scanning – Identifying vulnerabilities on assets using techniques that could damage, disrupt, or leave the asset in a state more susceptible to other vulnerabilities or exploits. Intrusive scans generally disrupt the normal operation of the device even though the vulnerability they identify has not actually been exploited
• Non-Intrusive Scanning – Identifying vulnerabilities on assets, with a high degree of accuracy, using techniques that do not disrupt or cause harm to the asset
• Penetration Testing – Intentionally exploiting a vulnerability to document and test the disruption that an actual exploit could cause to an organization
Why Does Research Help?
• What is actually vulnerable?
• How does someone actually leverage the vulnerability with an exploit?
• What degree of danger (severity level) does the vulnerability represent?
• How can I identify a vulnerable host?
• How can I protect against the vulnerability, especially when no patch is available?
• What systems are affected and why?
All of this research and analysis answers questions on how to properly assess, mitigate, and protect against vulnerabilities and exploits!
Research
• Industry-Leading Security Research Team: Drives eEye Products
• Over 100 High-Risk Vulnerabilities Discovered
• Microsoft, Apple, Symantec, McAfee, Adobe, Sun, …
• Sasser, Blaster, Big Yellow, …
• First Reported Office 2007 and Vista Vulnerabilities
• Strategic Partnerships With Other Research Teams
• Fast Security Response to Critical Vulnerabilities
• Neighborhood Watch “Honeypot”
• Recent Research Details:
1999 – IIS Remote FTP Exploit/DoS Attack
2001 – Code Red
2002 – UPNP Vulnerabilities
2003 – Blaster
2004 – Microsoft DCOM Vulnerabilities, Sasser
2006 – Apple QuickTime, McAfee, Symantec, Adobe
2007 – Office, Java, Vista, FLAC file format, RIM BlackBerry Desktop
10-Feb-2009 – Vulnerability exists in BlackBerry Application Web Loader ActiveX control – CVE-2009-0305 (http://blackberry.com/btsc/KB16248)
09-Dec-2008 – Windows Saved Search Vulnerability – MS08-075 (http://www.microsoft.com/technet/security/bulletin/ms08-075.mspx)
08-Dec-2008 – Linksys WVC54GC NetCamPlayerWeb11gv2 ActiveX control stack buffer overflow – VU#639345 (https://www.kb.cert.org/vuls/id/639345)
The Need for Audit Updates
• Identifying vulnerabilities is a signature-based process
• As new vulnerabilities are identified, identification signatures need to be updated
• The faster a product can update its signatures, the more accurate it will be at identifying the latest threats
• Poorly written audits lead to “false positives”: the identification of vulnerabilities that do not actually exist
eEye maintains a 48 hour SLA for critical vulnerabilities
eEye maintains a less than 1% false positive rate for vulnerability identification
Secure and Comply with eEye
The Google Example (Google, Adobe, +30 more attacked)
− Mid 2009: Hackers gather information from target company’s websites and develop / buy exploits
− 2009: Attackers host the exploits on their servers
− 2009: Social engineering delivery to targets
− December 2009: Google finds they have been attacked
− December 2009: Adobe finds that they have been attacked; Adobe indicates a vulnerability has been found in its code
− January 2, 2010: Microsoft promises to patch the vulnerability
− January 12, 2010: Google publicly indicates that they and at least 20 other companies have been attacked. Adobe releases a fix for its vulnerability.
− January 14, 2010: eEye Research Team adds an audit for the vulnerability
− January 21*, 2010: Microsoft releases an out-of-band patch. Companies must begin the patch rollout process
Window of Exposure phases shown on the slide: No Solution; Retina Assessment Only; Patch solution
Why Mitigation & Protection
1. Zero-Days (Google)
− What do you do when the vulnerability is not publicly known?
− What do you do when no patch or workaround is available?
− How do you minimize the impact on the business?
2. Reduce Costs Associated with “Panic Patching”
− Large enterprises are spending millions of dollars (measured in lost productivity and business disruption) when non-scheduled patching is required
3. Protect (From) Mobile Workers
− Mobile workers and teleworkers, who typically have administrative rights, acquire infections “in the wild” and introduce them to the network once they reconnect (VPN or LAN). For example, they click on an email or a website and install some code.
4. Protect from Internal Threats
− The majority of attacks originate from rogue employees within the network (think downsizing), and from threats in which hackers leverage naïve employees into making their systems vulnerable
Retina Network Security Scanner (All)
• Non-intrusive scanning technology
• Accurate vulnerability identification, less than 1% false positive rate*
• Comprehensive database is updated within 48 hours of new critical vulnerabilities
• Standards Based – FDCC, SCAP, SANS, CVSS, CVE, CCE, CPE, OVAL, XCCDF, IAVA, and certified as PCI ASV.
• Open architecture for third-party integration and operations
• Performs a Class C network scan, on average, in under 15 minutes
* As identified by NSSLabs PCI Suitability Report 2008
Retina – Protection Components
Protection Capability | What it is | Benefit
Application Control | Policies on which applications can be installed and executed by users and/or other programs | Enforce appropriate-use policies; monitor applications for suspect activity
Device Control | Turn on/off USB removable media | Protect against data leakage and malware spreading through USB thumb drives
Registry Protection | Protect critical registry settings from being modified | Ensures malicious programs cannot modify components of the operating system or change the behaviour of existing programs
Intrusion Prevention | Monitor network traffic to look for and protect against malicious activity | Block known and unknown network attacks before they can damage your assets
Zero-Day Protection | Monitor applications to look for and protect against exploitation attempts | Protects the system against known and unknown, local and remote buffer overflow exploits
Local VA Scanning | Performs Retina scanning locally | Scan more frequently, where local credentials are required, and unaffected by firewalls and IDS systems
Retina – Protection Components
Component | Attack Scenario | How we Protect
Application Control (Application Control) | Users installing applications that can be used as attack vectors; exploited applications attempting to download and install malware | Do not allow users to install unapproved applications; do not allow approved applications to download and install malware
Application Control (Web Protection) | Installing malicious code while browsing the web (drive-by attacks) | Detect and block attacks using vulnerable third-party ActiveX controls installed in Internet Explorer
Device Control | Data leakage issues; malware gets installed and spreads through USB thumb drives | Block users from using USB devices
Registry Protection | Malware attempts to create entries in the Windows Registry | Rules can be created to block access to sensitive areas of the registry; system administrators can use it to enforce configuration policies
Zero-Day Protection | Attacker exploiting a zero-day vulnerability in one of the installed applications | Monitor application behaviour and detect and block known and unknown buffer-overflow exploits
Intrusion Prevention | Attackers using attack tools to exploit vulnerable network services; malware spreading by exploiting unpatched systems | Analyze and decode network protocols looking for signatures of known attacks and signs of intrusion
Why Local Vulnerability Assessment
• Credentials
− Some critical assets may require local scanning if the security policy does not allow a remote scanner to inventory its credentials for scanning purposes
• Firewalls
− Some critical assets may have firewalls turned on that would prevent a remote scanner from accurately performing an assessment.
• On Demand Scans
− The Retina Compliance agent allows users and administrators to perform on-demand scans to check for compliance
• Disconnected Scans / Roaming Users
− The local scans can be scheduled and run even though the asset is not connected to the corporate network or Internet
• Frequent Scans
− Local scanning allows for more frequent scanning without the associated network or management overhead.
Retina Protection Agent
Firewall Protection
Performs traditional firewall duties, allowing or denying traffic based on a set of predetermined rules. Blink also monitors the source of network traffic in real time and only allows traffic from authorized applications, preventing unauthorized programs from making illegal outbound connections.
Virus and Spyware Protection
Provides complete signature and heuristics-based attack protection.
Intrusion Prevention & Zero-Day Protection
Provides protection where a vendor has not yet created patches to protect against vulnerabilities in their operating system or application.
System Protection
− Application control provides policy over which applications are allowed to function by authorizing or denying program file execution.
− Registry Protection prevents specific registry settings from being modified, stopping malicious programs or errant users from infecting or modifying systems.
− Storage Protection prevents data leakage by regulating USB and FireWire storage devices.
Local VA Scanning
Perform local vulnerability scanning where local credentials and more frequent scans are required.
Retina Protection Agent
• Can stop 100% of client side attacks on un-patched hosts
• The only agent based vulnerability assessment platform
• Contains a vulnerability assessment, intrusion prevention, buffer overflow protection, registry and execution protection.
• Allows for upgrading to Blink
• Complements existing endpoint antivirus solutions
• Included in Retina Licensing
Terms We Should Know: Malware
• Malware
− Malware, short for malicious software, is software designed to infiltrate a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.
• Rootkit
− A rootkit is a software system that consists of one or more programs designed to obscure the fact that a system has been compromised.
• Heuristic detection
− Analyze the suspicious file’s characteristics and behaviour to determine if it is indeed malware (not via a signature library). This allows these products to detect new or previously unseen malware. Analysis can use a variety of methods including:
− Sandboxing
− File Analysis
− Generic Signature Detection
Terms We Should Know: Zero-Days
• Zero-day
− A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others (i.e. the software vendor)
• Vulnerability Window Timeline:
1. The developer/vendor creates software containing an (unknown) vulnerability
2. The attacker finds the vulnerability before the developer does
3. The attacker writes and distributes an exploit while the vulnerability is not known to the developer
− The exploit is now used “in the wild”
− Organizations are very susceptible as they do not know which assets are exposed
− Once assessment tools add an audit you can determine which assets are exposed
4. Exploit publicly known
− Over time the exploit becomes known
− Assessment tools add an audit to determine which assets are at risk
− The developer finds the vulnerability and starts developing a fix
− A patch is made available and deployed
• Zero-day protection
− Zero-day protection is the ability to provide protection against zero-day exploits. Zero-day attacks can also remain undetected after they are launched
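The Window of Exposure from the Google example slide and the vulnerability window timeline above, as an added Python example (not eEye's code): the VulnTimeline class, the state names and the reporting horizon are assumptions, and the two dates the slide does not give (attack day, rollout completion) are constructed.

```python
"""Exposure-window model for the slides' zero-day timeline (added example, not eEye code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

@dataclass
class VulnTimeline:
    """Milestones of one vulnerability, following the slide's numbered steps."""
    exploit_in_wild: date                      # step 3: exploit used before the vendor knows
    audit_available: Optional[date] = None     # step 4: assessment tool adds an audit
    patch_released: Optional[date] = None      # vendor ships a fix
    patch_deployed: Optional[date] = None      # this organisation finishes its rollout
    mitigation_active: Optional[date] = None   # non-patch protection (e.g. host IPS) in force

def exposure_state(tl: VulnTimeline, day: date) -> str:
    """Classify one asset's exposure on a given day.  patch_released never changes
    the state: the asset stays exposed until the patch is deployed or a mitigation
    is active, which is the point of the slide's Window of Exposure."""
    if day < tl.exploit_in_wild:
        return "not exposed"
    if tl.patch_deployed is not None and day >= tl.patch_deployed:
        return "patched"
    if tl.mitigation_active is not None and day >= tl.mitigation_active:
        return "mitigated"
    if tl.audit_available is not None and day >= tl.audit_available:
        return "assessment only"   # exposed, but you can enumerate the exposed assets
    return "no solution"           # exposed, and you cannot tell which assets are at risk

def exposure_summary(tl: VulnTimeline, until: date) -> Dict[str, int]:
    """Days spent in each state from exploit_in_wild through `until`, inclusive."""
    counts: Dict[str, int] = {}
    day = tl.exploit_in_wild
    while day <= until:
        state = exposure_state(tl, day)
        counts[state] = counts.get(state, 0) + 1
        day += timedelta(days=1)
    return counts

# Dates from the Google example slide; the slide only says "December 2009" for the
# attack and gives no rollout date, so those two values are constructed.
AURORA_PATCH_ONLY = VulnTimeline(
    exploit_in_wild=date(2009, 12, 1),     # constructed: slide says "December 2009"
    audit_available=date(2010, 1, 14),     # eEye Research Team adds audit
    patch_released=date(2010, 1, 21),      # Microsoft out-of-band patch
    patch_deployed=date(2010, 2, 4),       # constructed: two-week rollout
)
# Same vulnerability with host protection switched on the day the audit shipped (constructed).
AURORA_WITH_MITIGATION = VulnTimeline(
    exploit_in_wild=date(2009, 12, 1), audit_available=date(2010, 1, 14),
    patch_released=date(2010, 1, 21), patch_deployed=date(2010, 2, 4),
    mitigation_active=date(2010, 1, 14),
)
REPORT_UNTIL = date(2010, 2, 10)   # constructed reporting horizon

def aurora_report() -> Dict[str, Dict[str, int]]:
    """Compare the two scenarios over the same horizon."""
    return {"patch only": exposure_summary(AURORA_PATCH_ONLY, REPORT_UNTIL),
            "with mitigation": exposure_summary(AURORA_WITH_MITIGATION, REPORT_UNTIL)}

if __name__ == "__main__":
    for scenario, days in aurora_report().items():
        print(f"{scenario}: {days}")
```

With these dates the patch-only asset spends 44 days with no solution and a further 21 days merely known-exposed; the mitigated asset spends those 21 days protected while the rollout runs.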
Terms We Should Know: Intrusion Prevention
• Intrusion Prevention
− An intrusion prevention system (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities
• Network-Based Intrusion Prevention
− A network-based IPS is one where the IPS application/hardware, and any actions taken to prevent an intrusion on specific network host(s), run on a host with another IP address on the network (this could be a front-end firewall appliance)
• Host-Based Intrusion Prevention
− The intrusion-prevention application is resident on that specific IP address, usually on a single computer. HIPS systems do not require traditional signature-based analysis.
Blink - Components
Firewall Protection
Performs traditional firewall duties, allowing or denying traffic based on a set of predetermined rules. Blink also monitors the source of network traffic in real time and only allows traffic from authorized applications, preventing unauthorized programs from making illegal outbound connections.
Virus and Spyware Protection
Provides complete signature and heuristics-based attack protection.
Intrusion Prevention & Zero-Day Protection
Provides protection where a vendor has not yet created patches to protect against vulnerabilities in their operating system or application.
System Protection
− Application control provides policy over which applications are allowed to function by authorizing or denying program file execution.
− Registry Protection prevents specific registry settings from being modified, stopping malicious programs or errant users from infecting or modifying systems.
− Storage Protection prevents data leakage by regulating USB and FireWire storage devices.
Local VA Scanning
Perform local vulnerability scanning where local credentials and more frequent scans are required.
Blink - Messaging
• Layered security protection that optimizes defences against viruses, spyware, worms, Trojans, and other malicious zero-day exploits
• Blink provides complete endpoint protection security by combining:
− Application and system firewall
− Endpoint protection platform
− Virus and spyware protection
− Protocol-based intrusion prevention
− Vulnerability assessment
− Patented system protection
− Zero-day attack protection
− Dynamic policy support
Blink - Benefits
• Blink 4 delivers a host of positive business benefits:
− Layered security protection that optimizes defences against viruses, spyware, worms, Trojans, and other malicious zero-day exploits
− The ability to consolidate 5+ discrete endpoint security agents into one Blink 4 agent and reap significant administrative time savings in the process
− Reduce system resource requirements by over 50% compared to the memory footprint of maintaining 5+ discrete endpoint security products
− Reduce endpoint security costs by over 50% by eliminating the licensing and support costs associated with buying and maintaining multiple endpoint security products
− Gain centralized policy control over applications, system resources, and removable storage devices
Blink Endpoint Protection Platform
• Can stop 100% of client side attacks on unpatched hosts
• The only endpoint protection platform with vulnerability assessment
• Contains a firewall, virus and spyware protection, vulnerability assessment, intrusion prevention, buffer overflow protection, registry and execution protection, and optional web application firewall
• 4 Blink EPP Versions:
− Blink Personal
− Blink Professional
− Blink Server Edition
− Blink Server Web Edition
The New Retina CS Management Console
Features
• Simplified User Experience
• Customizable Reporting
• Rich Internet Application
• Cross Platform Browser Support
• Improved Scalability and Performance
• Results Driven Architecture
• Complete Vulnerability Management
Retina CS: A Single Point of Management
• Retina CS manages vulnerability data from:
− Retina Network Security Scanner 5.11.x
− Retina 6.x (when available)
− Retina Protection Agent
− Blink Endpoint Platform Protection
• Blink Professional
• Blink Server Edition
• Blink Web Server Edition
Retina CS
• Rich internet application for all vulnerability and endpoint management
• Scalable to any "n" tier architecture
• Available as software, managed service, or appliance
• Result driven architecture matches business and regulatory compliance requirements
• Smart groups allow collections by any asset trait
Retina Web Security Scanner
• Fully automated authentication and web crawling
• No user scripting required
• Automated positive reduction
• Results validation via distributable reports
• Detection of infected web sites
• PCI DSS v1.2 web application reporting
• Cost analysis for remediation
• Vulnerability trending
• RWSS found 8 to 19 times more vulnerabilities than two of its primary competitors when scanning web applications*
* Larry Suto Study – February 2010
E-SPIN™ Vulnerability Management (VM) Overall Value Proposition
E-SPIN™ Core Value Proposition for Reseller and End Customer
− Reseller / Partner Proposition
− Value Added Reseller (VAR) / Main Contractor
− Local Customer Know-Who
− End Customer Requirement
− Project / System
− Technical & Commercial
E-SPIN™ Success Project Track Record since 2005, Domestic & Overseas (client base keeps growing with partners & customers supported)
E-SPIN™ End to End Consultancy, Training, Certification and Support to back Partner / Customer Requirement
− System Deployment
− Development / Customization
− Technology Consultancy
− Special Project
− Custom Training
− Certification / Exam Coaching / Solution Architect
− Onsite Advanced Training
− Offsite Technical Training