E-SPIN™ Vulnerability Management (VM) eEye Digital Product Presentation
© 2010 eEye Confidential & Proprietary (34 pages)

Upload: others · Posted 24-May-2020 · Category: Documents

TRANSCRIPT

Page 1: E-SPIN™ Vulnerability Management (VM) eEye Digital Product … · • Can stop 100% of client side attacks on un-patched hosts • The only agent based vulnerability assessment

© 2010 eEye Confidential & Proprietary

E-SPIN™ Vulnerability Management (VM) eEye Digital Product Presentation

Page 2: Secure and Comply with eEye

Page 3: eEye Products

Page 4: Solutions

• Scalable to any size environment

• Flexible deployments from appliance to software

• “n” tier architecture for scalability and highly secure environments

• Fully encrypted communications between management and agents

Page 5: What is a Vulnerability?

• Software is written by people…

• People make mistakes…

• Software can have mistakes…

• Vulnerabilities are mistakes that can be exploited to:

− Take control of a system

− Deny access to the machine

− Steal information

− Serve as a “beachhead” from which to launch additional attacks

− Disrupt operations

Page 6: What is an Exploit?

• An exploit is software that is written to target a vulnerability

• Exploits perform additional functions once executed:

− Load other programs

− Self-propagate

− Receive commands

− Steal information

− Be destructive

− Etc.

Page 7: What is Vulnerability Assessment?

• The ability to detect vulnerabilities and provide detailed reporting for mitigation (fixing the problem)

• In some cases, identify critical exploits on systems that have already been compromised

• Vulnerability management is the complete life-cycle process of vulnerability assessment, mitigation, and protection from vulnerabilities and exploits

Page 8: Why Scan Your Environment?

• To assess which devices (assets) connected to your organization's network have vulnerabilities

• Because of what can happen if those vulnerabilities are exploited

• To provide details to fix (remediate / mitigate) the vulnerabilities

• To ensure data and operational integrity of proprietary and sensitive information

• To adhere to regulatory compliance laws designed to keep organizations and their (your) data safe

Page 9: Intrusive vs. Non-Intrusive Scanning

• Intrusive Scanning – Identifying vulnerabilities on assets using techniques that could damage, disrupt, or leave the asset in a state more susceptible to other vulnerabilities or exploits. Generally, intrusive scans disrupt the normal operation of the device even though the vulnerability identified is not itself exploited.

• Non-Intrusive Scanning – Identifying vulnerabilities on assets, with a high degree of accuracy, using techniques that do not disrupt or cause harm to the asset.

• Penetration Testing – Intentionally exploiting a vulnerability to document and test the disruption that an actual exploit could cause to an organization.

Page 10: Why Does Research Help?

• What is actually vulnerable?

• How does someone actually leverage the vulnerability with an exploit?

• What degree of danger (severity level) does the vulnerability represent?

• How can I identify a vulnerable host?

• How can I protect against the vulnerability? Especially when no patch is available?

• What systems are affected and why?

All of this research and analysis answers questions on how to properly assess, mitigate, and protect against vulnerabilities and exploits!

Page 11: Research

• Industry-Leading Security Research Team: Drives eEye Products

• Over 100 High-Risk Vulnerabilities Discovered

• Microsoft, Apple, Symantec, McAfee, Adobe, Sun, …

• Sasser, Blaster, Big Yellow, …

• First Reported Office 2007 and Vista Vulnerabilities

• Strategic Partnerships With Other Research Teams

• Fast Security Response to Critical Vulnerabilities

• Neighborhood Watch “Honeypot”

• Recent Research Details:

− 1999 IIS Remote FTP Exploit/DoS Attack

− 2001 Code Red

− 2002 UPNP Vulnerabilities

− 2003 Blaster

− 2004 Microsoft DCOM Vulnerabilities, Sasser

− 2006 Apple Quicktime, McAfee, Symantec, Adobe

− 2007 Office, Java, Vista, FLAC file format, RIM Blackberry Desktop

− 10-Feb-2009: Vulnerability exists in BlackBerry Application Web Loader ActiveX control, CVE-2009-0305 (http://blackberry.com/btsc/KB16248)

− 09-Dec-2008: Windows Saved Search Vulnerability, MS08-075 (http://www.microsoft.com/technet/security/bulletin/ms08-075.mspx)

− 08-Dec-2008: Linksys WVC54GC NetCamPlayerWeb11gv2 ActiveX control stack buffer overflow, VU#639345 (https://www.kb.cert.org/vuls/id/639345)

Page 12: The Need for Audit Updates

• Identifying vulnerabilities is a signature-based process

• As new vulnerabilities are identified, identification signatures need to be updated

• The faster a product can update its signatures, the more accurate it will be at identifying the latest threats

• Poorly written audits lead to “false positives”: the identification of vulnerabilities that truly do not exist

eEye maintains a 48 hour SLA for critical vulnerabilities

eEye maintains a less than 1% false positive rate for vulnerability identification
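The slide's point about poorly written audits is easiest to see in code. What follows is an added example, not eEye's code and not how any Retina audit is written: a toy signature-based audit in which a signature is just a product name plus the first fixed version, and the only difference between the "poor" and the "correct" audit is how the version number is compared. The product name, host names, versions and the audit id are all constructed for illustration.

```python
# Added example (not from the eEye deck): a minimal signature-based
# vulnerability audit, and the false-positive trap the slide warns about.
# Each "audit" is a signature: a product name plus the first version that
# contains the fix. A host is flagged when its installed version is older
# than that fixed version. Product names, versions, host names and the
# audit id below are all constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Audit:
    audit_id: str   # constructed id, not a real advisory number
    product: str
    fixed_in: str   # first version that ships the fix


def parse_version(version: str) -> tuple:
    """Turn '5.10.2' into (5, 10, 2); a non-numeric component becomes 0."""
    parts = []
    for component in version.split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def naive_is_vulnerable(installed: str, fixed_in: str) -> bool:
    # The poorly written audit: plain string comparison, so "5.10.0" sorts
    # before "5.9.0" and a patched host is reported as vulnerable.
    return installed < fixed_in


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    # The corrected audit: compare numeric components, padding with zeros
    # so that 5.10 and 5.10.0 are treated as the same version.
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def run_audits(inventory: dict, audits: list, check) -> list:
    """Apply every audit to every host; return (host, audit_id) findings."""
    findings = []
    for host, installed_products in sorted(inventory.items()):
        for audit in audits:
            version = installed_products.get(audit.product)
            if version is not None and check(version, audit.fixed_in):
                findings.append((host, audit.audit_id))
    return findings


def false_positives(inventory: dict, audits: list) -> set:
    """Findings the naive audit reports that the corrected audit does not."""
    naive = set(run_audits(inventory, audits, naive_is_vulnerable))
    correct = set(run_audits(inventory, audits, is_vulnerable))
    return naive - correct


# Constructed sample data: one audit, four hosts. Only hostA is unpatched.
AUDITS = [Audit(audit_id="AUD-0001", product="ExampleAgent", fixed_in="5.9.0")]
INVENTORY = {
    "hostA": {"ExampleAgent": "5.8.3"},   # older than the fix: truly vulnerable
    "hostB": {"ExampleAgent": "5.9.0"},   # exactly the fixed version
    "hostC": {"ExampleAgent": "5.10.0"},  # newer, but "5.10.0" < "5.9.0" as strings
    "hostD": {"ExampleAgent": "5.12.1"},  # newer, same string-comparison trap
}

if __name__ == "__main__":
    print("naive   :", run_audits(INVENTORY, AUDITS, naive_is_vulnerable))
    print("correct :", run_audits(INVENTORY, AUDITS, is_vulnerable))
    print("false positives:", sorted(false_positives(INVENTORY, AUDITS)))
```

Run against the constructed inventory, the naive audit flags three of the four hosts while only one is actually unpatched; the two extra findings are exactly the false positives the slide describes, and a real product would count them against its false-positive rate. Real audits usually also check the installed build or hotfix level rather than the version string alone, but the comparison discipline is the same.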

Page 13: Secure and Comply with eEye – The Google Example (Google, Adobe, +30 more attacked)

Timeline (Window of Exposure):

− Mid 2009: Hackers gather information from target company’s websites & develop / buy exploits

− 2009: Attackers hosted the exploits on their servers

− 2009: Social engineering delivery to targets

− December 2009: Google finds they have been attacked

− December 2009: Adobe indicates a vulnerability has been found in its code; Adobe finds that they have been attacked

− January 2, 2010: Microsoft promises to patch vulnerability

− January 12, 2010: Google publicly indicates that they and at least 20 other companies have been attacked. Adobe releases fix for its vulnerability.

− January 14, 2010: eEye Research Team adds audit for vulnerability

− January 21*, 2010: Microsoft releases out of band patch. Companies must begin patch rollout process.

Window of Exposure labels on the slide: No Solution → Retina Assessment Only → Patch solution

Page 14: Why Mitigation & Protection

1. Zero-Days (Google)

− What do you do when the vulnerability is not publicly known?

− What do you do when no patch or workaround is available?

− How do you minimize the impact on the business?

2. Reduce Costs Associated with “Panic Patching”

− Large enterprises are spending millions of dollars (measured in lost productivity and business disruption) when non-scheduled patching is required

3. Protect (From) Mobile Workers

− Mobile workers and teleworkers, who typically have administrative rights, acquire infections “in the wild” and introduce them to the network once they reconnect (VPN or LAN). For example, they click an email or a website and install some code.

4. Protect from Internal Threats

− The majority of attacks originate from rogue employees within the network (think downsizing), and from threats in which hackers leverage naïve employees into making their systems vulnerable

Page 15: Retina Network Security Scanner (All)

• Non-intrusive scanning technology

• Accurate vulnerability identification, less than 1% false positive rate*

• Comprehensive database is updated within 48 hours of new critical vulnerabilities

• Standards Based – FDCC, SCAP, SANS, CVSS, CVE, CCE, CPE, OVAL, XCCDF, IAVA, and certified as PCI ASV.

• Open architecture for third-party integration and operations

• Performs a Class C network scan, on average, in under 15 minutes

* As identified by NSSLabs PCI Suitability Report 2008

Page 16: Retina – Protection Components

Protection Capabilities – What it is – Benefit

• Application Control

− What it is: Policies on which applications can be installed and executed by users and/or other programs

− Benefit: Enforce appropriate-use policies; monitor applications for suspect activity

• Device Control

− What it is: Turn on/off USB removable media

− Benefit: Protect against data leakage and malware spreading through USB thumb drives

• Registry Protection

− What it is: Protect critical registry settings from being modified

− Benefit: Ensures malicious programs cannot modify components of the operating system or change behaviour of existing programs

• Intrusion Prevention

− What it is: Monitor network traffic to look for and protect against malicious activity

− Benefit: Block known and unknown network attacks before they can damage your assets

• Zero-Day Protection

− What it is: Monitor applications to look for and protect against exploitation attempts

− Benefit: Protects the system against known and unknown, local and remote buffer overflow exploits

• Local VA Scanning

− What it is: Performs Retina scanning locally

− Benefit: Scan more frequently, where local credentials are required, and unaffected by firewalls and IDS systems

Page 17: Retina – Protection Components

Component – Attack Scenario – How we Protect

• Application Control

− Attack scenario (Application Control): Users installing applications that can be used as attack vectors; exploited applications attempting to download and install malware

− How we protect: Do not allow users to install unapproved applications; do not allow approved applications to download and install malware

− Attack scenario (Web Protection): Installing malicious code while browsing the web (drive-by attacks)

− How we protect: Detect and block attacks using vulnerable third-party ActiveX controls installed in Internet Explorer

• Device Control

− Attack scenario: Data leakage issues; malware gets installed and spreads through USB thumb-drives

− How we protect: Block users from using USB devices

• Registry Protection

− Attack scenario: Malware attempts to create entries in the Windows Registry

− How we protect: Rules can be created to block access to sensitive areas of the registry; system administrators can use it to enforce configuration policies

• Zero-Day Protection

− Attack scenario: Attacker exploiting a zero-day vulnerability in one of the installed applications

− How we protect: Monitor application behaviour and detect and block known and unknown buffer-overflow exploits

• Intrusion Prevention

− Attack scenario: Attackers using attack tools to exploit vulnerable network services; malware spreading by exploiting unpatched systems

− How we protect: Analyze and decode network protocols looking for signatures of known attacks and signs of intrusion

Page 18: Why Local Vulnerability Assessment

• Credentials

− Some critical assets may require local scanning if the security policy does not allow a remote scanner to inventory its credentials for scanning purposes

• Firewalls

− Some critical assets may have firewalls turned on that would prevent a remote scanner from accurately performing an assessment.

• On Demand Scans

− The Retina Compliance agent allows users and administrators to perform on-demand scans to check for compliance

• Disconnected Scans / Roaming Users

− The local scans can be scheduled and run even though the asset is not connected to the corporate network or Internet

• Frequent Scans

− Local scanning allows for more frequent scanning without the associated network or management overhead.

Page 19: Retina Protection Agent

Firewall Protection

Performs traditional firewall duties, allowing or denying traffic based on a set of predetermined rules. Blink also monitors the source of network traffic in real time and only allows traffic from authorized applications, preventing unauthorized programs from making illegal outbound connections.

Virus and Spyware Protection

Provides complete signature and heuristics-based attack protection.

Intrusion Prevention & Zero-Day Protection

Provides protection where a vendor has not yet created patches to protect against vulnerabilities in their operating system or application.

System Protection

− Application control provides policy over which applications are allowed to function by authorizing or denying program file execution.

− Registry Protection prevents specific registry settings from being modified, stopping malicious programs or errant users from infecting or modifying systems.

− Storage Protection prevents data leakage by regulating USB and Firewire storage devices.

Local VA Scanning

Perform local vulnerability scanning where local credentials and more frequent scans are required.

Page 20: Retina Protection Agent

• Can stop 100% of client side attacks on un-patched hosts

• The only agent based vulnerability assessment platform

• Contains a vulnerability assessment, intrusion prevention, buffer overflow protection, registry and execution protection.

• Allows for upgrading to Blink

• Complements existing endpoint antivirus solutions

• Included in Retina Licensing

Page 21: Terms We Should Know: Malware

• Malware

− Malware, short for malicious software, is software designed to infiltrate a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

• Rootkit

− A rootkit is a software system that consists of one or more programs designed to obscure the fact that a system has been compromised.

• Heuristic detection

− Analyze the suspicious file’s characteristics and behaviour to determine if it is indeed malware (not via a signature library). This allows these products to detect new or previously unseen malware. Analysis can use a variety of methods including:

− Sandboxing

− File Analysis

− Generic Signature Detection

Page 22: Terms We Should Know: Zero-Days

• Zero-day

− A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others (i.e. the software vendor)

• Vulnerability Window Timeline:

1. The developer/vendor creates software containing an (unknown) vulnerability

2. The attacker finds the vulnerability before the developer does

3. The attacker writes and distributes an exploit while the vulnerability is not known to the developer

− The exploit is now used “in the wild”

− Organizations are very susceptible as they do not know which assets are exposed

− Once assessment tools add an audit you can determine which assets are exposed

4. Exploit publicly known

− Over time the exploit becomes known

− Assessment tools add an audit to determine which assets are at risk

− The developer finds the vulnerability and starts developing a fix

− A patch is made available and deployed

• Zero-day protection

− Zero-day protection is the ability to provide protection against zero-day exploits. Zero-day attacks can also remain undetected after they are launched

Page 23: Terms We Should Know: Intrusion Prevention

• Intrusion Prevention

− An intrusion prevention system (IPS) is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities

• Network Based Intrusion Prevention

− A network-based IPS is one where the IPS application/hardware and any actions taken to prevent an intrusion on a specific network host(s) is done from a host with another IP address on the network (This could be on a front-end firewall appliance.)

• Host-Based Intrusion Prevention

− The intrusion-prevention application is resident on that specific IP address, usually on a single computer. HIPS systems do not require traditional signature based analysis.

Page 24: Blink - Components

Firewall Protection

Performs traditional firewall duties, allowing or denying traffic based on a set of predetermined rules. Blink also monitors the source of network traffic in real time and only allows traffic from authorized applications, preventing unauthorized programs from making illegal outbound connections.

Virus and Spyware Protection

Provides complete signature and heuristics-based attack protection.

Intrusion Prevention & Zero-Day Protection

Provides protection where a vendor has not yet created patches to protect against vulnerabilities in their operating system or application.

System Protection

− Application control provides policy over which applications are allowed to function by authorizing or denying program file execution.

− Registry Protection prevents specific registry settings from being modified, stopping malicious programs or errant users from infecting or modifying systems.

− Storage Protection prevents data leakage by regulating USB and Firewire storage devices.

Local VA Scanning

Perform local vulnerability scanning where local credentials and more frequent scans are required.

Page 25: Blink - Messaging

• Layered security protection that optimizes defences against viruses, spyware, worms, Trojans, and other malicious zero-day exploits

• Blink provides complete endpoint protection security by combining:

− Application and system firewall

− Endpoint protection platform

− Virus and spyware protection

− Protocol-based intrusion prevention

− Vulnerability assessment

− Patented system protection

− Zero-day attack protection

− Dynamic policy support

Page 26: Blink - Benefits

• Blink 4 delivers a host of positive business benefits:

− Layered security protection that optimizes defences against viruses, spyware, worms, Trojans, and other malicious zero-day exploits

− The ability to consolidate 5+ discrete endpoint security agents into one Blink 4 agent and reap significant administrative time savings in the process

− Reduce system resource requirements by over 50% compared to the memory footprint of maintaining 5+ discrete endpoint security products

− Reduce endpoint security costs by over 50% by eliminating the licensing and support costs associated with buying and maintaining multiple endpoint security products

− Gain centralized policy control over applications, system resources, and removable storage devices

Page 27: Blink Endpoint Protection Platform

• Can stop 100% of client side attacks on unpatched hosts

• The only endpoint protection platform with vulnerability assessment

• Contains a firewall, virus and spyware protection, vulnerability assessment, intrusion prevention, buffer overflow protection, registry and execution protection, and optional web application firewall

• 4 Blink EPP Versions:

− Blink Personal

− Blink Professional

− Blink Server Edition

− Blink Server Web Edition

Page 28: The New Retina CS Management Console

Features

• Simplified User Experience

• Customizable Reporting

• Rich Internet Application

• Cross Platform Browser Support

• Improved Scalability and Performance

• Results Driven Architecture

• Complete Vulnerability Management

Page 29: Retina CS: A Single Point of Management

• Retina CS manages vulnerability data from:

−Retina Network Security Scanner 5.11.x

−Retina 6.x (when available)

−Retina Protection Agent

−Blink Endpoint Platform Protection

• Blink Professional

• Blink Server Edition

• Blink Web Server Edition

Page 30: Retina CS

• Rich internet application for all vulnerability and endpoint management

• Scalable to any "n" tier architecture

• Available as software, managed service, or appliance

• Results-driven architecture matches business and regulatory compliance requirements

• Smart groups allow collections by any asset trait

Page 31: Retina Web Security Scanner

• Fully automated authentication and web crawling

• No user scripting required

• Automated positive reduction

• Results validation via distributable reports

• Detection of infected web sites

• PCI DSS v1.2 web application reporting

• Cost analysis for remediation

• Vulnerability trending

• RWSS found 8 to 19 times more vulnerabilities than two of its primary competitors when scanning web applications*

* Larry Suto Study – February 2010

Page 32: E-SPIN™ Vulnerability Management (VM) Overall Value Proposition

E-SPIN™ Core Value Proposition for Reseller and End Customer

Reseller / Partner Proposition:

− Value Added Reseller (VAR) / Main Contractor

− Local Customer Know-Who

− End Customer Requirement

− Project / System

− Technical & Commercial

Page 33: E-SPIN™ Success Project Track Record since 2005, Domestic & Overseas (client base keeps growing with partners & customers supported)

Page 34: E-SPIN™ End to End Consultancy, Training, Certification and Support to back Partner / Customer Requirement

− System Deployment

− Development / Customization

− Technology Consultancy

− Special Project

− Custom Training

− Certification / Exam Coaching

− Solution Architect

− Onsite Advanced Training

− Offsite Technical Training