Endpoint Security Shifting Paradigms

Upload: tafinley

Post on 27-Dec-2014

Page 1: Endpoint Security Shifting Paradigms 5

Endpoint Security Shifting Paradigms

Page 3

Malware Outbreaks Growing

● Constant morphing
● Constant attacks
● No target is too small
● Damage to victims goes far beyond money
● Growing government (and trial-lawyer) interest
● Everyone is at risk

Page 4

Today's Paradigm

● We know what malware looks like;
● Our users won't accept changes that impact the way they work;
● We can train our users so well they'll never make a mistake;
● And, our techs and SysAdmins;
● With just a little more effort we can deploy all patches to all devices on time every time, without fail;
● We've always used blacklists; they work;
● We're smarter than the bad guys; and,
● We just got breached.

Page 5

A New Paradigm

● We can't recognize everything that's bad;
● Users can accept reasonable changes because they all know an identity-theft victim;
● We can know what is permitted on each computer;
● Whitelisting works because
✔ We now do it at the executable level (executables and shared libraries);
✔ White lists can be updated each time a patch or update is deployed;
✔ White list maintenance is mostly automated;
✔ Whitelisting is augmented with other endpoint controls.
● No matter what kind of malware gets in because of user errors, misconfigurations, or missing patches, any executable or shared library it drops that is not on the white list can't execute.

Page 7

Security Assistant

● Stops everything not on white list
● Deploys patches, automates whitelist maintenance
● Audits endpoints by opening each file on all drives
● Semi-NAC
● Console window for every endpoint with schedule-capable commands

Page 8

Full Stop

● Stops everything not on white list
✔ Monitors hard drive writes (including browser cache)
✔ Quarantines if executable/shared library & not on white list
✔ Monitors process starts
✔ Blocks if starting program not on white list
✔ Monitors removable media
✔ Blocks execution if not on white list

Page 9

Integrated Patch/Whitelist Maintenance

● Deploys patches, automates whitelist maintenance
✔ Provisional whitelist includes pre- and post-patch file information, as well as the patch itself;
✔ Post-patch whitelist removes information for pre-patch conditions and the patch;
✔ ADDED VALUE – an endpoint restored to a pre-patch restore point is immediately obvious; no more unknown lost patches.

Page 10

Full System Audit

● Audits endpoints by opening each file on all drives
✔ Maps results to FDCC patch requirements
✔ Maps results to CVE-type patchable vulnerabilities
✔ Can map to any similar standard or requirement
✔ Shows authorized software
✔ Shows unauthorized software
✔ "Click-to-Remove" builds a script to remove unwanted files/applications and runs it when initiated from the GUI

Vulnerabilities Identified

Consensus Audit Guidelines Critical Control #2
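The enforcement and patch-window behaviour described on pages 8, 9 and 10 (quarantine an unknown executable on write, block it at process start, widen the white list provisionally while a patch deploys, then cut it back so a rolled-back file shows up as unauthorized on audit), modelled as an added example in Python. This is not Naknan's code and makes no claim about how their product is built; every "file" below is a constructed byte string standing in for a real binary, and the paths are made up.

```python
"""Hash-based executable allowlisting with a provisional patch window.

Added example (not the vendor's code). Models the slide-deck behaviour:
quarantine or block any executable/shared library not on the node's white
list, widen the list provisionally while a patch deploys, then cut it back
so a rolled-back (pre-patch) file stands out on audit. All file contents
are constructed stand-ins, not real binaries.
"""
import hashlib
from dataclasses import dataclass, field

# Magic bytes of formats that can be loaded as code: PE (MZ), ELF, Mach-O.
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf")


def is_executable(data: bytes) -> bool:
    """True if the file starts like an executable or shared library."""
    return any(data.startswith(magic) for magic in EXEC_MAGIC)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class NodeWhitelist:
    """Per-node white list; decisions key on content hash, never on file name."""
    allowed: set = field(default_factory=set)      # steady-state permitted hashes
    provisional: set = field(default_factory=set)  # extra hashes during a patch window

    def permitted(self, data: bytes) -> bool:
        digest = sha256(data)
        return digest in self.allowed or digest in self.provisional

    def on_write(self, data: bytes) -> str:
        """Drive-write hook (download, browser cache, copy from removable media)."""
        if not is_executable(data):
            return "ignore"                      # documents are not enforced here
        return "allow" if self.permitted(data) else "quarantine"

    def on_exec(self, data: bytes) -> str:
        """Process-start / library-load hook."""
        return "run" if self.permitted(data) else "block"

    def begin_patch(self, pre: bytes, post: bytes, patch: bytes) -> None:
        """Provisional list: pre-patch file, post-patch file and the patch itself."""
        self.provisional |= {sha256(pre), sha256(post), sha256(patch)}

    def finish_patch(self, pre: bytes, post: bytes, patch: bytes) -> None:
        """Post-patch list drops the pre-patch version and the patch installer."""
        self.allowed.discard(sha256(pre))
        self.allowed.add(sha256(post))
        self.provisional -= {sha256(pre), sha256(post), sha256(patch)}

    def audit(self, files: dict) -> dict:
        """Open every file; classify executables as authorized/unauthorized by hash."""
        report = {"authorized": [], "unauthorized": []}
        for path, data in files.items():
            if is_executable(data):
                key = "authorized" if self.permitted(data) else "unauthorized"
                report[key].append(path)
        return report


# Constructed stand-ins for files (hypothetical names and contents).
OLD_LIB = b"MZ" + b"libfoo v1.0"          # shipped with the base image
NEW_LIB = b"MZ" + b"libfoo v1.1"          # delivered by the patch
PATCH = b"MZ" + b"vendor patch installer"
DROPPER = b"MZ" + b"downloaded dropper"   # arrives via the browser cache
REPORT = b"%PDF-1.4 quarterly report"     # not code, so not enforced


def run_scenario() -> dict:
    """Walk the patch lifecycle and return every enforcement decision."""
    wl = NodeWhitelist(allowed={sha256(OLD_LIB)})
    out = {}
    out["dropper_write"] = wl.on_write(DROPPER)   # quarantine
    out["dropper_exec"] = wl.on_exec(DROPPER)     # block
    out["report_write"] = wl.on_write(REPORT)     # ignore
    out["patch_before"] = wl.on_exec(PATCH)       # block: not yet provisioned

    wl.begin_patch(OLD_LIB, NEW_LIB, PATCH)
    out["patch_during"] = wl.on_exec(PATCH)       # run
    out["newlib_during"] = wl.on_write(NEW_LIB)   # allow (provisional)

    wl.finish_patch(OLD_LIB, NEW_LIB, PATCH)
    out["patch_after"] = wl.on_exec(PATCH)        # block again
    # Endpoint rolled back to a pre-patch restore point: the old hash is gone
    # from the list, so the lost patch is immediately visible on audit.
    out["audit"] = wl.audit({"C:/prog/libfoo.dll": OLD_LIB,
                             "C:/prog/app.exe": NEW_LIB,
                             "C:/docs/q.pdf": REPORT})
    return out


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {decision}")
```

Two design points matter in practice: the list keys on content hash, so renaming a quarantined dropper does nothing, and the provisional window must be closed (finish_patch) or the patch installer stays permanently runnable on the node.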

Page 11

Network-Related

● Semi-NAC
✔ Monitor network traffic
✔ Each node "knows" other devices on same subnet
✔ Reports and refuses to communicate with unknown devices on same subnet
✔ Early 2010: not limited to same subnet
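The same-subnet check above, together with the newcomer workflow on the "What Makes Us Different?" page (a new device is unknown until an administrator decides whether it is authorized), as an added example in Python. It is not the vendor's code: the neighbour-cache lines, subnet and MAC addresses are constructed, and the iptables lines are returned as strings rather than applied.

```python
"""Per-node 'semi-NAC': report and refuse unknown devices on the node's subnet.

Added example (not the vendor's code). Each node carries a table of the MAC
addresses that belong on each managed subnet; any neighbour seen with another
MAC is reported as a newcomer and turned into host-firewall drop rules until
an administrator approves it. The neighbour-cache text, subnets and MACs are
constructed.
"""
import ipaddress
import re

# Constructed `ip neigh`-style output, as a node would read from its own cache.
NEIGH_OUTPUT = """\
10.0.5.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.5.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
10.0.5.77 dev eth0 lladdr de:ad:be:ef:00:77 REACHABLE
10.0.5.99 dev eth0  FAILED
192.168.9.4 dev eth1 lladdr 00:11:22:33:44:f4 REACHABLE
"""

NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)(?:\s+lladdr\s+(\S+))?\s+(\S+)$")


def parse_neighbours(text: str) -> list:
    """Return {ip, dev, mac, state} for every entry that resolved to a MAC."""
    out = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        ip, dev, mac, state = m.groups()
        if mac:                       # FAILED/INCOMPLETE entries carry no MAC
            out.append({"ip": ip, "dev": dev, "mac": mac.lower(), "state": state})
    return out


class SubnetGuard:
    """Known-device table for the subnets this node is told to police."""

    def __init__(self, known: dict):
        # known: {"10.0.5.0/24": {"mac", ...}}; other subnets are out of scope,
        # matching the same-subnet limit described for the 2009 product.
        self.known = {ipaddress.ip_network(n): {m.lower() for m in macs}
                      for n, macs in known.items()}
        self.pending = {}             # mac -> ip, reported but not yet approved

    def _subnet_for(self, ip: str):
        addr = ipaddress.ip_address(ip)
        return next((n for n in self.known if addr in n), None)

    def scan(self, neigh_text: str) -> list:
        """Report newcomers: same-subnet neighbours whose MAC is not known."""
        newcomers = []
        for e in parse_neighbours(neigh_text):
            net = self._subnet_for(e["ip"])
            if net is None or e["mac"] in self.known[net]:
                continue              # unmanaged subnet, or a known device
            self.pending[e["mac"]] = e["ip"]
            newcomers.append(e)
        return newcomers

    def block_rules(self) -> list:
        """Host-firewall lines that refuse traffic with each pending device."""
        rules = []
        for mac, ip in sorted(self.pending.items()):
            rules.append(f"iptables -A INPUT -m mac --mac-source {mac} -j DROP")
            rules.append(f"iptables -A OUTPUT -d {ip} -j DROP")
        return rules

    def approve(self, mac: str) -> None:
        """Administrator decision: the newcomer is authorized after all."""
        ip = self.pending.pop(mac.lower())
        self.known[self._subnet_for(ip)].add(mac.lower())


def run_scenario() -> dict:
    """First scan reports one newcomer; after approval it is a known device."""
    guard = SubnetGuard({"10.0.5.0/24": {"00:11:22:33:44:01", "00:11:22:33:44:20"}})
    first = guard.scan(NEIGH_OUTPUT)
    rules = guard.block_rules()
    guard.approve("de:ad:be:ef:00:77")      # e.g. a new printer the admin vetted
    second = guard.scan(NEIGH_OUTPUT)
    return {"first": [e["mac"] for e in first], "rules": rules,
            "second": [e["mac"] for e in second], "pending": dict(guard.pending)}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The "semi" in semi-NAC is earned: identity here is a MAC address, which any attacker on the segment can set to a known value, so this control reports and isolates accidental or unsophisticated newcomers rather than authenticating devices the way 802.1X does.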

Page 12

Command Window

● Window into every node
✔ Do anything you could if you were at the node
✔ Schedule console commands; no commands excepted
✔ Highly secure and very mature interface
✔ Gives complete control of each node, realtime and/or scheduled

Page 13

Critical Infrastructure

NERC Critical Infrastructure Protection Requirements (FERC-approved) -- CIP-007-2

R3. Security Patch Management — establish, document and implement a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).
R3.1. Document the assessment of security patches and security upgrades.
R3.2. Document the implementation of security patches.
R4. Malicious Software Prevention — use anti-virus software and other malicious software ("malware") prevention [and removal] tools.
R4.1. Implement anti-virus and malware prevention tools.
R4.2. Implement a process for the update of anti-virus and malware prevention "signatures."

Similar requirements in other CIP documents.

Page 14

Consensus Audit Guidelines

● Critical Control 2: Know all authorized and unauthorized software; enforce whitelist – FULL

● Critical Control 10: Continuous Vulnerability Testing and Remediation – PARTIAL (no H/W configuration checking)

● Critical Control 12: Anti-Malware Defenses – FULL

● Critical Control 15: Data Leakage Protection – PARTIAL (log each USB drive inserted; write-to-removable media can be prevented; block execution of malware which steals data/information)

Page 15

What Makes Us Different?

● Whitelisting with integrated Patch Management, making possible
● Automated whitelist maintenance
● Patch Compliance reporting without false positives (FDCC, CVE, others)
● Event scheduling
● Command console on target node
● Network Access Control

Each node has its own white list, updated as patches, updates, and applications are deployed. The command console gives you a console window on the target node, and event scheduling lets you schedule any input that the target node's console will accept, as if you were there. Network Access Control discriminates between new authorized and new unauthorized devices, although both are initially unknown.

Shut down apps, change user mode, schedule & execute any console command

Detect/report newcomers on network

Page 16

End-User Impacts

● Can't run "non-business" applications
● Can't install off-whitelist software
● Can't download software from the web
● Can't run file-sharing and IM applications
● Can't get infected by web browsing or opening infected email or attachments

Once users understand the importance of the culture changes, they go along.

An approved "Add To Whitelist" policy and procedure must be published to all.

Page 17

Organization Impacts

● No malware infections
● No patchable vulnerabilities
● No unauthorized software
● "Proof of Compliance" endpoint audits
● More orderly use of IT staff (fewer fire drills)

Increased security at all endpoints makes your organization a less attractive target.

Page 18

Demo

● Insert removable media – detected, reported, logged
● Execute file on removable media – blocked, reported, logged
● Copy executable from removable media to hard drive – quarantined, reported, logged
● Browse infected web site (assist malware download as necessary) – download quarantined
● Repeat at other infected web sites – quarantined

Shouldn't your organization be so well protected?

Page 19

Naknan Corporate Contacts

● Noklek Finley, President & CEO - Doug Finley, Vice President, 281-990-0030, Ext. 12

1300-A Bay Area Blvd., Suite 233
Houston, TX 77058

281-990-0030
www.naknan.com

Business Development Team:

Romani Perera, Business Development, [email protected]
Finley John, Director-Support Services, [email protected]