McAfee Internal Use Only
McAfee Security Web Pulse: Endpoint vs. Network, & What Does Cloud Have To Do With It?
Steve Goers
Sr. Solutions Engineer | St. Paul, MN USA
About Steve Goers:
Over 11 years with McAfee, in multiple roles. Most recently on the Solution Engineering side.
Bachelor of Science, Computer Engineering – University of Minnesota (Go Gophers!)
I have a passion for “being real”. This industry is filled with jargon, loose definitions, and smoke and mirrors. I’m all about technical accuracy.
@securesteveg (Twitter)
https://securesteve.com (personal blog)
[email protected] (email)
A bit of History:
Can you identify the first computer virus?
a. Elk Cloner
b. Reaper
c. Brain
d. Creeper
Answer: D. Creeper, named for a character on the “Scooby Doo” cartoon show, is generally recognized as the first computer virus. It was written in 1971 by Bob Thomas of BBN Technologies and spread through DEC PDP-10 computers on ARPAnet, displaying the message, "I'm the creeper, catch me if you can!"
Elk Cloner, written in 1982 by then-15-year-old Rich Skrenta of Pittsburgh, was a boot-sector virus designed to infect Apple II computers and was the first to be detected in the wild and to be considered widespread.
The first antivirus program? Reaper, which was created to delete Creeper.
Stop for a moment…
Have you ever considered why malware is bad?
Two Types of ‘Malware’ concerns:
This is ONE kind:
This is ANOTHER kind (Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/):
Who is behind it (from least to most capable):
• Recreational / Vandals
• Cybercriminals / Organized Crime
• Hacktivism / Reputation Attacks
• State Sponsored / Cyberespionage
• Cyberattacks
Ransomware is bad, but mostly because it affects your DATA.
If your PC bluescreens, you may have to reimage, but you’ll be back on your feet.
But if a control system bluescreens, power could be affected for thousands of homes.
Consider this:
A good posture should start with securing your CROWN JEWELS.
Let me “Frame” our discussion this way…
Consider a house: A house should keep out the rain. Do you agree?
But that’s not the only thing it has to do, is it?
• Let you enter/exit
• Keep you warm/cool
• Be able to spy on neighbors, ahem, look outside
• Keep out the zombies/strangers
A house is like your security posture. There’s more than one component to it, for it to work effectively.
• Let you enter/exit (doors are better than windows, which are better than walls)
• Keep you warm/cool (walls and roof are best)
• Be able to spy on neighbors, ahem, look outside (windows are better than walls here)
• Keep out the zombies/strangers (a drawbridge helps here, but so do things like closed doors and locks)
So, do you agree that there are certain components that are better than others at accomplishing certain tasks?
Also, “duplication” doesn’t always mean better. However, sometimes it is.
Let’s get to the point:
Endpoint? Or Network?
The Value of an Endpoint Control
• Insight
• Accuracy
• Disinfection
• Manageability
McAfee. The device-to-cloud cybersecurity company.
The Value of an Endpoint Control
• Insight
  • Runs right where the “Bad Stuff” happens, aka onsite.
  • Visibility into all attack vectors (USB, Bluetooth, Floppy, etc.), including ones that never cross a network control.
  • On-Access and In-Memory Scanning, showing at-runtime results and behaviors.
• Accuracy
  • McAfee scanners run over 4.7 TRILLION files per day, so accuracy is huge: at that volume even a tiny false-positive rate is unacceptable.
  • Not simulated: the endpoint observes the actual attack as it executes on the host.
• Disinfection
  • Can clean and remove infections
  • Can ‘repair’ already infected machines
  • Remediation of malware artifacts and behaviors, not just deleting the infected file
• Manageability
  • Usually enterprise-wide management is available
  • Remote and offsite deployment, configuration, and monitoring
The Value of A Network Control
• Always On + “Ease” of deployment
• Enforcement
• Performance
• Resilience
The Value of a Network Control
• Always On + Easy Deploy
  • Simply put in an appliance and “go”
  • OS-agnostic protection
  • Single update vector, as opposed to thousands of devices that must ‘check in’
• Enforcement
  • Detailed visibility into behaviors that might not necessarily be “malware”
  • Unique ability to be extremely sensitive: a false positive in detect mode costs an analyst a look rather than breaking a user’s machine (an inline block still carries a cost, so tune blocking rules more conservatively than alerting rules)
• Performance
  • Multiple types of engines (Signatures, Machine Learning, Emulation, Sandboxing)
  • Dedicated appliance performing a ‘single’ function.
  • Duplicate-effort avoidance: items are scanned per organization, not ‘per device’.
• Resilience
  • Not affected by malware attempting to disable endpoint protection functions
  • Outbound prevention controls (not just incoming) and visibility
True security is not an increasing patchwork of features or duplication of efforts.
Consider a ‘Firewall’, both endpoint based and network based.
Common sense says that if both tools are set to block everything and everywhere, then having both is ‘duplicated’ effort. Do you agree?
However, the moment we decide to allow an ‘application’ through, fundamental differences become apparent. The endpoint firewall might identify an application based on a file, or a running process. The network firewall might identify an application based on destination IP or layer 3 to layer 7 data.
To step back, if an endpoint firewall and network firewall are both blocking a particular IP, that is a duplicated defense.
If an endpoint firewall and network firewall are both blocking malicious applications (as they likely perceive maliciousness differently), that is defense in depth.
If the network firewall can inform the endpoint firewall of newly identified threats, that is called awesome, or an integrated security architecture.
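The three cases above (duplication, defense in depth, integration) as a small runnable model. This is an added example, not McAfee code and not how any product implements its firewall: the two engines are toy models, and every host name, hash placeholder, address and verdict string is constructed. The endpoint control identifies the application by process/file identity; the network control only sees destination and layer 3 to 7 attributes; `integrate=True` pushes a network verdict into the endpoint blocklist so a roaming laptop the appliance never sees is still covered.

```python
"""Endpoint vs. network firewall as two different views of an "application".

Added example, not McAfee's code. All hosts, hashes, addresses and verdict
strings are constructed to illustrate the slide; the engines are toy models.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Event:
    host: str
    process: str           # image path, visible only to the endpoint control
    sha256: str            # constructed placeholder for the image hash
    dst_ip: str
    dst_port: int
    app_proto: str         # L7 classification, visible to the network control
    on_corp_network: bool  # False for a roaming laptop the appliance never sees


@dataclass
class EndpointFirewall:
    """Identifies the application by file/process identity."""
    allowed_hashes: set
    blocked_ips: set = field(default_factory=set)

    def decide(self, ev):
        if ev.dst_ip in self.blocked_ips:
            return "block:ip"
        if ev.sha256 not in self.allowed_hashes:
            return "block:unknown-process"
        return "allow"


@dataclass
class NetworkFirewall:
    """Identifies the application by destination and layer 3-7 attributes."""
    blocked_nets: list
    blocked_protos: set

    def decide(self, ev):
        if any(ip_address(ev.dst_ip) in net for net in self.blocked_nets):
            return "block:ip"
        if ev.app_proto in self.blocked_protos:
            return "block:proto"
        return "allow"


def classify(ep_verdict, nw_verdict):
    """Label one event the way the slide does: duplication vs. defense in depth."""
    ep_blocks = ep_verdict.startswith("block")
    nw_blocks = nw_verdict.startswith("block")
    if ep_verdict == "block:ip" and nw_verdict == "block:ip":
        return "duplicated"          # same IP blocked twice, same perception
    if ep_blocks and nw_blocks:
        return "defense-in-depth"    # blocked for different reasons
    if ep_blocks:
        return "endpoint-only"
    if nw_blocks:
        return "network-only"
    return "allowed"


def evaluate(events, ep, nw, integrate=False):
    """Return a label per event. With integrate=True, an IP the network
    control blocks is pushed into the endpoint control's blocklist, so a
    later event from a host the appliance cannot see is still stopped."""
    labels = []
    for ev in events:
        ep_v = ep.decide(ev)
        nw_v = nw.decide(ev) if ev.on_corp_network else "not-seen"
        if integrate and nw_v == "block:ip":
            ep.blocked_ips.add(ev.dst_ip)
        labels.append(classify(ep_v, nw_v))
    return labels


def run_demo(integrate=False):
    """Fresh controls and a constructed event sequence; returns the labels."""
    ep = EndpointFirewall(allowed_hashes={"sha256-of-browser"},
                          blocked_ips={"198.51.100.7"})
    nw = NetworkFirewall(blocked_nets=[ip_network("198.51.100.0/24"),
                                       ip_network("192.0.2.0/24")],
                         blocked_protos={"tor"})
    browser, dropper = "sha256-of-browser", "sha256-of-unknown-binary"
    events = [
        Event("pc-1", "browser.exe", browser, "203.0.113.10", 443, "https", True),
        Event("pc-1", "tmp\\x.exe", dropper, "203.0.113.10", 443, "https", True),
        Event("pc-2", "browser.exe", browser, "198.51.100.7", 443, "https", True),
        Event("pc-2", "browser.exe", browser, "192.0.2.44", 9001, "tor", True),
        Event("laptop-7", "browser.exe", browser, "192.0.2.44", 9001, "tor", False),
        Event("pc-3", "tmp\\x.exe", dropper, "192.0.2.44", 9001, "tor", True),
    ]
    return evaluate(events, ep, nw, integrate)


if __name__ == "__main__":
    for mode in (False, True):
        print("integrated" if mode else "standalone", run_demo(mode))
```

The fifth event is the one to watch: without integration the roaming laptop's connection to the network-blocked address is simply allowed, because the appliance never sees it and the endpoint has no reason to block a trusted browser; once the network verdict is shared, the endpoint blocks it on its own.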
As a new defense technology is adopted widely, attackers adapt to it and its effectiveness decreases. Therefore, speed (of adoption, and of updates once a bypass appears) is critical. Each generation of defense has its counter:
1. Polymorphism (against signature-based antivirus)
2. Sandbox fingerprinting (against sandboxes)
3. Poisoning of machine-learning models (against ML classifiers)
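Item 1 in working form, as an added example (not McAfee code, and not any real malware): a constructed "payload" and a byte signature for it, a single-byte XOR wrapper standing in for a polymorphic encoder (the `POLY` header is a constructed placeholder for a decoder stub, not machine code), and two scanners. The static scanner matches the hash or the byte pattern of what sits on disk; the emulated scanner lets the stub "run" and scans what the process would actually hold in memory, which is the In-Memory / Emulation capability the earlier slides list.

```python
"""Why a static signature loses to polymorphism, and what in-memory or
emulation scanning recovers. Added example, not McAfee's code; the
payload, the "POLY" wrapper and the signature are all constructed."""
import hashlib

# Constructed sample "malware" and the static indicators an engine might hold.
PAYLOAD = b"cmd /c net user backdoor Passw0rd /add && reg add HKCU\\Run /v x"
SIGNATURE = b"net user backdoor"                       # byte pattern
KNOWN_HASHES = {hashlib.sha256(PAYLOAD).hexdigest()}   # exact-file hash
MAGIC = b"POLY"   # constructed stand-in for a decoder stub (not real machine code)


def static_scan(sample: bytes) -> str:
    """Models signature/hash scanning of the bytes as they sit on disk."""
    if hashlib.sha256(sample).hexdigest() in KNOWN_HASHES:
        return "hash-match"
    if SIGNATURE in sample:
        return "signature-match"
    return "clean"


def polymorph(payload: bytes, key: int) -> bytes:
    """One polymorphic variant: the same payload XOR-encoded under `key`,
    prefixed by the stub the attacker ships to decode it at run time."""
    if not 1 <= key <= 255:
        raise ValueError("key 0 would leave the payload unchanged")
    return MAGIC + bytes([key]) + bytes(b ^ key for b in payload)


def decode(sample: bytes) -> bytes:
    """What the stub would do when executed."""
    key = sample[len(MAGIC)]
    return bytes(b ^ key for b in sample[len(MAGIC) + 1:])


def emulated_scan(sample: bytes) -> str:
    """Models emulation / in-memory scanning: let the stub run (here: decode),
    then scan what the process actually holds in memory."""
    if sample.startswith(MAGIC) and len(sample) > len(MAGIC):
        verdict = static_scan(decode(sample))
        if verdict != "clean":
            return "emulated-" + verdict
    return static_scan(sample)


def compare(payload: bytes = PAYLOAD) -> dict:
    """Run both scanners over every single-byte-key variant and count hits."""
    variants = [polymorph(payload, k) for k in range(1, 256)]
    return {
        "variants": len(variants),
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "static_hits": sum(static_scan(v) != "clean" for v in variants),
        "emulated_hits": sum(emulated_scan(v) != "clean" for v in variants),
        "original_static": static_scan(payload),
    }


if __name__ == "__main__":
    print(compare())
```

Every one of the 255 variants has a new hash and no longer contains the byte pattern, so the static engine sees nothing, while the emulated path catches all of them. The attacker's next move is to mutate the stub itself so that the `POLY` header cannot be signatured either, which is the arms race the slide is describing and why speed matters.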
So if there’s value in both Endpoint and Network, what should I look out for?
▪ DO look for integrated solutions that can share threat telemetry and simplify policy enforcement
▪ DO look for different, functional capabilities (machine learning, static detection, sandboxing, emulation, behavioral and signature)
▪ DO look for robustness in policy flexibility and granularity
▪ DO look for open architectures – easy to onboard solutions and tools
▪ DON’T simply duplicate efforts
▪ DON’T assume that using few or a single vendor implies that a single ‘scanner’ or engine type is used
So, the cloud makes this more complex, right?
Shared Responsibility vs. “Your Fault”
In a way, we’ve been inundated with charts like these: (What is endpoint? What is network?)
Where does it say WHO or WHAT is responsible for ‘security’??
Shared Security Responsibility Model
Deployment models (columns): On-Premises | IaaS | PaaS | SaaS
Stack layers (rows, top to bottom): Users, Data, Applications, Operating System, Network, Hypervisor, Infrastructure, Physical
Legend: Customer Responsibility / Cloud Provider Responsibility
What do we do about ‘our’ part of the shared security responsibility?
First, we must not forget that basic security concepts still apply:
▪ Workload visibility
▪ Segmentation
▪ East/West and Access controls
▪ Identifying stakeholders (DevOps, App Developers, Cloud Teams, etc.)
▪ Change management considerations, audit trails
▪ Corporate compliance obligations (PCI, HIPAA, NERC, FISMA, etc.)
If we orient our thinking around these basics, it will help guide us towards implementing our security responsibilities.
Cloud Security – What to look for in tools that enable your responsibility
Automate Workload Discovery & Deployment
Audit and Correct: misconfigurations, gaps in posture, and missing control points
Detect & Assess: network rules and access points, and data usage
Control points:
• Anti-malware
• Host Firewall
• Intrusion Prevention
• Application Control
• File Integrity Monitoring
• Behavior Detection
• Discover & Monitor
Easily Identify Workload Type and Posture
Is it IaaS, PaaS, or SaaS?
**Is there anything here you’re not doing with your on-prem environment?**
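The basics from the previous slide (workload visibility, segmentation, east/west and access controls, identified stakeholders) applied to a cloud inventory, as an added example. This is not McAfee code and not any cloud provider's API: the inventory format, the `Workload`/`Rule` records and every entry in `SAMPLE` are constructed. The checks also use the shared-responsibility split: a missing host control point is only counted as our gap on IaaS, where the OS layer is ours, while a missing owner is a gap on every model because users and data are always ours.

```python
"""Applying the on-prem basics (visibility, segmentation, east/west and
access controls, identified stakeholders) to a cloud inventory.
Added example, not McAfee's code and not any provider's API; the inventory
format and every workload below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_network

MGMT_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM
ANY = ip_network("0.0.0.0/0")


@dataclass
class Rule:
    direction: str       # "in" or "out"
    proto: str           # "tcp", "udp" or "any"
    ports: tuple         # inclusive (low, high); (0, 65535) is every port
    cidr: str            # source for "in" rules


@dataclass
class Workload:
    name: str
    model: str           # "IaaS", "PaaS" or "SaaS"
    owner: str = ""      # stakeholder tag; empty means nobody identified
    agent: bool = False  # host control point present (anti-malware, host firewall, FIM)
    rules: list = field(default_factory=list)


def covers(rule: Rule, port: int) -> bool:
    return rule.ports[0] <= port <= rule.ports[1]


def audit(workloads) -> list:
    """Return (workload, category, detail) findings; one per gap found."""
    findings = []
    for w in workloads:
        if not w.owner:
            findings.append((w.name, "VISIBILITY", "no stakeholder/owner identified"))
        # Under the shared model the OS layer is ours only on IaaS, so that is
        # where a missing host control point is a gap we own.
        if w.model == "IaaS" and not w.agent:
            findings.append((w.name, "CONTROL-POINT", "IaaS host without endpoint controls"))
        for r in w.rules:
            if r.direction != "in":
                continue
            src = ip_network(r.cidr)
            if src == ANY and any(covers(r, p) for p in MGMT_PORTS):
                findings.append((w.name, "ACCESS", f"management port open to {r.cidr}"))
            if src.is_private and r.proto == "any" and r.ports == (0, 65535):
                findings.append((w.name, "SEGMENTATION", f"east/west any-any from {r.cidr}"))
    return findings


SAMPLE = [  # constructed inventory
    Workload("web-01", "IaaS", owner="app-team", agent=True, rules=[
        Rule("in", "tcp", (443, 443), "0.0.0.0/0"),   # fine: public HTTPS
        Rule("in", "tcp", (22, 22), "0.0.0.0/0"),     # gap: SSH to the world
    ]),
    Workload("db-01", "IaaS", rules=[
        Rule("in", "any", (0, 65535), "10.0.0.0/8"),  # gap: flat east/west
    ]),
    Workload("queue", "PaaS", owner="platform"),      # provider runs the OS
    Workload("crm", "SaaS"),                           # still our users and data
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Nothing in the checks is cloud-specific: the same four questions (who owns it, is there a control point, what is reachable from the Internet, what can talk to what inside) are the ones asked of an on-prem segment, which is the point of the bold statement that follows.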
Bold Statement:
Securing the cloud can be similar to securing an on-premises environment.
You want visibility into the environment.
You want applicable and useful control points, minimizing overlap or redundancy.
These control points may be provided by the cloud services themselves, but you own their usage.
Thus, you want an open architecture and integrated tools to seamlessly enable your desired posture and obligatory requirements.
Endpoint, Network, Cloud:
So where do I start?
▪ Start with your crown jewels, and move “outward”.
For most, visibility is key.
For some, there may be endpoints/devices that control critical infrastructure.
Others may have significant customer data to protect.
Still others have significant Intellectual Property to consider.
Others may be heavy into M&A activity, and need to onboard entities easily.
Some may have abandoned their entire corporate strategy and bet it all on crypto-currency.
True security is not an increasing patchwork of features.
True security is an integrated architecture that puts useful control points over the critical elements of an organization.
There is not a one-size-fits-all approach.
There are, however, common-sense approaches to securing an organization that acknowledge a non-constant, ever-evolving environment.
To Infinity and Beyond! You can do it, and you can do it great!
McAfee, the McAfee logo and [insert <other relevant McAfee Names>] are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the U.S. and/or other countries. Other names and brands may be claimed as the property of others. Copyright © 2017 McAfee LLC.