stop server incursions and unauthorized access: how to...
TRANSCRIPT
![Page 1: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/1.jpg)
1
Stop Server Incursions and Unauthorized Access: How to Defend Against APT Attacks
Percy Wadia, CISSP Prashant Khandelwal Sr. Manager, Product Mgmt., SCSP Sr. Product Manager, SCSP
Stop Server Incursions and Unauthorized Access
![Page 2: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/2.jpg)
SYMANTEC VISION 2012
Agenda
2
Cutting Through the Hype 1
Advanced Persistent Threats vs. Targeted Threats 2
Stop Server Incursions and Unauthorized Access
What is Critical System Protection? 3
How Critical System Protection can stop APTs 4
![Page 3: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/3.jpg)
SYMANTEC VISION 2012
Sophisticated Attacks Have Led To Increased Awareness
3 Stop Server Incursions and Unauthorized Access
![Page 4: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/4.jpg)
SYMANTEC VISION 2012
Categories of Compromised Assets by Percent of Breaches and Percent of Records (Enterprise Cos.)
Servers Are the Target – “Endpoints simply provide an initial foothold”
4
Verizon 2012 Data Breach Investigations Report: “… More Often Endpoints / User Devices Simply Provide An Initial “Foothold” Into The Organization, From Which The Intruder Stages The Rest Of Their Attack.”
of stolen data is from servers
97%
Case Studies: Meeting Compliance & Applying Proactive Prevention
![Page 5: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/5.jpg)
SYMANTEC VISION 2012
Exponential growth in Malware poses more risk than in previous years…
• Malicious attacks 81% in 2011(1)
• Attacks used advanced techniques, generating unique versions of malware
• Targeted Attacks avg. 82/day
– 58% of attacks were aimed at non-executive functions to gain foothold in organization
Stop Server Incursions and Unauthorized Access 5
1-Symantec Internet Security Threat Report April 2012 2-Verizon Data Breach Investigations Report 2012
![Page 6: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/6.jpg)
SYMANTEC VISION 2012
… But Security Execs Believe the Term APT is Overhyped…
Stop Server Incursions and Unauthorized Access 6
% of execs believe the term APT is being used excessively or in a misleading way Source: CSO Magazine Research, October 2011
6
![Page 7: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/7.jpg)
SYMANTEC VISION 2012
11%
38%
57%
70%
70%
Other (specify)
Distraction from solving APTs
Distraction from solving other pressing securityproblems
Confusion among IT executives
Confusion among non-IT executives
Source: CSO Magazine Research, October 2011
… Often leading to Confusion on how to effectively protect against them
7
What are the outcomes from the misuse of the term APT?
7
0 100%
Stop Server Incursions and Unauthorized Access
![Page 8: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/8.jpg)
SYMANTEC VISION 2012
How are Targeted Attacks and APTs Related?
8
Targeted Attacks
An APT is always a targeted attack, but a targeted attack is not necessarily an APT.
Targeted Attacks
APTs
Stop Server Incursions and Unauthorized Access
APTs are Different from Targeted Attacks: 1. Customized: Uses multiple attack vectors, that are customized to the target, not a generic burst of attack vectors
2. Low and Slow: Specifically designed to penetrate low-n-slow, to avoid detection, most likely stays under radar for a sustained period
3. Higher Aspirations: Seeking more than opportunistic gain, usually involves covert state actors
4. Specific Targets: Highly targeted to specific organizations (e.g., govt. agencies) and high-value targets
![Page 9: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/9.jpg)
SYMANTEC VISION 2012
The Advanced Persistent Threat
Stop Server Incursions and Unauthorized Access 9
1
Phishing
Drops
Malware
4
Data is
Gathered
2
Malware
Creates a
Back Door
3
Malware
Morphs &
Moves
Laterally
5
Remote
Command
& Control
Exfiltrates
Data
5 Steps …
![Page 10: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/10.jpg)
SYMANTEC VISION 2012
Agenda
10
Cutting Through the Hype 1
Advanced Persistent Threats vs. Targeted Threats 2
Stop Server Incursions and Unauthorized Access
What is Critical System Protection? 3
How Critical System Protection can stop APTs 4
![Page 11: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/11.jpg)
SYMANTEC VISION 2012
Nitro: An APT targeting organizations in the chemical industry
11 Stop Server Incursions and Unauthorized Access
![Page 12: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/12.jpg)
SYMANTEC VISION 2012
Nitro APT Phases
Socially engineered email sent
• Attachments installed Poison Ivy
• Common Remote Access Tool (RAT)
Gathered IP addresses and computer names from network
• Gathered password hashes to take off-machine for cracking
Gained admin credentials and access to critical servers
Captured data and moved it to internal staging servers
Data sent to C&C servers via port 80
12 Stop Server Incursions and Unauthorized Access
1
2
3
4
5
![Page 13: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/13.jpg)
SYMANTEC VISION 2012
Stuxnet: An APT targeted at industrial control systems in energy sector
13 Stop Server Incursions and Unauthorized Access
• Highly targeted, low and slow attack
– Specifically targeted Industrial Control Systems using Siemens Step 7 PLCs & software
– Discovered in June’10 but further analysis revealed presence since atleast a year ago
– More than 60% of infections were specifically in Iran, targeting energy / power plants
1
• Exploited Known, Unpatched Vulnerabilities
– Exploited 4 known Microsoft vulnerabilities, 2 for self-replication and 2 for escalation of execution privilege
2
• Multiple attack vectors to self-replicate and Auto-Update
– Self-replicates through removable drives exploiting auto-execution vulnerability
– Spreads in a LAN through a vulnerability in the Windows Print Spooler
– Copies & executes on remote computers through network shares or WinCC dB servers
– Contacts a command & control server to download and execute code, including updates
3
Customized attack, highly targeted to specific goals, low & slow exploitation, and aspirations beyond opportunistic gain
![Page 14: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/14.jpg)
SYMANTEC VISION 2012
Agenda
14
Cutting Through the Hype 1
Advanced Persistent Threats vs. Targeted Threats 2
Stop Server Incursions and Unauthorized Access
What is Critical System Protection? 3
How Critical System Protection can stop APTs 4
![Page 15: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/15.jpg)
SYMANTEC VISION 2012
Servers Are Attacked Differently than Laptops…
Vs.
69% of Breaches
95% of Records
81% of Breaches
99% of Records
15
Malware Hacking
Case Studies: Meeting Compliance & Applying Proactive Prevention
![Page 16: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/16.jpg)
SYMANTEC VISION 2012
… And Servers Have Unique Security Requirements
Case Studies: Meeting Compliance & Applying Proactive Prevention 16
Confidentiality
Integrity
Availability
Blanket, consistent protections more important
Change visibility less important. Just block malware.
Continuous availability less important. Reboots expected/OK
Targeted Protections based on housed data, function more important
Change visibility highly important. Who/what/where/when
Continuous availability highly important
Laptops/Desktops Server
Desktop-oriented Protections are largely a Subset of Server-oriented Protections
![Page 17: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/17.jpg)
SYMANTEC VISION 2012 Stop Server Incursions and Unauthorized Access
Symantec Critical System Protection Multi-layer protection for critical systems
• Restrict apps & O/S
behaviors
• Protect systems from
buffer overflow
• Intrusion prevention for
zero-day attacks
• Application control
• Monitor logs and security
events
• Consolidate & forward
logs for archives and
reporting
• Smart event response
for quick action
• Close back doors (block
ports)
• Limit network connectivity
by application
• Restrict traffic flow inbound
and outbound
• Lock down configuration &
settings
• Enforce security policy
• De-escalate user
privileges
• Prevent removable media
use
Network Protection (Host IPS)
Exploit Prevention
(Host IPS)
System Controls (Host IPS)
Auditing & Alerting (Host IDS)
Symantec Critical
System Protection 5.2
17
![Page 18: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/18.jpg)
SYMANTEC VISION 2012 Symantec Critical System Protection Overview May 2012
SCSP Architecture
Symantec Critical System Protection Architecture
SCSP Agents SCSP Agents Servers
Management Server
Desktops & Laptops
Management Console
HTTPS JDBC
Agent Registration
Policy Configuration
Event Logging
Policy Management
Agent Management
Real-time Monitoring
Users and Roles
SQL Data Store
Asset Data
Policies
Operational State
Event Data
HTTPS
Reporting
Event Logging
Scalability = 5K-8K agents/server
18
![Page 19: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/19.jpg)
SYMANTEC VISION 2012
Critical System Protection Key Capabilities
• Event Monitoring
• File Integrity Monitoring
• Intrusion Detection
• Host Firewall
• File and Configuration Lock Down
• Admin Access Control
• Malware and Exploit Prevention
• Device Control
• Application Control
• Centralized Management
• Out of Box Policy Templates
• Multiple OS Support
Symantec Critical System Protection Overview May 2012 19
Monitoring
(HIDS)
Prevention
(HIPS)
Ease of Management
SIN
GLE
SO
LUTI
ON
![Page 20: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/20.jpg)
SYMANTEC VISION 2012
IDS Capabilities Provide Alerting and Real-Time File Integrity Monitoring
… Email Client
Office
IE Browser
Web
… crond
RPC
LPD Printer
Core OS Services
Applications
Interactive Programs
Files
Create/Modify/Delete Files
Settings
Create/Modify/Delete Settings
System Operations Host System
System,
Application
& Security
Events System & Text Logs
1.
2.
3.
1.
2.
3.
SCSP collectors
gather events &
compare them to
IDS rule sets
(custom or library),
will monitor and
log what, where,
when and by
whom did changes
occur, all w/o
requiring OS
advanced logging
Upon a match, take action
Record event in local SCSP log
Se
nd
ale
rt to m
gm
t co
nso
le
…
How it Works
Stop Server Incursions and Unauthorized Access 20
![Page 21: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/21.jpg)
SYMANTEC VISION 2012
IPS Capabilities Provide Least Privilege Application Control (Sandboxing) to lockdown Servers
creates a “sandbox” or
“containment jail” for one
or more programs
(processes) using a policy
that defines least privilege
controls or “acceptable”
resource access
behaviors
Files
Registry
Network
Devices
Read/Write Data Files
Read Only Configuration Information
Usage of Selected Ports and Devices
… RSH Shell
Browser
Web
… crond
RPC
LPD Printer
Core OS Services
Applications
Interactive Programs
Granular Resource Constraints Host Programs
…
Most programs require a limited set of resources and access rights to perform normal functions
But most programs have privileges and resource rights far beyond what is required – attacks readily exploit this gap
Stop Server Incursions and Unauthorized Access 21
![Page 22: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/22.jpg)
SYMANTEC VISION 2012 Symantec Critical System Protection Overview May 2012
Is this resource
access allowed for
this process?
SCSP IPS Files
Registry
Network
Devices
Read/Write Data Files
Read Only Configuration Information
Usage of Selected Ports and Devices
SCSP Exploit Prevention Function
… Email Client
Office
Browser
Web
… crond
RPC
LPD Printer
Core OS Daemons
Application Daemons
Interactive Programs
Normal Resource Access Host Programs
…
• SCSP intercepts system
calls to/from the application
• The agent runs a limited
number of checks for each
OS call
22
Normal Resource Access Host Programs
![Page 23: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/23.jpg)
SYMANTEC VISION 2012
Agenda
23
Cutting Through the Hype 1
Advanced Persistent Threats vs. Targeted Threats 2
Stop Server Incursions and Unauthorized Access
What is Critical System Protection? 3
How Critical System Protection can stop APTs 4
![Page 24: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/24.jpg)
SYMANTEC VISION 2012
Defending Against APTs: Myths and Truths
Stop Server Incursions and Unauthorized Access 24
• What worked in the past can stop an APT • A single technology can stop an APT • Defending against unknown malware stops an APT • Employee education is sufficient
• Defense-in-depth is key – no silver bullet • Malware is just one component of an APT • People will always be the weakest link
MYTHS
TRUTHS
???
!
![Page 25: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/25.jpg)
SYMANTEC VISION 2012
What do APT’s Target on a Server?
Stop Server Incursions and Unauthorized Access 25
APTs attempt to change
critical system resources
Critical System Protection
Registry
Config Files
Portable Storage Devices
Applications
Operating System
Ensure File Integrity
Prevent Data Leakage
Prevent Targeted/ Advanced Malware
Prevent Rootkits
Ensure Registry Integrity
Memory Ensure Memory Protection
![Page 26: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/26.jpg)
SYMANTEC VISION 2012
How SCSP Protects Against APT’s
Stop Server Incursions and Unauthorized Access 26
Malware Spreads
CSP protects servers from compromise
CSP can segment key assets from potential high risk workstations
3
Backdoor
CSP prevents malware communication on endpoint
2
Phishing
SEP protects endpoint from compromise
1
Exfiltration
CSP prevents outbound communication to untrusted systems
CSP protects critical data on server from unauthorized users
4
![Page 27: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/27.jpg)
SYMANTEC VISION 2012
SCSP Provides out-of-the-box Policy Templates for greater flexibility & control
Targeted
Core OS Protection with Maximum Application Compatibility • OS Hardening + Buffer Overflow protection Core
Limits Execution of non-server applications • Strict + execution denial for interactive processes, unless in white-list
Limited Execution
Strict OS and Application control • Buffer Overflow + Network Lockdown + System file lockdown Strict
New
Customizable Policy for Specific, Targeted Prevention • Enables easy / fast build out of custom IPS policies in targeted stages,
sequentially enabling prevention capabilities
Stop Server Incursions and Unauthorized Access 27
![Page 28: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/28.jpg)
SYMANTEC VISION 2012
Targeted Prevention Policy
28 Stop Server Incursions and Unauthorized Access
What it does: Focuses on a few customer use cases
Black listing
White listing
Resource restriction
Network control
Memory protection
CSP Self Protection
Wide open, no restrictions by default
What it does not do
Lock down the core OS
Restrict inbound and outbound connections
De-escalate administrator rights
Govern good behavior of applications
Provide out of the box protection for several common applications
Prevent applications from starting
![Page 29: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/29.jpg)
SYMANTEC VISION 2012
Summary: Targeted Attacks and APTs are constantly reinventing themselves…
Malware variants exploit new zero-day vulnerabilities and leverage new attack vectors each day, making it challenging for security solutions to “keep up”
Stop Server Incursions and Unauthorized Access 29
Vulnerability or Attack Vector Targeted Attack/Malware/APT
MS Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability
Stuxnet Worm
Poison Ivy Trojan (sent as email attachment)
Nitro
IE Remote Code Execution Vulnerability
Hydraq (Operation Aurora)
Vulnerability in Windows Kernel-Mode Drivers
Duqu
![Page 30: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/30.jpg)
SYMANTEC VISION 2012
… and SCSP can protect against these attacks by focusing on enforcing “good” behavior
Stop Server Incursions and Unauthorized Access 30
Buffer Overflow Incursion via LNK vulnerability Spreads to USB drives and network using Print Spooler vulnerability, file shares, etc.
SCSP detects the Stuxnet buffer overflow Uses LPAC to confine process (no access to system resources)
Poison Ivy Trojan Spreads through email, injects itself into other processes to control machine
SCSP detects the execution of Poison Ivy Uses LPAC to prevent thread injection, stops registry modification and execution
IE Remote Code Execution Vulnerability Exploits IE vulnerability to open back door that allow remote attacker access to machine
SCSP blocks inbound/outbound network access Uses LPAC to block installation, stateless firewall prevents connection to C&C servers
Vulnerability in Windows Kernel-Mode Drivers Allows remote code execution if user opens a special document or visits a malicious Web page
SCSP blocks shell code from launching Uses LPAC to prevent launch of a shell to install programs, create accounts, manipulate files
Regardless of the attack vectors or vulnerabilities exploited by known or unknown threats, SCSP protects by leveraging least privilege application control features
![Page 31: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/31.jpg)
SYMANTEC VISION 2012
Critical System Protection Helps Organizations Achieve Key Business Initiatives
Case Studies: Meeting Compliance & Applying Proactive Prevention 31
Block Advanced Attacks
• Strong zero day protection
• “Least Privilege” sandbox prevents malicious behavior
• High performance: policy-based & signature-less
Patch Mitigation
• Secure against un-patched vulnerabilities
• Broad platform coverage (Over 33 platforms, physical and virtual)
• Reduce cost of custom platform support
Visibility into Compliance Posture
• Track and monitor user access real-time
• Monitor key files and report on changes with differentials
• Manage configuration drift : restrict access to only specified admin
![Page 32: Stop Server Incursions and Unauthorized Access: How to ...vox.veritas.com/legacyfs/online/veritasdata/SR B22.pdf · SYMANTEC VISION 2012 Agenda 2 1 Cutting Through the Hype 2 Advanced](https://reader036.vdocuments.us/reader036/viewer/2022081404/5f05cb477e708231d414bd40/html5/thumbnails/32.jpg)
Thank you!
Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Stop Server Incursions and Unauthorized Access 32