SANS Technology Institute

Group Discussion/Written Project

GIAC Enterprises Desktop Protection

9/28/2008
Jim Beechey
Emilio Valente

1
Table of Contents
Table of Contents.........................................................................................2

Executive Summary.....................................................................................3

Market Survey Top 10 Vendors.................................................................4

Top Three Recommendations....................................................................10

Recommendation.......................................................................................12

Project Costs .............................................................................................13

Implementation Plan ..................................................................................14

Summary....................................................................................................16

References.................................................................................................17

2
Executive Summary
GIAC Enterprises has made a significant investment in securing web applications and
backend database infrastructure. These investments addressed several potential
vulnerabilities in our fortune cookie system. However, one weak link remains, the
security of our desktop computers.

Todays malware could potentially be used as a tool to steal our most precious asset,
our fortune cookie data. The malware threat continues to grow as it become easier to
create modified or custom malicious code that cannot be detected by signature-based
solutions. The number of unique malware samples received by AV-Test.org increased
from 333,000 in 2005 to 972,000 in 2006 and reached 5,490,000 in 2007. During
January and February 2008 alone we found more than 1.1 million samples spreading in
the internet. (1) In addition, todays attacks are often targeted at a specific company or
area of the company. Gone are the days when we can feel confident that someone will
produce a virus definition file in time to protect our critical assets.

During a recent competition at Defcon 16 called Race to Zero, competitors were asked
to attempt to push known exploits through antivirus software without detection. The
participants used various techniques to obfuscate the exploits to avoid detection.
Overall, the average detection rate of the antivirus engines was 60%. For some of the
attacks like Netsky.P and MS07-014, the average plummeted to 15-20%. (2) This
example illustrates the fundamental problem with signature based protection
mechanisms and underscores the concern GIAC Enterprises has over the security of
their desktop solutions.

As you will see in the full report, we are recommending a significant change in the way
we protect our desktop computers at GIAC Enterprises. The following proposal will
outline various options available on the market including a new approach called
application whitelisting. Application whitelisting involves changing the model from
signatures which detect known malware to locking down the entire computer and only
allowing known good applications to run.

During the Race to Zero competition at Defcon 16 noted above, the same obfuscated
exploits were run through an application whitelisting solution and the solution blocked
100% of the attacks. This example highlights the beauty of the application whitelisting
model and addresses GIAC Enterprises primary concern of undetected malware
stealing our fortune cookie data.

3
Market Survey Top 10 Vendors
Traditional antivirus solutions couple signature based antivirus protection with numerous
other system protection options. A full featured endpoint security product can have
several protection mechanisms such as: antivirus, antispyware, firewall, intrusion
prevention, rootkit detection, and protection for various applications (email, instant
messenger, P2P, registry settings). The end result is solutions which use signatures to
block known exploits and malware.

The problem with this blacklisting approach is that malware today is so dynamic and
targeted in nature that antivirus companies are having a tough time keeping up.
Malicious individuals are able to easily make variants of existing malware which are
undetectable by many signature based solutions.

Whitelisting solutions vary in that they do not allow any executable to run which has not
been explicitly allowed by the system administrator. They take the approach to block
everything and only allow known good applications to run. This approach can be
extremely effective against malicious code.

Due to whitelistings block everything approach, these solutions often require more
administrative overhead and could potentially have productivity impacts if not configured
properly. In addition, most whitelisting solutions do not protect against existing security
holes in applications, therefore a robust patch management strategy is still required.

Clearly, both methods have their strengths and weaknesses and in the end the best
solution is likely a combination of the two approaches. The following section details
various vendor offerings for desktop security solutions. The list is in no particular order.

Kaspersky Internet Security 2009 www.kaspersky.com

Kaspersky Internet Security 2009 is a full featured suite of protection

mechanisms including antivirus, antispyware, antispam, intrusion prevention and
vulnerability scanner.

Strengths:
The Kaspersky Antivirus product was CNET Editors choice 2 years running. The
product contains a virtual keyboard which is designed to thwart collection of
sensitive data by keyloggers. Hourly updates keep the application up to date
with changing threats. Kaspersky requires less hard drive space than competitors
(50MB).

Weaknesses:
Kaspersky costs more than the competition ($79.95).

Performance score (4):

4
 Excellent 8.0 ***Review was for Kaspersky Antivirus 7, not Internet Security
Suite***

Cost:
79.95

Check Point ZoneAlarm Internet Security Suite 2009 www.checkpoint.com

The Check Point ZoneAlarm Internet Security Suite is a collection of antivirus,

antispyware, antiphising and firewall protection. The product uses the Kaspersky
version 6 antivirus engine which has received high reviews.

Strengths:
The firewall included in the product has an auto learn function which allows users
to configure the firewall more quickly and effectively. The product keeps a
database of legitimate applications and matches these signatures against
installed applications. This minimizes the alerts and questions to the user and
only prompts for unusual activity. Check Point also includes identity theft and
fraud protection with a world-wide monitoring.

Weaknesses:
The product does not provide any backup or file shredding functionality.

Performance score (4):

Excellent 8.0 ***Review is for Internet Suite 7***

Cost:
$69.99

McAfee Internet Security 2008 www.mcafee.com

The McAfee Internet Security Suite contains various features including

antiphishing, antivirus, antispyware, firewall, backup and recovery.

Strengths:
McAfee also has some "state aware" capabilities which help to allow multimedia
applications (movies, slide shows, etc) to play without interruption by security
alerts or scans whenever you're in full-screen mode.
.
Weaknesses:
McAfee updates only occur daily whereas competitors update hourly. Technical
support costs $2.95 a minute or $39 per incident.

Performance score (4):

Very Good 7.3

5
Cost:
$69.99

Norton Internet Security 2009 www.symantec.com

Norton Internet Security 2009 is the upgrade to GIAC Enterprises current

antivirus solution Norton Internet Security 2008. This new version has several
new features including: up to the minute protection (updates every 5 to 15
minutes), identity theft protection, faster scans and a two-way internet firewall.

Strengths:
Norton is a fully featured product with numerous options. Up to the minute
updates give Norton a competitive advantage over other products.

Weaknesses:
Norton 2009 does not include any file backup/restore functionality, or security file
deletion.

Performance score (4):

Good 6.8 ***Norton 2008 Reviewed***

Cost:
$49.99 upgrade

Symantec Endpoint Protection Version 11 www.symantec.com

Symantec Endpoint Protection is the enterprise counterpart to Norton Internet Security

2009. Version 11 included significant changes from previous versions and include a
very rich feature set including: antivirus, antispyware, intrusion prevention, network
threat protection, DLP add-in and NAC capabilities.

Strengths:
Full featured enterprise level product covering all bases when it comes to end
point security.

Weaknesses:
SEP 11 is an expensive solution compared to alternatives. In addition, there are
features in the product that likely overlap with GIAC Enterprises existing DLP
solution. Setup and deployment appears to be a bit more complicated than
competitors products.

Cost:
$75-225 per client (4)

BitDefender Antivirus 2008 www.bitdefender.com

6
 The BitDefender suite provides protection against viruses, spyware, phishing
attacks, and rootkits,

Strengths:
BitDefender provides hourly updates and has an optional (in aggressive mode)
add-on web protection (malicious ActiveX and Javascripts). The suite costs less
than most competitors and requires only 50MB of hard-drive space. A unique
feature is BitDefenders identity privacy check for outgoing data.

Weaknesses:
The products configuration could be a little more straightforward by providing
more options and explanations.

Performance score (4):

Very good 7.8

Cost:
$24.95

Sunbelt Vipre Antivirus + Antispyware www.sunbeltsoftware.com

The Sunbelt Vipre suite includes antivirus and antispyware protection as well as
secure deletion of files and browser history.
.
Strengths:
Vipre shows hidden processes on the system that are potentially malicious. A
secure file erase function is an interesting feature not seen in other products.

Weaknesses:
No Firewall.

Performance score (4):

Very good 7.8

Cost:
$29.95

The Shield Deluxe 2008 www.pcsecurityshield.com

The Shield Deluxe 2008 combines reliable and efficient antivirus (Kaspersky
version 6) with spyware and adware protection.

Strengths:
The product provides free technical support via phone and email which is
uncommon for most solutions. The Shield Deluxe monitors programs and

7
 processes in memory and alerts for changes in both the file system and system
registry. The program only requires 32 MB RAM or higher and 65 MB free disk
space and it is optimized for laptops.

Weaknesses:
The Shield Deluxe does not come with a firewall.

Cost:
$30 per client (http://www.2009softwarereviews.com/)

Bit 9 Parity www.bit9.com

Bit9 Parity is an application whitelisting solution which allows administrators to

completely control what applications and executables are allowed to run on end
user desktop/laptop computers as well as servers. Bit9 is managed through a
central console and policies are deployed to agent software installed locally on
end user computers. Before running any executable, Bit9 compares the file
against its database of allowed applications and only runs those which have
been given permission. Bit9 users file hashes to identify which files are allowed
and which are not. The Bit9 agent can be used to protect both desktops and
servers.

Strengths:
Bit9 has an enormous database (over 6 billion) of files which makes setup and
maintenance of the system much easier. Administrators do not have to do any
cataloging or hashing of applications themselves.

Weaknesses:
Bit9 is for the Windows platform only. Application whitelisting typically can do
nothing to protect against vulnerabilities in existing software, therefore a robust
patch management strategy is still required.

Performance:
Bit9 scored five out of five stars for performance during a SC Magazine review.
(5)

Cost:
Bit9 costs around $30 per client.

CoreTrace Bouncer www.coretrace.com

CoreTrace Bouncer is an application whitelisting solution which allows

administrators to completely control what applications and executables are
allowed to run on end user desktop/laptops as well as Windows and Solaris
8
 servers. Bouncer is managed centrally through a console and policies are
pushed down to client computers and servers.

Strengths:
Bouncer runs at the kernel level, which allows it to provide more protection
against complex attacks such as rootkits.

Weaknesses:
Bouncer is expensive compared to other application whitelisting solutions.

Performance:
Bouncer requires very little system resources The BOUNCER client typically
takes up less than 20 MB, and uses less than 2 percent of the CPU.
(http://www.coretrace.com/products/solutions/government.aspx)

Cost:
Bouncer costs around $50 per client. (6)

9
Top Three Recommendations

Based upon our review of the marketplace, we have developed a top three list of
finalists for management review. Each solution has strengths and weaknesses as well
as specific considerations for GIAC Enterprises.

Option 1 Upgrade our existing solution, Norton 2008 to the current version.

Reasons For:

Very minimal change for end users and support staff. People are generally
comfortable with the interface and our system administrators have a comfort
level with the product
Up to the minute updates provide the quickest signature updates on the
market today.

Reasons Against:

Cost The upgrade cost will actually be more than several new products.
While the system has made several technical improvements, the issue of
unknown malware still appears to be a large problem.

Option 2 Purchase Check Point ZoneAlarm Internet Security Suite 2009

Reasons For:

Firewall capabilities are very impressive and would be helpful in securing

remote worker laptops and protecting internal systems from network
compromise.

The Check Point suite contains all the standard protection mechanisms you
would expect from an endpoint security suite.

Reasons Against:

The antivirus engine is licensed via an OEM agreement with Kaspersky. The
Kaspersky engine is highly thought of; however we have some concern as to
the long term viability of their agreement. What happens to our investment if
the OEM agreement ends and is not renewed? Further investigation is
necessary into this issue.
Again, while this product has made strides, it still relies heavily on signature
based technologies which does not address our unknown malware concern.

10
Option 3 Purchase Bit9 Parity Application Whitelisting Solution

Reasons For:

This solution addresses our concern regarding the detection of unknown

malware by blocking the execution of unknown programs.
This product also helps with workstation lockdown and concerns over
employee productivity loss due to non-work related applications.
Bit9 has the industrys leading database of file intelligence with over 6 billion
files cataloged to date. Files are both malicious and non-malicious. This tool
helps to accurately define whitelisting policies, quickly create necessary
exceptions and research potential malicious code.
Bit9 makes policy development easier by providing the administrator the
ability to whitelist applications based upon the digital signature. For instance
we could easily allow all our GIAC Enterprises custom applications to be run
since our developers digitally sign all their code.
At around $30 per workstation, the price is very comparable, if not less, than
many signature based endpoint security solutions.

Reasons Against:

Application Whitelisting is still an evolving technology and with that comes

some risk of what future threats could pose to the model.
Bit9 appears to be a strong company; however they are also ripe for purchase
by one of the existing players in the market. The founders of Bit9 previously
founded and sold Okena to Cisco.
Bit9 cannot protect workstations from attacks against vulnerable applications.
For instance, an older copy of Apple Quicktime would still be vulnerable to
certain attacks. Signature based tools may be able to address some of these
vulnerabilities in the host based intrusion prevention modules.
Possible productivity loss due to incorrectly configuring the Bit9 system. If
incorrectly configured, Bit9 will block required business applications. GIAC
Enterprises will need to provide an efficient process for addresses and
responding to those concerns.

11
Recommendation
Our recommendation is for GIAC Enterprises to purchase Bit9 Parity for all end user
workstations. We feel that application whitelisting is the only way to truly reduce the risk
of un-known malware to a suitable level. We also liked the added benefit of eliminating
applications which impact employee productivity.

From a technical perspective, we chose Bit9 for several reasons. First and foremost on
the list was Bit9s robust database of application intelligence. This system will allow our
administrators to quickly create baseline policies and adapt those policies to the
changing needs of our business. Second, the Bit9 solution will be able to control our
entire workstation environment centrally from a single console. We need this ease of
management given the size of our company and IT staff.

Certainly this recommendation is not without some level of risk as it is a significant

change in thinking from a protection standpoint. We would like to address to potential
weaknesses discussed in our top three recommendation section. First, we would like to
address the issue of application whitelistings inability to protect against vulnerabilities
within known good applications. We feel that this risk has already been mitigated to an
acceptable level since GIAC Enterprises already has a proven security patch
management system. We simply would note that continued diligence in this area is
required. Second, we would like to address the issue of potential loss of productivity
due to blocking a business critical application. We recommend that GIAC Enterprises
implement a new Help Desk process by which any incoming support call which
indicates that one of our business critical applications has been blocked is given a high
priority ticket so that these issues can be addressed as quickly as possible. Any issues
such as this would likely have an impact on multiple employees and departments and
needs to be addressed quickly.

We believe that this quote sums up the current state of malware protection best and is
interesting given it come from the CTO of Symantec, the maker of our current solution,
Norton 2008. "If the trend continues and bad programs outnumber good ones, then
scanning for legitimate applications (whitelisting) makes more sense from both an
efficiency and effectiveness perspective." Mark Bregman, CTO, Symantec
Corporation (7)

12
Project Costs Assuming 250 Workstations
Description Unit Cost Total Cost

Bit9 Parity Software Purchase $30 7500

Annual Subscription to Parity Console 750 750

10% of purchase price
Annual Support 1500 1500
20% of purchase price
Server Hardware Parity Console 5,000 5,000

Total Cost Year 1 14,750

Total Cost Year 2 17,000
Total Cost Year 3 19,250

13
Implementation Plan GIAC Enterprises Bit9
Implementation

Objective: Implement Bit9 Parity as a single tool to protect user workstations from
malware.

Phase 1
Start date: September 27, 2008
End date: September 28, 2008

Milestones:
Executive summary
Market survey
Top Three Recommendations
Final Recommendation
Determine Costs
Project plan
Oral presentation of the proposal.
Acceptance of proposal

Resources assigned: 2 Full Time Employees (FTEs)

Phase 2
Start date: October 1, 2008
End date: October 15, 2008

Milestones:
Contact Bit9
Install evaluation versions of their product and test thoroughly

Resources assigned: 2 Full Time Employees (FTEs)

Phase 3
Start date: October 16, 2008
End date: October 31, 2008

Milestones:
Assuming positive evaluation, contact Bit9 to begin purchase process
Negotiate contract, pricing and support
Purchase product

Resources assigned: 2 Full Time Employees (FTEs)

14
Phase 4
Starting date: November 01, 2008
End date: November 30, 2008
Milestones:
Install and configure full version in lab environment
Create various application whitelisting policies with the Bit9 system
Perform pre-production testing of system performance
Perform analysis of the compatibility with existing production programs in lab

Resources assigned: 2 Full Time Employees (FTEs)

Phase 5
Starting date: December 01, 2008
End date: December 15, 2008

Milestones:
Install full version on production desktops
Address any unforeseen issues in production
Ensure Help Desk process for noting any problems with business critical
applications has been deployed.

Resources assigned: 2 Full Time Employees (FTEs)

15
Summary
Thank you GIAC Enterprises staff for taking the time to review our proposal. We feel
that the proposed solution and project plan will provide the protection required of our
desktop computers while not inhibiting system performance or employee effectiveness.
We would be happy to address any additional question or concerns you have a look
forward to hearing your decision regarding the proposed project.

16
References
1 Alex Eckelberry, Sunbelt Software Blog,
http://sunbeltblog.blogspot.com/2008/03/march-test-results-of-antivirus.html

2 http://www.coretrace.com/news/press_releases/press_release_defcon16.aspx

3 http://www.cnet.com/topic-reviews/antivirus.html

4 Matthew D. Sarrel, PC Magazine, Symantec Endpoint Protection 11

http://www.pcmag.com/article2/0,1895,2234123,00.asp

5 Justin Peltier, SC Magazine, Bit9 Parity http://www.scmagazineus.com/Bit9-

Parity/Review/2548/

6 http://products.enterpriseitplanet.com/security/anti-virus/1221159869.html

7 http://www.coretrace.com/products/benefits/malware_viruses.aspx

17