9/28/2008
Jim Beechey
Emilio Valente
1
Table of Contents
Table of Contents.........................................................................................2
Executive Summary.....................................................................................3
Recommendation.......................................................................................12
Summary....................................................................................................16
References.................................................................................................17
Executive Summary
GIAC Enterprises has made a significant investment in securing web applications and
backend database infrastructure. These investments addressed several potential
vulnerabilities in our fortune cookie system. However, one weak link remains: the
security of our desktop computers.
Today's malware could potentially be used as a tool to steal our most precious asset,
our fortune cookie data. The malware threat continues to grow as it becomes easier to
create modified or custom malicious code that cannot be detected by signature-based
solutions. The number of unique malware samples received by AV-Test.org increased
from 333,000 in 2005 to 972,000 in 2006 and reached 5,490,000 in 2007. During
January and February 2008 alone we found more than 1.1 million samples spreading on
the internet. (1) In addition, today's attacks are often targeted at a specific company or
area of the company. Gone are the days when we can feel confident that someone will
produce a virus definition file in time to protect our critical assets.
During a recent competition at Defcon 16 called Race to Zero, competitors were asked
to attempt to push known exploits through antivirus software without detection. The
participants used various techniques to obfuscate the exploits to avoid detection.
Overall, the average detection rate of the antivirus engines was 60%. For some of the
attacks, like Netsky.P and MS07-014, the average plummeted to 15-20%. (2) This
example illustrates the fundamental problem with signature-based protection
mechanisms and underscores the concern GIAC Enterprises has over the security of
its desktop solutions.
As you will see in the full report, we are recommending a significant change in the way
we protect our desktop computers at GIAC Enterprises. The following proposal will
outline various options available on the market including a new approach called
application whitelisting. Application whitelisting involves changing the model from
signatures which detect known malware to locking down the entire computer and only
allowing known good applications to run.
During the Race to Zero competition at Defcon 16 noted above, the same obfuscated
exploits were run through an application whitelisting solution, and the solution blocked
100% of the attacks. This example highlights the beauty of the application whitelisting
model and addresses GIAC Enterprises' primary concern of undetected malware
stealing our fortune cookie data.
Market Survey: Top 10 Vendors
Traditional antivirus solutions couple signature-based antivirus protection with numerous
other system protection options. A full-featured endpoint security product can have
several protection mechanisms such as antivirus, antispyware, firewall, intrusion
prevention, rootkit detection, and protection for various applications (email, instant
messenger, P2P, registry settings). The end result is a solution which uses signatures to
block known exploits and malware.
The problem with this blacklisting approach is that malware today is so dynamic and
targeted in nature that antivirus companies are having a tough time keeping up.
Malicious individuals are able to easily make variants of existing malware which are
undetectable by many signature-based solutions.
Whitelisting solutions differ in that they do not allow any executable to run which has not
been explicitly allowed by the system administrator. They take the approach of blocking
everything and only allowing known good applications to run. This approach can be
extremely effective against malicious code.
Due to whitelisting's block-everything approach, these solutions often require more
administrative overhead and could potentially have productivity impacts if not configured
properly. In addition, most whitelisting solutions do not protect against existing security
holes in applications, so a robust patch management strategy is still required.
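To make the contrast between the two models concrete, here is a toy illustration written for this page (it is not code from the report or from any vendor): a blacklist that matches a byte signature against a whitelist that checks SHA-256 hashes, run over constructed sample "binaries". The signature string, the sample bytes and the program names are all invented; the approval step at the end shows the administrative overhead of re-baselining after a patch.

```python
import hashlib

# Constructed sample "executables" (not real binaries); all byte strings are invented.
KNOWN_GOOD_APP = b"MZ\x90\x00fortune-cookie-editor v3"
PATCHED_GOOD_APP = b"MZ\x90\x00fortune-cookie-editor v4"  # same app after a patch
KNOWN_MALWARE = b"MZ\x90\x00EVIL_SIG_1337 steal fortunes"
# The same payload with one junk byte inserted inside the signature: the kind of
# trivial change that defeats an exact-match signature, as in the Race to Zero results.
OBFUSCATED_VARIANT = b"MZ\x90\x00EVIL_SIG\x00_1337 steal fortunes"

# Blacklist model: a signature database of byte patterns for known malware.
SIGNATURES = {"Sample.A": b"EVIL_SIG_1337"}

# Whitelist model: SHA-256 hashes of binaries the administrator explicitly approved.
APPROVED_HASHES = {hashlib.sha256(KNOWN_GOOD_APP).hexdigest()}


def blacklist_allows(binary: bytes) -> bool:
    """Signature-based AV: run it unless a known signature matches."""
    return not any(sig in binary for sig in SIGNATURES.values())


def whitelist_allows(binary: bytes) -> bool:
    """Application whitelisting: run it only if its exact hash is approved."""
    return hashlib.sha256(binary).hexdigest() in APPROVED_HASHES


def approve(binary: bytes) -> None:
    """Administrator re-baselines after a legitimate update (the overhead cost)."""
    APPROVED_HASHES.add(hashlib.sha256(binary).hexdigest())


def compare(binary: bytes) -> dict:
    """Decision of each model for one binary: True means 'allowed to run'."""
    return {"blacklist": blacklist_allows(binary), "whitelist": whitelist_allows(binary)}


if __name__ == "__main__":
    samples = [("known good", KNOWN_GOOD_APP), ("known malware", KNOWN_MALWARE),
               ("obfuscated variant", OBFUSCATED_VARIANT), ("patched good", PATCHED_GOOD_APP)]
    for name, sample in samples:
        print(f"{name:20} {compare(sample)}")
    approve(PATCHED_GOOD_APP)
    print(f"{'patched, approved':20} {compare(PATCHED_GOOD_APP)}")
```

Note that the patched, still-legitimate binary is blocked by the whitelist until it is approved, which is exactly why the whitelist model needs a change-management process alongside patching.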
Clearly, both methods have their strengths and weaknesses and in the end the best
solution is likely a combination of the two approaches. The following section details
various vendor offerings for desktop security solutions. The list is in no particular order.
Strengths:
The Kaspersky Antivirus product was CNET Editors' Choice 2 years running. The
product contains a virtual keyboard which is designed to thwart collection of
sensitive data by keyloggers. Hourly updates keep the application up to date
with changing threats. Kaspersky requires less hard drive space than competitors
(50MB).
Weaknesses:
Kaspersky costs more than the competition ($79.95).
Cost:
79.95
Strengths:
The firewall included in the product has an auto learn function which allows users
to configure the firewall more quickly and effectively. The product keeps a
database of legitimate applications and matches these signatures against
installed applications. This minimizes the alerts and questions to the user and
only prompts for unusual activity. Check Point also includes identity theft and
fraud protection with a world-wide monitoring.
Weaknesses:
The product does not provide any backup or file shredding functionality.
Cost:
$69.99
Strengths:
McAfee also has some "state aware" capabilities which help to allow multimedia
applications (movies, slide shows, etc) to play without interruption by security
alerts or scans whenever you're in full-screen mode.
Weaknesses:
McAfee updates only occur daily whereas competitors update hourly. Technical
support costs $2.95 a minute or $39 per incident.
Cost:
$69.99
Strengths:
Norton is a fully featured product with numerous options. Up to the minute
updates give Norton a competitive advantage over other products.
Weaknesses:
Norton 2009 does not include any file backup/restore functionality or secure file
deletion.
Cost:
$49.99 upgrade
Strengths:
Full featured enterprise level product covering all bases when it comes to end
point security.
Weaknesses:
SEP 11 is an expensive solution compared to alternatives. In addition, there are
features in the product that likely overlap with GIAC Enterprises' existing DLP
solution. Setup and deployment appear to be a bit more complicated than
competitors' products.
Cost:
$75-225 per client (4)
Strengths:
BitDefender provides hourly updates and has an optional (in aggressive mode)
add-on web protection (malicious ActiveX and JavaScript). The suite costs less
than most competitors and requires only 50MB of hard-drive space. A unique
feature is BitDefender's identity privacy check for outgoing data.
Weaknesses:
The product's configuration could be a little more straightforward by providing
more options and explanations.
Cost:
$24.95
The Sunbelt Vipre suite includes antivirus and antispyware protection as well as
secure deletion of files and browser history.
Strengths:
Vipre shows hidden processes on the system that are potentially malicious. A
secure file erase function is an interesting feature not seen in other products.
Weaknesses:
No Firewall.
Cost:
$29.95
The Shield Deluxe 2008 combines reliable and efficient antivirus (Kaspersky
version 6) with spyware and adware protection.
Strengths:
The product provides free technical support via phone and email, which is
uncommon for most solutions. The Shield Deluxe monitors programs and
processes in memory and alerts for changes in both the file system and system
registry. The program only requires 32 MB RAM or higher and 65 MB free disk
space, and it is optimized for laptops.
Weaknesses:
The Shield Deluxe does not come with a firewall.
Cost:
$30 per client (http://www.2009softwarereviews.com/)
Strengths:
Bit9 has an enormous database (over 6 billion) of files which makes setup and
maintenance of the system much easier. Administrators do not have to do any
cataloging or hashing of applications themselves.
Weaknesses:
Bit9 is for the Windows platform only. Application whitelisting typically can do
nothing to protect against vulnerabilities in existing software, therefore a robust
patch management strategy is still required.
Performance:
Bit9 scored five out of five stars for performance during a SC Magazine review.
(5)
Cost:
Bit9 costs around $30 per client.
Strengths:
Bouncer runs at the kernel level, which allows it to provide more protection
against complex attacks such as rootkits.
Weaknesses:
Bouncer is expensive compared to other application whitelisting solutions.
Performance:
Bouncer requires very few system resources. The BOUNCER client typically
takes up less than 20 MB and uses less than 2 percent of the CPU.
(http://www.coretrace.com/products/solutions/government.aspx)
Cost:
Bouncer costs around $50 per client. (6)
Top Three Recommendations
Based upon our review of the marketplace, we have developed a top three list of
finalists for management review. Each solution has strengths and weaknesses as well
as specific considerations for GIAC Enterprises.
Option 1: Upgrade our existing solution, Norton 2008, to the current version.
Reasons For:
Very minimal change for end users and support staff. People are generally
comfortable with the interface, and our system administrators have a comfort
level with the product.
Up-to-the-minute updates provide the quickest signature updates on the
market today.
Reasons Against:
Cost: The upgrade cost will actually be more than several new products.
While the system has made several technical improvements, the issue of
unknown malware still appears to be a large problem.
Reasons For:
The Check Point suite contains all the standard protection mechanisms you
would expect from an endpoint security suite.
Reasons Against:
The antivirus engine is licensed via an OEM agreement with Kaspersky. The
Kaspersky engine is highly thought of; however we have some concern as to
the long term viability of their agreement. What happens to our investment if
the OEM agreement ends and is not renewed? Further investigation is
necessary into this issue.
Again, while this product has made strides, it still relies heavily on signature-
based technologies, which do not address our unknown malware concern.
Option 3: Purchase Bit9 Parity Application Whitelisting Solution
Reasons For:
Reasons Against:
Recommendation
Our recommendation is for GIAC Enterprises to purchase Bit9 Parity for all end user
workstations. We feel that application whitelisting is the only way to truly reduce the risk
of unknown malware to a suitable level. We also liked the added benefit of eliminating
applications which impact employee productivity.
From a technical perspective, we chose Bit9 for several reasons. First and foremost on
the list was Bit9's robust database of application intelligence. This system will allow our
administrators to quickly create baseline policies and adapt those policies to the
changing needs of our business. Second, the Bit9 solution will be able to control our
entire workstation environment centrally from a single console. We need this ease of
management given the size of our company and IT staff.
We believe that this quote sums up the current state of malware protection best and is
interesting given that it comes from the CTO of Symantec, the maker of our current solution,
Norton 2008. "If the trend continues and bad programs outnumber good ones, then
scanning for legitimate applications (whitelisting) makes more sense from both an
efficiency and effectiveness perspective." Mark Bregman, CTO, Symantec
Corporation (7)
Project Costs (Assuming 250 Workstations)
Description Unit Cost Total Cost
Implementation Plan: GIAC Enterprises Bit9 Implementation
Objective: Implement Bit9 Parity as a single tool to protect user workstations from
malware.
Phase 1
Start date: September 27, 2008
End date: September 28, 2008
Milestones:
Executive summary
Market survey
Top Three Recommendations
Final Recommendation
Determine Costs
Project plan
Oral presentation of the proposal.
Acceptance of proposal
Phase 2
Start date: October 1, 2008
End date: October 15, 2008
Milestones:
Contact Bit9
Install evaluation versions of their product and test thoroughly
Phase 3
Start date: October 16, 2008
End date: October 31, 2008
Milestones:
Assuming positive evaluation, contact Bit9 to begin purchase process
Negotiate contract, pricing and support
Purchase product
Phase 5
Starting date: December 01, 2008
End date: December 15, 2008
Milestones:
Install full version on production desktops
Address any unforeseen issues in production
Ensure Help Desk process for noting any problems with business critical
applications has been deployed.
Summary
Thank you, GIAC Enterprises staff, for taking the time to review our proposal. We feel
that the proposed solution and project plan will provide the protection required for our
desktop computers while not inhibiting system performance or employee effectiveness.
We would be happy to address any additional questions or concerns you have and look
forward to hearing your decision regarding the proposed project.
References
1. Alex Eckelberry, Sunbelt Software Blog,
http://sunbeltblog.blogspot.com/2008/03/march-test-results-of-antivirus.html
2. http://www.coretrace.com/news/press_releases/press_release_defcon16.aspx
3. http://www.cnet.com/topic-reviews/antivirus.html
6. http://products.enterpriseitplanet.com/security/anti-virus/1221159869.html
7. http://www.coretrace.com/products/benefits/malware_viruses.aspx