
Achieving Continuous Compliance for your Roaming Endpoints

Sandy Hawke, CISSP Manager, WW IBM Security Solutions

Agenda
Challenges for Endpoint Security & Compliance
Endpoint-specific Requirements Across the Regulations
Endpoint Management Architectures: Compared
Continuous Compliance Recommendations
Summary / Q&A

First the Disclaimer


Security doesn't always equal compliance. Compliance doesn't always mean you're secure. However, both goals are equally important and can be achieved in parallel, with the right strategy, technology, and process in place. And, compliance projects usually get the funding, right?!

Challenges for Endpoint Security and Compliance


Historical Approaches No Longer Work
Perimeter protection is still needed but must be tailored to today's environment

The Endpoint Explosion


Multiple device types/platforms (laptops, smart phones, POS, tablet PCs, etc.)
Roaming on steroids (endpoints connected anytime, anywhere, to any network)

Multiple Attack Vectors


Malware
IM / Social Networks
Phishing
Blended Threats

Disparate, disconnected security tools


Vulnerability assessment doesn't talk to the tool that actually fixes the vulnerability!

Constantly evolving compliance requirements and audit procedures



The Regulatory Tornado

www.unifiedcompliance.com

The Tornado . . . Organized

Endpoint Security Requirements: A Sample

Requirement                                                                | PCI            | ISO 27001     | CobIT   | NIST 800-53
Implement anti-malware and keep endpoints current                          | 5.1, 5.2       | A12.6         | DS5.9   | SI-3
Define, implement, and enforce security configuration baselines            | 2.1, 2.2, 6.2  | A12.1, A15.2  | DS9     | CM-2, 4, 6
Keep endpoints patched                                                     | 6.1            | A12.6         | DS5.9   | CM-2
Perform regular vulnerability scans and address findings                   | 11.2           | A12.6         | PO9.3   | RA-5
Keep a current network diagram; know when things are added to the network  | 1.1            | A7.1          | DS13.3  | CM-8
Install and maintain endpoint firewalls, NAC                               | 1.4            | A11.4         | DS5.10  | AC-19

The Endpoint Is The Perimeter


Yesterday
Configuration controls and audits focused on servers processing regulated data, plus general policies and processes
WAN, LAN, VPN: all computers had to connect to the network to get work done
AV, maybe a firewall on desktops and laptops; otherwise rely on network security protections

Today
Auditors are looking at the distributed environment in much more detail
Large numbers of roaming laptops, smart phones, tablets, etc.
Some rarely access the corporate network: they use Salesforce.com, Outlook HTTP access, Google Docs, etc.
Network security tools are a necessary layer, but they no longer protect many endpoints

Has this happened to you?

"Fix all these issues by the end of the week"

1. The security team develops compliance policies.
2. The security team runs an assessment tool (or tools) against that policy.
3. The security team forwards findings to ops.
4. Ops makes corrections as workload allows, one item at a time, using different tools from security (which generates different answers to questions like "how many endpoints do I have?").
5. Users make changes, causing endpoints to fall out of compliance again.
6. Start the assessment all over again.

The continuous compliance approach:
1. Security and ops work together to formulate policies and service-level agreements (SLAs).
2. Ops implements the baseline (patch, config, AV, etc.) across all endpoints in the organization.
3. Policy compliance is continuously monitored and enforced at the endpoint; changes are reported immediately.
4. The security team can check on the current state of security and compliance at any time (i.e. no separate assessment necessary).
5. Security and operations teams work together to continually strengthen security and adjust to evolving requirements.

Getting Back to Basics: Endpoint Security and Compliance


Know what OSes and third party software you have. And where. Identify usage patterns.
Remove software that's not required (or not being used!)

Precisely target patch updates.


My Mac doesn't know or care what an .exe is!
Don't forget about those roaming endpoints

Implement additional endpoint security tools


HIPS, FW, standard security configurations

Automate as much as possible
Bridge assessment with remediation



Today's Endpoint Management Requirements: Apply and Confirm Critical Patches in Hours
95%+ first-pass success rate
Confirmation is critical for proving compliance
"Spray and pray" is no longer adequate

Anytime, Anywhere, Any Connection


Inside and outside of the firewall
Bandwidth- and connection-aware


Today's Endpoint Management Requirements
Automated, Closed-Loop Patch Management and Policy Enforcement
One Tool for a Wide Variety of Endpoint Operating Systems and Platforms


Today's Endpoint Management Requirements


Self-Repair and Quarantine
Automatic re-application of patches
Take endpoints off the network until remediation is complete

Custom Policy Definition


Enables custom remediation
A Swiss Army knife for IT admins

Remote Control Capabilities


Reaching endpoints wherever they roam

Endpoint Management Architectures: Compared


Dumb Agents, Smart Servers
Server contains the policy repository, makes decisions, and sends instructions to agents
Agents do not autonomously enforce policies
Relies on polling and a distributed database repository

Smart Agents, Dumb Servers


Server distributes policies to endpoint agents
Agents store the policies and enforce them continuously
Bulk of processing is performed by the agents


Real-World Zero-Day Case Study


Incident Details
April 2008: 51 computers out of 3,000 displaying strange behavior:
  Running port scans against the network
  Continual reboot cycle
Infection by a new polymorphic virus (Zilcat / Sality.w / Sality.ae); no AV signatures available
Rapidly spread to 200+ computers
Initial Plan Proposed
Drive around to the offices, disconnecting machines from the network until DAT file updates were published

Real-World Zero-Day Case Study (continued)


Instead, They Used Endpoint Management
Identified infected machines across 3,000 endpoints in less than 180 seconds (a system.ini file change was the one common variable)
Auto-quarantined infected machines from the network
Automatically remediated infected machines via a single management port once AV updates were available
Lessons Learned:
When the first defense layer fails, have a workable Plan B
Real-time visibility and precise control are priceless
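As an added illustration of the "smart agents, dumb servers" model and of the case study's detection (example code written for this page, not IBM's or any product's): a minimal agent-side policy evaluator that holds its policies locally, reports only state changes rather than re-assessing from scratch, and flags a system.ini hash drift for quarantine. The policy names, the patch id "KB-EXAMPLE", and the file contents are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Policy:
    name: str
    noncompliant: Callable[[dict], bool]  # True when the endpoint violates the policy
    action: str                           # remediation to apply while it does


@dataclass
class Endpoint:
    name: str
    facts: dict                           # constructed local inventory (hashes, patches)
    state: Dict[str, bool] = field(default_factory=dict)  # last reported result per policy


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: hash of the known-good system.ini captured at enrollment.
BASELINE_SYSTEM_INI = sha256(b"[boot]\nshell=explorer.exe\n")

POLICIES = [
    Policy("system.ini matches baseline",
           lambda f: f["system_ini_hash"] != BASELINE_SYSTEM_INI, "quarantine"),
    Policy("required patch installed",   # "KB-EXAMPLE" is a hypothetical patch id
           lambda f: "KB-EXAMPLE" not in f["patches"], "patch"),
]


def evaluate(ep: Endpoint) -> List[Tuple[str, str]]:
    """Evaluate every policy on the endpoint; report only results that changed."""
    events = []
    for p in POLICIES:
        result = p.noncompliant(ep.facts)
        if ep.state.get(p.name) != result:      # first run, or the state flipped
            ep.state[p.name] = result
            events.append((p.name, p.action if result else "compliant"))
    return events


def needs_quarantine(fleet: List[Endpoint]) -> List[str]:
    """Fleet view the console answers from reported state, with no new scan."""
    return [ep.name for ep in fleet if ep.state.get("system.ini matches baseline")]


def case_study() -> List[List[Tuple[str, str]]]:
    """Walk one endpoint through the scenario: clean, infected, remediated."""
    ep = Endpoint("host-01", {"system_ini_hash": BASELINE_SYSTEM_INI, "patches": {"KB-EXAMPLE"}})
    rounds = [evaluate(ep), evaluate(ep)]              # initial report, then nothing new
    ep.facts["system_ini_hash"] = sha256(b"[boot]\nshell=explorer.exe\n; constructed tampering\n")
    rounds.append(evaluate(ep))                        # drift detected -> quarantine
    ep.facts["system_ini_hash"] = BASELINE_SYSTEM_INI  # remediated
    rounds.append(evaluate(ep))
    return rounds
```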

Key Take-aways
Traditional network perimeter controls are less relevant today because:
Laptops enter hostile environments
Attack vectors such as end-user documents and web surfing

Baking intelligence and policy enforcement into the endpoint is essential. Improved visibility, automation and control will improve security AND help us pass those audits!


To learn more
www.ibm.com/security
www.instituteforadvancedsecurity.com
www.youtube.com/ibmsecuritysolutions
Twitter:
www.twitter.com/ibmsecurity
www.twitter.com/ibmxforce

Questions?
Click on the questions tab on your screen, type in your question, name and e-mail address; then hit submit.
