Sanctuary EndPoint Management

1
SanctuaryEnd-Point Management

• Bill Aubin

Vice President, North American Sales
Version 3.4
2
My Contact info

• Bill Aubin VP, North American Sales
  (703)724-1032 - Office bill.aubin_at_securewave.com
    Eric Vanderbur Pre-Sales Engineer
  (703)980-0951 - Cell eric.vanderbur_at_securewave.c
  om

3
Agenda

• SecureWave Overview
• The Challenge
• Why Sanctuary
• Uncontrolled Device Use
• Beyond Security Questions

4
SecureWave Corporate Overview
5
SecureWave Value Proposition
SecureWaves Sanctuary platform provides
policy-based threat prevention solutions for
Global 2000 Enterprises
What Do We Do?
1,500,000 enterprise workers in 1,000
accounts rely on our security solutions
Who are our Customers?
The Sanctuary platform secures Personal
Computers/Laptops, Thin Clients, Servers, and
Terminal Servers against tomorrows malware today
at the point of execution and prevents
unauthorized device usage
Our Product Portfolio
Sanctuary shifts customers away from reactive
security models through a positive policy-based
application and device control model
What Makes Us Unique?
6
Strategic Technology Partners
Technology Partners

• "Companies in all fields can easily administer
  and centrally manage their endpoint security
  solutions with SecureWave's Sanctuary suite."
• SecureWave and Network Access Protection will
  improve overall network security by decreasing
  the risk of virus attacks and malware introduced
  to an organization's network, as well as the
  possibility of data theft associated with mobile
  devices.
• Steve Anderson, Director
• Windows Server Group
• Microsoft

7
Sanctuary Platform A Complete Solution
8
The Challenge

• Current Security Events

9
Todays Hot Topic IT security threats
Percentage of firms that rated the following as
one of the top threats to their organizations
Base 149 technology decision-makers at North
American SMBs and Enterprises (multiple response
accepted)
Natalie Lambert - Analyst January 31, 2006
10
Todays hot Topic Patching

• Microsoft's delay to patch fuels
  concernsMicrosoft's decision to cancel a
  security fix after finding problems with the
  patch has security experts questioning whether
  waiting for the fix to come next month might
  leave them open to attack.
• Robert Lemos, SecurityFocus 2005-09-13
• Unofficial patch WMF Exploit
• For those of you wanting to try an unofficial
  patch with all the risks involved, please see
  here. (md5 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP
  signature (signed with ISC key) here. Initially
  it was only for Windows XP SP2.  Fellow handler
  Tom Liston worked with Ilfak Guilfanov to help
  confirm some information required to extend it to
  cover Windows XP SP1 and Windows 2000.Note When
  MS comes out with a real patch, simply uninstall
  this from Add/Remove programs on the Control
  Panel.
• SANS Institute
• Internet Storm Center

11
Todays Hot Topic Zero Day Virus Protection

• Virus Fighters Can't Keep UpFast-moving
  malware has the antivirus industry looking for a
  new strategy that focuses on proactive, automated
  tools.

"The majority of products are unable even to
guarantee 90 protection. And this is the main
problem facing the antivirus industry today." -
Eugene Kaspersky
Thomas Claburn Dec 19, 2005 1200 AM
12
Todays Hot Topic Zero Day Virus Protection

• Kaspersky Lab receives 200 to 300 new malware
  samples a day. Sophos plc, a U.K. research lab,
  reports that the number of new threats rose by
  48 this year. Panda Software warns that more
  than 10,000 new bots--automated worms or Trojans
  that infest PCs and turn them into zombies under
  a hacker's control--have appeared in 2005. "The
  game has definitely changed over the past few
  years, even in the past 12 months, about what is
  an acceptable speed of response to a new virus,"
  says Richard Wang, manager of Sophos labs.
• InformationWeek
• Dec 19, 2005 1200 AM

13
Todays Hot Topic SpyWare Protection

• If you use the Internet, there is over a 90
  chance your computer is infected with SpyWare -
• 20 of all of our Support related calls are
  SpyWare related
• Dell Computer
• Nearly 80 of IT managers claim their
  organizations have been infiltrated in the last
  12 months by spyware.
• Information Week

Computer Security News 2/06/2006
USA TODAY 6/15/2004
InformationWeek Dec 19, 2005 1200 AM
14
In the News Unauthorized Applications

• Hackers Tap 40 Million Credit Cards
• "It looks like a hacker gained access to
  CardSystems' database and installed a script that
  acts like a virus, searching out certain types of
  card transaction data," said MasterCard
  spokeswoman Jessica Antle.
• MasterCard and CardSystems said that of the more
  than 40 million accounts exposed, information on
  only 68,000 Mastercard accounts, 100,000 Visa
  accounts and 30,000 accounts from other card
  brands are known to have been exported by the
  hackers. The data exported included names, card
  numbers and card security codes..

CNN/Money senior writer By Jeanne Sahadi, July
27, 2005
15
Blacklists dont work

• Over 100,000 signatures and growing daily .
• But offers no protection against ZERO-DAY
  attacks.

16
Todays Hot Topic SpyWare Protection

• If you use the Internet, there is over a 90
  chance your computer is infected with SpyWare -
• 25 of all of our Support related calls are
  SpyWare related
• Dell Computer
• Nearly 80 of IT managers claim their
  organizations have been infiltrated in the last
  12 months by spyware.
• Information Week

17
In the News Unauthorized Applications

• Hackers Tap 40 Million Credit Cards
• MasterCard International said card numbers and
  expiration dates were harvested by a rogue
  program planted inside the computer network at
  CardSystems Inc., one of the firms that process
  merchant requests for credit card authorization.
  When a retailer swipes a customer's card, the
  information goes to companies such as CardSystems
  for approval before getting passed along to
  banks.

18
Legitimate or Dangerous Devices
19
What actions to take

• Develop a policy for the use of removable media
• Gartner (July 2004) advises companies to forbid
  employees to use iPods and other USB/FireWire
  devices

20
Why Sanctuary?
21
Why Sanctuary ?

• Corporate Security issues
• Competitive losses, lawsuits
• New Technologies/Behaviors
• Remote Access VPNs, 2.5/3G, Broadband and roaming
  WiFi availability
• Data portability and sharing
• Keyloggers, Trojans, Bots, Spyware
• Legal and Privacy exposures
• Regulatory compliance
• HIPAA, Sarbanes-Oxley, GLBA, Basel II, etc.

22
Why Sanctuary ?
80 of enterprises experienced malware attacks in
2004 while 99 had Fire Walls and 80 have
Anti-Virus solutions In Q1 of 2005 more than 55
percent of corporate PCs were infected by
spyware One out of every fifteen computers is
infected with a key logger.

• Corporate Security breaches
• Competitive losses, lawsuits

23
Why Sanctuary ?
New Technologies/Behaviors
24
Why Sanctuary ?
HIPAA 55 of all Required Implementation
Specifications (11/20) 64 of all Addressable
Implementation Specifications (14/22) 60 of all
Implementation Specifications together
(25/42) Sarbanse Oxley 105 Protection against
violation of confidentiality 302 Prevents
unauthorized modification, destruction of
data 404 Safeguards against unauthorized and
improper use of data 409 Real-time reporting and
event-driven alerts GLBA
(Gramm-Leach-Bliley Act) 501 (a) Privacy
Obligation Policy.It is the policy of the
Congress that each financial institution has an
affirmative and continuing obligation to respect
the privacy of its customers and to Protect the
security and confidentiality of those customers
nonpublic personal information.

• Regulatory compliance
• HIPAA
• Sarbanes-Oxley
• GLBA
• Basel II
• Governance Framework
• More

25
Challenge The Uncontrolled Device Threat
26
The Device Control Problem
Music Files? OR Your Customer Database to Go?
27
The Device Control Problem
Cool Gadget OR New Entry Point for Malware?
28
Sanctuary Device Control
Manage Devices and Access Control Protect All
Ports
TREO MP3
29
Managed Device Access Control
Users
Kernel Driver
List of classes known devices
Known Device Checking
Device Access Request
DEVICE CLASS LISTED DEVICES
Known Device?
Authorization
Access Control List (ACL)
30
Managed Device Access Control
Users
Kernel Driver
List of classes known devices
Known Device Checking
Device Access Request
USER DEFINED DEVICE TYPE
Known Device?
Known Device?
Authorization
Authorization
Access Control List (ACL)
31
Challenge Unauthorized, illegal and unwanted
executables
32
Malware Threat
33
Sample of Unauthorized Software
34
Todays Countermeasures at Glance
Malware
Applications
R I S K

• Known
• Viruses
• Worms
• Trojans
• Spyware

• Authorized
• Operating Systems
• Business Software

• Unknown
• Viruses
• Worms
• Trojans
• Spyware

• Unauthorized
• Games
• Shareware
• Unlicensed
• Software

35
SecureWave Sanctuary Application Control
Malware
Applications

• Known
• Viruses
• Worms
• Trojans
• Spyware

Stops Malware COLD!

• Authorized
• Operating Systems
• Business Software

• Unknown
• Viruses
• Worms
• Trojans
• Spyware

• Unauthorized
• Games
• Shareware
• Unlicensed Software

36
Authenticated ExecutionTrusted Code Execution
Users
Kernel Driver
File signature generation using SHA-1 hash
Application Execution Request
0x20ee7cf645efeba7C81bd660fe307
Comparison with list of centrally authorized
files signature
Authorization
0x4969b6ca2e9651565c75338bcbb1
No Matching Signature
0x20ee7cf645efeba7C81bd660fe307
Log
37
Authenticated ExecutionDefault Deny
Users
Kernel Driver
File signature generation using SHA-1 hash
Application Execution Request
0x20ee7cf645efeba7C81bd660fe307
Comparison with list of centrally authorized
files signature
Authorization
Log
38
Beyond Security
39
Beyond the Security Aspect

• Patch Management simplified
• End point performance improves
• Network Performance improves
• Significant Tech Support ROI

40
Thank you