How to Reduce Endpoint Complexity and Costs
November 08, 2011
Ensuring the security of organizational endpoints is tough, especially when you have limited resources and budget. It's not just about which security technologies to deploy, but how you can more efficiently manage your environment. Join Roger Grimes and Chris Merritt for the second part of our SMB Security Webcast Series as they discuss key recommendations for improving endpoint security.
Annie: Hello everyone and welcome to the Lumension webcast, How to Reduce Endpoint Complexity and Costs, part two of our Effective and Efficient Security on an SMB Budget webcast series. My name is Annie Wacker and I'll be your moderator for today's event. Ensuring the security of organizational endpoints is tough, especially when you have limited resources and budget. In part one of our SMB Security webcast series, we spoke about the problems and challenges that we face in today's IT security environment. The way in which we combat these challenges has led the typical IT security professional towards a more complex environment. It's not just about which security technologies to deploy but how you can more efficiently manage your environment.
Recent research from the Ponemon Institute showed that organizations have an average of 7 endpoint solutions, 3 to 6 management consoles, and an average of 3 to 10 agents installed per endpoint, leading to control and visibility issues, and that 54% of IT professionals say that managing security complexity is their number one challenge. To delve into these challenges, we have two expert panelists.
Roger Grimes, Security Consultant, Author, and Columnist. Roger is a 23-year security veteran, author or coauthor of 8 books and over 300 magazine articles on computer security, and a long-time columnist for InfoWorld.
Chris Merritt, Director of Solution Marketing at Lumension. Chris Merritt leads the market positioning and strategy for Lumension's endpoint and data protection solutions. He routinely delivers compliance and security-related presentations, whitepapers, and webcasts, and is a regular contributor to the Lumension blog.
Roger: Thank you.
Chris: Thanks, Annie.
Annie: In today's webcast we will discuss practical recommendations for improving security, including improving uptime without additional management burden, reducing complexity by reducing the number of security agents and consoles to manage, and reducing overall cost by getting more from limited IT security resources and budget. Before we move into this discussion I'd like to open with a poll for the audience.
How many point security solutions are you running? A) 1 to 2, B) 3 to 6, C) 7 to 10, or D) more than 10. We'll review the responses in a few minutes.
One housekeeping note, audience members, if you have any questions for the panel, please submit them via the question box at the top of the screen and we'll try to answer as many as we can.
Roger, now, I'll turn it over to you.
Roger: Okay, thank you. Thanks everyone for showing up and spending part of your day with us. Well, today's agenda, first, I'm gonna start talking about today's threats, sort of the things that are attacking us, sort of the ways they are doing it, why are they doing it, and things like that. And then I'm gonna get into the operational basics which I love kind of the title, getting back to the new new. You know, what are the things that we should be doing that we shouldn't have been doing the whole time or what have we been trying to do. And then Chris will pick up with best practices, and questions and answers we'll both cover, but, again, thanks for showing up and hopefully you'll learn a few things.
So first we'll be talking about today's threats. So what I want to cover on today's threats, again, there are three different things. One is how do they do it. How do they break in? And a lot of this will be a recap for some people, although I like to talk about what the major ways are that they're doing it. It does surprise some people, the number one way they're doing it. You know, who does it? You know, insiders, outsiders, that sort of thing, and different subclasses we'll talk about. And then finally get into why they are doing it, because that's a big deal. That's really, why are they doing it? That's the biggest change in the attack landscape over the last two years.
The attack vectors and the attackers, those are a few things that really haven't changed over the last two decades. I've been doing antimalware and anti-hacking stuff since 1987 and really not a whole lot has changed there. But why they do it has changed, and that's actually changed at least the strength or how often they do something.
So the first part is talking about how they do it. How they, you know, how are they doing it? So social engineering is certainly the biggest one. And I've asked people many times when I'm giving talks and presentations, what's the number one way that most companies are broken into? And it's social engineering, but how? The number one way is a fake antivirus screen, or a fake patch, or something like that. So it's, you know, it used to be…early on we had viruses that we'd get on, you know, you boot with an infected floppy, or you get an infected file attachment, or something like that, or they would attack some unpatched, you know, server vulnerability or something like that. And certainly, all of that is still happening.
We still have viruses, we still have worms, we still have, you know, people doing SQL injection attacks, things like that. But the number one way that most companies are infiltrated is through social engineering into a Trojan: they get an email or they click on a link, they're going to their favorite website, somehow a link comes up and it goes, "Oh, you need to run this program. You need to run, you know…you're infected, or you're running out of disk space, or you need to apply this disk patch..." or something like that. It's all social engineering.
It's interesting, as the vendors, software vendors, improved their software, or I guess some people would say that it's kind of dubious, you know, how much they really improved it since we're still having hundreds of vulnerabilities found a year. But, obviously, they have, or the attackers decided that it was getting too tough to be able to guarantee that people were gonna be unpatched, you know, consistently like it used to be. So the number one way that people are compromised is social engineering, usually through some type of software Trojan. That's even true when people break into banks. Twenty years ago when someone tried to break into a bank they would, you know, attack the banking database server, or the ATM, or something. These days they social engineer a bank employee, get logged on to the banking system, and transfer a bunch of money in the security context of the employee they fooled.
And, of course, we have other vectors, right, password guessing is still pretty common. I think some of the bigger attacks, and I don't necessarily want to name names, but there have been a couple of attacks this year that resulted in over $100 million in damages. And if you look at some of those attacks, some of them, if you look at the details the hackers or the defenders shared, some of them include some really weak passwords on the admin account. So here we are 20 years, 25 years later into this computer internet revolution and people are still using easy-to-guess passwords. And certainly they're also doing cracking attacks, you know, trying to guess again through the password hashes or just login screens, because most companies don't have the time to look at all their failed logins and all the event logs.
We still get a lot of buffer overflows where someone runs some type of software against some listening service and it takes over the computer in the security context of the software or service that was buffer overflowed; those require some type of software vulnerability. Most of the time with these things there's a patch offered by the vendor but the end-user or company hasn't applied it yet, although we are starting to get kind of a, you know, an [inaudible 00:08:10] of more zero days. It used to be that the zero-day was fairly rare, maybe one or two a year and I suspect this is just [inaudible 00:08:16] we haven't looked at statistics. But I think we're getting probably, I don't know, four, five, or six zero-day vulnerabilities a year, not a lot but enough that buffer overflows are still an issue, although the majority of buffer overflows are local buffer overflows. They can be exploited remotely by the attacker sending somebody a link.
So a lot of times you'll see, most of the time you'll see these buffer overflows reported as remote buffer overflows, but I consider a truly remote buffer overflow to be a buffer overflow where, you know, the attacker doesn't have to do anything. They literally point their little attacking tool or buffer overflowing worm at a particular server and it takes over the computer, kind of like that. You know, I think MS Blaster, the SQL Slammer worm, hey, where SQL Slammer, and I think that's 2005, 2006, where it took over every possible unpatched SQL server on the internet, millions of them and, you know, something like under 10 minutes.
Those are the truly remote buffer overflows. Today most of the buffer overflows are local buffer overflows, which means they have to trick the end-user into running it again. It goes back to that social engineering piece of it, but they send a file or a link and they tell the user, "Hey, run this." And then that thing runs and does this local buffer overflow and it will be counted in security defenders' lists as a remote buffer overflow, but me, just personally, I think if I have to trick an end-user into running something it's not truly remote. It's not as dangerous. A truly remote buffer overflow like Blaster and Slammer, we're scared because the end-user does nothing. As soon as I as an attacker have to make the end-user do something for my buffer overflow to work I've lost a big, significant part of my potential attacks just by having to require somebody to click on something. You know, when it's truly remote it's, you know, fired off and boom, it breaks into everything that's unpatched.
We are still seeing a lot of application-level vulnerabilities, a lot of code issues, a lot of SQL injection attacks, a lot of weak coding that's in the software. Certainly seeing a lot of data malformation, so very common these days is malformed Adobe Flash files or Adobe Reader files, that people will be tricked through social engineering into running, and it exploits some unpatched vulnerability. But that's, you know, fairly typical data malformation where it causes the program to barf and allows the attacker to get a compromise in the context of the program that was exploited. It's been around for 25 years and is gonna be with us forever.
Misconfiguration stuff is pretty common still. I was doing a security audit on a pretty large company this week and they had two of their web servers, they were running Apache 2.2. It had, essentially, the Everyone group with full control over all their files, the Anyone group had full control or full rights to all the files on the web server, on an externally facing web server. I mean, I talked to the web administrator, and it just turns out that they didn't even know that they had Apache running on these two external-facing servers. It was actually installed to do some remote management and it was misconfigured when it was installed for the remote management piece, but it opened up the entire server to external web hacking.
It's kind of amazing to me because as I look at the web servers, they've been around about three years and as far as you know had not been attacked yet, but I think that was just more luck. And certainly we still see a lot of eavesdropping, man-in-the-middle attacks; those attacks have been around forever and that's because we're not running every connection in some type of VPN, although even these days if you run your connections in a VPN, let's say like SSL or TLS or something like that, these days the attackers are breaking into these connections.
You know, now they have things like Firesheep that you can install on your Firefox browser as a, you know, add-in and eavesdrop on somebody next to you and log into their Facebook account or something. And even if you put it on SSL or HTTPS there are attacks to break in that way. And really on most networks, there's more than enough plain text traffic running around for people to abuse.
So how do they do it? And I talked about this a little bit, so we certainly have our automated malware. We have your viruses; a virus is some type of malicious code that infects other programs with a copy of itself. So it's not self-replicating. It requires some type of host. Then you've got a worm, which is a self-replicating piece of code that doesn't need other host files, so it's just a...worms are pretty common. They are their own executable that usually has really weird names but still, they will, you know, spread using email or something like that.
Then we have the very popular Trojans, or Trojan horse programs, and those are a single executable or file of some type that is not self-replicating. They actually take the end-user clicking or running them to start them off. So they're almost like a worm but it requires interaction on the end-user's part of some type.
And then, of course, we have the bots, right? We have all the spam bots and crimeware bots where…you have these literally hundreds of thousands to millions of malware programs, you know, that infect PCs. So you have these huge infected networks that are really under control of the attacker, who rents access to these botnets, and these botnets are used to either steal money, steal identities, or maybe deny service to some other company, but still a pretty big business. These days we almost don't even pay attention to the bots until they have compromised literally millions to tens of millions of machines. And then when some large company like Microsoft or Symantec or somebody like that takes down a single botnet, it literally reduces spam traffic by like 25% or sometimes 40% or 60%, at least temporarily until some other botnet takes its place.
And then, of course, these days most malware doesn't fit neatly and, you know, we can't call it a virus, or a worm, or a Trojan, or a bot; typically it's something that has characteristics of all of them. Like you may have a Trojan horse program that wants to get executed and takes off and then turns into a virus, infects other executables, and then turns into a worm so it can be self-replicating around the network. So they tend to be kind of a combination of all of these things. So when you read about Conficker or Stuxnet or something like that they really are a hybrid. I'd say most malware today is a hybrid of at least two of those other categories, if not all four.
Certainly we have a lot of human attackers today; it kind of went down for a while but it's really picked back up, and really where it's picked back up is that the human attackers use one of the automated malware programs, virus, worm, Trojan, bot, to break in and get access to one or more computers. And then the human can take a look at the list of things that they've compromised and see which ones they want to manually attack. So that is really, really common; that is one of the most common ways you see these days, that you'll have, you know, a certain company that's hit with a lot of malware, a particular type of malware, maybe it's a social engineered PDF file, and then you have multiple employees taken over, and the bot usually, or the malicious program, uses some type of downloader.
And one of the first things it does is notify; the attacker usually has some type of command and control server where all the exploited IP addresses are reported, and the human attacker can tell the different bots and downloaders to do different things, maybe to re-download a bunch of different programs, maybe steal the person's identity, maybe put in fake antivirus. But eventually the attacker, the human attacker, sees something interesting, maybe it's an IP address range they're interested in or maybe it's some sort of target or name that just stands out. So that's how they do it. Most of the time, using automated malware that reports a list of somewhere, you know, between, you know, a handful to literally tens of thousands of compromised machines, and then the bad guy either automates that or starts looking at things independently.
How do they get activated here? This is…although I've already said this two or three times, this is probably one of the most important things to realize again, is that 99%, and I'm making that statistic up, but it used to be 99%. Maybe it's only 82% today or whatever it is, but the majority of attacks against a company are client side, meaning that it had to have some type of end-user interaction. When I talk to people and they're like, "How can I protect my network?" And I get paid to go all around the world, around the country and the world, and help people stop malware and hackers from getting inside their companies.
One of the surprises is that most of the time I'm being hired to fix things on the server, you know, to stop SQL injection or to harden their server; that is, I'm being paid to harden all their servers when most of their risk easily is on the user side, you know, and I'll ask them what they're doing on the user side or try to get them to concentrate on the user side and they're like, "Oh, no, we want to look at the servers," which is great. We need to get our servers more controlled, but if you don't get the end-user cleaned up and fixed, the bad guy is just gonna...he is going to come through them and get to your secure servers.
But, of course, you know, we have to worry about bots. If they get SQL injection or something like that, or one of the many other types of attacks that are against servers, they can, you know, break in and get straight to the data directly that way, although again, very important slide, the vast majority of it is coming through your end-users. If you want to know how they got in and installed in your database, how they got access and copied your data out into some other foreign country, it's through an end-user or end-users.
So who does it? You know, if we look at the dedicated human adversary, this again is where it has changed over the last couple of years. It used to be that we just had, you know, for the first 15 years, 20 years of, you know, viruses and worms and Trojans and things, the vast majority of it was just kids and they called them, you know, hacker wannabes. But it was just people out to prove that they could do it. I mean we had a couple of big damaging malware attacks. We had SQL Slammer, but even SQL Slammer, that's the fastest malware program that's ever been invented. Infects all the SQL servers in 10 minutes or less; it really is, as far as you know, other than doing the buffer overflow and maybe giving access to somebody.
But as far as you know it had no damaging routine in it on purpose. It just spread so fast that it took down the whole, you know, just about the whole internet. And then you had things like, I'm trying to think, the Michelangelo virus that went around deleting hard drives. But 99.9% of malware did jokes, you know. It printed funny things on your screen. It played Yankee Doodle Dandy. It, you know, I don't know, changed some fonts or figures, but most of it was just people kind of trying to prove a point that they could. But now, it's a little bit different.
Now, we have, and look at these last three bullet points, we have large criminal gangs. Instead of people trying to break into a bank using a gun and getting away with a couple of thousand dollars, they break in using a bunch of bank Trojans and bots and there are still, you know, hundreds of thousands to millions of dollars in a day or a month or let's say even a year, but they can steal much more money. And the likelihood of them being caught is almost, you know, almost immeasurably small. We almost catch none of these people. We catch a couple a year but not many. They also have no chance, as far as I know, of getting shot unless they attack the wrong, other criminal gangs. So it's low risk, high reward, and you can't get shot.
So a lot of the criminal gangs and mafia and things like that have moved over to online. It took them a while, it took them a decade or two to get there. But now they are thriving and doing well and growing and, you know, they have lots of hackers and steal lots of money and do lots of things that they've always done. You know, they're selling drugs, and doing prostitution, and doing lots of things online.
Certainly, what's probably been in the news headlines in the last year or two has been this advanced persistent threat. So you have this foreign adversary that comes into your company and instead of trying to steal your identity or steal money or something like that, they're out to steal your company's intellectual property. They want to find out what your company is doing, what it's building, what it's planning, what it's pricing, how it's doing it. An advanced persistent threat in most cases is not trying to directly steal money; they are just trying to, you know, do something as simple as duplicate your company.
On advanced persistent threats, many people, many experts in this world including myself, if I can include myself in that group, believe that the majority of companies in the world are already compromised with an advanced persistent threat. Certainly, every company I've been working with for the last couple of years has been compromised with an advanced persistent threat, and again I don't see that changing anytime soon.
The last category is something that's kind of new, where we have the government or military threat, things like what looks like this Stuxnet worm. The Stuxnet worm is likely government, military related. We're not sure, but if you talk to people that look at malware for a living it is the most impressive piece of malware that has ever been made. Besides it being huge, we think that it probably took dozens of people, a team of people, over a year to build. All the skills that it took to build that just are not available in one brain or even, you know, a dozen brains. It took dozens of people and project managers over a long time to plan that worm, and it was the first piece of malware. I have looked at tens of thousands of pieces of malware, and there are tens of millions of pieces of malware made every month now.
Stuxnet was the first malware program that any of us had ever seen that was flawless in the code. Malware usually doesn't have a whole lot of error checking. Usually, it's full of flaws. Stuxnet was perfect, and it was perfect for its intended target and did what it needed to do and caused a significant amount of damage. And some experts actually predicted that the Stuxnet worm was so successful that the damage it caused was more damage than would have been caused by a traditional military attack, a traditional military or a nuclear attack. I mean that's pretty wild, that a worm or a Trojan, it was a worm in this case, and actually kind of had some virus pieces to it, was so successful that it was more damaging than a nuclear attack, which I think is kind of wild, that we're now in this new, you know, military warfare phase of life and it put off a traditional warfare attack, or so it seems. So that's incredible.
And the bad thing about Stuxnet is that certainly every other government and military in the world took note of it, what it did, how it worked, and how successful it was. And a lot of our, you know, a lot of people work in companies that are, you know, military-related, defense-related. So who does it is these people, the ones that are scary: the criminal gangs, the advanced persistent threat is certainly top on the list, and the government and military. That's a new angle, very tough to defend.
Who initiates these things? So a lot of times it's this dedicated attacker on the outside, but it can be this random attacker that creates a bunch of bots, the malware worms, and just accidentally discovers the weakness in your company. So it can be just some random attacker that turns out to be, you know, your worst nightmare or something like that.
We also certainly see a lot of reports of trusted insiders all the time where they're employees or ex-employees, and I'm still amazed in every company I go to that when they fire their employees they now take away their security badge or smartcard. They disable their accounts, but they don't reset all of the remote access methods that the person would use to manage the computers from home. I mean, you know, when you let an IT employee go or something like that you need to change every password that they possibly ever used and knew. And so that this doesn't happen, I don't know why, but it doesn't happen consistently in most companies.
Certainly, we also see business partners that do things; usually, it's accidental, where they accidentally, you know, leave a server open or don't patch a server or they, you know, back up data and they lose the data. We've seen consultants do things, you know, again, accidental, like the Conficker worm. A lot of times that would come in on consultant laptops or consultant USB keys or something like that. So, most of the time with the trusted insiders it is not intentional. When it is intentional the damage tends to be pretty far and wide.
And what are the motivations today? I would say that if you've got a virus, or worm, or a Trojan on your computer at home you don't have to ask what they're trying to do. They're trying to steal your money. And they're gonna try to steal your money by putting in a banking Trojan. They're going to try to steal your identity. I love the fake antiviruses, because people get a fake antivirus that takes over the computer, they steal all of the information on the computer, and then the fake antivirus comes up like, "Oh, you need to buy our fake antivirus." And the person, many, many times, I've talked to many people that have done this, puts in their credit card information, and now the fake antivirus company not only has infected your computer, stolen all your passwords and identity information, but they also now have a good valid credit card that they can use and sell around the Internet.
So, again, if you find malware on a computer at home you don't have to ask what it's doing, or really maybe it's doing it a bunch of different ways, but it's trying to steal your money. And if I find a virus or a worm or a Trojan that's on my computer at home or any of my friends', I always say, "Back up your data, reformat everything, and reinstall." Since they're there to steal your money you can't take a chance that the program is going to clean it up well all the time. I mean, I use antivirus just like anybody else and I use it to identify and to check code. I mean, you always have to use antivirus today.
But once it's found something, unless it's some type of harmless adware, which is fairly common as well, if it's anything besides adware, typically I'm starting to go into lockdown mode and reformat everything and back up my data which, of course, I already had backed up. Right?
We're seeing again a lot of intellectual property theft, a lot of hacktivism these days; Anonymous is certainly, you know, out there in the forefront successfully outing and taking down many, many companies, doing denial of service or reputational damage. That's where they hit a company so hard that it literally causes hundreds of millions of dollars of damages, things like the Sony attack or the RSA attack or many reputational damages against, you know, the US Army with WikiLeaks and things like that. But, you know, it causes so much damage that it literally harms the reputation and goodwill of the company, where they actually have to report that on their NEV or financial statements. And I can tell you as a Certified Public Accountant as well, that's what I was in a previous life, CEOs don't like having to state that they have a loss of goodwill or a loss of hundreds of millions of dollars due to a hacking event.
And, of course, you have accidental, where someone lost a tape or accidentally let a bad guy enter, something like that.
Annie: Thanks, Roger. Now, let's take a look at the results from the first poll. In regards to how many point security solutions organizations are running, 45% have 1 to 2, 45% have 3 to 6, and 9% have 7 to 10. What are your guiding thoughts?
Chris: Roger, I don't know what you've seen out in the field, but certainly the literature that I've looked at suggests that that's on the lower side of average, but a reasonable number given the types of threats that are out there and the solutions that people are having to install.
Roger: Agreed, agreed. A lot of times when you count it all up, you know, if you literally include everything, you know, your anti-spam, your antivirus, your anti-Trojan, your privacy, your this, your that, by the time you get through that it can be a lot of solutions.
Chris: Yeah, that's for sure.
Roger: Well, this next section that I'm gonna cover is the operational basics, and I love to think of it, you may end here, as getting back to the operational basics for the new new: what are we trying to achieve?
Well, this is what we're...we're not asking for a whole lot, we're just asking that it be low cost and really effective. That's it. And right now a lot of us would…if you have multiple endpoint solutions you don't necessarily have the lowest cost, right? You have a high cost. And then the question is, are those multiple solutions the effective solution? Or do you maybe have a bunch, so many best-of-breeds that you end up with a [inaudible 00:29:26] type thing?
But what I hear from people a lot of times is, you know, no matter what they have, and even though they're fully patched and they have, you know, their antivirus is always up to date, they've educated their end-users and they have a host-based firewall and things like that, they're still seeing that they have compromises. These are the big ones, the APT type stuff, the crimeware groups, or they used to have, you know, a lot of different things running around doing bad things.
So we want low cost, effective solutions; yes, of course, we want good performance. I know a lot of people that have complained where they have a very solid, reliable antivirus program but the performance hit of that antivirus program is so bad that their employees try to disable it, try to go around it, maybe it makes the machine take 10 minutes to boot, so we want good performance in our security tools that are low impact, and that certainly can be a huge problem. People call me all the time, they go, "What antivirus solution should I use?" or something like that. I always say you need to use and test different ones in your environment to find out, you know, which one performs well, which one does well; there are a whole lot of them that are, you know, always hitting that Virus Bulletin 100 list or they're always, you know, getting 100% on the WildList malware checks.
So there are, you know, 50 antivirus programs that do fairly well that you can choose between on accuracy, but do they have the feature sets that you're looking for? More importantly, do they have good performance? Can you modify the performance? Can you change settings that will help it to have more or less, you know, impact upon the system? We're also looking for easy deployment; people want to be able to set up something on the server, kind of point it to a range of networks or IP addresses and click install and have it done.
They also want low false-positives and low false-negatives. You know, if it says it's a virus we want to know that it really is a virus. Or, you know, we don't want it going off and flagging some legitimate piece of software or something bad because when I've had to chase down false-positives in the past that is, you know, that's taking me longer than chasing down the false-negatives. And at least a couple of times of the last five years I've seen antivirus products that had a false-positive that deleted like a necessary Windows files and brought those machines down. So certainly, we don't want low false-positives and low false-negatives. And the antivirus its challenge these days are those, you know, trying to get low false-negatives.
We want it to be as automated as possible. We want it to provide protection. We don't even want to have to decide what action to take once it finds malware or something like that. We want it to automatically do something, low cost.
Broad coverage, we want it to, you know, work across on our entire environment and, you know, not only does that mean different versions of Windows and maybe Linux, Unix, and, you know, Macs and things like that but it also means, you know, our mobile phones and our small portable computing devices and the pad computers. They're very, very tough to get that super broad coverage.
We want flexibility, we want lots of options. I've seen some really good antivirus programs that I really think are accurate and good performance but, you know, maybe they only have five checkmarks or five different options like in change, and I've seen some anti-spam options that way. And one way it's good because I don't like to be overwhelmed by decisions and things but at times I do need enough flexibility to decide how it's gonna run on my company, when it's gonna run, when it's gonna update, and that sort of stuff. And when it's gonna update, we want continuous updating, right? We want it to be continuously updating without causing any problems.
So are all of these too much to ask? Sometimes it seems so, but this is what we're looking for. All of these…if you were to say what type of software product we're all looking for, this is it in a recap.
And again, we want it to be easy to manage. We just want it to work. We want it to have great defaults, we want it hands off as possible. I mean we all want to spend the time to make sure we can figure it correctly, that we install it on the servers, and do all the initial planning and work correctly but once we fire that thing off and tell it to go and install we just kind of want it to be hands off. We only want to be involved when we have to be involved. Otherwise, we want the software to handle most of it because we're all, you know, as a small business, small to medium size businesses, we're all, you know, not enough time, not enough people.
Integrated solutions are certainly every… You know, the entire security industry has just bought pieces, maybe they built the pieces they needed or bought the pieces that they needed but now we have integrated solutions everywhere. It doesn't make sense to buy, you know, 10 different products from 10 different vendors. Maybe you can do that but a lot more people are seeing the value of integrated solutions.
People like to get as much as they can into a single console or a framework or something like that so that they only have to look at one management console or maybe, you know, maybe two or three at most, something like that. They want to see a single agent if they can. If, you know, one agent can update, you know, the anti-spam, the anti-virus, and, you know, the whitelisting, and all of these things they need to do, that's a big benefit to people because they don't have to worry about the interaction or competition between multiple agents.
Also people want to see the alerts only, like when I put it, when I tell something to manage my logs, I don't want to see every time I get, you know, an event log, which happens thousands of times in every system today. What I want to know is when it does…when something happens to the computer, an event happens that I find actionable. Like I don't want to know about every bad login but if all of a sudden on a computer there's something kind of unusual where we get 10 logins in 1 second or maybe a 100 bad logins in a particular period of time, then I want to be alerted. I want the reporting to be solid. I want the reporting to give me the...I want the reporting to already be built to give me the information that I need and maybe if I'm lucky it also allows custom reporting or allows me to automate the reporting when they get or send it or publish it to the web and that sort of stuff.
And also we want to make sure that our product provides us real security and also has compliance. And these are two different things, right? You know, security and compliance, I can be very compliant and still not be super secure and vice versa. I mean a good example that I use is one of the very popular compliance regulations says that passwords have to be six characters and complex. Well, I know that a six-character password no matter how complex is easily crackable. So that even if you gave this compliance regulation a 100-character non-complex password it wouldn't accept it, which is just crazy.
So, unfortunately, we have the dual-edge sword of having to be secure and compliant at the same time. So what I'm gonna do now is turn this on over to Sam...to Chris, I'm sorry.
Annie: Thanks, Roger. Before we go into Best Practices by Chris let's go into our second polling question to the audience. Are you experiencing any visibility issues in your IT environment? A) Yes, I have major visibility issues, B) Yes, I experience at least some visibility issues, C) No, I do not experience any visibility issues, or D) I do not know if I have visibility issues.
Now, Chris, we'll pass it over to you for Best Practices.
Chris: Great. Thanks, Annie and thanks Roger for that, you know, look at what all our customers in the small to medium business space are really facing. You know, a lot of the stuff Roger talked about sounds like big scary stuff that only applies to big companies and a lot of the examples we see out in the press today involve big companies like Sony, or T.J.Maxx, or people like that. But as you mentioned a lot of these attackers come at you by opportunity. They're basically, they're scanning the internet, seeing what they can find and then just attacking based on what they find open. So this really does impact a lot of us.
So let's talk about a little bit about what we can do to try to prevent these attacks and how that really come together to, you know, both improve our security but also that more tangible things of things like reducing cost, reducing the time that we have to spend managing our security and our operation, or our IT operations, and improving the uptime so that our users are more productive.
The first thing that I wanted to show everyone was a study by Aberdeen, a large consulting company, that looked at kind of the top 25% of companies in comparison to other companies and how their maturity in the security space impacts kind of the bottom line. So here we see that the top 20% in the security space saw a decrease in security-related incidents. You look at the bottom 30% and we see that they have an increase in security incidents.
Now, security incidents cost you time and therefore, they cost you money and they reduce your productivity. So this has a real bottom-line impact on what's going on within your organization. But it also impacts things like your audits and the cost that you have to apply to managing those endpoints. So basically, what we see here is that by striving to be up in achieving best practices in the security space we really are reducing the cost and the complexity of our endpoints.
Here's another study, this one, done by Ponemon, released earlier this year, and what Ponemon does is something very similar. They look at an organization's security posture on something like 24 security features or different practices that they have. And they look then at the number of incidents that these companies have and the costs associated with those incidents. And what they've found, and this is the second year they've done this, and actually I've seen other results that confirmed it, what they show is that as you start to implement best practices, as you start to climb that ladder, the costs associated with a data breach go down.
There are a number of things that one can do and that's what we're going to get into next. But before I get into that let me just do one more kind of cost of a cybercrime comparison. You look here at the cost of companies that have the above average practices versus those who have below. And what you see here is that the average cost per data record breach, in a data breach, the average cost is 75% higher for organizations that don't have best practices instituted. So, you know, we kind of started these web series by talking about some of the ways to improve security and how to reduce the cost. And one way you reduce the cost is by moving towards best practices so that you reduce the cost of any impacts that may have come down the pike.
So what are these best practices? We'll start with the basics, kind of cover some of the stuff that Roger talked about. One of the first things you really need to contemplate is educating your end-users. Today, the endpoint is the attack surface, so that's made very clear by the presentation that Roger made about how hackers are getting into systems both from the social engineering side and by having the users click on something that installs malware or a poison pill of some sort. So you really need to educate your users. And this isn't a one-time thing, this is an ongoing process.
Yes, certainly, you need to educate folks that come on board, that first come on board and tell them their rights and responsibilities especially with respect to the IT systems. But you need to then keep them apprised of what's going on in the bigger world. You need to make sure that they understand what strong passwords mean. And, you know, as Roger said, it's not just a six-character strong password, longer is better. And this is a lesson that folks need to remember.
And, you know, as he pointed out also, you know, simple to guess passwords or, you know, brute force attack, make the longer password almost mandatory. And then, you know, you need to educate them on the...that they need to be aware of what they share. What are they sharing on their Facebook pages? What are they sharing in their social networks? A lot of these seems inconsequential but if you use the same password for your work computer that you use for your Facebook and your Facebook account gets hacked, well, guess what?
Now the bad guys have an easy entry into your network. So you need to make sure that folks have been educated to be thinking bigger than just where they're sitting at the moment. And towards that end, just as an aside, we mentioned we have created a resource center to help you educate your end-users and you might want to go take a look at that. We have some videos. We have a web page out at Be Aware of What You Share.
Now, you know, the next thing you need to think about is perimeter defenses. I mean this is some of the stuff that Roger was talking about, kind of the traditional or classic perimeter defenses: gateways, firewalls, event log monitoring, baselining and detecting anomalies. These activities have to be part of your basic approach to security. They need to be kind of wedded into everything that you're doing.
But I think, more importantly, the point that again, that Roger was making was that the endpoint really has become the attack surface. And so we need to start practicing defense-in-depth on our endpoints. We saw from the survey that folks have somewhere on the average of three to six sort of endpoint solutions. The question is are we getting the right types and do we have interlocking defenses there.
So let's take a look at that. What would best practice in defense-in-depth for the endpoint look like? Today we see basically two types of attack vectors. As Roger mentioned there's the network or remote access type of attack, and then there's the physical access. So let's go through some of these kinds of features individually.
Starting on the network side, configuration management is some basic housekeeping that you need to do. Roger gave a beautiful example of a configuration of the server; these sorts of configuration problems can exist on the endpoints too and they can cause the same sort of problems that his example gave. The bottom line here is that you really need to make sure that your endpoints are compliant with best practice and any regulatory mandates that might exist for your industry. You need to ensure that you guard against configuration drift, and you need to identify the risks associated with configuration drift and remediate them.
Roger: Roger, I want to kick in real quick, hold up your thought, but that is so true. I was just thinking, you know, I spent two decades now watching other companies, you know, get more security or trying to get more security to hackers out and I know that when I go into a place that maybe isn't configured and doesn't have all the best patches but they've got a more consistent look across all the computers, when I gave them the report and the recommendations it's so much easier for them to implement than the place that they go to that, you know, all the workstations, all the servers, and all kinds of different states of configuration, that place I give the same report too and they just don't have the ability to, you know, push out the changes and fix this as easily as the guy that's got the configuration management down.
Chris: Yeah. You know, I saw a report recently from, I think it was Gartner that suggested that 65% of the risk associated with endpoints is associated with these misconfigurations. So, you know, just by taking these basic best practice steps you're reducing your risk by 65%.
The next one that we talk about is antimalware. I'm not gonna belabor that point. We certainly all understand that we need some way to protect against known malware. Roger talked about a few of those, you know, different types of malware and the reasons that we have to protect against them. Those use your basic, your traditional blacklist so, you know, I find out that a piece of malware has been created, I put it on a list and then I don't allow it to run anymore. We'll revisit that in just a second.
The next step is on the patch management side. Now, going back to that Gartner report that I was talking about the next 30% of risk associated with an endpoint is associated with missing patches. And Roger brought up a few of these different types of APT attacks and things like Conficker and Stuxnet, and the interesting thing about those is that in every one of those cases a patch existed prior to that attack occurring. And machines that had been properly patched, patched on a timely basis, were protected against attack from those banks. So 90% of attacks occur against known software, or application, or OS vulnerabilities. So just by patching you can protect 90% of your attacks. Again, it's 90% of your attacks.
So the next area that I'm gonna look at is on the hard drive itself, the notion of full disk encryption. Now, this is something that may be a little bit new to folks; the statistics I see suggest that something like 50% of organizations have full disk encryption, but in fact, less than 50% of them actually have it activated. So that's a very interesting feature or a fact. When you're starting to implement best practice and trying to reduce the likelihood of data being taken off your hard drives or that data can be accessed via your hard drives, the notion of implementing an easy to use transparent full disk encryption becomes mandatory.
The next area I want to look at is port and device control. So we talked a lot about remote access attacks but one of the categories that Roger talked about were the insider attacks. And those insider attacks very often occur via very simple ports like the USB port or, in the case of the T.J.Maxx data breach, open Wi-Fi channels that the organization was unaware of. So by implementing a port and device control tool, you can reduce the accidental, or a malicious, or a targeted attack that may occur. You need to make sure that you are controlling the data that come off of those endpoints and that you're aware of what's going on to USB sticks. It would be even better if you could encrypt those USB sticks. I don't know the exact number but if you pay attention to data breaches on a yearly basis a large percentage of them are lost USB sticks that have sensitive data on them that were unencrypted.
And by the way, most state laws will protect you against data breach notification requirements if you have the data encrypted or if you can prove that the data are unusable by the people that got to hold of that USB stick. So there's a lot of reasons why you want to start getting into that implementing device control.
And then the last area I want to touch on is application control. So application control is a little bit new and a little bit old. Roger has been around long enough, I've been around long enough to remember the old days where that was the only way that we protected our machines. You went to the sysadmin, you said: "I want to run this app." They would analyze it and decide if they were gonna allow that to run on their boxes.
Well, we've kind of come full circle, application control is kind of the analog to traditional AV where you create a list of applications that you are going to allow to run. So as opposed to the traditional blacklist you're now creating a whitelist. That whitelist limits what is allowed to be run on your boxes, it limits the changes that are allowed to be made to the boxes. So, you know, think back to some of the attack vectors that Roger was talking about and you can see where that becomes useful: if an attacker creates an exploit that will change some code to make something look like a perfectly legitimate program, if that legitimate-appearing program isn't, in fact, legitimate ID on the whitelist it won't run, and therefore, you've protected your box.
So a couple of other things you can do with application whitelisting that are important, you know, things like protecting against installing applications. It also helps in protecting against end-users changing a configuration, so coming back to that kind of that configuration management notion that I talked about earlier. It prevents end-users from removing patches or running and installing software, so if you have software on the endpoint that's there for a reason, a security reason, you want to prevent them from taking that off, and then, of course, removing security tools.
So those are some of the tools that you want to contemplate when you're looking at best practices for defense-in-depth on your endpoint. Now the difficulty, of course, is as Roger mentioned and as we've kind of touched on with some of the polling questions is, you know, you have too many products, you have too much complexity, too many consoles, too many different types of agents on the endpoints that may impede productivity, impact performance, you know, diverse architectures.
So the solution I would suggest is that you start looking at suite solutions that are out there that combine all of these best practice tools onto a single extensible platform. So now you have a single console, a single architecture, single server, single agent on the endpoint that does all of the things that you need to elevate yourself into that best practice arena. The added advantage here is that we've now automatically kind of taken care of some of the other areas that we've talked about, which is reducing the complexity both from the perspective of the endpoint and the number of applications that are sitting on the endpoint, the number of agents; we're reducing the IT burden and the complexity that the IT people have to deal with. We're reducing the costs because now we are extending the capabilities, improving the bandwidth of your IT folks. And we've improved security.
So with that, I'm gonna turn it back over to Annie for our last poll question.
Annie: Great. Thanks, Chris. Great best practices. Let's see the results. First off, we had a question about what we actually mean by visibility issues.
Chris: It's a great question, Roger I'll let you weigh in there but to me what it means is that if I have a number of consoles looking at what's going on in my network I might miss something because it falls in the gaps.
Roger: No, no, that sounds perfect.
Chris: Yeah, I think the other thing you brought up really was the amount of data that's coming out and if it's not filtered appropriately and associated.
Roger: You know that's true. I remember that's one of my favorite quotes is from the Verizon Data Breach Report a year or two ago that said something, it was like 82% or 92% of all compromises actually showed up in the logs or, you know, their equipment alerted or noted it if they had just read it. They would have been able to find it faster or stop it. That's a pretty significant finding.
Annie: And if we look at the results from this polling question, about if they were experiencing any visibility issues within their IT environment, 38% said yes, I experienced at least some visibility issues, and 15% said they don't know if they have any visibility issues. Is it surprising to either of you?
Chris: Go ahead, Roger.
Roger: No. I was gonna say no. That seemed about right. I mean, you know, sometimes it's complex and it's difficult to know your unknowns.
Chris: Exactly. And I think it also shows that our audience is fairly aware of what's going on and it's really well informed, so that's a great news.
Well, we have just a few minutes, actually, we have one minute Roger to kind of cover this last section, why don't you go ahead and walk through that really quickly.
Roger: Okay. So the first one is that I like how people...I see so many people they don't right size their defenses. Make sure that you look at how your company is being attacked successfully and make sure that you make your defenses fit that. I see so many people that start concentrating on things that aren't how they're being compromised. And, you know, so a lot of the stuff is clients at endpoint stuff, you know, don't spend means or dollars or whatever, a lot of money on things that aren't the biggest problem. Also make sure that you have good reports to make sure that you're improving your security posture, you know, is what you're doing working? You know, if you're spending time and money and effort on different tools is it really working? And, you know, if not you need to do other things.
One of the other ones that I love, are your end-users being taught the most important things? Well, if the number one way that end-users are compromised is a fake antivirus, are you teaching your end-users what their antivirus warning looks like? Almost every company that I go into that is not the case. You know, why wonder about why end-users are being tricked when we're not teaching them what the real one looks like.
Again, make sure you're reading your log information because most of the time the bad stuff that's occurring in a company is in the log somewhere. If somebody was paying attention it wasn't lost in all that information. So those are some…sorry, since we're running out of time I'll leave it there. And do we have any time to answer any other questions?
Annie: Yeah. Let's open it up to...
Chris: I think we've just run out of time, Annie, actually, so if there are any other questions I invite you to go ahead and post them and we'll get back with you via email. Roger, thanks very much.
Roger: I'm glad to participate.
Annie: Yes. For more information on LUMENSION or any of our solutions including our LUMENSION endpoint management and security suite, you can contact us by going to our website at www.lumension.com, that's L-U-M-E-N-S-I-O-N. You can also visit our blog at blog.lumension.com, call us at 1-888-725-7828 or email us at [email protected] We also have a few resources up on the slide in front of you right now and we'll email you with all of this information. With that said, thank you all for attending and this now concludes our webcast.
Roger: Take care everyone.