Saturday, May 12, 2012

Endpoint Security, Boundaries and the ‘Trusted Network’

Recently, Rob Lee of SANS tested a fairly common APT attack scenario against a simulated enterprise environment to generate log files for a course and posted the results on the SANS Computer Forensics and Incident Response Blog.  The not-so-surprising result?  The attack succeeded, and no log files were generated.  The simulated environment was running the complete McAfee suite, including:

  • Anti-virus
  • Anti-spyware
  • Safe surfing
  • Anti-spam
  • Device Control
  • Onsite Management
  • Host Intrusion Prevention System

Rob was careful to avoid blaming McAfee, since no vendor’s solution effectively defends against targeted attacks:

I have seen a lot of enterprise managed A/V and HIPS suites and none of them have fared well against the APT actors and malware. It is too easy to obscure the malware to avoid detection so any A/V choice here (McAfee, Symantec, etc) would have yielded similar results. And that matches what myself and many others have witnessed in seeing these products at locations where APT adversaries roamed freely for months before detection. In the end, it really would not have mattered to choose product X over Y. We wanted to select a product where most attendees of FOR508 would feel at home when performing incident response.

Even with the somewhat inflammatory title of “Is Anti-Virus Really Dead,” he’s careful to state that Anti-Virus is still recommended in almost all environments:

I would never recommend someone go without it, but it is clear that in order to find and defend against advanced adversaries we need to do more than rely on A/V. […] While I'm sure many of these products stop low-hanging fruit attacks, we found that we basically did whatever we wanted without our enterprise managed host-based A/V and security suite sending up a flare.

After all, corporations don’t want to burn through valuable security and end-user support hours cleaning up after the Java or Flash exploit of the day.  However, that didn’t stop some analysts from disregarding the post and focusing on why they’d never recommend running without Anti-Virus.

Although Rob’s research and conclusions make sense in his specific scenario, I still believe that antivirus is NOT dead for the vast majority of us. I guess my litmus test is that I would never bet my career on telling a large government customer to forgo implementing any antivirus solution.

There are plenty of ways around antivirus but I stick by the fact that it will at a minimum catch much of the low-hanging fruit that novices or automated attack tools use.

This is one of the reasons the original poster advocated the continued use of Anti-Virus, even with its limitations.

I think a bigger point is being missed.  Namely, the entire concept of a ‘trusted internal network’ and a ‘trusted user’ is dead.  In the current threat landscape, targeted attacks are proxied through trusted devices and trusted users, so relying on a ‘managed device’ or an ‘authenticated user’ to deliver a significant level of risk reduction is a serious mistake.  Keep in mind that endpoint Anti-Virus and Host Intrusion Prevention software at best blocks exploitation of about half of a typical monthly patch cycle’s vulnerabilities.  Nothing earth shattering, but the remaining exposure has to be closed by patching, and many enterprises compromise on that practice in the name of its being ‘nearly impossible’ and too disruptive to productivity.

Consumerization strategies provide an excellent opportunity to rectify a lot of the security debt that has accrued in many traditional enterprises.  Many business systems will be re-written or re-implemented to allow for ubiquitous access across devices.  At that point, it makes sense to partner systems resources with security resources to ensure that, going forward, businesses implement systems that limit their exposure to data loss, don’t rely on the endpoint being trusted, and can be monitored for abnormal behavior and access routines.

The API is the New Perimeter.  It’s time to start protecting services and data and stop playing “plug the endpoint.”
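As an added illustration of treating the API rather than the endpoint as the perimeter (this is example code written for this page, not code from the original post or from any product it mentions): every request is authenticated and authorized server-side, anything the client asserts about its own user or device is ignored, every decision is written to an audit log, and a small detector runs over that log to flag abnormal access routines. The token table, records, traffic and thresholds are constructed for the example and are not from any real system.

```python
"""Added example (not from the original post): a minimal API layer that
treats the service, not the endpoint, as the perimeter.

Assumptions (hypothetical, for illustration): bearer tokens are looked up in
an in-memory table, records live in a dict, and audit events are kept in a
list instead of being shipped to a SIEM. All sample data is constructed.
"""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field
from typing import Any, Optional
import hmac
import time

# Hypothetical token table: token -> (principal, account ids it may read).
TOKENS = {
    "tok-alice": ("alice", {"acct-1", "acct-2", "acct-3"}),
    "tok-bob": ("bob", {"acct-3"}),
}

# Constructed sample records.
RECORDS = {
    "acct-1": {"owner": "alice", "balance": 120.0},
    "acct-2": {"owner": "alice", "balance": 50.0},
    "acct-3": {"owner": "bob", "balance": 900.0},
}

@dataclass
class Request:
    token: Optional[str]
    account_id: str
    src_ip: str
    # Whatever the client claims about its user or device is untrusted input;
    # it is carried only so the handler can show that it is never consulted.
    client_headers: dict = field(default_factory=dict)

@dataclass
class AuditEvent:
    ts: float
    principal: str          # "-" when the request never authenticated
    account_id: str
    src_ip: str
    outcome: str            # "ok", "unauthenticated" or "forbidden"

AUDIT_LOG: list[AuditEvent] = []

def _lookup_token(token: Optional[str]):
    # Constant-time comparison against each known token so response timing
    # does not leak how much of a guessed token matched (fine at this size).
    for known, (principal, accounts) in TOKENS.items():
        if token is not None and hmac.compare_digest(known, token):
            return principal, accounts
    return None

def handle_get_account(req: Request, now: Optional[float] = None) -> tuple[int, dict]:
    """Authenticate and authorize every request server-side, then log it."""
    now = time.time() if now is None else now
    auth = _lookup_token(req.token)
    if auth is None:
        AUDIT_LOG.append(AuditEvent(now, "-", req.account_id, req.src_ip, "unauthenticated"))
        return 401, {"error": "unauthenticated"}
    principal, allowed = auth
    # req.client_headers (X-User, X-Managed-Device and the like) is ignored:
    # the device or user the client says it is carries no weight here.
    if req.account_id not in allowed:
        AUDIT_LOG.append(AuditEvent(now, principal, req.account_id, req.src_ip, "forbidden"))
        return 403, {"error": "forbidden"}
    AUDIT_LOG.append(AuditEvent(now, principal, req.account_id, req.src_ip, "ok"))
    return 200, dict(RECORDS[req.account_id])

def _flag(findings: dict[str, list[str]], principal: str, label: str) -> None:
    tags = findings.setdefault(principal, [])
    if label not in tags:
        tags.append(label)

def abnormal_access(events: list[AuditEvent], window_s: float = 60.0,
                    max_distinct: int = 3, max_forbidden: int = 2) -> dict[str, list[str]]:
    """Flag principals whose access routine looks abnormal inside a window.

    Two crude signals: many distinct accounts read (bulk read or a proxied
    attacker walking data) and repeated 403s (probing for records the token
    does not own). Thresholds are illustrative; a real detector would
    baseline each principal's normal routine.
    """
    findings: dict[str, list[str]] = {}
    recent: dict[str, deque] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.principal == "-":
            continue
        q = recent.setdefault(ev.principal, deque())
        q.append(ev)
        while q and ev.ts - q[0].ts > window_s:
            q.popleft()
        distinct = {e.account_id for e in q if e.outcome == "ok"}
        forbidden = sum(1 for e in q if e.outcome == "forbidden")
        if len(distinct) >= max_distinct:
            _flag(findings, ev.principal, "bulk-read")
        if forbidden >= max_forbidden:
            _flag(findings, ev.principal, "probing")
    return findings

if __name__ == "__main__":
    # Constructed traffic: bob's token, sent from a "managed" device that
    # claims to be alice, probes accounts it does not own.
    for i, r in enumerate([
        Request("tok-alice", "acct-1", "10.0.0.5"),
        Request("tok-bob", "acct-1", "10.0.0.7", {"X-User": "alice"}),
        Request("tok-bob", "acct-2", "10.0.0.7", {"X-User": "alice"}),
    ]):
        print(handle_get_account(r, now=100.0 + i))
    print(abnormal_access(AUDIT_LOG))
```

The point of the example is where the controls live: nothing about the endpoint (its headers, its address, whether it is "managed") changes the authorization decision, and the audit log is rich enough that the abnormal routine is visible even though every individual request was a legitimate-looking API call.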

Monday, April 9, 2012

AV Sync Issues in View 5

Recently, my team tested quite a few PCoIP thin and zero clients.  We noticed that on certain clients the audio and video would be out of sync while playing videos - both local video and internet video.
  • Windows Embedded clients (WES) and Windows ThinPC using the View 5 client played the video perfectly.
  • PCoIP zero clients with Teradici chips played perfectly as well.
  • Thin clients that ran Linux or proprietary thin OSes with View 4.6 or 5.0 clients had the audio noticeably behind the video.
Enabling 3D support and giving each workstation VM at least 92 MB of video memory made the audio lag less noticeable and improved video quality quite a bit, but performance still wasn't quite where we wanted it.  Adding a second processor to the VMs helped further, but from a scaling perspective that wasn't a great solution for us (and we still had 1-2 test clients that had sync issues).

Finally, after researching a bit online, we found that Teradici offered an audio driver which might resolve the issue.  After installing the driver, all of the audio sync issues were resolved.  In fact, we were able to remove the additional CPU and video configuration with no further issues.

This definitely stresses the importance of testing ALL client types that you intend to support in your VDI environment - had we stopped after the zero clients and WES clients, we would never have found this issue until post-deployment.

UPDATE:  Per the comment below, there is an updated 1.1 driver available on Teradici's site here.  That page has all current up-to-date Teradici downloads (and I assume they keep it updated).  The link above has been changed to point to this one as well.

UPDATE 2:  There's a more current version than the one on their "up-to date page" available here (build 1.1.1.13981).

Monday, January 30, 2012

Combating Consumerization of IT

Previously, I discussed why I felt that blocking social media led to users realizing that, via smartphones, they could easily circumvent IT and Security controls - which led to a substantial amount of business value being stored (unofficially) on consumer SaaS solutions.  The solution is both easy, and hard.

Compete for your users.

To be successful in competing for your internal users and weaning them off consumer offerings, a few realizations and concessions need to be made:
  • Users don't care about full access to all their crappy enterprise applications - and before someone gets upset about my characterization of enterprise applications as crappy, they are - at least compared to the consumer SaaS that users actually WANT to use.  Trying to secure the entire enterprise to run off an iPad is akin to attempting to boil the ocean - the easy route, hosted virtual desktops, isn't how most users want to interact with their tablets/consumer devices.
  • Solutions should be very use-case specific, tailored to how your users want to leverage their devices to solve specific problems.  Find a widely used piece of software (Evernote, for example) and buy/build an alternative that they would want to use.  The fact that your solution would be supported and accessible from their corporate desktop gives you a competitive advantage over the consumer SaaS solutions.
  • Security should be pushed server-side as much as possible.  Your users may accept ActiveSync-type restrictions on their devices, and perhaps a password prompt; acceptance is much less likely if they have to install a pile of mobile device management software to reach the applications.  Server-side means DLP, Intrusion Detection/Prevention, and masking sensitive data wherever possible before it is transferred to the device, backed by user education.  If you fail at this, they'll simply go back to the consumer SaaS they are used to and disregard whatever the 'supported' tool is.
  • The lack of integration requirements (since Dropbox, Evernote, et al are standalone) means that this is a fresh slate.  This is a huge opportunity to build an entirely new environment with substantially less technical and security debt.
Going back to the beginning of this post:  Compete for your users?  They're not your users anymore... they're customers.  Refer to and treat them as such.
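As an added example of the "mask sensitive data server-side before it reaches the device" point above (example code written for this page, not code from the original post or from any product named in it): a small response filter that applies a field classification policy per role, walks nested objects so a sensitive field cannot slip through inside a sub-record, and reports which fields it withheld so the decision can be logged server-side. The policy, field names, roles and the sample record are all hypothetical and constructed for the example.

```python
"""Added example (not from the original post): server-side masking of
sensitive fields before a record leaves the service for a consumer device.

Assumptions (hypothetical): the POLICY below declares, per field, how to
mask it and which roles may see it in the clear; unlisted fields are treated
as public. The sample record in the usage block is constructed data.
"""
from __future__ import annotations
import re
from typing import Any, Callable, Optional

# Hypothetical classification policy: field -> (masking strategy, roles that
# receive the clear value).
POLICY: dict[str, tuple[str, set[str]]] = {
    "ssn": ("last4", {"hr"}),
    "card_number": ("last4", {"billing"}),
    "email": ("email", {"support", "hr"}),
    "salary": ("redact", {"hr"}),
}

def mask_last4(value: str) -> str:
    """Keep the last four digits, star out the rest, drop separators."""
    digits = re.sub(r"\D", "", value)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]

def mask_email(value: str) -> str:
    """Keep the first character of the local part and the domain."""
    local, _, domain = value.partition("@")
    if not domain or not local:
        return "***"
    return local[0] + "***@" + domain

MASKERS: dict[str, Callable[[str], str]] = {
    "last4": mask_last4,
    "email": mask_email,
    "redact": lambda _v: "[redacted]",
}

def mask_record(record: dict[str, Any], roles: set[str],
                audit: Optional[list[str]] = None) -> dict[str, Any]:
    """Return a copy of `record` with sensitive fields masked for `roles`.

    Nested dicts and lists are walked so a classified field cannot escape
    masking by being embedded in a sub-object. The original is not modified.
    If `audit` is given, the path of every masked field is appended to it so
    the service can log what it withheld (the DLP side of the same control).
    """
    def walk(node: Any, path: str) -> Any:
        if isinstance(node, dict):
            out = {}
            for key, val in node.items():
                here = f"{path}.{key}" if path else key
                if key in POLICY and not isinstance(val, (dict, list)):
                    strategy, allowed = POLICY[key]
                    if roles & allowed:
                        out[key] = val
                    else:
                        out[key] = MASKERS[strategy](str(val))
                        if audit is not None:
                            audit.append(here)
                else:
                    out[key] = walk(val, here)
            return out
        if isinstance(node, list):
            return [walk(v, f"{path}[{i}]") for i, v in enumerate(node)]
        return node
    return walk(record, "")

if __name__ == "__main__":
    # Constructed sample record; no real person or account.
    sample = {
        "name": "Jane Doe",
        "ssn": "123-45-6789",
        "email": "jane@example.com",
        "salary": 85000,
        "cards": [{"card_number": "4111 1111 1111 1111"}],
    }
    withheld: list[str] = []
    print(mask_record(sample, {"support"}, audit=withheld))
    print("masked fields:", withheld)
```

Because the masking runs in the service, a lost or jailbroken device only ever held the view its user's roles entitled it to, and the `audit` list gives the server a record of each withheld field without the device being involved at all.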