Defense-in-Depth Against Malicious Software
Speaker name, Title, Group, Microsoft Corporation
Source: download.microsoft.com/download/7/a/6/7a6c9cc6...


Page 1

Speaker name
Title
Group
Microsoft Corporation

Defense-in-Depth Against Malicious Software

Page 2

Agenda

Understanding the Characteristics of Malicious Software

Malware Defense-in-Depth

Malware Defense for Client Computers

Malware Defense for Servers

Network-Based Malware Defense

Solutions to implement Malware Defense-in-Depth

November 2006 2

Page 3

Understanding the Characteristics of Malicious Software

Page 4

Malicious Software: Identifying Challenges to an Organization

Malware: A collection of software developed to intentionally perform malicious tasks on a computer system

Feedback from IT and security professionals includes:

“The users executed the attachment from their e-mail even though we’ve told them again and again that they aren’t supposed to.”

“The antivirus software should have caught this, but the signature for this virus hadn’t been installed yet.”

“We didn’t know our servers needed to be updated.”

“This never should have made it through our firewall; we didn’t even realize those ports could be attacked.”

Page 5

Understanding Malware Attack Techniques

Common malware attack techniques include:

Social engineering

Backdoor creation

E-mail address theft

Embedded e-mail engines

Exploiting product vulnerabilities

Exploiting new Internet technologies

Page 6

Understanding the Vulnerability Timeline

Product shipped

Vulnerability discovered

Update made available

Update deployed by customer

Vulnerability disclosed

Most attacks occur here

Page 7

Understanding the Exploit Timeline

Product shipped

Vulnerability discovered

Update made available

Update deployed by customer

Vulnerability disclosed

Exploit

Days between update and exploit have decreased

Malware attack      Days between update and exploit
Nimda               331
SQL Slammer         180
Welchia/Nachi       151
Blaster             25
Sasser              14

Page 8

Identifying Common Malware Defense Methods

Malware attack: Defense method

Mydoom: Block port 1034; update antivirus signatures; implement application security

Sasser: Block ports 445, 5554, and 9996; install the latest security update

Blaster: Install the latest security update; block TCP ports 135, 139, 445, and 593 and UDP ports 135, 137, and 138, and also block UDP port 69 (TFTP) and TCP port 4444 (remote command shell); update antivirus signatures

SQL Slammer: Install the latest security update; block UDP port 1434

Download.Ject: Install the latest security update; increase security on the Local Machine zone in Internet Explorer; clean any infections related to IIS

Page 9

What Is Defense-in-Depth?

Using a layered approach:
Increases an attacker’s risk of detection
Reduces an attacker’s chance of success

Layer: Examples of controls

Policies, procedures, and awareness: Security policies, procedures, and education

Physical security: Guards, locks, tracking devices

Perimeter: Firewalls, border routers, VPNs with quarantine procedures

Internal network: Network segments, IPSec, NIDS

Host: OS hardening, authentication, update management, antivirus updates, auditing

Application: Application hardening

Data: Strong passwords, ACLs, encryption, EFS, backup and restore strategy

Page 10

Applying Defense-in-Depth to Malware Defense

Policies, procedures, and awareness

Physical security

Network defenses: Perimeter; Internal network

Client defenses: Host; Application; Data

Server defenses: Host; Application; Data

Page 11

Implementing Host Protection Policies, Procedures, and Awareness

Recommended policies and procedures include:

Host protection defense policies: Scanning policy; Signature update policy; Allowed application policy

Network defense policies: Change control; Network monitoring; Attack detection; Home computer access; Visitor access; Wireless network policy

Security update policy:

1. Assess environment to be updated

2. Identify new updates

3. Evaluate and plan update deployment

4. Deploy the updates

Page 12

Implementing Physical Security and Antivirus Defense

Elements of an effective physical defense plan include:

Server computers

Network access points

Premises security

Personnel security

Mobile computers and devices

Workstation computers

Page 13

Protecting Client Computers: What Are the Challenges?

Challenges related to protecting client computers include:

Data challenges:
• Implementing data storage policies
• Implementing data security
• Regulatory compliance

Application challenges:
• Controlling application usage
• Secure application configuration settings
• Maintaining application security updates

Host challenges:
• Maintaining security updates
• Maintaining antivirus software
• Implementing a personal firewall

Page 14

Implementing Client-Based Malware Defense

Steps to implement a client-based defense include:

1. Reduce the attack surface

2. Apply security updates

3. Enable a host-based firewall

4. Install antivirus software

5. Test with configuration scanners

6. Use least-privilege policies

7. Restrict unauthorized applications

Page 15

Configuring Applications to Protect Client Computers

Applications that may be malware targets include:

E-mail client applications

Desktop applications

Instant messaging applications

Web browsers

Peer-to-peer applications

Page 16

Managing Internet Explorer Browser Security

Security feature: Description

MIME security improvements: Consistency checks; stricter rules

Better security management: Add-on control and management features; better prompts; new script-initiated windows restrictions

Local Machine zone: Ability to control security in the Local Machine zone

Feature Control Security Zone settings: MIME sniffing; security elevation; windows restriction

Group Policy settings: Administrative control for feature control security zones

Page 17

Protecting Client Computers: Best Practices

Identify threats within the host, application, and data layers of the defense-in-depth strategy

Implement software restriction policies to control applications

Implement an effective security update management policy

Implement an effective antivirus management policy

Use Active Directory Group Policy to manage application security requirements

Page 18

What Is Server-Based Malware Defense?

Basic steps to defend servers against malware include:

Reduce the attack surface

Analyze using configuration scanners

Enable a host-based firewall

Apply security updates

Analyze port information
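As an added example (not part of the presentation), the "analyze port information" step above combined with the port list from the Page 8 defense-method table: parse a host's `netstat -an` output and report which open sockets match ports the table says to block for a named worm. The `netstat` sample is constructed for this example, and the worm-to-port mapping is taken from the table as written.

```python
# Added example: check a host's open sockets against the ports the worm defense table
# on Page 8 says to block. The netstat sample below is constructed, not captured.
import re

WORM_PORTS = {                      # (protocol, port) pairs named per malware on Page 8
    "Mydoom": {("tcp", 1034)},
    "Sasser": {("tcp", 445), ("tcp", 5554), ("tcp", 9996)},
    "Blaster": {("tcp", 135), ("tcp", 139), ("tcp", 445), ("tcp", 593), ("tcp", 4444),
                ("udp", 135), ("udp", 137), ("udp", 138), ("udp", 69)},
    "SQL Slammer": {("udp", 1434)},
}

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:4444      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49152     10.0.0.5:443           ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:1434           *:*
"""

# Matches Windows-style `netstat -an` rows: proto, local addr:port, foreign addr, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def open_sockets(netstat_text):
    """Return the (proto, port) sockets that accept inbound traffic: TCP only when
    LISTENING, UDP always (it carries no connection state)."""
    sockets = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header line or an unexpected format
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        sockets.add((proto.lower(), int(port)))
    return sockets

def exposed_worm_ports(netstat_text):
    """Map each malware from the table to the open sockets it used on this host."""
    sockets = open_sockets(netstat_text)
    return {worm: sorted(ports & sockets) for worm, ports in WORM_PORTS.items() if ports & sockets}

if __name__ == "__main__":
    for worm, ports in exposed_worm_ports(SAMPLE_NETSTAT).items():
        print(f"{worm}: " + ", ".join(f"{p}/{n}" for p, n in ports))
```

A match means only that a port the table names is open, not that the host is vulnerable; the update status from the same table row decides that.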

Page 19

Protecting Servers: Best Practices

Consider each server role implemented in your organization and implement host protection solutions specific to that role

Stage all updates through a test environment before releasing into production

Deploy regular security and antivirus updates as required

Implement a self-managed host protection solution to decrease management costs

Page 20

Protecting the Network: What Are the Challenges?

Challenges related to protecting the network layer include:

Balance between security and usability

Lack of network-based detection or monitoring for attacks

Page 21

Implementing Network-Based Intrusion-Detection Systems

Important points to note:

Network-based intrusion-detection systems are only as good as the process that is followed once an intrusion is detected

ISA Server 2006 provides network-based intrusion-detection abilities

Provides rapid detection and reporting of external malware attacks

Network-based intrusion-detection system

Page 22

Implementing Application Layer Filtering

Application layer filtering includes the following:

Web browsing and e-mail can be scanned to ensure that content specific to each does not contain illegitimate data

Deep content analyses, including the ability to detect, inspect, and validate traffic using any port and protocol
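As an added example (not the presentation's own code), the kind of consistency check behind both the Internet Explorer "MIME security improvements" on Page 16 and the deep content analysis described here: compare the declared Content-Type of a response with its leading bytes and refuse to pass executable content that is labelled as something passive. The signature table and sample responses are constructed for this example.

```python
# Added example: declared-type vs. sniffed-type consistency check for a content filter.
# Signature table and sample responses are constructed for this example.

SIGNATURES = {                            # leading bytes -> MIME type implied by the content
    b"MZ": "application/x-msdownload",    # Windows PE executable
    b"PK\x03\x04": "application/zip",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"%PDF": "application/pdf",
}
PASSIVE_TYPES = {"text/plain", "text/html", "image/gif", "image/png"}
EXECUTABLE_TYPES = {"application/x-msdownload"}

def sniff_type(data):
    """Return the MIME type implied by the leading bytes, or None if no signature matches."""
    for magic, mime in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None

def check_content(declared_type, data):
    """Decide how a filter should treat one response body.

    Returns (verdict, sniffed_type): 'allow' when label and bytes agree (or the bytes carry
    no known signature), 'block' when executable bytes hide behind a passive label, and
    'quarantine' for any other label/content mismatch that needs a closer look.
    """
    declared = declared_type.split(";")[0].strip().lower()   # drop "; charset=..." parameters
    sniffed = sniff_type(data)
    if sniffed is None:
        return "allow", None
    if sniffed in EXECUTABLE_TYPES and declared in PASSIVE_TYPES:
        return "block", sniffed
    if sniffed != declared:
        return "quarantine", sniffed
    return "allow", sniffed

# Constructed sample responses: (declared Content-Type, first bytes of the body).
SAMPLE_RESPONSES = [
    ("image/gif", b"GIF89a\x01\x00\x01\x00"),
    ("text/plain", b"MZ\x90\x00\x03\x00\x00\x00"),        # PE file labelled as plain text
    ("image/png", b"PK\x03\x04\x14\x00"),                 # ZIP labelled as PNG
    ("text/html; charset=utf-8", b"<html><body>"),
]

def filter_responses(responses):
    """Return the verdict for each sample response, in order."""
    return [check_content(t, body)[0] for t, body in responses]

if __name__ == "__main__":
    for (declared, _), verdict in zip(SAMPLE_RESPONSES, filter_responses(SAMPLE_RESPONSES)):
        print(f"{declared:<28} -> {verdict}")
```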

Page 23

Protecting the Network: Best Practices

Have a proactive antivirus response team monitoring early warning sites such as antivirus vendor Web sites

Have an incident response plan

Implement automated monitoring and report policies

Implement ISA Server 2006 to provide intrusion-detection capabilities

Page 24

More advanced

More frequent

Profit motivated

Application-oriented

Too many point products

Poor interoperability

Lack of integration

Multiple consoles

Uncoordinated event reporting & analysis

Cost and complexity


Page 25

Protect Information and Control Access at

Operating system

Server applications

Network “edge”

Content

Heterogeneity

Third-party products

Secure custom apps

24/7 security research and response

Unified view and analytics

Reduced number of management consoles

Simplified deployment

Appliances and appliance-like experience

Technical and industry guidance

Simplified licensing

Cross-product integration

MSFT security products

MSFT server applications

Integration with Microsoft IT infrastructure

Active Directory®, SQL Server™, Operations Manager, etc.

Integration with ecosystem partners and custom apps


Page 26

One solution for spyware and virus protection

Built on protection technology used by millions worldwide

Effective threat response

One console for simplified security administration

Define one policy to manage client protection agent settings

Integrates with your existing infrastructure

One dashboard for visibility into threats and vulnerabilities

View insightful reports

Stay informed with state assessment scans and security alerts

Unified malware protection for business desktops, laptops and server operating systems that is easy to manage and control


Page 28

Security Summary

Page 29

Solution: Windows Vista™ / Forefront™ Client Security

Windows Vista™:
User Account Control
IE7 with Protected Mode
Randomize Address Space Layout
Advanced Desktop Firewall
Kernel Patch Protection (64bit)

Forefront™ Client Security:
Unified Virus & Spyware Protection
Central Management
Reporting, Alerting and State Assessment
Infrastructure Software Integration

Combined:
Policy Based Network Segmentation
Restrict-To-Trusted Net Communications
Server and Domain Isolation (SD&I)

Page 30

Guidance

Developer Tools

Systems Management

Active Directory Federation Services (ADFS)

Identity Management Services

Information Protection

Client and Server OS

Server Applications

Edge

Page 31

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.