Endpoint Security Management 2 - Bitpipe

Transcription

Endpoint Security Management

Endpoint security management is in transition. Signature-based antivirus has been criticized repeatedly as an outdated way to defend against attacks, but for most organizations it remains a must-have due to compliance mandates. This TechGuide will help security professionals develop their endpoint security management transition plan, emphasizing the key factors to consider during the next 12 months.

1 EDITOR’S NOTE
2 ENDPOINT SECURITY: IMPROVING WEB-BASED MALWARE DETECTION
3 SECURE WEB GATEWAY OVERVIEW: IMPLEMENTATION BEST PRACTICES
4 APPLICATION WHITELISTING: AN EXTRA LAYER OF MALWARE DEFENSE

1 EDITOR’S NOTE

Understanding the Endpoint Security Management Transition

The frustrations of endpoint security management have become more evident than ever. It’s clear that signature-based antimalware can’t handle the evolving demand for endpoint security, but due to compliance and regulatory mandates, as well as uncertainty of how to replace legacy tools, many CISOs want to stick with their existing strategy. All the while, vendors are coming out with alternative endpoint defense technologies, which presents organizations with the challenge of figuring out which products are worth the investment.

We explore the steps to take in redefining and transitioning your endpoint security management strategy to fit the growing requirement for defending against malware. First, Spyro Malaspinas discusses what’s next in enterprise malware detection technology and explores Web-based malware detection alternatives such as content filtering and browser-based security.

Next, Michael Cobb discusses implementation best practices for a secure Web gateway. He explains that companies should ensure that the selected Web security gateway successfully integrates with other existing endpoint security products. With the majority of malware still arriving via the Web, it’s a product category all enterprises should consider.

Finally, Eric Ogren explains the importance of using application whitelisting (AWL) as an added layer of malware defense. Despite past confusion among enterprises about the difficulty that comes with managing AWL, more companies are using it to improve endpoint security. With a deeper understanding of how companies can apply AWL, the technology could serve as a significant piece of a larger endpoint management strategy in the future.

Rachel Shuster
Associate Managing Editor, Security Media Group

2 WEB-BASED MALWARE

Endpoint Security: Improving Web-Based Malware Detection

Antimalware has been steadily losing its effectiveness over the last few years, yet it remains a security staple among CISOs. The choice to stick with antimalware as a component of an enterprise endpoint protection program usually hinges on the need to satisfy compliance and regulatory mandates such as PCI DSS and HIPAA, the continued inclusion of antimalware on security “best” practices lists or the uncertainty of how to replace what’s been the legacy endpoint security tool of choice for the last three decades.

Regardless of the reason, it’s becoming increasingly evident that adversaries have been successful in crafting malware to avoid detection by the leading antimalware products, particularly Web-based malware defenses.

Some staggering facts:

According to a 2012 Sophos report, 85% of all malware (viruses, worms, spyware, adware and Trojans) comes from the Web; drive-by downloads are considered to be the largest Web threat.

Sophos also reports that 30,000 websites are infected daily; 80% are legitimate sites that have been hacked so that cybercriminals can use them to host malicious code.

Content Agnostic Malware Protection (CAMP), a malware-detection component that Google Inc. built into its Chrome Web browser earlier this year, was able to detect more than 5 million malware downloads per month.

CAMP detected malware at a rate of 99%, which decimated four leading security vendors’ Web-based antivirus products: McAfee Inc. SiteAdvisor, Symantec Corp. Safe Web, Trend Micro Site Safety Center and Google’s own Safe Browsing. In a recent comparison conducted by Google, collectively these products were able to detect 40% of the malicious code they encountered. The top-performing product was only able to detect 25% of the malicious code.

Following the test, Google’s CAMP Project selected 2,200 previously unknown binaries and submitted them to VirusTotal, a service that facilitates the creation of antivirus signatures for newly discovered malicious code. After 10 days, 99% of the binaries that CAMP detected were discovered by only 20% of the antivirus products mentioned above.

In case it wasn’t already painfully obvious, these data points illustrate just how inadequate signature-based antimalware products have become. Traditional antivirus products can no longer be trusted to detect malware, period. Yet if signature-based antimalware is the wrong tool, what are the right tools? Do they even exist? I say they do, with some caveats.

MALWARE DETECTION ALTERNATIVES

Like all security pickles, the solution is not a one-size-fits-all approach. There are a variety of tools and approaches that can be used in concert to achieve a much higher level of security for endpoints, both within the data center walls and in the hands of employees, but mileage may vary based on the unique challenges each organization faces.

Content filtering: Because 85% of all malware is distributed via the Web (with drive-by downloads being the biggest threat) it only makes sense to provide some level of content filtering within your enterprise. There are two key types of defensive tools that can—and should—be widely deployed:

Web proxies: The number of vendors here is in the double digits, and the technology has been around for quite some time. Companies like Blue Coat Systems Inc. and Websense Inc. offer subscription-based services where sites can be permitted or blocked based upon policy.
Additionally, these services provide intelligence and dynamic updates to keep users from visiting known malicious sites. The caveat here is that these products aren’t able to detect zero-day exploits and, as with signature-based antimalware, there are delays in getting the bad sites identified and signatures pushed out. While Web proxies may be just one link in the armor, they are an important one.

DNS filtering: Tools like Open DNS actively prevent users from visiting known harmful sites by blacklisting domains so a user can’t even browse to them. It also offers a whitelisting service. Open DNS users benefit from millions of users collaborating to provide faster intelligence about the estimated 30,000 new sites that are infected with malware each day. Implementation is straightforward and there are a number of big-name clients that use this service as a first line of defense in protecting Web users. The best part? These services don’t require expensive on-premises appliances.

Browser-based security: Web browser components similar to Microsoft’s Smart Screen (a part of Internet Explorer 8 and above) have been effective in keeping users from visiting malicious sites. According to Microsoft, Smart Screen has blocked more than 1 billion attempted downloads of malicious code to date. Google CAMP is another initiative that allows Google Chrome users to take advantage of Google’s vast and dynamic knowledge base about malicious sites.

Host based anomaly/forensic tools: These are still maturing in the market but offer significant new defensive capabilities geared toward the more prized assets of a company: database servers, financial systems, email servers and executives’ and other high-risk users’ systems. In theory, an agent sits on each endpoint and first develops a baseline of a system’s normal activities (applications run, network connections/shares opened, memory calls, open sockets and files accessed, among other things).
Once a baseline is complete, these agents then continue to monitor the system, looking for irregular activity that may be malicious.

Some of these product vendors have partnered with other vendors and service providers, like VirusTotal, and automatically upload suspicious or unknown binaries for analysis when a user downloads an application or binary from the Internet, an email or even a USB drive.

The tools can also provide significant advantages in the event of a breach. In a normal breach situation, forensic tools are installed on compromised systems after the breach. However, some vendors—such as Carbon Black, Mandiant Corp., and Guidance Software Inc.—offer pre-installed forensic tools that offer visibility into what may have happened before the breach, what led to the breach and what happened as a result of the breach.

Virtualization protections: Yet another technology that has been gaining momentum during the last three years has been security through virtualization or isolation. These technologies don’t rely on reactive detection through signatures or blacklists.

Through virtualization and isolation, vendor Bromium Inc. seeks to isolate each process and application on a computer on top of its own micro virtual machine. These micro VMs operate in a cloud formation on the local host, thereby separating out processes such as those associated with Web browsers, office suites and email.

Alternatively, FireEye Inc. offers a virtualization container that allows security professionals to evaluate suspected malware in a controlled environment, thus allowing for analysis without subjecting the rest of the environment to the unknown risks of foreign code. Analysts can replay suspected attacks and examine compromised virtualized systems with malware code to benchmark and identify malicious behavior. This information can then be used to fingerprint similar behavior across other systems and networks.

Because malware is constantly evolving, relying on a singular defensive system or even the same combination of defenses for an extended period of time is often a foolish choice. Companies cannot assume that the tools they use to protect their most prized IT assets today can be used five years from now. So as the transition away from signature-based antimalware to these new techniques begins, remember that it is essential to reevaluate the threat environment on an ongoing basis and make adjustments accordingly.

—Spyro Malaspinas
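The host-based anomaly tools described in this article first learn a baseline of normal activity and then flag deviations from it. The sketch below is an added illustration of that two-phase idea, not code from the article or from any vendor it names; the event tuples, host names and the min_seen threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed events: (host, process, kind, detail). Not real telemetry.
BASELINE_EVENTS = 3 * [
    ("db01", "postgres", "exec", "/usr/lib/postgresql/bin/postgres"),
    ("db01", "postgres", "connect", "10.0.5.20:5432"),
    ("db01", "backup-agent", "connect", "10.0.9.4:443"),
] + [
    ("db01", "backup-agent", "connect", "10.0.9.9:22"),   # one-off during learning
]

LIVE_EVENTS = [
    ("db01", "postgres", "connect", "10.0.5.20:5432"),     # normal
    ("db01", "postgres", "connect", "203.0.113.77:443"),   # known process, new destination
    ("db01", "backup-agent", "connect", "10.0.9.9:22"),    # rare in baseline
    ("db01", "updater.tmp", "exec", "/tmp/updater.tmp"),   # process never baselined
    ("web02", "nginx", "exec", "/usr/sbin/nginx"),         # host with no baseline
]


def build_baseline(events):
    """Learning phase: count each (kind, detail) pair per host and process."""
    baseline = defaultdict(lambda: defaultdict(Counter))
    for host, process, kind, detail in events:
        baseline[host][process][(kind, detail)] += 1
    return baseline


def find_anomalies(baseline, events, min_seen=2):
    """Monitoring phase: report activity the baseline does not support.

    min_seen guards against trusting something observed only once while
    learning, which matters if the host was already compromised then.
    """
    findings = []
    for host, process, kind, detail in events:
        if host not in baseline:
            reason = "host has no baseline"
        elif process not in baseline[host]:
            reason = "process never seen during baseline"
        else:
            seen = baseline[host][process][(kind, detail)]  # 0 if absent
            if seen == 0:
                reason = f"new {kind} activity for known process"
            elif seen < min_seen:
                reason = f"{kind} activity seen only {seen}x in baseline"
            else:
                continue  # matches the learned normal behaviour
        findings.append((host, process, detail, reason))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_EVENTS), LIVE_EVENTS):
        print(" | ".join(finding))
```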

3 BEST PRACTICES

Secure Web Gateway Overview: Implementation Best Practices

A Web security gateway can greatly improve an organization’s overall security posture, but it is not a “deploy and forget” product. The way in which a secure Web gateway is deployed, configured and maintained affects the level of security it delivers.

I’ll discuss how to maximize an investment in a Web security gateway through optimal deployment, configuration and maintenance.

CHOOSING A WEB SECURITY GATEWAY DEPLOYMENT STRATEGY

To maximize the benefits of a Web security gateway, an enterprise must establish clear security objectives and understand the pros and cons of various deployment strategies. Although traditional physical on-premises appliances are still popular, there’s growing interest in virtual appliances. Cloud-based Web security gateway services are increasing in popularity due to their relative ease of implementation. In fact, many such products now make use of cloud-based services to provide live URL lookups and reputation services; hybrid deployments that combine on-premises, managed and cloud-based elements are becoming quite common.

The key to success is to choose a product or service that will integrate with the existing IT infrastructure, specifically security infrastructure, and be able to handle current and future network traffic loads. Offerings optimized for small and medium-sized businesses offer protection against basic threats and are easier to manage, while enterprise-grade products and services offer greater protection against advanced and targeted threats, but require more skills and resources to manage.

Cloud-based and managed appliances are often a good choice for enterprises with restricted in-house resources or skills. However, these options mean the organization’s data passes through, and is accessible by, third-party systems and personnel, so don’t forget to take into account any applicable regulatory compliance requirements. Also, one slight disadvantage relative to an on-premises Web security gateway is that bandwidth and application controls cannot be used to keep unwanted traffic off the Internet pipe because it has to travel to the cloud service for analysis.

With an on-premises Web security gateway, a proxy architecture is most effective. By forcing all Web traffic to terminate at the secure Web gateway, the proxy architecture can allow or block any traffic before it enters or leaves the network. With an inline passive monitoring-style deployment (also known as a TAP deployment), traffic is duplicated and forwarded to the Web security gateway for analysis. If the gateway doesn’t detect a threat in time, it could be too late to completely stop it because traffic isn’t being intercepted as with an inline proxy configuration. A TAP deployment is easier to deploy and change, and is fine for enforcing organizational policy, but it’s definitely not a reliable safeguard against Web-borne threats.

Many firewall vendors have begun incorporating Web security gateway functionality into their products, but the complexity of modern threats rules out such unified threat management devices for enterprise networks. For high-volume networks, it may be better to use a firewall to first filter and block inappropriate low-level network traffic, such as disallowed protocols or port requests, before it’s passed to the Web security gateway. This way, the right balance between performance and in-depth analysis can be achieved.

INTEGRATING A WEB SECURITY GATEWAY

Existing security controls must work properly prior to a Web security gateway deployment; otherwise it will merely provide limited cover for poorly implemented security controls and won’t provide additional protection. For example, be sure to review the organization’s network topology, given that the Web security gateway adds a new device to it, and ensure that it is properly segmented with trust boundaries between different classifications of data and processes.

Also, survey the other security devices on the network, confirm which threats they are configured to mitigate and document the rules and filters they use to enforce security policy. Detail who collates this information and how it is reviewed. It’s important to avoid a situation in which neither the Web security gateway nor endpoint devices are protecting against a particular threat.

As employees are a key part of any organization’s security posture, ensure they are being educated about the latest social engineering attacks. Teaching them how to identify a potential attack or recognize a malicious link means you’re not solely reliant on your Web security gateway to prevent Web-borne attacks from succeeding.

MAPPING ACCEPTABLE USE AND COMPLIANCE POLICIES TO RULE SETS

Controlling how employees use social websites is important. Although many such sites are valuable business tools, they can also pose security risks and reduce productivity. Web security gateways make it easier to implement complex rules that enforce security policy because they offer visualization of network traffic. Observing information such as bandwidth use or sites visited in real time allows administrators to fine-tune acceptable usage and security rules to optimize productivity and security.

Fine degrees of granular control offered by Web security gateways mean that rules can be applied to specific applications rather than having blanket allow or deny rules controlling ports and protocols. Being able to grant bandwidth priority to critical applications means enterprises don’t have to prevent all employees from using certain Web applications and losing out on the potential benefits of cloud and mobile apps, while still being able to effectively enforce security policies.

INVESTIGATING ALERTS AND IMPROVING RULE SETS

A Web security gateway produces alerts when a rule is broken or a threshold is reached. Procedures need to be in place to deal with them to ensure a quick, effective, consistent and organized response. The prioritization of events is very important, particularly if there are multiple incidents to deal with. Incidents involving high-value or business-critical systems or data, or those where there’s a danger of further compromise, should be investigated first.

Finally, to evaluate a secure Web gateway’s effectiveness, record the types, numbers and costs of incidents as well as alerts. Constant monitoring of the Web security gateway dashboard and the visual mapping of traffic types enables administrators to reduce the number of false alerts and improve rules affecting bandwidth. It is also important to establish an audit procedure to check that rule sets are enforcing security policy correctly.

—Michael Cobb

4 APPLICATION WHITELISTING

Application Whitelisting: An Extra Layer of Malware Defense

Application whitelisting makes too much pragmatic sense to not have appeal as an antimalware mechanism. Intuitively, a technology operating in the kernel that detects suspicious changes in an IT-controlled software configuration should be easier to scale than a technology that looks at all files to identify and clean attacks.

Application whitelisting (AWL) came onto the security scene several years ago with an active approach to combat the success of malware infiltrating endpoints. Signature-matching antivirus hasn’t been able to keep pace with the volume of new attacks. Although antivirus scans are meant to detect attacks against their blacklist of malware signatures, attacks continue to sneak through, undetected by security software. In contrast, AWL validates that the program the user requests to run is on the IT-approved software list and analyzes the integrity of the program before making an allow or block decision. The whitelist approach of approved applications and programs is a valuable, manageable and effective layer of defense that can complement the attack blacklist approach favored by antivirus vendors.

Unfortunately, application whitelisting followed the path of host intrusion prevention, with vendors positioning the technology as a replacement for antivirus. This confused enterprise security organizations and created a competitive environment where security vendors are not cooperating to solve a critical business problem for customers.

Fortunately, there has been traction in enterprise accounts for a coordinated malware defense of application whitelisting and antivirus products. There are practical ways for using AWL today to improve endpoint security. And, with some improvements, the technology could serve as a significant layer of a larger endpoint management strategy in the future.
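The allow-or-block decision described above (the requested program must be on the IT-approved list and its integrity is checked before launch) can be sketched as follows. This is an added example, not code from the article or from any AWL product; the file names and contents are constructed stand-ins, and it assumes a user-space check purely for illustration, whereas the article describes enforcement in the kernel.

```python
import hashlib
import os
import tempfile

CHUNK = 65536


def sha256_file(path):
    """Stream the file so large binaries are hashed without loading them whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_approved_list(paths):
    """IT-approved software list: resolved path -> SHA-256 recorded at approval."""
    return {os.path.realpath(p): sha256_file(p) for p in paths}


def launch_decision(path, approved):
    """Return (verdict, reason) for a launch request; default is block."""
    real = os.path.realpath(path)  # decide on the file that would actually run
    expected = approved.get(real)
    if expected is None:
        return ("block", "not on approved list")
    try:
        actual = sha256_file(real)
    except OSError:
        return ("block", "cannot read program to verify integrity")
    if actual != expected:
        return ("block", "approved program modified since approval")
    return ("allow", "on approved list and integrity verified")


def demo():
    """Constructed sample: stand-in 'programs' in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        editor = os.path.join(d, "editor.bin")
        backup = os.path.join(d, "backup.bin")
        dropped = os.path.join(d, "dropped.bin")
        for p, body in ((editor, b"editor v1"), (backup, b"backup v1")):
            with open(p, "wb") as fh:
                fh.write(body)
        approved = build_approved_list([editor, backup])
        # After approval: one approved program is altered, one new file appears.
        with open(backup, "ab") as fh:
            fh.write(b" tampered")
        with open(dropped, "wb") as fh:
            fh.write(b"unlisted program")
        requests = (("editor", editor), ("backup", backup), ("dropped", dropped))
        return {name: launch_decision(p, approved) for name, p in requests}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:8} {verdict:5} {reason}")
```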

NO ANTIVIRUS KILLER

The surge in malware creates expensive problems for businesses by placing regulated data at risk and disrupting IT operations to clean infected devices. Application whitelisting tries to tackle the problem based on these premises:

Only malware changes programs without IT knowledge. Malware needs to modify executable programs to launch attacks and survive reboot cycles on the endpoint. A pragmatic alternative to scanning for malware is to detect changes to programs that are not associated with patches or software upgrades.

Identifying compliant configurations is easier than identifying malware. Through the first three quarters of 2010, McAfee Labs identified more than 14 million unique pieces of malware, a rate of more than 60,000 new infections per day, continuing the trend of year-over-year growth in malware. Intuitively, checking a list of valid software configurations in real time is a smaller problem to solve than checking files for traces of malware.

The concept of trusted sources, fueled by feeds from software vendors, simplifies management of compliant configurations. Platform vendors, especially Microsoft, automatically supply application whitelisting vendors with detailed information on the files contained in released software products. This relieves IT of the burden of having to figure out what is legitimate system software so it can focus on defining approved custom applications.

However, the shared belief that there must be a better way to secure endpoints led to the positioning of application whitelisting as an antivirus replacement. Every application whitelisting vendor believed that AWL would put antivirus on the road to obsolescence. Ultimately, the technology has not been able to supplant the antivirus grip on endpoint security because it does not by itself fundamentally solve the malware problem. AWL has proven to be very effective in the hands of skilled IT, but there are flaws that affect usability and security that have yet to be overcome:

Most organizations cannot lock down user endpoints. The concept of locking down IT policy-compliant endpoint configurations sounds good in theory, but in practice, users need the flexibility to install applications and personalize their PCs. Too tight a lockdown of the endpoint disrupts user productivity; too light a lockdown weakens the security benefits of application whitelisting.

Many threats are delivered as active code through the browser and do not modify whitelisted programs. Application whitelisting is good at making “allow” or “block” decisions when a program is launched, but cannot easily make decisions on active code that is delivered to the browser. The problem becomes worse as users grow more dependent on browser-driven applications. The browser is now the target of choice for malware developers.

IT security teams are forced to decide which user applications should be allowed or blocked. IT must not only deploy and administer an additional endpoint security product, but it must also make timely allow/block policy decisions on user application requests. Although automatically allowing applications from trusted sources saves time, security teams must be willing to commit extra time for application whitelisting support.

Application whitelisting vendors have been challenged to establish AWL as a vibrant segment of the endpoint security market. Lumension, McAfee and Microsoft have integrated application whitelisting into next generation endpoint security and management solutions, while Bit9 and CoreTrace remain as the major independent whitelisting suppliers. Thus far, enterprise security teams have spoken via product purchase decisions and the verdict is that application whitelisting is finding broader appeal as a key element of a comprehensive endpoint security strategy rather than an outright replacement for antivirus.

There are important business considerations that application whitelisting has not been able to overcome. One is that the technology is an incremental product to purchase and administer. Enterprise security budgets for endpoints are committed to antivirus, and that is not going to change with compliance mandates and the absence of reasonable alternatives.

In addition, application whitelisting has been unable to overcome resistance from the antivirus industry with its lucrative subscription revenue streams to protect. While antivirus vendors are in the business of protecting endpoints, they must be careful not to devalue their solutions by being too quick to embrace innovative approaches. For instance, most antivirus vendors tell sales prospects they have whitelisting; although they’ll also say it’s not application whitelisting that makes allow or block decisions on program launch requests, but rather a performance-enhancing technique indicating that a file has been unchanged since the last scan (so only new signatures need to be checked). It’s hard to imagine many AV vendors admitting they need application whitelisting when their business depends upon scanning for attacks. This resistance has caused confusion among IT decision makers.

BEST PRACTICES FOR THE SHORT TERM

There is no question that application whitelisting works well to protect executables, providing a defense against zero-day attacks and custom attacks that evade antivirus detection. AWL backs up AV and detects unauthorized modifications to programs and enforces security policy, either allowing the program to run or blocking execution of the program.
AWL’s ability to look inward towards compliant software configurations for symptoms of an attack provides a complementary layer to AV’s ability to mitigate damage from identified attacks. In the short term, organizations using the combined strengths of both approaches will enhance their resistance to malware outbreaks.

Use application whitelisting to secure system-level components and antivirus to vigorously scan other programs. Best practices call for locking down critical software against unapproved changes, blocking execution of unauthorized user-installed programs, and closely monitoring the use of all other programs. Programs delivered from trusted sources that are unmodified copies from the distribution media do not need to be scanned for attacks. Security teams can focus the separation of security powers by coordinating application whitelists with antivirus exclusion lists to reduce functionality overlap and increase performance.

Evaluate integrated management of endpoint security technologies. Vendors are integrating application whitelisting, antivirus, patch management and application intelligence into single endpoint security management consoles. An integrated approach can save administration time and effort, and also ensure there are no gaps in security coverage.

Prioritize computing assets requiring application whitelisting defenses. Mission-critical command-and-control stations, IT operations and service desk computers, and sensitive servers are more appropriate for cooperative AWL and AV solutions than devices that require a higher level of user application customization. Start deploying application whitelisting to bolster antivirus defenses on devices that are needed to keep the technical infrastructure operational, even in the face of a new attack.

AWL’S ROLE IN FUTURE SECURITY STRATEGIES

The concept of a balanced approach to endpoint security with application whitelisting is compelling, with the technology evolving to support next-generation endpoint security strategies. There has to be a significant role for application whitelisting to play as organizations evolve their physical devices, deploy virtualization services for desktops, and shift their infrastructure into the cloud and handheld devices. While it is not clear what direction application whitelisting will take, these are some areas that demand attention in order for whitelisting to remain viable in the future:

Extend the concept of trusted sources to include applications and active code from Web downloads. While this may sound like a tall order, electronic storefronts, such as Apple’s, already employ a form of application whitelisting; an iPad or iPhone does not allow an unauthorized program or modified program to run. Application whitelisting vendors can federate trusted sources, perhaps with reputation-based services, to provide more protection against browser-based attacks.

Automate reporting of application intelligence. It will take years for organizations to evolve to application-centric firewalls. However, application whitelisting already produces intelligence on actual application usage on a user-by-user basis. Reporting application intelligence derived from whitelisting through systems such as a SIEM or protocols li
