Endpoint Protection Application and Device control to dynamically control storage devices

Presentation Transcript

Endpoint Protection Application and Device Control to dynamically control storage devices: From kludge to B.A.U.

Rich Bagurdes, CISSP

Consultant - Threat Intelligence

January 2014

Chicago User Group – January 2014


SEP ADC Storage Control Agenda

  1. Intro
  2. Problem Statement
  3. Requirements
  4. Design/Logic
  5. Policy Walkthrough
  6. Reporting
  7. Summary

V2.0



Intro

  • Started out in IT in 1997

    • Finance, Telecom, .com startups…

  • 13 years at Discover

    • 5 years

      • Datacenter design

      • OS2/Windows Engineering

      • Patch Management

    • 8 years InfoSec

      • Endpoint protection engineer

        • AV/HIPS/Encryption…



Problem Statement: Control Storage Devices

  • 2000-2007 – Administrative controls

    • Written policies – what can be attached

    • Purse strings – prevent users and managers from acquiring devices

  • 2007-2011 – Technical controls

    • Microsoft GPOs – often didn’t apply – weak enforcement

    • No reporting – fire and forget, or spray and pray…

    • Business reluctance

  • 2011 - Present

    • Top-down decision – set at CIO level

    • Flexible but secure system

    • User self-service

    • Detailed reporting (entitlement and actual use)

  • Future

    • DLP


Requirements: What you need to succeed!

  • Political support and good documentation

  • Windows XP – Windows 7

    • XP requires KB943729 (Group Policy Preference Client Side Extensions)

    • Active Directory functional level > 2008

  • SEP 12 with Application and Device Control AND Network Threat Protection (NTP)

  • Groups and GPOs to support 4 functional roles

    • Execute/Write/Read

      • Operations, End User Support, BCP users

    • Write/Read

      • VPs and above, select groups that frequently write data (from previous analysis)

    • Read

      • Default for everyone

    • Lockdown

      • Contractors, offshore, PCI, PII, etc.

  • Employee self-service

    • Centralized control, approval workflow


Design and Logic: How does this all work?

  • AD groups, AD policies and Security Filtering

    • 1:1:1 mapping: Group → GPO → Location

      • Plus one catch-all

    • GPO Security Filtering

      • Only members of the AD group hold Read and Apply Group Policy on the GPO, so only they “apply” it

    • If the policy is applied, a registry key is set

      • HKLM – a single value name whose value data differs per GPO

      • HKCU – a key whose name changes per GPO

      • Permission keys

    • The registry keys are the triggers for SEP ADC

      • HKLM values are processed by Location Awareness (location switching)

      • HKCU keys are processed by the ADC policy directly


Policy Walkthrough: GPO Security Filtering

  • Security Filtering controls who receives the policy

    • Remove Authenticated Users

    • Allow only members of the AD group to read (and apply) the desired policy


Policy Walkthrough: Group and GPO details

  • Group Policy Preferences set the value under HKLM

    • String value (REG_SZ)

    • The Value Name is the same across all 4 GPOs; only the Value Data changes

      • “StorageKey” in the sample policies


Policy Walkthrough: SEP Locations

  • Create a location for every group, plus one (N+1)

    • Unassigned location (the +1)

      • Catches non-domain machines and machines that have not been configured yet

      • Should be the most common/default state – Read Only in our case

      • Notification messages are user friendly
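The chain the Design/Logic and SEP Locations slides describe (AD group → security-filtered GPO → one HKLM value → location → permissions, with the Unassigned catch-all) can be modelled end to end to check the entitlement logic before touching a single policy. The script below is an added example, not the deck's or Symantec's own tooling: the group names, location names, value data strings, permission sets and GPO link order are assumptions, and only the value name "StorageKey" comes from the deck. It also adds a check the deck implies but does not spell out: because all four GPOs write the same value name, a machine in two role groups only ever gets one of them (the highest-precedence GPO wins), so Lockdown is deliberately given the highest precedence here and multi-group members are reported.

```python
"""Model of the storage-control chain in this deck:
AD group -> security-filtered GPO -> HKLM StorageKey value -> SEP location -> permissions.
Added example, not the deck's own tooling; every group, location and value string
below is an assumption, and only the value name "StorageKey" comes from the deck."""

STORAGE_VALUE_NAME = "StorageKey"   # REG_SZ value name shared by all role GPOs

# Assumed 1:1:1 mapping. Each AD group filters exactly one GPO, whose GPP registry
# item writes this value data; SEP Location Awareness matches the data to a location.
ROLE_GPOS = {
    "SEP-Storage-Full":     ("full",     "Storage-Full",     frozenset({"read", "write", "execute"})),
    "SEP-Storage-Write":    ("write",    "Storage-Write",    frozenset({"read", "write"})),
    "SEP-Storage-Read":     ("read",     "Storage-Read",     frozenset({"read"})),
    "SEP-Storage-Lockdown": ("lockdown", "Storage-Lockdown", frozenset()),
}
# The N+1 catch-all: no value at all (non-domain, or not yet configured) -> read only.
UNASSIGNED = ("Unassigned", frozenset({"read"}))

# Assumed link order, lowest precedence first. All four GPOs write the *same* value
# name, so whichever is processed last wins; Lockdown is deliberately linked with the
# highest precedence so it beats any broader entitlement on the same machine.
LINK_ORDER = ("SEP-Storage-Read", "SEP-Storage-Write", "SEP-Storage-Full", "SEP-Storage-Lockdown")


def apply_gpos(member_of, domain_joined=True, link_order=LINK_ORDER):
    """Simulate security filtering plus the GPP registry item.

    member_of: groups of the principal (computer or user) the GPOs are filtered on.
    A GPO is applied only when that principal holds Read + Apply Group Policy via
    its filter group. Returns the resulting HKLM view as a dict."""
    registry = {}
    if not domain_joined:
        return registry                      # no GPO processing at all
    for group in link_order:                 # lowest precedence first
        if group in member_of:
            registry[STORAGE_VALUE_NAME] = ROLE_GPOS[group][0]   # last write wins
    return registry


def resolve_location(registry):
    """Location Awareness: the location whose registry condition matches, else the
    Unassigned catch-all. Returns (location name, permission set)."""
    data = registry.get(STORAGE_VALUE_NAME)
    for value, location, perms in ROLE_GPOS.values():
        if value == data:
            return location, perms
    return UNASSIGNED


def effective_permissions(member_of, domain_joined=True):
    """End-to-end: what a principal with these memberships actually gets."""
    return resolve_location(apply_gpos(member_of, domain_joined))


def find_conflicts(memberships):
    """Entitlement check for the reporting side: a principal in two role groups only
    ever lands in one location, so list them before someone files a ticket asking
    why their Write entitlement 'did not apply'."""
    conflicts = {}
    for principal, groups in memberships.items():
        roles = sorted(g for g in groups if g in ROLE_GPOS)
        if len(roles) > 1:
            conflicts[principal] = roles
    return conflicts


if __name__ == "__main__":
    fleet = {   # constructed inventory
        "WS-FIN-01":   {"Domain Computers", "SEP-Storage-Write"},
        "WS-EUS-07":   {"Domain Computers", "SEP-Storage-Full"},
        "WS-CONTR-03": {"Domain Computers", "SEP-Storage-Write", "SEP-Storage-Lockdown"},
        "WS-NEWIMAGE": {"Domain Computers"},
    }
    for host, groups in fleet.items():
        location, perms = effective_permissions(groups)
        print(f"{host:12} -> {location:17} {sorted(perms)}")
    print("laptop off the domain ->", effective_permissions(set(), domain_joined=False))
    print("conflicts:", find_conflicts(fleet))
```

The Unassigned result for the freshly imaged and the off-domain machine is the point of the N+1 design: anything the GPOs never reached stays read-only rather than open.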


Policy Walkthrough: Application Controls and Rule Sets

  • Unique ADC policy for each location

  • Rule set to control functions

  • Include a rule set to protect the Storage Control registry keys (otherwise a user with write access to those keys could set the value and move the machine into a more permissive location)

  • Use the Test and Production modes

    • A rule that would normally “prevent” an action can easily be turned into a “monitoring” policy with a mode flip


Policy Walkthrough: Application Rules

  • Every rule must have at least one application *

  • Rules are processed from the top down

  • Allow actions go before the block actions

  • Keep track of Rule Names, Actions and Severity

    • Important for later reporting and analysis

  • Concise/clear notifications on blocks, under 100 characters

  • USB flash drives and USB hard drives need different controls

    • Flash drives, floppy drives and CD/DVD drives are controlled via “Drive Type”

    • USB hard drives are controlled via the USBSTOR* device ID (most of them enumerate as a fixed drive type, so Drive Type does not catch them)

  • Restricting DVD/CD burning is very tricky

    • IMAPI restrictions by file hash + restricted apps + GPOs
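The ordering rules on this slide (top-down, first match wins, allow before block) and the Test/Production mode flip from the previous one are easiest to reason about with a small evaluator. This is an added example of that evaluation logic, not SEP's rule engine or any code from the deck: the rule names, process names, device ID strings and the lint checks are assumptions. It also covers the flash-drive vs USB-hard-drive distinction: the USB hard drive event is reported with a fixed drive type, so only the USBSTOR* device ID rule catches it.

```python
"""Top-down, first-match evaluation of an ADC-style rule set for removable storage,
with the Test/Production mode flip from the previous slide. Added example of the
ordering rules in this section, not SEP's rule engine; rule names, process names,
device strings and the lint checks are assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "block"
    operations: frozenset              # subset of {"read", "write", "execute"}
    processes: tuple = ("*",)          # every rule needs at least one application
    drive_types: frozenset = frozenset()   # "removable", "cdrom", "floppy": by Drive Type
    device_ids: tuple = ()             # device-ID patterns such as "USBSTOR*"
    severity: str = "Major"
    notification: str = ""             # shown on block; keep it under 100 characters


@dataclass(frozen=True)
class Event:
    process: str
    operation: str
    drive_type: str     # Windows reports most USB hard drives as "fixed", hence USBSTOR*
    device_id: str
    path: str


def matches(rule, ev):
    if ev.operation not in rule.operations:
        return False
    if not any(fnmatch(ev.process.lower(), p.lower()) for p in rule.processes):
        return False
    by_type = ev.drive_type in rule.drive_types
    by_id = any(fnmatch(ev.device_id.upper(), pat.upper()) for pat in rule.device_ids)
    return by_type or by_id


def evaluate(rules, ev, production=True):
    """Walk the rule set top down; the first matching rule decides.
    In Test mode a block is only logged and the action proceeds.
    Returns (decision, log record or None)."""
    for rule in rules:
        if matches(rule, ev):
            record = {"rule": rule.name, "action": rule.action, "severity": rule.severity,
                      "process": ev.process, "path": ev.path,
                      "mode": "production" if production else "test"}
            if rule.action == "block" and not production:
                return "allow", record          # monitoring only: the mode flip
            return rule.action, record
    return "allow", None                        # nothing named it: ADC does not act


def lint(rules):
    """Checks the slide's rules of thumb before the policy goes out."""
    problems, names, seen_block = [], set(), False
    for rule in rules:
        if not rule.processes:
            problems.append(f"{rule.name}: no application")
        if rule.action == "allow" and seen_block:
            problems.append(f"{rule.name}: allow rule placed after a block rule")
        seen_block = seen_block or rule.action == "block"
        if len(rule.notification) >= 100:
            problems.append(f"{rule.name}: notification is {len(rule.notification)} chars")
        if rule.name in names:
            problems.append(f"{rule.name}: duplicate rule name (breaks reporting)")
        names.add(rule.name)
    return problems


NOTE = "Removable storage is read-only on this PC. Ask the help desk to request write access."

# Constructed rule set for the Read-only location: allow exceptions first, then blocks.
READ_ONLY_RULES = (
    Rule("Allow BCP backup tool", "allow", frozenset({"write"}), processes=("bcpbackup.exe",),
         drive_types=frozenset({"removable"}), device_ids=("USBSTOR*",)),
    Rule("Block write flash/optical/floppy", "block", frozenset({"write"}),
         drive_types=frozenset({"removable", "cdrom", "floppy"}), notification=NOTE),
    Rule("Block write USB hard drive", "block", frozenset({"write"}),
         device_ids=("USBSTOR*",), notification=NOTE),
    Rule("Block execute from removable", "block", frozenset({"execute"}), severity="Critical",
         drive_types=frozenset({"removable"}), device_ids=("USBSTOR*",),
         notification="Running programs from removable media is not permitted."),
)
MISORDERED_RULES = (READ_ONLY_RULES[1], READ_ONLY_RULES[0]) + READ_ONLY_RULES[2:]

# Constructed events: a flash drive, a USB hard drive (fixed type), the internal disk
# and the backup tool that is supposed to be exempt.
FLASH_WRITE = Event("explorer.exe", "write", "removable", r"USBSTOR\DISK&VEN_SANDISK", r"E:\q4.xlsx")
USB_HDD_WRITE = Event("explorer.exe", "write", "fixed", r"USBSTOR\DISK&VEN_WD&PROD_ELEMENTS", r"F:\q4.xlsx")
INTERNAL_WRITE = Event("explorer.exe", "write", "fixed", r"SCSI\DISK&VEN_SAMSUNG", r"C:\q4.xlsx")
BCP_WRITE = Event("bcpbackup.exe", "write", "removable", r"USBSTOR\DISK&VEN_SANDISK", r"E:\bcp.bak")

if __name__ == "__main__":
    for ev in (FLASH_WRITE, USB_HDD_WRITE, INTERNAL_WRITE, BCP_WRITE):
        print(ev.process, ev.path, "->", evaluate(READ_ONLY_RULES, ev)[0])
    print("test mode:", evaluate(READ_ONLY_RULES, FLASH_WRITE, production=False))
    print("lint misordered:", lint(MISORDERED_RULES))
```

Swapping the first two rules is enough to silently break the backup exception: the block rule matches first and the allow below it is never reached, which is exactly what the lint check and a Test-mode run before go-live are for.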


Reporting: Native Tools

  • Potential for a lot of data

    • Consider users who frequently back up, or move many files around

  • Deep analysis is hard with native reporting

    • Logs: filter, export, filter in Excel, merge, repeat

  • Event logs: Monitors → Logs, then choose:

    • Log type = Application and Device Control

    • Log content = Application Control


Reporting: IT Analytics

  • IT Analytics or another analytics platform is needed

    • Count of writes or executions per user per month

  • Drill down to names of files written, types of USB devices in use, etc.

  • Track execution of unauthorized software and “portable” executables

  • Build your case for DLP
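The filter/export/merge loop on the Native Tools slide and the per-user, per-month figures this slide asks an analytics platform for can both be done from the exported log with a short script. This is an added example, not the deck's or Symantec's reporting code: the CSV below is a constructed export with assumed column names and rule names, not the exact SEP export layout, so remap the header names to your own export before running it over real data. The "Write to removable" rows are what a rule in Test mode produces ("Log Only"), the "Execute from removable" rows what a Production block produces.

```python
"""Reporting over an exported Application Control log: writes per user per month,
files written, devices used and executables launched from removable media. Added
example; the CSV below is a constructed export with assumed column names, not the
exact SEP export layout, so remap the header names to your own export first."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of what the native viewer exports after filtering on
# Log type = Application and Device Control, Log content = Application Control.
# "Log Only" rows come from rules running in Test mode; "Block" rows from Production.
SAMPLE_EXPORT = r"""Event Time,User Name,Computer Name,Rule Name,Action,Severity,Process,File Path,Device ID
2014-01-06 09:12:44,jdoe,WS-FIN-01,Write to removable,Log Only,Major,explorer.exe,E:\Q4-forecast.xlsx,USBSTOR\DISK&VEN_SANDISK
2014-01-06 09:13:01,jdoe,WS-FIN-01,Write to removable,Log Only,Major,explorer.exe,E:\Q4-forecast-v2.xlsx,USBSTOR\DISK&VEN_SANDISK
2014-01-14 17:40:09,jdoe,WS-FIN-01,Write to removable,Log Only,Major,robocopy.exe,E:\backup\payroll.csv,USBSTOR\DISK&VEN_SANDISK
2014-01-21 11:05:33,asmith,WS-OPS-03,Execute from removable,Block,Critical,E:\tools\putty.exe,E:\tools\putty.exe,USBSTOR\DISK&VEN_KINGSTON
2014-02-03 08:01:12,asmith,WS-OPS-03,Write to removable,Log Only,Major,explorer.exe,E:\notes.txt,USBSTOR\DISK&VEN_KINGSTON
2014-02-03 08:02:48,asmith,WS-OPS-03,Execute from removable,Block,Critical,E:\tools\nc.exe,E:\tools\nc.exe,USBSTOR\DISK&VEN_KINGSTON
"""

WRITE_RULES = {"Write to removable"}          # rule names the policy uses, by function
EXECUTE_RULES = {"Execute from removable"}    # (this is why rule names must stay stable)


def parse_export(text):
    """Rows as dicts with the timestamp parsed and a 'month' key added."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["Event Time"], "%Y-%m-%d %H:%M:%S")
        row["when"] = when
        row["month"] = when.strftime("%Y-%m")
        rows.append(row)
    return rows


def writes_per_user_month(rows):
    """Counter keyed (user, YYYY-MM) over write events: the per-month entitlement
    vs. actual-use figure the deck asks for."""
    return Counter((r["User Name"], r["month"]) for r in rows if r["Rule Name"] in WRITE_RULES)


def top_writers(rows, n=5):
    """Heaviest (user, month) pairs: backup scripts and file movers float to the top."""
    return writes_per_user_month(rows).most_common(n)


def files_written(rows, user):
    return sorted(r["File Path"] for r in rows
                  if r["User Name"] == user and r["Rule Name"] in WRITE_RULES)


def devices_per_user(rows):
    """Vendor strings pulled from the USBSTOR device ID, per user."""
    seen = defaultdict(set)
    for r in rows:
        for part in r["Device ID"].split("&"):
            if part.startswith("VEN_"):
                seen[r["User Name"]].add(part)
    return {user: sorted(v) for user, v in seen.items()}


def portable_executables(rows):
    """Executables launched from removable media, by file name: the 'portable apps'
    and unauthorized tools the deck says to track."""
    return Counter(r["Process"].rsplit("\\", 1)[-1].lower()
                   for r in rows if r["Rule Name"] in EXECUTE_RULES)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("writes per user/month:", dict(writes_per_user_month(rows)))
    print("top writer:", top_writers(rows, 1))
    print("jdoe wrote:", files_written(rows, "jdoe"))
    print("devices:", devices_per_user(rows))
    print("executed from removable:", portable_executables(rows))
```

Everything here keys on the Rule Name column, which is why the earlier slide insists on tracking rule names, actions and severities: rename a rule and every monthly count built on it silently drops to zero.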


Summary: Important points

  • Support from the top

  • Test, then test some more

  • Good documentation; focus on process and the help desk

  • Manage this like a program, not just a project

  • References

    • Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies

    • How to block CD/DVD Writing in Windows 7

    • Location Awareness: Using registry values to switch locations

    • Creating custom application control rules

    • Testing application control rule sets


Rich Bagurdes

richardbagurdes@discover.com