Endpoint Protection Application and Device Control to dynamically control storage devices: From kludge to B.A.U.

Rich Bagurdes, CISSP

Consultant - Threat Intelligence

January 2014

Chicago User Group – January 2014

SEP ADC Storage Control Agenda
  1. Intro
  2. Problem Statement
  3. Requirements
  4. Design/Logic
  5. Policy Walkthrough
  6. Reporting
  7. Summary

V2.0


Intro
  • Started out in IT in 1997
    • Finance, Telecom, .com startups…
  • 13 years at Discover
    • 5 years
      • Datacenter design
      • OS2/Windows Engineering
      • Patch Management
    • 8 years InfoSec
      • Endpoint protection engineer
        • AV/HIPS/Encryption…


Problem Statement: Control Storage Devices
  • 2000-2007 – Administrative Controls
    • Written policies – what can be attached
    • Purse strings – prevent users and managers from acquiring
  • 2007-2011 – Technical Controls
    • Microsoft GPOs – often didn’t apply – weak enforcement
    • No reporting – fire and forget – or spray and pray…
    • Business reluctance
  • 2011 - Present
    • Top-down decision – set at CIO level
    • Flexible but secure system
    • User self service
    • Detailed reporting (entitlement and actual use)
  • Future
    • DLP


Requirements: What you need to succeed!
  • Political support and good documentation
  • Windows XP – Windows 7
    • XP requires KB943729 Group Policy Preference Client Side Extensions
    • Active Directory Functional level >2008
  • SEP 12 with Application and Device Control AND NTP
  • Groups and GPOs to support 4 functional roles
    • Execute/Write/Read
      • Operations, End User Support, BCP users
    • Write/Read
      • VPs and above, select groups that frequently write data (previous analysis)
    • Read
      • Default everyone
    • Lockdown
      • Contractors, offshore, PCI, PII, etc.
  • Employee self service
    • Centralized control, approval workflow


Design and Logic: How does this all work?
  • AD groups, AD policies and Security Filtering
    • 1:1:1 mapping Group → GPO → Location
      • Plus one catch-all
    • GPO Security Filter
      • Members of AD group can read aka “apply” policy
    • If policy is read – registry key is set
      • HKLM – single key with changing value
      • HKCU – changing key
      • Permission keys
    • Registry Keys are triggers for SEP ADC
      • HKLM keys processed by Location Awareness
      • HKCU keys are processed by ADC policy directly


Policy Walkthrough: GPO Security Filtering
  • Security Filtering controls who receives policy
    • Remove Authenticated Users
    • Only allow members of AD group to read desired policy
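The filtering step described above, written out as an added PowerShell example (not from the presentation) using the GroupPolicy module's Set-GPPermission and Get-GPPermission cmdlets. GPO and group names are placeholder assumptions. One caveat the 2014 slides predate: since the June 2016 Group Policy security update (MS16-072) the computer account must still be able to Read the GPO for user policy to process, so the example downgrades Authenticated Users to Read instead of deleting the entry outright, and then verifies that only the role group holds Apply.

```powershell
# Added example, not from the slides. GPO and group names below are assumed placeholders.
Import-Module GroupPolicy

# Assumed role -> GPO / AD group mapping, one pair per functional role (1:1 per the design).
$roleMap = @{
    'ExecuteWriteRead' = @{ Gpo = 'SEP-Storage-ExecWriteRead'; Group = 'GG-Storage-ExecWriteRead' }
    'WriteRead'        = @{ Gpo = 'SEP-Storage-WriteRead';     Group = 'GG-Storage-WriteRead' }
    'Read'             = @{ Gpo = 'SEP-Storage-Read';          Group = 'GG-Storage-Read' }
    'Lockdown'         = @{ Gpo = 'SEP-Storage-Lockdown';      Group = 'GG-Storage-Lockdown' }
}

foreach ($role in $roleMap.Keys) {
    $gpo   = $roleMap[$role].Gpo
    $group = $roleMap[$role].Group

    # Caveat not on the slides (MS16-072, June 2016): keep Read for Authenticated Users so the
    # computer account can still fetch the GPO; -Replace drops the default Apply permission.
    Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Only members of the role group receive Read + Apply Group Policy.
    Set-GPPermission -Name $gpo -TargetName $group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# Verification pass: for each GPO, list every trustee that can apply it. Expect exactly the role group.
function Get-StorageGpoApplyReport {
    foreach ($role in $roleMap.Keys) {
        $gpo   = $roleMap[$role].Gpo
        $apply = Get-GPPermission -Name $gpo -All | Where-Object { $_.Permission -eq 'GpoApply' }
        [pscustomobject]@{
            Role     = $role
            GPO      = $gpo
            CanApply = (($apply | ForEach-Object { $_.Trustee.Name }) -join ', ')
            OK       = (@($apply).Count -eq 1 -and $apply[0].Trustee.Name -eq $roleMap[$role].Group)
        }
    }
}

Get-StorageGpoApplyReport | Format-Table -AutoSize
```

Run it from a machine with RSAT installed, as an account that can edit the four GPOs; any row with OK = False means someone other than the intended group can pick up that storage role.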


Policy Walkthrough: Group and GPO details
  • Group Policy Preferences set via HKLM
    • String Value (REG_SZ)
    • Value Name is consistent across all 4 GPOs – but Value Data changes.
      • “StorageKey” in sample policies
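An endpoint-side check for the design on the previous slides, added here as an example that is not part of the presentation. It reads the HKLM trigger value (the "StorageKey" name comes from the sample policies; the registry path and the four Value Data strings are assumptions), works out which SEP location the machine should be in, and compares that with the AD groups in the current user's token to flag drift: a key that says one role while the user belongs to another, or no key at all (the N+1 "Unassigned" state) for a user who is in a role group, which usually means the GPO never applied (missing client-side extensions on XP, wrong security filter). It only covers the HKLM value, not the HKCU key.

```powershell
# Added example, not from the slides. Path and value data are assumed; only the value name is from the deck.
$StorageKeyPath = 'HKLM:\SOFTWARE\Contoso\StorageControl'   # assumed location of the GPP-written key
$StorageKeyName = 'StorageKey'                               # value name used in the sample policies

# Assumed Value Data written by each of the four GPOs -> AD group that is security-filtered onto that GPO.
$roleByValue = [ordered]@{
    'ExecWriteRead' = 'GG-Storage-ExecWriteRead'
    'WriteRead'     = 'GG-Storage-WriteRead'
    'Read'          = 'GG-Storage-Read'
    'Lockdown'      = 'GG-Storage-Lockdown'
}

function Get-StorageControlState {
    # Value as it is actually set on this machine; $null means no role GPO applied -> "Unassigned" location.
    $data = (Get-ItemProperty -Path $StorageKeyPath -Name $StorageKeyName -ErrorAction SilentlyContinue).$StorageKeyName
    $effective = if ($data -and $roleByValue.Contains($data)) { $data } else { 'Unassigned' }

    # Group membership straight from the logon token (no AD module needed on the endpoint).
    $id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = foreach ($sid in $id.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }

    # Roles the user is entitled to by group membership (1:1 mapping means normally zero or one).
    $expected = @()
    foreach ($kv in $roleByValue.GetEnumerator()) {
        if ($groups -match ('\\' + [regex]::Escape($kv.Value) + '$')) { $expected += $kv.Key }
    }

    $drift = if ($effective -eq 'Unassigned') { $expected.Count -gt 0 }      # entitled but key missing
             else                             { $expected -notcontains $effective }  # key disagrees with groups

    [pscustomobject]@{
        User               = $id.Name
        RegistryValue      = $data
        EffectiveLocation  = $effective
        ExpectedFromGroups = ($expected -join ', ')
        Drift              = $drift
    }
}

Get-StorageControlState | Format-List
```

Drift = True on a Lockdown user's machine is the case worth chasing first, because the fallback state in this design is Read Only, which is more permissive than Lockdown.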


Policy Walkthrough: SEP Locations
  • Create a location for every group, plus one (N+1)
    • Unassigned group
      • Catches non-domain machines or machines that have not been configured
      • Should be most common/default state – Read Only in our case.
      • Notification Messages are user friendly


Policy Walkthrough: Application Controls and Rule Sets
  • Unique ADC policy for each location
  • Rule set to control functions
  • Include rule set to protect Storage Control keys
  • Use the Test and Production modes
    • A rule that would normally “prevent” an action can easily be turned into a “monitoring” policy with a mode flip


Policy Walkthrough: Application Rules
  • Every rule must have at least one application *
  • Rules are processed from the top down
  • Allow actions go before the block actions
  • Keep track of Rule Names, Actions and Severity
    • Important for later reporting and analysis
  • Concise/clear notifications on blocks <100 char
  • USB flash drives and USB hard drives need different controls
    • Flash drives, floppy drives, CD/DVD drives controlled via “Drive Type”
    • USB hard drives are controlled via USBSTOR* device ID type
  • Restricting DVD/CD burning is very tricky
    • IMAPI restrictions by file hash + restricted apps + GPO’s
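To see why the slide splits flash drives from USB hard drives, this added PowerShell example (not from the presentation) inventories the USB-attached disks on a machine and shows both identifiers side by side: the Win32_LogicalDisk DriveType that the "Drive Type" rule keys on (2 = Removable, 3 = Local Disk, 5 = CD-ROM) and the PNPDeviceID that a USBSTOR* device-ID rule keys on. A USB hard drive typically reports DriveType 3 just like the internal disk, so a Drive Type rule alone will not catch it, while its PNPDeviceID still starts with USBSTOR\. No names below are assumed; all classes and properties are standard WMI/CIM.

```powershell
# Added example, not from the slides. Lists USB disks with the two identifiers the ADC rules key on.
$driveTypeName = @{ 2 = 'Removable'; 3 = 'Local Disk'; 4 = 'Network'; 5 = 'CD-ROM'; 6 = 'RAM Disk' }

function Get-UsbStorageInventory {
    Get-CimInstance Win32_DiskDrive | Where-Object { $_.InterfaceType -eq 'USB' } | ForEach-Object {
        $disk = $_
        # Walk disk -> partition -> logical disk to reach the drive letter and its DriveType.
        $parts = Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition
        foreach ($part in $parts) {
            $logical = Get-CimAssociatedInstance -InputObject $part -ResultClassName Win32_LogicalDisk
            foreach ($ld in $logical) {
                [pscustomobject]@{
                    Drive          = $ld.DeviceID
                    DriveType      = $driveTypeName[[int]$ld.DriveType]
                    Model          = $disk.Model
                    PNPDeviceID    = $disk.PNPDeviceID
                    MatchesUSBSTOR = ($disk.PNPDeviceID -like 'USBSTOR\*')
                    # Caught by a Drive Type rule only if Windows sees it as removable.
                    DriveTypeRule  = ([int]$ld.DriveType -eq 2)
                }
            }
        }
    }
}

Get-UsbStorageInventory | Format-Table -AutoSize
```

Rows with MatchesUSBSTOR = True and DriveTypeRule = False are the USB hard drives the slide is talking about: they need the device-ID based control.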


Reporting: Native Tools
  • Potential for a lot of data.
    • Consider users who frequently back up, or move many files around.
  • Deep analysis is hard with native reporting.
    • Logs – Filter, Export, Excel Filter, Merge, Repeat
  • Event logs: Monitors → Logs and choose:
    • Log type = Application and Device Control
    • Log Content = Application Control


Reporting: ITAnalytics
  • ITAnalytics or other analytics platform is needed
    • Count of writes or execution use per user per month
  • Drill down to names of files written, types of USB devices in use, etc.
  • Track execution of unauthorized software, “portable” executables
  • Build your case for DLP
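The per-user, per-month roll-up the last two slides ask for, as an added PowerShell example that is not part of the presentation and does not depend on ITAnalytics. It assumes the ADC log has already been exported to CSV from the console; the column names (Time, Computer, User, RuleName, Action, FilePath) are an assumption and should be mapped to the real export headers, and the seven event rows are constructed sample data. It counts events and distinct files per user, month, rule and action, then picks out users whose block counts suggest a role review or a DLP case.

```powershell
# Added example, not from the slides. Column names are assumed; the event rows are constructed sample data.
$sampleCsv = @'
Time,Computer,User,RuleName,Action,FilePath
2014-01-06 09:12:00,WKS-001,jdoe,Storage-Write,Block,E:\budget.xlsx
2014-01-06 09:13:10,WKS-001,jdoe,Storage-Write,Block,E:\budget_v2.xlsx
2014-01-14 15:02:33,WKS-017,asmith,Storage-Execute,Block,F:\portable\tool.exe
2014-02-03 08:45:12,WKS-001,jdoe,Storage-Write,Allow,E:\report.docx
2014-02-11 11:20:05,WKS-042,bjones,Storage-Write,Block,E:\customers.csv
2014-02-11 11:20:06,WKS-042,bjones,Storage-Write,Block,E:\customers2.csv
2014-02-11 11:20:07,WKS-042,bjones,Storage-Write,Block,E:\customers3.csv
'@
$events = $sampleCsv | ConvertFrom-Csv
# For a real export: $events = Import-Csv .\adc-application-control.csv

function Get-StorageUsageSummary {
    param([Parameter(Mandatory)][object[]]$Events)
    $Events |
        Select-Object User, RuleName, Action, FilePath,
            @{ n = 'Month'; e = { ([datetime]$_.Time).ToString('yyyy-MM') } } |
        Group-Object User, Month, RuleName, Action |
        ForEach-Object {
            [pscustomobject]@{
                User          = $_.Group[0].User
                Month         = $_.Group[0].Month
                Rule          = $_.Group[0].RuleName
                Action        = $_.Group[0].Action
                Events        = $_.Count
                DistinctFiles = @($_.Group.FilePath | Sort-Object -Unique).Count
            }
        } | Sort-Object Events -Descending
}

# Users with repeated blocks in a month: entitlement review (wrong role?) or evidence for the DLP case.
function Get-HeavyBlockedUsers {
    param([Parameter(Mandatory)][object[]]$Summary, [int]$Threshold = 2)
    $Summary | Where-Object { $_.Action -eq 'Block' -and $_.Events -ge $Threshold }
}

$summary = Get-StorageUsageSummary -Events $events
$summary | Format-Table -AutoSize
Get-HeavyBlockedUsers -Summary $summary | Format-Table -AutoSize
```

On the sample data the second table lists bjones (3 blocked writes in 2014-02) and jdoe (2 in 2014-01); the "portable" executable block for asmith shows up in the first table under Storage-Execute, which is the column to watch for unauthorized software.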


Summary: Important points
  • Support from the top
  • Test, then test some more.
  • Good documentation, focused on process and the help desk
  • Manage this like a program, not just a project
  • References
    • Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies
    • How to block CD/DVD Writing in Windows 7
    • Location Awareness: Using registry values to switch locations
    • Creating custom application control rules
    • Testing application control rule sets


Rich Bagurdes

richardbagurdes@discover.com