Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Vista
      Digg this story   Add to del.icio.us   (page 2 of 2 ) previous 
Collaborative endpoint security, part one
Ivan Arce, Eduardo Arias 2005-10-25

Article continued from Page 1

Finally, the subsequent evolution of endpoint security technology led to almost purely behavioral models to define what is the normal security context within a protected system. It will then act upon deviations from normality that surpass a given threshold, built either from preset settings or by learning what is 'normal' along its runtime. In this last case, the effectiveness of the solution derives from its ability to correctly model normal behavior and to clearly distinguish deviations. Behavioral solutions also rely on the assumption that attacks are events distinguishable from normal legitimate use of system resources. The behavioral approach offers the advantage of apparently coping with the unknown in a more effective manner and not relying on fast generation and distribution of configuration updates to prevent malware outbreaks.

The intrusiveness issue

Endpoint security solutions must also be easily deployable, manageable and should not conflict with normal use of the system by end users. The effective control of system resources needed to detect and prevent attacks often requires using components that are quite intrusive at the OS level (by way of kernel drivers or kernel modifications). On the other hand, less intrusive solutions may be circumvented with simple variations of attack techniques. Another delicate balance must be found between overly intrusive and trivial-to-evade technology to achieve security effectiveness and manageable deployment and operation.

The granularity issue

A great deal of granularity is needed to implement effective security control on system resources. This is especially the case for personal firewalls, HIPS and application sand boxing solutions that rely on configuration settings to control exactly what, when and how are the system resources accessed or used. In lieu of generic security mechanisms or purely behavioral-based solutions, this greater granularity posses a difficult configuration problem: it is quite hard to know exactly which resources and what use of them is needed for all the possible legitimate uses of the endpoint system by all possible end users that have access to it. To cope with this problem, security providers:

  • Purposely decide to lose granularity in exchange for configuration and operational ease;
  • Build multiple abstraction layers to group granular permissions into objects or other abstract entities that are easier to understand and manage; or,
  • Transfer the problem of configuring highly granular permission to end users.

Clearly, the first approach may introduce weaknesses due to the loss of security capabilities in the solution. The second approach maintains the architectural capabilities of the solution, but hidden weaknesses may be introduced if invalid or shortsighted assumptions are made for the abstraction layers and the grouping of granular permissions. The third option just transfers the issue to somebody else. Total control of the security solution is still possible through the painstaking process of configuring every single security capability available, but the end result is usually flawed - due to the limited time and other resources that can be invested in such a project. This is often the case with the observed lack of precise security configuration for network firewalls and IDS.

The preparedness issue

Another very concerning issue for an endpoint security solution is that of its preparedness to cope with the threat of massively automated attacks in a proactive manner.

A hard-learned lesson of the past five years is that endpoint security solutions must be suitable to prevent the outbreak of fast propagating worms. This is typically malicious code that exploits known security vulnerabilities in endpoint operating systems (such as CodeRed, Nimda, Blaster and Sasser) or that rely on malicious email-borne content that tricks the end user into enabling self-replication and propagation (LoveLetter, Bagle, MyDoom, NetSky).

To accomplish this goal, endpoint security solutions rely on one of two possible strategies:

  • Signature matching or otherwise security configuration dependant solutions that rely on being able to quickly receive configuration updates. These must be general enough to detect or prevent exploitation of vulnerabilities for all, or as many as possible, variants of known exploitation code and malware. This strategy requires fast detection, analysis and response from the solution provider and an equally fast and robust distribution channel.
  • Behavioral and heuristic-based systems that rely on the assumption that any new threat will be detected and prevented by the endpoint solution. This is because no matter what the new vulnerability or malware is, it will follow known exploitation techniques or behave in a noticeably different manner from normal use of system resources.
Both strategies have strengths and weaknesses. They have yet to prove effective in preventing global outbreaks of fast propagating attacks while keeping endpoint resources available for normal use. Behavioral and heuristics based solutions seem promising in this area, but their install base is still not large enough to prove effectiveness at a global scale.

Usability

Endpoint security solutions face a dilemma over usability, hinted at in previous sections.

A given solution must be not only granular and robust enough to detect and prevent attacks effectively, but also easily usable for a vast range of users with different degrees of technical skills and security-awareness. Complex configuration chores and the solution's internals must be hidden from end users, yet they must be good enough to cope with sophisticated attackers and the tools they use. The user interface of endpoint security solutions clearly epitomizes a debate (security versus usability) that has been raging for decades in the various disciplines that deal with software engineering and information security.

Addition and distribution of value

In our rapidly changing information security landscape, an endpoint security solution must be able to effectively cope with new attack techniques and future attack trends. For that purpose, a key feature is the ability for users to improve and refine the capabilities of a deployed solution, which is equivalent to the ability to add value to the solution. Addition of value by users can take various forms. It almost always implies the ability to incorporate new configuration settings such as signatures, permissions, capabilities, and so on in a way that makes sense within the user's IT environment (network topology, endpoint security policies and mission-critical applications and business processes). The suitability of value-add by an end user is a variable with a significant influence in the effectiveness of the solution and its overall total cost of ownership (TCO).

Ideally, an endpoint security solution should not only provide a way for end users to add value to it, but also provide the ability to re-use the added capabilities across a local (or better yet, global) installed base. The requirement for being able to re-use or distribute added value poses additional software engineering and information security challenges, since endpoint systems are usually the most diverse computing environments on any but the most simple networks. File system hierarchies, installed applications, file and directory names, registry hives and endpoint resource's usage practices all vary largely even on local networks and are heavily reliant on end user idiosyncrasies. As of today the authors are not aware of any endpoint security solution that clearly addresses the addition and distribution of value by end users.

The rationale for a collaborative security approach

A collaborative approach to endpoint security may be suitable to address many of the issues described in the previous section.

The use of an endpoint security solution based on software agents that share context information about endpoint security state could provide the required network-level visibility of network devices.

Several proposals for collaborative agent architectures applied to information security have seen the light in academic circles during the last two years. These are generally aimed at using collaborative agents to augment context visibility of network security appliances, or to provide more efficient means of detection of global scale attacks. However, they are focused on collaboration between software components and not necessarily on collaboration between security software users.

Collaboration between users of security software can go beyond the technical advantages of peer or grid computing if a reasonable number of information security practitioners step up and actively collaborate to tackle the complex problem of implementing effective, usable and easily manageable endpoint security solutions. The success of several well-established security projects such as the Nessus vulnerability scanner and the Snort network intrusion detection system (rooted in the community-oriented development processes that distinguishes open source projects), are a good indication of the collaborative approach as a viable option. However, it should be noted that Nessus and Snort were not specifically designed to facilitate generation and distribution of security value in a collaborative manner, although both have had relatively good success at that.

Unfortunately, both projects are currently not within the scope of endpoint security solutions and they are not likely to face many of the challenges posed by the issues described in this article. Consequently, we can't derive better-informed conclusions about the possible application of the existing community-oriented open source security projects to collaborative endpoint security.

Let's examine the possible advantages of a collaborative approach to endpoint security software and how those issues could be addressed.

Collaborative software components and users can leverage endpoint security technology to acquire a broader view of attack trends at a local or global network scale. Automatic sharing of security alerts, normal and abnormal behavior patterns of commonly used applications, and configuration settings for endpoint security policies can all provide improvements to the visibility and effectiveness of endpoint security solutions. Behavioral models can be enriched and improved with the addition of globally-seen behavior rather than just local execution patterns. Furthermore, with the proper tools, collaborative endpoint security users can improve the effectiveness of their solutions through the use of refereed or peer-reviewed endpoint security settings considered effective by one or more groups of users with specific skill sets, geographical or topological distributions and functional roles among the entire user base.

The granularity issue (a desired security feature for tight access control to resources in endpoint systems) can be approached with a divide-and-conquer strategy. This is an approach that distributes among collaborative end users the problem of defining very granular security permissions for the correct - and secure - execution of the endpoint's operating system and the overwhelming number of client applications in use today. Configuration tools that support and promote the seamless addition and distribution of value to endpoint security solution deployments must facilitate this distributed approach to security configuration.

In this fashion, end user experience and expertise with third-party software and applications by specific user groups, vertical markets or networks of organizations can be leveraged to provide effective security settings to an entire user base across geographical, topological or organizational boundaries.

Collaborative end users can achieve the optimal balance for intrusiveness, granularity and usability of endpoint security solutions in real world environments through the open discussion and improvement of security configuration settings. Voting, auctioning and "fair market valuation" techniques for endpoint security configuration settings can help determine what is the right balance for specific operational scenarios on local and global scales.

Finally, the preparedness issue can by addressed by a network of collaborative agents and users that provide the means for fast propagation or configuration settings in either reactive or proactive ways at the outbreak of global or local threats. For that purpose, a community-oriented website, instant messaging, P2P technology and traditional email and file transfers can be used.

Concluding part one

Endpoint systems are increasingly vulnerable to security threats to the point that they've become the weakest link in the security posture of organizations and Internet users. Client-side exploits and phishing attacks, SPAM, virus, worms, rootkits, key loggers, distributed denial of service (DDoS) agents and other malware are a present and real security threat that point at the need for an effective endpoint security solution.

In part I of this article we've proposed a collaborative approach to address the endpoint security threat. In part two the authors will present a freely available endpoint security solution that implements some of the features and ideas behind the collaborative endpoint security approach proposed.

If you wish to learn more about the Core FORCE project at Corelabs visit the website at force.coresecurity.com.

Ivan Arce is CTO and co-founder of Core Security Technologies.

Eduardo Arias is head engineer at Core Security Techologies.

Copyright © 2005, SecurityFocus

SecurityFocus accepts Infocus article submissions from members of the security community. Articles are published based on outstanding merit and level of technical detail. Full submission guidelines can be found at http://www.securityfocus.com/static/submissions.html.
    Digg this story   Add to del.icio.us   (page 2 of 2 ) previous 
Comments Mode:







 

Privacy Statement
Copyright 2008, SecurityFocus