Executive Summary
We don't need to look very far to see the increasing risk to servers, or the inadequacy of existing solutions to stem the flow of successful attacks. Servers are accessible from around the world; they allow direct interaction with thousands or even millions of users, and they typically contain information assets of high value to attackers. Current protection schemes rely heavily on reactive approaches to security that are ineffective and inefficient. The security profession has long held that a proactive approach that starts with default deny is superior to the default allow situation we are in today. But the traditional obstacle to any lockdown approach has been the false positive: the potential for disruption of legitimate applications. Server environments are well suited to a proactive approach: they are physically accessible to administrators, change less often, and follow more regimented change control processes. One simple way to compare protection options is to evaluate the management overhead each one imposes. An application whitelisting solution is a positive (default deny) approach that requires fewer touches and excels in a controlled environment.
INTRODUCTION
THE SERVER RISK PROFILE
ASSESSING THE CURRENT STATE
RETHINKING SERVER SECURITY
PROTECTION CHARACTERISTICS OF SERVERS
SELECTING A PROTECTION APPROACH
THE BENEFITS OF APPLICATION WHITELISTING
SPIRE VIEWPOINT
Introduction
Our servers are under attack. Everywhere you look there are stories about breaches that penetrate Web servers, drop malicious code, and burrow deeper into the data center. This isn't necessarily news, but the popularity of server-based attacks is on the rise. Of course, the attacks themselves keep changing, as attackers combine strategies, work up the stack to the application layer, and take advantage of new technologies and architectures. For the past few years organizations have focused their efforts on hardening user endpoints like desktops and laptops, so attackers have shifted their strategies toward servers. Nowadays any threat, including those that are advanced and persistent, looks for a way into an environment through a multi-staged attack. The first step comes in multiple forms: sometimes it involves a spear-phishing attack against an end user, but often it involves penetrating the initial defenses of the Web server. That compromise provides a staging location for the second phase, which drops control code for remote management and exploitation onto a server. Further steps may involve exploiting known vulnerabilities, running sniffers or other monitoring software, or compromising admin accounts deeper in the data center. To develop a protection strategy for the server environment, it is worth reviewing the server risk profile, evaluating the current server security strategy, identifying the key characteristics of a server environment, and then establishing a protection approach for servers.
Roundup
In theory, security professionals strive for a default deny, known good, whitelist approach because it is more proactive than its counterparts (default allow, known bad, blacklist). In practice these pairs of concepts sit on a spectrum, and developers of security products look for ways to balance them with the goal of minimizing both false positives and false negatives.
Superior approach
With its pedigree in the default deny and known good camps, whitelisting is more likely to stop attacks than a blacklist approach. Not only can it catch new and unknown malware, since anything not on the list is blocked, but it can be managed proactively before any attack is underway.
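To make the default deny versus default allow distinction concrete, here is a small added illustration in Python; it is not code from this paper or from any whitelisting product. It assumes a hash-based allow list (one common enrollment mechanism, alongside publisher and path rules in real products) and uses constructed byte strings in place of real executables. It shows the three cases the text argues about: unknown malware is blocked by the whitelist but passes the blacklist, and a legitimate update is a whitelist false positive until an administrator enrolls it (the "touch").

```python
import hashlib

ALLOW = "allow"
DENY = "deny"


def sha256_hex(image: bytes) -> str:
    """Identity of an executable image: the SHA-256 of its bytes."""
    return hashlib.sha256(image).hexdigest()


class ExecutionPolicy:
    """Hypothetical minimal execution-control policy (illustration only).

    default_deny=True  -> whitelist: run only images whose hash is enrolled.
    default_deny=False -> blacklist: run anything whose hash is not on the deny list.
    """

    def __init__(self, default_deny: bool, known_good=(), known_bad=()):
        self.default_deny = default_deny
        self.known_good = {sha256_hex(i) for i in known_good}
        self.known_bad = {sha256_hex(i) for i in known_bad}

    def enroll(self, image: bytes) -> None:
        """The management 'touch' a whitelist needs when a legitimate image changes."""
        self.known_good.add(sha256_hex(image))

    def add_signature(self, image: bytes) -> None:
        """The signature-update 'touch' a blacklist needs for each new malware family."""
        self.known_bad.add(sha256_hex(image))

    def evaluate(self, image: bytes) -> str:
        digest = sha256_hex(image)
        if self.default_deny:
            return ALLOW if digest in self.known_good else DENY
        return DENY if digest in self.known_bad else ALLOW


# Constructed stand-ins for executable images; none of these is a real program.
HTTPD_V1 = b"\x7fELF httpd 2.4.0 (constructed sample)"
HTTPD_V2 = b"\x7fELF httpd 2.4.1 (constructed sample, a legitimate update)"
KNOWN_DROPPER = b"MZ dropper (constructed sample already in the blacklist)"
NEW_DROPPER = b"MZ dropper variant (constructed sample, never seen before)"


def compare_policies() -> dict:
    """Decision for each sample under both policies, as (whitelist, blacklist)."""
    whitelist = ExecutionPolicy(default_deny=True, known_good=[HTTPD_V1])
    blacklist = ExecutionPolicy(default_deny=False, known_bad=[KNOWN_DROPPER])
    samples = {
        "enrolled_good": HTTPD_V1,
        "updated_good_not_enrolled": HTTPD_V2,
        "known_malware": KNOWN_DROPPER,
        "unknown_malware": NEW_DROPPER,
    }
    return {name: (whitelist.evaluate(img), blacklist.evaluate(img))
            for name, img in samples.items()}


def false_positive_resolved_by_enrollment() -> tuple:
    """The whitelist blocks the legitimate update until the administrator enrolls it."""
    whitelist = ExecutionPolicy(default_deny=True, known_good=[HTTPD_V1])
    before = whitelist.evaluate(HTTPD_V2)
    whitelist.enroll(HTTPD_V2)
    after = whitelist.evaluate(HTTPD_V2)
    return before, after


if __name__ == "__main__":
    for name, (wl, bl) in compare_policies().items():
        print(f"{name:28s} whitelist={wl:5s} blacklist={bl}")
    print("legitimate update before/after enrollment:",
          false_positive_resolved_by_enrollment())
```

Note the trade-off the sample makes visible: with pure hash matching every legitimate update is a touch, which is why production whitelisting products also accept publisher (code-signing certificate) rules so that a signed update runs without re-enrollment, while the blacklist needs a touch for every new malware variant.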
Fewer touches
No organization wants to make changes to its fully functioning servers unless it's absolutely necessary. Security is one of the needs that forces touches of the server to make configuration changes, update the software, and add new
Spire Viewpoint
All security professionals agree that a default deny approach is more secure than default allow. The trick has always been manageability: even well-controlled environments admit some discomfort about being able to predefine applications and processes efficiently. In today's threat environment, many organizations will find that the number of touches for signature updates associated with new malware is accelerating. In a server environment, these touches are likely to exceed the number of management changes required by whitelisting software.